reviewer2286210 - PeerSpot reviewer
Chief Technology Officer at a hospitality company with 5,001-10,000 employees
Real User
Top 10
Has built-in AI, a single pane of glass, and centralized visibility
Pros and Cons
  • "We are very impressed with the single pane of glass visibility that Trend Micro XDR provides."
  • "I think that continued optimization of the environment towards automation and orchestration, a kind of layer that sits underneath all of the technologies, would be extremely important."

What is our primary use case?

We use Trend Micro XDR for rapid response to end-user computing and security concerns.

As a health system, one of our core challenges is ensuring full visibility into our attack surface. We have many thousands of endpoints and end users that must be properly secured and protected. Our primary use case was to improve visibility and response time, and reduce complexity. That is why we chose Trend Micro XDR.

Trend Micro XDR is deployed on Trend Micro's private cloud.

How has it helped my organization?

We are using Trend Micro XDR on our endpoint and server infrastructure. The coverage is extremely important to our organization.

Trend Micro XDR provides us with centralized visibility and management across protection layers.

The centralized visibility and management across protection layers have helped our efficiency. The most significant advantage is that we used to manage these platforms with three or even five engineers, and now we're managing them with one.

It is extremely important to us that we can drill down from the executive dashboards into XDR detections. This provides us with the single pane of glass view that I mentioned previously. Being able to see at a high level that there may be systems that are behind on patch levels or need additional service or support, and then being able to drill down specifically to an individual machine, which may be unique in our environment, is very helpful.

We use the risk index to evaluate ourselves holistically, including our performance against best practices and security, as well as our performance against other healthcare systems around the world. This allows us to identify areas where we may have vulnerabilities or where we are particularly strong so that we can focus on improving in the areas where we need to.

Trend Micro XDR has helped us improve our resource utilization through automation, reducing manual effort and enabling faster response times. In under a week, we had tuned our environment to perform optimally.

Trend Micro's Managed XDR service has significantly reduced our team's workload by nearly 50 percent, providing a big improvement in our overall threat intelligence and endpoint security.

The Managed XDR service has enabled our team to work on other tasks. This additional availability for our staff has allowed us to reduce our need for contractors. If we are overburdened, we will hire contractors to assist in other areas of the business. However, because we have become more efficient, I have been able to hire some of those contractors and reduce the burden of contract labor.

Attack surface work management capabilities have been extremely valuable. The user and identity services provided by CREM help us to focus on and improve visibility into end-user behavior, including that of endpoints such as laptops and desktops, the network, cloud infrastructure, and applications.

The ability to detect our blind spots has significantly improved our security posture. Seeing everything clearly in a single, easy-to-understand dashboard allows us to allocate our resources directly to where they are needed most, enabling us to respond faster.

The biggest advantage of Trend Micro XDR is that it has helped decrease our time to detect and respond to threats by around 50 percent.

Trend Micro XDR has helped reduce the amount of time we spend investigating false positive alerts by 60 percent.

Trend Micro XDR's automation capabilities save us around ten hours per week.

What is most valuable?

We are very impressed with the single pane of glass visibility that Trend Micro XDR provides. It allows us to work from a single console instead of having to use four or five separate tools to maintain the same level of security. This is extremely helpful.

The manageability and artificial intelligence built into Trend Micro XDR are extremely helpful.

What needs improvement?

I've seen a lot of improvement in just the year that we've been with Trend Micro. However, I think that continued optimization of the environment towards automation and orchestration, a kind of layer that sits underneath all of the technologies, would be extremely important. When we look at the speed and sophistication of attacks today, such as ransomware, malware, and cyber threats, we need tools and technologies that can react faster. So, I think integration with automation, orchestration, and artificial intelligence will help tremendously.

Buyer's Guide
Trend Vision One
August 2025
Learn what your peers think about Trend Vision One. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
867,497 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Trend Micro XDR for one year.

What do I think about the stability of the solution?

Trend Micro XDR is remarkably stable.

What do I think about the scalability of the solution?

Considering our growth rate of nearly 30 percent per year, Trend Micro XDR is scalable enough to keep up, so we have no concerns.

How are customer service and support?

Technical support is exceptional. They are extremely engaged and supportive of everything we have needed.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used Sophos but switched to Trend Micro because of its enhanced capabilities.

How was the initial setup?

The initial deployment was straightforward. The deployment took between one and two weeks to complete. 

Moving between security tools requires an analysis of the existing environment to understand the current configuration, rulesets, and architecture. This analysis is quickly followed by implementation to improve the security posture and validation to ensure that the infrastructure is not only properly protected, but better protected than before.

Three people were required for the deployment.

What was our ROI?

We have been able to reduce some labor costs and use our resources more efficiently. These savings of hours per week are definitely a return on investment.

What's my experience with pricing, setup cost, and licensing?

The solution is fairly priced.

What other advice do I have?

I would rate Trend Micro XDR ten out of ten. The solution works extremely well for us. In a healthcare environment, the types of data and the sheer size of the attack surface are somewhat extraordinary. Having the enhanced capabilities of the Trend Micro toolset has been very important to us, and I strongly recommend it.

We have 11,000 users, five acute care hospitals, and around 80 clinics.

Two people are required to maintain Trend Micro XDR for the investigation of threats and incidents. When threat intelligence comes in from Trend Micro or we receive an alert, we validate or respond to it. A lot of this process has been automated, which has helped tremendously.

I strongly recommend Trend Micro XDR and advise doing a proof of concept against any current tool on the market, as it works extremely well and a POC can clearly demonstrate this in a short period of time.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Alexander Lung - PeerSpot reviewer
Lead Infrastructure Analyst at a computer software company with 201-500 employees
Real User
Top 20
Worldwide Protection of the Entire IT Infrastructure with Just One Central Platform
Pros and Cons
  • "Trend Vision One gives us better visibility to detect and respond to threats because we can now see more than ever before."
  • "The only drawback is the usual subscription model - unfortunately, prices tend to move upward."

What is our primary use case?

