TrendAI Vision One Reviews

Vision One access supports multiple modules, including endpoint protection, the XDR module, and the Cloud One module, which are the ones that particularly caught our interest.

We have been doing a proof of concept for Trend Vision One to assess its capabilities as a cybersecurity solution. Vodafone is partnering with Trend Micro to offer security services and products to our customers to secure their environments, similar to a SaaS solution. We are exploring it as a partnership opportunity to provide enhanced security solutions to our customers.

We conducted a POC and tested multiple use cases by downloading malicious files and observing their behavior. Trend Vision One successfully detected and blocked all threats, including malicious files, scripts, and even dormant scripts that later became active. All these threats were stopped at the endpoint level, demonstrating that Trend Vision One effectively defends against malware, ransomware, and malicious scripts.

Trend Vision One incorporates a machine learning agent designed to defend against advanced threats, such as zero-day attacks. This agent monitors endpoints for malicious activity and, if detected, automatically quarantines the affected machine to conduct further analysis.

It employs machine learning to quarantine devices during ransomware attacks, however, this functionality has not yet been tested.

Trend Vision One provides a single console with a unified dashboard that consolidates information from our entire environment.

The single console provides end-to-end visibility into our IT security environment. We tested the endpoint security, and the SDR performed exceptionally well, providing a clear topology and metrics of our environment. This allows us to monitor the status of each node within our network.

The Trend Vision One platform was integrated with a Linux-based Service Engine to facilitate integration with third-party IT security solutions.

Learning to use Trend Vision One was straightforward, thanks to the helpful courses available on their portal and the excellent support provided during product introduction.

Administering Vision One endpoint security is easy through the single console.

We successfully tested Trend Vision One in a hybrid environment, with components deployed both on-premises and in the cloud.

Trend Vision One offers virtual patching to protect against vulnerabilities while vendors develop permanent patches. This is crucial because vendor patches can be delayed, leaving systems exposed. Virtual patching provides immediate protection, acting as a temporary shield until the official fix is released.

Since we are still in the testing phase, we have not yet seen a reduction in viruses or malware. However, we anticipate potential improvements in security operations across hybrid environments if implemented fully.

Trend Vision One's greatest assets are its cloud-based platform and credit-based purchasing system, which eliminate the need for traditional licensing and procurement processes, enabling quick product acquisition within one or two days. Trend Micro's strong reputation and excellent threat intelligence further enhance the platform's value. The analytics are also good, particularly the XDR and cloud assessment tools, which correlate logs and information to consolidate alerts for the SOC team.

One area that requires improvement is the installation process of the agents, as it is not seamless. The installation sometimes requires multiple troubleshooting steps and is not straightforward.

We have been conducting the POC of Trend Vision One for approximately three to four months.

There were no major issues with stability, no bugs, glitches, or errors, except for the challenges faced with agent installation. I rate the stability of Trend Vision One eight out of ten.

I rate the scalability of Trend Vision One ten out of ten.

We did not engage with customer support during the POC phase, so we cannot provide feedback on that aspect at this time.

For endpoint protection, we have used Microsoft Defender and Cortex XDR. We encountered issues with those solutions, but Trend Vision One seemed to address these concerns effectively.

The initial setup was not complex. The prerequisites were set first, allowing integration to be completed in about a week.

The pricing is mid-range, neither cheap nor overly expensive. The cost is considered fairly priced.

I would rate Trend Vision One nine out of ten.

Our team from our organization includes three members involved in the POC testing.

I recommend Trend Vision One to other users based on our experience during the POC phase.

Its main purpose is orchestration where I have full visibility into all the different Trend Micro products I use, and it is all centralized in a single dashboard. There is ease of use with this centralized dashboard. With this centralized management, I can dive into technicalities, and I am able to do all my workbench investigations. It is quite clear, and I do not have to sift through different logs. It makes our work so easy when we need to respond to or remediate a particular issue.

The main problem that we wanted to solve by implementing Trend Vision One was the blindspots. We tend to focus on endpoints, but we forget IoT devices such as printers and CCTV cameras. This is where we had serious blind spots simply because these devices do not have an operating system. For us, it was just about eliminating these blind spots. That was our number one focus.

It has been exceptional. If you look at the evolution of the Trend Micro products up until Vision One, you can see that they do what they say they do. It has worked for me so well. That is why I have had it all these years.

We have protection against zero-day threats. One of the things that pushed me towards Trend Micro was the fact that they have the R&D for the zero-day initiative. They are a pioneer in terms of classifying CVEs. It gives me comfort. When you go and check the workbench or the report, you can see the type of exploits that it was able to detect, which have even been classified as CVEs.

Apart from the things that I do in IT, my responsibility is to protect my company's assets. I am able to safeguard my data against ransomware. The company does not have to worry that they can be held at ransom. The assurance that they do not have to pay just to get their data back makes it easy to sleep at night.

We have a single console for cross-layer detection, threat hunting, and investigation. We have what we call the executive dashboard. This is what I share with the C-suite. It is quite easy for me to break down cybersecurity in a business way, and then, of course, we have the operational dashboard and the security dashboard where I centralize all the products into one single pane. From an orchestration point of view, I love Trend Vision One. We are able to orchestrate all of our different products from one single dashboard.

Trend Vision One provides visibility into different products. I have a 360-degree view of my entire IT infrastructure, which helps me understand my threat landscape and the way it looks. The beauty of it is that it has metrics. I can see how I am performing as compared to 30 days or 7 days ago in terms of the risk indicator. Is it going up or is it going down? This is important for me because I am able to forecast and anticipate behaviors or patterns from the people perspective and the process perspective. I know what I need to do and train people on, and in terms of processes, I know what I need to do to clean up my policies. In terms of technology, I can assess if there is any other thing of Trend Micro that I need to supplement to make sure I am fully protected.

Our response is instantaneous. I do not have an exact percentile in mind when it comes to the reduction in the response time, but our response is instantaneous.

I have integrated it with my NUC, my firewall, and my database monitoring tool. Trend Micro has a feature for virtual patching through Trend Micro TippingPoint. It instantaneously does the patching and cascades them across. Apart from what we call scheduled patching, on-demand patching is a part of their product features.

