Our biggest security challenge was the number of alerts. It has helped with the reduction in alerts. We had too many alerts in the past that were false positives. The reduction in alerts was definitely a big benefit to us.

With Vision One, we have a platform view and all alerts go to one place. It gives us a much better understanding.

We definitely have better visibility. We can now detect things that we could never detect in the past using traditional AV platforms. That is definitely the biggest benefit. The second one is the risk score where we can see where the risk is in the business, and we can actively call and address it.

We use it on all of our endpoints. We use it on our cloud, on our email, M365, SharePoint, and OneDrive. We have been using it pretty much everywhere.

Vision One provides us with centralized visibility and management across protection layers. It is critical to us. Without it, our staff has to work harder because we are in multiple dashboards, and we do not have a giant picture between the systems and the security layers. Vision One connects it all together for you, and it can show us an attack from start to finish. It allows us to defend that much better.

Vision One has definitely increased our efficiency by reducing the number of alerts and correlating them. It is almost impossible to put a real number on it, but we definitely see things that we could not detect without it. There is probably 50% efficiency.

We use the Executive Dashboards. It is important to us that we can drill down from the Executive Dashboards into XDR detections.

We use the Risk Index feature. We look at the highest risks to the business, and we actively address those risks. There is a little bit of gamification with it. We have engineers looking to reduce the overall score of the business. They are targeting the biggest risks that Vision One has given us and that are most likely to be exploited. By addressing that, we reduced our risk score, and, as a side effect of that, we improved our business' security posture.

We use the Attack Surface Risk Management capabilities. We can see what is being actively exploited in the wild, and if we see some of that in our perimeter, we are going to do that straight away. We have full visibility of what is vulnerable, which allows us to prioritize.

Trend Micro XDR has helped to decrease our time to detect and respond to threats. With the combined visibility of Vision One, we get a lot of better-quality reports. In the past, with products like SIEM, we used to get a lot of noise. We would get thousands of alerts that were never risks to us, whereas XDR is all joined together. It gives you a much more confident data set, and from our data set, we can then start addressing the real risks to the business, which we have never been able to do in the past. It is the primary driver for business change. We get great visibility and high-quality alerts. We never measured the time to detect in the past, but I know that we are now detecting things within an hour or so, whereas in the past, it might be in hours if not days. We would have never detected some of the things in the past because we did not have a tool to do it.

Vision One has helped to reduce the amount of time we spend investigating false positive alerts. It has saved a lot of time. Traditional tools give you completely out-of-context alerts, which take time. We had thousands of alerts to look at, but 99% of them were just false positives. People sat on those alerts all day long that were never going to be an issue for us. When you get an XDR and Vision One in place, you start getting good-quality alerts. It just frees up countless amounts of time, but I cannot give a number.

We use its automation capabilities. Some of the playbooks have saved us days. They have taken action without the security being involved. 

It is definitely the center of our detection and response these days. We are seeing things that we have not seen before or never detected with other tools. It has made us far more aware of what is on our estate. It provides better visibility and allows the threat detection team to stop anything that might even be a suspect well in advance. It has definitely improved our response times.

I like the workbench. It is a view of all the alerts or problems in your estate. The visibility that it provides to engineers is very useful. It is one thing having lots of alerts. It is another thing to have something to correlate all your alerts into a workbench for you so that you can see what is going on. 

Integration is very good. There are lots of integrations. There are third-party products that we use, so the integrations are beneficial.

Within five minutes, even a new engineer can understand how to use it. It is very intuitive. You can easily learn how to use the platform and get the most from it. 

It is very good. It is very simplistic to learn. It is very intuitive to learn. We do not spend a lot of time training the staff on how to use it. They can just pick it up and use it themselves quite well.

On the reporting side, we use quite a lot of reports and dashboards. This visibility is very beneficial.

Playbooks are very good, but on the automation side, they could always improve. Having more variables within the playbook would be useful. It would allow us to have more refined playbooks for the business. It would allow us to take stronger action through a playbook. It will give us confidence to target a particular area of business where our risk tolerance might be higher or lower. We would like to have more granular playbooks.

