Co-founder & CTO, Director (Special Advisory Services) at ORNA Inc.
Real User
Top 20
2024-11-12T20:21:00Z
Nov 12, 2024
An area for improvement is integrating more tools with Trend Micro's SIEM. Expanding compatibility to include currently unsupported security tools, such as firewalls, would be beneficial.
Cyber Security Analyst at a tech services company with 51-200 employees
Real User
Top 20
2024-10-21T16:50:00Z
Oct 21, 2024
Trend Vision One requires several enhancements for optimal performance. The platform should allow users to create custom phishing templates directly within the console and improve logging capabilities to facilitate seamless integration with SIEM solutions. Additionally, it should provide a mechanism for configuring Office 365 Advanced Threat Protection alerts to be displayed within the Workbench for streamlined threat management.
Associate Manager - Information Security at DXC Technology
Real User
Top 10
2024-10-18T14:01:00Z
Oct 18, 2024
Trend Micro is making many improvements, including addressing some of our feature requests. However, their reporting functionality needs improvement. The reports lack detail and customization options, particularly for XDR, which hinders our ability to provide tailored reports to clients. For example, we cannot generate reports on threat intelligence data from XDR, making it difficult to assess the protection received from external sources. This limitation also prevents clients from seeing the total value of XDR, including external factors contributing to their security posture. Threat intelligence is crucial, and clients want to understand its impact. Therefore, enhancing report customization, especially for XDR, would be a significant improvement.
IT Consultant at a tech services company with 201-500 employees
Consultant
Top 20
2024-10-15T13:33:00Z
Oct 15, 2024
Trend Vision One would be enhanced by incorporating an SIEM solution as a built-in feature. This integration would streamline functionality and eliminate the need for us to acquire and manage separate SIEM solutions.
Currently, there is nothing specific that needs improvement. Their support is very cooperative, and they provide an educational portal for learning the solution. However, deployment could improve by considering customer environments that are not fully updated.
Systems Analyst at a manufacturing company with 201-500 employees
Real User
Top 20
2024-09-27T18:38:00Z
Sep 27, 2024
The only downside to Trend Vision One is its complexity. It's a comprehensive product covering a lot of ground, which can be a little intimidating initially. The user interface, in particular, can take some time to get used to, with menus that could be better organized and a dashboard that could be more user-friendly. Due to the sheer complexity of the product, navigating and familiarizing oneself with the environment requires some effort. While the initial learning curve might be steep, the product's vast capabilities justify the time investment.
Product Expert – Cloud (Cloud & Cybersecurity) at a comms service provider with 1,001-5,000 employees
Reseller
Top 10
2024-09-27T18:36:00Z
Sep 27, 2024
Vision One's functional capabilities are excellent, but the platform can be upgraded and simplified in many ways. We use multiple playbooks to automate many things, but I'm not sure there are mature cybersecurity applications. There are several external alerts, and their behavior changes daily, so I'm not sure automation can help you that much. We're using the playbooks, but it might require some improvement.
There should be a bit more dynamism when it comes to their playbooks in terms of the action triggers. That is the only thing that I would want to see a bit more. There should be a bit more dynamism, especially when you are creating your own playbook. This is something I have also discussed with Trend Micro.
IT Security Administrator at a transportation company with 1,001-5,000 employees
Real User
Top 10
2024-08-20T22:49:00Z
Aug 20, 2024
The SOAR features (Security Playbooks) are quite limited. At the moment, it is impossible to execute a simple piece of Python code that would pull or push something to an API, for example. While you can tackle some use cases, a SOAR from another vendor is still a must-have. To assist with complex use case integrations, having all the data from the SIEM inside XDR would be great, too. That's where the market is moving with solutions like Falcon Logscale and Cortex XSIAM. Pivoting from XDR to Splunk or vice-versa can be time-consuming during incidents.
