
BATTLECARD

TREND MICRO™ APEX ONE™ BATTLE CARD


Comparison matrix (vendors across the top, features down the side; the per-vendor ratings were rendered as icons in the original and are not recoverable from this extract)

Vendors: Trend Micro, Symantec (Broadcom), McAfee, Sophos, CrowdStrike, VMware Carbon Black, Blackberry Cylance, Microsoft

Features compared:
Pre-Execution
Vulnerability Assessment (Virtual Patching)
Application Control (Whitelist)
Runtime
Endpoint Detection and Response (EDR)
Managed Detection and Response (MDR)
Data Loss Prevention (DLP)
Single Agent
Software as a Service (SaaS), On-Premises & Hybrid Deployment Options
Cross-Layer Detection and Response (XDR)

Rating legend:
Best in class
Feature exists, good enough
Feature exists, bare minimum
Feature/offering does not exist

CONFIDENTIAL – NOT FOR GENERAL DISTRIBUTION. This document is intended to provide general guidance to and for the exclusive use of Trend Micro field sales, marketing personnel, and authorized partners. The contents represent the best information available to Trend Micro at the time of publication and is provided “AS IS”, without warranty of any kind as to its accuracy, currency, or completeness, expressed or implied. The contents may not be applicable in all situations, may not reflect the most current situation, and are subject to change without notice and at the sole discretion of Trend Micro. It is not intended and should not be construed to constitute legal advice and should not be relied upon as such. Neither Trend Micro nor any party involved in creating, producing, preparing, or delivering the contents shall be liable for any consequences, losses, or damages, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of or inability to use, or reliance upon the contents of this document, or any errors or omissions in the content. Do not disseminate, publish, disclose, or transmit this document, in whole or part, without the prior written permission of an authorized representative of Trend Micro.

TREND MICRO APEX ONE™ VS. TRADITIONAL VENDORS


Apex One can take on traditional vendors:
Apex One is a strong contender against traditional vendors, with its powerful blend of modern pre-execution and runtime threat detection techniques. Relative to other established endpoint security vendors, Apex One shines with its breadth of threat detection functionality, SaaS and on-premises deployment options, managed detection and response service options, and high-quality support.

Differentiation:
Apex One stands out from the traditional vendors with its unique virtual patching advantages, built-in data protection, and SaaS and on-premises options. In addition to strong endpoint protection capabilities, Trend Micro goes beyond just endpoint detection and response to offer XDR for Users—true cross-layered detection and response across both endpoint and email, allowing for greater visibility and faster response to stealthy threats. Trend Micro’s XDR offering is augmented by its powerful managed service, which cannot be matched by all competitors in this group as it also includes network and server/cloud workload managed detection and response.

Sales motion:
We can displace established vendors by offering the best of both worlds: modern threat detection and EDR on par with “next gen” solutions, as well as stability and long-term financial viability. We also offer a migration path to full cross-layered detection and response, which can provide comprehensive detection and response across email, endpoint, servers, cloud workloads, and network.

Traditional vendors background:
We often encounter established “next-gen” vendors in new customer opportunities. Customers of vendors in this category frequently end up looking for alternatives because they have been experiencing frequent malware outbreaks, painful support experiences, and product complexity. Trend Micro’s technical support is well-regarded and a key differentiator for customers upset with their current vendor.

SYMANTEC®

Company stability: Symantec was purchased by Broadcom in 2019, with the acquisition causing some confusion and uncertainty for channel partners and certain customer segments. In January of 2020, Accenture purchased Symantec’s cybersecurity services business from Broadcom, which will lead to even more uncertainty and challenges for channel partners and existing customers. Following the Broadcom acquisition, support levels for customers and partners as well as roadmap commitments have fallen.

Pre-execution: Similar to Trend Micro, Symantec uses advanced machine learning (AML), along with a number of other pre-execution techniques (although they don’t do as well on independent tests).

