Vision One

Endpoint Security
V1 Endpoint Security - Review
 Server Workloads & User Endpoints Facing Different Threats
According to Gartner1, “An end-user endpoint is regularly
exposed to threats through email, websites, cloud services or
USB drives.
By contrast, threat actors target server workloads using software and configuration
vulnerabilities, lateral movement, and stolen employee credentials.

These differences in threat exposure create a need for distinct security requirements
and protection strategies for end-user endpoints and server workloads”
1. Gartner, Prioritizing Security Controls for Enterprise Servers and End-User Endpoints (Evgeny Mirolyubov, Peter Firstbrook, January 2023)

Laptop Server Virtual

Desktop Public/Private Obsolete
Server Cloud Desktop

4 | ©2024 Trend Micro Inc.

 Why “Vision One - Endpoint Security”?
Purpose-built security for endpoint,
server, and cloud workloads

Secure datacenter, cloud & hybrid

Endpoint Security
Single console for visibility and
management; protection and EDR

Connected IT/SecOps workflow

Laptop Desktop Server Virtual Public/ Part of Vision One platform; easy
Private expansion to other native security
Server Cloud
solutions, XDR, and ASRM

5 | ©2024 Trend Micro Inc.

 Vision One - Endpoint Security
Get timely protection against an ever-growing variety of threats by leveraging automated and advanced security controls and the latest industry-leading threat intelligence. With a
full range of layered prevention, detection, and response capabilities—such as modern anti-malware and ransomware protection, device control, host-based intrusion prevention,
application control, machine learning/AI, and more—you can defend your endpoints, virtual desktops, servers, and cloud workloads in real-time.

7 | ©2024 Trend Micro

Inc.
V1 Endpoint Security –
Offering
 Vision One: Endpoint Security Subscription Packages
Vision One – Endpoint Security
Detection and Response
Core Essentials Pro (EDR-XDR Add-on)

Critical endpoints including

Primary endpoint type User endpoints & file server User endpoints & file server application servers &
workloads

Windows, Linux & Mac OS

Antimalware, bahavioral analysis, machine learning, web

reputation

Device Control

Data Loss Prevention (DLP)

Firewall

Application Control

Intrusion Prevention – IPS (OS)

Virtualization Protection

EDR – XDR

Intrusion Prevention – IPS (Server Applications)

Integrity Monitoring / Log Inspection

Vision One Endpoint Security - XDR
V1 Endpoint Security -
Architecture
 High-level architecture

Vision
WebOne
Management
V Endpoint Console
1 Security

Security
Agents

12 | ©2024 Trend Micro Inc.

 Components Vision One Endpoint Security: Manages Security Agents on
Windows, Mac and Linux endpoints.

Vision One Data Lake: Cloud-based repository for XDR telemetry

data

Vision One: Extends XDR capabilities

Security Agents (Internal): Enforces protection on Windows, Mac

and Linux endpoint computers within the network

Security Agents (External): Enforces protection on Windows, Mac

and
Linux endpoint
Reference Server:computers outsidetothe
Allows Agents networkif they are internal
determine
Vision One Endpoint or external to the network
Security
Vision One Data Lake
Trend Micro Smart Protection Network: Cloud-based repository
of
threat information and services

Trend Micro ActiveUpdate Server: Default download source for

pattern files and program updates

Update Agent: Promoted Agent serving as an alternate

download
source for pattern files and Agent updates

Microsoft Active Directory (Optional): Provides enhanced

authentication for administrative users, endpoint mapping
and reporting lines
13 | ©2024 Trend Micro Inc.
V1 Endpoint Security -
Requirements
 Security Agent Deployment Prerequisites
• Agent endpoints can communicate with Vision
One Endpoint Security
• Endpoints can access *.trendmicro.com
• If required, configure Agent proxy server
settings
• Administrative level privileges to install
software
• No registry keys already on client from previous
installation
• Existing antivirus applications must be
removable

15 | ©2024 Trend Micro Inc.

