Trend Vision One Reviews

Vision One is the primary endpoint security product we use to protect our Macs and PCs. We also use the server product version, so it runs on my servers as well. We exclusively purchase Trend Micro's endpoint products. They have network and firewall products. We were using their email product until last month, and I ended up selecting a different provider. We stayed with them for the endpoint, but I moved off of them for the email product.

Vision One was a big deal to us immediately because we did not have context-aware before. We saw everything we had no idea was happening. It was a big deal three years ago. 

It certainly reduces time to detect because a lot of the time, I didn't have it before. I didn't have that information until it gave it to me. The speed of response helps me know much more about what's happening quicker. They have some improvement to do in terms of automated remediation. It probably makes investigations 30 percent faster because of what it puts together. 

When we purchased Vision One, what set it apart was that it wasn't a traditional signature-based antivirus. It's a process-aware solution that provides real-time protection. That was a big differentiator three years ago, but now it's a given that every AV provider should be doing that. It combines signature-based telemetry with behavioral awareness and a detection-based solution, making it a good solution for us.

When we bought it three years ago, it was separate. Apex One handled cloud and web app security, and Vision One handled cloud and server workload protection. Now, they call it Vision One. The server stuff is still separate, but it is the same now. When we purchased it, they told us we'd have a single console, but that took about two and a half years. Finally, there is a single pane of glass. 

One of the things that made me the craziest was that we had too many tools or one tool that I had to log into five different ways. One of the frustrations is you have both legacy and newer detection methods. Not being able to fully investigate it in a single portal was a huge pain.

They need to stop changing Vision One once a week. They're in a hurry to change things so badly and so fast that I can't find where stuff is half the time, which is a challenge sometimes.

I've given one piece of feedback to their product guys. One thing that they're trying to make is a SIEM. It's a product where you input all the logs from your tools, and it creates additional insights into how things look. They've been kind of playing the "me too" game on that, even though that's not what I bought the product for.

They have a new gateway where I can take my firewall of email logs and send it over there. In theory, it's supposed to do a more comprehensive evaluation of all my stuff to improve that risk index score. I'm not impressed with it, and I've told them as much. I feel if you're good at something, you should keep working on that and not try to be all the things to all the people. 

I bought a different email solution even though it would have been 10 times easier to just stay with their email solution because they aren't great at it. They are great at other things, but they're playing the "me too" game with some of their products. Their competitors do this, so they should be doing this, too. They need to pick a product and keep being good at that. If they're going to roll new things out, they should do it but do it right. 

They have a button to isolate an endpoint because it looks bad, but it doesn't usually work. I've had no chance to argue with the product guys to show them examples of how their button doesn't work. You think it does, but it doesn't work in a real environment. That can be a challenge sometimes.

I can see in the data showing what is a false positive. But it doesn't save me time helping them figure out how to fix the problem in their engine. It can help me identify it as a false positive, but it doesn't apply that consistently. It will ignore the false positive for that device, but if they start detecting a false positive on Apple devices, I have eight thousand Apple devices and get 8,000 alerts. I can tell that specific false positive, but it doesn't learn from that particularly well.

We use the executive dashboards, but I don't find them particularly useful. One is the ability to customize. That has gotten a little better, and it'll be better in the future. Most of what they have on there are data points that are generic and not particularly actionable. That's why it's called an executive dashboard. Executives want to see if we are secure, but it's hard for me to find out why our attack surface risk went down by x percentage. I don't know. It says that on the dashboard, but it doesn't give me specific details about why.

I find it confuses my executives, and it's not useful for me because it doesn't give me things to work on. It will give me generic things on the executive dashboard like you have a thousand accounts with an old password. Those are big generic things, but I also can't tell it that our password policy is different from what your automatic detection model means, and I don't have a problem with that, so quit lowering my risk score. 

The risk score is useless. In theory, it's based on the random intelligence they're getting from their various customers. I'm in K-12 education, so they have a decent amount of K-12 customers, but it's a subset, and the baseline of what's common in K-12 education is not the same. There's not enough data to make that particularly clean or useful. Vision One is not custom, and that's part of my beef. That index score is based on whatever random report they're looking at from their data sources at any given moment in time. It's nice, but I'd rather have one that's based on your particular circumstances. Instead, it's saying that the number one attack threat surface for school districts is email phishing. It's too generic.

I have used Trend Vision One for three and a half years.

Vision One has been less impactful toward my endpoints when scanning than the previous solution. 

Vision One's resource usage is starting to creep up compared to three years ago. They used to focus on making their agent lightweight. I don't necessarily think all of this is their fault, but their agents are starting to suck more resources than they used to. Part of it is that the threat landscape has changed, and you need to look at it in additional ways, and it is a strain on the servers. They've gotten really bad about that on the servers.

I rate Trend Micro support three out of 10. Their technical support is challenging. The support's good once you get to the second layer, but they don't read what you write. They auto-respond by telling us to give them the logs. 

Every time, I need to send them a written statement with my product license ID and that I'm the contact authorized to do a support ticket. About 75 percent of the time when I open a support ticket, I immediately email my customer service satisfaction manager person with the ticket number so they can help move it along.

Negative

I was using Sophos three years ago. I've looked at many of the feature sets out there, and they might be 80 percent of what Vision One has, and some might be better, but Vision One is price-competitive.

Deploying Vision One was a pain because of the automated removal tool. In the antivirus world, they try to make it difficult to uninstall people's defenses because that's what an attacker would do. However, all the competitors are making tools to uninstall their competitors' tools when they win business. That's directly counterintuitive to the whole point of the antivirus. 