Trend Vision One is very easy to learn. This is the second organization where I am using this Trend Micro solution. When I introduced it, my team did not know about Trend Vision One, but within a month, simply with the help of the business portal where we have the e-learning, they were fully skilled and even certified at the entry-level of Trend Micro. Their feedback was that it was quite easy for them to adopt.

Trend Vision One is not at all difficult to administer.

We have seen a reduction in viruses and malware since implementing this solution. They provide you with the metrics for risk posture. You can see the reduction in your threat landscape. It goes granular to the point of telling you which type of malware or threat you are exposed to and the reduction. It is very definitive from a percentile marking. In my previous organization, we saw about a 75% reduction when we rolled it out. We were previously using something else there.

It reduces administrative overhead. I stopped adding additional headcounts from a security analyst and a security officer's point of view. It helps me reduce the overhead. On average, considering the annual wage of a security analyst, there is a reduction of about 7,000 dollars per annum.

I use Trend Micro's managed XDR services in conjunction with Vision One Endpoint Security. It reduces overhead. It is a fully-fledged managed service, so I do not need to have the business invest in an in-house SOC. It is a whole lot cheaper.

From an automation point of view, I find the ability to curate and deploy playbooks very helpful. I find that very convenient for us. It gives away the manual process. There is the ease of use.

I love what they have done with their Trend Companion AI, where it becomes so easy to have it do something for you instead of sifting through different tabs. So, the automation element and their new AI feature are top-notch for me.

I find the virtual patching that they offer superb.

There should be a bit more dynamism when it comes to their playbooks in terms of the action triggers. That is the only thing that I would want to see a bit more. There should be a bit more dynamism, especially when you are creating your own playbook. This is something I have also discussed with Trend Micro.

I have been using Trend Vision One since 2020 when it was rolled out. I have been using Trend Micro products since 2015.

It is stable. I would rate it a ten out of ten for stability.

It is scalable. I would rate it a ten out of ten for scalability.

I would rate their support a ten out of ten.

Positive

I have used a plethora of other solutions. I moved to Trend Vision One for multiple reasons:

• The ability to do what the solution says it does
• The ability to orchestrate all different solutions into one single pane
• The ability to have automation when it comes to detecting and responding to threats

It is deployed on the cloud. For me, the deployment was easy. For the endpoints, we just did a GPO push through Active Directory. For the cloud, we used just simple tenancy APIs and we were good to go.

It took us a week simply by virtue of how big the organization was.

In the IT team, there are 10 people working with this solution. We also have other departments such as risk and audit that use it. Overall, there are about 20 people directly working with it. The remaining are users for whom it just works silently in the background.

The maintenance is not done in-house. It is handled 100% by the OEM. They do share notifications, but we as users do not feel it, so whatever maintenance is required is handled 100% by the OEM. That is the beauty of a cloud service. You are not overly bothered by it.

In my previous company, over the four years, I believe we had seen about 81% ROI.

There are cost reductions because of the simple fact that I have automation. It means that I do not need to spend a whole lot on headcount for security analysts. From a commercial point of view, it has helped me reduce my operational costs, and then there are also security cost reductions because of the fact that it is automated and it responds in real time.

When I compare it to its peers that can do the same, it is cost-effective.

The evolution has been great. When I started using Trend Micro Vision One, the product feature was what they used to call business worry-free. It has evolved from an EDR to a fully-fledged XDR. You can see that the R&D is putting in work, and there is evolution. In terms of product coverage, they do not look at only endpoint protection. Right now, we have bespoke server protection. We have cloud asset protection and email security. You can see the growth of Trend Micro when it comes to its cybersecurity offering.

Based on my experience, I would recommend this solution. The ease of use, elimination of overhead, and return on investment are the reasons why you should have this solution.

I would rate Trend Vision One a ten out of ten.

We use it for analytics. We check all the maps and communications when there is an incident or an issue. It is very helpful for analytics.

Trend Vision gives a lot of visibility. If you have a big environment, you can use it to see logs or events. It gives more visibility into what is going on in your infrastructure.

Last year, we experienced an attack attempt, and it gave us a lot of visibility. We were able to track the source and all the processes that were involved during the attack. For security, it is very good.

Trend Vision One has helped reduce our time to detect and respond to threats by 30% to 40%.

I find the maps particularly helpful. The object list, specifically the suspicious object list, is also quite valuable. You can simply add one object to that list to manage it from another solution.

It gives comprehensive visibility. It is very good. It gives a lot of visibility into all layers such as layer three or layer seven. It helps with monitoring the endpoints, including all the desktops and processes or communication between servers.

I believe that the interface could be more user-friendly. At times, it is challenging to locate certain features, and they need to reorganize the user interfaces.

I have been using the solution for one year.

I would rate their customer support a five out of ten. They sometimes do not give enough attention to the tickets. Even when I update a ticket or a case, they ask the same questions that I have already answered. I explain my problem, and they respond as if not paying enough attention.

Neutral

Previously, we used another solution. We observed that Trend is trying to move all the solutions to Vision One. That is why we decided to transition, and it is working very well. 

It gives more visibility. The other solution was focused only on the server or endpoint protection. It did not provide any tracks, just the basics. With Vision One, we can see all the information correlated in one place, which I find very helpful.

The initial setup is very easy. It is not very complicated. Sometimes, the documentation is not updated, but the processes are very intuitive, so it is not that hard.

In terms of the implementation strategy, we first focus on non-critical servers or appliances, and then we move on to critical ones.

It is being used in an enterprise environment at a data center.

The implementation may require two people, depending on the infrastructure and scale. You might need an engineer or an administrator.

For maintenance, there are two people. One person scans and reviews all the information and the other one is from the backup. It requires minimal maintenance.

Overall, the visibility and security that it provides are our returns on the investments.

I feel that Vision One is a bit expensive. As for the pricing or licensing, I would rate it a seven out of ten.

I would rate Vision One an eight out of ten.

