TrendAI Vision One – Endpoint Security Reviews

I used EDR from Palo Alto, and I utilized Cortex XDR and the firewall from Palo Alto. I worked in the bank nearly a year ago, specifically until March, when I was still working there.

I remembered Trend Micro. We used the integration with other Trend Micro products such as email security, but we only evaluated it for nearly three months, and that evaluation was limited to just email security.

We use Trend Vision One Endpoint Security in AWS, as we migrated half of our infrastructure from on-premise to AWS, utilizing it on both Linux and Windows servers in AWS. In my opinion, Trend Vision One Endpoint Security's scalability is very good; it is very scalable.

I don't know why I find it valuable; my colleague administrated it, but I was the chief of a team of six people, and one of them administered this product, which worked well for defending our servers.

I don't know what the best features of Trend Vision One Endpoint Security are; it performs well compared to other products, and I am curious about it, but I cannot think of specific features. Perhaps my colleagues could provide that information, but I do not have that knowledge.

The centralized console helps my team greatly; it is very convenient as everything is all in one console, not only EDR but many other products, such as email security and XDR features.

Trend Vision One Endpoint Security positively impacts our organization as it is very simple to install on Windows and Linux servers; it is not very difficult to install.

It can be improved by adding additional features; I don't have specific suggestions because my engineer could answer that better. It is convenient and has a great console. However, we have servers on FreeBSD, and as I remember, there is no client for FreeBSD operating systems, which is not ideal for us. If they could provide a client for FreeBSD, it would be better.

I have been using Trend Vision One Endpoint Security for nearly a year, maybe more, and before this product, we used Cortex XR, and then we used Trend Micro.

I believe this product is stable.

I find scalability convenient and do not need to elaborate much on it.

We evaluate customer service and technical support as good; we used customer service from our vendor, who helped us with open tickets, and we reached out to our local vendor in the country for questions, and they resolved these issues with Trend Micro.

I would rate the customer service and technical support nearly an eight.

Positive

Before choosing this product, we evaluated other options such as Cortex XDR for nearly two years and also Bitdefender. We considered CrowdStrike and wanted to evaluate SentinelOne, but we did not do that while I was at the bank.

The initial setup of Trend Vision One Endpoint Security is very simple; we generate it for special operating systems, download it, and install it on the servers, which is convenient and very easy.

We used an integrator or vendor to help us, but I cannot remember what it was called; the vendor helped us with this.

I don't know if we have seen a return on investment with this product; we are a bank and we should have the product, but I don't know how to measure this return on investment as we did not count it.

Regarding the price, there was a tender, and Trend Micro won; the price was good.

We bought this product from our Ukrainian integrator, not through Amazon Marketplace.

Incident response is not my profile; it is managed by another team in the bank, specifically the SOC and incident response team, as my team did not engage in incident response.

Real-time threat detection is very important for our organization; it is a bank, and it is especially important in processing servers as it is a critical part of the bank.

I haven't used a threat intelligence feature, but I think our team will use it in the future; when I was at the bank, we did not use it.

I don't know anything specific that I dislike about this product; it works well, and there are no problems with it.

We are customers; our relationship with this vendor is solely as a customer. My overall rating for this review is an eight.

For primary use cases, we required DLP solutions with application control and web control, which is not provided by Trend Vision One Endpoint Security. We moved ahead to SecureRite, which we got in POC that it is controlling web traffic as well as DLP. However, we have some issues with both of these features.

For effective threat detection, EDR and XDR, as well as antivirus and anti-malware, are all features effective in our infrastructure.

The response automation capabilities are very quick. They are very aggressive for our program, so whenever we have any issue, we just lodge a call, and within 15 minutes, we get the engineer on a call or Webex call to resolve the issue for the solution.

We don't have any issues related to viruses and all that with Trend Vision One Endpoint Security. It supports Mac and is fully functional with that. We don't have many issues, and we didn't take any calls with them. Reports are very clear.

With Trend Vision One Endpoint Security, we want a DLP solution and Mac support because there are some different issues with DLP in Mac, which would be beneficial for us.

We have been using it for more than five years.

The operational cost is much higher with SecureRite, but the product is stable.

Trend Vision One Endpoint Security is scalable and stable because we have been using it for more than five years, and we don't have many issues with that. They are also doing timely preventive activities, with a PM call every month where they take our report, suggestions, and provide their suggestions regarding system upgrades or any patch upgrades related to vulnerabilities.

We are satisfied with the performance and technical support.

Their technical support deserves a rating of nine out of ten.

Positive

We have been working with SecureRite for some time, but we are not very happy with it. During the POC time, the team suggested that the DLP was working fully in SecureRite, but there is a significant lack of information in DLP. We raised a case, and they are working on it, which will take time.

We are currently working with both solutions: SecureRite and Trend Vision One Endpoint Security. We are using Trend Vision One Endpoint Security for antivirus, anti-malware, and EDR and XDR solutions.

We are suggesting Trend Vision One Endpoint Security to others. Currently, we will continue using SecureRite while we wait for solutions. If they do not provide the solution, we may discontinue SecureRite from our infrastructure. As we are new to SecureRite, we raised our queries and are waiting for support for features that are not working on Mac. If they work in the same line, we would be satisfied with SecureRite as well.

On a scale of 1-10, I rate Trend Vision One Endpoint Security an 8.

Trend Vision One Endpoint Security helps us protect from ransomware and malware and many vulnerability-based attacks on the endpoints.

Since we are a long-standing customer of endpoint security, Trend Vision One has helped in protecting against ransomware and many such attacks on the endpoints and it has proved to be a reliable solution for us.

The best features of Trend Vision One Endpoint Security are the ransomware protection and the vulnerability protection module which has helped us to secure our endpoints against various threats.