We went through a process of trying to do this in an automated fashion to replace the old product, and Trend didn't quite do it right. Trend had a real struggle toget their own tool to fix it. 

We use it as a SaaS, so we have a gateway integrator on the server on-site, but the product sits on all my endpoints. In that aspect, it's on-prem, but all the processing, reporting, and everything else happens in the cloud. We had it 75 percent deployed in 45 days. That last 25 percent took us another four months.

I work at an underfunded public school district. I need a whole team, but there is only me. I used to have a security analyst until that position moved around, and
my ability to use the product has been drastically reduced. I miss much of the value of what I'm paying for because I don't have enough staff to use it. I wouldn't need more than one if that was their whole job. 

It's not a totally elegant solution that always feeds and cares for itself. We have to check if it's doing its updates properly. It doesn't tell us, for example, that 2,000 devices haven't been updated or checked in. I have to go proactively looking at it.

Vision One's pricing is extremely competitive. They're probably the lowest-cost provider that has this feature set. 

I rate Vision One seven out of 10. Make sure you learn the 90 percent of stuff in there that you didn't know you bought and preestablish an escalation contact for support tickets. 

I use Trend Vision One for Total XDR and endpoint protection as an all-in-one security solution.

One of the best decisions we made was choosing Trend Vision One. It has transformed our entire security and cybersecurity landscape, providing a one-stop solution to manage everything efficiently and effectively.

One of the most valuable features is Cyber Risk Exposure Management.

There is room for improvement in leveraging AI technology to protect against emerging AI-based threats.

I have been using the solution for two years.

We previously used an outdated and inefficient Trend Micro system, which caused high security risks.

This is not a competitive price — the costs are on the higher side. However, I don’t regret it, as it can help save significantly in other areas. The only disappointing aspect is that every time new features are adopted, additional credits are required, which could push the budget over. This practice should really be reconsidered by Trend.

I also evaluated CrowdStrike as an alternate solution.

Trend Vision One is a five-star product.

My primary use case for Trend Vision One is for application device control, web reputation services, and malware scanning, as well as providing a remote malware scan option. I also use it for log inspection and endpoint identification.

Trend Vision One helps save us time.

I am satisfied with the security Trend Vision One provides for our cloud environment. It effectively identifies threats by regularly inspecting logs to establish a baseline of normal operations and reports any detected anomalies on the console.

Trend Vision One offers good visibility and control over our environment, providing valuable telemetry into network traffic.

Trend Vision One offers comprehensive insights into our infrastructure, allowing me to identify unmonitored endpoints, such as those without the software installed, which I can then verify through the console.

Trend Vision One allowed us to consolidate the Apex One and Deep Security consoles, which were previously used separately in our on-premises environment.

Trend Vision One offers superior integrations, enhanced tool capabilities, and expanded solutions for network security, firewalls, and remote malware scanning. Its ability to identify unmonitored endpoints and perform log inspection, which establishes operational baselines and detects anomalies, proves invaluable for threat identification. The platform's comprehensive reporting capabilities further enhance its value in maintaining a secure environment.

Trend Micro could improve its support for non-third-party products and product integrations. Technical support in our region needs improvement.

I have been using Trend Vision One for approximately one year.

Trend Vision One effectively scales to accommodate our workloads.

Trend Micro's support is suboptimal in my region, likely due to proximity to their resources, favouring areas closer to the company. Consequently, we utilize local support providers who offer better service.

Neutral

The deployment usually takes an hour, more or less. Trend Vision One was easier to deploy than other tools when integrating with the cloud environment.

We have a local vendor that provides support.

Trend Vision One is cost-effective because it offers detailed reporting and environment control features.

I would rate Trend Vision One eight out of ten because every tool needs improvement. Trend Micro has some low-cost services and minor areas for improvement.

Trend Vision One provides regular updates according to customer needs.

I would recommend Trend Vision One. There is flexibility, and their credit system is quite effective. 

I mainly use it for the management console and threat investigation. It helps us understand what is going on in our environment. I also generate reports to see what is going on in the background in our environment and how our devices are. I can see whether they are getting timely virus definition updates or patches. I get information related to the vulnerabilities on our devices.

Trend Vision One provides centralized visibility and management across protection layers. It is pretty important to know data from different data sources. It helps to gather information about the environment and reduce the attack surface. The custom reports based on those data sources and different modules help me reduce the risk level of the environment.

Executive dashboards help to see the devices in the environment and Internet-facing assets. If any device has any vulnerability, then based on that data, I can go to the XDR threat detection and get more information about that particular vulnerability or alert. Based on that, I can communicate with the team and get it remediated. We only provide a risk assessment. Based on the information provided, the team remediates the issues.

It has definitely reduced the time to respond to threats, but I do not have the metrics.

The best part is the XDR threat investigation, which includes different modules like Observer Attack Techniques, Workbench, and Detection Model Manager. It provides patterns and we can see what is going on. We can act on them accordingly. We can make playbooks and automate processes to reduce the attack surface.

For XDR threat investigation, there is not enough documentation about how to search for different keywords. The documentation for keywords used in attack techniques is lacking, making it difficult to understand certain aspects. 

Providing more interaction options in sandbox analysis would also be helpful. They have not given us many options. 

I have been using Trend Vision One for more than one and a half years.

It is quite stable. They provide proper updates.

I have used different solutions, such as SentinelOne, Carbon Black, and Cylance, but Trend Vision One provides more comprehensive visibility across the environment. For environment-level visibility, I prefer Trend Vision One.