Virtual patching: Protects against exploits with an intrusion prevention system (IPS) on Microsoft® Windows® and macOS®, with memory exploit mitigation for up to 20 popular applications. This approach is not very effective as the majority of application traffic is encrypted and not generally visible to IPS. A new add-on to SEP Cloud is Vulnerability Remediation, which identifies vulnerabilities for Windows 10 and critical third-party applications and lets you activate remediation to fix discovered vulnerabilities. Vulnerability Remediation only supports Windows 10. Trend Micro’s virtual patching protects against operating system (OS)-specific exploits, and has more timely rules.

Application control: Inconsistent capability across on-premises and SaaS. With on-premises, application and device control is available for Windows, but requires a lot of manual configuration and effort to implement. System lockdown (whitelisting) is also available, but also requires a lot of manual and time-consuming configuration. With SaaS, two layers of application protection are available—Application Control, which can automatically discover files and applications on every endpoint and create a policy for it, and Application Isolation, which shields known-good applications from being exploited.

Runtime: SONAR provides runtime protection using heuristics and behaviors such as system changes, but does not add a machine learning layer like Trend Micro does (beyond behavioral rules).

EDR: Inconsistent offerings on SaaS and on-premises. With SaaS, EDR is integrated into the agent but has minimal functionality and can only do endpoint activity recording and endpoint searching. For on-premises deployments Symantec requires an EDR appliance which integrates into the Symantec® Endpoint Protection agent on-premises. Customers with a hybrid setup (both cloud and on-premises) will end up managing two different EDR consoles due to the disparate capabilities of the cloud and on-premises EDR.

MDR: Symantec’s Managed Cloud Defense service offers similar services as MDR (security monitoring, threat correlation, remote incident investigation, containment, and threat hunting) and was recently sold off to Accenture, impacting all existing customers.

Data protection: Symantec is the leader in DLP functionality. However, the solution is expensive and not integrated with their endpoint security product, requiring a separate management console and agent. Symantec DLP on the endpoint cannot scan SSL; customers have to buy the network product for that functionality.

Single agent: Symantec implements a single agent approach with EPP/EDR on their SaaS agent. But for on-premises, customers are required to deploy an EDR appliance to integrate the EDR functions into the Symantec® Endpoint Protection agent on-premises.

Manageability and SaaS/on-premises deployment: Symantec provides the option to either manage your agents in the cloud, on-premises, or hybrid. However, the cloud console and on-premises console don’t have 100% feature parity. Therefore, it’s very likely for customers to end up managing both consoles. Since the acquisition, Symantec doesn’t offer support for on-premises solutions anymore, leading to unhappiness for existing on-premises customers.

MCAFEE®

Company Stability: McAfee replaced its CEO in January 2020, a sign that investors aren’t happy with the direction of the company thus far. This could signal the first in a series of actions to help transition McAfee into a new cloud-first cybersecurity vendor. McAfee’s new CEO specializes in helping struggling companies trim their costs and prepare for sale. Many customers remain on legacy versions of McAfee (8.8) due to migration issues caused by McAfee. These customers may be more willing to switch vendors and should be sought out.

Pre-execution: Uses machine learning for pre-execution static analysis of files—similar to Trend Micro’s approach.

Virtual patching: McAfee® Host Intrusion Prevention for Desktop Advanced vulnerability shielding protects against exploits that target new vulnerabilities. This feature is reported by customers as being very difficult to manage and configure.

Application control: Application control has a whitelist mode (default deny) and can be managed by McAfee® ePolicy Orchestrator® (McAfee ePO), which works on Windows and Linux® workloads. The feedback is that this product is powerful, but cumbersome to configure and manage, and is a separate product from endpoint protection.

Runtime: Uses machine learning for post-execution behavioral analysis, similar to Trend Micro.

EDR: The on-premises solution requires the combination of McAfee® Endpoint Security (ENS) plus McAfee® Active Response (MAR) and McAfee® Threat Intelligence Exchange (TIE).