Our main goal with Trend Vision One is to ensure comprehensive security coverage for all our devices and clients worldwide. We're concerned with far more than just traditional antivirus protection. With this solution, I can now see in detail which software updates have already been installed and which security vulnerabilities still exist. The comprehensive reporting and intelligent protective measures give me significantly more control than before. We can now cover all servers uniformly and completely, which is something that wasn’t possible with our previous solution at this level of quality.

What is most valuable?

The dashboard is the heart of Trend Vision One for me. What I particularly appreciate is the flexibility: each colleague can create their own dashboard, and I still maintain an overview of the big picture. This granular way of working while maintaining a holistic view motivates me to engage with the tool.

The cloud-based architecture offers considerable advantages over local, individual solutions. Previously, I had to manage patching across various Trend Micro systems manually - now, that’s centrally handled. However, I need to be cautious that updates aren't rolled out too quickly, which could impact notebooks or servers.

The global overview has definitely helped me a lot. The only drawback is the usual subscription model - unfortunately, prices tend to move upward.

Since I've been working with Trend Micro for over 20 years, we’ve been able to consolidate our security landscape and source everything from one vendor, rather than juggling multiple providers.

Trend Vision One gives us better visibility to detect and respond to threats because we can now see more than ever before. We've always made every effort to receive notifications quickly so we could act immediately. Now, I have a much clearer, centralized platform where I can manage all incidents in a structured way.

Interestingly, Trend Vision One shows us more error messages than before, not because more problems are occurring, but because I can now see them for the first time and address them systematically.

Trend Vision One helps us reduce our overall cyber risk. I've always had good experiences with Trend Micro. It gives me the confidence to recognize well-protected areas and uncover vulnerabilities that need attention. Even though I've achieved a good security level, I can't afford to relax. For security audits, the solution helps us demonstrate compliance with certain standards.

Regarding AI integration, I can't make a final judgment yet. AI has both advantages and disadvantages, and attackers are increasingly using it too. However, I believe that AI will become indispensable in security platforms.

What needs improvement?

The expansion of Phish Insight would be desirable, especially for employee training. Also, in the MDM area for mobile devices, not all functions are available that I know from on-premise or other cloud variants. There's still development potential there.

For how long have I used the solution?

We began implementing the current Trend Vision One solution in June 2024. However, Trend Micro has been our vendor for about ten years.

What do I think about the stability of the solution?

I'm very satisfied with the stability. I haven't experienced any direct outages so far. Occasionally, there were connection problems with individual clients, but those were exceptions.

What do I think about the scalability of the solution?

I think Trend Vision One offers very good scalability.

How are customer service and support?

I would rate the service and technical support for Trend Vision One at nine to ten points. Of course, it depends on the specific situation, but overall, I'm very satisfied.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We didn't switch from another solution but rather implemented Trend Vision One as an evolution of our existing Trend Micro infrastructure. I had explored Microsoft solutions in recent years and attended related training, but ultimately, we stayed with Trend Micro.

How was the initial setup?

The initial setup has a certain complexity that varies by area. Some areas are relatively easy to configure; others definitely require expertise and practice. Without professional support, the start would have been difficult.

We had two German partners on board for several weeks and months. In short, intensive sessions of two to four hours, they developed a structured onboarding process with us. After about three two-hour sessions, we could work independently with the product.

Our implementation strategy for Trend Vision One was three-tiered: First, we migrated from our on-premise Apex One solution to Trend Vision One in the cloud. In the second step, we migrated the servers, and finally we checked all sensors.

What about the implementation team?

We worked with a Trend Micro partner for onboarding. With Trend Micro's recommendation, we also purchased the licenses through them. The partner guided us during the sessions, then we carried out the actual integration and migration ourselves.

For implementation, we needed two to three employees. A colleague and I carried the main responsibility; my colleague handled the cloud migration, agents, and clients. I brought in two additional colleagues for servers and local infrastructure, particularly for Mac systems.

From mid-June to mid-September, an average of two to three people were involved in the project.

What was our ROI?

I can't definitively evaluate the return on investment yet, since we've only been working productively for a few months. We had a very good onboarding process and worked intensively on it, but for a solid ROI evaluation, it's still too early. I plan to have meaningful numbers by year-end, particularly through patch management and sensor detections.

What's my experience with pricing, setup cost, and licensing?

As usual, we work with twelve-month or multi-year licenses on a subscription basis. The subscription model is ideal for the vendor and predictable for us, but still quite expensive.

I would like more flexibility - for example, the ability to purchase individual modules separately.

What other advice do I have?

For others evaluating Trend Vision One, I recommend checking whether the vendor is a pure security specialist or also active in other, non-security-related areas. That can be an important decision factor.

Overall, I rate the solution 9 out of 10 points.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Syed Sumair Ahmed Jaffri - PeerSpot reviewer
Systems Engineer at a tech services company with 11-50 employees
Real User
Top 10
Effectively identifies threats by regularly inspecting logs to establish a baseline of normal operations and reports any detected anomalies
Pros and Cons
  • "Trend Vision One offers superior integrations, enhanced tool capabilities, and expanded solutions for network security, firewalls, and remote malware scanning."
  • "Trend Micro could improve its support for non-third-party products and product integrations."
  • "Trend Micro's support is suboptimal in my region, likely due to proximity to their resources, favouring areas closer to the company. Consequently, we utilize local support providers who offer better service."

What is our primary use case?

My primary use case for Trend Vision One is for application device control, web reputation services, and malware scanning, as well as providing a remote malware scan option. I also use it for log inspection and endpoint identification.

How has it helped my organization?

Trend Vision One helps save us time.

I am satisfied with the security Trend Vision One provides for our cloud environment. It effectively identifies threats by regularly inspecting logs to establish a baseline of normal operations and reports any detected anomalies on the console.

Trend Vision One offers good visibility and control over our environment, providing valuable telemetry into network traffic.

Trend Vision One offers comprehensive insights into our infrastructure, allowing me to identify unmonitored endpoints, such as those without the software installed, which I can then verify through the console.