The initial setup was easy.

The pricing is fair and not on the higher side.

I would definitely recommend Trend Vision One to others. It offers high visibility into the environment, helps reduce the attack surface, and automates many processes, thus enhancing response time.

I would rate Trend Vision One a seven out of ten.

We were using Symantec before, and with the coming of EDRs in the market, we were looking for a solution. We wanted a defense system so that if there is an attack on the system, such as an endpoint is infected or the attacker or a known technique for ransomware is moving laterally, I do not need to go to the firewall team. I do not need to go to other teams to find out. I should have enough intel at that very stage to contain it if possible.

We were looking for a system with a single pane of glass. The journey started with deploying the EDR client on the servers, which is called Deep Security, and Apex One on the endpoints, such as desktops and laptops. We then connected them to a single pane of glass, which was called XDR, now known as Vision One. It has helped us to correctly hunt and fix. We could see the communication between the endpoints and the servers and anything else they were talking to. We could then further expand it and connect it to all of the systems through APIs. That was the initial requirement we had, and it worked very well in that sense.

When you buy extensive or expensive SIEM solutions, such as Splunk or something else, what happens is that you need analytics. You can write meaningful queries to query the data. At the end of the day, all the data going in needs to be correlated. Vision One provides visibility in that sense.

We connected it to the cloud, so we could see the telemetry from Azure and cloud. We then installed the network detection response. It could see and detect a little movement from the network layer. We then connected it to Active Directory, so we could have attribution happening. We currently have a lot of data coming. With a small team, the issue that arises is how to deal with so much information and how to prioritize. It helps with the prioritization. The system is smart enough to proactively go and scan the logs and trigger workflow alerts. It prioritizes them based on the criticality, such as high, medium, low, or informational. When you have a small team, your analysts can go and start looking into those and see what is happening and what they need to prioritize at a stage.

We came very close to a Russian threat actor and Vision One helped tremendously. It helped us to control the attack in the initial stages. They got into the environment and they got the reverse shell out. I saw the alert. Vision One Protection showed me in detail what they ran, what they queried, what information was captured, and where the connections were going out. It was an initial access broker that had done the attack. If this information was not picked up on the late Friday afternoon, you can imagine what could have happened by Monday. Within hours, that information would have gone on to the dark net and would have been sold to a ransomware gang. The mean time to respond was reduced significantly. It is very rare for most organizations to detect such attacks in their own environment within the first four hours. It reduced the mean time to respond by 70% to 80%.

Its real-time monitoring capabilities help a lot in our overall security posture. We have everything configured to our central SOC email system, so the minute an alert is fired and depending on what criticality it is, we can work on it. When you work in the health industry, you often work with vendors who are still not very cybersecurity conscious. They are still learning. One of them plugged in a USB drive, and we found an early indicator of compromise. The device was plugged into one of the technical systems. It not only detected and blocked that, but we also got the alert pointing to the machine. If it was not detected and picked up at that very stage within a matter of minutes, it could have had a pretty big impact eventually.

The beauty is that I do not need to go and log in to the separate console of Apex One or Deep Security. I have got all the visibility and telemetry feeding in real-time into the Vision One console. The Vision One console straightaway alerts you. It just flashes a critical alert. It blocks, but then it provides mitigation recommendations. We need to take the machine off the network, scan the USB, educate the user, and escalate to the right people. Having all that information at hand is very crucial. We can influence the user behavior as well so that they do not do that again.

We are using it on endpoints. We are using it on our servers. We have a network detection response, which is called NDR. We are monitoring all the internal traffic coming from the firewalls. We have Citrix NetScalers, so we are monitoring the network side as well. We also have another product called Conformity that does a cloud assessment and compliance check for all externally exposed cloud assets. It tells you if they are not in compliance. For example, with the project that went in, something might get exposed accidentally, such as an Azure storage account, to the Internet. It all feeds into Vision One, and we have a single pane of glass.

It is helpful for multiple teams. It is not only limited to SOC. We have teams from the cloud side and sometimes from the endpoint and the server side who can get in, and they can see the alerts. It makes it easier to work because we all are seeing the same thing with more information. So, we are using it for our endpoint servers and network. We are using it for monitoring our Azure cloud. We also have something called Trend Micro Cloud App licenses as part of our licensing. We have policies that do advanced threat protection monitoring and DLP monitoring on the SaaS channels, such as Exchange Online, Teams, OneDrive, and SharePoint sites. These are other channels from where the data can be shared, the data can enter our environment, or the data can go out of our environment. It has policies to monitor DLP. It has policies to monitor any malicious files or any indicators of an ATP attack. We get those alerts as well.

There are two dashboards. The Executive Dashboards give an overall view of the entire system and what is happening on our system at any point in time. We can see how many outstanding vulnerabilities we have, what we need to report to the management, and how we will be progressing for things like that. Then we have the Operational dashboard with real-time alerts or pending alerts. It shows us that we have some account that is a match from a .Net data lake. A problem, for example, is that most users keep the same password, so you could have the same account password for your work account and for your personal account. They can get compromised at home and work as well. So, we use Executive Dashboards for reporting and overall understanding of what is happening in the environment and what we need to report and prioritize. The Operational dashboard is for day-to-day work.