MDR: Managed service provider (MSP) partners (third-party) offer an MDR service for McAfee’s EDR solution, while Trend Micro owns and operates its MDR service.

Data protection: McAfee’s Endpoint Security (ENS) doesn’t include DLP. An additional product purchase and a separate agent deployment are required.

XDR: Being developed, similar to the Trend Micro workbench.

Single agent: McAfee’s current architecture requires multiple agents (McAfee ePO, endpoint security, etc.) running on a machine, which consumes a significant amount of central processing unit (CPU) and memory.

Manageability and SaaS/on-premises deployment: Cloud McAfee ePO has similar functionality but has some limitations, such as no lightweight directory access protocol (LDAP) support, a limit of 10k clients, and limited product support (endpoint security mainly). Customers can deploy McAfee ePO in AWS and retain all the functionality of McAfee ePO in a cloud environment, but the customer bears the cost and maintenance burden. Additionally, migrating to cloud McAfee ePO requires a database migration, McAfee ePO disaster recovery, and re-deployment of agents. McAfee doesn’t support legacy Windows OS, and has EOL email and mobile security products.

SOPHOS

Company Stability: Thoma Bravo announced on March 2, 2020 that it has closed its hefty $3.9 billion acquisition of security firm Sophos, marking yet another private equity deal in the books. Sophos has not been as effective in key tests such as AEP or AV-Test, and they did not participate in the MITRE APT29 evaluation, raising questions on the confidence of their product efficacy.

Pre-execution: Sophos® Intercept X®, Intercept X Advanced, and Intercept X Advanced with EDR leverage machine learning focused on Windows portable executable (PE) files for pre-execution detection. With the acquisition of Invincea, Sophos has boosted its pre-execution detection with deep learning detection.

Virtual patching: Pre-execution and runtime host intrusion prevention systems (HIPS) are available in Sophos® Central Endpoint®, Sophos® Intercept X® Advanced, and Sophos® Intercept X® Advanced with EDR to protect against attempted exploits. Sophos doesn’t have any virtual patching capability. Trend Micro has a rule set that is timelier due to the strength of its research.

Application control: Sophos has basic application control that allows for the blocking of pre-determined applications by category or application name (blacklisting), but does not have an option to block all applications except those allowed (whitelisting). Sophos does not allow administrators to add their own applications like Trend Micro does.

Runtime: Various techniques are employed by Intercept X to provide runtime detection, including behavior monitoring (HIPS), real-time strategy (RTS), advanced anti-ransomware, Sophos® Cryptoguard®, Sophos® Wipeguard®, and others.

EDR: Sophos EDR only supports the Windows platform. When doing RCA, you can only search for known malicious objects. Investigative functions are very limited to a few options. There is also no option to use YARA, STIX, and TAXII. Only the detections known to Sophos are searchable. Endpoint activity data is stored locally on the endpoint and can be exported using a forensic snapshot feature. However, this is cumbersome as the endpoint needs to be online and analysis is done manually and outside of the console. Sophos was not included in the 2020 Forrester Wave™: Endpoint Detection and Response, due to the fact they did not participate in MITRE, resulting in fewer third-party proof points for consideration.

MDR: Sophos acquired all its MDR capabilities and threat experts through acquisition (DarkBytes and Rook Security), compared to Trend Micro’s in-house team of threat experts, all with deep understanding of threats and Trend Micro detection and response solutions. In January 2020, Sophos enhanced their MSP program, offering MDR capabilities to their MSPs, allowing them to provide fully managed threat hunting, detection and response services for Windows Server, macOS, and Linux, with flexible monthly billing.

Data protection: DLP available with pre-built or custom rules, similar to the capabilities of Trend Micro. However, they don’t have as many custom rules compared to the Trend Micro DLP offering.

Single agent: Sophos Intercept X Advanced with EDR is a single agent for endpoint protection and EDR. EDR functionality is not available in Intercept X, Intercept X Advanced, or Endpoint Protection.

