Apex One Specialization Handbook
Asia Pacific, Middle East and Africa
© 2022 Trend Micro Inc.
Table of Contents
Lesson 1: Trend Micro Apex One Overview
Objectives
1.1 Trend Micro Solutions
1.2 Key Challenges
1.3 Apex One Features & Components
1.4 Architecture
1.5 Supported Platforms
1.6 Introduction to Apex One SaaS
Lesson 2: Apex One Basic Configuration
Objectives
2.1 Communication Ports
2.2 Scan Types
2.3 Configuring Policies
2.4 Log Flow
2.5 Agent Grouping
2.6 Updates
Lesson 3: Apex One Product Licensing
Objectives
3.1 Smart Protection Suite
3.2 NFR Licenses
3.3 NFR - User Protection
3.4 Customer Licensing Portal (CLP)
Lesson 4: Introduction to Proof of Concepts
Objectives
4.1 Introduction to PoC & Demo
4.2 Product Cloud
4.3 Proof-of-Concept (PoC)
4.4 PoC Use Cases
Lesson 5: Competitive Advantage
Objectives
5.1 Competitive Advantage
5.2 IDC Market Share
5.3 Gartner
5.4 The Forrester Wave
Lesson 6: Endpoint Detection & Response
Lesson 1: Trend Micro Apex One Overview
Objectives:
Upon completion of this lesson, you will be able to:
Trend Micro provides layered content security with interconnected solutions that share data so
you can protect your users, network, data center, and cloud resources from data breaches and
targeted attacks.
Network Defense
The enterprise is in the crosshairs of an increasingly complex array of ransomware, advanced
threats, targeted attacks, vulnerabilities and exploits. Only complete visibility into all network
traffic and activity will keep the organization ahead of purpose-built attacks that bypass
traditional controls, exploit network vulnerabilities, and either ransom or steal sensitive data,
communications and intellectual property.
Trend Micro Network Defense detects and prevents breaches anywhere on the network to protect
critical data and reputation. Rapidly detect, analyze, and respond to targeted attacks on your
network. Stop targeted email attacks and detect advanced malware and ransomware with custom
sandbox analysis, before damage is done. The Trend Micro Network Defense solution preserves
the integrity of the network while ensuring that data, communications, intellectual property, and
other intangible assets are not monetized by unwanted third parties. A combination of next-
generation intrusion prevention and proven breach detection enables the enterprise to prevent
targeted attacks, advanced threats and ransomware from embedding or spreading within their
network.
User Protection
The threat landscape is constantly changing, and traditional security solutions on endpoint
computers can't keep up. Turning to multiple point products on a single endpoint results in too
many products that don't work together, increasing complexity, slowing users and leaving gaps
in an organization's security. To further complicate matters, organizations are moving to the cloud
and need flexible security deployment options that adapt as their needs change.
Trend Micro User Protection is an interconnected suite of security products and advanced threat
defense techniques that protect users from ransomware and other threats across endpoints,
gateways and applications, allowing the organization to secure all its users' activity on any
application, any device, anywhere.
Optimized
Minimizes IT impact with solutions that are specifically designed for and integrated with leading
customer platforms and applications on endpoint computers. The footprint on client
applications is minimized to ensure more efficient use of resources.
Connected
Speeds time to response with automatic sharing of threat intelligence across security layers and
centralized visibility and control. XGen security uses proven techniques to quickly identify known
good or bad data, freeing advanced techniques to identify unknown threats more quickly and
accurately. Applying these techniques in rapid succession, at the right time, regardless of location
and device, across a connected system, maximizes both visibility and performance. This core set
of techniques powers each of the Trend Micro solutions in a way that is optimized for each layer
of security: hybrid clouds, networks and user environments.
Apex One is the next evolution of the Trend Micro enterprise endpoint security solution and
replaces OfficeScan as Trend Micro's flagship endpoint security product. Apex One can be
installed as a new product in the enterprise, or an existing OfficeScan XG installation can be
upgraded to Apex One. Apex One protects endpoint computers from malware, network viruses,
Web-based threats, spyware and mixed threat attacks, both known and unknown. It uses a
client/server architecture that consists of a Security Agent program that resides on the endpoint
and a Server program that manages all Agents. The Agent guards the endpoint and reports its
security status to the Server. Apex One offers threat detection, response and investigation within
a single agent on both Windows and Mac computers.
The Apex One Server provides real-time, bidirectional communication between the Server and
Security Agents over HTTPS. The Apex One Web Management console makes it easy for
administrators to set coordinated security policies and
The Internet of Things (IoT) is a convenience for all of us, but it is an even greater convenience
for criminals. Most of us use several kinds of smart devices, and IoT lets us connect all of them
to each other, removing a lot of complexity: everything can be handled and controlled from
anywhere using just a phone. With that modern convenience comes continuous exposure, and
it pulls you away from good cyber protection. A criminal who compromises one of your devices
can gain access to information on all of them, both personal and professional. Compromised IoT
devices are also conscripted into botnets used for DDoS attacks, which can take whole
Internet-based systems offline. Threats to IoT systems and devices translate into larger security
risks because of characteristics of the underlying technology. These characteristics make IoT
environments functional and efficient, but they are also what threat actors are likely to abuse:
• Gathering of abundant data
• Connection of virtual and physical environments
• Creation of complex environments
• Centralization of architecture
The 2020 SonicWall Cyber Threat Report is the result of threat intelligence collected over the course of
2019 by over 1.1 million sensors placed in over 215 countries and territories.
A single management console makes it easy to deploy antivirus protection to multiple devices,
manage all devices from one place, mix and match device types, schedule regular scans and
quickly add more devices.
❖ Visibility:
“Lack of Integration of Security tools”
❖ Intelligence Sharing:
“Sharing of Threat Intelligence across different Solutions”
Threat Intelligence, or Cyber Threat Intelligence (CTI), is the part of cybersecurity that focuses
on collecting and analyzing information about current and potential cyber-attacks that threaten
the security of an environment. Sharing threat intelligence among solutions is important: it
lowers risk, helps avoid data loss, avoids repetitive tasks, enables in-depth threat analysis, and
supports a timely response to an attack.
Apex One converges these capabilities to overcome the key challenges of manageability, visibility
and threat intelligence sharing.
Trend Micro Apex One™ protection offers advanced automated threat detection and response
against an ever-growing variety of threats, including fileless and ransomware. Our cross-
generational blend of modern techniques provides highly tuned endpoint protection that
maximises performance and effectiveness.
Threat Detection
A range of layered detection capabilities, alongside investigation and response,
defends the endpoint through every stage of an attack.
Entry point detection uses methods that capture threats as they enter the endpoint.
✓ Web Reputation: Web reputation blocks connections to malicious Web sites. This is done
at the kernel level, allowing Apex One to not only block users from accessing a malicious
site, but also blocking programs on the endpoint from accessing the site.
✓ HIPS-Virtual Patching: Apex One blocks exploits of operating system vulnerabilities by
applying a virtual patch. Backed by Trend Micro's vulnerability research, this provides protection
for operating system vulnerabilities promptly after they are disclosed.
✓ Browser Exploit Protection: Malicious behavior can also be captured within the Web
browser based on script inspection and site behavior.
✓ Device Control: Apex One can block unknown removable media devices, making it less
likely for the endpoint to be infected with malware. This protection is now available for the
Mac in Apex One.
Detection methods used in the pre-execution phase capture and block threats as they are written
to disk or to memory.
✓ Packer Detection: Apex One identifies packed malware as it unpacks prior to execution,
blocking threats attempting to hide themselves in memory.
✓ Predictive Machine Learning: File-based threats can be evaluated against a cloud-based
model before they are run to predict if the file is malicious. Apex One can take advantage of
an offline model in cases where the endpoint is not connected to the network. Mac computers
can now benefit from this technique as well.
✓ Application Control: Application control prevents unrecognized software from executing.
✓ Variant Protection: Variant protection detects mutations of malicious samples by
recognizing known fragments of malware code.
✓ File-based Signatures: The majority of threats still arrive at the endpoint as file-based
attacks. File-based signatures provide an effective technique for detecting known malicious
items.
While many threats can be detected as they are written to disk, there are some threats that won’t
be detected until they execute.
✓ Runtime Machine Learning: Run-time machine learning techniques monitor everything that
is executing and evaluate it against a separate run-time machine learning model.
✓ IOA Behavioral Analysis: Powerful behavior analysis techniques provide a clear indication
if an attack is taking place based on file behavior. This provides an effective mechanism for
detecting ransomware and file-less malware. New rules are continually being introduced to
detect new suspicious behavior.
✓ In-memory Runtime Analysis: Some malware executes only in memory. In-memory
runtime analysis can monitor for malicious script behavior or code injections in memory and
stop them once they start running.
Methods in this phase detect and block attempts to exfiltrate data from the endpoint.
✓ Web Reputation: At this phase, Web reputation protection can block connections to
malicious Web sites, such as Command & Control sites. Again, this protection is applied at
the kernel level blocking connections from the Web browser, or from any other application
running on the endpoint.
✓ Host Intrusion Prevention: Host intrusion prevention detects and blocks malware lateral
movement behavior.
✓ Data Exfiltration Detection: Data Leak Prevention techniques can detect sensitive data
leaving the endpoint and block its movement.
✓ Device Control: Unknown removable media devices can be blocked to prevent data leaving
the endpoint.
Threat detection techniques on the endpoint enable Apex One to give a rapid, effective and
automated response to threats.
• Infuses high-fidelity machine learning with other advanced detection techniques for the
broadest protection against ransomware and advanced attacks.
• Progressively filters out threats using the most efficient technique for maximum detection
without false positives.
• Blends signature-less techniques, including high-fidelity machine learning, behavioral
analysis, variant protection, census check, application control, exploit prevention and good
✓ Insightful:
Get actionable insights, expanded investigative capabilities, and centralised visibility by using an
advanced EDR toolset, strong SIEM integration, and an open API set. Perform threat investigation
through integrated and extended EDR or by boosting your security teams with the managed
service option.
Leverage techniques that allow you to discover and respond to threats before they compromise
data. Extend detection and response across endpoints, email, and servers.
Apex One integrates new Endpoint Detection & Response capabilities including server-side
metadata sweeping, Indicator of Attack (IOA) behavior hunting, and new query and automation
Application Programming Interfaces (APIs).
Apex One offers an industry-leading breadth of capabilities from a single user agent. Apex One
offers a powerful EDR with automated detection & response tools, simplifying deployment and
eliminating silos. In an evolving technological landscape, you need security that goes beyond
traditional antivirus. Apex One offers threat detection, response and investigation within a single
agent. Eliminate multiple vendors and consoles and gain deployment flexibility through both SaaS
and on-premises deployment options.
• Apex One leverages a blend of cross-generational threat techniques to provide the broadest
protection against all types of threats. Apex One offers additional threat protection from
programs that exhibit malicious behavior.
• Infuses high-fidelity machine learning that analyzes files not only before execution
but also during runtime, for more accurate detection.
• Apex One can be deployed on site in your network or is available as a service, with full product
parity between the two deployment options.
• Extend control and visibility across hybrid & multi-cloud models. Maintains consistent security
in a hybrid environment.
Vulnerability Protection
Protects endpoint computers from being exploited through operating system vulnerability attacks.
Delivers virtual patches for legacy operating systems that are no longer patched by the
vendor. Reduces recovery downtime with incremental protection against zero-day attacks.
Predictive Machine Learning
Predictive Machine Learning can protect your network from new, previously unidentified or
unknown threats through advanced file feature analysis and heuristic process monitoring. Apex
One delivers this functionality through a cloud-based machine learning model and introduces a
local model for computers without a network connection.
Behavior Monitoring
Behavior Monitoring constantly monitors Agent computers for unusual and unauthorized
modifications to the operating system or installed software and blocks them.
Web Reputation
Web Reputation technology protects Agent computers, within or outside the corporate network,
from malicious and potentially dangerous Web sites. This service breaks the infection chain and
prevents the download of malicious code. The credibility of Web sites and pages is verified by
integrating Apex One with a Smart Protection Server or the Trend Micro Smart Protection
Network. The Apex One Suspicious Connection Service monitors the behavior of connections
that endpoints make to potential Command & Control servers, and Browser Exploit Protection
blocks web pages containing malicious scripts.
Data Loss Prevention
Data Loss Prevention safeguards an organization's digital assets against accidental or deliberate
leakage. It provides visibility and control of data and prevents data loss via USB, email, cloud
storage and other channels, protecting data both at rest and in motion. Improper data use is
detected based on keywords, regular expressions and file attributes. Deployment is simplified and
helps the organization comply with guidelines and regulations. Device Control regulates access to
external storage devices and network resources connected to computers; it prevents data loss and
leakage and, combined with file scanning, helps guard against security risks.
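The keyword, regular-expression and file-attribute detection just described, as an added Go example; this is not Trend Micro code and does not reproduce Apex One's DLP templates. It shows why a regular expression alone is a weak data identifier: a 16-digit pattern also matches order numbers, so the card rule pairs the regex with a Luhn checksum, and the file-attribute conditions (extension, size) are checked before any content is read. The rule set, file types, size limit and sample document are all constructed for the example.

```go
package main

import (
	"path"
	"regexp"
	"strings"
)

// Rule is one data identifier: a regular expression plus an optional
// validator for matches that the pattern alone cannot tell apart.
type Rule struct {
	Name     string
	Pattern  *regexp.Regexp
	Validate func(match string) bool
}

// Finding is one policy hit in one file.
type Finding struct {
	File, Rule, Match string
}

// Policy combines content rules with file-attribute conditions.
type Policy struct {
	Rules        []Rule
	Extensions   map[string]bool // only these file types are inspected
	MaxSizeBytes int             // larger files are skipped (assumption for the example)
}

var nonDigit = regexp.MustCompile(`\D`)

// luhnValid applies the Luhn checksum that genuine payment card numbers satisfy;
// it turns a 16-digit regex hit into a much lower false-positive signal.
func luhnValid(s string) bool {
	d := nonDigit.ReplaceAllString(s, "")
	if len(d) < 13 || len(d) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(d) - 1; i >= 0; i-- {
		n := int(d[i] - '0')
		if double {
			n *= 2
			if n > 9 {
				n -= 9
			}
		}
		sum += n
		double = !double
	}
	return sum%10 == 0
}

// DefaultPolicy is a constructed sample policy: card numbers (regex + Luhn)
// and a keyword rule, applied to office and text files under 10 MB.
func DefaultPolicy() Policy {
	return Policy{
		Rules: []Rule{
			{Name: "Payment card number", Pattern: regexp.MustCompile(`\b(?:\d[ -]?){15}\d\b`), Validate: luhnValid},
			{Name: "Confidential keyword", Pattern: regexp.MustCompile(`(?i)\b(confidential|internal only)\b`)},
		},
		Extensions:   map[string]bool{".txt": true, ".docx": true, ".xlsx": true, ".pdf": true},
		MaxSizeBytes: 10 << 20,
	}
}

// Scan evaluates the cheap file-attribute conditions first, then runs every rule
// over the content and keeps only the matches that pass the rule's validator.
func (p Policy) Scan(name string, content []byte) []Finding {
	if !p.Extensions[strings.ToLower(path.Ext(name))] || len(content) > p.MaxSizeBytes {
		return nil
	}
	var out []Finding
	text := string(content)
	for _, r := range p.Rules {
		for _, m := range r.Pattern.FindAllString(text, -1) {
			if r.Validate != nil && !r.Validate(m) {
				continue // e.g. a 16-digit order number that fails Luhn
			}
			out = append(out, Finding{File: name, Rule: r.Name, Match: m})
		}
	}
	return out
}
```

In a product the identifiers would be the vendor's predefined templates and the attribute filter part of the policy's file-type settings; the structure that carries over is cheap attribute checks first, then pattern plus validator, so that a bare regex is never the only evidence behind a block action.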
Endpoint Detection and Response
Apex One provides actionable insights, expanded investigative capabilities and centralized
visibility across the network through an advanced Endpoint Detection and Response (EDR)
toolset. Threat investigation can be performed through the integrated EDR or by boosting your
security team with the Managed Detection and Response (MDR) service option. Endpoint
Detection and Response capabilities are included in Apex One and Apex Central but are licensed
separately.
Application Control
Application Control prevents unrecognized or unauthorized software from executing on the endpoint.
Sandboxing
Sandboxing provides custom defense against threats identified by endpoints protected by Trend
Micro products in your environment. It allows Security Agents to submit suspicious files to a Cloud
Sandbox, where each file is executed in an isolated environment. Files determined to be
dangerous are submitted to Trend Micro Apex Central for addition to the Suspicious Objects list.
Endpoint Encryption
Endpoint Encryption encrypts data on a wide range of devices including laptops and desktops,
USB drives and other removable media, providing full disk, file/folder, and removable media
encryption to prevent unauthorized access and use of private information. Endpoint Encryption is
a standalone product that is licensed and installed separately from Apex One, but its capabilities
can be integrated into Apex One Security Agents through Apex Central policies.
Ransomware Protection
Enhanced scan features can identify and block ransomware programs that target documents on
endpoint computers by identifying common behaviors and blocking processes commonly
associated with ransomware programs.
Firewall Protection
The Apex One firewall protects endpoint computers on the network using stateful inspection.
Rules can be created to filter connections by application, IP address, port number and protocol
and then applied to different groups of users.
Device Control
Device Control regulates access to external storage devices and network resources connected
to computers. Device Control helps prevent data loss and leakage, and, combined with file
scanning, helps guard against security risks.
Outbreak Control
Apex One Outbreak Prevention Services shut down infection vectors and rapidly deploy attack-
specific security policies to prevent or contain outbreaks before pattern files are available.
Virtual Patching
Vulnerability Protection protects endpoints from being exploited through operating system
vulnerability attacks. It automates the application of virtual patches to endpoint computers before
official patches from the vendor become available. A virtual patch is an intrusion-prevention rule
that blocks exploit traffic for a known vulnerability; it does not change the vulnerable software, so
the official vendor patch should still be applied once it is available.
Cloud-Based Intelligence
Apex One benefits from a global cloud-based repository of threat data through the Trend Micro
Smart Protection Network. Services, such as ActiveUpdate, File Reputation, Web Reputation,
Predictive Machine Learning and more are delivered to Trend Micro products through the cloud-
based Smart Protection Network.
Multi-Platform Support
Apex One provides endpoint protection features for both Windows and Mac operating systems.
Support for Mac endpoints is enabled through a plug-in in Apex One. Not all Apex One
functionality is currently available on Mac endpoint computers.
Simplified Administration
The Apex One Web Management console gives administrators access to all Agents and Servers
on the network. From the Web Management console, administrators can coordinate automatic
deployment of security policies, pattern files, and software updates on every Agent and server.
Off-Premise Management
Apex One manages external Security Agents through the Edge Relay Server. The Edge Relay
Server provides log collection, sample submission and suspicious object list deployment to Agents
outside the network.
▪ Components:
Database
The database stores all the information Apex One requires to operate. A Microsoft SQL Server
database is required to complete the Apex One setup; alternatively, a SQL Server Express
database can be installed as part of the setup process. The database can be hosted on the same
server as Apex One or on a separate server.
Apex Central
Apex Central (previously known as Control Manager) provides a single unified interface to
manage, monitor and report across multiple layers of security and deployment models.
Customizable data displays allow administrators to rapidly assess status, identify threats and
respond to incidents. With Apex Central, administrators can manage Apex One, Apex One (Mac),
as well as other Trend Micro products, from a single interface. User-based visibility shows what
is happening across all endpoints, enabling administrators to review policy status and make
changes across all user devices. In the event of a threat outbreak, administrators have complete
visibility of an environment to track how threats have spread.
Direct links to the Trend Micro Threat Connect database provide access to actionable threat
intelligence, which allows administrators to explore the complex relationships between malware
instances, creators and deployment methods. Apex Central is responsible for compiling the
Suspicious Objects list for use in Connected Threat Defense.
Security Agents
An Apex One Security Agent on each endpoint protects Windows and Mac computers from
security risks. The Agent reports to the parent Apex One Server from which it was installed and
sends security events and status information to the Server in real time. Security Agents can be
installed on endpoint computers within and outside the corporate network.
Update Agents
Update Agents are Security Agents that function as alternative update sources for other Agents
within an Apex One network, serving as local ActiveUpdate sites.
Reference Server
The Reference Server allows Agents to determine whether they are internal or external to the network.
Trend Micro Vision One
Trend Micro Vision One is a threat defense platform that extends XDR capabilities to endpoints
managed by Apex One as a Service. It applies the most effective AI and expert analytics to the
activity data collected from Apex One as a Service to produce fewer, higher-fidelity alerts.
Mac Sandbox
Mac Sandbox is a hosted service that analyzes possible threats for macOS.
A hybrid deployment combines on-premises and cloud servers and requires the Remote
Connection Tool in the DMZ so that the service product consoles can register to the on-premises
Apex Central server. The Remote Connection Tool runs as a service named Smart Relay Service.
▪ OS Platforms
NOTE: Resource spikes may occur if a large number of applications, whether native Windows
or third-party, are running simultaneously on a computer. If the target machine is already low
on memory and disk space, the Apex One administrator should consider upgrading the
necessary hardware components before installing Apex One. This applies to both on-premise
and SaaS deployments.
• Supported OS Platforms
Service Gateway
• Specifications
Database Server
• Supported DB versions (Apex Central)
A fresh installation of Apex One with SQL Server 2019 aborts because of a compatibility issue.
To work around the installation failure:
1. Install Data-tier Application 18.2 (both the x86 and x64 packages are required) on the Apex One
server.
2. Run the Apex One server installer again.
Trend Micro Apex One as a Service provides enhanced security against unknown, zero-day and
web-based threats on top of, and alongside, the current endpoint protection solution.
Apex One as a Service provides rapid deployment and simplified administration and maintenance,
with the same comprehensive enterprise threat protection as on-premises Apex One. It is
delivered through an architecture that uses resources more effectively and optimizes CPU and
network utilization.
With this service offering, Trend Micro applies updates and patches to the service on a regular
basis. Administrators log into the Web Management console through a customized URL. Trend
Micro provides feature parity between the on-premises and service versions of Apex One, and an
on-premises deployment of Apex One can be migrated to Apex One as a Service.
Lesson 2: Apex One Basic Configuration
Objectives:
Upon completion of this lesson you will be able to:
Multiple ports must be allowed through an organization's firewall for Apex One to operate.
For secure connectivity between an Apex One Agent and the Apex One Server, the agent must be
validated by the following flow:
1. Register: the agent registers with the server, sending its endpoint information (such as MAC/IP
address, hostname, OS version, language and product version).
2. Acknowledgement: the server acknowledges the registration and places the incoming agent on
the pending list for approval.
3. Awaiting approval: after the acknowledgement, the agent waits for approval by reconnecting
to the server regularly for a fixed period of time (e.g. 24 hours).
4. Approval: the server approves registering agents by one of the following approaches:
• Manual approval.
• Automatic approval via the whitelist solutions.
• Automatic approval via a deployment session token.
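The four-step flow above, modelled as an added Go example; this is not Apex One's own code or wire format. A small server keeps the pending list, auto-approves agents whose hostname is on a whitelist or that present an unused deployment session token, and lets an administrator approve the rest manually while the agent polls. Keying agents by MAC address, whitelisting by hostname, the single-use token and the fixed 24-hour window after which a still-pending agent must register again are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"time"
)

// EndpointInfo is what the agent sends at registration.
type EndpointInfo struct {
	MAC, IP, Hostname, OSVersion, Language, ProductVersion string
}

type Status int

const (
	Pending  Status = iota // acknowledged, sitting on the pending list
	Approved               // may receive policies, updates and commands
	Expired                // waited past the window; must register again
)

type registration struct {
	info     EndpointInfo
	status   Status
	deadline time.Time
}

// RegistrationServer models the server side of the flow (illustrative only).
// Assumptions: agents are keyed by MAC, the whitelist is by hostname, and a
// pending agent that is not approved inside the window must start over.
type RegistrationServer struct {
	Clock     func() time.Time // injectable so tests can move time
	Whitelist map[string]bool  // hostnames approved automatically
	window    time.Duration
	tokens    map[string]bool // unconsumed deployment session tokens
	agents    map[string]*registration
}

func NewRegistrationServer(window time.Duration) *RegistrationServer {
	return &RegistrationServer{
		Clock:     time.Now,
		Whitelist: map[string]bool{},
		window:    window,
		tokens:    map[string]bool{},
		agents:    map[string]*registration{},
	}
}

// IssueToken mints a single-use deployment session token for an agent package.
func (s *RegistrationServer) IssueToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.tokens[tok] = true
	return tok, nil
}

// consumeToken compares in constant time and burns the token on first use, so a
// token lifted from one installer cannot enrol a second, attacker-controlled agent.
func (s *RegistrationServer) consumeToken(presented string) bool {
	for tok := range s.tokens {
		if subtle.ConstantTimeCompare([]byte(tok), []byte(presented)) == 1 {
			delete(s.tokens, tok)
			return true
		}
	}
	return false
}

// Register is steps 1 and 2 plus the automatic branches of step 4.
func (s *RegistrationServer) Register(info EndpointInfo, token string) Status {
	reg := &registration{info: info, status: Pending, deadline: s.Clock().Add(s.window)}
	s.agents[info.MAC] = reg
	if s.Whitelist[info.Hostname] || (token != "" && s.consumeToken(token)) {
		reg.status = Approved
	}
	return reg.status
}

// Approve is the manual branch of step 4.
func (s *RegistrationServer) Approve(mac string) error {
	reg, ok := s.agents[mac]
	if !ok {
		return errors.New("unknown agent: " + mac)
	}
	reg.status = Approved
	return nil
}

// Poll is step 3: the agent reconnects periodically to learn where it stands.
func (s *RegistrationServer) Poll(mac string) (Status, error) {
	reg, ok := s.agents[mac]
	if !ok {
		return Pending, errors.New("unknown agent: " + mac)
	}
	if reg.status == Pending && s.Clock().After(reg.deadline) {
		reg.status = Expired
	}
	return reg.status, nil
}
```

The point to carry over is that automatic approval has to be bound to something an attacker on the network cannot simply replay: a token that is burned on first use, or an allow-list the server already trusts, rather than the endpoint information the agent asserts about itself.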
Server-initiated Communications
Apex One uses public-key cryptography to authenticate communications that the Apex
One server initiates on agents. With public-key cryptography, the server keeps a private key and
deploys a public key to all agents. The agents use the public key to verify that incoming
communications are server-initiated and valid. The agents respond if the verification is
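The server-initiated path described above, as an added Go example rather than Apex One's own implementation or wire format: the server signs each command with an Ed25519 private key and the agent verifies it with the deployed public key. Beyond the bare signature check, the agent also rejects commands outside their validity window and commands whose ID it has already processed, because a valid signature alone does not stop an attacker on the network from replaying a captured command later. The JSON command layout, the ID counter, the five-minute clock-skew allowance and the choice of Ed25519 are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Command is the signed body. The field layout is an illustration,
// not the Apex One wire format.
type Command struct {
	ID      uint64 `json:"id"`      // increases per command; used to reject replays
	Issued  int64  `json:"issued"`  // Unix seconds
	Expires int64  `json:"expires"` // Unix seconds
	Action  string `json:"action"`
	Args    string `json:"args"`
}

// SignedCommand is what travels from server to agent.
type SignedCommand struct {
	Body []byte // JSON encoding of Command
	Sig  []byte // Ed25519 signature over Body
}

// CommandSigner is the server side: it keeps the private key and
// hands out only the public half.
type CommandSigner struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
	next uint64
}

func NewCommandSigner() (*CommandSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CommandSigner{priv: priv, pub: pub}, nil
}

// PublicKey is the key deployed to every agent.
func (s *CommandSigner) PublicKey() ed25519.PublicKey { return s.pub }

// Sign issues a command that is valid for ttl from now.
func (s *CommandSigner) Sign(action, args string, now time.Time, ttl time.Duration) (SignedCommand, error) {
	s.next++
	body, err := json.Marshal(Command{
		ID: s.next, Issued: now.Unix(), Expires: now.Add(ttl).Unix(), Action: action, Args: args,
	})
	if err != nil {
		return SignedCommand{}, err
	}
	return SignedCommand{Body: body, Sig: ed25519.Sign(s.priv, body)}, nil
}

var (
	ErrBadSignature = errors.New("signature does not verify under the server public key")
	ErrExpired      = errors.New("command outside its validity window")
	ErrReplay       = errors.New("command ID already processed")
)

// CommandVerifier is the agent side: it holds only the public key.
type CommandVerifier struct {
	pub  ed25519.PublicKey
	seen map[uint64]bool
	skew time.Duration // tolerated clock difference between server and agent
}

func NewCommandVerifier(pub ed25519.PublicKey) *CommandVerifier {
	return &CommandVerifier{pub: pub, seen: map[uint64]bool{}, skew: 5 * time.Minute}
}

// Verify accepts a command only if the signature is valid, the command is inside
// its validity window, and its ID has not been seen before. The signature is
// checked first: nothing inside the body is trusted until it verifies.
func (v *CommandVerifier) Verify(sc SignedCommand, now time.Time) (Command, error) {
	if !ed25519.Verify(v.pub, sc.Body, sc.Sig) {
		return Command{}, ErrBadSignature
	}
	var cmd Command
	if err := json.Unmarshal(sc.Body, &cmd); err != nil {
		return Command{}, err
	}
	t := now.Unix()
	if t > cmd.Expires || t < cmd.Issued-int64(v.skew.Seconds()) {
		return Command{}, ErrExpired
	}
	if v.seen[cmd.ID] {
		return Command{}, ErrReplay
	}
	v.seen[cmd.ID] = true
	return cmd, nil
}
```

Verifying before parsing keeps untrusted bytes away from the JSON decoder, and a command signed by any key other than the deployed one (a rogue server on the network) fails exactly like a tampered one. In a real agent the set of seen IDs would be persisted or bounded by the validity window rather than kept only in memory.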
Agent-initiated Communications
Agents communicate with their Server by sending HTTPS messages to the Apex One Server and
calling ISAPI/CGI commands. These commands invoke certain actions on the Server, and the
Server returns a corresponding answer to the Agent's request. These messages can be sent to
the Server as regular polling messages. While doing this, the Agents also pass information about
themselves, for example UID, computer name, program version, etc. These calls are processed by the
The Apex One Agent connection status depends on the way in which the Apex One server
communicates with the Apex One Agent. The different connection statuses available for the Apex
One Agent include:
Online
The Apex One Agent can connect to the Apex One server for bi-directional communication of the
following:
• Policy settings
• Updates
• Scan commands
• Suspicious Object list synchronization
• Sample submission
Offline
The Apex One Agent has no functional connection with the Apex One server or an Edge Relay
server.
Independent
The Apex One Agent can connect to the server, but communication is limited. While in
Independent mode:
• The Apex One Agent does not accept policy settings from the server
• The Apex One Agent does not run scan commands initiated from the server
• The Apex One Agent does not send logs to the server
You can configure Independent Agents with privileges to allow or block component updates if a
functional connection to the Apex One server is available.
End users can manually initiate scans and updates on Agents in Independent mode.
Security Agents can use one of two scan methods when scanning for security risks. The scan
methods are Smart Scan & Conventional Scan.
Default Scan Type: In this Apex One version, the default scan method for fresh installations is
smart scan. This means that if you perform a fresh Apex One server installation and do not
change the scan method on the web console, all agents that the server manages use smart scan.
If you upgrade the Apex One server from an earlier version and automatic agent upgrade is
enabled, all agents managed by the server still use the scan method configured before the
upgrade. For example, if you upgrade from a previous version of Apex One that supports smart
scan and conventional scan, all upgraded agents that use smart scan continue to use smart scan
and all agents using conventional scan continue to use conventional scan.
Apex One server: Ensure that agents can connect to the Apex One server. Only online agents will be notified to switch to smart scan. Offline agents get notified when they become online. Independent agents are notified when they become online or, if the agent has scheduled update privileges, when the scheduled update runs. Also verify that the Apex One server has the latest components, because smart scan agents need to download the Smart Scan Agent Pattern from the server.
Number of agents to switch: Switching a relatively small number of agents at a time allows efficient use of Apex One server resources. The Apex One server can perform other critical tasks while agents change their scan methods.
Timing: When switching to smart scan for the first time, agents need to download the full version of the Smart Scan Agent Pattern from the Apex One server. The Smart Scan Pattern is only used by smart scan agents. Consider switching during off-peak hours to ensure the download process finishes within a short amount of time. Also consider switching when no agent is scheduled to update from the server, and temporarily disable "Update Now" on agents, re-enabling it after the agents have switched to smart scan.
Agent tree settings: Scan method is a granular setting that can be set on the root, domain, or individual agent level. When switching to smart scan, you can:
• Create a new agent tree domain and assign smart scan as its scan method. Any agent you move to this domain will use smart scan. When you move the agent, enable the setting Apply settings of new domain to selected agents.
• Select a domain and configure it to use smart scan. Conventional scan agents belonging to the domain will switch to smart scan.
• Select one or several conventional scan agents from a domain and then switch them to smart scan.
Note:
Smart Scan:
File Reputation Services: Check the reputation of each file against an extensive in-the-cloud
database. Since the malware information is stored in the cloud, it is available instantly to all users.
The cloud-Agent architecture eliminates the burden of pattern deployment while significantly
reducing the overall Agent footprint. Security Agents must be in Smart Scan mode to use File
Reputation Services.
Web Reputation Services: With one of the largest domain-reputation databases in the world,
Trend Micro Web reputation technology tracks the credibility of Web domains by assigning a
reputation score based on factors such as a Website's age, historical location changes and
indications of suspicious activities discovered through malware behavior analysis. Web reputation
then continues to scan sites and block users from accessing infected ones. Web reputation
features help ensure that the pages that users access are safe and free from Web threats, such
as malware, spyware, and phishing scams that are designed to trick users into providing personal
information. To increase accuracy and reduce false positives, Trend Micro Web reputation
Security Agents can switch between these Smart Protection sources based on their location
relative to the corporate network. When the Agent detects that it is outside the corporate network,
it will look for the Trend Micro Smart Protection Network, and when it is inside the network, it will
look for pre-designated Smart Protection Servers.
A Service Gateway installed in the local network acts as a relay between Trend Micro Vision
One and other products, such as on-premises Trend Micro or third-party products. This allows use
of Trend Micro cloud services while reducing Internet traffic and sharing threat intelligence.
• Select Local File > choose the downloaded OVA file, and then click Next.
• Make a final review then click Finish to start the deployment process.
• Click Next
• Specify the network connection that VM will use, and click Next
• Navigate to the location where you downloaded and extracted the VHD file, select the file,
and then click Open
• Click Processor, specify the number of virtual processors, and then click OK
• Click Start to start the virtual machine. Service installation during the first launch of the
appliance takes approximately 10 minutes.
• Copy the registration Token and proceed and paste it to putty to register the Service
Gateway.
Column: Priority
Description: Displays the priority of the policies.
• Apex Central lists policies from the highest to the lowest priority.
• When administrators create a filtered policy, Apex Central saves the new policy as the lowest priority policy.
• A specified policy takes priority over any filtered policies and remains on the top of the list. Administrators cannot reorder specified policies.
• Apex Central places draft policies at the bottom of the list.
Labels can be assigned to endpoints, allowing policies to be deployed to any endpoint with that label. Labels can be added manually to endpoints, or auto-label rules can assign them to any endpoint that matches the rule criteria.
Create Labels
• Click Directories > Users/Endpoints to display the User/Endpoint Directory list.
• Expand Endpoints > Labels and click Add new label
2. Select the type of product settings from the Product list. The screen refreshes to display
policies created for the selected managed product.
5. Specify targets.
Apex Central provides several target selection methods that affect how a policy works.
The policy list arranges the policy targets in the following order:
o Specify Targets: Use this option to select specific endpoints or managed products.
o Filter by Criteria: Use this option to allocate endpoints automatically based on the filtering
criteria.
i. On the Create Policy screen, go to the Targets section, select Filter by Criteria, and
then click Set Filter. The Filter by Criteria screen appears.
ii. Select the following options and define the criteria.
6. Click a managed product feature to expand it and configure its settings. Repeat this step to
configure all features.
Administrators can copy the settings from an existing policy, create a new policy with the same
settings, and deploy the settings to different endpoints or managed products.
Note:
It is not possible to copy the settings of a child Apex One Agent policy. To determine whether
the Apex One Agent policy is a child or a parent, check the Parent Policy column. A clickable
value displays if the policy is a child, and N/A if otherwise.
2. Select the type of product settings from the Product list. The screen refreshes to display
policies created for the selected managed product.
4. Click Copy Settings. The Copy and Create Policy screen appears.
8. Click Deploy.
Note:
o After clicking Deploy, please wait two minutes for Apex Central to deploy the
policy to the targets. Click Refresh on the Policy Management screen to update
the status information in the policy list.
o Apex Central enforces the policy settings on the targets every 24 hours.
III. Inherited policy settings:
Create a new child policy by inheriting the settings of an existing parent policy. A child policy
cannot be copied and its settings cannot be inherited.
This task requires a parent policy for the Apex One agent. A parent policy for the Apex One agent
has the value N/A displayed under the Parent Policy column.
2. Select Apex One Agent from the Product list. The screen refreshes to display policies created
for the selected managed product.
3. Select a parent policy that does not have locally managed settings.
4. Click Inherit Settings. The Inherit and Create Policy screen appears.
7. (Optional) Review the settings that can be customized or extended and then make changes
as necessary.
Note:
A setting cannot be customized or extended if the option selected on the parent policy
is Inherit from parent.
For example:
o If the Scheduled Scan setting is customizable, you can change the schedule from weekly
to daily.
o If the scan exclusion list for Real-time Scan can be extended, you can type additional file
names that you deem safe and trustworthy. After the child policy is created, it will add
those file names to the scan exclusion list.
8. Click Deploy.
o After clicking Deploy, please wait two minutes for Apex Central to deploy the policy to the
targets. Click Refresh on the Policy Management screen to update the status information
in the policy list.
o Apex Central enforces the policy settings on the targets every 24 hours.
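The customizable/extendable/inherit rules for child policies described above, as an added example written for this page (not Apex Central's own code): a small model in which a parent policy carries a permission level per setting, a child may replace customizable values, may only append to extendable lists, and is refused any change to a setting locked to Inherit from parent. Setting names, values and the data layout are constructed for illustration.

```python
"""Added example (not Apex Central code): a model of how a child policy takes
its settings from a parent policy under the three permission levels the
handbook describes.  Setting names and values are constructed for illustration."""
from copy import deepcopy

INHERIT, CUSTOMIZABLE, EXTENDABLE = "inherit", "customizable", "extendable"


class PolicyError(ValueError):
    """Raised when a child tries to change a setting the parent has locked."""


def rejected_overrides(parent, overrides):
    """Names in 'overrides' that the parent locks with 'Inherit from parent'."""
    return sorted(n for n in overrides
                  if parent["permissions"].get(n, INHERIT) == INHERIT)


def build_child_policy(parent, overrides):
    """Return the child's effective settings.

    parent:    {"settings": {name: value}, "permissions": {name: level}}
    overrides: {name: value} requested for the child.
    - inherit:      the change is rejected;
    - customizable: the child's value replaces the parent's;
    - extendable:   parent entries are kept and the child's are appended
                    (the child can add exclusions but never drop the parent's).
    """
    bad = rejected_overrides(parent, overrides)
    if bad:
        raise PolicyError(f"locked by parent: {', '.join(bad)}")
    effective = deepcopy(parent["settings"])
    for name, value in overrides.items():
        level = parent["permissions"][name]
        if level == CUSTOMIZABLE:
            effective[name] = value
        elif level == EXTENDABLE:
            base = list(parent["settings"].get(name, []))
            effective[name] = base + [v for v in value if v not in base]
        else:
            raise PolicyError(f"unknown permission level {level!r} for {name!r}")
    return effective


def propagate_parent_change(parent, children, name, value):
    """A change on the parent reaches every child (and through them their
    targets); returns the rebuilt settings of each child in order."""
    updated = deepcopy(parent)
    updated["settings"][name] = value
    return [build_child_policy(updated, c) for c in children]


# Constructed sample parent policy mirroring the handbook's example:
# the schedule may be customized, the exclusion list may only be extended,
# the scan method is locked.
PARENT = {
    "settings": {
        "scheduled_scan": "weekly",
        "realtime_scan_exclusions": ["C:\\Backups\\", "C:\\BuildCache\\"],
        "scan_method": "smart",
    },
    "permissions": {
        "scheduled_scan": CUSTOMIZABLE,
        "realtime_scan_exclusions": EXTENDABLE,
        "scan_method": INHERIT,
    },
}
```

Because an extendable list can only grow, the parent's exclusions survive in every child; anything a child adds widens what Real-time Scan skips, so review child exclusion lists with the same care as the parent's.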
Administrators can modify policy targets and settings as necessary. The root account owner can
modify every policy in the list, while other account owners can only modify the policies they
created. After a policy is modified, Apex Central deploys the policy to the targets.
Important:
Each managed product provides different policy settings that you can configure and deploy to
policy targets. You can find a complete list of supported managed products and the policy settings
for each in the Apex Central Widget and Policy Management Guide.
You can download a PDF version of the guide, or view the guide online, using the following link:
https://docs.trendmicro.com/en-us/enterprise/apex-central.aspx
For a parent policy for the Apex One agent, if you modify the targets and settings for specific features, the modifications apply to all child policies and are deployed to the respective targets. Some settings on a parent policy support permissions, which control the changes allowed on child policies. Modifications to these parent policy permissions are also applied to child policies and deployed to targets.
1. Navigate to Policies > Policy Management. The Policy Management screen appears.
2. Select the type of product settings from the Product list. The screen refreshes to display
policies created for the selected managed product.
3. Click a policy name in the Policy column. The Edit Policy screen appears.
Note:
Modifying the filtering criteria in a filtered policy can affect target allocation. Apex Central may reassign some targets to other filtered policies, or add additional targets to the current policy.
5. Click Deploy.
V. Importing & Exporting Policies:
Export policies for backup or to import to another Apex Central server of the same version.
Note:
• Apex Central exports policy settings but not policy targets.
• A parent policy stays as a parent after the export or import.
• A child policy becomes a parent after the export. Consequently, it is a parent after the import.
2. Select the type of product settings from the Product list. The screen refreshes to display
policies created for the selected managed product.
3. To export, select one or several policies, click Export Settings, and then save the resulting
policy file.
o If you exported a single policy, the resulting file has the extension *.cmpolicy.
o If you exported several policies, the resulting file is a compressed (*.zip) file containing the
individual .cmpolicy files.
4. To import, click Import Settings and then locate and load the policy file.
o You can import an entire *.zip file or import individual *.cmpolicy files one by one.
o If the policy already exists in the policy list, a confirmation prompt appears, asking if you
want to overwrite the existing policy.
Click OK to proceed.
The screen refreshes and displays the imported policy at the top of the list.
VI. Deleting a policy:
Administrators can remove a policy from the list. Apex Central then re-allocates the targets
associated with the deleted policy if the targets match the filtering criteria of another policy. Those
without a match become endpoints without policies, and they keep the settings defined by the
deleted policy unless a managed product administrator modifies the settings.
Apex Central only allows policy creators to delete their own policies. However, the root account
can delete every policy in the list.
It is not possible to delete an Apex One Agent parent policy with settings inherited by an existing
child policy.
1. Go to Policies > Policy Management.
The Policy Management screen appears.
2. Select the type of product settings from the Product list.
The screen refreshes to display policies created for the selected managed product.
3. Select the policy to delete.
4. Click Delete.
A confirmation screen appears.
5. Click OK
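The list-order rules from the Priority column description (specified policies on top, filtered policies from highest to lowest priority, new filtered policies saved at the lowest priority, drafts at the bottom) and the re-allocation that happens when a policy is deleted, as one added example written for this page and not taken from Apex Central. The policy kinds, endpoint attributes and names are constructed sample data, and the matching is a simplification of the product's own filtering criteria.

```python
"""Added example (not Apex Central code): a model of the target-allocation
rules the handbook describes for the policy list and for policy deletion.
Policy kinds, endpoint attributes and names are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    kind: str                                     # "specified", "filtered" or "draft"
    priority: int = 0                             # filtered policies only; 1 = highest
    targets: set = field(default_factory=set)     # endpoint names (specified policies)
    criteria: dict = field(default_factory=dict)  # attribute -> value (filtered policies)
    settings: dict = field(default_factory=dict)


def list_order(policies):
    """Order as the Policy Management list shows it: specified policies on top,
    filtered policies from highest to lowest priority, drafts at the bottom."""
    rank = {"specified": 0, "filtered": 1, "draft": 2}
    return sorted(policies, key=lambda p: (rank[p.kind], p.priority))


def add_filtered_policy(policies, name, criteria, settings):
    """A newly created filtered policy is saved with the lowest priority."""
    lowest = max((p.priority for p in policies if p.kind == "filtered"), default=0)
    policies.append(Policy(name, "filtered", lowest + 1, criteria=criteria, settings=settings))


def allocate(policies, endpoints, effective):
    """Assign every endpoint to the first policy in list order that targets it.
    'effective' maps endpoint -> settings currently applied; an endpoint that
    matches no policy keeps whatever settings it already has (this is the
    'endpoint without policies' case after a deletion).  Drafts never match.
    Returns {endpoint: policy name or None}."""
    assignment = {}
    for ep, attrs in endpoints.items():
        assignment[ep] = None
        for p in list_order(policies):
            hit = (p.kind == "specified" and ep in p.targets) or (
                p.kind == "filtered"
                and all(attrs.get(k) == v for k, v in p.criteria.items()))
            if hit:
                assignment[ep] = p.name
                effective[ep] = dict(p.settings)
                break
    return assignment


def delete_policy(policies, name, endpoints, effective):
    """Remove a policy and re-allocate its targets to the next matching
    filtered policy; unmatched endpoints retain the deleted policy's settings."""
    remaining = [p for p in policies if p.name != name]
    return remaining, allocate(remaining, endpoints, effective)


# Constructed sample data
ENDPOINTS = {
    "FIN-PC-01": {"os": "windows", "dept": "finance"},
    "ENG-PC-07": {"os": "windows", "dept": "engineering"},
    "LAB-VM-03": {"os": "windows", "dept": "lab"},
}


def sample_policies():
    return [
        Policy("Finance baseline", "specified", targets={"FIN-PC-01"},
               settings={"scan_method": "smart", "dlp": True}),
        Policy("All Windows", "filtered", priority=1, criteria={"os": "windows"},
               settings={"scan_method": "smart", "dlp": False}),
        Policy("Hardening (draft)", "draft",
               settings={"scan_method": "smart", "dlp": True}),
    ]


def walkthrough():
    """Allocate, create a new filtered policy, then delete the one above it."""
    policies, effective = sample_policies(), {}
    first = allocate(policies, ENDPOINTS, effective)
    add_filtered_policy(policies, "Engineering", {"dept": "engineering"},
                        {"scan_method": "smart", "dlp": True})
    second = allocate(policies, ENDPOINTS, effective)   # ENG-PC-07 still on "All Windows"
    policies, third = delete_policy(policies, "All Windows", ENDPOINTS, effective)
    return first, second, third, effective
```

The walkthrough shows the two behaviours an administrator is most often surprised by: the new "Engineering" policy receives no endpoints while the broader, higher-priority "All Windows" policy exists, and after "All Windows" is deleted the lab machine is left without a policy yet still runs with that policy's settings, including its weaker DLP setting, until someone changes them.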
The default owner of a policy is the user account that created the policy. You can use the Policy
Management screen to change the owner of a policy to any Apex Central user account. You can
also change the policy owner to an Active Directory group, which designates all Active Directory
users within the group as owners of the policy.
Server Policy:
• Endpoint Sensor Server Settings
• Application Control Server Settings
What happens after a policy is deployed from Apex Central to Apex One server?
CASE 2: Apex One server does not have a valid iProduct license
When a policy contains settings that enable iProduct settings, before dispatching the policies to iProduct servers the Apex One server first checks whether valid licenses exist; if there is no valid license, the Apex One server responds directly to Apex Central with an “unactuated license” error code (i.e. iProduct license information is managed by the Apex One server).
Policy enforcement: Apex Central's default mechanism to ensure all endpoints get policies.
• Targets: All endpoints
• Policies: All policies
• Frequency: On-premises, every 24 hours; SaaS, every 10 minutes
Note: AD-based filtered policies always need to have Apex Central sync the latest AD info first
in order to trigger policy changes.
Sending logs:
The logs from Update Agent are sent to the Apex One Server(On-Premise).
The logs from Apex One Agent are sent to the Apex One Server(On-Premise).
Use Agent Grouping to manually or automatically create and manage domains on the Apex
One agent tree.
There are two ways to group Security Agents into domains.
Method: Manual
Agent grouping: NetBIOS domain, Active Directory domain, DNS domain
Description: Manual agent grouping defines the domain to which a newly installed agent should belong. When the agent appears in the agent tree, you can move it to another domain or to another Apex One server. Manual agent grouping also allows you to create, manage, and remove domains in the agent tree.
Method: Automatic
Agent grouping: Custom agent groups
Description: Automatic agent grouping uses rules to sort agents in the agent tree. After you define the rules, you can access the agent tree to manually sort the agents or allow Apex One to automatically sort them when specific events occur.
3. Click Save.
Manage domains and the agents grouped under them by performing the following tasks:
• Add a domain
• Delete a domain or agent
• Rename a domain
• Move a single agent to another domain
2.5 Updates
All component updates originate from the Trend Micro ActiveUpdate server. When updates are
available, the Apex One server and smart protection sources (Smart Protection Server or Smart
Protection Network) download the updated components. There are no component download
overlaps between the Apex One server and smart protection sources because each one
downloads a specific set of components.
Note:
You can configure both the Apex One server and Smart Protection Server to update from a source
other than the Trend Micro ActiveUpdate server. To do this, you need to set up a custom update
source. If you need assistance setting up this update source, contact your support provider.
The following table describes the update process for smart protection sources.
Update process: ActiveUpdate server > Smart Protection Network
Description: The Trend Micro Smart Protection Network receives updates from the Trend Micro ActiveUpdate server. Smart scan agents that are not connected to the corporate network send queries to the Trend Micro Smart Protection Network.
Update process: ActiveUpdate server > Smart Protection Server
Description: A Smart Protection Server (integrated or standalone) receives updates from the Trend Micro ActiveUpdate server. Smart protection agents that are connected to the corporate network send queries to the Smart Protection Server.
Update process: Smart Protection Network > Smart Protection Server
Description: A Smart Protection Server (integrated or standalone) receives updates from the Trend Micro Smart Protection Network. Smart protection agents that are connected to the corporate network send queries to the Smart Protection Server.
Server Updates:
5. Click Save.
Pattern Updates
Apex One uses Trend Micro ActiveUpdate to obtain and distribute updates for specific program
components. Two types of components can be updated:
• Patterns
• Engines
The ActiveUpdate (AU) module is Apex One’s interface to the ActiveUpdate system. As a Trend
Micro common module, this module is developed independently of other products.
Trend Micro releases two types of pattern updates:
Official Pattern Release: Patterns are regularly made available to users as part of an Official Pattern Release (OPR). Upon release, these patterns are posted on the ActiveUpdate system, where products can download them using the default update source.
Controlled Pattern File Release: These are pre-release versions of a Trend Micro virus pattern file. A Controlled Pattern File Release is a fully tested pattern file intended to provide additional antivirus protection in between official pattern file releases.
Incremental Updates
Update Agents
Update Agents are Security Agents that function as alternative update sites for other Agents within an Apex One network. They permit the deployment of the settings below to Agents whose connections to the Apex One Server are sufficient for regular Agent-Server messages but not for bandwidth-intensive updates:
• Component updates
• Domain settings
• Agent programs and hot fixes
Update Agents serve as local ActiveUpdate sites. Like the Apex One Server, they offer both full and incremental patterns to their Agents by way of their own ActiveUpdate folder.
Any Security Agent can be promoted to an Update Agent, but it is recommended that an Agent on an endpoint computer that remains on at all times be used.
Without Update Agents, all endpoint computers contact the Apex One Server for updates. In installations with many Security Agents, this can create network traffic issues.
Agent updates can run automatically when certain events occur or when scheduled. In
addition to components, Security Agents also receive updated configuration files during
automatic update. In the Web Management console, click Updates > Agents > Automatic
Update
Event-Triggered Updates
The Server can notify online Agents to update components after it downloads the latest
components, and offline Agents when they restart and then connect to the Server.
When an update is critical, use Manual Update to immediately notify Agents to perform a
component update. In addition to components, Security Agents also receive updated
configuration files automatically during a Manual Update. In the Web Management console,
click Updates > Agents > Manual Update
Users with update privileges have greater control over how the Apex One Agent on their
computers gets updated.
Objectives:
Upon completion of this lesson you will be able to:
With differentiated solutions, our NFR package is designed to deepen the value of our solutions and to secure new sources of revenue for our partners. The new NFR bundle will enable partners to position Trend Micro solutions to maximize the value of our offerings and explore business opportunities. The NFR will help our partners become familiar with Trend Micro solutions through lab testing, product demos, customer PoCs and internal training.
Below are the available NFR bundles, both free & paid packages.
3.2.2 NFR Business Builder (Free for Silver, Gold and Platinum, Paid for Bronze)
This pack offers Hybrid Cloud Security solutions along with Advanced Threat Detection
for Endpoint Protection Suite which covers both SaaS based and on-prem solutions. Trend
Micro's Email Security (CAS), a SaaS based Email security solution for Office365 is also
part of the package.
3.2.3 NFR Business Pro (Paid for Silver, Gold and Platinum)
This pack offers a layered security solution that provides a better way to quickly protect, detect and respond to new threats through Trend Micro’s Connected Threat Defense, thereby improving visibility and streamlining investigation across the customer's IT infrastructure. The pack includes Advanced Threat Detection for Endpoint, Hybrid Cloud Security, Next Gen IPS and Breach Detection.
3.2.4 NFR Business Max (Paid for Silver, Gold and Platinum)
A comprehensive security bundle which not only extends detection and response beyond the endpoint but also includes Network, Email, & Cloud Workload protection, offering broader visibility and expert security analytics, leading to better detection and swift response. The pack includes Advanced Threat Detection for Endpoint, Hybrid Cloud Security, Next Gen IPS, Breach Detection and Cloud Sandboxing. These solutions connect to the Trend Micro Data Lake for automated detection, sweeping, hunting and root cause analysis.
Customer Licensing Portal (CLP) is the online management center for Trend Micro products &
services.
Features:
• Safer
Easily activate and register security products and services from the extensive Trend Micro
product line.
• Smarter
Access all your Trend Micro security products and services from a central location online.
• Simpler
Logon once for access to all Trend Micro products and services on the portal.
• Click Continue.
• Review the Product Information.
• Read the Trend Micro License Agreement terms and tick the check box to accept.
• Click Continue.
• To complete the registration process, enter the Account Information.
• Click Continue to finish the registration.
NOTE:
If the Merge Products option is not available when using your account this means that your
registered license does not support merging.
• The Merge Products page lists products that support the merge function. However, not
all Trend Micro Products support the license merge function.
Scenario 1: For services such as WFBS-SVC, click sign in to merge two WFBS-SVC
accounts.
• Click Merge.
Objectives:
Upon completion of this lesson you will be able to:
• Proof of Concepts:
A more formalized version of the trial, involving a more targeted and guided implementation of the product in the customer’s environment. The goal is to provide a high level of understanding of how the product may function for a specific use case and give the vendor an opportunity to more closely align the product’s capabilities with the customer’s needs. As it is a more formal engagement, the customer and vendor should agree on the specific objectives and outcomes expected as well as the responsibilities of each party (i.e. the customer should devote resources such as staff and infrastructure, and the vendor should provide technical support and training). A POC/POV (Proof of Value) can vary in length, depending on the objectives agreed to at the outset, but great care should be taken by the customer and the vendor to conclude the POC as agreed.
• Demo:
A demonstration, or demo for short, is a brief overview of the product’s features and capabilities followed by a live presentation of the product going through various tasks that provide the customer with a practical understanding of how the product works. It is sometimes done right after the product or solution presentation. With the extensive availability of pre-recorded video, a demo sometimes just means a product demo video clip, or sometimes access to a product demo edition, which typically has limited features and is used to generate leads. A demo is typically the first time the customer has seen the product in action (remember, a product demo video clip also counts here). Demos usually take no more than 1-2 hours and can be customized to focus on features important to the customer. Demos may also be recorded so that they can be viewed at the customer's convenience, but this does not provide an opportunity for questions or customization of the presentation (because it is pre-recorded, scripted and prepared in advance).
• PoC:
• Time-consuming process, as it requires a lot of time for planning and delivering a PoC.
• Slows down the procurement process when tests are performed with multiple vendors.
• Resource intensive, as it requires resources for functional tests in the customer’s environment.
• Demo:
• Speed of deployment: a demo takes less time, since less is spent installing/configuring products.
• Configurations are known to work together and do not introduce localized issues found at customer sites.
• There is no need for customer prerequisites like building the supporting infrastructure.
“Product Cloud” is a hybrid cloud infrastructure built by the PreSales and Corporate IT teams to provide Field Sales Engineers and Solution Architects with a powerful and agile platform to demo, troubleshoot and test Trend Micro products and 3rd party software from anywhere in the world using only a web browser.
Using Product Cloud to run POCs offers many benefits, including:
• Speed of Deployment – Less time spent installing/configuring products
• Configuration Stability – The configurations are known to work together and do not introduce localized issues found at customer sites
• No Customer Prerequisites – Often one of the biggest delays with POCs is waiting for the customer to build the supporting infrastructure
• Trend Micro Product Cloud enables partners and employees to conduct an instant, web-based demo (24x7) of Trend Micro’s top-selling products, and to invite prospects and customers to conduct a free, self-paced online product trial, complete with step-by-step guidance.
Instant Demo:
Instant Demo provides 24x7 web access to Trend Micro’s top selling products, and is pre-loaded
with data to enrich your demo experience.
Steps:
1. Login to the Partner Portal & select Demo Cloud.
2. Choose the desired product instant demo.
3. Available for most of our Top Selling Products.
Step 1:
• Define the success criteria of the PoC.
• PoC start date, finish date and other important dates of the PoC.
• Set out the objectives of the PoC precisely.
Step 2:
• Understand the customer environment and the PoC to be conducted.
• Share the pre-requisites with the customer.
Step 3:
Review and sign-off meetings should be completed and the PoC should Kick-off.
Step 4:
• Manage the PoC.
• Set your performance goals and track the PoC metrics.
Step 5:
Present the results of the PoC that was performed. Explain, against the success criteria, how the requirements were met.
NOTE:
Taking it a step further, applying the lessons learnt from previous POCs would help to fine tune
your approach to future ones. Gathering, learning and evolving!
Checklist: On-Premise
To build a standard PoC report after conducting a PoC at a customer’s environment, you
need to have the following key sections in your report:
• Introduction
• Solution Overview
• PoC Architecture that you designed at the customer’s environment
Pre-Requisites:
1. On Apex Central, go to Policy > Policy Management.
2. Click on your Defined Policy and scroll down to Real-time Scan Settings.
3. Make sure the following options are checked.
Policy & Security Agent should look like this after Policy Configuration:
1. Go to EICAR.org (http://www.eicar.org/download/eicar.com)
2. Scroll down to the test files and click on any or all of the samples.
3. Detection of the EICAR samples should immediately be picked up by real-time scanning.
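The same real-time scan check can be run on an endpoint without a browser or Internet access, which matters in locked-down PoC labs where eicar.org is blocked. The script below is an added example written for this page, not part of the handbook or of Apex One: it assembles the standard 68-byte EICAR test string, verifies it against the published SHA-256 of eicar.com so a mangled copy (for example with a trailing newline) is not mistaken for a failed detection, writes it to disk, and then watches for the agent's reaction. The output path and the wait time are assumptions.

```python
"""Added example (not from the handbook): exercise real-time scanning with the
EICAR test file from the command line and report whether the agent reacted."""
import hashlib
import os
import time

# The two halves are joined at run time so this script's own source file does
# not contain the contiguous signature and is not itself flagged on disk.
_EICAR_PARTS = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD",
                rb"-ANTIVIRUS-TEST-FILE!$H+H*")

# Published SHA-256 of the canonical 68-byte eicar.com file.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    """The 68-byte EICAR test string (harmless; detected by every AV engine)."""
    return b"".join(_EICAR_PARTS)


def eicar_is_canonical(data: bytes) -> bool:
    """True only for the exact published test file; a scanner is entitled to
    ignore a modified copy, so a mismatch here is a test-setup error."""
    return len(data) == 68 and hashlib.sha256(data).hexdigest() == EICAR_SHA256


def realtime_scan_check(path: str, wait_seconds: float = 10.0) -> str:
    """Write the EICAR file and poll for the real-time scanner's reaction.

    Returns 'detected' when the write itself is blocked, or when the file is
    deleted, quarantined or altered within wait_seconds; 'not_detected' if it
    is still present and unchanged when the wait expires.
    """
    data = eicar_bytes()
    if not eicar_is_canonical(data):
        raise RuntimeError("EICAR test string is not canonical; fix the script")
    try:
        with open(path, "wb") as fh:
            fh.write(data)
    except OSError:
        return "detected"            # on-access scanning refused the write
    deadline = time.time() + wait_seconds
    while time.time() < deadline:
        try:
            with open(path, "rb") as fh:
                if fh.read() != data:
                    return "detected"   # cleaned or truncated in place
        except OSError:
            return "detected"           # removed, quarantined or locked by the scanner
        time.sleep(0.5)
    return "not_detected"


if __name__ == "__main__":
    test_path = os.path.join(os.getcwd(), "eicar_test.com")   # assumed location
    print(realtime_scan_check(test_path))
```

If the result is "not_detected", check the policy's Real-time Scan Settings (which file types are scanned, and whether the test folder falls under an exclusion) before concluding that the agent is not working; the EICAR detection should also appear in the Apex Central logs shortly after.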
Pre-Requisites:
1. Login to Apex Central and go to Policy > Policy Management
2. Click on your Defined Policy and scroll down to Web Reputation Settings
3. Confirm the following settings are checked (enabled)
Policy & Security Agent should look like this after Policy Configuration:
1. Open a web browser and use the following URLs to test Web Reputation
3. C&C Callback
Pre-Requisites:
1. Login to Apex Central and go to Policy > Policy Management.
2. Put a check on Enable Predictive Machine Learning and set the following actions:
• File: Log Only
• Process: Terminate
Pre-Requisites:
• Programs not known to Trend Micro (download through web browsers or email channels).
• Heuristic detection of processes (downloaded through supported web browsers or email
channels).
• Low prevalence autorun programs on removable storage.
Pre-Requisites:
1. On a test endpoint, download Cmder Mini and extract it into a folder named C:\tmp
2. Download the LINE installer (https://www.download3k.com/Install-LINE.html) and place it in the same folder, C:\tmp
2. Launch C:\tmp\cmder_mini\cmder.exe
• Expected Result: Allowed
Pre-Requisites:
TEST ENDPOINT (TE)
1. Login to Apex Central and go to Policy > Policy Management
2. Put a check on Vulnerability Protection and enable Intrusion Prevention Rule - 1009490:
• Status: Enabled
• Identifier: 1009490
• Rule Name: Block Administrative Share - 1 (ATT&CK T1077, T1105)
• Mode: Detect Only
NOTE:
Both endpoints must be on the same network and sub-net.
Credentials to access the Test Endpoint (TE) must have administrative privileges.
4. You will be prompted to input the Test Endpoint (TE) admin credentials.
5. Press OK. If the provided credentials successfully log in to the Test Endpoint (TE) admin shares, you should be able to see their contents from the Attack Endpoint (AE). Otherwise, check admin permissions and try again.
In this example, we can see from the logs that Affected IP Address 92.168.146.128 was accessed by an Attack Source with an IP address of 192.168.146.134.
Pre-Requisites:
1. Login to Apex Central and go to Policy > Policy Management.
2. On the Product drop down, choose Apex One Data Loss Prevention then click on Create.
3. Provide a Policy Name. Under Targets, click Set Filter beside Filter by Criteria.
• Click on Directories and choose Product Directory.
• Select Apex Central as a Service then click Save.
5. In the DLP Settings, open the Available templates drop-down and choose Category-based templates.
• Scroll down and select all the templates, then click Add.
• Go to step #2, Channel.
8. Click on Deploy.
9. Go back to Policy Management and choose Apex One Security Agent under Product.
Click the policy you are currently managing.
• Under Additional Service Settings, make sure that Data Protection Service for
Windows Desktop is checked.
• If checked, leave it be. If not, put a check on it and hit Save
NOTE:
Give the new policy settings a few minutes to take effect. You may check the status of the policy by clicking on the number of machines under the Deployed column.
• Additionally, you can also check the Logs in Apex Central for the detection.
Objectives:
Upon completion of this lesson you will be able to:
• Competitive Advantage
• The Forrester Wave
• NSS Labs
• Gartner
Apex One leverages a blend of cross-generational threat techniques to provide the broadest protection against all types of threats. More than just a scan, Apex One Vulnerability Protection uses a host-based intrusion prevention system (HIPS) to virtually patch known and unknown vulnerabilities before a patch is available or deployable. It leverages techniques that allow you to discover and respond to threats before they compromise data, extends detection and response across endpoints, email, and servers, provides effective security for your sensitive data, enhances application control against malicious software, and offers central visibility and control. Apex One’s competitive features are:
• Hybrid – Environment Feature
Supports hybrid deployment & extends visibility and control across on-premises, cloud, and
hybrid deployment models.
• Automation & Visibility
Provides advanced automated threat detection and response against an ever-growing variety of threats, including fileless and ransomware. Trend Micro’s cross-generational blend of modern techniques provides highly tuned endpoint protection that maximises performance and effectiveness. Provides all-in-one centralized visibility.
• Data Retention
Data retention module provides continued storage of data & data loss prevention module
protects data from being lost.
• Data Privacy
Prevents unauthorized transmission of digital assets.
• Actionable insights
Apex One introduces expanded endpoint detection and response (EDR) capabilities. It also
connects to Trend Micro’s managed detection and response (MDR) service option that boosts
in-house teams with threat hunting and alert monitoring.
We believe Trend Micro Apex One™ endpoint security provides you with protection trusted by
analysts and customers alike.
“Reliable vendor that I would call my own team!”
“Trend Micro Apex One™ as a Service dashboard landing page summary is very
user friendly and I would say what admins would want to see.”
“Protection, technology, service, integration, everything top of the class!”
– Gartner Peer Insights, November 2021
Trend Micro is a Leader with the highest ranking in the current offering category in
the first ever XDR vendor New Wave™ evaluation, Q4 2021!
The 2019 Forrester Wave demonstrates that Trend Micro is a strong and reliable choice
for endpoint protection.
“Trend Micro is the best fit for companies that need a robust, easy to operate
security suite.”
“Offers strong cross-telemetry detection, investigation, and response.”
“Trend Micro has loyal customers confident in the security efficacy of the offering.”
– The Forrester New Wave™: Extended Detection and Response (XDR) Providers, Q4 2021
Trend Micro is Named a Leader in The Forrester Wave™: Endpoint Security
Software as a Service, Q2 2022!
Objectives:
Upon completion of this lesson you will be able to:
An advanced persistent threat (APT) is a broad term used to describe an attack campaign in
which an intruder, or team of intruders, establishes an illicit, long-term presence on a network in
order to mine highly sensitive data.
What is the extent of the breach?
• Point of entry
• Lateral Movement
• Data Exfiltration
How did the breach happen?
• Social Engineering
• Spear Phishing Email
• External USB
What did the hacker or malware do while it was active?
• Command & Control
• Data Discovery/Asset
• Data Exfiltration
How do we restore the system with confidence that all traces are destroyed?
This leads to Trend Micro’s EDR Solution.
The adaptive security architecture is a useful framework to help organizations classify existing
and potential security investments to ensure that there is a balanced approach to security
investments.
Endpoint Detection and Response (EDR) provides the solutions that enable the bottom half of the
adaptive security architecture.
• Impact Assessment (IA) is a quick search for objects that is run over the metadata
stored on the Apex Server. This task is not executed on endpoints.
• Impact Assessment is used when an analyst receives an IoC and runs it over the metadata
stored on the Apex Server to see whether their environment is compromised.
• The average time for "Impact Assessment" results is between 10 and 15 seconds.
NOTE: The term "Impact Assessment" is unique to Trend Micro; other vendors may use
different terms. Remember the following keywords for your reference: Quick Health Check /
Sweeping / Assessment / Threat Hunting / Impact Scope Evaluation
• Root Cause Analysis (RCA) is the graphical representation of how the infection and/or
suspicious activities occurred (e.g. patient zero, entry point).
• Root Cause Analysis (RCA) can be initiated from various points:
– Automatically from Critical Threat and Virtual Analyzer/User-Defined SO and In-Memory
Detailed Investigation
– Manually from Preliminary Investigation
• Root Cause Analysis result generation in SaaS takes < 10 seconds.
• RCA on-premises takes < 10 minutes. The RCA time-out is 24 hours.
NOTE: Various vendors may use different terms to describe "Root Cause Analysis". Here
are a few synonymous terms for this functionality: Drill-down events / Infection Chain
Analysis / Attack Kill Chain / Forensic Graph
• If an assessment returns a match, administrators may generate a root cause analysis to:
– List all related objects to the specified criteria
– Identify if any of the related objects are noteworthy
– Review the sequence of events leading to the execution of the matched object.
• Generating a root cause analysis may take some time to complete.
NOTE: macOS is not supported yet.
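To make the Impact Assessment and Root Cause Analysis steps above concrete, here is an added example (not Trend Micro code and not the Apex One implementation) that runs an IoC lookup over a constructed store of server-side process metadata and, for each hit, walks the parent chain back to the entry point and flags noteworthy objects. The record layout, hash values, host names and the watchlist are all assumptions made for this example; the real Apex One schema is not documented on this page.

```python
"""Added example (not Trend Micro code): an impact assessment over
constructed endpoint metadata followed by a root cause chain walk.
Every record, hash and host name below is constructed for the example."""

# Constructed metadata as an EDR server might retain it: one record per
# process execution per endpoint. "parent" points at the event id of the
# parent process on the same host; None marks the root of the tree.
METADATA = [
    {"host": "WS-001", "id": 1, "parent": None, "image": "explorer.exe", "sha1": "aaaa0001", "ts": "09:00:00"},
    {"host": "WS-001", "id": 2, "parent": 1,    "image": "outlook.exe",  "sha1": "aaaa0002", "ts": "09:05:10"},
    {"host": "WS-001", "id": 3, "parent": 2,    "image": "wscript.exe",  "sha1": "aaaa0003", "ts": "09:07:42"},
    {"host": "WS-001", "id": 4, "parent": 3,    "image": "invoice.exe",  "sha1": "bad00001", "ts": "09:07:45"},
    {"host": "WS-002", "id": 1, "parent": None, "image": "explorer.exe", "sha1": "aaaa0001", "ts": "10:00:00"},
    {"host": "WS-002", "id": 2, "parent": 1,    "image": "chrome.exe",   "sha1": "aaaa0004", "ts": "10:01:00"},
    {"host": "WS-003", "id": 1, "parent": None, "image": "services.exe", "sha1": "aaaa0005", "ts": "08:30:00"},
    {"host": "WS-003", "id": 2, "parent": 1,    "image": "invoice.exe",  "sha1": "bad00001", "ts": "11:15:03"},
]

# Constructed watchlist of images worth a second look in a chain
# (script hosts and living-off-the-land binaries).
WATCHLIST = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def impact_assessment(records, ioc):
    """Search the retained metadata (never the endpoints) for an IoC.

    ioc is a dict such as {"sha1": "..."} or {"image": "..."}; every key
    in it must match the record. Returns the matching records."""
    return [r for r in records if all(r.get(k) == v for k, v in ioc.items())]


def affected_endpoints(records, ioc):
    """Distinct hosts on which the IoC was seen, sorted for stable output."""
    return sorted({r["host"] for r in impact_assessment(records, ioc)})


def root_cause_chain(records, match):
    """Follow parent links on the matched record's host back to the root.

    Returns the chain from the entry point down to the matched object.
    A visited-set guards against cycles in malformed metadata."""
    by_id = {r["id"]: r for r in records if r["host"] == match["host"]}
    chain, seen, current = [], set(), match
    while current is not None and current["id"] not in seen:
        seen.add(current["id"])
        chain.append(current)
        current = by_id.get(current["parent"]) if current["parent"] is not None else None
    return list(reversed(chain))


def summarize_chain(chain):
    """Render the chain as 'root -> ... -> matched object'."""
    return " -> ".join(r["image"] for r in chain)


def noteworthy(chain):
    """Objects in the chain that appear on the watchlist."""
    return [r["image"] for r in chain if r["image"] in WATCHLIST]


if __name__ == "__main__":
    ioc = {"sha1": "bad00001"}
    for rec in impact_assessment(METADATA, ioc):
        chain = root_cause_chain(METADATA, rec)
        print(rec["host"], summarize_chain(chain), "noteworthy:", noteworthy(chain))
```

Running the block prints one chain per affected host; WS-001 shows the mail client spawning a script host that drops the matched binary, which is the sequence-of-events view the RCA bullets describe.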
• Detailed Investigation methods available:
– Search in-memory using YARA files
– Search on-disk using OpenIOC files
– Search the registry with custom criteria
• A "Detailed Investigation" task can be run once or scheduled regularly (with the same
settings).
• It can also be initiated from the Impact Analysis page.
• The average Detailed Investigation time is about 40 minutes:
{agent polling (every 10 min) + Detailed Investigation task (10 min) + upload of results}
• Choose between One-Time Investigation or Scheduled Investigation.
• If you select Scheduled Investigation, you can set the Schedule, Frequency and Time.
• Results are available on the Detailed Investigation page, and all previous results are retained
until the retention period limit (license-dependent).
• Tasks can be stopped (while processing) or deleted.
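The on-disk OpenIOC search listed above is straightforward to illustrate. The following is an added example (not Trend Micro code and not the Endpoint Sensor implementation) that parses an OpenIOC 1.0 document and sweeps a directory tree for files matching its hash or file-name terms. It assumes only FileItem/Md5sum, FileItem/Sha256sum and FileItem/FileName terms with the "is" and "contains" conditions, evaluates Indicator groups as a flat OR (nested AND logic is not implemented), and the IoC document, the inert sample content and the swept files are all constructed here.

```python
"""Added example (not Trend Micro code): a minimal on-disk sweep driven by
an OpenIOC 1.0 file. The IoC document and the files are constructed."""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed, inert content standing in for a dropped script.
SAMPLE_CONTENT = b'WScript.Echo "constructed sample"\r\n'

# Constructed OpenIOC document. The md5 is derived from SAMPLE_CONTENT so
# the sweep below has a guaranteed hash hit.
OPENIOC_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001" last-modified="2022-01-01T00:00:00">
  <short_description>Constructed example IoC</short_description>
  <definition>
    <Indicator operator="OR" id="grp-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">{hashlib.md5(SAMPLE_CONTENT).hexdigest()}</Content>
      </IndicatorItem>
      <IndicatorItem id="item-2" condition="contains">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">invoice_</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""


def parse_openioc(xml_text):
    """Return (search, condition, content) tuples for every IndicatorItem."""
    root = ET.fromstring(xml_text)
    terms = []
    for item in root.iter("{http://schemas.mandiant.com/2010/ioc}IndicatorItem"):
        ctx = item.find("ioc:Context", NS)
        content = item.find("ioc:Content", NS)
        if ctx is None or content is None:
            continue  # malformed item: skip rather than guess
        terms.append((ctx.get("search"), item.get("condition", "is"), (content.text or "").strip()))
    return terms


def file_facts(path):
    """Compute the FileItem attributes this example can match on."""
    h_md5, h_sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h_md5.update(chunk)
            h_sha.update(chunk)
    return {"FileItem/Md5sum": h_md5.hexdigest(),
            "FileItem/Sha256sum": h_sha.hexdigest(),
            "FileItem/FileName": os.path.basename(path)}


def term_matches(term, facts):
    """Evaluate one term against a file's facts; unknown terms never match."""
    search, condition, value = term
    actual = facts.get(search)
    if actual is None:
        return False
    if condition == "is":
        return actual.lower() == value.lower()
    if condition == "contains":
        return value.lower() in actual.lower()
    return False


def sweep(root_dir, terms):
    """Walk root_dir and return sorted (relative path, matched search) pairs."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            facts = file_facts(path)
            hits.extend((os.path.relpath(path, root_dir), t[0]) for t in terms if term_matches(t, facts))
    return sorted(hits)


def demo():
    """Build a constructed file tree in a temp dir, sweep it, return the hits."""
    terms = parse_openioc(OPENIOC_XML)
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "Downloads"))
        with open(os.path.join(d, "Downloads", "readme.txt"), "wb") as f:
            f.write(b"benign")                  # no hit
        with open(os.path.join(d, "Downloads", "scan.vbs"), "wb") as f:
            f.write(SAMPLE_CONTENT)             # hash hit, name miss
        with open(os.path.join(d, "invoice_2022.zip"), "wb") as f:
            f.write(b"PK\x03\x04 constructed")  # name hit, hash miss
        return sweep(d, terms)


if __name__ == "__main__":
    for rel_path, search in demo():
        print(f"{rel_path}: matched {search}")
```

A real agent-side sweep would read the IoC from the task the server pushed and report hits back on the next poll; the matching logic is the same, and unsupported conditions are deliberately treated as non-matches so a parser gap never produces a false positive.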
Objectives:
Upon completion of this lesson you will be able to:
• Why EDR is Simply not Enough
• Threat Actors look beyond the endpoint
• Challenges
• Trend Micro Vision One
• Zero Trust Approach
• Trend Micro Vision One on Any Device, Any Network, Any Location, Any Cloud
• Trend Micro Zero Trust Strategy
• Endpoint Basecamp
• Fewer, High Fidelity alerts with XDR
• Trend Micro Vision One Cybersecurity Platform
• Trend Micro Vision One – Integration
• Trend Micro Vision One XDR Workbench Demo
With today's ever-evolving threat landscape, you need capabilities that help you detect and
respond rapidly to threats breaching your defenses. Today, many organizations use multiple,
separate security layers to detect threats across their email, endpoints, servers, cloud
infrastructure, and networks.
Investigating threats across all these disparate solutions makes for a very piecemeal and manual
investigation process that can miss threats altogether due to a lack of visibility and correlation.
A solution such as EDR only looks at endpoints, missing threats that pass through user email,
servers, cloud workloads, and networks. This results in a very limited view of the attacker's
activities and an inadequate, incomplete response.
This is what makes EDR alone not enough:
• EDR functionality has traditionally been provided as a point solution at one specific
security layer
• Siloed tools often force analysts to manually correlate and prioritize threats
• Lack of integrated contextual visibility results in an incomplete view of the breach
Recently, it has been observed that phishing techniques are being updated in what appears to be a
calculated attempt to take advantage of the rapid adoption of cloud-based SaaS. The new
techniques are designed both to evade detection and to increase the likelihood of a successful
phish.
After a successful phish or password attack against a user and the takeover of an
account in a Microsoft® Office 365™ tenant environment, the threat actor harvests a contact list
for targets and sends an email to the list.
Because the email comes from an account within the Office 365 platform, it inherits the standard
and expected user trappings, such as stored signatures. Additionally, based on the extended mail
headers, the recipient and the recipient's email system would have seen the incoming mail as
originating from the Office 365 tenant space.
This campaign's carefully crafted emails further challenged users' ability to discern the phish.
The threat actors themed the lure as a secure, encrypted email. They did so by basing the
message on a legitimate secure email provider, which generally requires a user to click on a
link in an email.
In these cases, the "View Message" link is rewritten by Advanced Threat Protection (ATP)
SafeLinks, a URL rewrite service provided by Microsoft to help protect users from malicious
URLs. Because URLs can get unwieldy, there are several services that map them to shorter URLs. This
shortened URL is another strategy that may bypass URL filters. Not only does this URL then go to
Microsoft OneDrive, but it provides a quick link to a Microsoft OneNote™ file stored on the OneDrive.
The cybercriminals behind this email campaign appear to be using social engineering tactics to
entice users into opening a file attachment, which in turn downloads the Locky ransomware and
encrypts users' data.
The infection chain of this ransomware campaign starts with a socially engineered email. Threat
actors send a socially engineered email containing an archive with an embedded VBScript file.
When executed, the script connects to command and control (C&C) servers to download the
Locky ransomware, which then encrypts the user's data locally as well as files on network
shares. It has also been observed recently that "fake voicemail email notifications" are being
used by this ransomware campaign as well.
Therefore, without the tools to identify threat indicators, detection is dangerously slow.
Instead of the security perimeter being entombed in a box at the data center edge, the perimeter
is now everywhere an enterprise needs it to be: a dynamically created, policy-based secure
access service edge. A home-based worker brings up a VPN connection that creates a secure
tunnel to take them straight into the data center. This might be fine when the company expects
10% to 20% of its employees to work remotely at any given time, but now the numbers might
approach 50% or 70%. This creates contention for resources and a poor VPN experience for all.
What is more, workers are routing a large amount of internet traffic to the data center along with traffic
destined for on-premises applications. Another challenge we face is a lack
of visibility: data and users are everywhere, and a user in one location can access data
residing in another location. How do we correlate these activities?
Most organizations trust and assume that their data is safe and that the apps they are leveraging
are safe. But the fact is that we are not 100% sure of what is going on.
• Should each WFH or remote user sit behind a firewall / IPS / IDS device to protect
themselves?
• What happens when users aren't on the VPN?
• How is traffic secured for SaaS?
• What about visibility for users who are not on the enterprise network?
Trend Micro Vision One is a purpose-built threat defense platform that provides added value and
new benefits beyond XDR solutions, allowing you to see more and respond faster. It collects and
correlates data across email, endpoint, servers, cloud workloads, and networks, enabling visibility
and analysis that is difficult or impossible to achieve otherwise. Providing deep and broad
extended detection and response (XDR) capabilities that collect and automatically correlate data
across multiple security layers—email, endpoints, servers, cloud workloads, and networks—
Trend Micro Vision One prevents the majority of attacks with automated protection.
Native sensors and protection points—coupled with the XDR capabilities that stitch together threat
activity across layers— allow for the quick detection of complex attacks that bypass prevention.
This provides an unmatched understanding of the activity data in your environment and a
balanced approach to security, as teams can quickly see the story of an attack and respond faster
and more confidently. The visibility and efficiency that is provided by Trend Micro Vision One
makes great security teams even better, enabling them to do more with less.
Hence, Trend Micro Vision One is a single platform providing Zero Trust Risk Insights
functionality, Zero Trust Secure Access functionality and XDR functionality as a solution to
resolve the key challenges. It provides:
● Prioritized alerts based on one expert alert schema to interpret data in a standard and
meaningful way
● A consolidated view to uncover events and the attack path across security layers
● Guided investigations to understand the impact and identify the path to resolution
● SASE functionality: this model combines networking and network security services, such
as ZTNA, CASB, SWG, DLP and more, into a single comprehensive, integrated solution
that supports all traffic, applications and users.
● XDR functionality: integration with multiple platforms, providing centralized
visibility.
XDR delivers visibility into data across networks, clouds, endpoints, and applications while
applying analytics and automation to detect, analyze, hunt, and remediate threats.
XDR, or cross-layer detection and response, goes further. XDR collects activity information
not only from endpoints but also from email, containers, and the network. To the SIEM, it sends a
single, high-fidelity alert that tells the story of the attack from beginning to end.
XDR breaks down these silos using a holistic approach to detection and response. XDR collects
and correlates detections and deep activity data across multiple security layers: email, endpoint,
server, cloud workloads, and network. Automated analysis of this superset of rich data means
threats are detected faster, and security analysts are equipped to do more thorough investigations
and take quick follow-up action. The more data sources and security vectors you bring into the
single, integrated XDR platform, the greater the correlation opportunities, and the more
comprehensive the investigation and response. For example, today an analyst might use an
EDR tool to get detailed visibility into suspicious activity on managed endpoints but then have a
separate, siloed view of network security alerts and traffic analysis. For cloud workloads,
they likely have limited visibility into suspicious activity (perhaps using tools like EDR that aren't
tailored to this different environment). All parts of the environment generate many noisy alerts that
are likely sent to a SIEM. The analyst can see the alerts but not a detailed record of all the activity
between alerts, so they miss important attack details and are left buried in alerts without context
or a way to connect related events. XDR brings the layers together so security analysts can see the
bigger picture and quickly explain what may be happening in the enterprise.
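The cross-layer stitching described above can be shown in a few dozen lines. This is an added example (not Trend Micro code and not how Vision One correlates alerts) that links constructed detections from the email, endpoint, network and server layers whenever they share an entity (user, host, file hash or domain), merges them into incidents, and ranks incidents by how many layers they span, so the multi-layer story surfaces as one high-priority alert while an isolated single-layer detection stays low. The detection records, their field names and the ranking rule are all assumptions made for this example.

```python
"""Added example (not Trend Micro code): entity-based correlation of
detections from several security layers into ranked incidents.
All detections below are constructed."""
from collections import defaultdict

# Constructed detections. Each record carries the entities that allow
# one layer to be linked to another. Domain and hash values are placeholders.
DETECTIONS = [
    {"id": "E1", "layer": "email",    "ts": "09:01", "user": "alice", "hash": "bad00001", "domain": None,
     "text": "attachment quarantined"},
    {"id": "P1", "layer": "endpoint", "ts": "09:07", "user": "alice", "host": "WS-001", "hash": "bad00001",
     "domain": None, "text": "script host spawned binary"},
    {"id": "N1", "layer": "network",  "ts": "09:08", "host": "WS-001", "hash": None,
     "domain": "c2.example.invalid", "text": "beacon to rare domain"},
    {"id": "S1", "layer": "server",   "ts": "09:30", "host": "FS-01", "user": None, "hash": None,
     "domain": "c2.example.invalid", "text": "outbound connection to known C&C"},
    {"id": "P2", "layer": "endpoint", "ts": "14:00", "host": "WS-009", "user": "bob", "hash": "aaaa0004",
     "domain": None, "text": "PUA detected"},
]

# Fields whose shared values link two detections together.
LINK_FIELDS = ("user", "host", "hash", "domain")


def _entities(det):
    """Non-empty (field, value) pairs of a detection."""
    return {(f, det[f]) for f in LINK_FIELDS if det.get(f)}


def correlate(detections):
    """Group detections that share an entity (transitively) into incidents.

    Uses a union-find over detection ids: the first detection seen with a
    given entity 'owns' it, and later detections carrying the same entity
    are unioned with the owner. Returns incidents sorted by priority
    (number of distinct layers) descending, then by first detection id."""
    parent = {d["id"]: d["id"] for d in detections}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    owner = {}
    for d in detections:
        for ent in _entities(d):
            if ent in owner:
                union(owner[ent], d["id"])
            else:
                owner[ent] = d["id"]

    groups = defaultdict(list)
    for d in detections:
        groups[find(d["id"])].append(d)

    incidents = []
    for members in groups.values():
        members.sort(key=lambda d: d["ts"])
        layers = sorted({d["layer"] for d in members})
        entities = set().union(*(_entities(d) for d in members))
        incidents.append({
            "ids": [d["id"] for d in members],
            "layers": layers,
            "entities": sorted(entities),
            "priority": len(layers),
            "story": " | ".join(f"{d['ts']} {d['layer']}: {d['text']}" for d in members),
        })
    incidents.sort(key=lambda i: (-i["priority"], i["ids"][0]))
    return incidents


if __name__ == "__main__":
    for inc in correlate(DETECTIONS):
        print(f"priority {inc['priority']} layers={inc['layers']} ids={inc['ids']}")
        print("  " + inc["story"])
```

With the constructed input, the email, endpoint, network and server detections collapse into one four-layer incident whose story reads in time order from the quarantined attachment to the file-server C&C connection, which is the single narrative alert the text says XDR hands to the SIEM; the unrelated PUA detection remains its own low-priority incident.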
Apex One SaaS, when connected with Trend Micro Vision One, gets an XDR add-on. XDR
provides a graphical replay of communication activity and the lateral movement of the attack, and
provides the full information on the attack, the first target and the C&C.
Trend Micro Vision One XDR automatically connects the product from the Customer Licensing Portal.
The customer's Apex One SaaS, CAS, or both products are auto-connected and registered to the
Vision One platform when they first log on to the portal.
● On the Product Connector window, click Connect Product, select the Product Name and
click to generate the enrollment token.
● On the product console, under Administration, register with the enrollment token.
Trend Micro Endpoint Basecamp is a program running on the endpoint that provides a robust channel for
Trend Micro to deploy endpoint applications. When a customer wants to deploy more endpoint
applications, Endpoint Basecamp downloads the endpoint application package from the Trend
Micro backend and installs it. The customer does not need to perform another agent deployment for the
new endpoint application.
Trend Micro Endpoint Basecamp also provides common functions to endpoint applications,
which include the following:
• Endpoint Sensor (xES) and Endpoint Response application - enabled from the Vision
One Endpoint Inventory
• Assessment Tool for Windows Endpoints - from Vision One Security Assessment
It is a pure user-mode application without system/application event interception behaviour. It does
not include a kernel driver, so there is no possibility of causing an endpoint failure.
• A single package installs both the protection agent and the XDR sensor
• Reboot the computer to finalise the protection agent installation, then
Objectives:
Upon completion of this lesson you will be able to:
NOTE: For accurate results, the IP address should be verified on the agent side, as
communication issues could prevent the IP address from updating correctly on the console
when it changes at the endpoint.
• To identify it from the endpoint, open a command prompt and run ipconfig to find the IP
address, then right-click the agent icon in the system tray and choose "Component
Versions".
The top of the window displays the listening port.
When using this test, the "Do not save encrypted page to disk" setting must be disabled as shown
below. Otherwise, the test will fail.
Recovery from backup:
• Agent configuration
• Apex One Main Server
• Website configuration
• Backup Server
• Before recovering the Apex One server, stop the following services:
✓ Apex One Master Service
➢ Endpoint Service
➢ Application Control Service
➢ Advanced Threat Assessment Service
➢ Vulnerability Protection Service
✓ WWW Publishing Service
• Unregister from Apex Central.
• Agent configuration using the Server Migration Tool.
• Restore website configuration.
• SQL server database recovery.
• Set up privileges using svrsvcsetup.exe.
• Start:
✓ Apex One Master Service
➢ Endpoint Service
➢ Application Control Service
➢ Advanced Threat Assessment Service
➢ Vulnerability Protection Service
✓ WWW Publishing Service
• Make sure Apex One Server is working properly.
• Register to Apex Central.
Important:
This method works only when the Apex One server is installed using an FQDN.
NOTE: For this troubleshooting topic, refer to KB 1123738 and download the Trend Micro Apex
One™ and iServices Disaster Recovery Guide.
This lesson develops an understanding of effective product deployment and provides the
ability to manage it by formulating response plans.