We use Vision One XDR to provide managed security services to our clients by correlating logs from various Trend Micro products like Apex One, Cloud One, and Deep Security. Vision One acts as a central monitoring platform, providing a single pane of glass view of our clients' security posture. This simplifies monitoring and allows us to easily create playbooks and analyze alerts. While our EDR solutions, Apex One, Cloud One, and Deep Security provide robust security features like anti-malware, web reputation, and intrusion prevention, Vision One enhances this by correlating logs and leveraging threat intelligence to identify incidents missed by these individual products. Essentially, Vision One functions like a level three SOC analyst, providing an additional layer of protection and ensuring comprehensive security coverage.

Trend Vision One's centralized visibility and management are crucial for our managed security services because they reduce the overhead required for monitoring. As an XDR solution, it performs many of the tasks an analyst would typically handle, streamlining our workflow and allowing us to focus on in-depth analysis when needed. This reduction in workload is a significant benefit, enabling us to efficiently provide comprehensive security services to our clients.

The executive dashboard is a valuable tool for analyzing the threat level of specific assets, particularly for generating end-of-month reports that detail threat and alert volumes, and highlight high-security risks. This comprehensive analysis helps customers understand their security posture and take appropriate action to strengthen their defenses. However, it's important to note that the dashboard's usefulness may vary depending on the individual customer's needs and priorities.

The risk index is a useful tool that provides benefits, but its value depends on the specific needs of the customer. Some customers may utilize the risk index to identify assets with high-security risks, allowing them to address vulnerabilities and implement necessary patching. However, other customers may rely on alternative sources for vulnerability visibility and, therefore, may not prioritize the risk index. While not always a primary focus, the risk index remains a valuable resource.

Trend Vision One provides immediate benefits upon deployment. Its built-in XDR, which includes EDR functionality and integrates with existing security models like Apex One, Cloud One, or Workload Security, allows for seamless provisioning of endpoints and workloads. Rigorous testing confirms that Vision One effectively identifies and correlates alerts, including those missed by other EDR solutions. This enhanced detection capability is evident during post-deployment testing, as Vision One Workbench alerts are generated immediately.

We use Trend Vision One to consolidate security across hybrid environments.

We use attack surface risk management and often customize it in our reports to meet client needs. This service helps identify vulnerabilities and blind spots in their environments. For instance, we assisted a customer experiencing recurring attacks due to unknown vulnerabilities. Our attack surface management analysis provided the data to identify and patch these critical vulnerabilities, ultimately enhancing their security posture.

Vision One XDR significantly reduces threat detection and response time by automating the analysis typically done by a level two or three analyst. It provides a comprehensive view of the environment, incorporating behavioral analysis and intelligence sources to quickly identify unusual activity. This eliminates the need for manual investigation of logs and data, allowing analysts to focus on addressing actual threats. The XDR's automated workbench triggers alerts with a high degree of accuracy, minimizing false positives and further streamlining the security process.

We use security playbooks for certain low-level security alerts because many of these alerts, despite the large volume of data they represent, do not require significant time or attention. Playbooks are particularly useful in these situations as they automate the process of blocking the source or IP address associated with the alert.

Vision One offers several features I value. 

The threat intelligence sources enable it to automatically block domains known for command-and-control callbacks, effectively preventing attacks from those sources. 

Additionally, the security playbooks provide templates to block URLs or scripts, enhancing endpoint protection. 

Finally, the console allows for remote connection to endpoints, enabling direct investigation and remediation within the customer's environment. This flexibility and comprehensive functionality make Vision One a valuable tool.

Trend Micro is making many improvements, including addressing some of our feature requests. However, their reporting functionality needs improvement. The reports lack detail and customization options, particularly for XDR, which hinders our ability to provide tailored reports to clients. For example, we cannot generate reports on threat intelligence data from XDR, making it difficult to assess the protection received from external sources. This limitation also prevents clients from seeing the total value of XDR, including external factors contributing to their security posture. Threat intelligence is crucial, and clients want to understand its impact. Therefore, enhancing report customization, especially for XDR, would be a significant improvement.

I have been using Trend Vision One XDR for one and a half years.

Lagging does happen in Trend Vision One but it is infrequent and does not significantly disrupt operations. This is typical for many SaaS platforms and not a major issue.

Trend Vision One is scalable, allowing for flexibility from four licenses to a hundred or more, depending on how much or how fast scaling is needed.

The experience with customer service can vary depending on the case. Simple issues might involve referring to KB articles for resolution, while more complex issues might need backend support, which can take time. Overall, my experience has been positive.

Neutral

Trend Vision One is easy to set up and can potentially be handled by one person. However, teamwork is preferred to ensure accuracy, catch potential errors, and maintain a high standard of service.

Trend Micro's licensing is outsourced to third-party vendors, resulting in price variations depending on the vendor. Since Trend Micro doesn't directly handle pricing, I cannot provide specific cost details.

Trend Vision One XDR is an excellent security product that deserves a ten out of ten rating. It's surprising that more companies haven't adopted XDR, given its advantages over traditional SIEM solutions. XDR automates tasks like configuration, signature creation, and rule implementation, significantly reducing the manual workload required with SIEM. While I expect a shift towards XDR, many companies still rely on SIEM, which seems inefficient in comparison.

Trend Vision One functions as our XDR solution. I spend considerable time within it conducting reconnaissance on any security incidents requiring investigation. This tool allows me to quickly search for information that might be difficult to locate using our other tools.

We implemented Trend Vision One to improve our security posture by creating multiple layers of protection. This tool addresses security gaps our existing solutions, like Defender, may miss, providing deeper insights into potential threats.

We have implemented the product on both our cloud environment and endpoints. While we utilize a different Trend product for email, we also leverage Trend for this purpose. Trend's complete coverage is invaluable, as it centralizes data that would otherwise be difficult to locate, and its robust search function has been instrumental in our decision to continue using the platform. Although our organization is always exploring alternatives, the all-in-one nature of this solution has proven highly effective for our needs.

Vision One offers centralized oversight and control across our protective layers. It provides valuable insights into our various Trend applications, though its visibility into other layers is understandably limited. This limitation isn't a concern at this time.

Vision One has significantly improved our efficiency. For example, we recently faced a critical situation where a rule change on a client-server posed a potential security breach. Using Vision One, we quickly identified the employee responsible for the shift and resolved the incident without an extensive investigation. This would have been highly challenging without the tool, as determining the culprit would have been much more difficult.

