Getting Started With Endpoint Security - Student Guide - V1

Uploaded by

Jeff Horton

Getting Started With

Trend Vision One Endpoint Security


Student Guide
Copyright© 2024 Trend Micro Incorporated. All rights reserved.

Trend Micro, the Trend Micro logo, the t-ball logo, and [other Trend trademarks] are
trademarks or registered trademarks of Trend Micro Incorporated. All other company
and/or product names may be trademarks or registered trademarks of their owners.
Information contained in this document is subject to change without notice. Trend Micro,
the Trend Micro logo, and the t-ball logo Reg. U.S. Pat. & Tm. Off.

For details about what personal information we collect and why, please see our Privacy
Notice at trendmicro.com/privacy

Released: April 29, 2024


Courseware v1.0

Welcome

• SHORT instructor intro


Objectives


After completing this course, participants will be able to:


• Describe the differences in protection required on a server or workload and a standard
endpoint
• Configure the initial environment
• Create protection managers for servers/workloads and standard endpoints
• Add protected endpoints to Trend Vision One Endpoint Security
• Configure and deploy security policies to servers/workloads and standard endpoints


Before We Start

• Post questions in the Q&A pane only
• Answer trainer questions in the Chat pane
• Download your copy of the Student Guide from the Education Portal

Post any questions in the Q&A pane, as it is being monitored by trainers. Use the Chat pane
to respond to questions from the Instructor.

The Student Guide for this course can be downloaded from the Trend Education Portal. Log
into your account and click the Getting Started With Trend Vision One Endpoint Security
course. Scroll to the Course Syllabus section and click to download the Student Guide PDF.


Endpoint Protection

• Servers and workloads
• End user desktop computers

The servers/workloads and the end-user endpoints in your organization are under constant
attack from external sources. These important corporate resources must be protected from
attack. Compromise of these resources could harm the organization's financial results or
result in the disclosure of confidential corporate information or important intellectual
property, all of which can harm the company's reputation.


Trend Vision One Endpoint Security

• Single platform experience for deploying and managing protection on endpoint computers
− Standard end-user endpoints (Windows, Mac)
− Server and workloads (Windows, Linux)

Trend Vision One Endpoint Security provides a single platform experience for deploying and
managing protection on endpoint computers, including end-user Windows or Mac desktop
computers and Windows and Linux servers and workloads. With Trend Vision One Endpoint
Security, administrators can manage security agent deployment and policy assignment
from the same Trend Vision One console they currently use for Risk Insights, Extended
Detection and Response and Attack Surface Risk Management.


Endpoint Threat Detection


[Diagram: the four detection points (entry point, pre-execution, runtime, exit point), shown for servers and workloads and for end user endpoints]

There are several points at which threats could enter the system through endpoint
computers. A variety of automated threat detection techniques can be enabled to monitor
for threats on the endpoint.

1. Entry-point detection captures threats as they enter the endpoint.
2. Pre-execution detection captures and blocks threats as they are written to disk or to
memory.
3. Runtime detection captures and blocks threats as they execute.
4. Exit-point detection detects and blocks attempts to forward data from the endpoint.


Server and Workload Protection
Threat actors typically target servers and workloads using software and configuration
vulnerabilities, lateral movement, and stolen employee credentials

End User Endpoint Protection
End-user desktop endpoints are typically exposed to threats through email, websites, cloud
services, or USB drives

The differences in threat exposure create a need for distinct security requirements and
protection strategies

The protection required for servers/workloads and end-user endpoints can differ because
the threats and types of attack can differ.

For servers and workloads, threat actors typically attack by taking advantage of software
and configuration vulnerabilities, lateral movement, and stolen employee credentials.

End-user endpoints are typically exposed through email, websites, cloud services or USB
drives.

These differences in threat exposure create a need for distinct security requirements and
protection strategies for end-user endpoints and server workloads.

https://www.trendmicro.com/en_us/business/products/endpoint-security.html


Server and Workload Protection


• Anti-malware
• Web reputation
• Firewall
• Intrusion prevention
• Device control
• Integrity monitoring
• Log inspection
• Application control

Ensure your security addresses the way server and cloud workloads are deployed and
attacked. Protect against vulnerabilities, malware, and unauthorized changes, and deploy
advanced security capabilities specifically designed for the server and cloud workload
environment.

Some of the protection features available for servers and workloads include the following:

Anti-Malware protection detects and blocks malicious software such as viruses, trojans,
spyware, ransomware and other applications intended to harm endpoints. Anti-malware
protection can occur in real-time, can be run on demand, or can be set up to run on a
schedule. A variety of techniques including behavior monitoring and machine learning
enable protection against emerging malware that would not be captured by traditional
pattern-based malware scanning.

Web Reputation protection tracks the credibility of websites and safeguards servers from
malicious URLs. Web Reputation blocks endpoints from accessing compromised or
infected sites, blocks users from communicating with command-and-control (C&C) servers
used by cybercriminals, and blocks access to malicious domains registered for
perpetrating malicious activities.


Firewall protection examines the header information in each network packet to allow or
deny traffic based on direction, specific frame types, transport protocols, source and
destination addresses, ports, and header flags. Firewall protection also prevents
denial-of-service attacks and blocks reconnaissance scans.

Intrusion Prevention protection examines the payload information in a packet. Intrusion
Prevention protection implements rules to drop traffic designed to leverage unpatched
vulnerabilities in certain applications or the operating system itself. This virtual patching
protects the host while awaiting the application of the relevant patches.

Intrusion Prevention can detect activity that is considered suspicious, such as ransomware or
remote access. It can also detect and block traffic that does not conform to protocol
specifications, allowing agents to detect packet fragments, packets without flags, and similar
anomalies. This protection can also block traffic associated with specific applications like
Skype or file-sharing utilities.

Built-in Intrusion Prevention rules are provided for over 100 applications, including database,
web, email and FTP servers.

Device Control protection regulates access to external storage devices connected to
computers. Device Control helps prevent data loss and leakage and, combined with file
scanning, helps guard against security risks. The Device Control enforcement settings can be
set to one of three options for each supported device type:
• Full-Access
• Read-Only
• Block

Integrity Monitoring protection monitors critical operating system and application files,
including directories, custom files, registry keys and values, open ports, processes and
services to provide real-time detection and reporting of malicious and unexpected changes.
The Integrity Monitoring module tracks both authorized and unauthorized changes made to
a server instance. The ability to detect unauthorized changes is a critical component in a
cloud security strategy as it provides visibility into changes that could indicate the
compromise of an instance.

Log Inspection protection collects and analyzes operating system and application logs for
suspicious behavior, security events, and administrative events across the data center. This
module optimizes the identification of important security events buried in multiple log
entries.

Application Control protection monitors computers for any software changes that drift away
from an approved software inventory. It detects all changes to executables, including users
installing unapproved software, new PHP pages or Java applications, unscheduled auto-
updates, and zero-day malware. This module can lock down software so that only approved
applications can execute or stop specific unwanted software from running.
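
An added example (not from the course material and not Trend product code) sketching the two Application Control ideas described above: detecting drift from an approved software inventory, and the lock-down versus block enforcement modes. The suffix list, function names and sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: file types this sketch treats as "software".
SOFTWARE_SUFFIXES = {".exe", ".dll", ".sh", ".py", ".php", ".jar"}


def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_inventory(root):
    """Map relative path -> SHA-256 for every software file under root."""
    inventory = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SOFTWARE_SUFFIXES:
            inventory[path.relative_to(root).as_posix()] = sha256_file(path)
    return inventory


def detect_drift(baseline, current):
    """Report software that was added, changed or removed since the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(
            p for p in current if p in baseline and current[p] != baseline[p]
        ),
        "removed": sorted(p for p in baseline if p not in current),
    }


def execution_allowed(file_hash, mode, approved, blocked):
    """lockdown: only approved hashes may run. block: everything except blocked hashes."""
    if mode == "lockdown":
        return file_hash in approved
    if mode == "block":
        return file_hash not in blocked
    raise ValueError(f"unknown mode: {mode}")


def demo():
    """Build a baseline over constructed sample files, introduce drift, evaluate both modes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "www").mkdir()
        (root / "bin" / "backup.sh").write_text("#!/bin/sh\necho backup\n")
        (root / "bin" / "report.py").write_text("print('daily report')\n")
        (root / "www" / "index.php").write_text("<?php echo 'home'; ?>\n")
        (root / "www" / "notes.txt").write_text("not software, ignored\n")

        baseline = build_inventory(root)
        approved = set(baseline.values())  # hashes of the approved inventory

        # Drift: a new PHP page, an unscheduled update, and a removed script.
        (root / "www" / "upload.php").write_text("<?php echo 'new page'; ?>\n")
        (root / "bin" / "report.py").write_text("print('daily report v2')\n")
        (root / "bin" / "backup.sh").unlink()

        current = build_inventory(root)
        drift = detect_drift(baseline, current)

        # In block mode only explicitly listed software is stopped.
        blocked = {current["www/upload.php"]}
        decisions = {
            path: {
                mode: execution_allowed(digest, mode, approved, blocked)
                for mode in ("lockdown", "block")
            }
            for path, digest in current.items()
        }
        return baseline, drift, decisions


if __name__ == "__main__":
    _, drift, decisions = demo()
    print(drift)
    for path, verdict in decisions.items():
        print(path, verdict)
```

Because decisions are keyed on the file hash rather than the path, the modified `report.py` is refused in lock-down mode even though its path is in the approved inventory.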


End User Endpoint Protection


• Anti-malware
• Web reputation
• Firewall
• Data loss prevention
• Device control
• Outbreak prevention
• Vulnerability protection
• Application control

Some of the capabilities related to end user endpoint protection include:

Anti-Malware protection detects and blocks malicious software such as viruses, trojans,
spyware, ransomware and other applications intended to harm endpoints. Anti-malware
protection can occur in real-time, can be run on demand, or can be set up to run on a
schedule. A variety of techniques including behavior monitoring and machine learning
enable protection against emerging malware that would not be captured by traditional
pattern-based malware scanning.

Web Reputation protection tracks the credibility of websites and safeguards servers from
malicious URLs. Web Reputation blocks endpoint computers from accessing compromised
or infected sites, blocks users from communicating with command-and-control (C&C) servers
used by cybercriminals, and blocks access to malicious domains registered for
perpetrating malicious activities.

Firewall protection examines the header information in each network packet to allow or
deny traffic based on direction, specific frame types, transport protocols, source and
destination addresses, ports, and header flags. The firewall prevents denial-of-service
attacks and blocks reconnaissance scans.


Data Loss Prevention safeguards an organization’s digital assets against accidental or
deliberate leakage.

Device Control protection regulates access to external storage devices connected to
computers. Device Control helps prevent data loss and leakage and, combined with file
scanning, helps guard against security risks. The Device Control enforcement settings can be
set to one of three options for each supported device type:
• Full-Access
• Read-Only
• Block

Outbreak Prevention shuts down infection vectors and rapidly deploys attack-specific
security policies to prevent or contain outbreaks before pattern files are available.

Vulnerability Protection protects endpoints from being exploited by operating
system vulnerability attacks. It automates the application of virtual patches to
endpoint computers before official patches from the vendor become available.

Application Control protection enhances defense against malware or targeted attacks
by preventing unwanted and unknown applications from executing on endpoints.


Implementing Trend Vision One Endpoint Security


The method for implementing Trend Vision One Endpoint Security and adding endpoints to
the inventory will depend on your relationship with Trend: for example, whether you
currently use any Trend endpoint protection products, and whether they are cloud-based
or on-premises.


Implementing Trend Vision One Endpoint Security

• Organization is new to Trend endpoint protection
• Organization would like to evaluate Trend Vision One Endpoint Security
• Organization uses Trend on-premises endpoint protection

The options for implementing Trend Vision One Endpoint Security include:
• The organization is new to Trend endpoint protection
• The organization would like to evaluate Trend Vision One Endpoint Security on a
selection of endpoints. Once the evaluation and testing are complete, the entire instance
can be updated to Trend Vision One Endpoint Security.
• The organization uses Trend on-premises endpoint protection


Common Terminology

• Policy
• Security agent
• Endpoint sensor
• Endpoint basecamp
• Protection manager

There are some terms that will be used in this presentation.

Policy: A policy is a collection of security settings that will be applied to servers, workloads
and endpoint computers.

Security Agent: A security agent is a software component that enforces the security
settings defined in the policy. Any security events captured by the agent are forwarded to
the Trend data lake for analysis. Security agents exist for servers and workloads and for
end-user endpoints, as well as for different operating systems.

Endpoint sensor: An endpoint sensor is a software component installed on servers and
workloads and end-user endpoints that monitors system activity and forwards it to the
Trend data lake for analysis.

Endpoint basecamp: Endpoint basecamp is a software component installed on servers and
workloads and end-user endpoints that allows Trend Vision One to install and distribute
components, such as the security agent, the endpoint sensor and the advanced risk
telemetry components. Once installed, endpoint basecamp can add components to the
endpoints as needed by Trend Vision One.


Protection manager: A protection manager is an instance of protection settings applied to
servers and workloads and end-user endpoints. Trend Vision One supports multiple
protection managers; for example, you can have multiple instances of standard endpoint
protection, each with its own security policies.


First Steps

• Update to Foundation Services
• Configure proxies
• Enable Service Gateway services
• Create firewall exceptions

Before configuring endpoints and policies for Trend Vision One for Endpoint Security, the
following system configurations must be performed.

Update to Foundation Services


If your Trend Vision One instance was created before July 3, 2023, update it to the Trend
Vision One Foundational Services. The release of Trend Vision One Endpoint Security
introduces a new foundation-level Identity Access Management (IAM) service. A prompt in
the console will remind you to update to the new IAM if this applies to your instance.
Identity Access Management is the centralized Trend Vision One service which handles user
identities and roles. The IAM service provides several important benefits within Trend
Vision One:
• Role-Based Access Control: The Identity Access Management service provides
centralized role-based access control for Trend Vision One Endpoint Security and other
Trend Vision One apps
• Single Sign-On: The Identity Access Management service enables single sign-on for
Trend Vision One and the embedded Vision One product consoles.
• Multiple Product Instances: The Identity Access Management service enables multiple
point product instance management within Trend Vision One.
• Endpoint Protection Product Migration: The Identity Access Management service
implements update paths for existing Apex One as a Service/Cloud One - Endpoint &
Workload Security customers to Trend Vision One Endpoint Security.


Details at: https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-
v1updatingfromconsol

Proxy services
Configure global proxy services if you are using a proxy server in your environment.

Enable service gateway services
As an alternative to a proxy server, deploy a Trend Vision One Service Gateway appliance and
configure the Forward Proxy service.

Firewall Exceptions
To ensure that Trend Vision One can properly communicate with your environment, you must
configure the appropriate Allow rules in your firewall.
Firewall exception requirements differ depending on the location hosting your Trend Vision
One environment. View the following article for more details:
https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-firewall-
permissions


Trend Vision One Endpoint Security


Organization is new to Trend endpoint protection:
• Create new protection manager instance (for either Standard Endpoints or Servers & Workloads)
• Install the Endpoint Basecamp package created in Trend Vision One on the endpoints
• Create policies to apply protection settings

Organization is new to Trend endpoint protection


If the organization does not currently use any Trend endpoint protection products, a new
protection manager instance (for either Standard Endpoint Protection or Server &
Workload Protection) must be created, then an Endpoint Basecamp installation package is
created in Trend Vision One. The package will install a security agent, an endpoint sensor
and the advanced risk telemetry component on the endpoints and the device will then
display in the endpoint inventory. Policies can be defined and assigned to the endpoints to
apply protection.


Trend Vision One Endpoint Security


i – Your organization would like to evaluate Trend Vision One Endpoint Security:
• Create new protection manager instance (for either Standard Endpoints or Servers & Workloads)
• Export and import policies and custom objects
• Update selected endpoints to report to the new protection manager
• Install Endpoint Basecamp on selected endpoints

Organization would like to evaluate Trend Endpoint Security


If the organization currently uses a cloud-based Trend endpoint protection product, a
selection of endpoints can be updated to Trend Endpoint Security for evaluation, testing or
proofs of concept. In this scenario, a new instance of protection manager (for either
Standard Endpoint Protection or Server & Workload Protection) must be created. Policies
and common objects used by the selected endpoints are exported from the original
product, then imported into the new protection manager instance. The agents on the
selected endpoints can then be updated to report to the new protection manager through a
Move operation. Finally, an endpoint basecamp installation package can be generated and
installed on the endpoint. Since the agent already exists on the device, only the endpoint
sensor and advanced risk telemetry components are installed through Endpoint Basecamp.


Trend Vision One Endpoint Security

ii – Your organization is now ready to update to Trend Vision One Endpoint Security:
• Connect the endpoint security product to Trend Vision One
• Allow Trend Vision One to update all endpoints to report to the appropriate protection manager
• Install Endpoint Basecamp on endpoints

Organization is ready to update to Trend Endpoint Security


Once the organization has run all their evaluation tests on Trend Vision One Endpoint
Security, they can update their entire instance of the cloud-based endpoint protection
product. This involves connecting the product to Trend Vision One through the Product
Instance app, then allowing Trend Vision One to update all the existing agents to report to
the appropriate protection manager. Finally, an Endpoint basecamp installation package
can be generated and installed on the endpoint, adding the endpoint sensor and advanced
risk telemetry components on the devices.


Trend Vision One Endpoint Security

Organization uses Trend on-premises endpoint protection:
• Connect the endpoint security product to Trend Vision One
• Install sensor on endpoints

Organization uses Trend on-premises endpoint protection


Organizations using Trend on-premises endpoint protection (Apex One or Deep Security) can
also benefit from Trend Vision One Endpoint Security. If you connect Apex One (on-
premises) or Deep Security Software to Trend Vision One, you will be able to collect
security event and activity telemetry and view the devices they manage in the inventory
list. You will not, however, be able to configure or apply policy settings to these devices
from Trend Vision One Endpoint Security. Those operations remain in the on-premises
consoles. You will, however, be able to apply mitigation actions such as Isolate Endpoint,
Run Remote Custom Shell and Start Remote Shell to any items in the list.


Policy Deployment

• Servers and workloads
• Standard endpoints

A policy is a collection of security settings that will be applied to servers, workloads and
endpoint computers.

To simplify the transition for servers and workloads to Trend Vision One, the policy
deployment process is similar to the one used in Deep Security and Endpoint Security Cloud One
– Endpoint & Workload Security.

To simplify the transition for standard endpoints to Trend Vision One Endpoint Security, the
policy deployment process is similar to the one used in Apex Central as a Service.


Server and Workload Policy Deployment


• Create policy (New, Duplicate, Import)
• Modify settings to reflect requirements
• Assign to appropriate servers and workloads

To deploy a policy to a server or workload:

1. Create a new policy, duplicate and modify an existing one, or import a policy from
another installation.
2. Modify the settings of the policy to match your security requirements.
3. Assign the policy to the required servers and workloads.

1. In a Server & Workload Protection Manager, create a policy using one of three different
options (New, Duplicate, Import)
2. Modify the settings in the policy to reflect requirements
3. Assign the policy to the appropriate servers and workloads


Standard Endpoint Policy Deployment


• Select destination product (Apex One Security Agent, Apex One Mac, Apex One Data Loss Prevention, Apex One Server)
• Identify policy targets
• Modify settings to reflect requirements
• Deploy the policy

To deploy a policy to a standard endpoint:

1. In a Standard Endpoint Protection Manager, select a destination product (Apex One
Security Agent, Apex One Mac, Apex One Data Loss Prevention, Apex One Server).
2. Identify the target endpoints to receive the policy settings.
3. Modify the settings of the policy to match your security requirements.
4. Deploy the policy.


Trend Vision One Endpoint Security Summary

• Security tailored to the type of endpoint
• Single console experience
• Wide variety of detection techniques
• Support for multiple protection manager instances
• Wide OS support
• Interface consistency

Some of the benefits of Trend Vision One Endpoint Security include:

• Security is tailored to the type of endpoint being used, either server/workload or end-
user endpoint.
• Trend Vision One provides a single console experience, allowing endpoint management
from the same console used for XDR, Attack Surface Risk Management and more.
• A variety of detection techniques ensures that Trend Vision One Endpoint Security
captures malware at any phase of an attack.
• Support for multiple protection managers allows your organization to tailor its security
to its requirements, as each protection manager can include distinct policies and
configurations.
• Wide OS support allows Trend Vision One to offer protection regardless of the operating
system being used.
• Interface consistency allows users to easily transition from Trend cloud-based or on-
premises endpoint protection products.


Best Practices


These are just a few of the best practices related to endpoint security.
• Endpoints should host both a security agent and an endpoint sensor
• Make sure endpoint security solutions are regularly updated and patched
• Monitor the Security Configuration tab of Executive Dashboard


Try it yourself


A 30-day full access trial of Trend Vision One is available for download.


Thank you for attending


Please complete the class survey at the following URL or by scanning the QR code:
https://www.surveymonkey.com/r/TrendMicroVisionOne

This helps guide the development of courses and helps ensure that content matches your
requirements.

Thank you for attending.