Trend Vision One allowed us to consolidate the Apex One and Deep Security consoles, which were previously used separately in our on-premises environment.

What is most valuable?

Trend Vision One offers superior integrations, enhanced tool capabilities, and expanded solutions for network security, firewalls, and remote malware scanning. Its ability to identify unmonitored endpoints and perform log inspection, which establishes operational baselines and detects anomalies, proves invaluable for threat identification. The platform's comprehensive reporting capabilities further enhance its value in maintaining a secure environment.

What needs improvement?

Trend Micro could improve its support for non-third-party products and product integrations. Technical support in our region needs improvement.

For how long have I used the solution?

I have been using Trend Vision One for approximately one year.

What do I think about the scalability of the solution?

Trend Vision One effectively scales to accommodate our workloads.

How are customer service and support?

Trend Micro's support is suboptimal in my region, likely due to proximity to their resources, favouring areas closer to the company. Consequently, we utilize local support providers who offer better service.

How would you rate customer service and support?

Neutral

How was the initial setup?

The deployment usually takes an hour, more or less. Trend Vision One was easier to deploy than other tools when integrating with the cloud environment.

What about the implementation team?

We have a local vendor that provides support.

What's my experience with pricing, setup cost, and licensing?

Trend Vision One is cost-effective because it offers detailed reporting and environment control features.

What other advice do I have?

I would rate Trend Vision One eight out of ten because every tool needs improvement. Trend Micro has some low-cost services and minor areas for improvement.

Trend Vision One provides regular updates according to customer needs.

I would recommend Trend Vision One. There is flexibility, and their credit system is quite effective. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2592759 - PeerSpot reviewer
IT Senior Associate at a tech vendor with 1-10 employees
Real User
Top 20
Provides comprehensive visibility but should have more options for sandbox analysis
Pros and Cons
  • "The best part is the XDR threat investigation, which includes different modules like Observer Attack Techniques, Workbench, and Detection Model Manager."
  • "I would definitely recommend Trend Vision One to others."
  • "For XDR threat investigation, there is not enough documentation about how to search for different keywords. The documentation for keywords used in attack techniques is lacking, making it difficult to understand certain aspects."

What is our primary use case?

I mainly use it for the management console and threat investigation. It helps us understand what is going on in our environment. I also generate reports to see what is going on in the background in our environment and how our devices are. I can see whether they are getting timely virus definition updates or patches. I get information related to the vulnerabilities on our devices.

How has it helped my organization?

Trend Vision One provides centralized visibility and management across protection layers. It is pretty important to know data from different data sources. It helps to gather information about the environment and reduce the attack surface. The custom reports based on those data sources and different modules help me reduce the risk level of the environment.

Executive dashboards help to see the devices in the environment and Internet-facing assets. If any device has any vulnerability, then based on that data, I can go to the XDR threat detection and get more information about that particular vulnerability or alert. Based on that, I can communicate with the team and get it remediated. We only provide a risk assessment. Based on the information provided, the team remediates the issues.

It has definitely reduced the time to respond to threats, but I do not have the metrics.

What is most valuable?

The best part is the XDR threat investigation, which includes different modules like Observer Attack Techniques, Workbench, and Detection Model Manager. It provides patterns and we can see what is going on. We can act on them accordingly. We can make playbooks and automate processes to reduce the attack surface.

What needs improvement?

For XDR threat investigation, there is not enough documentation about how to search for different keywords. The documentation for keywords used in attack techniques is lacking, making it difficult to understand certain aspects. 

Providing more interaction options in sandbox analysis would also be helpful. They have not given us many options. 

For how long have I used the solution?

I have been using Trend Vision One for more than one and a half years.

What do I think about the stability of the solution?

It is quite stable. They provide proper updates.

Which solution did I use previously and why did I switch?

I have used different solutions, such as SentinelOne, Carbon Black, and Cylance, but Trend Vision One provides more comprehensive visibility across the environment. For environment-level visibility, I prefer Trend Vision One.

How was the initial setup?

The initial setup was easy.

What's my experience with pricing, setup cost, and licensing?

The pricing is fair and not on the higher side.

What other advice do I have?

I would definitely recommend Trend Vision One to others. It offers high visibility into the environment, helps reduce the attack surface, and automates many processes, thus enhancing response time.

I would rate Trend Vision One a seven out of ten.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Jasneet Singh - PeerSpot reviewer
Cloud Security Engineer at a healthcare company with 1,001-5,000 employees
Real User
Top 10
Makes data meaningful and helps to control an attack early on
Pros and Cons
  • "For our day-to-day use cases, the correlation and attribution of different alerts are valuable. It is sort of a SIEM, but it is intelligent enough to run the queries and intentionally detect and prioritize attacks for you. At the end of the day, it is different data that you see. It correlates data for you and makes it meaningful. You can see that someone got an email and clicked a link. That link downloaded, for example, malware into the memory of the machine. From there, you can see that they started moving laterally to your environment. I quite like it because it gives visibility, so Workbench is what we use every day."
  • "Reporting could be a little bit better. They are working on it, and it is getting better."

What is our primary use case?

We were using Symantec before, and with the coming of EDRs in the market, we were looking for a solution. We wanted a defense system so that if there is an attack on the system, such as an endpoint being infected or an attacker using a known ransomware technique moving laterally, I do not need to go to the firewall team. I do not need to go to other teams to find out. I should have enough intel at that very stage to contain it if possible.

How has it helped my organization?

We were looking for a system with a single pane of glass. The journey started with deploying the EDR client on the servers, which is called Deep Security, and Apex One on the endpoints, such as desktops and laptops. We then connected them to a single pane of glass, which was called XDR, now known as Vision One. It has helped us to correctly hunt and fix. We could see the communication between the endpoints and the servers and anything else they were talking to. We could then further expand it and connect it to all of the systems through APIs. That was the initial requirement we had, and it worked very well in that sense.

When you buy extensive or expensive SIEM solutions, such as Splunk or something else, what happens is that you need analytics. You can write meaningful queries to query the data. At the end of the day, all the data going in needs to be correlated. Vision One provides visibility in that sense.