Manageability and SaaS/on-premises deployment: To get the full features of EPP and EDR, it is recommended to use the SaaS version of Intercept X Advanced with EDR. The on-premises product, Central Endpoint, and the SaaS product are not equal in terms of features. Sophos does not support hybrid deployment.

APEX ONE VS. “NEXT-GEN” VENDORS


Apex One can take on “Next-Gen”:
Apex One is a strong contender against “next-gen” vendors, with its powerful blend of modern pre-execution and runtime threat detection techniques.

Differentiation:
Apex One stands out from the “next-gen” vendors with its unique virtual patching advantages, built-in data protection, SaaS, and on-premises options. Trend Micro complements its EDR capabilities with powerful cross-layered detection and response through XDR, and a Managed XDR service, which is not available from all competitors in this group.

Next-gen background:
Vendors in this category have typically started with a single capability (EDR for CrowdStrike® and Carbon Black, pre-execution machine learning for Cylance) and then expanded their capabilities.

Sales motion:
In enterprises, security response and security operations center (SOC) teams are frequently interested in finding a powerful EDR tool; CrowdStrike and Carbon Black often get to the table this way. Since Apex One covers a range of threat detection and EDR capabilities, it’s important to be in contact with the relevant (and potentially multiple) teams influencing the purchase and talk about going beyond EDR with XDR.

What do they say about us?
The vendors in this category love to say that their detection abilities surpass the likes of Trend Micro, and that our solutions rely on outdated signature-based detection of known threats. These claims are simply untrue. We haven’t relied on signatures in over 15 years, and our threat detection abilities are world-class, as proven by independent testing. In addition, we were first to the market with a true cross-layered detection and response solution with XDR for Users (endpoint and email), and will continue to innovate and build on our strong protection and detection and response capabilities with the launch of the broader XDR offering (which will also include network and servers/cloud).

They’re expensive:
Next-gen solutions are typically considerably more expensive than established vendors, yet are delivering similar value.

CROWDSTRIKE

Pre-execution: CrowdStrike® Falcon Prevent™ provides pre-execution machine learning, but only covers executable files. Trend Micro looks at all files, including documents that may contain malicious scripts. Trend Micro also leverages vastly larger sample training sets, which impact detection accuracy and false positive rates. CrowdStrike, along with Trend Micro, uses signatures to block known-bad files, but CrowdStrike’s use is limited to file hashes, compared to Trend Micro which can detect malware variations. When it comes to blocking connections to malicious sites, CrowdStrike has limited visibility into outbound connections, and no visibility on inbound, meaning all malicious communications (C&C and lateral movement) must be detected using real-time behavior, compared to Apex One which can additionally use web reputation at the kernel level to block outbound connections, stopping threats faster.

Virtual patching: CrowdStrike® used to promote Falcon Spotlight™, which only offered vulnerability assessment and not filtering or patching, but it no longer appears on their website. CrowdStrike must rely only on runtime behavioral techniques to block exploits. Trend Micro offers virtual patching to protect earlier and more effectively by blocking on arrival, and is supported by a strong team of vulnerability and threat researchers including the Trend Micro™ Zero Day Initiative™.

Application control: Provides a rudimentary way to manually whitelist or blacklist individual applications and hashes, but does not offer enterprise application control functionality. CrowdStrike argues App Control is too difficult to manage, which is true for their basic offering. Trend Micro™ App Control provides a flexible and automated solution to manage applications.

Runtime: They don’t have runtime machine learning to detect malicious behavior, but can sit beside Defender, which is suitable. Like Trend Micro has done for 10 years, CrowdStrike uses indicators of attack (IoA) behavioral blocking at runtime. This is done to determine whether the activity is legitimate or suspicious and to detect malicious scripts, which can be effective against fileless malware. CrowdStrike relies on EDR events in real-time to detect threats, but its automated threat detection capabilities are still growing. CrowdStrike doesn’t participate often in advanced tests, so effectiveness of rapid detection is hard to assess. CrowdStrike also relies on sending telemetry to their cloud and waiting for a decision; Trend Micro’s behavioral engine makes its decisions locally and much faster.