Since we are using endpoint security along with the EDR, the vulnerability protection module helps to identify which threat group is active and is using which specific vulnerability and also it helps to detect if those vulnerabilities exist within our environment and shows which machine is affected. Along with that, it also helps me see if Trend Micro offers an intrusion prevention system rule against that particular vulnerability.

Trend Vision One has very good threat intelligence, which has helped in protecting against malware attacks for quite some time now.

We have seen Trend Vision One Endpoint Security's EDR capability help our security operations move at a faster pace compared to earlier. With all the incidents that we have seen in the recent past, the mean time to detect and respond is significantly better than before.

Trend Vision One Endpoint Security can be improved in application control. We have seen that there are multiple ways in which an application could be blocked but at the same time, it does not show what application is installed on which machine and that is a gap for us. We would appreciate seeing improvements in that area.

I have been working in my current field for six years.

We have a really good sales team to manage that and they have been really helpful in giving the proposal as well as the setup and fine-tuning cost every year over year, so that is taken care.

We were earlier using McAfee, but we switched it because of the technical support issues that we were encountering with that solution.

We have certainly seen the return on investment with Trend Vision One Endpoint Security given that endpoints are largely focused in terms of cyber attacks, but in terms of fewer employees needed, I cannot comment on that.

Trend Vision One Endpoint Security is a reliable solution and what we have seen is that the solution improved year over year, and we felt that Trend Micro has a very good roadmap in terms of bringing out new features. Hence we have opted for Cyber Exposure Management as well. I would rate this review a three.

My company had an opportunity to implement Trend Micro Endpoint for one of our customers. They have around 500 PCs as endpoints and also around 100 or 120 servers.

The behavior analytics feature is very useful, and its threat detection based on AI is very strong. It is easy to integrate with other vendors and technologies like SIEM and SOAR. The traffic is monitored and can be managed successfully.

The pricing is very high. Despite the magnificent capabilities, the cost is still a concern. Additionally, we need more training resources for my team and I, such as developing labs and sessions to implement it more easily.

I have been working with it for almost two years.

I have not had any performance or stability issues with it.

The solution is very scalable.

I mentioned that I also worked with Kaspersky Endpoint.

We first installed the endpoints, then installed the manager. We had many technologies from Trend Micro like Email Security and the Sandbox, so they all integrated together in the same network.

Four people were involved in the deployment aspect.

It elevated the security and trained their SOC team, which led to positive feedback from our customer.

The pricing is very high, despite the solution’s capabilities.

I recommend training well before implementing to do it faster and more efficiently. On a scale of one to ten, I would rate Vision One as eight or eight and a half.

We use Trend Micro to troubleshoot and monitor. We implemented it to gain more visibility into the networks we manage. Automatic network mapping helps visualize the network.

Trend Micro reduces our response time by around 40 percent. We can patch vulnerabilities and create specific rules to fix issues before an official solution is available. We've also reduced viruses and malware by about 30 percent. 

The Trend Micro security products are well-integrated with each other, creating a lot of value for the company. We need a comprehensive solution for preventing all cyberattacks and problems users cause when they don't understand the dangers of clicking on phishing websites, emails, attachments, etc. The company needs to reduce its exposure to threats. If we lose the data, we lose the company. 

Apex One provides a single console for receiving information about each machine, virus, malware, etc. The console receives telemetry from each machine that we can consolidate and view on one dashboard. We can see all the problems and vulnerabilities to make the best choices to prevent, restore, or recover. It gives us unified visibility into our entire IT environment. It's easy to administer Apex One. There are some advanced settings, but they aren't difficult to understand, and the documentation is detailed. 

OfficeScan wasn't 100 percent perfect when it was rolled out, but integration with Apex One improved its efficiency for dealing with trending attacks or ransomware. Initially, it wasn't very good, but now we can better control the environment. 

Trend Micro has advanced protection capabilities that cover unknown and advanced novel threats. It's critical because restoration could be complicated if we lose machines or information on the machine. If we lose some business information, we might run afoul of the law. Apex One can prevent all these incidents. It's an excellent solution.

Machine-learning ransomware detection is essential, as ransomware attacks can be difficult to contain. Without this agent, we wouldn't know that we lost all this information, and we might be forced to close the company and lose money.

Initially, it isn't easy to understand the console because most of the applications integrate through Visual One. When we create a new dashboard, it takes some time to adapt, but the IT staff does not have any problems.

We have used Trend Micro for seven years.

Trend Micro's support has been very helpful.

Deployment is simple. The engine was difficult to install the first time, but the latest versions are different. The package is small and doesn't affect the performance. It deploys quickly and we start receiving the telemetry on the console fast. 

Trend Micro reduces equipment costs. We don't need to buy services for an on-prem data center.

In Brazil, Trend Micro is cheaper than its big competitors like CrowdStrike and Symantec.

We evaluated several products and landed on the Trend Micro stack because it can be integrated with different solutions. They also have products covering various IT areas, such as networks, email, etc., that we can control from one place and manage from our mobile phones. The appeal of Trend Micro is that we can consolidate all our security and IT tasks into one console.

I rate Trend Micro eight out of 10. 

We use the solution for security for endpoints. 

I do a lot of POCs to measure response. 

Trend Micro uses agents to communicate with servers. We're using the service gateway. 

We use the cloud and take advantage of virtual patching. Most customers now use the platform. However, I also have a lot of experience with on-premises setups. 

I work on various models and work on multiple Trend Micro products.

If a machine is not patched properly or the required certificates are not installed, Trend Micro has the ability to remove the existing end device. 

We can access all products and policies now from One Endpoint Security. We can deploy policies and do everything directly from One Endpoint Security. 