We've been using the risk index feature to try to chip away at the risks within the environment and identify the vulnerabilities that need to be prioritized because that's been one area that has been more invisible to us with the other tools.

Vision One offers a valuable new perspective on our risk profile. While we receive reports from other tools like Nexus IQ, Vision One's unique risk classification and ranking system allows us to prioritize issues differently. This enables more informed decision-making as we can identify risks that other tools might underestimate. We've fully leveraged Vision One's benefits since our team's formation over two years ago. Though the tool existed previously, its impact was limited due to the absence of a dedicated team focused on its utilization.

It's able to detect things that other tools don't detect. We use a layered approach, so those tools have found stuff it hasn't detected. But that's to be expected. That's the goal of using the layered approach to it. But it's helpful because it catches things we might have been unaware of. Additionally, it might rank things differently than the other tools, and that's the same for this piece. And that can be very helpful for us to catch things we might have otherwise missed because it gives us that extra detail.

Trend Micro XDR has significantly reduced the time needed to detect and respond to threats. It offers capabilities that other security solutions lack, enabling us to address challenges innovatively. Additionally, built-in features such as insights and endpoint protection provide valuable tools that enhance our security posture compared to other systems.

Despite having a fifteen-year career in cybersecurity, I joined this role with limited hands-on experience. However, I quickly became proficient with Trend Vision One through self-directed learning, and my team soon recognized my expertise in the tool, making it a positive experience overall.

The Workbench feature is fantastic. It is so helpful to have something that pulls all the data into one visual representation of the events.

Vision One generates numerous false positives, forcing unnecessary investigations and highlighting a need for improved filtering options. A recurring false positive in our environment cannot be safely filtered, preventing us from ignoring it without risking overlooking genuine threats. This issue arises from a script that renames computers, which behaves suspiciously like malware but lacks a unique identifier within Trend for precise filtering. We cannot exclude the entire script due to potential exploitation by attackers who could embed malicious code within it, bypassing our security measures. While this scenario requires a targeted attack, the sensitive nature of our client's data, including threats from nation-state actors, necessitates a cautious approach to avoid compromising our security posture.

We want the ability to download and inspect emails from clients' mailboxes. Microsoft's platform supports this functionality, and we possess the necessary license. However, some clients lack the required license, prompting us to recommend Trend. If we could directly access and inspect client emails, it would eliminate the need to sell additional licenses to those clients, streamlining the process.

I have been using Trend Vision One for over two years.

Trend Vision One is stable.

As we've added employees and removed employees and added servers and removed servers, I haven't had to think about the scalability of Vision One. It has been very smooth.

We had a script that was not right and kept triggering false positives. I had reached out for help with that. The help I got took a lot of time to get responses. And in the end, they closed out the ticket I had opened without resolving it. I also found the communication experience to be rather frustrating. My biggest complaint about my experience with Trend has been the support. There's a lot of good to be said, but there's room for improvement in the support. The people were very polite, so I'm not giving them a five because that goes a long way for me. Having support that is snippy makes the experience significantly worse. So, I am grateful for that part.

Neutral

We used a Microsoft XDR in conjunction with Trend Vision One. The main pros for Vision One are that the interface is typically a lot easier and a lot less confusing. 

The overall experience of the interface is a lot more positive. The details I can pull out of Trend are much better than I can typically pull out from Microsoft. I'm able to get results that Microsoft doesn't seem to gather. The cons are that it's in such flux right now because they're moving all their other products into the Vision One console, which can sometimes make it a bit confusing. 

It can also mean that we're unable to access the tools we previously did as rapidly. For example, many of the Apex One stuff is now within Vision One. So we had to relearn how to do that, which cost us time during security incidents. And Microsoft does change things, but they typically change things by adding extra bloat. So that ends up being a con for Trend compared to Microsoft.

While I cannot confirm the specific return on investment for Vision One without firsthand data, I expect it to be positive, given our organization's tendency to quickly discontinue partnerships that fail to deliver value.

I would rate Trend Vision One eight out of ten. There is room for improvement, but with the tools I've used, Vision One is one of the better.

I don't do much regarding the maintenance of Trend Vision One, but I also know that because I get emails about stuff that goes down, it's relatively low maintenance compared to other tools.

We have Trend Vision One deployed across multiple locations internationally. Because the number fluctuates, we have roughly 1,500 to 2,000 users at any given time. Three people on our network team use Vision One. We have also used Trend products, other than Vision One, for a couple of our clients, which would expand those numbers significantly.

My experience with Trend Vision One has taught me many valuable details, and I strongly recommend that new users carefully review the provided documentation.

We use Vision One to detect to detect and respond to malware incidents. With endpoints (Apex One/Cloud One Workload Security), network (Deep Discovery Inspector) and Office365 (Cloud Email and Collaboration Security).

The environment is complex, distributed in more than +100 locations. Some locations are just offices, some others are industrial facilities with ICS and SCADA. Besides Windows, we deal with a lot of operating systems, including Solaris on SPARC. And our users are diverse, with lots of employees roaming around the country.

With CREM, we tackle important use cases around identity protection and risk management in general. Identification, prioritization, and remediation.

The full stack of Vision One has delivered what "SIEM 2.0" couldn't deliver. The capability to monitor threats and discover attack vectors before they are exploited and across all our workspace (on-prem, IaaS, PaaS and SaaS). We have invested well over a million into SIEM during the last decade. A full ArcSight upgrade and then a Splunk migration assisted with a large MSSP. Vision One is still ahead at a fraction of the cost.

Going through a capable, single-vendor solution was necessary, given our small team. Choosing the best solutions for every task and building all the integrations was not an option.

Vision One is much more than just EDR for us; it is a threat intelligence platform and a SOAR too. And even with the limited capabilities in this area, we find ways to tackle challenges our MSSP and SOC haven't been able to accomplish on a very large budget.

I like everything. The most valuable feature is how the stack fully integrates all components of a solution. Then, integrations with third parties will be provided.

As an example, I am capable of sending a suspicious file directly to my Deep Discovery Analyzer appliance (a sandbox) while investigating a suspicious download/file interaction, and I can then quickly push the IOCs in the suspicious object lists to protect both managed endpoints, and the rest of the network too! Yes, you can push domains and IP addresses to Palo Alto through a Trend Micro Service Gateway, ensuring you can protect even what cannot receive an endpoint. And all this without writing a single line of code. The ease of use and ease of deployment for use cases like this are my favourite features.

