Migrate from Deep Security to Trend Vision One Endpoint Security - Server & Workload Protection

Deep Security administrators preparing to migrate their deployment to Trend Vision One Endpoint Security - Server & Workload Protection can use the instructions in this article as a roadmap to a migration.

Your environment must be on Deep Security Manager 20.0.513 (20 LTS Update 2021-10-14) or later.

In general, the order of operations for a successful migration is as follows:

1. Configure Trend Vision One Endpoint Security - Server & Workload Protection
2. Create an API key
3. Find the region of Trend Vision One Endpoint Security - Server & Workload Protection
4. Prepare a link to Trend Vision One Endpoint Security - Server & Workload Protection
5. Migrate policies
6. Migrate common objects
7. Migrate cloud accounts
8. Migrate agents
9. Migrate other Deep Security settings
10. Configure network and communication settings

Configure Trend Vision One Endpoint Security - Server & Workload Protection

In addition to having a Trend Vision One account, you need to perform the following:

• Update Trend Vision One to the Foundation Services release
• Provision a new Trend Vision One Endpoint Security - Server & Workload Protection instance

Create an API key

You can create an API key as follows:

1. Log in to Trend Vision One.
2. Navigate to Endpoint Security Operations > Server & Workload Protection.
3. Go to Administration > User Management > API Keys and create a new API key with the role Deep Security Migration.
   The Deep Security Migration role is preconfigured and managed by Trend Vision One Endpoint Security - Server & Workload Protection with rights to perform migration of agents and policies. Note that the associated rights may change in the future, as additional migration features are implemented.
4. Save the key for later use.

Determine the region of Trend Vision One Endpoint Security - Server & Workload Protection

To determine the region, you may use ACTIVATIONURL in the deployment scripts, as follows:

1. Navigate to Administration > Updates > Software > Local.
2. Select a software package and click Generate Deployment Scripts.
3. In the Deployment Scripts dialog, check ACTIVATIONURL. The following is the activation URL to region mapping:
   

   ACTIVATION URL	REGION
   dsm://agents.workload.jp-1.cloudone.trendmicro.com:443	JP-1
   dsm://agents.workload.in-1.cloudone.trendmicro.com:443	IN-1
   dsm://agents.workload.gb-1.cloudone.trendmicro.com:443	GB-1
   dsm://agents.workload.ca-1.cloudone.trendmicro.com:443	CA-1
   dsm://agents.workload.sg-1.cloudone.trendmicro.com:443	SG-1
   dsm://agents.workload.au-1.cloudone.trendmicro.com:443	AU-1
   dsm://agents.workload.de-1.cloudone.trendmicro.com:443	DE-1
   dsm://agents.deepsecurity.trendmicro.com:443	US-1

Prepare a link to Trend Vision One Endpoint Security - Server & Workload Protection

The role permission Allow management of Trend Vision One Endpoint Security must be assigned for users to manage Trend Vision One Endpoint Security - Server & Workload Protection Link.

1. In the Deep Security Manager console, select Support > Migrate to Trend Vision One Endpoint Security.
2. Complete the Link to Trend Vision One Endpoint Security Account dialog:
   1. Enter the API key that you created in the previous section.
   2. Select the region where your Trend Vision One Endpoint Security - Server & Workload Protection account is located.
   3. Click Save.

   If you previously set up a connection between Deep Security and Trend Vision One Endpoint Security - Server & Workload Protection and want to change the link, ensure that all migration-related tasks using the previous connection are completed before changing the link. Otherwise, you may experience unexpected behavior.

   Each Deep Security Manager tenant allows only one Trend Vision One Endpoint Security - Server & Workload Protection link.

   During the Trend Vision One Endpoint Security - Server & Workload Protection Link creation, Deep Security Manager connects to Trend Vision One Endpoint Security - Server & Workload Protection to authenticate the link and retrieve information. If the Deep Security Manager installation requires a proxy to connect to Trend Vision One Endpoint Security - Server & Workload Protection, configure the proxy for Trend Vision One Endpoint Security - Server & Workload Protection.