The monitoring is very good.

It offers good server protection. 

There's event monitoring and monitoring for duplicate system files and suspicious behavior.

It has a lot of features that are not available with other OEM products. Trend Micro offers good virtual patching. Many OEMs rely on Trend Micro based on its bug bounty. Many submit bugs to Trend Micro, and Trend Micro pays people to find bugs. 

The IPS model will protect users until they patch to the latest updates.

There's a malware module that was recently released. It offers damage cleanup services and protection against viruses. It offers real-time protection. 

There's machine learning that protects against unknown tests. If the behavior looks suspicious, Trend Micro will kick in to secure the customer. 

It adapts to protect against stealth threats. Most customers are using One Endpoint Security with XDR. We can analyze potential threats. If there are any glitches running continuously, if any lateral movement is detected, we can move in to secure the endpoint. It helps us move in immediately. We'll be able to recognize things that aren't part of our processes.

It has the capability to integrate with our Active Directory.

It has ransomware detection capabilities. Users may not know which emails are suspicious. However, we can control access via the gateway. It helps protect against unknown suspicious activity.

One Endpoint Security provides a single console across layers for detection, threat hunting, and investigation. It's very important for customers to have this single console so that everything can be located in one place. This single console provides end-to-end visibility into the entire IT security environment for our customers. The configuration and monitoring are important. Every machine must remain compliant in order to ensure no threats can break through. We work hard to make sure every machine is up to date.

The learning curve of Apex One is very low. It's easy to use. 

It's easy enough to administer One Endpoint Security. 

We've seen a reduction in threats and viruses since moving to One Endpoint Security. We've seen a drop of 60% to 70%.

We do use One Endpoint Security as a service. We recommend that our customers use the SaaS offering. It has fewer limitations. It helps reduce the workload for customers by 60%. Overall, the administrative overhead has been reduced by 65%.

The performance could always be improved.

The solution has separate XDR agents. They should be working as one agent with One Endpoint Security.

I've been using the solution since 2019.

I'd rate the stability eight out of ten. Sometimes, there may be performance issues. 

We have customers with as many as 10,000 or 15,000 nodes.

The solution can scale. I'd rate scalability eight or nine out of ten. I haven't had any issues with scaling. 

We've been satisfied with the OEM support. 

Positive

I've also worked with McAfee, Symantec, Kaspersky, and AVG. I work with a lot of cybersecurity products. Prior to this product, I specifically used Symantec.

I also worked with Crowdstrike; however, it works using a different algorithm. One Endpoint Security is based more on data and works more on a behavioral basis, and Crowdstrike does not work like that.

I tend to do POC setups and sometimes manage troubleshooting for customers. On-premises, we can install an agent from the console if there is an Active Directory. 

The deployment itself takes two to three minutes. 

If there's centralized management, it's fast. We might do a more manual process if it's a smaller organization. If there are more than 5,000 to 10,000 nodes, we need a team to help deploy it. 

Typically, one person is enough to handle maintenance. 

I don't directly deal with pricing. 

I did not evaluate other options. 

We use both on-premises and cloud SaaS deployments. We're a Trend Micro partner. 

I'd rate the solution nine out of ten. 

We use Trend Micro One Endpoint Security for endpoint security. We are using the SaaS version of One Endpoint Security. 

I am confident in One Endpoint Security's capability to defend endpoints against threats like malware, ransomware, and malicious scripts. 

One Endpoint Security has predictive machine learning and behavior monitoring, which are essential for endpoint security. Our file scan also scans the memory for malware. Behavior monitoring is particularly effective at detecting ransomware attacks because it can check for unusual encryption methods.

I like the way Trend products integrate with each other. The servers are all tied into Central, which is now integrated into my Vision One console. The on-premises stuff is also integrated with Azure.

We use a single dashboard through The Central to view detections, threat hunting, and investigations. The visibility through the single console is important. When we open the dashboard, it tells us what it has found. For example, I am currently looking at the SaaS version. If I go to One Endpoint Security, I can see all of the agents that are currently connected. It takes a few moments for all of the agents to load. We are currently in a downtime during the summer months. We are a school board, so there are fewer staff members on-site, and not all of the schools are open. We have 12,000 employees and 80,000 students. However, not all of the students are online right now as they would be during the school year. Next Friday, we will have more staff members in the office. When school starts after the Labor Day long weekend in Canada in September, everyone will be back online. Currently, the dashboard only shows 9,140 agents. Last week, it showed 6,400 agents. I have the system set up to remove inactive agents so that the system does not have to constantly scan a bunch of systems that are not even there. I have seen up to 17,000 endpoints on our system.

Vision One is now monitoring my Cloud One workload security and My Cloud Central. This means that Vision One is collecting data from both systems and giving me a comprehensive overview of my security posture. When I open Vision One, I will be able to see visibility into my entire organization. I have configured Vision One to send data to our Syslog server and receive data from our Qualys server. The Qualys server scans my servers for vulnerabilities and reports back to Vision One. I have also set up a service gateway and a workload security data center gateway. The workload security data center gateway feeds data from my VMware ESX servers into Vision One. This allows Vision One to see the real-time status of our VMs, including which ones are powered on, which ones are running the Deep Security Agent, and which ones are still running on my on-prem Deep Security server. Vision One provides me with a risk overview, an exposure overview, and an attack overview. This information includes details about credential access, lateral movement, collection impact, and suspicious mail forwarding rules.