It is very important that we are able to drill down from the Executive Dashboards into XDR detections. We are in the health industry. We are a hospital. The board is not only worried about ransomware because that can happen to anyone. You can never be safe enough. They are also concerned about the damage to our reputation and the operational cost of recovering, so they are very keen to have visibility. The Executive Dashboards give us good enough information to filter that. For example, our desktop support team has a limited set of people. For cybersecurity, we want to prioritize patching for a zero-day threat, but sometimes, it cannot happen because the teams have other priorities. The issue is not that they do not want to help, but they do not have resources. With Executive Dashboards and reporting, we can escalate things to the board saying that we need some attention. We can ask them to fund us with more resources to get this across the line. It helps us dictate the impact and prioritize a critical cybersecurity vulnerability so that we can get the management's buy-in to prioritize it and address it before it goes out of hand.

We use the Risk Index feature to map against other organizations in the same geographic region to see how we are doing in terms of risks as compared to other organizations. Are we better or worse than others? If we have some areas where we are worse than others, they help us to understand the reason and how to improve.

If we want to go through every single event, then with our current licensing, XDR can hold up to six months of data, which could be millions or thousands of alerts. A smart thing that they have done is to provide the Workbench, which automatically prioritizes. It does the hard work for you by pulling that intel and saying that these are the highly critical ones that you need to address as soon as possible. I am not discounting the fact that sometimes, attackers do not even go for highly critical ones. They go for a medium one, but it helps us to get them out of the way. Our team is small, and I had a good experience training a few people, taking them through, and showing them how to do it. Once people start working, they understand the workflow. It just becomes a second habit. It is very intuitive. You can get into the console, add new indicators of compromise, add new threat-hunting queries, add new CTI feeds, and check for new vulnerabilities. There is so much you can get out of it. You just have to prioritize what you think is important for that day.

We do use Managed XDR as a second service. The way that comes in handy is that we do have people on call. I, for sure, keep checking my emails, but if we have a critical alert that no one has attended from our side, they triage it. They triage it very well and then rate it. For example, they might say, "It seems to be benign or negative, but an alert came in, and no one was available. If you want to add an extra layer of security or caution, here is the mitigation." They are very responsive. I was able to see the big attack that we had two years ago within the first four hours, and by the time it got to the XDR, it was all correlated. Within half an hour, their response team came to the same conclusion. They reached out to us when I was about to reach out to them, so we were on the same page. They are definitely a good backup or a second solution for us. Also, some of the alerts can come up from workflows. They may seem malicious but they are not. The Managed XDR service people come back to us just to reconfirm that. We tell them that it is a known file. They do not need to worry about it. Sometimes, we might miss something or have no idea about the next step. They then come up with a recommendation about what we need to do. It is a very good service to have.

We are using Attack Surface Discovery to monitor the devices we have and the internet-facing assets, accounts, and applications. API is something we are still looking into, but with a few clicks, we get an overview. We can see how many are patched and how many are exposed externally or internet-facing assets. We have a lot of subdomains linked to the primary hospital site for different projects and workflows. We can see how they are doing, which ports are open, and which known vulnerabilities are there because some of them are not managed by us. They are managed by externally hosted vendors, so we can keep them in check. The same is applicable to our accounts. If we have accounts that are on the dark net, or we have accounts with excessive privileges that can potentially be exploited, we can address that.

For applications, the feature that I like the most is called the Cloud App List. It basically looks at all the SaaS applications and benchmarks them. It profiles them based on the rest and gives us a report. It tells us that certain apps that people are using may not be officially sanctioned by us. For an unsanctioned app, they do a risk profiling through Vision One, which shows us which security compliance standard it has gone through from the vendor. They give us a quick understanding of how bad or good it is to continue using an application.

During the COVID time, I was setting up Vision One, and I got an informational alert. The husband of a nurse gave her a USB, and she plugged it in. She was in an off-site environment, but the Trend client was still running. The clients were connected to the SaaS console or the Internet, so all telemetry was still being fed. They must have thought that it was not the case, but detections were still coming. When she plugged it in, it downloaded a power shell exploitation framework, which they were able to map to an ATP group from China that commonly uses this technique for intellectual property exfiltration. I quite like how much visibility it provides. For a couple of applications here, sometimes an alert comes in, and it can even drill down to the last command that was executed. It can create an attack graph and show you the full execution profile. It helps you troubleshoot and filter out whether something is a false positive or an issue at hand. This whole interconnectivity of different systems into Vision One, and its ability to help individualize an attack, is the thing I like the most. It is very good because reading logs and seeing an attack visualized are two different perspectives for a threat hunter. It really helps you understand what is going on.

With every such technology in an enterprise environment, as well as with most of the production systems, the reduction in the amount of time we spend investigating false positive alerts depends on how fast you finetune the system. You need to tell it which are the exceptions and not to alert you on it, and which ones it should alert you on. It is a balancing act in cybersecurity. For example, logins are used by attackers but also by your admin staff. If you totally put them in exemption, you can have a malicious login executing in your environment. You would be completely blind there because nothing would get alerted. In terms of false positives, the system is capturing a lot of data, and it is not the system's fault because it is seeing a lot of data. Sometimes, we have not classified the data. We are getting better at it. We are labeling and tagging the systems. We are fine-tuning it, and it has reduced a fair bit, but we still have a lot of work to do. It happens, but it is something we do behind the scenes. In terms of the day-to-day threat hunting and visibility, it categorizes them in Workbench, and that is what we look at first thing in the morning. We get to know what is happening and what we need to focus on. Once we see that there is a pattern repeating for some false positives and Workbench alerts are high and not true positive, we then figure out how to whitelist those systems. We now know that this is a known execution process. We know it is a known traffic or a known vendor that runs this application, and when it opens, it connects to these ports, for example. It is a bit of a balancing act. It changes dynamically.

