Trellix Endpoint Security Solution

Training 

1
What is Trellix Endpoint Security (ENS)?

Trellix Endpoint Security(ENS) is a flexible, unified solution that protects devices

and endpoints at the network edge, empowering your
organization to address complex, distributed security issues
thoroughly, efficiently, and quickly.

Trellix ENS uses analytics and machine learning to achieve

industry-leading effectiveness, continuously learning and evolving to protect your changing
business needs in a dynamic threat landscape.

2
Why Trellix Endpoint Security?
Aligns security with your
top priorities…
Regardless of your role,
Trellix Endpoint Security
aligns to your specific
critical needs—from
preventing threats and hunting
them, to tailoring
security controls
3
Ensures uptime
and visibility…
You gain the ability
to respond to and manage the
threat defense lifecycle with
proactive defenses
and remediation tools,
including returning systems to
a healthy state to keep users
and admins productive
Improves protection
against threats…
Trellix ENS collaborates and
accelerates
the identification
of suspicious
behaviors, facilitates better
coordination
of defenses,
and provides better protection
against targeted attacks
and zero-day threats
Why Organizations Need Trellix Endpoint Security

Before Scenarios
• Analysts are overwhelmed by alerts, security tools, and attack complexities
• Increased attack complexity equals manual processes and delayed responses
• Multiple endpoint protection tools utilized in an organization with numerous devices

Negative Consequences
• Higher exposure to data breaches
• Longer response times = more damage
• Lack of resources to investigate incidents.
• Disconnected environment leading to lack of visibility

4
Trellix Endpoint Security: What differentiates the solution?
Visibility
Offers greater visibility,
and true centralized management
using
Trellix ePO
Story graph shows
security admins pain points for
immediate remediation
5
Accuracy Sustainability
Provides dynamic analysis Removes the complexity of duplicate
of behaviors and threats, technologies, connects other
not simply signatures solutions,
and enables more defenses to
Offers unique capabilities communicate using our endpoint
to unmask and security framework
contain threats
Reduces protection gaps with
to thwart infection spread seamless integration between Trellix
and third-party products
Endpoint Threat Defense

How various ENS Modules work

together to protect endpoints.

6
Endpoint Security Platform
A framework to simplify today, built with the future in mind

Security Management & Threat Intel

Management Agent Client UI

Threat Firewall Web Control Adaptive Threat Endpoint

Prevention Protection Detection &
Response

Common Components Kernel Mode Drivers

Logger, Scheduler, GTI, etc. Network, File, Access Control, etc.

7
Endpoint Security Platform
• Threat Prevention
– OAS, ODS, Exploit Prevention, Endpoint
and Access Protection Detection
Response
• Firewall
– Monitors network and Internet traffic
Web
• Web Control Control
Firewall
– Web filtering and browser protection
• Adaptive Threat Protection
– Application Containment, Machine Learning Analysis, Advanced
Behavior Blocking, Credential Theft Prevention
Trellix
• Endpoint Detection & Response ePO™
– Trace and Alert on suspicious activity Threat Adaptive
Prevention Threat
– Hunt on all endpoints and take actions immediately Protection
• Threat Intel
– Operationalizes shared intelligence across endpoints
– 1500+ campaigns & threat profiles with prevalence

8
 ExP:Illegal API Use was detected as an attempt to exploit C:\WINDOWS\
SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE,
which targeted the SetEnvironmentVariableW API. It wasn't blocked
because Exploit Prevention was set to Report Only.

Actionable, real-time threat intelligence

• More details on attack sources

and destinations
• Delivers actionable intelligence explained in
simple language
• Available via the client UI and Trellix ePO™

9
What Types of Threat Forensics are Available?
Machine Target Source Threat Data Additional
Host Name Ipv4 Address Parent Process Signed Ipv4 Address File Path Event ID Cleanable
Ipv6 Address Ipv6 Address Parent Process Signer Ipv6 Address File Size Severity Task Name
Ipv4 Address Port Name Port Hash Name API Name
Mac URL Path URL Signed Type First Attempted Action
Location Share Name File Size Action Taken Second Attempted Action
Share Name Signer
Mac Modify Time Handled First Action Status
Mac Modify Time
Protocol Access Time Detected On Create Second Action Status
User Name Access Time Impact Event ID Description
Detection Feature User Name Create Time
Process Name Create Time
Process Name Device Display Name Event ID Natural Language
Name Hash Serial Number Parent Process Name Device Serial Number Description
Version Signed Device VID Duration Before Detection
Parent Process
Content Version Signer Device PID Device VID
Hash Attack Vector Type
Description
Content Creation Date Parent Process Signed Source Description Direction
Rule ID Parent Process Signer ICMP Type
Rule Name Firewall Event Type
Reg Info Throttled Event Count
GTI Query
Name
Defend against file-less threats with Powershell and
script-based attack data*
10 *Windows 10, 11, Server 2016, 2019, 2022 environments
Supported by Global Threat Intelligence
• Arms endpoints with global insights, plus more volume and intelligence than anyone else