We have our Azure system for Office 365 and on-premises Azure Active Directory also connected to Vision One. This means that Vision One can see all logins to our Azure system and our on-premises AD. I have agents running on our on-premises directory controllers, so this data is also being fed into Vision One. Vision One can also see our Azure domain controllers and our DMZ. I receive alert emails when something serious happens. I haven't received any of these emails since we started using Vision One. However, I receive emails about endpoints that have had files quarantined. The file on the endpoint was too large to move to the main server quarantine, so Vision One just gave me a small error message. Currently, the endpoint protection dashboard shows that out of 19,678 endpoints, agents have been deployed on 13,675. This includes Macs. The dashboard shows one Linux endpoint, which is my service gateway. There are 882 Mac OS endpoints, which is lower than the usual number of 1,100 because not all of them are turned on. There are 12,792 Windows endpoints. The dashboard also shows that 6,003 endpoints have no security protection. These endpoints likely include network equipment, certain Linux servers that are not running Trend Micro software, and proprietary operating systems that are used by our network team and other IT groups. There are also endpoints that are listed in our Active Directory, but they are either turned off or do not have any active systems.

Updates are applied on an hourly basis. If an exploit gets through and an endpoint has not been updated, it will receive the update on the next cycle. The most common reason for an endpoint not receiving an update is a network issue or the endpoint being powered off. Once an endpoint goes online, it is configured to automatically retrieve security updates from the server, or directly from Trend Servers over the internet if the server is unavailable. The first thing the endpoint does when it goes online is update its security patches, signatures, and scan engines. When a detection is made, the endpoint first deletes the file and quarantines it. It then blocks the action of whatever the file was trying to do. The endpoint's virtual patching, behavior monitoring, and predictive machine learning then stop any unusual activity. This may even include an activity that is supposed to happen. We have had members of our ICT department complain that they were unable to install software because the antivirus protection was blocking it. In some cases, we have groups within our organization that are responsible for maintaining their own servers. When they are doing upgrades, they may schedule us to temporarily disable the antivirus protection so that they can complete the upgrade. Even if malware does not get detected by the web reputation system and is downloaded by a user, it may still be detected by the signature-based malware detection system. If it is not detected by either of these systems, it may still be blocked if it tries to contact its master. These master addresses are often common addresses on the internet that are used by bots to communicate with a server that is maintained by the threat actor. If a bot is blocked from contacting its master, it will be unable to function. If we see a large number of bots being blocked, we will investigate the system to see what is causing the issue. In many cases, it turns out to be a legitimate activity that is being blocked by the system. For example, we may have custom scripts running on certain servers that look suspicious to the system. We can manually whitelist these scripts so that they are not blocked. Overall, the system is designed to be overprotective. This is because it is better to block something that is legitimate than to let malware through. We can always fix a false positive, but it is much more difficult to fix a security breach.

I started using One Endpoint Security in August 2020. I learned how to move agents, install software, and get the agent onto the server. I also learned from the documentation, knowledge base, forums, and other users. I found One Endpoint Security to be more difficult to learn than PaperCut because the terminology and concepts are different. PaperCut is just about printing and monitoring, while One Endpoint Security is about cybersecurity. There are also many caveats to consider with One Endpoint Security. I found the scan settings to be particularly challenging. Trend Micro has helpful best practices documents, which I used to learn what the normal settings are for servers and workstations. For example, servers don't need to be scanned for office document exploits because they typically don't have Office installed. I also learned that it's important to balance security with performance. We don't want to scan servers so heavily that it slows them down, but we also don't want to skip important security checks. In January 2021, we changed our policy on security settings. We now tell users that if there are any problems, we will fix them. We would rather have a small problem that we can fix quickly than have to restore a server from backup, which can take days.

One Endpoint Security provides virtual patching, also known as vulnerability protection, to protect against vulnerabilities before they are exploited. Deep Security and Workload Security call this feature intrusion prevention, but it is essentially the same thing.

Workload security now has a feature called Activity Monitor for each endpoint. This is a free version of their Endpoint Basecamp product that is automatically installed with every One Endpoint Security agent. Even if we are not licensed for Endpoint Basecamp, it will still be installed. On the servers, I had to remove the Endpoint Basecamp and then deactivate and reactivate the workload security agent to get the Activity Monitor working properly. However, I am glad that we get free monitoring for our servers, even though we do not get it for our workstations.

The agent program version column in the agent screen, we could never sort by. It's so handy to be able to sort by that now. We can go to one end of the scale to see the lowest agent version, and then go to the other end to see how many are updated to the latest agent.

Microsoft's new Azure Code Signing is causing a lot of issues for us with One Endpoint Security. We currently have two systems in operation, on-prem and SaaS, and many of the agents won't upgrade beyond version B11564 because these newer versions require Azure Code Signing compliance on the endpoint. If we are not up to date with our Windows updates, we don't have this compliance. Irrespective of the Windows version we are running, we have to apply patches to the machines, if the OS is not damaged, to make them compliant. After that, we can upgrade to the latest version of the respective agent. This process also applies to both Deep Security and Workload Security.

I have two production servers: one for Windows and another for Mac. These servers are available in both on-premise and SaaS versions. Additionally, I have a test server that is located on-premises. The significant distinction with the SaaS version is the absence of a test server where I can install a new version. This means I can't allow the agents on it to upgrade and then perform testing. In contrast, with the production SaaS version of One Endpoint Security, I have numerous agents transitioning and coming online. It's essential that these agents upgrade to a newer version. Among these agents, there are five or six different versions, not counting the really old ones that have yet to upgrade due to ACS non-compliance. I can't leave the testing phase for an extended period because I still have outdated agents that need to be updated. These agents can't be left hanging while I wait to test the newest version that has just been released. New versions seem to come out every couple of months in the SaaS environment. In the past, when I solely used the on-premises version, I would review security bulletins for the SaaS version to identify any issues. I'm apprehensive about potential future situations involving this, primarily because the majority of our agents now operate on the cloud version. If a problem is discovered, rolling back on those agents would be challenging. It would require careful operation to revert them to a different version.