For our day-to-day use cases, the correlation and attribution of different alerts are valuable. It is sort of an SIEM, but it is intelligent enough to run the queries and intentionally detect and prioritize attacks for you. At the end of the day, it is different data that you see. It correlates data for you and makes it meaningful. You can see that someone got an email and clicked a link. That link downloaded, for example, malware into the memory of the machine. From there, you can see that they started moving laterally to your environment. I quite like it because it gives visibility, so Workbench is what we use every day.

They also have something called virtual patching. If you have end-of-life systems or systems that are out of support, you cannot upgrade the agent, but you can still do the update if you get the signature. This is the feature I like. For example, today, if a new zero-day threat is out with a link vulnerability where attackers send you a link, and that link, even if opened in the preview mode, can basically execute a malicious code, we just cannot patch within four or five hours. We are a midsized organization. We are fairly big, and sometimes, it takes two days or even a week. With virtual patches being there and XDR with all that information connected, we can see that the virtual patch is working. It is there. We have all the mitigation in place, but then it is also detecting the environment for that threat. We can further write the hunting queries and enhance detections. So, Workbench detections and virtual patching are very helpful.

It also gives us an executive dashboard where we are monitoring our external sites. We can see what ports are open and what known vulnerabilities are being scanned on them. We get visibility and better mean time to respond and act.

The user interface is pretty easy to use. Sometimes, you learn it while you play around with it and you set it up. One thing I do like, which is very good, is that you can pivot from within the console to different sections if you know how to go about it, but if you have not used it, it could take a bit of learning. A good thing that Trend Micro has been doing for the last two years is organizing some sort of CDFs, which are scenarios based on real threat actors. They get you to come to those events. It is gamified so they can attract people. If you want to learn, they would show the event ID that came in and where to go and see that event ID. They show you how to hunt based on that event and how to extract the indicators of compromise from that ID. There is a feature called Suspicious Object. They show you how to block one. If you have a suspicious object linked to a threat intel feed that goes to Palo Alto, you can not only block it in XDR or Vision One, but straightaway, it also gets pushed to your firewall, so your firewall is also blocking it now. There are some cool functionalities, but you need to spend time to understand how you would pivot between different subsections. If someone is new and starting, it is still pretty straightforward. The UI interface is very self-explanatory. There are a lot of details. There is a lot of telemetry added to it for you to see and understand. It is not that complicated. If you have a bit of a cybersecurity background, you should be able to pick it up pretty straight.

They are constantly updating it, which is a good as well as not-so-good thing. There is an update every few weeks. They are very good updates. I quite like it that they have such an agile development. They listen to their customer's feedback, and they are constantly investing in the product. They do not give you an off-the-shelf product. The world is changing, and the attacks are changing. It is kept up to date. 

Reporting could be a little bit better. They are working on it, and it is getting better. They have different development teams working on this product. Like any bigger organization, they have so many people working and fixing the product, and they have their own development routines and cycles and understanding of the code. It has gotten a lot better, but it has a long way to go. Recently, there were a couple of more reports. What I like is that they listen to the feedback. If we tell them that we need this reporting, they go back and do something about it. It does not get lost in emails or meetings.

We have been using Trend Vision One for almost three years.

I have not seen any downtime as such. I have not seen the console going down, not even once in three years.

It is set in firm defense. It is a very interconnected system now. I spend most of my time fine-tuning and working in Vision One. It has been 100% stable for me most of the time. I have had no issues. It is very stable. I would rate it a ten out of ten for stability.

We are based in Southwestern. It is a fairly big site. After COVID, we have remote workplaces. It is a part of our standard operating environment. Any new server or any new desktop or laptop has to have the client installed, but we are also multi-site. We have sites in Central Queensland and North Queensland. Those sites came along as well. It is a through-and-through solution. It is being used on all three sites.

Vision One is currently being used by multiple teams. There are 15 to 20 people at the moment. We have the Network and Security team, and then we have the core cyber team. We have people who look after the Apex One and desktops, and we also have people who look after servers and the cloud. They all know what to look for, and they know where the alert is coming from and what they need to do. I have given training internally a few times for people.

The customer support experience has been fantastic. They are fairly technical. What I like is that they are very responsive. You log a job, and within two hours, someone is on the call with you or contacts you through email. We have a relationship manager or a technical account manager from them who does biweekly calls with us. He addresses any issues and provides escalation channels as well. Their engagement as a vendor and as support has been amazing.

Positive

We were using Symantec. When we did the research three and a half years ago, the world was moving to EDRs. An EDR solution compensates for different technologies. It is not static signature-based detection because that can be bypassed easily.

The main considerations were the costs and virtual patching. We were looking for a solution that could help us with virtual patching. When you have a zero-day at hand, regardless of how big is your team, patching sometimes is just not possible. When you are a hospital, you cannot take the systems down. You have to go through a couple of processes, but during that time, you are in a vulnerable state. We were looking for a system that could provide virtual patching, has detection and virtual patching signatures, and gives you the breathing space where you can go and patch a system. It satisfies that need. 

The EDR/full-stack functionality was also a welcome change. We do not have just an antivirus or EDR. It can do a lot more. It can do file integrity checks. It can do a baseline of your known system file caches. It can do all these things.