• 1B+ global threat sensors in over 120 countries

• 54B+ queries/day
• 18K+ new threats identified hourly
• 838M+ samples in the malware zoo
• 100M+ sensors training machine learning models
• 500+ researchers

We see more, we protect more, and we offer the market’s

strongest global threat intelligence
11
Trellix Endpoint Security

Endpoint Threat Prevention

Allow-listing (Hash + Cert)
Trellix Insights Adaptive Threat Trellix EDR
Proactive, Actionable Defense Detect, Investigate,
File Reputation Security Analytics Respond

Global Threat Intelligence

Threat Intelligence Exchange > ATD

Static Machine Learning Web Control

Pre-execution Firewall

Post-execution Dynamic Machine

Learning
TRELLIX
ENDPOINT
Enhanced SECURITY
Remediation

EDR Advanced Threat

Detection

Threat
Intelligence

12 Trellix | Always Learning. Always Adapting.

Endpoint Security Platform / Threat Prevention
Protect
• Access Protection: Protect against
unwanted changes on files, shares,
registry, process or services.
• Exploit Prevention
• Buffer Overflow Protection
• Illegal API Use
• Network Exploit
• Expert Rules
• Command Line Interface: Run
full, quick or custom scan or content
update.
13
Detect
• Reputation Lookup (GTI)
• On-Access Scan: Scan for threats
on files and command lines via the
Antimalware Script Interface (AMSI)
• On-Demand Scan: Run scheduled
predefined scans.
• Potentially Unwanted
Programs: Such as Spyware,
adware, Hacking tools, etc.
• Quarantine: Always keep a copy in
quarantine.
• Early Launch Anti-Malware:
Supports ELAM on Windows 8 and
later releases.
Correct
• Actions: Clean or Repair, Delete,
Deny/Allow Access.
• Alerts: Notify admin and/or users.
• Scheduled scans: Use shared cache
for best performance.
• Content repositories: Distributed
repositories or use peer-to-peer
protocol.
• Log files: Standardized formatted
logs
• Dashboards and monitors:
Review alerts and actions taken.
Endpoint Security Platform / Firewall
Protect
• Rules: Block or Allow incoming
and/or outgoing traffic.
• Rule groups: Organize rules per
group then define options for the
group.
• Stateful packet filtering and
inspection: Allow only packets that
match a known open connection.
• Process Containment: Block all
traffic from unknown processes.
14
Detect
• Reputation Lookup (GTI):
Block incoming and/or outcoming
traffic on known malicious IPs.
• Connection Aware Group: Based
on the connection context detects the
location, then use the corresponding
rule group.
• Log as Threat Event: If the Rule
match then reports it as a Threat
event.
• Alerts: Reports blocked traffic based
on process or network reputation.
Correct
• Adaptive mode: Create rules to
allow current legitimate activity.
• Defined networks: Use defined
network objects in rules.
• Trusted executables: Use trusted
executables to reduce false positive.
• Object Catalog: Define and use
objects in multiple policies.
• Client options: Allow users to
disable the firewall temporarily.
• Log files: Standardized formatted
logs
Endpoint Security Platform / Web Control
Protect
• Block & Allow list: Prevent or
allow users accessing URLs or
domains.
• Rating Actions & Web
Category Blocking: Use safety
ratings and web categories to control
user access to sites, pages &
downloads.
• Secure Search: Remove risky site
in search results.
• Self protection: Prevent users from
disabling the plug-in.
15
Detect
• Web Control button in browser
window: The button color indicates
the rating of the site.
• Web Control icon on search
results pages: A colored icon
appears next to each listed site.
• Site reports: Details how the safety
rating was calculated.
• Dashboards and monitors:
Displays visits and downloads from
sites by rating.
Correct
• Contextual Auto-activation:
Auto-disable when corporate proxy is
detected.
• Pre Scan of downloads: Start
scan while the file is downloading.
• Exclusions: Exclude specific IP
addresses.
• Log files: Standardized formatted
logs
• Dashboards and monitors:
Review alerts and actions taken.
Endpoint Security Platform / Adaptive Threat Prevention
Protect
• On-Execute Scan: Block processes
based on dynamic reputation.
• Deny List: Override reputation
based on custom level set in Threat
Intelligence Exchange.
• Dynamic Application
Containment: Block defined
actions based on process reputation or
DLLs that downgrade its reputation.
• Credential Theft Protection:
Block attacks against Local Security
Authority Subsystem Service
(LSASS).
16
Detect
• Advanced Behavior Blocking
rules: Detect bad behavior based on
processes chain and context, then set
the reputation accordingly.
• RealProtect scanning: Detect
unknown malware based on ML
models.
• Enhanced Script scanning:
Detect unknown file-less attacks
based on ML models
• Learn from unknown: If a file is
observed for the first time by TIE,
ATP can send it to a sandbox for
automatic analysis.
Correct
• Actions: Block new process or
Clean current processes based on
reputation threshold.
• Enhanced Remediation: roll-
back actions taken by unknown
process convicted malicious.
• Allow List: Override reputation
based on custom level set in Threat
Intelligence Exchange.
• ABB Rules: security content
monthly updated
• Log files: Standardized formatted
logs
• Dashboards and monitors:
Review alerts and actions taken.
Endpoint Security Platform / Endpoint Detection & Response
Detect
• Continuous real-time
monitoring: Information from
devices is sent to the cloud providing
the context and visibility to uncover
threats.
• Cloud-based analytics: Analytic
engines inspect device activity to
uncover a broad spectrum of
suspicious behavior and detect threats.
• MITRE ATT&CK mapping:
Behavior-based detection results map
to the framework.
• Flexible data display: Toggle
between tree, graph or table views in
the same screen.
17
Investigate
• AI Guided Investigation:
Explore many hypotheses in parallel
for maximum speed and accuracy.
• Broad data collection and local
relevancy: Gathers data from
devices or the SIEM.
• Search: Through Historical cloud
data collected from all monitored
systems or in Real-time to quickly
query for up-to-the-moment
information from connected devices.
• On-demand data collection:
Take a snapshot of a device on-
demand for enrichment.
Remediate
• Contains threats: Quarantine
devices or kill processes, logoff users,
shutdown or reboot the system.
• Remediate threats: Remove a
threat remotely or delete artifacts such
as process, folder, file, registry value,
or content permanently
• Dismiss threats: Based on the
investigation, you can dismiss a
particular threat.
• Exclude threats: Exclude a
particular threat based on SHA-256,
File path or the Command Line.
Use Cases