The on-premises version of One Endpoint Security has an update function that allows us to manually update a bunch of servers. For example, if I just turned on a policy, I can force the agents to quickly download the policy and start following the update procedure or update settings. However, this function is not available in the SaaS version. This is because the system cannot communicate with the agent through the firewall. The SaaS version has an automatic update function and an update source entry in the update agents sub-menu, but it does not have a way to force agents to update. This is a problem because we cannot automatically update the agents. We have to manually log in to the machines and give them an update command. Currently, we have no choice but to wait until the agents find the updates themselves.

I have been using Trend Micro One Endpoint SecurityOne for three years.

I have the enterprise version, so I can usually talk to someone in the Philippines even during after-hours. I only do this when it's something that can't wait until the next day. If it can wait, I'll let it go until then. But if something is broken and needs to be fixed right away, I'll get in touch with the Philippines team. They have some good people there, and the support is really good. I think Trend's support is probably the best of any of the vendors I work with.

I have a few open tickets, and one of them involves the developers. They keep coming back to me with questions that they have passed on to the service representative I'm working with. The developers want to know why I'm seeing something that they think I shouldn't be seeing. I'm generating a report that is supposed to show me all the endpoints on our workload security server that do not have agent self-protection enabled. This is part of the Vision One report. One of the endpoints that the report identifies is our service gateway. It is running Ubuntu Linux and has a Deep Security agent installed, but agent self-protection is not enabled by default. There is a way to enable it, but it's not typically done for Linux systems. Agent self-protection prevents unauthorized configuration of the Trend Deep Security agent service settings. This means that we can't change or stop the service without first disabling agent self-protection.

Positive

I would rate Trend Micro One Endpoint Security ten out of ten.

My concern arises when an endpoint lacks One Endpoint Security, as we are not actively monitoring for this. While we possess a scanner, this is why I intend to maintain the on-premises system's functionality. I plan to transition away from the deep security system and migrate the application team to the cloud version, although this transition process is currently pending. I need to retain the on-premises One Endpoint Security primarily for assessment scanning purposes. This involves scanning all items listed in our active directory, along with the subnets for our VPN, to identify unprotected endpoints. During a recent scan, I identified nine such endpoints and proceeded to install the agent on them. Occasionally, there are instances where the agent won't install, but no error message indicates a connection issue or existing installation. Some of them show as not having the agent installed, even though they do, which can happen when the endpoint is booting up during the assessment scan and the agent hasn't yet been loaded. Resolving this is relatively swift, although there are instances where devices not compliant with ACS will trigger a message stating that the agent cannot be loaded. These devices are then flagged, and I work on making them ACS-compliant to ensure proper agent protection.

The noteworthy aspect of One Endpoint Security is that we didn't begin using it extensively until the third quarter of 2021 when vulnerability scanning was initiated. Although we had an Central server, we were not using any policies on it. To enable Vulnerability Protection, we needed to implement endpoint policies in Central. Vulnerability protection involves virtual patching, where regular scans check our operating system's vulnerability to known exploits. It also includes monitoring applications for vulnerabilities and guarding against those vulnerabilities until they can be patched. This process is largely automatic, as the rules to counter cyber threats are introduced until the system is patched, at which point they are removed automatically. In contrast, on the Deep Security side, I need to execute this process manually. A weekly automated scan takes place, followed by an emailed report. This report aids in identifying missing policies or necessitated rule adjustments based on scan findings.

We have to constantly monitor the systems to make sure it is okay. I have email alerts coming in from Trend Micro One Endpoint Security, and Central Systems. I have folders for workload security, deep security, and Trend Micro in my inbox. I check these folders even when I'm not online to make sure there are no major alerts. In a way, this gives me peace of mind. As long as the agents are running properly and there is enough memory and disk space, everything is fine. However, I still have to manually check the System Event Log to see if any One Endpoint Securityendpoints are running out of memory or disk space. We also use SCCM. I set up a scheduled script to create a report of all endpoints with less than 1 gigabyte of disk space. I put this report in a folder that is accessible to all of our school techs and team leaders. This way, they can check the report periodically to see if any endpoints need to be reimaged or have some garbage removed from the disk.

We protect our client's desktops, laptops, and other devices. The servers will be protected by cloud and workload security. It's a complete end-to-end inter-security solution.

The solution provides our customers with malware protection. It has a good level of malware protection to protect against malicious threats. It provides protection against a good number of threats, both known and unknown, and we do get more details to help us log and investigate.

We like that we can catch any malicious threats. We have device and application control. We have more features when we complete office scans.

The device and application control are quite valuable. If users use USB sticks, they can potentially infect devices. We have a list of approved corporate policies, and certain things can not be let through to the endpoints. It helps keep companies safe.

We have protection from malware and ransomware. We get notifications from the console and can take action if we see any malicious activity. 

One Endpoint Security has advanced protection capabilities that adapt to protect against unknown threats. It can protect clients from both known and unknown threats via machine learning. This is critical. We can't always expect certain attacks. Some threats may be very new. And clients are still protected. It can protect against behavior monitoring, for example, via machine learning. 

One Endpoint Security detects ransomware with runtime machine-learning capabilities. This is important. Clients need to know whether a program is trying to encrypt their files and, if so, if it's legitimate or malicious. It gives good protection to our customers to ensure their security is not violated.