 Firewall exceptions: Americas - all exceptions
• <Apex One console_DNS>.manage.trendmicro.com • assessment-us1.mgcp.trendmicro.com
• (refer to license email) • release-us1.mgcp.trendmicro.com
• licenseupdate.trendmicro.com • cti-us1.mgcp.trendmicro.com
• asm01-nabu-prod.aot.trendmicro.com • api-us1.xbc.trendmicro.com
• api-nabu.aot.trendmicro.com • wsc-us1.xbc.trendmicro.com
• osce14-p.activeupdate.trendmicro.com • tgw-us1.mgcp.trendmicro.com
• tmsm35-p.activeupdate.trendmicro.com • support-connector-api.manage.trendmicro.com
Important:
• osce14.icrc.trendmicro.com • supportconnectorpacks.manage.trendmicro.com
If you enable endpoint sensor detection
• osce14-0-en.url.trendmicro.com • rpcollectedthings.manage.trendmicro.com
and response, you must also add the
• osce140-en.fbs25.trendmicro.com • cloudendpoint-us1.mgcp.trendmicro.com
• osce14-en.gfrbridge.trendmicro.com Endpoint Sensor Agents exceptions. • er-ws-ue1.xdr.trendmicro.com
• osce14-en-census.trendmicro.com • era-ue1.xdr.trendmicro.com
• osce140-en-f.trx.trendmicro.com • endpointpolicy-cdn-us1.xbc.trendmicro.com
• mcs.trendmicro.com • files.trendmicro.com
• oscecmp140-en-f.trx.trendmicro.com • xlogr-ue1.xdr.trendmicro.com
• osce140-en-b.trx.trendmicro.com • api.xdr.trendmicro.com
• osce14bak-en-census.trendmicro.com • api-cert.xdr.trendmicro.com
• www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ • upload.xdr.trendmicro.com

Fuente: https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-firewallexceptionsam_001#GUID-F8FAF1DF-7A1E-4C0A-ADA3-6F6FC6CAD49D-ia3nqu

16 | ©2024 Trend Micro Inc.

V1 Endpoint Security -
Deployment
 Instance Provisioning – Existing customers
Customers who already have Trend Micro endpoint security products, such as Apex One as a Service, already connected to Trend Vision One will require
an update to take advantage of the new feature in Trend Vision One, including Endpoint Security. No changes or updates to installed security agents are
required.

18 | ©2024 Trend Micro Inc.

 Instance Provisioning – Existing customers
Customers who already have Trend Micro endpoint security products, such as Apex One as a Service, already connected to Trend Vision One will require
an update to take advantage of the new feature in Trend Vision One, including Endpoint Security. No changes or updates to installed security agents are
required.

Only the root user has the ability to initiate the update to Trend Vision All other non-root Master Administrators are presented with a similar information window,
One. but theirs contains a message to contact the root user to initiate the update.

19 | ©2024 Trend Micro Inc.

 Instance Provisioning – Existing customers
Customers who already have Trend Micro endpoint security products, such as Apex One as a Service, already connected to Trend Vision One will require
an update to take advantage of the new feature in Trend Vision One, including Endpoint Security. No changes or updates to installed security agents are
required.
A System Update Notice is displayed for the root user with some considerations regarding the update.

20 | ©2024 Trend Micro Inc.

 Instance Provisioning – Existing customers
Customers who already have Trend Micro endpoint security products, such as Apex One as a Service, already connected to Trend Vision One will require
an update to take advantage of the new feature in Trend Vision One, including Endpoint Security. No changes or updates to installed security agents are
required.

Identities in Trend Vision One after the update to the new IAM rely on email addresses
instead of usernames. As part of the update, the user is prompted to enter an email address
for the primary user account.
21 | ©2024 Trend Micro Inc.
 Instance Provisioning – Existing customers
Customers who already have Trend Micro endpoint security products, such as Apex One as a Service, already connected to Trend Vision One will require
an update to take advantage of the new feature in Trend Vision One, including Endpoint Security. No changes or updates to installed security agents are
required.

Identities in Trend Vision One after the update to the new IAM rely on email addresses On the Verify Email Address tab, type the code listed in the email and click
instead of usernames. As part of the update, the user is prompted to enter an email address Submit
for the primary user account.
22 | ©2024 Trend Micro Inc.
 Instance Provisioning – Existing customers
Customers who already have Trend Micro endpoint security products, such as Apex One as a Service, already connected to Trend Vision One will require
an update to take advantage of the new feature in Trend Vision One, including Endpoint Security. No changes or updates to installed security agents are
required.

A new password for the account must be provided. Enter and confirm a new password
and click Reset Password
23 | ©2024 Trend Micro Inc.
 Instance Provisioning – Existing customers
Customers who already have Trend Micro endpoint security products, such as Apex One as a Service, already connected to Trend Vision One will require
an update to take advantage of the new feature in Trend Vision One, including Endpoint Security. No changes or updates to installed security agents are
required.

24 | ©2024 Trend Micro Inc.

 Instance Provisioning – Existing customers
Customers who already have Trend Micro endpoint security products, such as Apex One as a Service, already connected to Trend Vision One will require
an update to take advantage of the new feature in Trend Vision One, including Endpoint Security. No changes or updates to installed security agents are
required.