18
Use Case – University
A University in Netherlands, serves more than 30.000 students annually and is ranked 47 on the Academic Ranking of World
Universities. With extensive experience managing endpoint security, the University’s IT Administrator oversees endpoint
infrastructure decisions and implementation. The IT team is always looking
to improve protection as well as reduce costs and improve efficiency within the university’s infrastructure.

Before Scenarios
• “Ransomware isn’t just a problem for companies. We wanted to upgrade from yesterday’s technology to more
current technology that incorporates more than signature-based
malware detection.”
• The IT team was looking for a stable environment that enables users to be as productive
as possible, while minimizing administrative overhead for information security

Negative Consequences
• “We used to see ransomware in waves—weeks with nothing and then a week with several.”
• The small security team wanted to have better protection with less time spent on remediation.

19
Use Case – Positive Business Outcomes
A University in Netherlands, serves more than 30.000 students annually and is ranked 47 on the Academic Ranking of World
Universities. With extensive experience managing endpoint security, the University’s IT Administrator oversees endpoint
infrastructure decisions and implementation. The IT team is always looking
to improve protection as well as reduce costs and improve efficiency within the university’s infrastructure.

More Robust Protection from the Start

Allowing End Users to Stay Productive

Easier Security Administration

Reduced Complexity
20
Use Case – How Trellix Does it Better
A University in Netherlands, serves more than 30.000 students annually and is ranked 47 on the Academic Ranking of World
Universities. With extensive experience managing endpoint security, the University’s IT Administrator oversees endpoint
infrastructure decisions and implementation. The IT team is always looking
to improve protection as well as reduce costs and improve efficiency within the university’s infrastructure.

How we do it: How we do better:

Deliver a truly proactive endpoint security with Improved protection against advanced and zero-day
Trellix Endpoint Security threats

Provide unified management with a single console to
manage Trellix advanced
defenses with simplified policies using
Trellix ePO
Simply… we enable analysts to do more
Blocked ransomware within the environment
Reduced time from encounter to containment
Repaired the endpoint to the last known good state to
immediately prevent infection with rollback
remediation

21
 Thank you

22