Further integrations with other products are always beneficial.

I have been using it for four years.

It has never been down for us, so it is very stable. I would rate it a ten out of ten in terms of stability.

We have never had any scale issues. It has been absolutely fine. I would rate it a ten out of ten for scalability. 

Their support is great. Whenever I have called them, the support teams have always been fast to respond. They are always helpful and willing to talk by email, phone, or WebEx. The escalations are always good as well. If we need further support, they are always there to promote that.

I would rate their support a ten out of ten. I do not think it can be improved. It is excellent.

Positive

We had a SIEM from LogRhythm. We almost replaced that entirely. We went for Trend Micro for a lot of reasons. The product was definitely the number one reason. It went through some rigorous testing with us, and we proved it to be very good and helpful to the business. Trend Micro's support model from their sales and delivery and their pricing model just worked for us. They were a good fit with our business.

Deployment on the cloud is always easy. Deploying the agents to the endpoints can take time due to the size of your estate, but it is not a Trend Micro issue. It is purely down to the size of your environment. If you have 1,000 endpoints, it is not going to take as long if you have 100,000 endpoints. It is just a bit of a scale thing. You have got to deploy it out. It is not the worst deployment we have ever seen.

It is fairly straightforward. Cloud-to-cloud gets done in minutes. With all such tools, it is always about how long it is going to take the IT team to deploy the agents to all of their endpoints. It was not a massive issue for us.

We spent a few months getting it working.

We had about four people for implementation and maintenance. We had about 11,000 endpoints. We have offices around the world. We have the UK, India, Canada, Australia, and many others. We have a full global team there. 

In terms of maintenance, the cloud does not require maintenance. The rest of it is about looking at the agents in terms of how the agents work, how they are deployed, and whether they are doing what we are expecting.

We do not calculate return on investment as such, but we have detected things that we may never have detected in the past. Those things could have turned into an actual real attack. We have probably saved far more than the cost of the system by not having an attack. The cost of being attacked, being exploited, having downtime, and reputation damage would be huge. It easily pays for the product.

It is definitely not cheap. I do believe you get what you pay for to some degree. It is cost-effective. The money we spend on it is justifiable. It is not the most expensive product in the market. It is definitely not the cheapest product in the market. You have got to weigh that off as part of your business risk and understand what the risk to the business is if you do not spend and invest in modern tools like Vision One.

I would definitely recommend this product. We would not be without it. I would definitely recommend doing a proof of concept in your environment. Once you have done that, you will realize the value of it, and once you realize the value of the tool, there is no going back. You would have to purchase it.

I would rate Trend Vision One an eight out of ten. They have room for improvement, but that is not at all unusual. It is still very good, and we would not want to get rid of it any time soon.

We were using Symantec before, and with the coming of EDRs in the market, we were looking for a solution. We wanted a defense system so that if there is an attack on the system, such as an endpoint is infected or the attacker or a known technique for ransomware is moving laterally, I do not need to go to the firewall team. I do not need to go to other teams to find out. I should have enough intel at that very stage to contain it if possible.

We were looking for a system with a single pane of glass. The journey started with deploying the EDR client on the servers, which is called Deep Security, and Apex One on the endpoints, such as desktops and laptops. We then connected them to a single pane of glass, which was called XDR, now known as Vision One. It has helped us to correctly hunt and fix. We could see the communication between the endpoints and the servers and anything else they were talking to. We could then further expand it and connect it to all of the systems through APIs. That was the initial requirement we had, and it worked very well in that sense.

When you buy extensive or expensive SIEM solutions, such as Splunk or something else, what happens is that you need analytics. You can write meaningful queries to query the data. At the end of the day, all the data going in needs to be correlated. Vision One provides visibility in that sense.