You will notice the new Standard

Endpoint Protection and Server &
Workload Protection apps displayed
under the Endpoint Security
Operations menu.

25 | ©2024 Trend Micro Inc.

 Instance Provisioning – Existing customers
Customers who already have Trend Micro endpoint security products, such as Apex One as a Service, already connected to Trend Vision One will require
an update to take advantage of the new feature in Trend Vision One, including Endpoint Security. No changes or updates to installed security agents are
required.

Expand the Service

Management category
and click the Product
Instance app. You will see
the Apex One as a Service
instance that are connected
to Trend Vision One.

26 | ©2024 Trend Micro Inc.

 Agent Deployment
An agent installer package can be downloaded from the Endpoint Security Inventory for either Standard Endpoint Protection, Se rvers and Workload
Protection, or an Endpoint Sensor only. A zip package is downloaded to your system, unzip the contents and run the EndpointBasecamp.exe file.

27 | ©2024 Trend Micro Inc.

 Agent Deployment – General Sensor Settings
Separate sensor policy settings can be defined for Standard Endpoints, Servers & Workloads or for a Sensor only. Endpoints with an installed sensor will
automatically inherit the settings defined here.

28 | ©2024 Trend Micro Inc.

 Deploying Agents with a Software Management System
Use a software management system such as Microsoft Intune to deploy the agent installer to your managed
endpoints.
You can use a software management system to deploy the agent installer across your environment, making
deployment and installation even easier. Deployment of Trend Vision One Endpoint Security agents is tested
and supported for the following deployment methods:
• Microsoft Intune
• Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager)
• Microsoft Active Directory Group Policy Object (GPO)

29 | ©2024 Trend Micro Inc.

 Deploying Policies

Vision
WebOne
Management
V Endpoint Console
1 Security

30 | ©2024 Trend Micro Inc.

 Policy Management

Select
product

Select targets

Define settings

Deploy

31 | ©2024 Trend Micro Inc.

 Policy Management

Select
product

Select targets

Define settings

Deploy

32 | ©2024 Trend Micro Inc.

 Policy Management

Select
product

Select targets

Define settings

Deploy

33 | ©2024 Trend Micro Inc.

 Policy Management

Select
product

Select targets

Define settings

Deploy

34 | ©2024 Trend Micro Inc.

V1 Endpoint Security -
Integration
 Active Directory Integration

• Maps the User/Endpoint Directory according to your existing organizational structure

and integrate endpoint information (such as threat detections and policy statuses) with
Active Directory user information (such as login history and contact details).

• Create User-based Application Control rules and Device Control rules based on Active
Directory users and groups.

36 | ©2024 Trend Micro Inc.

 Active Directory Integration
• Downloading a new synchronization agent deactivates any previously downloaded agents and stops
synchronizing previously configured Active Directory servers.

37 | ©2024 Trend Micro Inc.

 Active Directory Integration
• Downloading a new synchronization agent deactivates any previously downloaded agents and stops
synchronizing previously configured Active Directory servers.

38 | ©2024 Trend Micro Inc.

V1 Endpoint Security -
Data Loss Prevention
 Preventing Data Loss on Endpoint Computers
Data Loss Prevention protects Agents from the risk of data loss or leakage. Data Loss Prevention safeguards an
organization’s sensitive data against accidental or deliberate leakage. Data Loss Prevention allows you to:
• Identify the sensitive information that requires protection using data identifiers
• Create policies that limit or prevent the transmission of digital assets through common transmission channels,
such as email and external devices
• Enforce compliance to established privacy standards

Data Loss Prevention in Vision One Endpoint Security provides the following features:
• Digital Asset Control
• Data Discovery
• Device Control

40 | ©2024 Trend Micro Inc.

 DLP – Digital Asset Control

Create Create
Create
Data Template
Identifiers
Policy
• Expression Combine
• Template
s identifiers to
• Channel
• Attributes create condition
• Action
• Keywords statements

41 | ©2024 Trend Micro Inc.

 DLP – Digital Asset Control

Create
Data
Identifiers

• Expressions
• Attributes
• Keywords

42 | ©2024 Trend Micro Inc.

 DLP – Digital Asset Control

Create
Data
Identifiers

• Expressions
• Attributes
• Keywords

43 | ©2024 Trend Micro Inc.

 DLP – Digital Asset Control

Create
Data
Identifiers

• Expressions
• Attributes
• Keywords

44 | ©2024 Trend Micro Inc.