We connected it to the cloud, so we could see the telemetry from Azure and cloud. We then installed the network detection response. It could see and detect a little movement from the network layer. We then connected it to Active Directory, so we could have attribution happening. We currently have a lot of data coming. With a small team, the issue that arises is how to deal with so much information and how to prioritize. It helps with the prioritization. The system is smart enough to proactively go and scan the logs and trigger workflow alerts. It prioritizes them based on the criticality, such as high, medium, low, or informational. When you have a small team, your analysts can go and start looking into those and see what is happening and what they need to prioritize at a stage.

We came very close to a Russian threat actor and Vision One helped tremendously. It helped us to control the attack in the initial stages. They got into the environment and they got the reverse shell out. I saw the alert. Vision One Protection showed me in detail what they ran, what they queried, what information was captured, and where the connections were going out. It was an initial access broker that had done the attack. If this information was not picked up on the late Friday afternoon, you can imagine what could have happened by Monday. Within hours, that information would have gone on to the dark net and would have been sold to a ransomware gang. The mean time to respond was reduced significantly. It is very rare for most organizations to detect such attacks in their own environment within the first four hours. It reduced the mean time to respond by 70% to 80%.

Its real-time monitoring capabilities help a lot in our overall security posture. We have everything configured to our central SOC email system, so the minute an alert is fired and depending on what criticality it is, we can work on it. When you work in the health industry, you often work with vendors who are still not very cybersecurity conscious. They are still learning. One of them plugged in a USB drive, and we found an early indicator of compromise. The device was plugged into one of the technical systems. It not only detected and blocked that, but we also got the alert pointing to the machine. If it was not detected and picked up at that very stage within a matter of minutes, it could have had a pretty big impact eventually.

The beauty is that I do not need to go and log in to the separate console of Apex One or Deep Security. I have got all the visibility and telemetry feeding in real-time into the Vision One console. The Vision One console straightaway alerts you. It just flashes a critical alert. It blocks, but then it provides mitigation recommendations. We need to take the machine off the network, scan the USB, educate the user, and escalate to the right people. Having all that information at hand is very crucial. We can influence the user behavior as well so that they do not do that again.

We are using it on endpoints. We are using it on our servers. We have a network detection response, which is called NDR. We are monitoring all the internal traffic coming from the firewalls. We have Citrix NetScalers, so we are monitoring the network side as well. We also have another product called Conformity that does a cloud assessment and compliance check for all externally exposed cloud assets. It tells you if they are not in compliance. For example, with the project that went in, something might get exposed accidentally, such as an Azure storage account, to the Internet. It all feeds into Vision One, and we have a single pane of glass.

It is helpful for multiple teams. It is not only limited to SOC. We have teams from the cloud side and sometimes from the endpoint and the server side who can get in, and they can see the alerts. It makes it easier to work because we all are seeing the same thing with more information. So, we are using it for our endpoint servers and network. We are using it for monitoring our Azure cloud. We also have something called Trend Micro Cloud App licenses as part of our licensing. We have policies that do advanced threat protection monitoring and DLP monitoring on the SaaS channels, such as Exchange Online, Teams, OneDrive, and SharePoint sites. These are other channels from where the data can be shared, the data can enter our environment, or the data can go out of our environment. It has policies to monitor DLP. It has policies to monitor any malicious files or any indicators of an APT attack. We get those alerts as well.

There are two dashboards. The Executive Dashboards give an overall view of the entire system and what is happening on our system at any point in time. We can see how many outstanding vulnerabilities we have, what we need to report to the management, and how we will be progressing for things like that. Then we have the Operational dashboard with real-time alerts or pending alerts. It shows us that we have some account that is a match from a .Net data lake. A problem, for example, is that most users keep the same password, so you could have the same account password for your work account and for your personal account. They can get compromised at home and work as well. So, we use Executive Dashboards for reporting and overall understanding of what is happening in the environment and what we need to report and prioritize. The Operational dashboard is for day-to-day work.

It is very important that we are able to drill down from the Executive Dashboards into XDR detections. We are in the health industry. We are a hospital. The board is not only worried about ransomware because that can happen to anyone. You can never be safe enough. They are also concerned about the damage to our reputation and the operational cost of recovering, so they are very keen to have visibility. The Executive Dashboards give us good enough information to filter that. For example, our desktop support team has a limited set of people. For cybersecurity, we want to prioritize patching for a zero-day threat, but sometimes, it cannot happen because the teams have other priorities. The issue is not that they do not want to help, but they do not have resources. With Executive Dashboards and reporting, we can escalate things to the board saying that we need some attention. We can ask them to fund us with more resources to get this across the line. It helps us dictate the impact and prioritize a critical cybersecurity vulnerability so that we can get the management's buy-in to prioritize it and address it before it goes out of hand.

We use the Risk Index feature to map against other organizations in the same geographic region to see how we are doing in terms of risks as compared to other organizations. Are we better or worse than others? If we have some areas where we are worse than others, they help us to understand the reason and how to improve.

If we want to go through every single event, then with our current licensing, XDR can hold up to six months of data, which could be millions or thousands of alerts. A smart thing that they have done is to provide the Workbench, which automatically prioritizes. It does the hard work for you by pulling that intel and saying that these are the highly critical ones that you need to address as soon as possible. I am not discounting the fact that sometimes, attackers do not even go for highly critical ones. They go for a medium one, but it helps us to get them out of the way. Our team is small, and I had a good experience training a few people, taking them through, and showing them how to do it. Once people start working, they understand the workflow. It just becomes a second habit. It is very intuitive. You can get into the console, add new indicators of compromise, add new threat-hunting queries, add new CTI feeds, and check for new vulnerabilities. There is so much you can get out of it. You just have to prioritize what you think is important for that day.

