Interview: Eva Chen, Trend Micro

Trend Micro has always been an advocate for a server-based approach to fighting viruses. But in recent weeks, the company has embraced a broader portfolio of products and technologies in the battle against security threats. Trend Micro CTO Eva Chen explained her company's new approach to security, especially the need to reach out to the edge of the network and beyond, in an interview with CRN Editor in Chief Michael Vizard.

CRN: How would you describe Trend Micro's overall approach to security, and how is it changing?
CHEN: I always start with where the overall computer infrastructure is going and then try to place us where we should be in the overall picture. Trend Micro has been a server-based antivirus company. I would say that is evolving. Nowadays, the whole world is a gigantic TCP/IP network. You can hardly tell where there is a boundary. The first point of contact is the network, so that is where to put your security management.

CRN: Given that, how is Trend Micro changing?
CHEN: For antivirus, there are several things to consider. First is where to detect, and second is where to do the control. We are moving the control from client and the server to the gateway.

CRN: How does that change the security management equation?
CHEN: The other thing we are thinking about is outbreak prevention. We always say we are in the antivirus business. But I was so frustrated that I called our CEO, Steve Chang, and said we've been lying to our customers for 10 years. We call ourselves antivirus, but we have never prevented a virus from hitting our customers. None of the antivirus vendors have ever done that. From that day, we started to rethink the whole business about antivirus. We've come up with this whole idea that antivirus is not just about prevention. It's about monitoring, isolation and risk minimization. You need to put in something where you can help customers do damage control. If they get hit, you want to isolate the infected area. And finally there is recovery. You need to have some way to do recovery.

CRN: There is a saying that says to be forewarned is to be forearmed. How do you monitor what's happening on the Internet?
CHEN: The monitoring system is a very exciting project that I was driving. I call it collaborative antivirus. Trend Micro has been focusing on antivirus for so many years that the most important asset we've got is our knowledge about virus behavior. All the information we collect is sent back to our control manager and our server in our labs. Once we detect something, we can respond in 45 minutes.CRN: In the meantime, what are end users supposed to do if they get hit with something?
CHEN: That's why isolation is important. We've come out with this new product that sits on the network and allows us to isolate a certain port or a certain protocol. We don't identify the specific virus, but we can say we now know that there's something fishy going on.

CRN: This new product obviously has to leverage some heuristic technology to do that kind of analysis. What is your take on heuristic technology?
CHEN: Most of the heuristic technology failed because it was too ambitious. If you have big ambitions for heuristic solutions, I would say it is impossible to achieve. I think it's great theoretically, but it's just very hard to do. We are very, very modest in heuristics. I only want to detect virus outbreak; I'm not detecting it before it happens. It's about early warning rather than immunization. We put these agents out there to monitor the traffic.

CRN: Once that is in place, does it mean that people then can start to implement policy management based on traffic patterns?
CHEN: That's why one of the major functions that we're putting into this product is called policy enforcement, or the patch policy security baseline enforcement. When a machine first connects to the network, we check if you're complying to the policy. If not, then I can isolate you from the network temporarily and force you to, say, update your virus pattern file or do the patch before you go on the network. We can also limit the false positives, and customers don't need to write their own policy, although we do provide the interface if they think they want to write their own policy.

CRN: Given all of that, how do you differentiate Trend Micro from Symantec or Network Associates?
CHEN: Attacks know how to use network resources, so why shouldn't an antivirus company use network resources? We say they are using network resources; therefore, the defense is to deploy the agent around the network and come out with a network defense plan. The other reason I think Trend Micro is better than its competitors is its service infrastructure. They don't have the same level of infrastructure support with rapid updates and 24-hour support, which is harder than just crafting the technology. Our support is 24 hours. You can always call, and there's always somebody there. The real business we are in is not even just security. I call it software environment risk management. That is the real business we are in.