The Migrate to Trend Vision One Endpoint Security page appears with the Migrate Configurations tab selected.

The role permission Allow migration to Trend Vision One Endpoint Security must be assigned for users to be able to process all the migration tasks.

Next, migrate your policies to Trend Vision One Endpoint Security - Server & Workload Protection.

Migrate other Deep Security settings

Migrate the following artifacts if you are using them in your Deep Security environment:

• VMware connector and data center gateway
• Computer groups and smart folders
• Proxy configuration
• Event and alert logging
• Additional configuration

VMware connector and data center gateway

Virtual machines running in a VMware environment can have agents deployed and activated to the Trend Vision One Endpoint Security - Server & Workload Protection service the same as any other workload. If you want to connect to a VMware vCenter to retrieve a VM inventory, Trend Vision One Endpoint Security - Server & Workload Protection needs to communicate with vCenter. This is done through the data center gateway. For instructions on setting up the data and importing the vCenter inventory, see Add a VMware vCenter to Trend Vision One Endpoint Security - Server & Workload Protection.

Computer groups and smart folders

Computer groups and smart folders do not yet have a direct migration method. Deep Security and Trend Vision One Endpoint Security - Server & Workload Protection have APIs for listing and creating computer groups, so migration of large numbers of groups could be automated by scripting the appropriate API calls.

Proxy configuration

Currently, there is no method for automatically migrating proxy configurations from Deep Security to Trend Vision One Endpoint Security - Server & Workload Protection. You can manually configure proxy configurations for agent communications in Trend Vision One Endpoint Security - Server & Workload Protection according to the instructions in Configure proxies.

You do not need to configure a proxy for the manager because it is part of the Trend Vision One Endpoint Security - Server & Workload Protection service and is maintained by Trend Micro.

Event and alert logging

A major difference between Deep Security and Trend Vision One Endpoint Security - Server & Workload Protection is the retention of event and alert data within the manager. Trend Vision One Endpoint Security - Server & Workload Protection retains security events for 4 weeks and system events for 13 weeks. If you need to retain events longer, Trend Micro recommends exporting events to a SIEM or log server.

If event logging is already used, some changes to the infrastructure of how alerts and events are received might be necessary. In a traditional on-premises deployment where Deep Security Manager sends all alerts and events via syslog to a local syslog server, that syslog server may not be directly accessible from Trend Vision One Endpoint Security - Server & Workload Protection. Consider the following alternatives:

• Create a new syslog server that is accessible from the Trend Vision One Endpoint Security - Server & Workload Protection service by following instructions provided in Forward Trend Vision One Endpoint Security - Server & Workload Protection events to a Syslog or SIEM server.
• Configure agents to send events directly to a local syslog server rather than through the manager. Note that to use TLS encryption with syslog, events must be forwarded from the Trend Vision One Endpoint Security - Server & Workload Protection service; agents do not currently support TLS encryption of syslog events.
• Use Amazon SNS as an alternative to syslog. See Set up Amazon SNS.

Additional configuration

Configuration of other items such as system settings, reports, event-based and scheduled tasks, tags, version controls, and API keys is not currently part of an automated migration feature. They can be recreated manually in Trend Vision One Endpoint Security - Server & Workload Protection. Many of these items are configurable in both the Deep Security and Trend Vision One Endpoint Security - Server & Workload Protection APIs and could be automated.

Some system settings may not be supported or applicable when migrating from Deep Security to Trend Vision One Endpoint Security - Server & Workload Protection, and caution is advised when automating the migration of these settings via API calls. Contact Trend Micro support for guidance on these settings.

Configure network and communication settings

Evaluate the following artifacts:

• Required ports, protocols, and URLs
• Proxy configuration
• Bandwidth utilization
• Relay configuration

Required ports, protocols, and URLs

Network communication between the Deep Security Agent and Trend Vision One Endpoint Security - Server & Workload Protection is different from the communication between the agent and Deep Security Manager. Several URLs must be specifically allowed in environments where outbound internet access is restricted. For a full list, see Port numbers, URLs, and IP addresses.