EDR: CrowdStrike has one of the most fully featured EDR offerings on the market, covering all operating systems, with a focus on enterprise and large enterprise. However, CrowdStrike’s support for macOS and Linux EDR detection capabilities is not on par with what they offer on Windows. These tools are favored by large SOC security teams, but can be complex for those with smaller and less technically savvy teams. If you purchase the solution at the default price, the data is only retained for seven days, which limits the ability to investigate attacks. Trend Micro retains data for 30 days in its SaaS EDR, and data retention time is unlimited on-premises. CrowdStrike has a few higher-end features for large SOC teams, including third-party threat feeds, slightly more telemetry (packet capture and memory dumps), and slightly more MITRE ATT&CK™ framework coverage. The majority of customers will be more than satisfied by Apex One EDR. Both CrowdStrike and Trend Micro provide a full range of sweeping and threat hunting capabilities. CrowdStrike’s detection and response is mainly focused on endpoints (which includes servers), with no in-house capabilities for network or email, compared to Trend Micro’s approach of true cross-layered detection and response.

MDR: CrowdStrike offers its Falcon Overwatch™ platform to leverage the sale of its complex EDR into less-staffed or less skilled organizations. Overwatch primarily provides services for endpoints only, although there is an integration with Lastline® to extend CrowdStrike’s MDR visibility to the network. OverWatch is also required to improve detections, which can cause delays in threat response and remediation. Trend Micro Managed XDR has visibility across a broader range of environments (including email and network).

Data protection: No DLP, but does provide basic USB device control. It’s possible to configure access to different types of USB devices, but not possible to restrict access based on the type of data. CrowdStrike also has no file repair or damage clean-up capabilities, compared to Trend Micro Apex One’s full ransomware rollback and file repair capabilities.

Single agent: CrowdStrike uses a single agent for EPP and EDR. However, the single agent does not provide the breadth of functionality that Trend Micro provides, because the product lacks some features like DLP, application control, and virtual patching.

Manageability and SaaS/on-premises deployment: SaaS only, no on-premises option. Trend Micro has SaaS or on-premises deployment options.

VMWARE® CARBON BLACK

Company Stability: Carbon Black was acquired by VMware in 2019; VMware created a new security business unit following the acquisition to help them reach a security buyer. This acquisition may cause a slowdown in investment in Cb as they try to achieve profitability. Trend Micro continues to have much more comprehensive solutions for endpoints and servers/cloud workloads.

Pre-execution: Cb Defense® does not do any pre-execution analysis; it relies on a behavioral analysis called Streaming Prevention in order to identify threats at runtime.

Virtual patching: No virtual patching, HIPS, or vulnerability protection. Trend Micro has virtual patching to protect earlier and more effectively by blocking on arrival. Carbon Black relies on runtime detection, which is riskier.

Application control: Powerful application control (Cb Protection®, formerly Bit9). Generally considered best in class, with a bit more functionality than Trend Micro. Announced they would discontinue Mac support for Cb Protection, meaning customers will no longer receive the same whitelisting capabilities for Mac endpoints. However, this is only an on-premises product and is managed on a separate console.

Runtime: Cb Defense combines signatures, reputation, and Streaming Prevention, which is a behavioral analysis technique to detect and prevent threats at runtime.

EDR: Cb Response® is a feature-rich EDR. It’s good in larger organizations that have more resources due to application programming interface (API) integration. Cb Response can feed many global threat intelligence resources. Carbon Black has a few higher-end features for large SOC teams, including third-party threat feeds, slightly more telemetry (packet capture and memory dumps), and slightly more MITRE ATT&CK framework coverage. The majority of customers will be more than satisfied by Apex One EDR.