We connected it to the cloud, so we could see the telemetry from Azure and cloud. We then installed the network detection response. It could see and detect a little movement from the network layer. We then connected it to Active Directory, so we could have attribution happening. We currently have a lot of data coming. With a small team, the issue that arises is how to deal with so much information and how to prioritize. It helps with the prioritization. The system is smart enough to proactively go and scan the logs and trigger workflow alerts. It prioritizes them based on the criticality, such as high, medium, low, or informational. When you have a small team, your analysts can go and start looking into those and see what is happening and what they need to prioritize at a stage.

We came very close to a Russian threat actor and Vision One helped tremendously. It helped us to control the attack in the initial stages. They got into the environment and they got the reverse shell out. I saw the alert. Vision One Protection showed me in detail what they ran, what they queried, what information was captured, and where the connections were going out. It was an initial access broker that had done the attack. If this information was not picked up on the late Friday afternoon, you can imagine what could have happened by Monday. Within hours, that information would have gone on to the dark net and would have been sold to a ransomware gang. The mean time to respond was reduced significantly. It is very rare for most organizations to detect such attacks in their own environment within the first four hours. It reduced the mean time to respond by 70% to 80%.

Its real-time monitoring capabilities help a lot in our overall security posture. We have everything configured to our central SOC email system, so the minute an alert is fired and depending on what criticality it is, we can work on it. When you work in the health industry, you often work with vendors who are still not very cybersecurity conscious. They are still learning. One of them plugged in a USB drive, and we found an early indicator of compromise. The device was plugged into one of the technical systems. It not only detected and blocked that, but we also got the alert pointing to the machine. If it was not detected and picked up at that very stage within a matter of minutes, it could have had a pretty big impact eventually.

The beauty is that I do not need to go and log in to the separate console of Apex One or Deep Security. I have got all the visibility and telemetry feeding in real-time into the Vision One console. The Vision One console straightaway alerts you. It just flashes a critical alert. It blocks, but then it provides mitigation recommendations. We need to take the machine off the network, scan the USB, educate the user, and escalate to the right people. Having all that information at hand is very crucial. We can influence the user behavior as well so that they do not do that again.

We are using it on endpoints. We are using it on our servers. We have a network detection response, which is called NDR. We are monitoring all the internal traffic coming from the firewalls. We have Citrix NetScalers, so we are monitoring the network side as well. We also have another product called Conformity that does a cloud assessment and compliance check for all externally exposed cloud assets. It tells you if they are not in compliance. For example, with the project that went in, something might get exposed accidentally, such as an Azure storage account, to the Internet. It all feeds into Vision One, and we have a single pane of glass.

It is helpful for multiple teams. It is not only limited to SOC. We have teams from the cloud side and sometimes from the endpoint and the server side who can get in, and they can see the alerts. It makes it easier to work because we all are seeing the same thing with more information. So, we are using it for our endpoint servers and network. We are using it for monitoring our Azure cloud. We also have something called Trend Micro Cloud App licenses as part of our licensing. We have policies that do advanced threat protection monitoring and DLP monitoring on the SaaS channels, such as Exchange Online, Teams, OneDrive, and SharePoint sites. These are other channels from where the data can be shared, the data can enter our environment, or the data can go out of our environment. It has policies to monitor DLP. It has policies to monitor any malicious files or any indicators of an ATP attack. We get those alerts as well.

There are two dashboards. The Executive Dashboards give an overall view of the entire system and what is happening on our system at any point in time. We can see how many outstanding vulnerabilities we have, what we need to report to the management, and how we will be progressing for things like that. Then we have the Operational dashboard with real-time alerts or pending alerts. It shows us that we have some account that is a match from a .Net data lake. A problem, for example, is that most users keep the same password, so you could have the same account password for your work account and for your personal account. They can get compromised at home and work as well. So, we use Executive Dashboards for reporting and overall understanding of what is happening in the environment and what we need to report and prioritize. The Operational dashboard is for day-to-day work.