One Endpoint Security provides our customers with a single console for cross-layer detection, threat hunting, and investigation. We depend on the Vision One console. With One Endpoint Security, we do have two consoles. There's one for managing policies and one for agent management. We used to have the central manager console, however, now we are using OPEX Central for policy management. On the other console, there is for agent management, threat hunting, and other remediation. Soon we'll have one console again that will centralize everything, including alerts, actions, auto-response, and remediation.

There are options to integrate with other products. However, we may not use any integrations. Any logs generated get passed to the SOC team. They get logs from Splunk also and centralize the management of logs. However, my understanding is that everything can be integrated. 

It's easy to learn One Endpoint Security. It does have user-friendly interfaces.

The Trend Micro portal allows you to access documentation and manuals.  It shows you, for example, how it can be configured and how to use certain features. We refer to the guidelines and articles a lot. 

There hasn't been any issue with administering the solution.

Once we implemented the solution, we immediately witnessed security benefits.

We've noted a reduction in issues as we have increased transparency, and we do have more control. Based on that, we can easily modify policies, have better control over enrollment, and have better visibility into infection threats and how issues may enter systems. We reduced the number of infections and the number of hosts getting infected. We've seen a 10% to 15% drop in threats. 

We are using One Endpoint Security as a Service. We do find that having endpoint deployment in the cloud is reducing people's workloads. The setup files can be downloaded so long as there is internet connectivity. We can do both online and offline installations now. With client enrollments spread across multiple locations, it may not be feasible for the IT team to be onsite to do deployments. It's much easier to have everything done online and this approach reduces a lot of work for the IT team (including traveling to locations, et cetera). Travel logistics can be completely avoided. We've likely saved more than 50% of our time having online deployments. 

It's also reduced administrative overhead. Many reports, for example, are now automated and sent directly to country administrators. We've saved around 50% of administrative overhead using One Endpoint Security. 

We use Trend Micro's managed XDR services in conjunction with One Endpoint Security. We get a lot of risk alerts and detailed information about events, including which endpoints were involved in which particular threats. We can get a lot of information directly from the XDR console. It's one of the best places to find more information about threats. We do threat hunting and management through the XDR console. 

The solution does not have virtual patching. 

The role-based access control needs improvement. We have 40 countries in our environment. We do provide admin access to the countries and cities. A French admin may administrate endpoints in Germany, which is why we need better role-based controls. 

We've used the solution for our clients for more than seven or eight years. 

The solution is very stable. Even when it's offline, it's not completely dependent on the cloud due to the agent. That way, you can protect your device even without the internet. And when you are connected, you have the SmartScan protection as well. 

We have One Endpoint Security deployed across 40 countries and around 40,000 endpoints. 

We started deploying with 1,000 or 2,00 devices and now we have tens of thousands. It has good scalability. 

We may add more endpoints and increase usage. 

Technical support is good. Sometimes there may be issues, and we can send them across to Trend Micro's technical team to investigate. From time to time we'll get troubleshooting recommendations from them.

Positive

I've previously worked with Symantec and McAfee. This is my third solution. I find Trend Micro to be very user-friendly. Everything is integrated under one solution. It's a host-based intrusion prevention system by default and we get protection of all four endpoints with it. 

We previously only used free business services such as lightweight protection and OfficeScan.

The initial deployment of One Endpoint Security was straightforward. We have done both online and offline installations. If a local IT can deploy it they will. If not, it can be done online. The installation of the agent is very easy. If an agent is corrupted, we can use a tool to remove it and install the latest version of a new agent. It's very flexible in that sense. With other products, if an agent is corrupted, it's very hard to remove from the system. Here, it's very easy. You can just remove it and reinstall the agent package. 

With good internet connectivity, you can deploy the solution in 30 to 40 minutes. It's very fast. 

We'll download the MSA package from the console. That'll be given to the IT team, and what they do is push from the SCCM console. Once the systems are online, then they can push it to those systems. It can be done in silent mode without the knowledge of the user.

We have three people handling the deployment, and they are working with nearly 40,000 endpoints. Whoever handles implementation needs to have a good understanding of the endpoint protection software and its requirements and basic knowledge about the antivirus policies, as the policies may need to be altered or changed based on the country's requirements. Sometimes you need to have a scan exclusion and whitelist certain applications or URLs.

As a cloud solution, it doesn't require maintenance. 

We have seen ROI reflected in the good protection we're getting on endpoints. 

The pricing is moderate. It's affordable. The costs are variable. You have the flexibility to choose between different options. 

We evaluated Windows Defender and Symantec. Trend Micro surpassed all other options. 

We are an MSP, a managed service provider. We provide malware and security solutions. 

I'd rate the solution nine out of ten. It can protect desktops, laptops, and most other devices. I'd recommend it to others. It offers very good protection. You can scale it, and it offers many good features. 

Our primary use case is to provide robust XDR capabilities along with advanced EPP solutions. Filtering which external devices, such as USB pen drives can be used on laptops and computers. It also helps determine whether users can use a 4G or 5G modem on the laptop. The tool performs peripheral filtering or securing the peripherals. IT team leaders and internal auditors were mostly interested in the big picture of the company's risk overview.

The solution is used for XDR (extended detection and response), threat hunting, endpoint protection, and device filtering.

The solution works wonderfully to defend endpoints against malware, ransomware, and malicious scripts.

The solution’s machine learning capabilities are wonderful. We extensively tested the solution's machine-learning capabilities, and deploying it to several hundred machines was easy. The solution has capabilities to extend it to protect against AI attacks, deepfake videos, or deepfake emails. In the email protection module, the solution has a writing style analyzer. You can pinpoint the most important entities or people in the company, and the tool will learn how they write and communicate from their emails.

This allows the tool to protect against the business being compromised, and that's a very useful feature. It's a statistical analyzer based on machine learning that observes how you communicate. It needs time, but you can make it learn faster to see the emails. However, it's more useful if you work with current emails, not just the old ones.

