We use Vision One to detect to detect and respond to malware incidents. With endpoints (Apex One/Cloud One Workload Security), network (Deep Discovery Inspector) and Office365 (Cloud Email and Collaboration Security).

The environment is complex, distributed in more than +100 locations. Some locations are just offices, some others are industrial facilities with ICS and SCADA. Besides Windows, we deal with a lot of operating systems, including Solaris on SPARC. And our users are diverse, with lots of employees roaming around the country.

With CREM, we tackle important use cases around identity protection and risk management in general. Identification, prioritization, and remediation.

The full stack of Vision One has delivered what "SIEM 2.0" couldn't deliver. The capability to monitor threats and discover attack vectors before they are exploited and across all our workspace (on-prem, IaaS, PaaS and SaaS). We have invested well over a million into SIEM during the last decade. A full ArcSight upgrade and then a Splunk migration assisted with a large MSSP. Vision One is still ahead at a fraction of the cost.

Going through a capable, single-vendor solution was necessary, given our small team. Choosing the best solutions for every task and building all the integrations was not an option.

Vision One is much more than just EDR for us; it is a threat intelligence platform and a SOAR too. And even with the limited capabilities in this area, we find ways to tackle challenges our MSSP and SOC haven't been able to accomplish on a very large budget.

I like everything. The most valuable feature is how the stack fully integrates all components of a solution. Then, integrations with third parties will be provided.

As an example, I am capable of sending a suspicious file directly to my Deep Discovery Analyzer appliance (a sandbox) while investigating a suspicious download/file interaction, and I can then quickly push the IOCs in the suspicious object lists to protect both managed endpoints, and the rest of the network too! Yes, you can push domains and IP addresses to Palo Alto through a Trend Micro Service Gateway, ensuring you can protect even what cannot receive an endpoint. And all this without writing a single line of code. The ease of use and ease of deployment for use cases like this are my favourite features.

The SOAR features (Security Playbooks) are quite limited. At the moment, it is impossible to execute a simple piece of Python code that would pull or push something to an API, for example. While you can tackle some use cases, a SOAR from another vendor is still a must-have.

To assist with complex use case integrations, having all the data from the SIEM inside XDR would be great, too. That's where the market is moving with solutions like Falcon Logscale and Cortex XSIAM. Pivoting from XDR to Splunk or vice-versa can be time-consuming during incidents.

I was actually an early beta tester of the Apex One Endpoint Sensor before Vision One appeared in 2021. That would be three solid years of using it.

Quite reliable. In the last three years, only one incident created memory leaks on Windows Servers. We didn't see too much impact (fortunately) as a workaround could be quickly provided.

Support is quite responsive when something does work well. However, we do pay for Premium support.

The scalability is really good.

My experience is generally good, but I have had the chance to deal with premium support. I'd say I get the support I expect for the price that I pay.

Positive

Although we have been dealing with other security vendors (McAfee, Symantec, Proofpoint, and more), Vision One was really our first EDR.

The initial setup was a breeze. It is realistically one of the strong points of the solution.

We implemented the solution in-house. Although with premium support, you do get a lot of help from Trend Micro if you ask for it. You'll be able to talk to actual experts.

It is very hard to quantify an ROI on a security product. It doesn't generate revenues, and you can't quantify the cost of incidents that didn't happen.

Product names are changing all the time. Lots of changes in the last three years. They introduced the concept of credits, too, which did not make anything easier.

It's also easy to underestimate the credits required with Cloud Email and Collaboration Security: people invited from third-party tenants will count.

The credit usage and allocation tool has been improving, at least.

We had a look at Carbon Black and CrowdStrike Falcon.

It's probably the best solution for a small team that cannot absorb the complexity of a multivendor solution. The ability to execute VS the cost is surprisingly good.

Vision One is the primary endpoint security product we use to protect our Macs and PCs. We also use the server product version, so it runs on my servers as well. We exclusively purchase Trend Micro's endpoint products. They have network and firewall products. We were using their email product until last month, and I ended up selecting a different provider. We stayed with them for the endpoint, but I moved off of them for the email product.

Vision One was a big deal to us immediately because we did not have context-aware before. We saw everything we had no idea was happening. It was a big deal three years ago. 

It certainly reduces time to detect because a lot of the time, I didn't have it before. I didn't have that information until it gave it to me. The speed of response helps me know much more about what's happening quicker. They have some improvement to do in terms of automated remediation. It probably makes investigations 30 percent faster because of what it puts together. 

When we purchased Vision One, what set it apart was that it wasn't a traditional signature-based antivirus. It's a process-aware solution that provides real-time protection. That was a big differentiator three years ago, but now it's a given that every AV provider should be doing that. It combines signature-based telemetry with behavioral awareness and a detection-based solution, making it a good solution for us.

When we bought it three years ago, it was separate. Apex One handled cloud and web app security, and Vision One handled cloud and server workload protection. Now, they call it Vision One. The server stuff is still separate, but it is the same now. When we purchased it, they told us we'd have a single console, but that took about two and a half years. Finally, there is a single pane of glass. 

One of the things that made me the craziest was that we had too many tools or one tool that I had to log into five different ways. One of the frustrations is you have both legacy and newer detection methods. Not being able to fully investigate it in a single portal was a huge pain.