 DLP – Digital Asset Control

Create Create
Create
Data Template
Identifiers
Policy
• Expression Combine
• Template
s identifiers to
• Channel
• Attributes create condition
• Action
• Keywords statements

45 | ©2024 Trend Micro Inc.

 DLP – Digital Asset Control

Create
Template

Combine
identifiers to
create condition
statements

46 | ©2024 Trend Micro Inc.

 DLP – Digital Asset Control

Create Create
Create
Data Template
Identifiers
Policy
• Expression Combine
• Template
s identifiers to
• Channel
• Attributes create condition
• Action
• Keywords statements

47 | ©2024 Trend Micro Inc.

 DLP – Digital Asset Control

Create

Policy

• Template
• Channel
• Action
Templat Channel Action
e

48 | ©2024 Trend Micro Inc.

 DLP – Digital Asset Control

Create

Policy

• Template
• Channel
• Action

49 | ©2024 Trend Micro Inc.

 DLP – Digital Asset Control

Create

Policy

• Template
• Channel
• Action

50 | ©2024 Trend Micro Inc.

 DLP – Digital Asset Control

Create

Policy

• Template
• Channel
• Action

51 | ©2024 Trend Micro Inc.

 DLP – Digital Asset Control

Create

Policy

• Template
• Channel
• Action

52 | ©2024 Trend Micro Inc.

V1 Endpoint Security -
Troubleshooting & Investigation
 Security Configuration
The Security Configuration Index is a comprehensive rating of your organization's Trend Micro protection
status. The index is based on factors including agent and sensor deployment, and key feature adoption rates
for the endpoint, email, and network security layers. Enhance your security configuration to improve your
organization's Security Configuration Index.

54 | ©2024 Trend Micro Inc.

 Detection Models

Event on server Event from email

Event on network

Event on client Telemetry stored

in data lake

Data sweeping using Workbench Mitigate

Detection Models created threat

55 | ©2024 Trend Micro Inc.

 Detection Model Management

56 | ©2024 Trend Micro Inc.

 Model Details

57 | ©2024 Trend Micro Inc.

 Workbench Insights
Identify and mitigate potential system breaches and incidents in your environment.
Workbench Insights (XDR Threat Investigation → Workbench) displays a list of high-priority insights that let you start your investigations intelligently.
There are two types of Workbench insights: Correlated alerts and standalone alerts. Trend Vision One creates insights using advanced correlation and machine learning
techniques.

58 | ©2024 Trend Micro Inc.

 Workbench Alert Details

The product that is Findings: The findings of the alert

providing the data to the Available
investigation.
Open Workbench app •values:
Confirmed incident: The
In Progress investigation
confirmed the occurrence of threats or
malicious activities.
Closed • False positive: No malicious activity found.
• Benign true positive: The investigation has
confirmed the presence of a genuine threat that
poses no risk to the organization.
• Benign true positives are the result of
penetration test or other legitimate activities in
your environment.
• Noteworthy: Observations have identified
suspicious activity that requires more
investigation.
• -: The investigation has no
findings.

59 | ©2024 Trend Micro Inc.

 Alert Details

Basic
information of
the selected alert

Visualization
of alert with
click and drag
nodes

Event objects
that triggered
the alert

60 | ©2024 Trend Micro Inc.

 Navigating Within a Workbench

Entities affected
by the alert

61 | ©2024 Trend Micro Inc.

 Navigating Within a Workbench

Change status
of the alert

62 | ©2024 Trend Micro Inc.

 Navigating Within a Workbench

The findings
of the alert
investigation.

63 | ©2024 Trend Micro Inc.

 Navigating Within a Workbench

Add notes to
document
actions
performed.

64 | ©2024 Trend Micro Inc.

 Navigating Within a Workbench

View details of
MITRE
technique or
type of malware
used

65 | ©2024 Trend Micro Inc.

 Navigating Within a Workbench
Hover over
objects to
highlight in
the graph and
view
relationships
among objects

66 | ©2024 Trend Micro Inc.

 Navigating Within a Workbench

Click View
Event to create a
new search
query with the
event

67 | ©2024 Trend Micro Inc.

 Navigating Within a Workbench

Actions
•include:
Add to Block List
• Remove from Block
List
• Terminate
• Collect File
Right-click any • Block Sender
object to view • Quarantine Message
available actions • Delete Message
(menu varies • Isolate Endpoint
• Restore Connection
depending on the
• Start Remote Shell
type of object) Session

68 | ©2024 Trend Micro Inc.

©2024 Trend Micro Inc.