It is very important that we are able to drill down from the Executive Dashboards into XDR detections. We are in the health industry. We are a hospital. The board is not only worried about ransomware because that can happen to anyone. You can never be safe enough. They are also concerned about the damage to our reputation and the operational cost of recovering, so they are very keen to have visibility. The Executive Dashboards give us good enough information to filter that. For example, our desktop support team has a limited set of people. For cybersecurity, we want to prioritize patching for a zero-day threat, but sometimes, it cannot happen because the teams have other priorities. The issue is not that they do not want to help, but they do not have resources. With Executive Dashboards and reporting, we can escalate things to the board saying that we need some attention. We can ask them to fund us with more resources to get this across the line. It helps us dictate the impact and prioritize a critical cybersecurity vulnerability so that we can get the management's buy-in to prioritize it and address it before it goes out of hand.

We use the Risk Index feature to map against other organizations in the same geographic region to see how we are doing in terms of risks as compared to other organizations. Are we better or worse than others? If we have some areas where we are worse than others, they help us to understand the reason and how to improve.

If we want to go through every single event, then with our current licensing, XDR can hold up to six months of data, which could be millions or thousands of alerts. A smart thing that they have done is to provide the Workbench, which automatically prioritizes. It does the hard work for you by pulling that intel and saying that these are the highly critical ones that you need to address as soon as possible. I am not discounting the fact that sometimes, attackers do not even go for highly critical ones. They go for a medium one, but it helps us to get them out of the way. Our team is small, and I had a good experience training a few people, taking them through, and showing them how to do it. Once people start working, they understand the workflow. It just becomes a second habit. It is very intuitive. You can get into the console, add new indicators of compromise, add new threat-hunting queries, add new CTI feeds, and check for new vulnerabilities. There is so much you can get out of it. You just have to prioritize what you think is important for that day.

We do use Managed XDR as a second service. The way that comes in handy is that we do have people on call. I, for sure, keep checking my emails, but if we have a critical alert that no one has attended from our side, they triage it. They triage it very well and then rate it. For example, they might say, "It seems to be benign or negative, but an alert came in, and no one was available. If you want to add an extra layer of security or caution, here is the mitigation." They are very responsive. I was able to see the big attack that we had two years ago within the first four hours, and by the time it got to the XDR, it was all correlated. Within half an hour, their response team came to the same conclusion. They reached out to us when I was about to reach out to them, so we were on the same page. They are definitely a good backup or a second solution for us. Also, some of the alerts can come up from workflows. They may seem malicious but they are not. The Managed XDR service people come back to us just to reconfirm that. We tell them that it is a known file. They do not need to worry about it. Sometimes, we might miss something or have no idea about the next step. They then come up with a recommendation about what we need to do. It is a very good service to have.

We are using Attack Surface Discovery to monitor the devices we have and the internet-facing assets, accounts, and applications. API is something we are still looking into, but with a few clicks, we get an overview. We can see how many are patched and how many are exposed externally or internet-facing assets. We have a lot of subdomains linked to the primary hospital site for different projects and workflows. We can see how they are doing, which ports are open, and which known vulnerabilities are there because some of them are not managed by us. They are managed by externally hosted vendors, so we can keep them in check. The same is applicable to our accounts. If we have accounts that are on the dark net, or we have accounts with excessive privileges that can potentially be exploited, we can address that.

For applications, the feature that I like the most is called the Cloud App List. It basically looks at all the SaaS applications and benchmarks them. It profiles them based on the rest and gives us a report. It tells us that certain apps that people are using may not be officially sanctioned by us. For an unsanctioned app, they do a risk profiling through Vision One, which shows us which security compliance standard it has gone through from the vendor. They give us a quick understanding of how bad or good it is to continue using an application.

During the COVID time, I was setting up Vision One, and I got an informational alert. The husband of a nurse gave her a USB, and she plugged it in. She was in an off-site environment, but the Trend client was still running. The clients were connected to the SaaS console or the Internet, so all telemetry was still being fed. They must have thought that it was not the case, but detections were still coming. When she plugged it in, it downloaded a power shell exploitation framework, which they were able to map to an ATP group from China that commonly uses this technique for intellectual property exfiltration. I quite like how much visibility it provides. For a couple of applications here, sometimes an alert comes in, and it can even drill down to the last command that was executed. It can create an attack graph and show you the full execution profile. It helps you troubleshoot and filter out whether something is a false positive or an issue at hand. This whole interconnectivity of different systems into Vision One, and its ability to help individualize an attack, is the thing I like the most. It is very good because reading logs and seeing an attack visualized are two different perspectives for a threat hunter. It really helps you understand what is going on.