MDR: MDR capabilities (ThreatSight) are only delivered by third-party partners and not directly from Carbon Black; Trend Micro operates its own MDR service and built its own MDR platform. Cb ThreatSight is limited to endpoint only, unlike Trend Micro, who can also support email, network, and cloud workloads, and therefore lacks correlated detection and visibility across the entire organization.

Data protection: No DLP, but does provide basic USB device control. It’s possible to configure access to different types of USB devices, but not possible to restrict access based on the type of data.

Single agent: Carbon Black uses a single agent and single console to deliver functionality from multiple licensed components.

Manageability and SaaS/on-premises deployment: Cb Defense is provided on SaaS, and Cb Response is provided on-premises. A substantial portion of Carbon Black’s installed base is still on the Cb Response and Cb Protection product lines, which do not include any EPP capabilities and are on-premises-only products. Carbon Black has recently transitioned its focus to selling and migrating customers to its cloud-based security platform, the Cb Predictive Security Cloud (PSC), which consolidates its multiple security capabilities in the cloud using one endpoint agent and console. PSC is still missing the EPP features listed earlier, and does not include Cb Protection (app whitelisting and device lockdown). Focus going forward will be on SaaS-only deployments.

BLACKBERRY® CYLANCE

Company Stability: Blackberry purchased Cylance in 2019 with plans to leverage security capabilities into their device management and IoT segments.

Pre-execution: Cylance relies heavily on pre-execution machine learning and a little on script analysis for protection. Cylance started with a heavy focus on pre-execution machine learning, and it’s still their main focus. While their agent is small and efficient, using machine learning for everything is more resource intensive than using other, more efficient techniques to detect known bad threats.

Virtual patching: No virtual patching, HIPS, or vulnerability protection. Trend Micro offers virtual patching to protect earlier and more effectively by blocking on arrival. Cylance depends on runtime exploit detection, which is riskier.

Application control: Application control is very rudimentary and only allows endpoints to be “locked” at a point in time, with whatever applications exist (an ongoing management challenge). No granular control of applications, whereas Trend Micro has a very comprehensive application control capability.

Runtime: Fairly limited versus Trend Micro. Uses memory exploit protection and script analysis to analyze at runtime and provide protection. No IoA behavioral detection capability, machine learning, or other runtime techniques.

EDR: CylanceOPTICS®—not comprehensive enough (basic rules). Viewed as weak on threat hunting by industry analysts, but they have made enhancements. As a result, Cylance packages EDR with their endpoint product at a competitive price to offset the shortcomings of CylanceOPTICS. Moving towards the automotive industry.

MDR: Cylance THREATZERO® is a managed prevention and response service offered by Cylance’s consulting group. Proficio is also offering MDR services that use Cylance. Cylance Guard is now part of Cylance.

Data protection: No DLP, but does provide basic USB device control. It’s possible to configure full access or block different types of USB devices, but not possible to restrict access based on the type of data.

Single agent: Cylance is a pluggable single agent, although Cylance lacks many protection capabilities. This means additional products and agents may be required to match the same level of protection provided by Apex One™. The agent doesn’t have big resource utilization, but the size of the agent on disk is very large.

Manageability and SaaS/on-premises deployment: SaaS is the main deployment model for very large enterprises. An extremely expensive appliance solution that also requires manual updates is available for air-gapped and industrial control systems (ICS)/supervisory control and data acquisition (SCADA) use cases, but this is not intended for customers interested in SaaS and on-premises parity.

APEX ONE VS. MICROSOFT


Apex One can take on Microsoft:
Apex One is a strong contender against Microsoft, with its powerful blend of modern pre-execution and runtime threat detection techniques. Relative to Microsoft, Apex One shines with its breadth of threat detection functionality, SaaS and on-premises deployment options, MDR service option, strong centralized management, competitive pricing, and high-quality support. Many of the advanced protection capabilities Microsoft offers are only available as part of the E5 offering, which is significantly more expensive than the more limited E3 offering, and this needs to be factored into any pricing comparisons. For a competitive security experience, ATP is a must-have and only available with an E5 license, which is more expensive than most EPP and EDR offerings. ATP does not have feature parity, or is not available, across older versions of Windows. Policy configuration and management is complex. Additionally, Microsoft still lacks a true central management console, meaning administrators have to patch together Group Policy Objects (GPOs), Microsoft® Intune®, and Microsoft System Center consoles to effectively manage security controls. In an attempt to consolidate the complicated management woes, Microsoft released Endpoint Manager, which combines the functionality, data, and actions of Microsoft Intune and Microsoft System Center Configuration Manager. However, licensing and policy management still remain an issue.