Our model is hybrid. Vision One console is on SaaS. It is on the cloud, but we have relays that get the updates, so agents have to be local. The EDR clients on servers and endpoints, such as laptops and desktops, have to be on-prem. The cloud posture management and PC bot are also SaaS-based. It is just through an API. Other than the EDR clients, most of the other integrations are pretty much SaaS-based.

The initial deployment was a bit tricky because even though Symantec was a very outdated product, there was still something on the machine. We had to work extra to get rid of that and put this on. Overall, the deployment was pretty good. The biggest challenge in the deployment of an EDR is understanding what your network traffic, day-to-day workflow, or applications look like. Most EDRs have something called real-time scans, so if something is trying to access the memory where the credentials are stored or write to a system-protected file, and if an EDR does not know about them, it will straightaway block it. They helped us to create those amazing baselines where we could whitelist the known applications and the known traffic. It was good. It took a while to get it right. As the environment changes, you keep fine-tuning it. I did not hear of any major issues or any dramas with it, but I did not do the deployment. 

It does not require any maintenance as such. The only major change that I have recently seen is that they have gone from version 1 to version 2, and version 3 is coming. That is all happening behind the scenes. We had some agents in a different geographic region. We had to migrate them across, which is on-prem, but the backend team did the rest. 

We had a dedicated project team that worked with Trend Micro project managers for implementation.

I do not have much visibility to it. It is definitely not a cheap product, but to my knowledge, it is out there with the big wigs in the industry, such as CrowdStrike, SentinelOne, and other EDR/XDR vendors. I had heard, and found out eventually, that their sales teams are very flexible, as more sales teams are.

The problem with any XDR is that you need to buy into their whole ecosystem so that it can provide more visibility and more data points. It can understand your system environment a bit more.

We started with the endpoint and server detection, and then XDR was given to us for free at that time to try it out. Once we got into it, we added NDR, which is the network detection response, the cloud side, and all the other things to it. They were pretty good in terms of pricing and understanding of our needs.

Their team is also very good, which is something I have not seen with other vendors. They are proactive. They reach out to you with new things happening in the cybersecurity world, such as any new attacks or detections, any new events, or new training. They reach out to you every few weeks and sit with you to understand what they can do better. This constant engagement and service is good. I do not base it only on the cost. Nothing is cheap, but it is about what you get from a vendor on the service. It is not like sell and forget, where they sold you the product, and they have nothing to do with you. It is a constant engagement because XDR is ever-evolving. They take you on that journey. They show you what new capabilities are coming. They ask about the use cases and how they can help us. They ask about what we are seeing or what challenges or gaps we still have in the environment so that they can help that. This has been my personal experience. It has been absolutely fantastic.

We had another vendor. We tested both EDR clients, and at that time, XDR was just a big buzzword in the market. We did not know what XDR was and whether we would get it. It was given to us as a complimentary to try for a few months. I did EDR testing of this solution and another very well-known vendor in the market. We did an attack simulation. We performed a couple of attacks with malicious code and ransomware. It was really good at picking up most of the attacks, whereas the other one was 50/50. We then created a report based on the facts we had in front of us.

Back then, we were told that Palo Alto was coming up with something called Cortex XDR. They bought another company, which had an EDR client that they slapped into their solution. Their methodology was a bit different. Firewalls were still the first line of defense. For example, the malware sitting on a machine is trying to connect to a command and control server or a malicious domain outside the environment on some ports. Once Cortex XDR sees it, and it hits the threshold, you will start seeing the alerts. I did not want to wait for it to get 25 machines infected before Cortex XDR started doing something. That was too late. I have heard that they have come a long way. They might have gotten similar feedback from others and made some changes internally. They are a brilliant company, but it did not meet our requirements at that time. The detections during the EDR testing were not that great. Most importantly, it did not meet one of the key requirements we were looking for back then. We wanted virtual patching and virtual patching signatures for end-of-support operating systems. That is what was the deciding factor for us.

To those who are evaluating this solution, I would advise doing a PoC and understanding their workflow and traffic. They should have the right expectations going into the product. It is a system with which you need to invest in other components as well, but once you get it up and running and it's working and tuned, you will start seeing the value of it.

They are now acting as a support partner for us. We can rely on them and work with them because we invested a fair amount of money with them. The product has proven to be very valuable for our defense arsenal. I personally follow them. It is not just me. It is all over the Internet that Trend Micro's zero-day initiative still picks up around 60% of vulnerabilities. It is more than any vendor out there. They have got a very good team.

I would rate Trend Vision One a nine out of ten. Reporting could use a bit of work, but it is improving. Just the other day, I heard that they are starting to provide automated threat hunt queries and an AI bot on Vision One. These features are still in preview, but it is changing rapidly. They also have something called forensic, so you can create forensic cases and log calls directly from the Vision One portal. There are some very good changes that they have made. It is evolving and dynamic.

I use the solution primarily for EDR. The top challenges in our industry are the accuracy of the detections and the visibility of alerts and events.

We are accessing it via the cloud, and we are monitoring the endpoints and cloud servers. 

Vision One provides centralized visibility and management across protection layers, which is critical for tracking threats, viewing vulnerable assets, and understanding the overall security posture of the organization.

Vision One helps me a lot when it comes to reporting. The reports are very detailed and informative. There are recommendations and analyses of how to mitigate threats. We have comprehensive visibility.

The executive dashboards are very helpful for us in assessing our security posture. We can see what needs to be prioritized and mitigated first.

The risk index feature helps us make security improvements and implement security policies. It helps to have robust security.

Vision One helps to harden security controls and policy implementations.