The SOAR features (Security Playbooks) are quite limited. At the moment, it is impossible to execute a simple piece of Python code that would pull or push something to an API, for example. While you can tackle some use cases, a SOAR from another vendor is still a must-have.

To assist with complex use case integrations, having all the data from the SIEM inside XDR would be great, too. That's where the market is moving with solutions like Falcon Logscale and Cortex XSIAM. Pivoting from XDR to Splunk or vice-versa can be time-consuming during incidents.

I was actually an early beta tester of the Apex One Endpoint Sensor before Vision One appeared in 2021. That would be three solid years of using it.

Quite reliable. In the last three years, only one incident created memory leaks on Windows Servers. We didn't see too much impact (fortunately) as a workaround could be quickly provided.

Support is quite responsive when something does work well. However, we do pay for Premium support.

The scalability is really good.

My experience is generally good, but I have had the chance to deal with premium support. I'd say I get the support I expect for the price that I pay.

Positive

Although we have been dealing with other security vendors (McAfee, Symantec, Proofpoint, and more), Vision One was really our first EDR.

The initial setup was a breeze. It is realistically one of the strong points of the solution.

We implemented the solution in-house. Although with premium support, you do get a lot of help from Trend Micro if you ask for it. You'll be able to talk to actual experts.

It is very hard to quantify an ROI on a security product. It doesn't generate revenues, and you can't quantify the cost of incidents that didn't happen.

Product names are changing all the time. Lots of changes in the last three years. They introduced the concept of credits, too, which did not make anything easier.

It's also easy to underestimate the credits required with Cloud Email and Collaboration Security: people invited from third-party tenants will count.

The credit usage and allocation tool has been improving, at least.

We had a look at Carbon Black and CrowdStrike Falcon.

It's probably the best solution for a small team that cannot absorb the complexity of a multivendor solution. The ability to execute VS the cost is surprisingly good.

We use Vision One together with the other products in the Trend Micro security stack, such as XDR, Site Management, and Apex One. 

Vision One has made our detection and response time much faster. We have 30-plus integrations, helping us to identify the most critical threats. The more connections, the better. We can also identify and resolve false positives faster. 

I like Vision One's workbench. It provides helpful logs that I can search, and the telemetry is excellent because I can see what's happening during an attack or potential attack.

Another one of my favorite features is attack surface risk management. It shows me faults and blind spots in my security. I also like the attack phase management. The model shows the risks in the corporation and provides considerable information about what is happening on the platform and the network, offering more visibility. There's also a risk index that shows me where I can improve my security. 

Vision One provides centralized visibility and management across multiple layers. This is critical because I need to see what's happening. It also allows me to set separate rules and policies for some security areas. 

Vision One's search could be improved. While the platform is very user-friendly, the search feature uses terms that aren't as intuitive. The automation is excellent, but I wish there were more templates to help me optimize more things. 

I have used Vision One for nearly a year.

I rate Vision One nine out of 10 for stability. It has only crashed once. 

I rate Trend Micro support six out of 10. They respond quickly but the answers aren't clear sometimes. They don't always understand the issue, so I need to explain a lot.

Neutral

I previously used the Microsoft 365 security stack, but I found Microsoft's XDR lacking. We also used Microsoft CASB and Defender for Endpoint. Vision One's threat intelligence and modeling are better. It has all the features like attack surface and risk management as well as the workbench. I also find Vision One easier to navigate. 

Vision One is easy to deploy. It's mostly automatic, but we needed to deploy some of the agents manually. If you can deploy all of the agents to the endpoints automatically, it takes only about five minutes. 

Vision One is expensive, but I think it's a typical market price. 

I rate Visione One nine out of 10. I recommend fully exploring Vision One's features. It has many features that you don't need to pay extra for. There are so many things to explore. For example, they have free playbooks for third-party integration.

We were using Symantec before, and with the coming of EDRs in the market, we were looking for a solution. We wanted a defense system so that if there is an attack on the system, such as an endpoint is infected or the attacker or a known technique for ransomware is moving laterally, I do not need to go to the firewall team. I do not need to go to other teams to find out. I should have enough intel at that very stage to contain it if possible.

We were looking for a system with a single pane of glass. The journey started with deploying the EDR client on the servers, which is called Deep Security, and Apex One on the endpoints, such as desktops and laptops. We then connected them to a single pane of glass, which was called XDR, now known as Vision One. It has helped us to correctly hunt and fix. We could see the communication between the endpoints and the servers and anything else they were talking to. We could then further expand it and connect it to all of the systems through APIs. That was the initial requirement we had, and it worked very well in that sense.

When you buy extensive or expensive SIEM solutions, such as Splunk or something else, what happens is that you need analytics. You can write meaningful queries to query the data. At the end of the day, all the data going in needs to be correlated. Vision One provides visibility in that sense.

We connected it to the cloud, so we could see the telemetry from Azure and cloud. We then installed the network detection response. It could see and detect a little movement from the network layer. We then connected it to Active Directory, so we could have attribution happening. We currently have a lot of data coming. With a small team, the issue that arises is how to deal with so much information and how to prioritize. It helps with the prioritization. The system is smart enough to proactively go and scan the logs and trigger workflow alerts. It prioritizes them based on the criticality, such as high, medium, low, or informational. When you have a small team, your analysts can go and start looking into those and see what is happening and what they need to prioritize at a stage.

We came very close to a Russian threat actor and Vision One helped tremendously. It helped us to control the attack in the initial stages. They got into the environment and they got the reverse shell out. I saw the alert. Vision One Protection showed me in detail what they ran, what they queried, what information was captured, and where the connections were going out. It was an initial access broker that had done the attack. If this information was not picked up on the late Friday afternoon, you can imagine what could have happened by Monday. Within hours, that information would have gone on to the dark net and would have been sold to a ransomware gang. The mean time to respond was reduced significantly. It is very rare for most organizations to detect such attacks in their own environment within the first four hours. It reduced the mean time to respond by 70% to 80%.