Senior IS Security Engineer at a healthcare company with 5,001-10,000 employees
Real User
Top 10
2024-05-24T19:51:00Z
May 24, 2024
Trend Micro Vision One requires significant customization to fit our specific needs, which increases the administrative burden. While the wider data collection offers a broader security net, we don't utilize all its services (e.g., Okta integration). This necessitates manual log ingestion from Azure (e.g., anonymous logins, suspicious tokens) and additional verification using separate tools like Azure for risky sign-in detection and IP vetting, making it a more hands-on security solution. Trend Vision One has some usability issues. For example, extracting browser history for forensic analysis is cumbersome. The platform parses the history file but then doesn't allow exporting the data, making it difficult to share findings with managers. Additionally, the lack of a Network Security Installer for endpoint agents is surprising, especially considering servers have them. The feature request process, relying on a community voting system within a product portal, seems inefficient. Overall, improvements in data consistency and user-friendliness would be beneficial.
Information Security Analyst at Protega – Managed Cybersecurity
Real User
Top 10
2024-04-30T17:27:00Z
Apr 30, 2024
Vision One's search could be improved. While the platform is very user-friendly, the search feature uses terms that aren't as intuitive. The automation is excellent, but I wish there were more templates to help me optimize more things.
Jr Cybersecurity Engineer at a tech services company with 51-200 employees
Real User
Top 20
2024-03-18T09:32:00Z
Mar 18, 2024
While blocking an IP address restricts access for 30 days, it eventually becomes accessible again. For true permanence, blocked IPs need to be transferred to a dedicated storage solution. However, this storage has limited capacity. To accommodate new blocked IPs, we must remove existing ones, creating a disadvantage that has room for improvement.
Senior Security Architect at a tech services company with 5,001-10,000 employees
Real User
Top 10
2024-02-15T09:25:00Z
Feb 15, 2024
Playbooks are very good, but on the automation side, they could always improve. Having more variables within the playbook would be useful. It would allow us to have more refined playbooks for the business. It would allow us to take stronger action through a playbook. It will give us confidence to target a particular area of business where our risk tolerance might be higher or lower. We would like to have more granular playbooks. Further integrations with other products are always beneficial.
Cloud Security Engineer at a healthcare company with 5,001-10,000 employees
Real User
Top 10
2024-02-15T08:35:00Z
Feb 15, 2024
Reporting could be a little bit better. They are working on it, and it is getting better. They have different development teams working on this product. Like any bigger organization, they have so many people working and fixing the product, and they have their own development routines and cycles and understanding of the code. It has gotten a lot better, but it has a long way to go. Recently, there were a couple of more reports. What I like is that they listen to the feedback. If we tell them that we need this reporting, they go back and do something about it. It does not get lost in emails or meetings.
System Administrator at a financial services firm with 10,001+ employees
Real User
Top 10
2024-01-02T11:35:00Z
Jan 2, 2024
The automation capabilities on-premises could be improved, as we currently have to manually activate servers and push policies. I would like the uninstall process of agents to require two-step verification.
It took some time to realize the benefits, as we had some issues with support. It took us three to four months to realize its benefits. The support should be improved. We'd like to see deception features in the next release. It would help us to reduce false positive alerts.
IT Security Engineer at a retailer with 10,001+ employees
Real User
Top 20
2023-11-07T20:38:07Z
Nov 7, 2023
The login system could be improved. We must pass two different dashboards to log in to the solution. We have a second-factor authentication. We need to check the platform, which delays three or four minutes because of logging, checking email, and returning to the platform. If you multiply the entire team, we lose a lot of time daily.
Information Security Analyst at a tech services company with 1-10 employees
Real User
Top 10
2023-10-31T19:39:00Z
Oct 31, 2023
The web viewer could be improved. I've had some issues with it in the past. The zero trust is a bit complicated compared to other parts of the solution. Mostly, I don't have any issues with XDR.
Security Consultant at a tech services company with 10,001+ employees
Real User
Top 20
2023-10-17T17:20:00Z
Oct 17, 2023
Sometimes, there are some false positives. For example, once a user had a file in their system named recovery.txt. The solution was flagging that as a ransom note, so we were confused. It isn't that serious, but it should be improved. Also, XDR should improve its coverage of the latest IOCs. Their suspicious object management works, but the coverage should be improved. It will take one or two months to get those things covered. XDR will detect on a behavioral basis, but these databases will not get updated daily like some other solutions. If you're dealing with new ransomware or malware, it may take around a month before it's covered by Trend Micro.