We do use Managed XDR as a second service. The way that comes in handy is that we do have people on call. I, for sure, keep checking my emails, but if we have a critical alert that no one has attended from our side, they triage it. They triage it very well and then rate it. For example, they might say, "It seems to be benign or negative, but an alert came in, and no one was available. If you want to add an extra layer of security or caution, here is the mitigation." They are very responsive. I was able to see the big attack that we had two years ago within the first four hours, and by the time it got to the XDR, it was all correlated. Within half an hour, their response team came to the same conclusion. They reached out to us when I was about to reach out to them, so we were on the same page. They are definitely a good backup or a second solution for us. Also, some of the alerts can come up from workflows. They may seem malicious but they are not. The Managed XDR service people come back to us just to reconfirm that. We tell them that it is a known file. They do not need to worry about it. Sometimes, we might miss something or have no idea about the next step. They then come up with a recommendation about what we need to do. It is a very good service to have.

We are using Attack Surface Discovery to monitor the devices we have and the internet-facing assets, accounts, and applications. API is something we are still looking into, but with a few clicks, we get an overview. We can see how many are patched and how many are exposed externally or internet-facing assets. We have a lot of subdomains linked to the primary hospital site for different projects and workflows. We can see how they are doing, which ports are open, and which known vulnerabilities are there because some of them are not managed by us. They are managed by externally hosted vendors, so we can keep them in check. The same is applicable to our accounts. If we have accounts that are on the dark net, or we have accounts with excessive privileges that can potentially be exploited, we can address that.

For applications, the feature that I like the most is called the Cloud App List. It basically looks at all the SaaS applications and benchmarks them. It profiles them based on the rest and gives us a report. It tells us that certain apps that people are using may not be officially sanctioned by us. For an unsanctioned app, they do a risk profiling through Vision One, which shows us which security compliance standard it has gone through from the vendor. They give us a quick understanding of how bad or good it is to continue using an application.

During the COVID time, I was setting up Vision One, and I got an informational alert. The husband of a nurse gave her a USB, and she plugged it in. She was in an off-site environment, but the Trend client was still running. The clients were connected to the SaaS console or the Internet, so all telemetry was still being fed. They must have thought that it was not the case, but detections were still coming. When she plugged it in, it downloaded a PowerShell exploitation framework, which they were able to map to an APT group from China that commonly uses this technique for intellectual property exfiltration. I quite like how much visibility it provides. For a couple of applications here, sometimes an alert comes in, and it can even drill down to the last command that was executed. It can create an attack graph and show you the full execution profile. It helps you troubleshoot and filter out whether something is a false positive or an issue at hand. This whole interconnectivity of different systems into Vision One, and its ability to help individualize an attack, is the thing I like the most. It is very good because reading logs and seeing an attack visualized are two different perspectives for a threat hunter. It really helps you understand what is going on.

With every such technology in an enterprise environment, as well as with most of the production systems, the reduction in the amount of time we spend investigating false positive alerts depends on how fast you fine-tune the system. You need to tell it which are the exceptions and not to alert you on them, and which ones it should alert you on. It is a balancing act in cybersecurity. For example, logins are used by attackers but also by your admin staff. If you totally put them in exemption, you can have a malicious login executing in your environment. You would be completely blind there because nothing would get alerted. In terms of false positives, the system is capturing a lot of data, and it is not the system's fault because it is seeing a lot of data. Sometimes, we have not classified the data. We are getting better at it. We are labeling and tagging the systems. We are fine-tuning it, and it has reduced a fair bit, but we still have a lot of work to do. It happens, but it is something we do behind the scenes. In terms of the day-to-day threat hunting and visibility, it categorizes them in Workbench, and that is what we look at first thing in the morning. We get to know what is happening and what we need to focus on. Once we see that there is a pattern repeating for some false positives and Workbench alerts are high and not true positive, we then figure out how to whitelist those systems. We now know that this is a known execution process. We know it is known traffic or a known vendor that runs this application, and when it opens, it connects to these ports, for example. It is a bit of a balancing act. It changes dynamically.

What is most valuable?

For our day-to-day use cases, the correlation and attribution of different alerts are valuable. It is sort of an SIEM, but it is intelligent enough to run the queries and intentionally detect and prioritize attacks for you. At the end of the day, it is different data that you see. It correlates data for you and makes it meaningful. You can see that someone got an email and clicked a link. That link downloaded, for example, malware into the memory of the machine. From there, you can see that they started moving laterally to your environment. I quite like it because it gives visibility, so Workbench is what we use every day.

They also have something called virtual patching. If you have end-of-life systems or systems that are out of support, you cannot upgrade the agent, but you can still do the update if you get the signature. This is the feature I like. For example, today, if a new zero-day threat is out with a link vulnerability where attackers send you a link, and that link, even if opened in the preview mode, can basically execute a malicious code, we just cannot patch within four or five hours. We are a midsized organization. We are fairly big, and sometimes, it takes two days or even a week. With virtual patches being there and XDR with all that information connected, we can see that the virtual patch is working. It is there. We have all the mitigation in place, but then it is also detecting the environment for that threat. We can further write the hunting queries and enhance detections. So, Workbench detections and virtual patching are very helpful.

It also gives us an executive dashboard where we are monitoring our external sites. We can see what ports are open and what known vulnerabilities are being scanned on them. We get visibility and better mean time to respond and act.

The user interface is pretty easy to use. Sometimes, you learn it while you play around with it and you set it up. One thing I do like, which is very good, is that you can pivot from within the console to different sections if you know how to go about it, but if you have not used it, it could take a bit of learning. A good thing that Trend Micro has been doing for the last two years is organizing some sort of CTFs, which are scenarios based on real threat actors. They get you to come to those events. It is gamified so they can attract people. If you want to learn, they would show the event ID that came in and where to go and see that event ID. They show you how to hunt based on that event and how to extract the indicators of compromise from that ID. There is a feature called Suspicious Object. They show you how to block one. If you have a suspicious object linked to a threat intel feed that goes to Palo Alto, you can not only block it in XDR or Vision One, but straightaway, it also gets pushed to your firewall, so your firewall is also blocking it now. There are some cool functionalities, but you need to spend time to understand how you would pivot between different subsections. If someone is new and starting, it is still pretty straightforward. The UI is very self-explanatory. There are a lot of details. There is a lot of telemetry added to it for you to see and understand. It is not that complicated. If you have a bit of a cybersecurity background, you should be able to pick it up pretty straight away.

