Trend Micro Endpoint Sensor (EDR)
Get more out of endpoint detection and response (EDR)

Overview

---

Key Features

Integrated workflow

Threat hunting and detection investigation is performed within the workflow and console of Apex One and shows investigations across connected emails and servers. No more moving from one console to another.

Efficient endpoint recording

Endpoint Sensor records and stores information on system behaviors, communications and user behaviors. Metadata on this information is sent to the Apex One server to allow investigators to “sweep” for indicators of compromise (IoCs)

Server side IoC sweeping

The Apex One server only stores essential metadata of end user recorded data (or telemetry). This allows investigators to perform multiple searches or sweeps of this data without having to query each endpoint individually. In addition, detailed root cause investigations can be made on each endpoint directly.

Flexible searching

Investigators can search (or sweep) with multiple parameters. Searches can be made on parameters such as, specific communications, specific malware, registry activity, account activity, and running processes. Or investigators can search using industry standard OpenIOC or YARA rules.

Root cause analysis

Investigators can drill down on an interactive process tree that illustrates the full chain of attack to analyze how the detection arrived, changed, and spread by viewing activities, objects, and processes. Immediate response can be taken to terminate processes, isolate users, update security, and to sweep further.

Vendor intelligence and assistance

Layering in proactive global threat intelligence, the Trend Micro™ Smart Protection Network™ provides clarity and assistance to threat investigators. Endpoint Sensor recognizes known good objects and processes as well as known bad. Investigators can view a colour-coded root cause analysis to identify risky or unknown processes and guide in the remediation. Investigators can also access Trend Micro™ Threat Connect™ service to research our database of threat information.

Immediate response options

Apex One already provides advanced automation to remediate detections. It can automatically isolate, quarantine, block executions, roll back settings (and files, in the case of ransomware), with the option to manually respond while performing an investigation. Endpoints can be isolated, processes can be terminated, and security intelligence can be automatically updated on a per-user or enterprise-wide basis.

Advanced threat hunting

Threat hunting, based on indicators of attack (IoAs), allows investigators to develop attack discovery rules or work with the IoAs provided by Trend Micro to hunt for threats.

Open APIs

Many customers want to be able to leverage their security operations tools. Apex One has multiple built-in documented application programming interfaces (APIs) that allow the product to work with these tools.

Sandbox integration

Security investigators can select objects and manually submit them to Trend Micro sandboxes. Suspicious objects can be sent to our Trend Micro™ Deep Discovery™ network security sandboxes on-premises, or to Trend Micro Apex One™ Sandbox as a Service subscription option.

How It Works

1. Endpoints with Trend Micro™ Apex One Endpoint Sensor enabled, and emails with Trend Micro™ Cloud App Security, will record system behaviors, user behaviors, and communications.


2. Activity and detection data from these servers, endpoints, and emails is sent to the Trend Micro™ XDR data lake.


3. When a detection is made, investigators can search through the data to understand the impact analysis of the detection to understand how far has it spread and who else has been compromised.





4. A full root cause analysis allows investigators to understand the cause of the detection and immediately implement a response that includes remediating affected systems and updating Apex One and Cloud App Security to block similar attacks in the future.





5. Alternately, before a detection, investigators can search for IoAs by using various search parameters or with IoCs and YARA rules.

Minimum Agent Requirements

Apex One Endpoint Sensor is available as an optional add-on to Apex One endpoint protection. It is available on-premises along with Apex One or in SaaS along with Trend Micro Apex One™ as a Service.

Apex One Endpoint Sensor is supported on the following endpoints with Apex One:

Windows

• Windows 7 SP1 (6.1)
• Windows 8.1 (6.3)
• Windows 10 (10.0)

Hardware: 2 GB minimum RAM, 2 GB available disk space (3 GB recommended)

Mac

• macOS™ Mojave 10.14
• macOS™ High Sierra 10.13
• macOS™ Sierra 10.12
• OS X™ El Capitan 10.11
• OS X™ Yosemite 10.10 or later
• OS X™ Mavericks 10.9.5 or later

Hardware: Intel Core™ processor, 512 MB RAM minimum, 300 MB minimum disk space

Documentation

Trend Micro Endpoint Sensor (EDR) Datasheet (.PDF)