You should give the tool two weeks for the current emails, and after two weeks, you can close the learning mode. The solution alerts if it thinks that a business email has been compromised. You have to give it two weeks before it can reliably say whether it's written by the actual user or if it's a fake.

Trend Vision One Endpoint Security provides a single console for cross-layer detection, threat hunting, and investigation. It will collect and show through alerts what is connected from other modules. When something happens on the node that originally came from an email the user clicked on, the tool can pinpoint where the email came from and who else in the company got it. You can block, delete, or put those emails in quarantine before other users click and open them.

You can see all the network activities they have done or tried to do. You can also see where they tried to communicate from the URL filtering and what they dropped. In the solution's new version, a privileged user has access to a predictive attack vector.

The single console's end-to-end visibility has reduced our response time because we have automated responses called playbooks. You can decide whether the probability is small, medium, or high and whether it comes from an email or file. You can also decide whether to block the user, kill the process, send an email, or create the workbench automatically to see what happened and what was the case.

You can manually generate workbenches for the hunting, but if you use the automation playbooks, it can respond faster automatically. The customer bought and managed the MDR (managed detection and response) service. Other professionals bought this managed service for all the products.

For the price of one SOC Analyst a year, a medium-sized bank got 24/7 service with extra help. It was pretty cheap compared to competitors or to the fine they would have to pay if something happened and they could not report back in a timely manner. They wanted to make sure they had double protection.

The solution's end-to-end visibility has reduced your response times. If something happens, the automation handles it pretty fast. Everything is filtered, and the workbenches are created automatically. There's also an auto-response. If something happens, we can block the user or disable the user's Active Directory. We can kill the process or isolate the machine.

It happens almost in real-time when the detection happens. Still, we have an option to just give alerts because the machine or user is too important to block or isolate automatically. You just want to see what happens in the console. If somebody's online, the response time takes ten minutes or so.

Users have to learn to use the solution because it's a bit complex. The solution is pretty straightforward in that the problem is not with the tool's usage but who works with it. Suppose a helpdesk person or an operator gets the alarms for the user laptops. It's not about where to click, how to use it, or which user is using that because it's super easy as it shows the username and where the user is logged in on other computers. You have all the information from the company if it's a clean alert.

Sometimes, they have to verify the technical background. Based on the alerts, the knowledge base, and the preview setting, Trend Micro users can chat with an AI to find out how serious the problem is. Suppose there is a software that behaves badly and gives a false positive because it's poorly written. You excluded it on other machines or decided not to quarantine it because you know it is problematic.

The software has a new version. It comes and is blocked again. It can learn that it has happened before in your environment, so that could be a false positive. You can chat with an AI there, and they can ask about the context. If you are in the workbench environment, you can ask about a user, and it will analyze. Previously, it was not so great. However, it's much better and more mature now because it has learned a lot from the company and what has happened inside it. They also could have just developed a new version.

It's very easy to administer Trend Vision One Endpoint Security.

The solution provides consolidated security across hybrid environments because users don't have to buy tools from three different vendors. Previously, there was an antivirus, an EDR, and a CM to analyze. They kept the CM because they already paid for it. The email protection was different. Right now, they see everything, including email protection, server protection, desktop or PC protection, and XDR.

All the protection for PCs, servers, and emails by both modules is happening from the same console. The threat hunting happens in the same console because they have all the logs. They have everything in one console, including email protection, threat hunting, and server protection. They will introduce mobile protection from Trend Micro, which is XDR for mobile.

All the threat hunting can happen. If something happens on one device, you can see the full context of the user in one console. This is the risk analysis for the C-level entities. It's the overall risk index, and it calculates the actual state. They have a module. The customer didn't buy it because they had already bought a tool for that. This module is more accurate and detailed because the default risk index shows you the overall risk or the ten most risky PCs and users.

Suppose you want the Attack Surface Risk Management (ASRM), which is a more detailed module. It calculates the risk differently if you are inside the company network, on the road with a laptop and free Wi-Fi, or at home and you don't have patches. It calculates that if you have a very important system that you have marked, and if the user connects to that and it's not patched correctly, it has a higher risk.

It could happen with another user who misses the same patches but doesn't have access to critical systems. It has a lower index because the impact will not be so high if the user is compromised. However, it will have a higher index if it's a privileged user. It's not like watching the software versions and the configuration options, but it also benchmarks the context of the user and learns from the AI as well.

The PC product includes 300 of the most widely used virtual patches for ongoing attacks. For example, if there is a new Microsoft bug with a remote desktop, it will provide virtual patches. However, if there is a missing patch not on your system, it's used and gives you an alarm if somebody tries to take advantage of it. Even if you don't need a patch, you can see when an unmanaged computer on the network is trying to hack it.

They have another virtual patching system for the servers in the server product, which is the cloud one and needs an extra license. It gives the host IPFs, and it analyzes traffic as well. If you have vulnerable systems, it will automatically use virtual patches, but it's an extra license for the servers.

If it sees that you have a vulnerable Java application and an old Java version, it will activate the virtual patches for the vulnerabilities against it. However, if you patch, it will turn off automatically by default, so it doesn't consume resources. So, it can be all automated.

It would be much easier if the solution added the allowed USB for pen drives and USB drives. You can import an Excel CSV file with 500 devices, but it will be allowed globally. That would be helpful if you want to allow it only in one policy. If you want to enable these pen drives only for one group or an organization's security group, you have to add them manually one by one. That could be easier.