Proxy configuration

For information about the configuration of proxies for agent communication to the Trend Vision One Endpoint Security - Server & Workload Protection service, see Configure proxies.

SOCKS4 and SOCKS5 proxies are not supported for agent communications. If you need to use a proxy for agent communication, implement an HTTP proxy before agents are activated to the Trend Vision One Endpoint Security - Server & Workload Protection service.

Bandwidth utilization

When considering network planning for deployment of the Deep Security Agent, consider the overall life cycle of the agent, both for agent download and activation, as well as for ongoing operations and security pattern updates.

Existing Deep Security Agents do not need to be reinstalled, they only need to be reactivated to the Trend Vision One Endpoint Security - Server & Workload Protection service. New deployments done via activation script can expect the following bandwidth usage:

• Agent download and activation: 5 MB on Linux; 25 MB on Windows
• Download of initial security update: 50 MB Linux; 102 MB Windows

Ongoing agent traffic is highly variable, depending on detection activity, policy configuration, and module usage. Expect a baseline usage for administrative traffic similar to the following guidelines:

• Security Updates (1x daily, Smart Scan on): 60 MB
• Security Updates (1x daily, Smart Scan off): 120 MB
• Heartbeat overhead: 40 KB per heartbeat. Default interval is 10 minutes; ~5.7 MB daily per agent

For more information about Smart Scan, see Smart Protection in Trend Vision One Endpoint Security - Server & Workload Protection.

Beyond baseline traffic, any detections result in additional bandwidth consumption as agents communicate with the Trend Vision One Endpoint Security - Server & Workload Protection and Vision One services. This is difficult to predict, but expect usage in a range of 0.1 MB per hour per agent for a low quantity of detections and up to 3 MB per hour per agent for elevated detection rates.

Relay configuration

In most cases, the relays provided by the Trend Vision One Endpoint Security - Server & Workload Protection service are sufficient. In some scenarios operations may be improved using relays. For details, see How relays work and Deploy additional relays.

Migrate using the Deep Security and Trend Vision One Endpoint Security - Server & Workload Protection APIs

You can use Deep Security Manager and Trend Vision One Endpoint Security - Server & Workload Protection UI to perform migration. If you prefer to use the API:

• Read further for general requirements and tips.
• Create an API key, then use the API documentation to create a Trend Vision One Endpoint Security - Server & Workload Protection Link.
• Refer to the Deep Security API documentation for information on the following:
  • Migrating a policy
  • Migrating an agent
  • Migrating common objects
  • Migrating AWS connectors
• To check the policy migration status, use an HTTP GET call to retrieve the status from /policymigrationtasks/{taskID}. For details, see Automation Center.

Artifacts that are not currently supported via in-product migration features can generally be migrated using a combination of Deep Security and Trend Vision One Endpoint Security - Server & Workload Protection APIs to read the pertinent setting or object from a Deep Security deployment and write it to a Trend Vision One Endpoint Security - Server & Workload Protection account.

Some artifacts are not available in the current API but are accessible via the legacy REST and SOAP APIs, and some features exist in Deep Security only and are not supported for migration.

The following is not supported in Trend Vision One Endpoint Security - Server & Workload Protection:

• Deep Security multi-tenancy settings, as per the /tenants API. Multiple account management in Trend Cloud One supersedes traditional on-premises multi-tenancy and these settings are not applicable in Trend Vision One Endpoint Security - Server & Workload Protection.
• Agentless protection for VMware environments.

The following legacy REST API are not in the current API:

• Status monitoring
• SAML configuration
• Proxy configuration, control, and assignment
• Event retrieval

The following SOAP API are not in the current API:

• Proxy configuration, control, and assignment
• Event retrieval
• Actions (update agent, run scans, and so on)
• Rule configurations