Vision One improves our organization's security posture by allowing us to apply more robust security controls, implement security policies, and improve the security culture. The centralized visibility enables more efficient security operations.

Vision One makes it convenient to assess and mitigate or block threats across the organization. The XDR is collecting data from more than one client or company and correlating it. The XDR detects the loopholes or vulnerabilities of the system. It uses MITRE ATT&CK techniques to identify and respond to cyber threats or vulnerabilities.

Vision One improves our security posture because we can patch any vulnerable machines that are prone to risks and attacks.

Vision One has decreased our time to detect and respond to threats by 50%.

We use automation capabilities, especially when there is a breach or a risk activity with the user or the endpoint. It helps us by isolating devices automatically. This automation saves us about 20% of the time.

I love everything about the solution, especially the XDR features, the attack surface management, and the workbench alerts. It oversees vulnerabilities among the system and devices, prioritizing areas that need patching.

When I started working with it, I knew nothing about this solution. I found it very user-friendly and easy to understand.

There are limitations in terms of threat response actions. 

I have been using Vision One since December 2022. It has been about two years.

There are some errors with the solution. I would rate the stability a seven out of ten.

It is scalable. I would rate the scalability of the solution as eight out of ten.

We have clients of various sizes. Our clients are small, medium, and large organizations.

The customer service or technology is responsive, but they take a minimum of one day, and up to three days, which is too long.

Positive

I previously used Azure Sentinel. Vision One is an advanced solution compared to Azure Sentinel. I prefer Vision One because of the convenience and easy correlation.

The initial setup is complex due to the various cloud resources that we have. We have workstations, servers, etc. Its implementation can be simplified.

It did not take us very long. We migrated from Apex One to Vision One. It did not take long.

It provides returns on investment by saving about 50% of time, money, and resources.

I find it to be a cost-efficient platform.

I would recommend this solution. It helps a lot when it comes to security. It covers endpoint security, email security, web security, and data leak prevention. It has everything.

I would rate Vision One a nine out of ten.

Trend Vision One has advanced sensors that collect telemetry from various sources like endpoints, email, and network. Workbench then correlates data to provide visibility across the entire environment. If there is any virus in the environment, it correlates the information, shows where it started, who the user is, and how it traveled through the environment, thus providing complete visibility and infrastructure correlation.

Trend Vision One consolidates security and saves time.

Trend Vision One is a cybersecurity platform in which Trend Micro has integrated every kind of solution. You have an MDR solution. You have an email security solution. You have endpoint protection. You have server protection. You have EDR. You get everything in one console, whereas vendors like Kaspersky and CrowdStrike do not have only one console. With Trend Vision One, you get all the solutions in one web console or platform. 

It helps with faster response. You have telemetry from different sources, which makes it easy to do analysis and respond. Its automation capabilities help to isolate endpoints and respond. You can respond in multiple ways. You can revoke permissions or terminate any process. You can isolate an endpoint. You can run a script. You can automate in different ways and integrate scripts, playbooks, etc. It saves time.

Centralized visibility is valuable. We can view what kind of virus or threat exists, where it has traveled, and how it started. A security analyst can use just this one console to view all the information.

Another valuable feature is its automation capabilities, which help in responding to any kind of alert swiftly.

Currently, there is nothing specific that needs improvement. Their support is very cooperative, and they provide an educational portal for learning the solution. However, deployment could improve by considering customer environments that are not fully updated.

I have been working with Trend Vision One for the last six months.

When I contacted Trend Micro support, they were very cooperative and quick in resolving and remediating any issues. I would rate their support a nine out of ten.

Positive

I have worked with Kaspersky, which offered only a single solution and not a fully integrated console. Kaspersky had multiple options but did not provide the same level of centralized visibility as Trend Micro. Kaspersky has graphs for visibility whereas Trend Vision One has both graphs and Workbench. Workbench provides a wider overview, whereas, with Kaspersky, you can only see a sketch of where a virus started or where it ended. Trend Vision One tells you how and through which user a virus came into your environment and how it traveled through your infrastructure.

There is a big difference in the price. Trend Micro solutions are more expensive than others.

It can be a bit complex. Trend Micro has a requirement that endpoints should be fully updated. In customer environments that are not connected to the Internet, that can be an issue. Trend Vision One is a cloud platform. If the endpoints are not updated, you can have multiple errors when you deploy the agents. We find such issues in customer environments.

The initial deployment time depends on the infrastructure. It took us about a month to cover 1,000 endpoints and 200 servers.

Trend Micro solutions are very expensive compared to other solutions. Even though everything is in one console, each feature requires a separate license.

If you do not have any compliance regulations preventing you from using a single vendor, I recommend adopting Trend Micro's cybersecurity platform for full security coverage and reduced management time.

The Risk Index feature helps with the attack surface and risk management. It detects vulnerabilities in your environment and calculates the risk in your environment, but I have not yet used this feature.

When you deploy such a solution in your environment, there is always a huge amount of false positives. The false positive rate depends on how your security engineer has done the configuration. After some time, the false positive rate reduces. The reduction in the false positive rate depends on your infrastructure. If you have a huge infrastructure, it would take some time. It also depends on your security resources who work on this solution. If you have only one person, it can take about six months, but if you have a team of five security people, it would take about a month.

I would rate Trend Vision One a nine out of ten.

It's a perfect tool for monitoring infrastructure, including endpoints, servers, and potential attacks via networks. That's especially true for internet-visible hosts, which we can monitor directly from the tool.