Chief Technology Officer at a hospitality company with 5,001-10,000 employees
Real User
Top 10
2023-09-29T12:02:00Z
Sep 29, 2023
I've seen a lot of improvement in just the year that we've been with Trend Micro. However, I think that continued optimization of the environment towards automation and orchestration, a kind of layer that sits underneath all of the technologies, would be extremely important. When we look at the speed and sophistication of attacks today, such as ransomware, malware, and cyber threats, we need tools and technologies that can react faster. So, I think integration with automation, orchestration, and artificial intelligence will help tremendously.
Senior IT Security Analyst at a manufacturing company with 10,001+ employees
Real User
Top 20
2023-09-28T16:48:00Z
Sep 28, 2023
We do use the automation capability a little. However, we noticed some limitations, especially on the playbook side. The API we use. We are integrating that with another product, a SOAR product. The playbooks are a little bit limited in what they can do at this point. Let's say that we want to connect on a specific API. The templates we cannot modify very well. When we noticed that limitation, we decided to go and use Trend Micro VisionOne API and connect it to other tools to develop that activity using another product. Under attack surface management, when you go to the specific sites or applications that the users are accessing, the capability of downloading that report could be better. Let's say, as an example, we want to identify users using chatGPT, for example. We want to download that data through an API or through the GUI. Right now, it's not available as an option. Maybe having the capability of extracting data from VisionOne for specific areas of the tool could work. That's something that could be useful, especially if we want to generate that report and send it to specific teams. Often, we don't want to provide DX to all the people. Sometimes it's easier to just have that file and share that file with the people who need to have that information.
Cybersecurity Risk and Compliance Specialist at a government with 51-200 employees
Real User
Top 20
2023-04-06T12:46:05Z
Apr 6, 2023
There are certain items that are blocked, and another component is not working properly, so the blocking does not happen correctly. They have a DLP module in Trend Micro, and they need to enhance its capabilities.
Network Engineer at a tech services company with 51-200 employees
Real User
Top 20
2023-03-11T12:46:39Z
Mar 11, 2023
The solution is issue-free. There are no missing features. The solution only supports Windows and Mac. It would be helpful if it could support other OS, such as Linux. We'd like to have more application and data loss features in the future.
For me, so far, the product is fine. I haven't had any issues. I haven't used it for that long and therefore haven't come across any problems. The solution could always be made to be more secure.
Senior Security Engineer at a tech services company with 11-50 employees
Real User
Top 20
2022-12-07T11:35:30Z
Dec 7, 2022
For some time, if you were installing this XDR solution, there is a Sensor. Sometimes we need backend support for some scripting parts. They're applying it from the backend for us. Therefore, there's a dependency on the backend from that point of view. I don't like that feature. The option for deploying the scripts should be available on the platform itself, so there is no need to raise the case with the backend team. We'd like to see some security playbooks. Currently, Auto-Remediation is not there. Only Manual-Remediation is there. We have to create a Security Playbook. However, they are just planning to add the Auto-Remediation part. They are just also planning on adding the Security Playbooks as a complete feature. In the preview mode, it is available; however, it is not released.
Cyber Security Analyst at a consultancy with 10,001+ employees
Real User
2022-11-09T11:51:21Z
Nov 9, 2022
We'd like to see a few more integrations. Specifically, we'd like to see more IOC integration tools. We haven't implemented the automation piece just yet; however, we will go through that soon. We just need more time to see how it all works.
Trend Micro doesn't have a next-generation firewall. They have the TippingPoint IPS; however, in terms of a next-generation firewall, Trend Micro doesn't have this as part of their solution.
Team Lead Infosec Incident Management at HighRadius
Real User
2022-06-30T08:33:00Z
Jun 30, 2022
Results were delayed. We had all the logs in our hands. We were pretty quick in giving out the results and coming up with a conclusion. Trend Micro was pretty delayed on that front, however. Their turnaround time or the response to their MDR services was slow. While doing POC, we did MDR as well. They could improve the response time on that. That was my view back then, as it used to take a lot of time to get that case generated, get that case analyzed. In the end, we were more interested in the responses from the actual human analysts. Instead of having a machine-generated thing, we were banking on understanding how an incident is treated and how a response is being given. For us, for example, we were able to do our analysis and come to the same conclusion maybe four or five hours before we received Trend Micro's report. Almost all the results were identical. There was one feature called Sandbox that I wanted to try out; however, at that time, they had not released it yet. Since last August, I have been working with another organization, so I am not sure how Trend Micro has developed within the last ten months. I was never able to test the live response feature, wherein I could take remote access of the infected system and send some commands to kill the processes, or maybe grab the artifacts to triage them. By the time it came online, I was moving to another organization. We'd like a bit of freedom or flexibility on the portal. If I'm the end-user and I see something bad which might not be bad from Trend Micro's perspective, but which for my organization was an abnormal activity. Executing things via PsExec might be something that is normal for some organizations; however, for my organization, it is a highly suspicious thing. If I want to investigate that, having the flexibility for me to investigate it in a deeper sense would be ideal. That was something that was not possible at that time.
