Trend Micro IoT Security (TMIS) provides IoT risk detection and system protection. In order to provide those features, Trend Micro IoT Security automatically analyzes the system libraries, network metadata, and process behaviors in your IoT devices to create baselines that are used to protect IoT devices against network threats.
When you install Trend Micro IoT Security, Trend Micro analyzes, receives, and collects the following information:
|Email address||The email address used to log on to the management console|
|Password hash||Hash for the password used to log on to the management console|
|Kernel header file (optional)||The header file used to integrate the Approved Applications List (AAL) into a device|
|Toolchain||A set of programming tools used to integrate the Trend Micro IoT Security agent into a device|
|Google Analytics data||Collected data that Google Analytics uses to track management console usage|
|TMIS configuration||TMIS configuration for devices that can be downloaded from the management console after baseline release|
|Device status and TMIS agent version||Status for each device and the Trend Micro IoT Security agent version information for display on the management console|
Remote Attestation detects device file integrity using a challenge-response method. When you first use Trend Micro IoT Security, the device must upload a baseline of its file system to the Trend Micro IoT Security server. The baseline includes the file hash, file path, and directory path.
|File/Directory path and attributes||Specified files or directories for data collection|
|File hash||Specified hash algorithm to use. Only one type of file hash is collected by the Trend Micro IoT Security server.|
To stop sending file hash information to the Trend Micro IoT Security server, comment out all settings in the configuration file for Trend Micro IoT Security agents (located in /etc/opt/atom/baseline_rule).
The following figure shows an example.
Approved Application List
The Approved Application List (AAL) intercepts system calls with a Linux kernel module and provides a locked security feature in the Trend Micro IoT Security agent. This feature automatically generates a policy to match the target Linux device environment. The policy information (including file path, file hash, and audit log) is sent to the Trend Micro IoT Security server.
|Executable/library path||Data displayed in detection logs on the management console|
System Vulnerability Scan
The System Vulnerability Scan feature checks for vulnerabilities related to system libraries. The Trend Micro IoT Security agent scans the system libraries in IoT devices on a daily basis.
|Library path, name, and version||Data collected by the Trend Micro IoT Security agent to enable library vulnerability scans|
Hosted IPS (HIPS) provides network-based intrusion protection in the TMIS agent. This feature protects devices by detecting and blocking intrusions from network traffic (with or without encryption). The Trend Micro IoT Security agent sends the blocked attack information to the Trend Micro IoT Security server for display on the management console.
|Blocked attack information||Data sent to the Trend Micro IoT Security server for display on the management console|
Network Anomaly Detection
The Network Anomaly Detection feature detects abnormal network occurrences and behaviors. A continuous learning process first defines ‘normal’ behaviors, which Trend Micro IoT Security uses to detect any unusual network occurrences, such as communication with an external server or connections to suspicious websites. Trend Micro IoT Security collects Netflow metadata to enable the Network Anomaly Detection feature.
|Network interface name||Data used for analyzing network traffic and detecting abnormal network behaviors|
|Network packet metadata (in flow format)|