We had problems with users not using legitimate tools, such as pendrives. We needed to protect hosts from external threats and third-party actors. That included monitoring behavior, scanning our infrastructure, and exploitation of vulnerabilities.

The solution has enabled us to completely reorganize our work. I was the first person using this tool in our company, and I completely changed user behavior to become more restricted. In Poland, but also in the United States, we are very strict about abnormal usage of our tools or attempts to download tools that shouldn't be on desktops, laptops, or servers. From my point of view, we are now a completely different organization than when I joined it. Trend Micro is one of the most important security tools we have implemented.

We don't need to use an external vulnerability scanner because Trend Micro XDR has a module for that, and we can save that money.

Trend Micro's Managed XDR is quite nice because I can manage more than 2,000 endpoints. I use the playbooks with particular scenarios for incident management. It's a very nice tool. It competes with anyone on the market. Sometimes, when we detect some kind of threat and we have no idea how we should investigate, troubleshoot, or mitigate the risk, we use the managed service team with Trend Micro engineers. I'm very happy with this team. They are very good professionals.

We respond much faster thanks to the intelligence used by Trend Micro. They have very good knowledge because they have many threat sources. That is why we are reacting much faster than we would if we had to dig deeper without that knowledge and this tool. It would be absolutely impossible to manage this infrastructure by a single admin or even two security admins. We are able to detect and respond about 80 percent faster. It's not only the monitoring and alerting for classic signature threats; there is also a tool for monitoring user behavior. It would be utterly impossible to find abnormal user behavior without this type of tool.

And we have mitigated most of the false positives—more than 90 percent. About one out of 10 alerts may be a false positive. In the beginning, we had to learn about Trend Micro, what was a legitimate action and what was a suspicious or malicious action. We had to learn what the right approach was.

This product is simple to use. Sometimes, especially when new features come out, I need to spend a little bit of time discovering how they work. But overall, it's simple. The interface is quite nice.

The integration is also nice because there are many external tools that we can connect to the platform, such as configuration management tools. Because the platform is integrated, I can manage almost the whole company across our global organization. I can almost manage the infrastructure alone. We have minimized the need to expand our team.

It also handles vulnerability management.

We use Trend Micro to cover endpoint protection and server protection. That's one of the key points for our company. And Trend Micro Vision One absolutely gives us centralized visibility and management. Especially when we integrate it with Active Directory, we get full visibility of our endpoint and server infrastructure. That is very important; a 10 on a scale of one to 10.

We also use the solution's Executive Dashboards. We present the findings in steering committees periodically. Sometimes, there is a repetitive alert or event. Directly from this dashboard, I can see the groups of this type of event. For me, it's quite a nice tool for presenting the results to the C level and the whole company for those who are not technically experienced.

And especially because of the new European regulation called NIST 2, we are using the solution's Risk Index feature. We calculate our risk score and we can see how it is changing in the timeline. Is it growing? Is there a new vulnerability detected? We can also compare our risk score with organizations of the same size or in the same industry and see if we are better or worse.

The area for improvement is mobile security. We have just finished a proof of concept for Zero Trust Secure Access. We withdrew from this PoC because it does not have that many points for proxy across Europe. Our organization is across Europe, and it will be nice when it is possible to have Trend Micro proxies across many more countries. At this time, they are only located in Germany and the UK. For us, it's not enough. We are waiting for them to increase the points of contact, and after that, we will return to this project. 

From my experience, it was quite a nice tool, and I could manage almost all of the actions that I could not manage in a traditional way. Traditionally, I could allow or block usage of an application. But using the Zero Trust Secure Access tool, I could manage the schema of the usage. I will wait for this tool to change in the next few months.

I have been using Trend Micro XDR for almost 20 months.

It's a stable product. We haven't detected any issues other than the false positives, but that's normal.

We use it in multiple locations because our company is spread across Europe and Asia, as well as the United States and Canada. We have more than 2,000 users, and the solution covers 400 or 500 assets.

If our company were to increase over two to three months to 10,000 users, it would not be a problem. We have the ability to extend as we scale our users. It's very simple and absolutely flexible.

Their technical support is nice. On a scale of one to 10, it's a 10. They respond fast using email, phone, and the customer service portal.

Positive

I used competitors' tools, Secureworks, as well as Carbon Black. These are nice tools, but they are very heavy to implement and heavy on daily operations. Trend Micro is much better, much more flexible, and I have much more visibility. It is a cost- and time-saving tool.

Our deployment is a hybrid. We have advanced our implementation a lot. The first implementation was only one of the features called OfficeScan. That was a few years ago, and the implementation was in the United States. After that, we moved forward with the implementation across servers and endpoints, including Mac and Microsoft endpoints.

The whole project took about three months, with the custom discovery and the fine tuning. We had two people involved, one in Europe and one in the US.

Sometimes, maintenance is required if there is a new feature. It needs to be restarted. But this function is done by Trend Micro engineers because we are using the XDR in the cloud. We don't touch it. There is maintenance on our side for Deep Discovery because that part is an on-prem solution. But it's simple to manage.

They are implementing new tools, like Trend Micro Apex One and DDI. They are ready for implementation on the console, and we are waiting to transition to these tools.

For the new features, I prefer doing a proof of concept, like we did for the Zero Trust Secue Access platform. That was a good move because we saved time when it came to resolving issues on the user side. We had a few users in every department, and we tried to discover what would happen if we implemented this tool. That is my approach to being safe with such products. We can do things without any technical training and can disconnect users around the world using one switch. For new features, I'm a big fan of using a proof of concept.