Its real-time monitoring capabilities help a lot in our overall security posture. We have everything configured to our central SOC email system, so the minute an alert is fired and depending on what criticality it is, we can work on it. When you work in the health industry, you often work with vendors who are still not very cybersecurity conscious. They are still learning. One of them plugged in a USB drive, and we found an early indicator of compromise. The device was plugged into one of the technical systems. It not only detected and blocked that, but we also got the alert pointing to the machine. If it was not detected and picked up at that very stage within a matter of minutes, it could have had a pretty big impact eventually.

The beauty is that I do not need to go and log in to the separate console of Apex One or Deep Security. I have got all the visibility and telemetry feeding in real-time into the Vision One console. The Vision One console straightaway alerts you. It just flashes a critical alert. It blocks, but then it provides mitigation recommendations. We need to take the machine off the network, scan the USB, educate the user, and escalate to the right people. Having all that information at hand is very crucial. We can influence the user behavior as well so that they do not do that again.

We are using it on endpoints. We are using it on our servers. We have a network detection response, which is called NDR. We are monitoring all the internal traffic coming from the firewalls. We have Citrix NetScalers, so we are monitoring the network side as well. We also have another product called Conformity that does a cloud assessment and compliance check for all externally exposed cloud assets. It tells you if they are not in compliance. For example, with the project that went in, something might get exposed accidentally, such as an Azure storage account, to the Internet. It all feeds into Vision One, and we have a single pane of glass.

It is helpful for multiple teams. It is not only limited to SOC. We have teams from the cloud side and sometimes from the endpoint and the server side who can get in, and they can see the alerts. It makes it easier to work because we all are seeing the same thing with more information. So, we are using it for our endpoint servers and network. We are using it for monitoring our Azure cloud. We also have something called Trend Micro Cloud App licenses as part of our licensing. We have policies that do advanced threat protection monitoring and DLP monitoring on the SaaS channels, such as Exchange Online, Teams, OneDrive, and SharePoint sites. These are other channels from where the data can be shared, the data can enter our environment, or the data can go out of our environment. It has policies to monitor DLP. It has policies to monitor any malicious files or any indicators of an ATP attack. We get those alerts as well.

There are two dashboards. The Executive Dashboards give an overall view of the entire system and what is happening on our system at any point in time. We can see how many outstanding vulnerabilities we have, what we need to report to the management, and how we will be progressing for things like that. Then we have the Operational dashboard with real-time alerts or pending alerts. It shows us that we have some account that is a match from a .Net data lake. A problem, for example, is that most users keep the same password, so you could have the same account password for your work account and for your personal account. They can get compromised at home and work as well. So, we use Executive Dashboards for reporting and overall understanding of what is happening in the environment and what we need to report and prioritize. The Operational dashboard is for day-to-day work.

It is very important that we are able to drill down from the Executive Dashboards into XDR detections. We are in the health industry. We are a hospital. The board is not only worried about ransomware because that can happen to anyone. You can never be safe enough. They are also concerned about the damage to our reputation and the operational cost of recovering, so they are very keen to have visibility. The Executive Dashboards give us good enough information to filter that. For example, our desktop support team has a limited set of people. For cybersecurity, we want to prioritize patching for a zero-day threat, but sometimes, it cannot happen because the teams have other priorities. The issue is not that they do not want to help, but they do not have resources. With Executive Dashboards and reporting, we can escalate things to the board saying that we need some attention. We can ask them to fund us with more resources to get this across the line. It helps us dictate the impact and prioritize a critical cybersecurity vulnerability so that we can get the management's buy-in to prioritize it and address it before it goes out of hand.

We use the Risk Index feature to map against other organizations in the same geographic region to see how we are doing in terms of risks as compared to other organizations. Are we better or worse than others? If we have some areas where we are worse than others, they help us to understand the reason and how to improve.

If we want to go through every single event, then with our current licensing, XDR can hold up to six months of data, which could be millions or thousands of alerts. A smart thing that they have done is to provide the Workbench, which automatically prioritizes. It does the hard work for you by pulling that intel and saying that these are the highly critical ones that you need to address as soon as possible. I am not discounting the fact that sometimes, attackers do not even go for highly critical ones. They go for a medium one, but it helps us to get them out of the way. Our team is small, and I had a good experience training a few people, taking them through, and showing them how to do it. Once people start working, they understand the workflow. It just becomes a second habit. It is very intuitive. You can get into the console, add new indicators of compromise, add new threat-hunting queries, add new CTI feeds, and check for new vulnerabilities. There is so much you can get out of it. You just have to prioritize what you think is important for that day.

We do use Managed XDR as a second service. The way that comes in handy is that we do have people on call. I, for sure, keep checking my emails, but if we have a critical alert that no one has attended from our side, they triage it. They triage it very well and then rate it. For example, they might say, "It seems to be benign or negative, but an alert came in, and no one was available. If you want to add an extra layer of security or caution, here is the mitigation." They are very responsive. I was able to see the big attack that we had two years ago within the first four hours, and by the time it got to the XDR, it was all correlated. Within half an hour, their response team came to the same conclusion. They reached out to us when I was about to reach out to them, so we were on the same page. They are definitely a good backup or a second solution for us. Also, some of the alerts can come up from workflows. They may seem malicious but they are not. The Managed XDR service people come back to us just to reconfirm that. We tell them that it is a known file. They do not need to worry about it. Sometimes, we might miss something or have no idea about the next step. They then come up with a recommendation about what we need to do. It is a very good service to have.

We are using Attack Surface Discovery to monitor the devices we have and the internet-facing assets, accounts, and applications. API is something we are still looking into, but with a few clicks, we get an overview. We can see how many are patched and how many are exposed externally or internet-facing assets. We have a lot of subdomains linked to the primary hospital site for different projects and workflows. We can see how they are doing, which ports are open, and which known vulnerabilities are there because some of them are not managed by us. They are managed by externally hosted vendors, so we can keep them in check. The same is applicable to our accounts. If we have accounts that are on the dark net, or we have accounts with excessive privileges that can potentially be exploited, we can address that.