They are constantly updating it, which is a good as well as not-so-good thing. There is an update every few weeks. They are very good updates. I quite like it that they have such agile development. They listen to their customers' feedback, and they are constantly investing in the product. They do not give you an off-the-shelf product. The world is changing, and the attacks are changing. It is kept up to date.

What needs improvement?

Reporting could be a little bit better. They are working on it, and it is getting better. They have different development teams working on this product. Like any bigger organization, they have so many people working and fixing the product, and they have their own development routines and cycles and understanding of the code. It has gotten a lot better, but it has a long way to go. Recently, there were a couple of more reports. What I like is that they listen to the feedback. If we tell them that we need this reporting, they go back and do something about it. It does not get lost in emails or meetings.

For how long have I used the solution?

We have been using Trend Vision One for almost three years.

What do I think about the stability of the solution?

I have not seen any downtime as such. I have not seen the console going down, not even once in three years.

It is set in firm defense. It is a very interconnected system now. I spend most of my time fine-tuning and working in Vision One. It has been 100% stable for me most of the time. I have had no issues. It is very stable. I would rate it a ten out of ten for stability.

What do I think about the scalability of the solution?

We are based in Southwestern. It is a fairly big site. After COVID, we have remote workplaces. It is a part of our standard operating environment. Any new server or any new desktop or laptop has to have the client installed, but we are also multi-site. We have sites in Central Queensland and North Queensland. Those sites came along as well. It is a through-and-through solution. It is being used on all three sites.

Vision One is currently being used by multiple teams. There are 15 to 20 people at the moment. We have the Network and Security team, and then we have the core cyber team. We have people who look after the Apex One and desktops, and we also have people who look after servers and the cloud. They all know what to look for, and they know where the alert is coming from and what they need to do. I have given training internally a few times for people.

How are customer service and support?

The customer support experience has been fantastic. They are fairly technical. What I like is that they are very responsive. You log a job, and within two hours, someone is on the call with you or contacts you through email. We have a relationship manager or a technical account manager from them who does biweekly calls with us. He addresses any issues and provides escalation channels as well. Their engagement as a vendor and as support has been amazing.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We were using Symantec. When we did the research three and a half years ago, the world was moving to EDRs. An EDR solution compensates for different technologies. It is not static signature-based detection because that can be bypassed easily.

The main considerations were the costs and virtual patching. We were looking for a solution that could help us with virtual patching. When you have a zero-day at hand, regardless of how big your team is, patching sometimes is just not possible. When you are a hospital, you cannot take the systems down. You have to go through a couple of processes, but during that time, you are in a vulnerable state. We were looking for a system that could provide virtual patching, has detection and virtual patching signatures, and gives you the breathing space where you can go and patch a system. It satisfies that need.

The EDR/full-stack functionality was also a welcome change. We do not have just an antivirus or EDR. It can do a lot more. It can do file integrity checks. It can do a baseline of your known system file caches. It can do all these things.

How was the initial setup?

Our model is hybrid. Vision One console is on SaaS. It is on the cloud, but we have relays that get the updates, so agents have to be local. The EDR clients on servers and endpoints, such as laptops and desktops, have to be on-prem. The cloud posture management and PC bot are also SaaS-based. It is just through an API. Other than the EDR clients, most of the other integrations are pretty much SaaS-based.

The initial deployment was a bit tricky because even though Symantec was a very outdated product, there was still something on the machine. We had to work extra to get rid of that and put this on. Overall, the deployment was pretty good. The biggest challenge in the deployment of an EDR is understanding what your network traffic, day-to-day workflow, or applications look like. Most EDRs have something called real-time scans, so if something is trying to access the memory where the credentials are stored or write to a system-protected file, and if an EDR does not know about them, it will straightaway block it. They helped us to create those amazing baselines where we could whitelist the known applications and the known traffic. It was good. It took a while to get it right. As the environment changes, you keep fine-tuning it. I did not hear of any major issues or any dramas with it, but I did not do the deployment. 

It does not require any maintenance as such. The only major change that I have recently seen is that they have gone from version 1 to version 2, and version 3 is coming. That is all happening behind the scenes. We had some agents in a different geographic region. We had to migrate them across, which is on-prem, but the backend team did the rest. 

What about the implementation team?

We had a dedicated project team that worked with Trend Micro project managers for implementation.

What's my experience with pricing, setup cost, and licensing?

I do not have much visibility into it. It is definitely not a cheap product, but to my knowledge, it is out there with the big wigs in the industry, such as CrowdStrike, SentinelOne, and other EDR/XDR vendors. I had heard, and found out eventually, that their sales teams are very flexible, as most sales teams are.

The problem with any XDR is that you need to buy into their whole ecosystem so that it can provide more visibility and more data points. It can understand your system environment a bit more.

We started with the endpoint and server detection, and then XDR was given to us for free at that time to try it out. Once we got into it, we added NDR, which is the network detection response, the cloud side, and all the other things to it. They were pretty good in terms of pricing and understanding of our needs.

Their team is also very good, which is something I have not seen with other vendors. They are proactive. They reach out to you with new things happening in the cybersecurity world, such as any new attacks or detections, any new events, or new training. They reach out to you every few weeks and sit with you to understand what they can do better. This constant engagement and service is good. I do not base it only on the cost. Nothing is cheap, but it is about what you get from a vendor on the service. It is not like sell and forget, where they sold you the product, and they have nothing to do with you. It is a constant engagement because XDR is ever-evolving. They take you on that journey. They show you what new capabilities are coming. They ask about the use cases and how they can help us. They ask about what we are seeing or what challenges or gaps we still have in the environment so that they can help that. This has been my personal experience. It has been absolutely fantastic.

Which other solutions did I evaluate?