They need to stop changing Vision One once a week. They're in a hurry to change things so badly and so fast that I can't find where stuff is half the time, which is a challenge sometimes.

I've given one piece of feedback to their product guys. One thing that they're trying to make is a SIEM. It's a product where you input all the logs from your tools, and it creates additional insights into how things look. They've been kind of playing the "me too" game on that, even though that's not what I bought the product for.

They have a new gateway where I can take my firewall of email logs and send it over there. In theory, it's supposed to do a more comprehensive evaluation of all my stuff to improve that risk index score. I'm not impressed with it, and I've told them as much. I feel if you're good at something, you should keep working on that and not try to be all the things to all the people. 

I bought a different email solution even though it would have been 10 times easier to just stay with their email solution because they aren't great at it. They are great at other things, but they're playing the "me too" game with some of their products. Their competitors do this, so they should be doing this, too. They need to pick a product and keep being good at that. If they're going to roll new things out, they should do it but do it right. 

They have a button to isolate an endpoint because it looks bad, but it doesn't usually work. I've had no chance to argue with the product guys to show them examples of how their button doesn't work. You think it does, but it doesn't work in a real environment. That can be a challenge sometimes.

I can see in the data showing what is a false positive. But it doesn't save me time helping them figure out how to fix the problem in their engine. It can help me identify it as a false positive, but it doesn't apply that consistently. It will ignore the false positive for that device, but if they start detecting a false positive on Apple devices, I have eight thousand Apple devices and get 8,000 alerts. I can tell that specific false positive, but it doesn't learn from that particularly well.

We use the executive dashboards, but I don't find them particularly useful. One is the ability to customize. That has gotten a little better, and it'll be better in the future. Most of what they have on there are data points that are generic and not particularly actionable. That's why it's called an executive dashboard. Executives want to see if we are secure, but it's hard for me to find out why our attack surface risk went down by x percentage. I don't know. It says that on the dashboard, but it doesn't give me specific details about why.

I find it confuses my executives, and it's not useful for me because it doesn't give me things to work on. It will give me generic things on the executive dashboard like you have a thousand accounts with an old password. Those are big generic things, but I also can't tell it that our password policy is different from what your automatic detection model means, and I don't have a problem with that, so quit lowering my risk score. 

The risk score is useless. In theory, it's based on the random intelligence they're getting from their various customers. I'm in K-12 education, so they have a decent amount of K-12 customers, but it's a subset, and the baseline of what's common in K-12 education is not the same. There's not enough data to make that particularly clean or useful. Vision One is not custom, and that's part of my beef. That index score is based on whatever random report they're looking at from their data sources at any given moment in time. It's nice, but I'd rather have one that's based on your particular circumstances. Instead, it's saying that the number one attack threat surface for school districts is email phishing. It's too generic.

I have used Trend Vision One for three and a half years.

Vision One has been less impactful toward my endpoints when scanning than the previous solution. 

Vision One's resource usage is starting to creep up compared to three years ago. They used to focus on making their agent lightweight. I don't necessarily think all of this is their fault, but their agents are starting to suck more resources than they used to. Part of it is that the threat landscape has changed, and you need to look at it in additional ways, and it is a strain on the servers. They've gotten really bad about that on the servers.

I rate Trend Micro support three out of 10. Their technical support is challenging. The support's good once you get to the second layer, but they don't read what you write. They auto-respond by telling us to give them the logs. 

Every time, I need to send them a written statement with my product license ID and that I'm the contact authorized to do a support ticket. About 75 percent of the time when I open a support ticket, I immediately email my customer service satisfaction manager person with the ticket number so they can help move it along.

Negative

I was using Sophos three years ago. I've looked at many of the feature sets out there, and they might be 80 percent of what Vision One has, and some might be better, but Vision One is price-competitive.

Deploying Vision One was a pain because of the automated removal tool. In the antivirus world, they try to make it difficult to uninstall people's defenses because that's what an attacker would do. However, all the competitors are making tools to uninstall their competitors' tools when they win business. That's directly counterintuitive to the whole point of the antivirus. 

We went through a process of trying to do this in an automated fashion to replace the old product, and Trend didn't quite do it right. Trend had a real struggle toget their own tool to fix it. 

We use it as a SaaS, so we have a gateway integrator on the server on-site, but the product sits on all my endpoints. In that aspect, it's on-prem, but all the processing, reporting, and everything else happens in the cloud. We had it 75 percent deployed in 45 days. That last 25 percent took us another four months.

I work at an underfunded public school district. I need a whole team, but there is only me. I used to have a security analyst until that position moved around, and
my ability to use the product has been drastically reduced. I miss much of the value of what I'm paying for because I don't have enough staff to use it. I wouldn't need more than one if that was their whole job. 

It's not a totally elegant solution that always feeds and cares for itself. We have to check if it's doing its updates properly. It doesn't tell us, for example, that 2,000 devices haven't been updated or checked in. I have to go proactively looking at it.

Vision One's pricing is extremely competitive. They're probably the lowest-cost provider that has this feature set. 

I rate Vision One seven out of 10. Make sure you learn the 90 percent of stuff in there that you didn't know you bought and preestablish an escalation contact for support tickets.