With every such technology in an enterprise environment, as well as with most of the production systems, the reduction in the amount of time we spend investigating false positive alerts depends on how fast you finetune the system. You need to tell it which are the exceptions and not to alert you on it, and which ones it should alert you on. It is a balancing act in cybersecurity. For example, logins are used by attackers but also by your admin staff. If you totally put them in exemption, you can have a malicious login executing in your environment. You would be completely blind there because nothing would get alerted. In terms of false positives, the system is capturing a lot of data, and it is not the system's fault because it is seeing a lot of data. Sometimes, we have not classified the data. We are getting better at it. We are labeling and tagging the systems. We are fine-tuning it, and it has reduced a fair bit, but we still have a lot of work to do. It happens, but it is something we do behind the scenes. In terms of the day-to-day threat hunting and visibility, it categorizes them in Workbench, and that is what we look at first thing in the morning. We get to know what is happening and what we need to focus on. Once we see that there is a pattern repeating for some false positives and Workbench alerts are high and not true positive, we then figure out how to whitelist those systems. We now know that this is a known execution process. We know it is a known traffic or a known vendor that runs this application, and when it opens, it connects to these ports, for example. It is a bit of a balancing act. It changes dynamically.

For our day-to-day use cases, the correlation and attribution of different alerts are valuable. It is sort of an SIEM, but it is intelligent enough to run the queries and intentionally detect and prioritize attacks for you. At the end of the day, it is different data that you see. It correlates data for you and makes it meaningful. You can see that someone got an email and clicked a link. That link downloaded, for example, malware into the memory of the machine. From there, you can see that they started moving laterally to your environment. I quite like it because it gives visibility, so Workbench is what we use every day.

They also have something called virtual patching. If you have end-of-life systems or systems that are out of support, you cannot upgrade the agent, but you can still do the update if you get the signature. This is the feature I like. For example, today, if a new zero-day threat is out with a link vulnerability where attackers send you a link, and that link, even if opened in the preview mode, can basically execute a malicious code, we just cannot patch within four or five hours. We are a midsized organization. We are fairly big, and sometimes, it takes two days or even a week. With virtual patches being there and XDR with all that information connected, we can see that the virtual patch is working. It is there. We have all the mitigation in place, but then it is also detecting the environment for that threat. We can further write the hunting queries and enhance detections. So, Workbench detections and virtual patching are very helpful.

It also gives us an executive dashboard where we are monitoring our external sites. We can see what ports are open and what known vulnerabilities are being scanned on them. We get visibility and better mean time to respond and act.

The user interface is pretty easy to use. Sometimes, you learn it while you play around with it and you set it up. One thing I do like, which is very good, is that you can pivot from within the console to different sections if you know how to go about it, but if you have not used it, it could take a bit of learning. A good thing that Trend Micro has been doing for the last two years is organizing some sort of CDFs, which are scenarios based on real threat actors. They get you to come to those events. It is gamified so they can attract people. If you want to learn, they would show the event ID that came in and where to go and see that event ID. They show you how to hunt based on that event and how to extract the indicators of compromise from that ID. There is a feature called Suspicious Object. They show you how to block one. If you have a suspicious object linked to a threat intel feed that goes to Palo Alto, you can not only block it in XDR or Vision One, but straightaway, it also gets pushed to your firewall, so your firewall is also blocking it now. There are some cool functionalities, but you need to spend time to understand how you would pivot between different subsections. If someone is new and starting, it is still pretty straightforward. The UI interface is very self-explanatory. There are a lot of details. There is a lot of telemetry added to it for you to see and understand. It is not that complicated. If you have a bit of a cybersecurity background, you should be able to pick it up pretty straight.