Differentiation:
Apex One stands out from Microsoft with its unique virtual patching advantages, centralized management, built-in data protection, and SaaS and on-premises options. Trend Micro complements its EDR capabilities with a powerful MDR service, not available from Microsoft.

Sales motion:
We can displace Microsoft by offering the best of both worlds: modern threat detection and EDR on par with “next-gen” solutions, as well as stability and long-term financial viability. Microsoft doesn’t offer any gateway email protection such as Trend Micro™ Hosted Email Security™ or Trend Micro™ InterScan™ Messaging Security. It lacks the effectiveness Trend Micro™ Cloud App Security for Office 365® delivers, and any protection for Microsoft® SharePoint®, Microsoft® Lync®, or the gateway. Smart Protection Suites with Apex One provide all of this functionality and more, at a competitive price point relative to Microsoft.

Microsoft background:
Microsoft provides an array of protection capabilities integrated into the operating system. However, currently, the full breadth of its capabilities is only available to customers running a homogeneous Windows 10 environment that have standardized on certain components such as the Microsoft® Edge® browser. In order to support these older operating systems, however, additional agents are required and not every feature of Windows Defender ATP is available on older operating systems. For instance, Windows Defender® Application Control (WDAC), Windows Defender® Application Guard (WDAG), Windows Information Protection® (WIP), and Windows Defender® Exploit Guard (WDEG) are not available on Windows 7 and 8.1.

MICROSOFT

Pre-execution: Adding Microsoft Defender ATP enables Windows® Defender® to utilize Microsoft Threat Intelligence and Advanced Analytics. Windows Defender alone doesn’t have a track record of effectiveness in malware protection. Apex One has a track record of consistent effectiveness in malware protection, as shown by independent testing organizations.

Virtual patching: Windows Defender Exploit Guard or WDEG (only available on Windows 10) provides generic protection capabilities to prevent exploits but does not protect against specific threats like Apex One does with its virtual patching capabilities. Microsoft does provide visibility of patching status, but does not provide protection specifically against exploits, outside of deploying specific patches. Apex One provides virtual patching, which gives users more rapid protection during outbreaks, ahead of regular Windows patching.

Application control: Windows Defender Application Control or WDAC (only available on Windows 10) provides whitelist enforcement functionality, but the management is painful. Has extensive system requirements, including Intune or GPOs to manage effectively.

Runtime: Provided by Windows Defender Antivirus, which uses multiple detection and prevention technologies to deliver protection.

EDR: Requires an E5 license to enable Windows Defender ATP, which is the component that provides EDR. Currently only available on Windows 10 and Windows Server, although support for older versions of Windows (7 and 8) is in public preview. Microsoft announced core EDR functionality for macOS in 2019.

MDR: Announced Microsoft Threat Experts—a managed service in Microsoft Defender Advanced Threat Protection—which provides targeted attack notifications and on-demand experts to investigate and consult. Not as fully featured as Trend Micro, as they don’t actively manage or investigate threats. No human sweeping the environments. You still manage it, but an expert is available to get advice from. You can get help from experts, but you do it yourself.

Data protection: No DLP. WIP (only available on Windows 10) provides information rights management (IRM) based on the location of data and not on the type of data or the transmission of that data.

Single agent: Built-in approach, no need to deploy additional agents to gain functionality.