For applications, the feature that I like the most is called the Cloud App List. It basically looks at all the SaaS applications and benchmarks them. It profiles them based on the rest and gives us a report. It tells us that certain apps that people are using may not be officially sanctioned by us. For an unsanctioned app, they do a risk profiling through Vision One, which shows us which security compliance standard it has gone through from the vendor. They give us a quick understanding of how bad or good it is to continue using an application.

During the COVID time, I was setting up Vision One, and I got an informational alert. The husband of a nurse gave her a USB, and she plugged it in. She was in an off-site environment, but the Trend client was still running. The clients were connected to the SaaS console or the Internet, so all telemetry was still being fed. They must have thought that it was not the case, but detections were still coming. When she plugged it in, it downloaded a power shell exploitation framework, which they were able to map to an ATP group from China that commonly uses this technique for intellectual property exfiltration. I quite like how much visibility it provides. For a couple of applications here, sometimes an alert comes in, and it can even drill down to the last command that was executed. It can create an attack graph and show you the full execution profile. It helps you troubleshoot and filter out whether something is a false positive or an issue at hand. This whole interconnectivity of different systems into Vision One, and its ability to help individualize an attack, is the thing I like the most. It is very good because reading logs and seeing an attack visualized are two different perspectives for a threat hunter. It really helps you understand what is going on.

With every such technology in an enterprise environment, as well as with most of the production systems, the reduction in the amount of time we spend investigating false positive alerts depends on how fast you finetune the system. You need to tell it which are the exceptions and not to alert you on it, and which ones it should alert you on. It is a balancing act in cybersecurity. For example, logins are used by attackers but also by your admin staff. If you totally put them in exemption, you can have a malicious login executing in your environment. You would be completely blind there because nothing would get alerted. In terms of false positives, the system is capturing a lot of data, and it is not the system's fault because it is seeing a lot of data. Sometimes, we have not classified the data. We are getting better at it. We are labeling and tagging the systems. We are fine-tuning it, and it has reduced a fair bit, but we still have a lot of work to do. It happens, but it is something we do behind the scenes. In terms of the day-to-day threat hunting and visibility, it categorizes them in Workbench, and that is what we look at first thing in the morning. We get to know what is happening and what we need to focus on. Once we see that there is a pattern repeating for some false positives and Workbench alerts are high and not true positive, we then figure out how to whitelist those systems. We now know that this is a known execution process. We know it is a known traffic or a known vendor that runs this application, and when it opens, it connects to these ports, for example. It is a bit of a balancing act. It changes dynamically.

For our day-to-day use cases, the correlation and attribution of different alerts are valuable. It is sort of an SIEM, but it is intelligent enough to run the queries and intentionally detect and prioritize attacks for you. At the end of the day, it is different data that you see. It correlates data for you and makes it meaningful. You can see that someone got an email and clicked a link. That link downloaded, for example, malware into the memory of the machine. From there, you can see that they started moving laterally to your environment. I quite like it because it gives visibility, so Workbench is what we use every day.

They also have something called virtual patching. If you have end-of-life systems or systems that are out of support, you cannot upgrade the agent, but you can still do the update if you get the signature. This is the feature I like. For example, today, if a new zero-day threat is out with a link vulnerability where attackers send you a link, and that link, even if opened in the preview mode, can basically execute a malicious code, we just cannot patch within four or five hours. We are a midsized organization. We are fairly big, and sometimes, it takes two days or even a week. With virtual patches being there and XDR with all that information connected, we can see that the virtual patch is working. It is there. We have all the mitigation in place, but then it is also detecting the environment for that threat. We can further write the hunting queries and enhance detections. So, Workbench detections and virtual patching are very helpful.

It also gives us an executive dashboard where we are monitoring our external sites. We can see what ports are open and what known vulnerabilities are being scanned on them. We get visibility and better mean time to respond and act.

The user interface is pretty easy to use. Sometimes, you learn it while you play around with it and you set it up. One thing I do like, which is very good, is that you can pivot from within the console to different sections if you know how to go about it, but if you have not used it, it could take a bit of learning. A good thing that Trend Micro has been doing for the last two years is organizing some sort of CDFs, which are scenarios based on real threat actors. They get you to come to those events. It is gamified so they can attract people. If you want to learn, they would show the event ID that came in and where to go and see that event ID. They show you how to hunt based on that event and how to extract the indicators of compromise from that ID. There is a feature called Suspicious Object. They show you how to block one. If you have a suspicious object linked to a threat intel feed that goes to Palo Alto, you can not only block it in XDR or Vision One, but straightaway, it also gets pushed to your firewall, so your firewall is also blocking it now. There are some cool functionalities, but you need to spend time to understand how you would pivot between different subsections. If someone is new and starting, it is still pretty straightforward. The UI interface is very self-explanatory. There are a lot of details. There is a lot of telemetry added to it for you to see and understand. It is not that complicated. If you have a bit of a cybersecurity background, you should be able to pick it up pretty straight.

They are constantly updating it, which is a good as well as not-so-good thing. There is an update every few weeks. They are very good updates. I quite like it that they have such an agile development. They listen to their customer's feedback, and they are constantly investing in the product. They do not give you an off-the-shelf product. The world is changing, and the attacks are changing. It is kept up to date. 

Reporting could be a little bit better. They are working on it, and it is getting better. They have different development teams working on this product. Like any bigger organization, they have so many people working and fixing the product, and they have their own development routines and cycles and understanding of the code. It has gotten a lot better, but it has a long way to go. Recently, there were a couple of more reports. What I like is that they listen to the feedback. If we tell them that we need this reporting, they go back and do something about it. It does not get lost in emails or meetings.

We have been using Trend Vision One for almost three years.

I have not seen any downtime as such. I have not seen the console going down, not even once in three years.

It is set in firm defense. It is a very interconnected system now. I spend most of my time fine-tuning and working in Vision One. It has been 100% stable for me most of the time. I have had no issues. It is very stable. I would rate it a ten out of ten for stability.

We are based in Southwestern. It is a fairly big site. After COVID, we have remote workplaces. It is a part of our standard operating environment. Any new server or any new desktop or laptop has to have the client installed, but we are also multi-site. We have sites in Central Queensland and North Queensland. Those sites came along as well. It is a through-and-through solution. It is being used on all three sites.

