
Student Guide

Trend Vision One Platform Advanced

Trend Vision One Platform Advanced 1



The threat landscape is always changing, but the drastic shifts of recent years have made unprecedented demands of
security teams:

Attackers are probing in new ways and in new places.
The battleground never stops growing and changing.
This complex and diverse digital environment presents new opportunities for attack.
A larger number of cyber assets means more of those assets are likely to be vulnerable, more weak points arise in the
infrastructure, and the overall result is a bigger and more profitable target that cybercriminals are only too eager to
exploit.

This growth of the attack surface has consequences: in the past year alone, nearly 70% of organizations have been
compromised via an unknown, unmanaged, or poorly managed internet-facing asset.
This is partly due to the difficulty of taking an inventory of external-facing assets; the average organization needs
upwards of 80 hours to build an accurate picture of its attack surface.
(Source: https://www.randori.com/reports/the-state-of-attack-surface-management-2022/)


How are threat actors behaving differently than before?

Cyber criminals are focusing more and more on extortion and business email compromise. Extortion can mean
ransomware and other tactics for forcing organizations to pay. This behavior is expected to grow as we enter a period of
economic uncertainty. Cyber criminals are specializing, targeting victims more effectively and customizing their attacks.
During 2022 we also saw instances of governments hacking back, which is changing the landscape somewhat.

Nation state actors like to disrupt. They may try to destroy equipment or data, or to steal intellectual property. Nation
states frequently tolerate cyber criminal activity inside their borders. You must decide whether nation states are part of
the threat model that applies to your organization.

Economic pain is also driving an increased potential for misbehavior by insiders, such as employees. Insider activity may
be the result of perceived slights and a desire for revenge, or insiders may be paid by cyber criminals to provide access to
your organization.


Threat activity evolution (slide): increased speed and specialization at every stage of an attack

Initial Access: phishing emails look more real; new vulnerabilities are exploited faster; open source and supply chain
exploitation
Lateral Movement: getting better at avoiding EDR; "Living off the Land" to evade detection (PowerShell, etc.)
Impact: higher-quality encryption; exfiltration and extortion, not just encryption
4 | ©2024 Trend Micro Inc.

Let's discuss the evolution of threat activity at each of the stages of an attack.

• At the initial access stage, phishing emails are looking more and more real, and it is harder for employees to tell what
is genuine and what is not. New vulnerabilities are being exploited faster and faster: attackers have become very
efficient at weaponizing new vulnerabilities, turning them into working exploits and moving before defenders have had
time to patch. We have also seen more and more instances of open-source exploitation and supply chain exploitation.

• In the middle stage, lateral movement, attackers have become smarter at avoiding EDR and other security controls.
They are also finding success by "living off the land", that is, by leveraging ordinary IT tools already present inside the
organization, such as PowerShell and other pre-installed utilities, so that their activity blends in with legitimate
administration.

• At the impact stage, ransomware has evolved to use higher-quality encryption, and it is becoming harder to find
decryption tools that work. More data exfiltration and other new forms of extortion have been observed, not just
encryption, partly because pure encryption attacks have been so disruptive that they attracted unwanted law
enforcement attention.


Tool sprawl combined with the growing skills gap has also created more opportunity for attackers to hide between silos.

Many security organizations today have siloed toolsets covering different areas of the environment. These tools generate
a lot of noisy alerts that are sent to a SIEM, to a vendor or independent service provider managing the product on behalf
of the customer, or to a completely disconnected system and console.

For example, an organization might use EDR for detailed visibility into suspicious activity on endpoints, plus a separate,
siloed view of network security alerts and traffic analysis, while still having blind spots around IoT and OT devices and
little if any visibility into threats already sitting undiscovered in user mailboxes.

Without a detailed record of system activity, these alerts are missing important attack details, and the analyst ends up
buried in alerts without context.

Given the operational and commercial implications of a distributed toolset, and the current economic pressure and skills
shortage, it is critical to resolve the challenges of this common customer scenario. Purchasing, deploying, and
maintaining different tools becomes overwhelming, and disconnected workflows and disjointed views slow down
response time and create security gaps.


Shift from Security Tools to a Cybersecurity Platform (slide)

Attack Surface Risk Management cycle: Discover Attack Surface, Assess Risk, Mitigate Risk
Platform pillars: Zero Trust Architecture; Extended Detection and Response (XDR); Ecosystem Integration; Managed
Services
Protected layers: User and Identity, Email, Endpoints and Servers, Cloud Infrastructure, Applications, Code Repository,
Data, Network, 5G, ICS/OT
Security domains: Email Security, Endpoint Security, Cloud Security, Network Security, Data Security, Identity Security
Automation: Risk Mitigation, IT Automation, Orchestration and Automation, Custom Playbooks, Case Management
Intelligence: Attack Surface Intelligence, Zero Day Initiative, Global Threat Intelligence, Threat Research, Big Data
Analytics
AI: AI Privacy and Ethics, AI Companion, AI Native Foundation, Generative AI, Custom LLM, Machine Learning


The Trend Vision One platform represents an integrated approach with visibility across the entire digital environment.
The platform includes the solutions, services, and technology that connect and benefit security and operations teams
across multiple functions.

More importantly, the platform delivers a single common framework so security teams can bridge threat protection and
cyber risk management to drive better security outcomes and accelerate the business.

The platform:
• Improves cyber risk resilience by continuously discovering and assessing risks, thwarting attackers, and prioritizing
mitigation.
• Reduces cost and complexity with one platform to assess, protect, investigate, respond, automate, and report, even
with non-Trend products.
• Protects brand reputation. The longer it takes to stop an attacker, the more damage is done to the organization's
reputation. The platform helps you implement security controls and policies with confidence, reducing the chance of a
breach and its business impact.
• Optimizes compliance by making it easier to implement key industry standards and frameworks, for example Zero
Trust, and to demonstrate that you are meeting them.


Data Lake


Data feeds the different capabilities in Trend Vision One. Telemetry collected from different sources in the environment
is stored in a centralized cloud-based data lake, where correlation and analysis are performed using a variety of big data
techniques. From that analysis the attack surface can be derived and events correlated.

Sources of telemetry in the environment can include:


• End-user endpoint computers
• Servers and workloads
• Email
• Network
• Operational technologies
• Cloud
• Third-party products
• Data
• Identities

A data lake is a centralized repository that allows you to store all your structured and unstructured data at any scale. You
can store data as-is, without having to structure it first, and run different types of analytics, from dashboards and
visualizations to big data processing, real-time analytics, and machine learning, to guide better decisions.

These sources all contribute to the Trend Vision One data lake, and the collected telemetry serves as the foundation for
delivering Attack Surface Risk Management (ASRM). This capability addresses an issue companies have struggled with
for years: discovering all the assets in the environment, classifying and tagging them, understanding their relationships
with other assets, assessing their risk, and prioritizing risk reduction measures.

In addition, the Extended Detection and Response (XDR) capabilities are derived from the same data lake. The raw
activity data collected by Trend sensors allows the platform to detect and report on even the most evasive attacks,
including those that cross layers such as email, endpoint, and network. With the details of every process run, every
network connection made, and so forth, Trend Vision One continually sweeps the data lake, comparing the collected
telemetry with new threat intelligence obtained from trusted sources. To speed up understanding of an attack, Trend
Vision One Companion AI can explain the attacker's actions in plain language and recommend the best next steps.

Attack Surface Risk Management and Extended Detection and Response work hand in hand. Having both in the same
platform, working off the same data, allows for streamlined workflows, increasing proactive measures and reducing the
amount of reactive response required.


Telemetry (slide): both security event data and system activity data are needed to compile the full story of an attack.
Security events come from the security agent; system activity comes from sensors (endpoint, email, network, ...).

Telemetry from all the different sources in the environment is collected in the data lake. This telemetry includes:

Security events, generated by protection modules hosted on the devices, such as anti-malware, virtual patching/IPS, and
Web reputation. A Trend Micro-managed security agent is required on the devices to generate this information, which is
then forwarded for storage.

System activity, which covers internal activity such as registry changes, user creation and deletion, cron jobs and
scheduled tasks, processes starting and stopping, software being installed or removed, and network connections to IPs
or domains. Sensors are required to collect this data and forward it for storage. Sensors exist for endpoints, email, and
the network.

Relying only on the security events generated by endpoint protection is not enough to build a full picture of what is
happening in the environment: a security event tells you that a control fired, while the system activity around it tells you
what the attacker did before and after.


Endpoint Protection


Endpoint Protection (slide): servers and workloads; end user computers


The servers and workloads and the end-user endpoints in your organization are under constant attack from external
sources, and these important corporate resources must be protected. Compromise of these resources can harm the
organization's financial results, disclose confidential corporate information, and disclose important intellectual
property, all of which damage the company's reputation.


Endpoint Threat Detection (slide): the same four detection phases apply to servers and workloads and to end user
endpoints:

Entry point: capture and block threats as they enter the endpoint
Pre-execution: capture and block threats as they are written to disk or memory
Runtime: capture and block threats as they are executed
Exit point: capture and block threats as they attempt to forward data

There are several points at which threats can enter the system through endpoint computers. A variety of automated
threat detection techniques can be enabled to monitor for threats on the endpoint:

1. Entry point detection captures threats as they enter the endpoint.
2. Pre-execution detection methods capture and block threats as they are written to disk or to memory.
3. Runtime detection covers threats that are not detected while being written to disk and are only detected once they
execute.
4. Exit point detection methods detect and block attempts to forward data out of the endpoint.


Server and Workload Protection


Anti-malware Device control

Web reputation Integrity monitoring

Firewall Log inspection

Intrusion prevention Application control


Protection features available for servers and workloads include the following:

Anti-Malware protection detects and blocks malicious software such as viruses, trojans, spyware, ransomware and other
applications intended to harm endpoints. It is based on the Trend Micro Anti-Malware Solution Platform in conjunction
with the Trend Micro Smart Protection Network. Anti-malware scanning can run in real time, on demand, or on a
schedule. A variety of techniques, including behavior monitoring and machine learning, provide protection against
emerging malware that traditional pattern-based scanning would not catch.

Web Reputation protection tracks the credibility of websites and safeguards servers from malicious URLs. It integrates
with the Trend Micro Smart Protection Network to detect and block Web-based security risks, including phishing attacks.
Web Reputation blocks endpoints from accessing compromised or infected sites, blocks communication with
command-and-control (C&C) servers used by cybercriminals, and blocks access to malicious domains registered for
perpetrating malicious activities.
Protection applies whether a user types a URL into a Web browser or an application makes an internal reference to a
URL.

Firewall protection provides broad coverage for all IP-based protocols and frame types as well as fine-grained filtering by
port and by IP and MAC address through a bidirectional, stateful firewall. The firewall examines the header information in
each network packet to allow or deny traffic based on direction, frame type, transport protocol, source and destination
addresses, ports, and header flags. Firewall protection also helps prevent denial-of-service attacks and blocks
reconnaissance scans.

Intrusion Prevention protection examines all incoming and outgoing traffic at the packet level, searching for protocol
deviations, policy violations, or any content that can signal an attack. This module detects and blocks known and zero-day
attacks. Where firewall protection examines the header information in the packet, the Intrusion Prevention module
examines the payload. Intrusion Prevention implements rules to drop traffic designed to leverage unpatched
vulnerabilities in specific applications or in the operating system itself. This virtual patching protects the host while the
relevant patches are awaiting application; it complements patching rather than replacing it, since the underlying
vulnerability is still present on the host.
Intrusion Prevention can detect activity that is considered suspicious, such as ransomware or remote access tools, and
can detect and block traffic that does not conform to protocol specifications, allowing agents to catch packet fragments,
packets without flags, and similar anomalies. It can also block traffic associated with specific applications such as Skype
or file-sharing utilities.
Built-in Intrusion Prevention rules are provided for over 100 applications, including database, web, email and FTP servers.
The Intrusion Prevention module automatically delivers rules that shield newly discovered vulnerabilities (within hours),
and these can be pushed out to thousands of servers within minutes, without a system reboot.
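The header-versus-payload distinction above is easier to see in code. The following is an added example, not Trend Micro's code and not how the Trend agent implements either module: it parses a constructed IPv4/TCP packet, applies a header-only firewall rule, and then applies a payload signature of the kind an intrusion prevention rule would use. The allow list, the two signature patterns and the sample HTTP requests are all assumptions made for illustration.

```python
import re
import struct
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    flags: int
    payload: bytes


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_packet(src_ip, dst_ip, src_port, dst_port, flags, payload: bytes) -> bytes:
    """Assemble a minimal IPv4 + TCP packet (checksums left at zero; enough to parse)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    # data offset = 5 words (0x50), no TCP options
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw: bytes) -> Packet:
    """Decode the IPv4 and TCP headers and slice out the payload."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("this example only parses TCP")
    sport, dport, _, _, off_res, flags, _, _, _ = struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
    data_off = (off_res >> 4) * 4
    payload = raw[ihl + data_off:total_len]
    return Packet(".".join(map(str, src)), ".".join(map(str, dst)), proto, sport, dport, flags, payload)


# Assumed inbound firewall policy: (IP protocol, destination port) pairs that are allowed.
FIREWALL_ALLOW = {(6, 80), (6, 443)}


def firewall_verdict(pkt: Packet) -> str:
    """Header-only decision: protocol and port; the payload is never looked at."""
    return "allow" if (pkt.proto, pkt.dst_port) in FIREWALL_ALLOW else "deny"


# Assumed IPS signatures over the payload (illustrative patterns, not Trend rules).
IPS_RULES = [
    ("http-path-traversal", re.compile(rb"(\.\./){2,}")),
    ("http-command-injection", re.compile(rb"[;&|]\s*(cat|wget|curl)\s", re.IGNORECASE)),
]


def ips_verdict(pkt: Packet):
    """Payload decision: drop on the first matching signature, otherwise pass."""
    for name, pattern in IPS_RULES:
        if pattern.search(pkt.payload):
            return "drop", name
    return "pass", None


def inspect_packet(raw: bytes) -> dict:
    """Run both modules in order, firewall first, then IPS on whatever the firewall let through."""
    pkt = parse_packet(raw)
    fw = firewall_verdict(pkt)
    if fw == "deny":
        return {"firewall": fw, "ips": "not reached", "rule": None}
    ips, rule = ips_verdict(pkt)
    return {"firewall": fw, "ips": ips, "rule": rule}


# Constructed samples: a benign request and a traversal attempt, both to the allowed port 80,
# plus a SYN to port 22 that the firewall alone is enough to stop.
BENIGN = build_packet("203.0.113.7", "10.0.0.5", 51515, 80, 0x18,
                      b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
TRAVERSAL = build_packet("203.0.113.7", "10.0.0.5", 51516, 80, 0x18,
                         b"GET /../../../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
SSH_PROBE = build_packet("203.0.113.7", "10.0.0.5", 51517, 22, 0x02, b"")

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("traversal", TRAVERSAL), ("ssh probe", SSH_PROBE)):
        print(label, inspect_packet(raw))
```

The traversal request is indistinguishable from the benign one at the header level (same protocol, same destination port), which is exactly why a port-based firewall lets it through and only the payload rule catches it.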

Device Control protection regulates access to external storage devices connected to computers. Device Control helps
prevent data loss and leakage and combined with file scanning, helps guard against security risks. The Device Control
enforcement settings can be set to three options for each supported device type:
• Full-Access
• Read-Only
• Block

Integrity Monitoring protection monitors critical operating system and application files, including directories, custom files,
registry keys and values, open ports, processes and services, to provide real-time detection and reporting of malicious and
unexpected changes. The Integrity Monitoring module tracks both authorized and unauthorized changes made to a server
instance. The ability to detect unauthorized changes is a critical component of a cloud security strategy because it provides
visibility into changes that could indicate compromise of an instance; a known-good baseline taken when the instance is
built is what makes an unauthorized change recognizable.
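To make the baseline-and-compare idea concrete, here is an added example (not the Trend Integrity Monitoring module, whose rules and storage are its own) that snapshots a directory tree, records a hash plus size and permission bits per file, and reports what changed. The directory contents, the tampering steps and the decision to skip symlinks are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Record (sha256, size, permission bits) for every regular file under root.

    Symlinks are skipped so that retargeting a link to another file cannot hide a
    change behind an unchanged link name.
    """
    state = {}
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        state[path.relative_to(root_path).as_posix()] = (digest, st.st_size, st.st_mode & 0o777)
    return state


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake /etc tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Changes of the kind a compromised instance would show:
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")          # content change
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "update").write_text("* * * * * root /tmp/.x\n")  # new persistence file
        (etc / "hosts").unlink()                                           # deletion
        os.chmod(etc / "passwd", 0o444)   # permission-only change; content and size unchanged
        result = diff_snapshots(baseline, snapshot(root))
        os.chmod(etc / "passwd", 0o644)   # restore so the temporary directory can be removed
        return result


if __name__ == "__main__":
    print(demo())
```

Hashing alone would miss the permission change on passwd, which is why the snapshot keeps mode bits alongside the digest; a real deployment would also record ownership and, on Windows, registry values, as the paragraph above describes.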

Log Inspection protection collects and analyzes operating system and application logs for suspicious behavior, security
events, and administrative events across the data center. This module optimizes the identification of important security
events buried among many log entries. Suspicious events can be forwarded to a Security Information and Event Management
(SIEM) system or to a centralized logging server for correlation, reporting and archiving. The Log Inspection module
leverages and enhances the open-source OSSEC log inspection engine.
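The value of log inspection is in correlating individually uninteresting entries into one meaningful event. The following added example (not the OSSEC engine or any Trend rule set) decodes constructed sshd lines and escalates repeated failures from one source into a brute-force alert, then escalates again if that same source later succeeds. The log lines, the threshold of five failures in 120 seconds, and the alert levels are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format (not real captured data).
SAMPLE_LOG = """\
Mar  4 10:12:01 web01 sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar  4 10:12:03 web01 sshd[2233]: Failed password for invalid user admin from 198.51.100.23 port 50123 ssh2
Mar  4 10:12:05 web01 sshd[2235]: Failed password for root from 198.51.100.23 port 50124 ssh2
Mar  4 10:12:07 web01 sshd[2237]: Failed password for root from 198.51.100.23 port 50125 ssh2
Mar  4 10:12:09 web01 sshd[2239]: Failed password for root from 198.51.100.23 port 50126 ssh2
Mar  4 10:12:11 web01 sshd[2241]: Accepted password for root from 198.51.100.23 port 50127 ssh2
Mar  4 10:30:00 web01 sshd[2300]: Failed password for alice from 10.0.0.9 port 40000 ssh2
Mar  4 10:31:00 web01 sshd[2302]: Accepted publickey for alice from 10.0.0.9 port 40001 ssh2
Mar  4 10:32:00 web01 systemd[1]: Started Daily apt upgrade and clean activities.
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

# Assumed correlation parameters (frequency within a timeframe, the way OSSEC-style rules work).
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW_SECONDS = 120
LOG_YEAR = 2024  # syslog lines carry no year; assumed for the sample


def parse_line(line: str):
    """Decode one sshd auth line into a dict, or None for lines this decoder does not cover."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def inspect_log(log_text: str) -> list:
    """Correlate single auth events into alerts.

    A lone failed login is noise and produces nothing. BRUTE_FORCE_THRESHOLD failures from
    one source inside the window produce one level-10 alert; a later successful login from a
    source that was already flagged produces a level-12 alert, the event an analyst must see.
    """
    recent_failures = defaultdict(list)   # source IP -> timestamps of failures still in the window
    flagged_sources = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["outcome"] == "Failed":
            window = [t for t in recent_failures[ip]
                      if (ts - t).total_seconds() <= BRUTE_FORCE_WINDOW_SECONDS]
            window.append(ts)
            recent_failures[ip] = window
            if len(window) >= BRUTE_FORCE_THRESHOLD and ip not in flagged_sources:
                flagged_sources.add(ip)
                alerts.append({"level": 10, "rule": "sshd-brute-force", "host": ev["host"],
                               "ip": ip, "count": len(window), "ts": ts})
        elif ip in flagged_sources:
            alerts.append({"level": 12, "rule": "sshd-brute-force-then-success", "host": ev["host"],
                           "ip": ip, "user": ev["user"], "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in inspect_log(SAMPLE_LOG):
        print(alert)
```

Only two alerts come out of nine lines: the analyst is not shown alice's single typo, and the systemd line is ignored by the decoder rather than breaking the parser, which is the "important events buried in many entries" point made above.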

Application Control protection monitors computers for any software changes that drift away from an approved software
inventory. It detects all changes to executables, including users installing unapproved software, new PHP pages or Java
applications, unscheduled auto-updates, and zero-day malware. This module can lock down software so that only approved
applications can execute, or stop specific unwanted software from running. During a software update or maintenance
window, the Application Control module can be configured to approve the change while still blocking unapproved software
from executing.


End User Endpoint Protection


Anti-malware Device control

Web reputation Outbreak prevention

Firewall Vulnerability protection

Data loss prevention Application control


Some of the capabilities related to end user endpoint protection include:

Anti-Malware protection detects and blocks malicious software such as viruses, trojans, spyware, ransomware and other
applications intended to harm endpoints. It is based on the Trend Micro Anti-Malware Solution Platform in conjunction
with the Trend Micro Smart Protection Network. Anti-malware scanning can run in real time, on demand, or on a
schedule. A variety of techniques, including behavior monitoring and machine learning, provide protection against
emerging malware that traditional pattern-based scanning would not catch.

Web Reputation protection tracks the credibility of websites and safeguards endpoints from malicious URLs. It integrates
with the Trend Micro Smart Protection Network to detect and block Web-based security risks, including phishing attacks.
Web Reputation blocks endpoint computers from accessing compromised or infected sites, blocks communication with
command-and-control (C&C) servers used by cybercriminals, and blocks access to malicious domains registered for
perpetrating malicious activities. Protection applies whether a user types a URL into a Web browser or an application
makes an internal reference to a URL.

Firewall protection provides broad coverage for all IP-based protocols and frame types as well as fine-grained filtering by
port and by IP and MAC address through a bidirectional, stateful firewall. The firewall examines the header information in
each network packet to allow or deny traffic based on direction, frame type, transport protocol, source and destination
addresses, ports, and header flags. The firewall also helps prevent denial-of-service attacks and blocks reconnaissance
scans.

Data Loss Prevention safeguards an organization’s digital assets against accidental or deliberate leakage.

Device Control protection regulates access to external storage devices connected to computers. Device Control helps
prevent data loss and leakage and, combined with file scanning, helps guard against security risks. The Device Control
enforcement setting can be set to one of three options for each supported device type:
• Full-Access
• Read-Only
• Block

Outbreak Prevention shuts down infection vectors and rapidly deploys attack-specific security policies to prevent or
contain outbreaks before pattern files are available.

Vulnerability Protection protects endpoints from being exploited through operating system vulnerabilities. It automates
the application of virtual patches to endpoint computers before official patches from the vendor become available.

Application Control protection enhances defense against malware and targeted attacks by preventing unwanted and
unknown applications from executing on endpoints.


Trend Vision One Endpoint Security (slide): security tailored to the type of endpoint; single console experience; wide
variety of detection techniques; support for multiple protection manager instances; wide OS support; interface
consistency


Some of the benefits of Trend Vision One Endpoint Security include:

Security tailored to the type of endpoint: Since attacks on end user endpoints and on servers can be very different,
Standard Endpoint Protection Managers and Server and Workload Protection Managers provide security controls
tailored to the type of endpoint being protected.

Single console experience: Endpoint protection operations for end-user endpoints and for servers and workloads are now
controlled from a single console, the same console used for other security operations such as Attack Surface Risk
Management and Zero Trust Secure Access.

Wide variety of detection techniques: A wide variety of detection techniques (patterns, behavior monitoring, predictive
machine learning, the Windows Antimalware Scan Interface (AMSI), IntelliTrap, process memory scans) help stop
different types of malware.

Support for multiple protection manager instances: Trend Vision One allows multiple instances of Standard Endpoint
Protection Manager and Server and Workload Protection Manager. Each instance can have separate policy settings.

Wide OS support: Trend Vision One Endpoint Security allows protection settings to be applied to Windows, macOS and an
extensive collection of Linux distributions.

Interface consistency: The interface for the Standard Endpoint Protection Managers is identical to the one used in Apex
One/Apex One as a Service. The interface for the Server and Workload Protection Managers is identical to the one used
in Deep Security/Cloud One – Endpoint & Workload Security. Administrators do not have to learn a new way of applying
security to their managed endpoints.


Trend Vision One Endpoint Security (slide): implementation paths

Organization is new to Trend endpoint protection: create a new instance of Trend Endpoint Security; install the
agent+sensor package on endpoints; create policies to apply protection settings.
Organization would like to evaluate Trend Vision One Endpoint Security: create a new instance of Trend Endpoint
Security; export and import policies and custom objects; update selected endpoints to report to Trend Vision One;
install the sensor on the selected endpoints.
Organization is ready to update to Trend Vision One Endpoint Security: connect the endpoint security product to Trend
Vision One; update all endpoints to report to Trend Vision One; install the sensor on endpoints.
Organization uses Trend on-premises endpoint protection: connect the on-premises endpoint security product to Trend
Vision One; install the sensor on endpoints.

The process for implementing Trend Vision One Endpoint Security varies depending on
your existing relationship with Trend endpoint protection (Apex One on-premises, Apex One
as a Service, Deep Security on-premises, or Cloud One – Endpoint & Workload Security).

Organization is new to Trend endpoint protection

If the organization does not currently use any Trend endpoint protection product, a new
instance of Trend Endpoint Security (for either Standard Endpoint Protection or Server &
Workload Protection) must be created, then an installation package generated that
includes both the security agent and the endpoint sensor. The package is installed on the
endpoints, and each device then appears in the endpoint inventory. Policies can be defined
and assigned to the endpoints to apply protection.

Organization would like to evaluate Trend Endpoint Security


If the organization currently uses a cloud-based Trend endpoint protection product, a
selection of endpoints can be updated to Trend Endpoint Security for evaluation, testing or
proof of concept. In this scenario, a new instance of Trend Endpoint Security (for either
Standard Endpoint Protection or Server & Workload Protection) must be created, then the
policies and common objects used by the selected endpoints are exported from the
original product and imported into the Trend Vision One Endpoint Security instance. The
agents on the selected endpoints can then be updated to report to Trend Vision One
through a Move operation. Finally, an endpoint sensor-only installation package can be
generated and installed on those endpoints.

Organization is ready to update to Trend Endpoint Security

Once the organization has completed its evaluation of Trend Vision One Endpoint
Security, it can update its entire instance of the cloud-based endpoint protection
product. This involves connecting the product to Trend Vision One through the Product
Instance app, then allowing Trend Vision One to update all the existing agents to report to
Trend Vision One. Finally, an endpoint sensor-only installation package can be generated
and installed on the endpoints.

Organization uses Trend on-premises endpoint protection

Organizations using Trend on-premises endpoint protection (Apex One or Deep Security) can
also benefit from Trend Vision One Endpoint Security. If you connect Apex One (on-premises)
or Deep Security Software to Trend Vision One, you will be able to collect security event
telemetry and view the devices they manage in the inventory list. You will not, however, be
able to configure or apply policy settings to these devices from Trend Vision One Endpoint
Security; those operations remain in the on-premises consoles. You will be able to apply
response actions such as Isolate Endpoint, Run Remote Custom Script and Start Remote
Shell to any item in the list.


Open Trend Vision One console



Zero Trust Secure Access


Resource Access

Traditionally, once authenticated, devices and identities are trusted by default



In a traditional networking environment, once authenticated, devices and identities are trusted by default. A user's
credentials are checked once, when initial access to a network resource is requested, and the system relies on that initial
authentication for all subsequent activity until the user logs out. The user identity, however, can easily be compromised
through social engineering, brute-force password guessing or other attacks, and once compromised the credentials can
be shared and reused to access protected resources across the organization. These legacy networks were architected as
flat networks with protection at the perimeter only. Once an adversary finds a hole in the perimeter, they can leverage
vulnerabilities to move laterally and access everything. In these environments systems, applications, and data are all
protected to roughly the same level; trying to protect everything equally results in some systems being over-protected
while overall functionality across the network is constrained.


Zero Trust Access Policy (slide): example policy allowing All Accounting Users to reach the Acceptable CRM Application

Validation factors: user/group specific; application specific; time control (only during business hours); geolocation (only
when in the office); device posture (only if AV and EDR are installed and up to date); risk score (only if user and device
risk are low)
Decision: grant access when all factors are satisfied; if the user or device is risky, deny access and, where warranted, lock
the user's account

A Zero Trust architecture assumes that any user or device may pose a threat. Zero Trust considers multiple factors when
validating access, including the user's role and location, the state of the device attempting access, and the data or
services being accessed. Identity is validated at every step, and access can be revoked at any time during a session based
on perceived risk.

With Trend Vision One we have full visibility of users, devices, and applications, and of who is doing what, when, and
where. Zero Trust Secure Access can take action based on real-time, continuous risk assessment of users and devices,
covering vulnerabilities as well as suspicious web or email activity.

Depending on the user and device risk scores and events, the system can either:
- grant access if the user and device comply with the organization's security and access policy, or
- deny access to the targeted application or website, and even lock the user's account

Zero Trust Secure Access leverages analytics, the attack surface landscape and threat intelligence from the platform to
make risk-based access control decisions.

Trend Vision One delivers a zero-trust technology ecosystem (native and integrated) that consolidates security controls to
provide comprehensive visibility of all enterprise assets, real-time continuous risk assessment and scoring, and a
centralized policy decision and enforcement point in a single console.
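The access policy on the slide can be written down as a small decision function, which also makes the "revoked at any time during a session" property visible. The following is an added example, not Trend's implementation of Zero Trust Secure Access: it encodes the slide's validation factors for an assumed "accounting users to CRM" policy. The 0 to 100 risk scale, the thresholds, the location values and the sample requests are all assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    app: str
    location: str        # "office" or "remote"; assumed to come from the client's geolocation
    when: datetime
    av_current: bool     # device posture: anti-malware installed and up to date
    edr_current: bool    # device posture: EDR sensor installed and up to date
    user_risk: int       # 0 (lowest) to 100 (highest); assumed scale
    device_risk: int


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    groups: frozenset
    apps: frozenset
    locations: frozenset
    hours: tuple               # (start, end) as datetime.time
    max_user_risk: int = 30
    max_device_risk: int = 30
    lock_user_risk: int = 80   # at or above this, lock the account rather than only deny


def policy_applies(policy: AccessPolicy, req: AccessRequest) -> bool:
    """User/group specific and application specific: does this policy govern the request?"""
    return bool(req.groups & policy.groups) and req.app in policy.apps


def evaluate(policy: AccessPolicy, req: AccessRequest) -> tuple:
    """Apply every validation factor on the slide. Returns (decision, reason)."""
    if req.user_risk >= policy.lock_user_risk:
        return "lock", f"user risk {req.user_risk} at or above lock threshold"
    if req.location not in policy.locations:
        return "deny", f"geolocation {req.location!r} not permitted"
    start, end = policy.hours
    if not (start <= req.when.time() <= end):
        return "deny", "outside business hours"
    if not (req.av_current and req.edr_current):
        return "deny", "device posture: AV and EDR must be installed and up to date"
    if req.user_risk > policy.max_user_risk or req.device_risk > policy.max_device_risk:
        return "deny", f"risk too high (user {req.user_risk}, device {req.device_risk})"
    return "grant", "all validation factors satisfied"


def decide(policies, req: AccessRequest) -> tuple:
    """Policy decision point: the first applicable policy decides; no applicable policy means deny."""
    for policy in policies:
        if policy_applies(policy, req):
            decision, reason = evaluate(policy, req)
            return decision, f"{policy.name}: {reason}"
    return "deny", "no policy grants this user access to this application"


def with_changes(req: AccessRequest, **changes) -> AccessRequest:
    """Copy of a request with some attributes updated (new risk score, new location, ...)."""
    return replace(req, **changes)


def continuous_check(policies, req: AccessRequest, updates) -> list:
    """Re-evaluate an established session every time the risk picture changes.

    Zero Trust does not stop at login: a session granted at 09:30 is re-scored when, for
    example, the device's risk rises mid-session, and the decision can flip to deny or lock.
    """
    decisions = [decide(policies, req)]
    for changed in updates:
        req = with_changes(req, **changed)
        decisions.append(decide(policies, req))
    return decisions


# Assumed policy matching the slide: accounting users reaching the CRM application.
POLICIES = [
    AccessPolicy(
        name="accounting-crm",
        groups=frozenset({"accounting"}),
        apps=frozenset({"crm"}),
        locations=frozenset({"office"}),
        hours=(time(8, 0), time(18, 0)),
    ),
]

# Constructed sample request: an accounting user in the office at 09:30 on a healthy device.
BASE_REQUEST = AccessRequest(
    user="alice", groups=frozenset({"accounting"}), app="crm", location="office",
    when=datetime(2024, 3, 4, 9, 30), av_current=True, edr_current=True,
    user_risk=10, device_risk=15,
)
AFTER_HOURS_REQUEST = with_changes(BASE_REQUEST, when=datetime(2024, 3, 4, 23, 0))

if __name__ == "__main__":
    print(decide(POLICIES, BASE_REQUEST))
    for d in continuous_check(POLICIES, BASE_REQUEST, [{"device_risk": 65}, {"user_risk": 95}]):
        print(d)
```

Two design choices are worth noting: the decision point is default-deny (a request no policy covers is refused, not silently allowed), and the lock check runs before any other factor so that a high-risk account is locked even when it would otherwise have been denied for a mundane reason such as time of day.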


Zero Trust Secure Access

Zero Trust Private Access Zero Trust Internet Access


There are two forms of Zero Trust Secure Access in Trend Vision One:

Zero Trust Private Access


Zero Trust Private Access allows end users to access internal apps and resources from anywhere they want and enables
dynamic, purpose-oriented network paths from users' endpoint computers to the needed apps only. All the internal apps
flow through Zero Trust Private Access whether the user is on or off the corporate network.

Zero Trust Internet Access


Internet Access is provided by the Internet Access Gateway. The Internet Access Gateway is automatically provisioned in
the cloud and delivered as a service. The Gateway is proxy based and analyzes your users' HTTPS/HTTP traffic forwarded
to it to enforce secure access rules. Alternatively, customers can select a built-in on-premises Gateway deployed in the
corporate network.


Zero Trust Secure Access

- Real-time risk assessment and scoring
- Centralized policy decision and enforcement management
- Comprehensive visibility and analytics
- Protects a hybrid workforce

Benefits of the Trend Vision One Zero Trust Secure Access implementation include:

Real-time risk assessment and scoring


Improve situational awareness and prioritization with real-time, contextualized risk
assessment and scoring. Integrate and calculate multiple critical risk factors including
vulnerabilities and exposures, security configurations and controls, XDR detections and
threats, user activity and behavior, asset criticality, account compromise, dark web activity,
and cloud app usage across both internal and internet-facing assets.
Continuous risk assessment and scoring verifies every entity is who they claim to be to
inform authentication and secure dynamic attribute-based access control to corporate
resources.

Centralized policy decision and enforcement management


Continuously inform dynamic risk-based policy decisions with integrated risk and threat
analysis and manage policy enforcement (Zero Trust Network Access, Cloud Access Security
Broker, Secure Web Gateway) and policy decision points (Platform) from a single console.

Comprehensive visibility and analytics


Zero Trust strategies cannot succeed within silos. Integrated visibility and analytics are
integral to capturing and comprehending the internet accessible attack surface as well as
network activity in real time. Trend Vision One centralizes visibility and analytics across
identities, devices, networks, applications and workloads, and data to inform security
controls, slow down attackers, and rapidly respond to threats. With highly integrated sensors
and third-party integrations across the environment, practitioners automatically and
continuously discover, inventory, and monitor all internal and internet-facing assets
associated with their infrastructure using a platform ecosystem approach that captures
suspicious, unauthorized, unverified, or anomalous activity.

Protect a Hybrid Workforce


Zero Trust Secure Access provides security controls that keep your organization protected and
your users connected. The controls that enable and protect the hybrid workforce are centralized
in one place. Automatically blocking connections based on machine learning, custom policies,
and dynamic risk assessment ensures that only authorized users, identities (human and
non-human), and devices can access corporate resources, regardless of where they are located.
Confidently enable and protect the hybrid workforce with access that is not just secure but
seamless, giving teams the resources they need without compromising security. Internal teams
benefit from fast and secure access through the secure web gateway to the SaaS applications
they use every day.


Open Trend Vision One console



Extended Detection and Response


What is going on?

- Threats hiding between security silos
- Threats that evaded other malware detection techniques
- Correlate low confidence events
- What is the full story of the attack?

How can we find threats evading detection by hiding in between security silos?

How can we find threats that have evaded other malware detection techniques?

How can we correlate low confidence events across security vectors to quickly detect complex, multi-layer attacks?

How can we visualize the full attack story with fragments of malicious activity?


Trend Vision One XDR

Diagram: activity data and detections from Endpoint, Email, Network, Identity, Cloud, Containers, Workloads, OT and
third-party sources flow into the Trend Data Lake, enriched with Threat Intelligence (latest threat campaigns, IOCs and
STIX, collaboration). Observed Attack Techniques and Workbench alerts are triaged, producing fewer, high-fidelity alerts
for the SOC analyst and the SIEM.

Trend Vision One Extended Detection and Response (XDR) finds attacks within the noise of alerts and telemetry with
powerful detection models.

Raw activity telemetry (activity data and detections) is forwarded to the data lake from sources in the environment, such
as endpoint, server, cloud, email, network, etc.

Detection models, developed by Trend threat experts, use a variety of techniques including data stacking, machine
learning, expert rules, etc., to find tactics, techniques, and correlated events. These detection models combine filters to
surface attacks. Detection models are frequently updated/added.

Detection model alerts are investigated and responded to by either your security team or by Trend Micro-Managed XDR
personnel (MDR service).

After processing by XDR, high fidelity alerts can be investigated by the analysts in the SOC.
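The way a detection model combines individual low-confidence filters into a high-fidelity alert, as an added illustration that is not Trend Micro code and does not reflect the platform's actual detection model format: three filters each flag a weak signal in raw activity data (a macro-enabled attachment opened, an Office application spawning a script interpreter, a DNS query to a very new domain), and the model fires only when at least two distinct filters correlate on the same host inside a time window. The event schema, the filters, the thresholds and the sample telemetry are all constructed for the example; the MITRE ATT&CK technique IDs attached to the filters are real.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable


@dataclass
class Event:
    """One raw activity record as a sensor might forward it to the data lake."""
    ts: datetime
    source: str   # telemetry layer: "email", "endpoint" or "network"
    host: str     # asset the activity was observed on
    kind: str     # activity type within that layer
    detail: dict  # layer-specific fields


T0 = datetime(2024, 5, 1, 10, 0)

# Constructed sample telemetry; not captured from a real environment.
TELEMETRY = [
    Event(T0, "email", "ws-017", "attachment_open",
          {"file": "invoice_0423.docm", "sender_domain": "example.invalid"}),
    Event(T0 + timedelta(minutes=1), "endpoint", "ws-017", "process_start",
          {"parent": "WINWORD.EXE", "image": "powershell.exe"}),
    Event(T0 + timedelta(minutes=3), "network", "ws-017", "dns_query",
          {"domain": "cdn-update.example.invalid", "domain_age_days": 2}),
    # Ordinary admin activity on another host: no weak signal at all.
    Event(T0 + timedelta(minutes=5), "endpoint", "srv-02", "process_start",
          {"parent": "explorer.exe", "image": "powershell.exe"}),
    # A single weak signal on a third host: not enough for an alert.
    Event(T0 + timedelta(hours=1), "network", "ws-044", "dns_query",
          {"domain": "new-site.example.invalid", "domain_age_days": 1}),
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Each filter is one low-confidence signal, tagged with the ATT&CK technique it
# suggests. None of them justifies an alert on its own.
FILTERS: list[tuple[str, str, Callable[[Event], bool]]] = [
    ("macro-enabled attachment opened", "T1566.001",
     lambda e: e.kind == "attachment_open"
     and e.detail["file"].lower().endswith((".docm", ".xlsm"))),
    ("office app spawned script interpreter", "T1059",
     lambda e: e.kind == "process_start"
     and e.detail["parent"].upper() in OFFICE_APPS
     and e.detail["image"].lower() in SCRIPT_HOSTS),
    ("DNS query to very new domain", "T1071.004",
     lambda e: e.kind == "dns_query" and e.detail["domain_age_days"] <= 7),
]


def run_filters(events):
    """Return one (filter_name, technique, event) tuple per filter hit."""
    return [(name, tech, e) for e in events for name, tech, pred in FILTERS if pred(e)]


def correlate(events, window=timedelta(minutes=15), min_filters=2):
    """Stack filter hits per host and raise one alert for a host when at least
    `min_filters` distinct filters fired inside `window`."""
    hits_by_host = {}
    for name, tech, e in run_filters(events):
        hits_by_host.setdefault(e.host, []).append((e.ts, name, tech, e.source))

    alerts = []
    for host, hits in hits_by_host.items():
        hits.sort()  # chronological; tuples compare on ts first
        for i, (start, *_rest) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            names = {h[1] for h in in_window}
            if len(names) >= min_filters:
                alerts.append({
                    "host": host,
                    "first_seen": start,
                    "filters": sorted(names),
                    "techniques": sorted({h[2] for h in in_window}),
                    "layers": sorted({h[3] for h in in_window}),
                    # Crude fidelity measure: share of the model's filters that fired.
                    "fidelity": round(len(names) / len(FILTERS), 2),
                })
                break  # one alert per host is enough for this illustration
    return alerts


if __name__ == "__main__":
    for alert in correlate(TELEMETRY):
        print(alert)
```

Only ws-017 produces an alert: its three weak signals span email, endpoint and network telemetry within a few minutes, which is exactly the cross-silo correlation a single-product alert cannot make. The PowerShell start on srv-02 never matches because its parent is not an Office application, and the lone DNS signal on ws-044 stays below the model's threshold.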


Trend Vision One XDR

- Earlier threat detection
- Faster threat investigation
- Advanced correlation
- Complete response
- Sweeping with new intel
- Companion AI

REACTIVE

Benefits of Trend Vision One Extended Detection and Response include:

Earlier threat detection


• Improves visibility and reduces silos to unearth threats that evade detection by hiding between security silos amid
disconnected solution alerts.
• Correlate low confidence events across security vectors to quickly detect complex, multi-layer attacks.
• Detect and stop threats before they take hold.
• Comprehensive MITRE ATT&CK mapping (common framework and language for the SOC team) delivers visualizations
for trending alerts to give a clear understanding of the tactics, techniques, and procedures associated with suspicious
activity happening in the environment.
• Early threat indication tooling analyzes, predicts, and alerts security teams before an event can happen.

Faster threat investigation


• Power to search, investigate, analyze, and respond from a single console, leveraging AI assistance to understand
complex threat activity.
• Quickly visualize the full attack story. XDR automatically pieces together fragments of malicious activity and paints a
complete picture across security layers.

Advanced correlation leveraging native and third-party data


• Native sensors deliver deep activity data—not just XDR detections—across endpoint, email, server, network, cloud
workloads and more. This provides full context of every piece of data that we produce. Competitors who do not
leverage native integrations can struggle to make sense of data they do not own.
• The API-friendly platform integrates third-party inputs to deliver more data (firewall, vulnerability management,
network, identity access management, SIEM, SOAR, for example) for analytical enrichment, as well as optimizing
processes and workflows.


Complete response
• Enact embedded response options across multiple security layers from one location and all with one action (e.g.
quarantine an email across multiple mail accounts or block an IP address across email, endpoint, servers, cloud).
• Automated remediation capabilities to deal with threats like ransomware (e.g. auto-restore any files damaged prior to
detection or cleanup malware automatically).
• Automate and integrate detection and response with Trend Vision One APIs and integrated parties, including SIEM and
SOAR.
• Manually and automatically submit samples for analysis in a secure virtual environment.

Sweeping with new intel


Because the details of every process run, every network connection made, and so on are retained, Trend Vision One can
constantly sweep them with new threat intelligence obtained from trusted third parties.

Companion AI
To help analysts understand attacks more quickly, Trend Vision One Companion uses AI to explain the attacker's actions
and recommend the best next steps.


Open Trend Vision One console



Attack Surface Risk Management


What is out there?

- Devices
- Internet-facing assets
- Accounts
- Applications
- Cloud Assets
- APIs

It is important for the organization to identify all its devices, accounts and other resources that are out there. Trend
Vision One Attack Surface Risk Management (ASRM) can identify the following items from an analysis of all the collected
telemetry:

Devices: Displays desktops, servers, mobile devices and more discoverable within the organization.

Internet-facing assets: Displays IP and domain assets (expiring certificates, weak ciphers and vulnerabilities) that are
visible from external internet locations and displays detailed IP profile risk assessments.

Accounts: Displays visible domain and service accounts, identifies highly-authorized accounts, and displays detailed
risk profiles.

Applications: Displays the applications deployed to devices and the cloud apps being accessed by users.

Cloud Assets: Displays detected cloud resources within the organization and surfaces compliance and security best
practice violations on public cloud infrastructure and across cloud service platforms.

APIs: Displays REST and HTTP-based API collections detected in AWS API gateways and assesses the vulnerability of
individual API endpoints.


Attack Surface Risk Management (ASRM)

- Discovering all assets
- Prioritizing risk mitigation
- Classifying and tagging assets with AI
- Assessing cyber risk
- Mapping relationships
- Analyzing compliance

PROACTIVE

Trend Vision One Attack Surface Risk Management proactively discovers, assesses, and reduces cyber risk. It can help
identify and reduce risk exposure and the opportunity for attacks and breaches across cloud, hybrid, and on-premises
environments through the following capabilities.

Discovering all assets: ASRM locates assets that threat actors might be able to use to attack the organization, across the
internal, external and cloud attack surface.

Prioritizing risk mitigation: ASRM aggregates data from across the enterprise, including third-party security tools, helping
to identify areas of weakness, make risk-informed decisions, and benchmark against peers in the same region, industry,
or company size.

Classifying and tagging assets with AI

Assessing cyber risk: Leverage continuous real-time risk assessments to focus efforts and prioritize remediation actions.

Mapping relationships

Analyzing compliance: ASRM helps manage compliance at scale and immediately act on high-risk violations.


Risk Index


Attack Surface Risk Management calculates a Risk Index for the environment. Organizations can gain better insights into
their security posture by understanding their risk index. This comprehensive score is based on a dynamic assessment of
exposure, attack, and security configuration risks. Trend Vision One continuously identifies known and unknown assets in
your environment to inform your attack exposure and security configuration. Visibility into the environment and the
attack surface improves as you integrate more Trend Micro products, sensors, and third-party data sources.

The Risk Index algorithm was recently upgraded and provides a comprehensive overview of your organization's risk
landscape by significantly expanding the foundation and extent of the risk calculation. While earlier versions of the
algorithm relied on the risk scores of sampled assets, the updated version calculates the index from the risk scores and
levels of all risk events. By incorporating the risk score and level of every risk event within your organization, the updated
algorithm has a broader scope, and individual risk events have a more direct influence on the index.

When you remediate a risk event, the Risk Index decreases by an amount equivalent to the event's impact score. The Risk
Index can be improved significantly even if you only remediate some high-impact instances of a risk event. This
relationship between the Risk Index and risk events creates a positive feedback loop for your organization's risk
mitigation efforts: Remediation actions consistently lower the Risk Index, boosting the effectiveness and efficiency of
your security operations, which, in turn, helps your organization proactively address threats and maintain a robust
security posture.


Reducing the Risk Index


In addition to identifying the risk index, Trend Vision One highlights measures that you can use to reduce the risk index.


Open Trend Vision One console



And More


And More

- Threat intelligence
- Cyber-risk assessments
- Generative AI
- Mobile security

Other important Trend Vision One features include:

Threat intelligence
There are many sources of threat information available, such as web sites, blogs and podcasts, but it can be very time
consuming to keep up to the minute on threats showing up all over the globe.
Trend Vision One Threat Intelligence helps by letting us integrate information from sources around the globe into the
Trend Vision One console and then scan the data lake for those indicators of compromise.
Trend Vision One can take advantage of what other companies, organizations and governments have discovered in their
systems, and we can share what we find with others as well.

Cyber-risk assessments
Cyber Risk Assessments scan different areas of the environment for file-based threat indicators from global intelligence
sources. When deployed, the tool automatically collects and uploads data to Trend Vision One for in-depth analysis and
reporting. New assessments may be added to the app from time to time when new vulnerabilities or attack campaigns are
discovered.

Generative AI
Trend Vision One Companion is an AI assistant for cyber security. This sophisticated threat expert can answer your
queries about threats and provide guidance. Security Workflow Commander is an AI-driven threat intelligence
system that prioritizes threats based on severity and relevance to the organization. It provides insights into user
activities, helps identify potential security risks associated with user behavior, and leads users to an optimized
workflow through security analysis and prediction.

Mobile security
Trend Vision One Mobile Security proactively protects and manages mobile devices (including iOS, Android, iPad and
Chromebooks) against a wide range of mobile threat attacks.


Mobile Security can protect corporate mobile devices or personally-owned mobile devices for work-related purposes by
providing the following features:
Malware Detection: Proactively detects malware apps, privacy-leaking apps, and apps riddled with vulnerabilities.
Wi-Fi Protection: Detects Wi-Fi connections with man-in-the-middle attacks, HTTPS stripping, and poor encryption, with
alerts on the console and device.
Configuration Manager: Checks device settings for possible security violations.
Web Reputation: Protects mobile devices from web-based threats and potential operating system vulnerabilities.


Implementing Trend Vision One


Customers who are using Trend Vision One for the first time will have a number of tasks to configure the platform for their
environment. These include some initial administration tasks, configuring the data sources that feed into the data lake,
configuring endpoint security, configuring sensors, configuring threat intelligence sources and, if Zero Trust Secure Access
is used, configuring its components.


Implementing Trend Vision One - Administration

- Credits and licensing
- Assign roles and accounts
- Configure identity providers

Initial Admin tasks required include:

Credits and licensing:


Acquire the required licenses and credits for the features you want to implement. Contact your Trend salesperson or
purchase from a Marketplace. The number of credits required for each component will vary.

Assign roles and accounts:


Assign appropriate roles to different users requiring access to the console. Create custom roles if required.

Configure identity provider:


If using SAML authentication, configure an external identity provider.


Implementing Trend Vision One – Data Sources

- Connect Trend products
- Connect Service Gateway
- Connect third-party products

Configure your data sources


It is a best practice to configure as many data sources as possible.

Connect Trend products:


Use the Product Instance app to connect Trend products to Vision One and enable the option to forward telemetry to the
data lake. Ensure that endpoints in the environment host both a security agent and an endpoint sensor.

Connect Service Gateway:


Some product connections require a Service Gateway to communicate with Vision One. Use the Service Gateway
Management app to connect the gateway.

Connect third-party products:


Connect any third-party applications to Trend Vision One. Use the Third-Party Integration app to connect the products.


Implementing Trend Vision One – Endpoints

- New to endpoint protection
- Existing endpoint protection user

Add your endpoints

Add your end user endpoint computers and your servers and workloads to Trend Vision One.
All endpoint computers should host a security agent to capture security event details and a sensor to capture activity data
on the endpoint.

The process for adding endpoints to Trend Vision One will vary depending on whether you are a current Trend endpoint
security user (see the earlier slide in this presentation).


Implementing Trend Vision One – Sensors

- Install endpoint sensors
- Configure email sensors
- Configure network sensors

Add your sensors

Add sensors as required to collect activity data from your products, including:

Endpoint sensors: A sensor installation package can be created from the Endpoint Inventory app, which can then be run
on your endpoints.

Email account sensors: Use the Email Sensor app to install email sensors on your email accounts.

Network sensors: Use the Network Inventory app to install the network sensor.


Implementing Trend Vision One – Threat Intelligence

- Subscribe to Intelligence Reports
- Configure sandbox analysis
- Configure intelligence feeds

Subscribe to intelligence feeds

Threat intelligence feeds threat details into Trend Vision One. This allows the platform to keep up to date on threats
occurring around the world.

Subscribe to Intelligence Reports: Use the Intelligence Reports app to integrate up-to-the-minute intelligence reports
from internal and external sources to help identify potential threats in your environment.

Configure sandbox analysis: Configure submission settings in the Sandbox Analysis app to allow suspicious objects to be
submitted for sandbox analysis. In addition, configure any exceptions in the Suspicious Objects Management app.

Configure intelligence feeds: Use the Third-Party Intelligence app to configure TAXII and MISP intelligence feeds to
produce custom intelligence reports.
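The sweep described under "Sweeping with new intel" and "Threat intelligence" above, fed by the TAXII (STIX) and MISP sources configured here, as an added example that is not Trend Vision One code and does not use its APIs: indicators are normalized from a minimal STIX 2.1 bundle and from a MISP event's attribute list, merged into one set, and then matched against telemetry records that were retained earlier, so that intelligence published after the activity happened still produces hits. The feed content, the telemetry records, the hash value and the `.example`/`.invalid` names and RFC 5737 addresses are all constructed placeholders, and the telemetry schema (each record tagged with the IOC type its value represents) is an assumption of the example.

```python
import re
from collections import defaultdict

# Map the STIX object path used in a comparison expression to a normalized IOC type.
STIX_PATH_TO_TYPE = {
    "file:hashes.'SHA-256'": "sha256",
    "file:hashes.'MD5'": "md5",
    "domain-name:value": "domain",
    "ipv4-addr:value": "ipv4",
    "url:value": "url",
}
# Same for MISP attribute types.
MISP_TYPE_TO_TYPE = {
    "sha256": "sha256", "md5": "md5", "domain": "domain",
    "ip-dst": "ipv4", "ip-src": "ipv4", "url": "url",
}

# One "<object path> = '<literal>'" comparison inside a STIX pattern. Only
# equality comparisons are handled; that covers the common indicator shapes.
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def indicators_from_stix(bundle):
    """Extract (ioc_type, value, label) triples from indicator objects in a STIX 2.1 bundle."""
    out = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue  # revoked indicators must not keep producing hits
        for path, value in _COMPARISON.findall(obj.get("pattern", "")):
            ioc_type = STIX_PATH_TO_TYPE.get(path)
            if ioc_type:
                out.add((ioc_type, value.lower(), obj.get("name", obj["id"])))
    return out


def indicators_from_misp(event):
    """Extract triples from a MISP event's attribute list, honouring the to_ids flag."""
    out = set()
    for attr in event.get("Attribute", []):
        if not attr.get("to_ids", True):
            continue  # attributes not meant for detection are context only
        ioc_type = MISP_TYPE_TO_TYPE.get(attr["type"])
        if ioc_type:
            out.add((ioc_type, attr["value"].lower(), event.get("info", "misp")))
    return out


def sweep(telemetry, indicators):
    """Match retained telemetry records against the indicator set; every record carries
    the IOC type its value represents, so each lookup is a single dict probe."""
    index = defaultdict(list)
    for ioc_type, value, label in indicators:
        index[(ioc_type, value)].append(label)
    hits = []
    for rec in telemetry:
        labels = index.get((rec["ioc_type"], rec["value"].lower()))
        if labels:
            hits.append({**rec, "sources": sorted(set(labels))})
    return hits


# Constructed feed content and telemetry; the hash, names and addresses are
# placeholders (reserved .example/.invalid names, RFC 5737 space), not real IOCs.
FAKE_SHA256 = "ab" * 32
STIX_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "loader hash (constructed)", "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{FAKE_SHA256}']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "C2 domain (constructed)", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.malicious.example' OR ipv4-addr:value = '203.0.113.5']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "retracted false positive", "pattern_type": "stix", "revoked": True,
         "pattern": "[domain-name:value = 'benign.example']"},
    ],
}
MISP_EVENT = {
    "info": "Constructed MISP event",
    "Attribute": [
        {"type": "ip-dst", "value": "203.0.113.5", "to_ids": True},
        {"type": "domain", "value": "Update.Malicious.Example", "to_ids": True},
        {"type": "url", "value": "http://benign.example/", "to_ids": False},
    ],
}
TELEMETRY = [
    {"ts": "2024-05-01T09:12:00Z", "host": "ws-017", "ioc_type": "sha256", "value": FAKE_SHA256},
    {"ts": "2024-05-01T09:13:00Z", "host": "ws-017", "ioc_type": "domain", "value": "update.malicious.example"},
    {"ts": "2024-05-02T14:00:00Z", "host": "srv-02", "ioc_type": "ipv4", "value": "203.0.113.5"},
    {"ts": "2024-05-02T15:30:00Z", "host": "ws-044", "ioc_type": "domain", "value": "benign.example"},
    {"ts": "2024-05-02T15:31:00Z", "host": "ws-044", "ioc_type": "ipv4", "value": "198.51.100.20"},
]


def run_sweep():
    """Merge both feeds and sweep the retained telemetry with the combined set."""
    indicators = indicators_from_stix(STIX_BUNDLE) | indicators_from_misp(MISP_EVENT)
    return sweep(TELEMETRY, indicators)


if __name__ == "__main__":
    for hit in run_sweep():
        print(hit["ts"], hit["host"], hit["ioc_type"], hit["value"], hit["sources"])
```

Two details matter for a feed-driven sweep: a revoked STIX indicator and a MISP attribute with `to_ids` cleared are both dropped, so retracted or context-only entries do not generate alerts, and values are lower-cased on both sides so case differences between feeds (here the MISP copy of the domain) do not split one indicator into two.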


Implementing Trend Vision One – Zero Trust Secure Access

Zero Trust Private Access:
- Private Access Connector
- Secure Access Module
- User portal

Zero Trust Internet Access:
- Internet Access Gateway

Risk control rules

Configure Zero Trust Secure Access components if required.

Zero Trust Private Access Components:


Private Access Connector: The Private Access Connector connects to devices and internal apps and serves as a rule
enforcement point to control private app access depending on secure access rules. It can be deployed close to your on-
premises data centers, or your Infrastructure as a Service (IaaS) environments hosted on popular cloud computing
platforms, for example, Microsoft Azure and Amazon Web Services. The Secure Access Connector is a virtual appliance
that is supported on VMware ESXi, Microsoft Azure, Amazon AWS and Google Cloud Platform. Administrators can
download a disk image of this virtual appliance from the Trend Vision One console and install it in their environment.

Secure Access Module: This module is deployed on endpoints to establish a connection with the connector and forwards
end users' access requests to the connector where the access decision is made.

User portal: This portal is generated by Trend Vision One and is provided for users to launch browser access-enabled
internal apps, without requiring them to install the Secure Access Module on their endpoints.

Zero Trust Internet Access Components:


Internet Access is provided by the Internet Access Gateway. The Internet Access Gateway is automatically provisioned in
the cloud and delivered as a service. The Gateway is proxy based and analyzes your users' HTTPS/HTTP traffic forwarded
to it to enforce secure access rules.

Risk Control Rules:


Risk control rules control the way users can access and use your organization's network environment and Internet
resources. The rules enable you to respond to risky behavior or suspicious entities and activities in your environment, so
that you can perform dynamic control over access to internal and cloud applications by risk, identity, time, and location.


Configure risk control rules to control a user or device's app access activity based on their risk score or risks discovered on
them. Based on the actions configured, when a user or device matches the criteria in a risk control rule, Trend Vision One
monitors the user or device's subsequent activity and acts when the monitored activity occurs. For example, a user with a
persistent high-risk score attempts to sign in to a SaaS app or access an internal app.


Implementing Trend Vision One – Cloud Posture

- Add Amazon Web Services account
- Add Microsoft Azure account

Add any AWS or Azure accounts to Trend Vision One through the Cloud Posture Overview app if required.

Once connected, these accounts are covered by the full set of cloud resource checks, which confirm your level of compliance
with the rules run against your cloud accounts.

Before you begin, ensure you have access to a sign-in or user role with administrator privileges for the cloud account or
subscription you wish to connect, and that you are logged into the cloud service provider on a separate tab in the same
browser instance as the Trend Vision One console.


Implementing Trend Vision One – Container Security

- Add Amazon ECS instance
- Add Kubernetes cluster
- Configure image scanning policy

Configure Container security, if required.

Trend Vision One Container Security provides security for your containers at all stages of their lifecycle.

Add your Amazon ECS instance or your Kubernetes cluster to Trend Vision One, then configure image
scanning policies if required.


Cybersecurity Outcomes

CONSOLIDATION | Pivot from a siloed cybersecurity approach to a unified cybersecurity platform — without losing quality

VISIBILITY | Transform from limited visibility to broad visibility into security and risk exposure, across all assets with
Attack Surface Risk Management — for proactive defense

AUTOMATION | Shift from manual response to automated workflows and AI-supported response with integrated security
playbooks — achieve real time protection, assessment, detection and response, and improve mean time to contain

In summary, what can be accomplished through a successful implementation of Trend Vision One?

By centralizing our security infrastructure, we eliminate redundancies, improve coordination, and minimize security gaps.
This consolidation enables us to optimize resources, reduce costs, and create a more efficient and cohesive security
environment. Through consolidation, we can also gain comprehensive insights into security events, threats, and
vulnerabilities.

Enhanced visibility empowers our executives with the necessary information to make informed security decisions.

Automation is a key driver for efficiency and agility in cybersecurity. Automated workflows help us optimize resource
allocation and prioritize critical tasks. We can also deploy automated threat detection and response mechanisms to
thwart emerging threats swiftly.