Manageability and SaaS/on-premises deployment: Microsoft doesn’t offer an on-premises version of Windows Defender ATP. Customers don’t have the same flexibility they have with Trend Micro when it comes to deploying on-premises or SaaS.

XDR: Microsoft MTP is their version of XDR, which integrates with their own products as well as third party. Microsoft is in the position to offer very attractive data storage prices as they have the ability to undercut data storage costs.
Questions to Ask Customers:
• Is the competition participating in independent third-party testing? There are very few truly independent third-party labs for testing endpoint security technology (AVTest.org, AV-Comparatives, and MITRE are the only ones consistently referenced by industry analysts and other thought leaders). Other "third-party" tests are paid for by the vendor, so the vendor can dictate the terms of the testing and which specific features to look at versus the competitor(s). Some of the "next-gen" endpoint players are not participating in independent testing at all and enforce licensing restrictions that block third-party test labs.
• If already with Trend Micro, are you using the latest endpoint product release with our modern threat detection features enabled? With older releases of Trend Micro™ OfficeScan™, or with optional detection features disabled, protection will be less effective. Today's threat environment requires a multi-layered defense, including modern pre-execution and runtime detection.
• Will you need to learn and use security products from multiple vendors, with multiple management consoles, to get the security coverage you need? How will the management for those different products work? Will you have visibility across users' devices and multiple platforms for rapid response? How will you manage cloud and on-premises security?
• How are you tackling patch management or zero-day protection against vulnerabilities? How are you ensuring that network-based vulnerabilities that exploit a specific application are protected? Will virtual patching provide faster time to protection than other approaches? (yes!) Without virtual patching, would you be dependent on real-time exploit detection on the endpoint? (typically, yes!)
• How are you detecting threats and malware that get inside your network? Does your endpoint product look for command and control traffic or detect lateral movement from one system to another? Does your endpoint integrate with internal network breach detection technology and investigation and forensic capabilities?
• How are you providing data protection for your organization? How are you protecting against users sharing confidential information with DLP (via all the channels used today, such as email, cloud storage, instant messaging, USB, mobile devices, and web)? Are there compliance regulations to enforce?
• What is the competition's customer service and support coverage model? Does the vendor have 24/7 coverage and local people in your region to provide the best account and technical support for your critical security infrastructure?

Remember to:
• Use the Gartner Endpoint Magic Quadrant and The Forrester Wave™ for Endpoint Security Suites and Enterprise Detection and Response to demonstrate our extensive advanced protection capabilities. These reports are available on Sales Library and our Partner Portal.
• Ensure existing customers are aware of our latest product capabilities (including runtime detection, machine learning, EDR, MDR, XDR, and SaaS).
• Show the latest NSS Labs Advanced Endpoint Protection Report and AV-TEST (independent testing) results that demonstrate we are the best at stopping the very latest threats.
• Tell our Connected Threat Defense story: how customers can use and connect breach detection, sandboxing, and email and web gateways with the endpoint to automatically protect with real-time local signatures for zero-day threats.

The Apex One Advantage

Automated detection and response:
Apex One is built upon the XGen™ security techniques, a cross-generational blend of threat defense functionality that intelligently applies the right technology at the right time. The product includes the industry's most timely virtual patching capabilities, powered by the Trend Micro Zero Day Initiative, along with a range of modern technologies to detect and block advanced attacks, including fileless threats.

Actionable insights:
Apex One introduces expanded detection and response capabilities. It also connects to the Trend Micro MDR service option, which boosts in-house teams with threat hunting and alert monitoring.

All-in-one:
Apex One™ offers a breadth of industry-leading capabilities from a single user agent. Apex One offers powerful EDR with automated detection and response tools, simplifying deployment and eliminating silos.

©2020 Trend Micro Incorporated and/or its affiliates. All rights reserved. Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro and/or its affiliates in the U.S. and other countries. Third-party trademarks mentioned are the property of their respective owners. For more information, visit www.trendmicro.com.
[BC05_Apex_One_Battlecard_200330US]