I don't know if they have given more freedom to Trend Micro admins. We'd love more flexibility in terms of implementing some of the configurations, estate-wise. That is something that I would have loved to see in Trend Micro.
An area for improvement in Trend Micro XDR is more visibility into the alerts. We do get alerts from the solution, but when we are away, we need to have more visibility. An additional feature we'd like to see in the next release of Trend Micro XDR is reporting, particularly RCA reports, because those will help us a lot. Right now, we need to log into the portal to drill down into the RCA. For example, when an alert comes in, it will be blocked immediately by Trend Micro XDR. We get the message "This has been blocked", but when we want to drill down in terms of where it started, we need to log into the server, do the RCA, and drill down on it. While doing the RCA and drilling down on it, it would be good if we could get a report directly from Trend Micro XDR, because that report could help us.
The Endpoint Basecamp we are installing on every system is not recognized. It is important to know what feature needs to be enabled. The printer driver is automatically disabled, which is creating some concerns for us. The agent system is very slow; it needs to improve its performance.
Consultant at a computer software company with 51-200 employees
MSP
2022-03-02T12:01:27Z
Mar 2, 2022
In new versions I would like to see better implementation of the reporting features, especially in regards to EDR visibility. However, Trend Micro XDR has only been around for a year or so, so I know it's still being developed and I think it will get more mature given time.
CISO at a computer software company with 5,001-10,000 employees
Real User
2021-11-03T13:54:00Z
Nov 3, 2021
The product needs to have a lot more maturity, and they need to improve the overall technical support framework for getting the value out of XDR. They need to improve their overall market presence and make sure they are bringing value for the company that is spending money on them. From the business side, there are a lot of areas for improvement, like improving their business relationships. That will help them increase their customer presence as well.
There isn't a lot I'd do to change it. The web interface could be improved to sort of make it a little easier to manage multiple clients out of one location. It could also be made a bit easier to sort of manage the licensing side of it. In terms of additional features, probably the only thing would be a rollback function. They are actually working on it because they're halfway there with it.
Security Professional at a tech services company with 51-200 employees
Real User
2020-10-19T09:33:40Z
Oct 19, 2020
The reporting could be better. We've had some reporting issues in the past. It would be ideal if they could improve it and make it more robust. The solution lacks compatibility with other products. It needs to integrate better with other surrounding solutions.
The Trend Micro Vision One platform is designed to extend threat detection and response across an organization's digital landscape. It is crafted to deliver advanced threat intelligence, using a layered approach to protect against a wide range of cyber threats.
Trend Micro Vision One excels in integrating multiple security layers into a unified platform. It provides real-time visibility into an organization’s security posture, facilitating rapid detection, investigation, and response to...
There are limitations in terms of threat response actions.
We'd like to see more use of AI around analytics and controls.
It is very expensive.
The information captured by Trend Vision One needs to be more detailed.
I would like to have the capability to export the information we receive from the XDR into Microsoft Excel.
The centralized dashboard has room for improvement.
I would like to have more integration with mobile device management.
The integration with third-party tools and with on-premises Active Directory needs improvement.
There are certain items that are blocked, and another component is not working properly so the blocking does not happen correctly. They have a DLP module in Tredn Moicros and they need to enhance its capabilities.
The solution is issue-free. There are no missing features. The solution only supports Windows and Mac. It would be helpful if it could support other OS, such as Linux. We'd like to have more application and data loss features in the future.
For me, so far, the product is fine. I haven't had any issues. I haven't used it for that long and therefore haven't come across any problems. The solution could always be made to be more secure.