We had another vendor. We tested both EDR clients, and at that time, XDR was just a big buzzword in the market. We did not know what XDR was and whether we would get it. It was given to us complimentary to try for a few months. I did EDR testing of this solution and another very well-known vendor in the market. We did an attack simulation. We performed a couple of attacks with malicious code and ransomware. It was really good at picking up most of the attacks, whereas the other one was 50/50. We then created a report based on the facts we had in front of us.

Back then, we were told that Palo Alto was coming up with something called Cortex XDR. They bought another company, which had an EDR client that they slapped into their solution. Their methodology was a bit different. Firewalls were still the first line of defense. For example, the malware sitting on a machine is trying to connect to a command and control server or a malicious domain outside the environment on some ports. Once Cortex XDR sees it, and it hits the threshold, you will start seeing the alerts. I did not want to wait for it to get 25 machines infected before Cortex XDR started doing something. That was too late. I have heard that they have come a long way. They might have gotten similar feedback from others and made some changes internally. They are a brilliant company, but it did not meet our requirements at that time. The detections during the EDR testing were not that great. Most importantly, it did not meet one of the key requirements we were looking for back then. We wanted virtual patching and virtual patching signatures for end-of-support operating systems. That was the deciding factor for us.

What other advice do I have?

To those who are evaluating this solution, I would advise doing a PoC and understanding their workflow and traffic. They should have the right expectations going into the product. It is a system with which you need to invest in other components as well, but once you get it up and running and it's working and tuned, you will start seeing the value of it.

They are now acting as a support partner for us. We can rely on them and work with them because we invested a fair amount of money with them. The product has proven to be very valuable for our defense arsenal. I personally follow them. It is not just me. It is all over the Internet that Trend Micro's Zero Day Initiative still picks up around 60% of vulnerabilities. It is more than any vendor out there. They have got a very good team.

I would rate Trend Vision One a nine out of ten. Reporting could use a bit of work, but it is improving. Just the other day, I heard that they are starting to provide automated threat hunt queries and an AI bot on Vision One. These features are still in preview, but it is changing rapidly. They also have something called forensic, so you can create forensic cases and log calls directly from the Vision One portal. There are some very good changes that they have made. It is evolving and dynamic.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Daniel Plazo - PeerSpot reviewer
IT Security Operations Specialist at a tech services company with 51-200 employees
Real User
Top 10
Improves our security posture because we can patch any vulnerable machines that are prone to risks and attacks
Pros and Cons
  • "I love everything about the solution, especially the XDR features, the attack surface management, and the workbench alerts. It oversees vulnerabilities among the system and devices, prioritizing areas that need patching."
  • "There are limitations in terms of threat response actions."

What is our primary use case?

I use the solution primarily for EDR. The top challenges in our industry are the accuracy of the detections and the visibility of alerts and events.

We are accessing it via the cloud, and we are monitoring the endpoints and cloud servers. 

How has it helped my organization?

Vision One provides centralized visibility and management across protection layers, which is critical for tracking threats, viewing vulnerable assets, and understanding the overall security posture of the organization.

Vision One helps me a lot when it comes to reporting. The reports are very detailed and informative. There are recommendations and analyses of how to mitigate threats. We have comprehensive visibility.

The executive dashboards are very helpful for us in assessing our security posture. We can see what needs to be prioritized and mitigated first.

The risk index feature helps us make security improvements and implement security policies. It helps to have robust security.

Vision One helps to harden security controls and policy implementations.

Vision One improves our organization's security posture by allowing us to apply more robust security controls, implement security policies, and improve the security culture. The centralized visibility enables more efficient security operations.

Vision One makes it convenient to assess and mitigate or block threats across the organization. The XDR is collecting data from more than one client or company and correlating it. The XDR detects the loopholes or vulnerabilities of the system. It uses MITRE ATT&CK techniques to identify and respond to cyber threats or vulnerabilities.

Vision One improves our security posture because we can patch any vulnerable machines that are prone to risks and attacks.

Vision One has decreased our time to detect and respond to threats by 50%.

We use automation capabilities, especially when there is a breach or a risk activity with the user or the endpoint. It helps us by isolating devices automatically. This automation saves us about 20% of the time.

What is most valuable?

I love everything about the solution, especially the XDR features, the attack surface management, and the workbench alerts. It oversees vulnerabilities among the system and devices, prioritizing areas that need patching.

When I started working with it, I knew nothing about this solution. I found it very user-friendly and easy to understand.

What needs improvement?

There are limitations in terms of threat response actions. 

For how long have I used the solution?

I have been using Vision One since December 2022. It has been about two years.

What do I think about the stability of the solution?

There are some errors with the solution. I would rate the stability a seven out of ten.

What do I think about the scalability of the solution?

It is scalable. I would rate the scalability of the solution as eight out of ten.

We have clients of various sizes. Our clients are small, medium, and large organizations.

How are customer service and support?

The customer service or technology is responsive, but they take a minimum of one day, and up to three days, which is too long.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously used Azure Sentinel. Vision One is an advanced solution compared to Azure Sentinel. I prefer Vision One because of the convenience and easy correlation.

How was the initial setup?

The initial setup is complex due to the various cloud resources that we have. We have workstations, servers, etc. Its implementation can be simplified.

It did not take us very long. We migrated from Apex One to Vision One. It did not take long.

What was our ROI?

It provides returns on investment by saving about 50% of time, money, and resources.

What's my experience with pricing, setup cost, and licensing?

I find it to be a cost-efficient platform.

What other advice do I have?

I would recommend this solution. It helps a lot when it comes to security. It covers endpoint security, email security, web security, and data leak prevention. It has everything.

I would rate Vision One a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
AyoubAkhtar - PeerSpot reviewer
Cyber Security Engineer at a tech services company with 1,001-5,000 employees
Reseller
Top 5 Leaderboard
Centralized visibility and automation capabilities save time
Pros and Cons
  • "Centralized visibility is valuable. We can view what kind of virus or threat exists, where it has traveled, and how it started. A security analyst can use just this one console to view all the information."
  • "Currently, there is nothing specific that needs improvement. Their support is very cooperative, and they provide an educational portal for learning the solution. However, deployment could improve by considering customer environments that are not fully updated."