It's a user experience, but you can add not just the serial but also the vendor. If you only have a Kingston pen drive, you can say that you want to allow all Kingston, or you can add the model number. If you know that you have a specific model of the Kingston pen drive, you can just allow Kingston and that model. The serial number is not important. You will not filter by serial number. However, if you want to filter by serial number and add only the given devices with the serial number, you have to add them one by one.

You have to do this if you don't want to allow them globally. It's enough if you know that you bought a Kingston pen drive and you just put in that you want to allow the Kingston and the model number. Then, all pen drives of the given model will be allowed for a given security group on a given number of computers. In that case, you can attach only pen drives and no external hard drives from Kingston. That could be fast.

If you want to add a given serial number, you add it one by one for a specific group. If you want to allow them globally, you say that everybody can use the pen drive on every computer. You can do it from a CSV. Let's say the CSV imports for security groups only and not company-wide. I think this is the more punctual way. If you want to allow it only for the security group or Active Directory group of users, you must manually edit it to limit the serial numbers.

The solution's user experience regarding device control could be more friendly or straightforward.

The solution's technical support was fine. The support team responded in a timely manner, and we didn't face any problems with them. This customer belongs to the EU because they use the EU data center, and the number of users is more than 500.

I rate the solution’s technical support nine and a half out of ten.

Positive

The solution's initial setup is straightforward. We planned in advance and created the policies. When we deployed the agents, it was easy because there was a generic deployment agent called base camps. When you deploy the base camps, it will look for the policy you want to use, download the needed components, and install the agent. For the EDR part, it will download the actual optimized driver and use only that one.

You can also create full offline installers, but you can use this automated one, which is small. You download the base camp agents, it reads the configuration, downloads everything that is needed, and activates the policy. If you have a system that cannot be reached by the internet, you can create a full installer. For example, you can download Red Hat Linux version 8.4 or version 8 and install it from a package. You can do this if you don't like the full automation.

We deployed the tool for a segment or group of users. We first deployed it on the PCs and then went to the servers. Once we had the installer, it was pretty fast. It was so pretty fast, but it took longer because of the management's decision not to replace everything at once. We have to consider the window when we can do the maintenance. We have to do it in a maintenance window and not anytime we want.

For the PCs and client computers, you could install 100 in an hour if you want. It took time to remove the previous vendor, ESET NOD32, and reboot the node. After we removed it, it was pretty fast. On one PC, it took about four to five minutes in general.

Along with Trend Vision One Endpoint Security, we evaluated Cynet and ESET NOD32. ESET NOD32 has limited time for roll logs, like seven to 15 days. The logs, by default, were there for 15 days. Only the hunted, examined, or the logs that were marked as not a false positive or the real attack were kept forever. Trend Micro, by default, gives customers 30 days to store or pull all the logs, and they could extend this to six months.

There were performance issues with ESET NOD32 because it has limited space to store the data, just like the URL and the reasoning. Trend Vision One Endpoint Security could store everything and has a much more mature interface. When NIS2 comes, you have to keep the logs for a longer day. You could store the logs externally instead of storing them in ESET NOD32 or Trend Vision One Endpoint Security.

In NIS2, you have a maximum of one month to represent the full threat hunting and the countermeasures you did. We need the logs for a longer period. You can do it in two days. However, if you don't find time to create the full report promptly within one month, it is better to have the full logs, not just for seven days, but 30 days by default, and be included in the price.

Overall, I rate the solution a nine out of ten.

We use Trend Vision One Endpoint Security for threat investigation, DDI, DLP,  analyzer, and email scanning. Other Trend Micro solutions share their suspicious objects with One Endpoint Security , and One Endpoint Security investigates the suspicious items. 

We are using One Endpoint Security  in the cloud because we are a ministry, and we have more than a hundred branches. All the branches are connected and integrated through the cloud. We have 6,500 endpoints or 20,000 if we include all the branches. 

We have all of the Trend Micro products, so it's beneficial to integrate them all and get consolidated logs of suspicious objects and malware attacks in a single console. We can do the same work with fewer employees because of One Endpoint Security's automation. 

I like Vision Central. We can manage all the Trend Micro products from one console. Vision One protects against zero-day attacks. It has a feature where it identifies suspicious objects and traffic. We believe it's easy to learn.

We perform cross-layer detection, threat hunting, and investigation from a single console. This capability is essential. We have 15-point IPS, DDI, and all these different security products that we can manage from one console. One Endpoint Security gives us end-to-end visibility. We can forward all the logs to the same solution and interact with the SOC team immediately. We get an alert about any suspicious objects or abnormal behavior, enabling us to take immediate action. 

We have had some false positives with One Endpoint Security's ransomware detection. We received an alert, but it wasn't a ransomware attack. When we did an investigation, we found it was only malware.

We have used Trend Vision One Endpoint Security for five or six years. 

One Endpoint Security is highly stable. We have multiple devices configured in high availability. One is active, and one is passive. It's always active and working fine.

One Endpoint Security is easy to scale because some of our devices are VM-based, so when we need that scalability, we can increase the RAM or CPU.

I rate Trend Micro support 9 out of 10. We have contacted them many times. They provide immediate answers and sometimes connect remotely to solve problems for us. 

Positive

We had QRadar and Symantec before that. We did a POC for Trend Micro with good results. One of the biggest benefits is that it is a consolidated solution. Everything is managed from one console. 

The setup wasn't complicated. A Trend Micro engineer deployed it for us. We had an Active Directory deployment and pushed it to all our branches using our management software. 

Every year, the ministry does POCs for other software. We recently did a POC for a Microsoft solution to replace One Endpoint Security , but we are fully satisfied with One Endpoint Security . One advantage of One Endpoint Security is that it's manageable. Once you change the policies, it updates the endpoints automatically. 

I rate Trend Micro Vision One Endpoint Security One 10 out of 10.