Vision One is currently being used by multiple teams. There are 15 to 20 people at the moment. We have the Network and Security team, and then we have the core cyber team. We have people who look after the Apex One and desktops, and we also have people who look after servers and the cloud. They all know what to look for, and they know where the alert is coming from and what they need to do. I have given training internally a few times for people.

The customer support experience has been fantastic. They are fairly technical. What I like is that they are very responsive. You log a job, and within two hours, someone is on the call with you or contacts you through email. We have a relationship manager or a technical account manager from them who does biweekly calls with us. He addresses any issues and provides escalation channels as well. Their engagement as a vendor and as support has been amazing.

Positive

We were using Symantec. When we did the research three and a half years ago, the world was moving to EDRs. An EDR solution compensates for different technologies. It is not static signature-based detection because that can be bypassed easily.

The main considerations were the costs and virtual patching. We were looking for a solution that could help us with virtual patching. When you have a zero-day at hand, regardless of how big is your team, patching sometimes is just not possible. When you are a hospital, you cannot take the systems down. You have to go through a couple of processes, but during that time, you are in a vulnerable state. We were looking for a system that could provide virtual patching, has detection and virtual patching signatures, and gives you the breathing space where you can go and patch a system. It satisfies that need. 

The EDR/full-stack functionality was also a welcome change. We do not have just an antivirus or EDR. It can do a lot more. It can do file integrity checks. It can do a baseline of your known system file caches. It can do all these things.

Our model is hybrid. Vision One console is on SaaS. It is on the cloud, but we have relays that get the updates, so agents have to be local. The EDR clients on servers and endpoints, such as laptops and desktops, have to be on-prem. The cloud posture management and PC bot are also SaaS-based. It is just through an API. Other than the EDR clients, most of the other integrations are pretty much SaaS-based.

The initial deployment was a bit tricky because even though Symantec was a very outdated product, there was still something on the machine. We had to work extra to get rid of that and put this on. Overall, the deployment was pretty good. The biggest challenge in the deployment of an EDR is understanding what your network traffic, day-to-day workflow, or applications look like. Most EDRs have something called real-time scans, so if something is trying to access the memory where the credentials are stored or write to a system-protected file, and if an EDR does not know about them, it will straightaway block it. They helped us to create those amazing baselines where we could whitelist the known applications and the known traffic. It was good. It took a while to get it right. As the environment changes, you keep fine-tuning it. I did not hear of any major issues or any dramas with it, but I did not do the deployment. 

It does not require any maintenance as such. The only major change that I have recently seen is that they have gone from version 1 to version 2, and version 3 is coming. That is all happening behind the scenes. We had some agents in a different geographic region. We had to migrate them across, which is on-prem, but the backend team did the rest. 

We had a dedicated project team that worked with Trend Micro project managers for implementation.

I do not have much visibility to it. It is definitely not a cheap product, but to my knowledge, it is out there with the big wigs in the industry, such as CrowdStrike, SentinelOne, and other EDR/XDR vendors. I had heard, and found out eventually, that their sales teams are very flexible, as more sales teams are.

The problem with any XDR is that you need to buy into their whole ecosystem so that it can provide more visibility and more data points. It can understand your system environment a bit more.

We started with the endpoint and server detection, and then XDR was given to us for free at that time to try it out. Once we got into it, we added NDR, which is the network detection response, the cloud side, and all the other things to it. They were pretty good in terms of pricing and understanding of our needs.

Their team is also very good, which is something I have not seen with other vendors. They are proactive. They reach out to you with new things happening in the cybersecurity world, such as any new attacks or detections, any new events, or new training. They reach out to you every few weeks and sit with you to understand what they can do better. This constant engagement and service is good. I do not base it only on the cost. Nothing is cheap, but it is about what you get from a vendor on the service. It is not like sell and forget, where they sold you the product, and they have nothing to do with you. It is a constant engagement because XDR is ever-evolving. They take you on that journey. They show you what new capabilities are coming. They ask about the use cases and how they can help us. They ask about what we are seeing or what challenges or gaps we still have in the environment so that they can help that. This has been my personal experience. It has been absolutely fantastic.

We had another vendor. We tested both EDR clients, and at that time, XDR was just a big buzzword in the market. We did not know what XDR was and whether we would get it. It was given to us as a complimentary to try for a few months. I did EDR testing of this solution and another very well-known vendor in the market. We did an attack simulation. We performed a couple of attacks with malicious code and ransomware. It was really good at picking up most of the attacks, whereas the other one was 50/50. We then created a report based on the facts we had in front of us.

Back then, we were told that Palo Alto was coming up with something called Cortex XDR. They bought another company, which had an EDR client that they slapped into their solution. Their methodology was a bit different. Firewalls were still the first line of defense. For example, the malware sitting on a machine is trying to connect to a command and control server or a malicious domain outside the environment on some ports. Once Cortex XDR sees it, and it hits the threshold, you will start seeing the alerts. I did not want to wait for it to get 25 machines infected before Cortex XDR started doing something. That was too late. I have heard that they have come a long way. They might have gotten similar feedback from others and made some changes internally. They are a brilliant company, but it did not meet our requirements at that time. The detections during the EDR testing were not that great. Most importantly, it did not meet one of the key requirements we were looking for back then. We wanted virtual patching and virtual patching signatures for end-of-support operating systems. That is what was the deciding factor for us.

To those who are evaluating this solution, I would advise doing a PoC and understanding their workflow and traffic. They should have the right expectations going into the product. It is a system with which you need to invest in other components as well, but once you get it up and running and it's working and tuned, you will start seeing the value of it.

They are now acting as a support partner for us. We can rely on them and work with them because we invested a fair amount of money with them. The product has proven to be very valuable for our defense arsenal. I personally follow them. It is not just me. It is all over the Internet that Trend Micro's zero-day initiative still picks up around 60% of vulnerabilities. It is more than any vendor out there. They have got a very good team.

I would rate Trend Vision One a nine out of ten. Reporting could use a bit of work, but it is improving. Just the other day, I heard that they are starting to provide automated threat hunt queries and an AI bot on Vision One. These features are still in preview, but it is changing rapidly. They also have something called forensic, so you can create forensic cases and log calls directly from the Vision One portal. There are some very good changes that they have made. It is evolving and dynamic.