They are constantly updating it, which is a good as well as not-so-good thing. There is an update every few weeks. They are very good updates. I quite like it that they have such an agile development. They listen to their customer's feedback, and they are constantly investing in the product. They do not give you an off-the-shelf product. The world is changing, and the attacks are changing. It is kept up to date. 

Reporting could be a little bit better. They are working on it, and it is getting better. They have different development teams working on this product. Like any bigger organization, they have so many people working and fixing the product, and they have their own development routines and cycles and understanding of the code. It has gotten a lot better, but it has a long way to go. Recently, there were a couple of more reports. What I like is that they listen to the feedback. If we tell them that we need this reporting, they go back and do something about it. It does not get lost in emails or meetings.

We have been using Trend Vision One for almost three years.

I have not seen any downtime as such. I have not seen the console going down, not even once in three years.

It is set in firm defense. It is a very interconnected system now. I spend most of my time fine-tuning and working in Vision One. It has been 100% stable for me most of the time. I have had no issues. It is very stable. I would rate it a ten out of ten for stability.

We are based in Southwestern. It is a fairly big site. After COVID, we have remote workplaces. It is a part of our standard operating environment. Any new server or any new desktop or laptop has to have the client installed, but we are also multi-site. We have sites in Central Queensland and North Queensland. Those sites came along as well. It is a through-and-through solution. It is being used on all three sites.

Vision One is currently being used by multiple teams. There are 15 to 20 people at the moment. We have the Network and Security team, and then we have the core cyber team. We have people who look after the Apex One and desktops, and we also have people who look after servers and the cloud. They all know what to look for, and they know where the alert is coming from and what they need to do. I have given training internally a few times for people.

The customer support experience has been fantastic. They are fairly technical. What I like is that they are very responsive. You log a job, and within two hours, someone is on the call with you or contacts you through email. We have a relationship manager or a technical account manager from them who does biweekly calls with us. He addresses any issues and provides escalation channels as well. Their engagement as a vendor and as support has been amazing.

Positive

We were using Symantec. When we did the research three and a half years ago, the world was moving to EDRs. An EDR solution compensates for different technologies. It is not static signature-based detection because that can be bypassed easily.

The main considerations were the costs and virtual patching. We were looking for a solution that could help us with virtual patching. When you have a zero-day at hand, regardless of how big is your team, patching sometimes is just not possible. When you are a hospital, you cannot take the systems down. You have to go through a couple of processes, but during that time, you are in a vulnerable state. We were looking for a system that could provide virtual patching, has detection and virtual patching signatures, and gives you the breathing space where you can go and patch a system. It satisfies that need. 

The EDR/full-stack functionality was also a welcome change. We do not have just an antivirus or EDR. It can do a lot more. It can do file integrity checks. It can do a baseline of your known system file caches. It can do all these things.

Our model is hybrid. Vision One console is on SaaS. It is on the cloud, but we have relays that get the updates, so agents have to be local. The EDR clients on servers and endpoints, such as laptops and desktops, have to be on-prem. The cloud posture management and PC bot are also SaaS-based. It is just through an API. Other than the EDR clients, most of the other integrations are pretty much SaaS-based.

The initial deployment was a bit tricky because even though Symantec was a very outdated product, there was still something on the machine. We had to work extra to get rid of that and put this on. Overall, the deployment was pretty good. The biggest challenge in the deployment of an EDR is understanding what your network traffic, day-to-day workflow, or applications look like. Most EDRs have something called real-time scans, so if something is trying to access the memory where the credentials are stored or write to a system-protected file, and if an EDR does not know about them, it will straightaway block it. They helped us to create those amazing baselines where we could whitelist the known applications and the known traffic. It was good. It took a while to get it right. As the environment changes, you keep fine-tuning it. I did not hear of any major issues or any dramas with it, but I did not do the deployment. 

It does not require any maintenance as such. The only major change that I have recently seen is that they have gone from version 1 to version 2, and version 3 is coming. That is all happening behind the scenes. We had some agents in a different geographic region. We had to migrate them across, which is on-prem, but the backend team did the rest. 