What is our primary use case?

Trend Vision One has advanced sensors that collect telemetry from various sources like endpoints, email, and network. Workbench then correlates data to provide visibility across the entire environment. If there is any virus in the environment, it correlates the information, shows where it started, who the user is, and how it traveled through the environment, thus providing complete visibility and infrastructure correlation.

How has it helped my organization?

Trend Vision One consolidates security and saves time.

Trend Vision One is a cybersecurity platform in which Trend Micro has integrated every kind of solution. You have an MDR solution. You have an email security solution. You have endpoint protection. You have server protection. You have EDR. You get everything in one console, whereas vendors like Kaspersky and CrowdStrike do not have only one console. With Trend Vision One, you get all the solutions in one web console or platform. 

It helps with faster response. You have telemetry from different sources, which makes it easy to do analysis and respond. Its automation capabilities help to isolate endpoints and respond. You can respond in multiple ways. You can revoke permissions or terminate any process. You can isolate an endpoint. You can run a script. You can automate in different ways and integrate scripts, playbooks, etc. It saves time.

What is most valuable?

Centralized visibility is valuable. We can view what kind of virus or threat exists, where it has traveled, and how it started. A security analyst can use just this one console to view all the information.

Another valuable feature is its automation capabilities, which help in responding to any kind of alert swiftly.

What needs improvement?

Currently, there is nothing specific that needs improvement. Their support is very cooperative, and they provide an educational portal for learning the solution. However, deployment could improve by considering customer environments that are not fully updated.

For how long have I used the solution?

I have been working with Trend Vision One for the last six months.

How are customer service and support?

When I contacted Trend Micro support, they were very cooperative and quick in resolving and remediating any issues. I would rate their support a nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have worked with Kaspersky, which offered only a single solution and not a fully integrated console. Kaspersky had multiple options but did not provide the same level of centralized visibility as Trend Micro. Kaspersky has graphs for visibility whereas Trend Vision One has both graphs and Workbench. Workbench provides a wider overview, whereas, with Kaspersky, you can only see a sketch of where a virus started or where it ended. Trend Vision One tells you how and through which user a virus came into your environment and how it traveled through your infrastructure.

There is a big difference in the price. Trend Micro solutions are more expensive than others.

How was the initial setup?

It can be a bit complex. Trend Micro has a requirement that endpoints should be fully updated. In customer environments that are not connected to the Internet, that can be an issue. Trend Vision One is a cloud platform. If the endpoints are not updated, you can have multiple errors when you deploy the agents. We find such issues in customer environments.

The initial deployment time depends on the infrastructure. It took us about a month to cover 1,000 endpoints and 200 servers.

What's my experience with pricing, setup cost, and licensing?

Trend Micro solutions are very expensive compared to other solutions. Even though everything is in one console, each feature requires a separate license.

What other advice do I have?

If you do not have any compliance regulations preventing you from using a single vendor, I recommend adopting Trend Micro's cybersecurity platform for full security coverage and reduced management time.

The Risk Index feature helps with the attack surface and risk management. It detects vulnerabilities in your environment and calculates the risk in your environment, but I have not yet used this feature.

When you deploy such a solution in your environment, there is always a huge amount of false positives. The false positive rate depends on how your security engineer has done the configuration. After some time, the false positive rate reduces. The reduction in the false positive rate depends on your infrastructure. If you have a huge infrastructure, it would take some time. It also depends on your security resources who work on this solution. If you have only one person, it can take about six months, but if you have a team of five security people, it would take about a month.

I would rate Trend Vision One a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Information Technology Security Manager at Mewah International Inc
Real User
Top 20
What would previously take us two to three hours to fix, we can do in one hour or even half an hour
Pros and Cons
  • "The user interface is very good."
  • "We'd like to see more use of AI around analytics and controls."

What is our primary use case?

I primarily use the solution to prevent attacks. 

How has it helped my organization?

It's good for detecting malware and anomalies. We use it on our endpoints. 

What is most valuable?

The user interface is very good. Everything is all on one single platform.

With this product, we get centralized visibility and management across all of our protection layers. With a central platform, we don't have to look around across different websites or platforms. We can go right on the portal and manage things. It also helps us reduce the learning curve. We can manage and monitor products from the same place instead of learning different platforms. It's also helped us increase efficiency.

We have made use of the executive dashboard. It greatly increased visibility. We get a risk management view and metrics that help us narrow down and find issues. It helps us reduce risks. The risk index feature gives us a score to help us in our security goals. With it, we know what the baseline or standard is, so now we know what we need to do in order to meet the standards out there in the industry. We can see everything we need to in one glance.

It's kept up to date and is consistently improving. This helps us protect our environment. 

The patch management has been very useful. They help recommend what needs to be installed.

We leverage the attack surface risk management capabilities. It shows the entire incident, including how it happened. We can use the information when we're doing forensics.

We've been able to reduce our mean time to detect and mean time to respond. What would previously take us two to three hours to fix, we can do in one hour or even half an hour. We've also been able to reduce the amount of time we spend investigating false positives. 

What needs improvement?

We'd like to see more use of AI around analytics and controls. 

For how long have I used the solution?

I've been using the solution for five years. 

What do I think about the stability of the solution?

The stability is good; I'd rate it eight out of ten.

What do I think about the scalability of the solution?

We're a small-to-medium-sized company. We have it deployed to less than 5,000 users. 

I'm not sure of the scalability. It works for us and our company size.

How are customer service and support?

Support is okay. They could be more responsive and could provide more communication channels. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not previously use a different solution. 

How was the initial setup?

I'm more of an end-user. I do not handle the installation aspect. The deployment was done a long time ago. 

The tool does not require much maintenance. 

What's my experience with pricing, setup cost, and licensing?

I'm not familiar with the exact pricing of the solution. My understanding is the licensing is reasonable. 

What other advice do I have?

I'm an end-user and customer. 

I'd rate the solution eight out of ten. It has very good management and monitoring benefits. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Updated: August 2025