Jason Stamper asks Trend Micro’s co-founder and CEO, Eva Chen, what she believes are the new frontiers in enterprise security, and why she stated recently that, “The antivirus industry sucks.”
Security firm Trend Micro’s leafy UK headquarters on a business park just outside Marlow are not flanked by sandbags and razor wire. There are no guard dogs on patrol, and the person you first meet on entering the building is more likely to offer you a cup of tea than frisk you. But then, the biggest threat to any enterprise has always been from within its own four walls, whether it is in the business of security or any other.
Trend Micro knows a thing or two about security, especially Internet content security. Founded by Steve and Jenny Chang and Eva Chen in LA, California back in 1988, it began life in the consumer antivirus space with a product called PC-cillin, launched in 1990. It was a huge success in the booming virus scanner market, and the firm followed this up with the launch of ServerProtect for the corporate IT market a year later.
Also proving popular, Trend Micro then launched Interscan VirusWall into the enterprise space, after an expansion that also saw it move its HQ to Tokyo, Japan, in preparation for a stock market flotation there. What an IPO it was — it opened at 8,300 yen, almost double the initial offering price.
Don’t miss: Trend Micro’s CEO and security visionary Eva Chen in an exclusive 15-minute CBR podcast – listen or download at http://bit.ly/4sfynS
Fast forward just over twenty years, and you find a rather grown-up company: revenue in 2008 came in at $985m, up 16%. It employs around 3,800 staff worldwide, has operations in 50 countries and has nine global R&D centres — almost 30% of its staff are involved in R&D.
Commenting on its twentieth anniversary last year, co-founder Eva Chen, who took the CEO role in 2005, said: “Over the last two decades, we made history by delivering innovative solutions that were best suited for the way we used technology. Today, technology has a greater role in the world. While it is still neither good nor bad, it is used and will continue to be used to do both.”
But it’s fair to say there have been a number of bumps in the road along the way. In April 2005 the firm suffered a public relations set-back when one of its virus definitions updates completely disabled Windows XP SP2 at scores of companies in Asia. The faulty update was only available for 90 minutes, and the firm offered compensation to those worst affected. “The total cost related to this matter is not likely be huge, but what investors want to see is whether the company can maintain its brand name as a leading antivirus maker,” said Yoshihiko Kosuga, equities deputy general manager at Mizuho Investors Securities. “These kind of incidents do hurt the corporate image and name.”
By now, however, Trend Micro had been sensible enough to diversify its business not only through its own R&D but also a series of acquisitions that had given it the likes of anti-spyware, content filtering, data leakage prevention and more.
Which is just as well, because its reputation took another hit in 2007 when PC World published the results of a test performed by AV-test.org in which Trend Micro AntiVirus + AntiSpyware 2007 — the latest incarnation of its PC-cillin line — scored the lowest of all applications tested, with an 82% detection rate.
A test by AV-comparatives later saw it fair somewhat better, and a second test by AV-test.org later that year saw Trend Micro score 90.97% overall. In the Consumer Reports Electronics Buying Guide 2008, Trend Micro was rated higher than any other security suite tested.
But Eva Chen, who had taken the CEO role in 2005, was angry at what she felt was the over-simplistic nature of antivirus tests, and the fact that they were not looking at the technology’s ability to protect machines from numerous, different types of attack. “The antivirus industry sucks,” she told reporters last year.
Meeting Chen at the firm’s UK HQ in Marlow recently, I recorded a 15-minute podcast with this security visionary which you can listen to or download at http://bit.ly/4sfynS. I asked her how she believes Trend Micro is different from its numerous competitors, how the firm is evolving its technology to handle virtual infrastructures, social networking and cloud computing, what it’s like being the only female CEO of a company listed on the Tokyo Stock Exchange, and more besides.
Protection is not a game
But I also asked, naturally, why she made that controversial statement that the AV industry “sucks”. “At that time we had seen that the malware increase, the volume increase is tremendous,” she tells me. “Before, every year we see probably 5,000 viruses, and from 2006 we are starting to see it’s like, a million. And right now it’s already six million every year.
“But the whole antivirus industry is still stuck at the previous way of computation which is detection rate. When you have 5,000 viruses and you compete with detection rate, you [get] 100% or 99% — it makes sense. When you have five million viruses, and are still competing in that way, it’s stupid, right?
“And also all these five million viruses, they change — every two seconds there’s a new malware that comes out. You need to measure the security by how soon you can provide that protection; how fast you can block those threats for customers and on what vector you block it,” Chen says. “For Trend Micro we feel that protection is not a game of playing those protection rates, but at that time the entire antivirus industry was still doing that.”
Coping with blended threats
Trend Micro’s big play to cope with the new demands of rapid, blended threats in enterprise IT is its Smart Protection Network. It describes it as,
“A next generation cloud-client content security infrastructure designed to block threats before they reach your network.”
It’s said to combine Internet-based technologies with smaller, lighter-weight clients, giving users the latest protection wherever and however they connect — from home, within a company’s network or on the go.
I asked Chen why the mostly cloud-based Smart Protection Network makes sense in the corporate security space. “One, better protection, and second, less complexity,” she says. She explains further in our podcast.
Indeed there are some who believe that cloud computing could be the next frontier in enterprise security.
Neil Hollister is chairman and CEO at CRYPTOCard, a Canadian network authentication specialist with a European HQ in Bristol. He told me this month how the firm has tweaked its authentication service to run in the cloud, ushering in what he calls ‘passwords as a service’.
“Authentication is a natural for the cloud,” Hollister says. “It’s a piece of infrastructure that’s a pain in the butt to manage internally.”
But as well as offering cloud-based authentication to users accessing corporate networks, Hollister says the firm will also sit in front of single sign on (SSO) systems to add more secure authentication, and increasingly sees its role as easing the complexity for users signing on to multiple, disparate Software as a Service (SaaS) apps hosted in the cloud.
Meanwhile Chen tells me that securing social networking content in the enterprise, and security for virtualised environments join cloud computing as three of the hottest areas in enterprise security today — all of which Trend Micro is targeting. She hints that the quiet acquisition last year of Bristol University incubator Identum, an encryption technology firm, could be put into action to help to make virtualised environments more secure.
The key question then: does Chen still think that the antivirus industry sucks? “I have high hopes that the security industry is moving in the right direction,” she says. “Recently a national software testing lab, the NSS, they implemented a new way of testing the security product, not just the detection rate but real protection. And I think that is a great move to move the whole industry to look at the right index in enterprise security profile posture.”