For some time, if you were installing this XDR solution, there is a Sensor. Sometimes we need backend support for some scripting parts. They're applying it from the backend for us. Therefore, there's a dependency on the backend from that point of view. I don't like that feature. The option for deploying the scripts should be available on the platform itself, so there is no need to raise the case with the backend team. We'd like to see some security playbooks. Currently, Auto-Remediation is not there. Only Manual-Remediation is there. We have to create a Security Playbook. However, they are just planning to add the Auto-Remediation part. They are just also planning on adding the Security Playbooks as a complete feature. In the preview mode, it is available; however, it is not released.
We'd like to see a few more integrations. Specifically, we'd like to see more IOC integration tools. We haven't implemented the automation piece just yet; however, we will go through that soon. We just need more time to see how it all works.
Trend Micro doesn't have a next-generation firewall. They have the TippingPoint IPS; however, in terms of a next-generation firewall, Trend Micro doesn't have this as part of their solution.
Results were delayed. We had all the logs in our hands. We were pretty quick in giving out the results and coming up with a conclusion. Trend Micro was pretty delayed on that front, however. Their turnaround time, or the response from their MDR services, was slow. While doing the POC, we did MDR as well. They could improve the response time on that. That was my view back then, as it used to take a lot of time to get that case generated and get that case analyzed. In the end, we were more interested in the responses from the actual human analysts. Instead of having a machine-generated thing, we were banking on understanding how an incident is treated and how a response is given. For us, for example, we were able to do our analysis and come to the same conclusion maybe four or five hours before we received Trend Micro's report. Almost all the results were identical. There was one feature called Sandbox that I wanted to try out; however, at that time, they had not released it yet. Since last August, I have been working with another organization, so I am not sure how Trend Micro has developed within the last ten months. I was never able to test the live response feature, wherein I could take remote access of the infected system and send some commands to kill the processes, or maybe grab the artifacts to triage them. By the time it came online, I was moving to another organization. We'd like a bit of freedom or flexibility on the portal. If I'm the end user and I see something bad which might not be bad from Trend Micro's perspective but, for my organization, is abnormal activity: executing things via PsExec might be normal for some organizations; however, for my organization, it is a highly suspicious thing. If I want to investigate that, having the flexibility for me to investigate it in a deeper sense would be ideal. That was something that was not possible at that time.
I don't know if they have given more freedom to Trend Micro admins. We'd love more flexibility in terms of implementing some of the configurations, estate-wise. That is something that I would have loved to see in Trend Micro.
An area for improvement in Trend Micro XDR is more visibility into the alerts. We do get alerts from the solution, but when we are away, we need to have more visibility. An additional feature we'd like to see in the next release of Trend Micro XDR is reporting, particularly RCA reports, because those will help us a lot. Right now, we need to log into the portal to drill down into the RCA. For example, when an alert comes in, it will be blocked immediately by Trend Micro XDR. We get the message "This has been blocked", but when we want to drill down in terms of where it started, we need to log into the server, do the RCA, and drill down on it. While doing the RCA and drilling down on it, it would be good if we could get a report directly from Trend Micro XDR, because that report could help us.
The Endpoint Basecamp we are installing on every system is not recognized. It is important to know what feature needs to be enabled. The printer driver is automatically disabled, which is creating some concerns for us. The agent system is very slow; it needs to improve its performance.
It would be better if it were more user-friendly. It would also be better if the implementation were more straightforward.
In new versions I would like to see better implementation of the reporting features, especially in regards to EDR visibility. However, Trend Micro XDR has only been around for a year or so, so I know it's still being developed and I think it will get more mature given time.
The product needs to have a lot more maturity, and they need to improve the overall technical support framework for getting the value out of XDR. They need to improve their overall market presence and make sure they are bringing value for the company that is spending money on them. From the business side, there are a lot of areas for improvement, like improving their business relationships. That will help them increase their customer presence as well.
There isn't a lot I'd do to change it. The web interface could be improved to sort of make it a little easier to manage multiple clients out of one location. It could also be made a bit easier to sort of manage the licensing side of it. In terms of additional features, probably the only thing would be a rollback function. They are actually working on it because they're halfway there with it.
It should integrate with more tools. There are a lot of tools that can do the PTP dump.
The reporting could be better. We've had some reporting issues in the past. It would be ideal if they could improve it and make it more robust. The solution lacks compatibility with other products. It needs to integrate better with other surrounding solutions.