We had a dedicated project team that worked with Trend Micro project managers for implementation.

I do not have much visibility to it. It is definitely not a cheap product, but to my knowledge, it is out there with the big wigs in the industry, such as CrowdStrike, SentinelOne, and other EDR/XDR vendors. I had heard, and found out eventually, that their sales teams are very flexible, as more sales teams are.

The problem with any XDR is that you need to buy into their whole ecosystem so that it can provide more visibility and more data points. It can understand your system environment a bit more.

We started with the endpoint and server detection, and then XDR was given to us for free at that time to try it out. Once we got into it, we added NDR, which is the network detection response, the cloud side, and all the other things to it. They were pretty good in terms of pricing and understanding of our needs.

Their team is also very good, which is something I have not seen with other vendors. They are proactive. They reach out to you with new things happening in the cybersecurity world, such as any new attacks or detections, any new events, or new training. They reach out to you every few weeks and sit with you to understand what they can do better. This constant engagement and service is good. I do not base it only on the cost. Nothing is cheap, but it is about what you get from a vendor on the service. It is not like sell and forget, where they sold you the product, and they have nothing to do with you. It is a constant engagement because XDR is ever-evolving. They take you on that journey. They show you what new capabilities are coming. They ask about the use cases and how they can help us. They ask about what we are seeing or what challenges or gaps we still have in the environment so that they can help that. This has been my personal experience. It has been absolutely fantastic.

We had another vendor. We tested both EDR clients, and at that time, XDR was just a big buzzword in the market. We did not know what XDR was and whether we would get it. It was given to us as a complimentary to try for a few months. I did EDR testing of this solution and another very well-known vendor in the market. We did an attack simulation. We performed a couple of attacks with malicious code and ransomware. It was really good at picking up most of the attacks, whereas the other one was 50/50. We then created a report based on the facts we had in front of us.

Back then, we were told that Palo Alto was coming up with something called Cortex XDR. They bought another company, which had an EDR client that they slapped into their solution. Their methodology was a bit different. Firewalls were still the first line of defense. For example, the malware sitting on a machine is trying to connect to a command and control server or a malicious domain outside the environment on some ports. Once Cortex XDR sees it, and it hits the threshold, you will start seeing the alerts. I did not want to wait for it to get 25 machines infected before Cortex XDR started doing something. That was too late. I have heard that they have come a long way. They might have gotten similar feedback from others and made some changes internally. They are a brilliant company, but it did not meet our requirements at that time. The detections during the EDR testing were not that great. Most importantly, it did not meet one of the key requirements we were looking for back then. We wanted virtual patching and virtual patching signatures for end-of-support operating systems. That is what was the deciding factor for us.

To those who are evaluating this solution, I would advise doing a PoC and understanding their workflow and traffic. They should have the right expectations going into the product. It is a system with which you need to invest in other components as well, but once you get it up and running and it's working and tuned, you will start seeing the value of it.

They are now acting as a support partner for us. We can rely on them and work with them because we invested a fair amount of money with them. The product has proven to be very valuable for our defense arsenal. I personally follow them. It is not just me. It is all over the Internet that Trend Micro's zero-day initiative still picks up around 60% of vulnerabilities. It is more than any vendor out there. They have got a very good team.

I would rate Trend Vision One a nine out of ten. Reporting could use a bit of work, but it is improving. Just the other day, I heard that they are starting to provide automated threat hunt queries and an AI bot on Vision One. These features are still in preview, but it is changing rapidly. They also have something called forensic, so you can create forensic cases and log calls directly from the Vision One portal. There are some very good changes that they have made. It is evolving and dynamic.

Its real-time analysis has impacted our security incident response time. We use the Workbench console and dashboards. We are normally able to analyze an incident in a few hours, understand what is going on, and provide a specific solution for any type of incident.

A few days ago, a user opened something with malware on their machine. In a few seconds, I received an email, and I received a pop-up in the console. To mitigate this, we removed the machine from the network and checked it.

In terms of integration, we intend to integrate more solutions with Trend Micro, but so far, we have just integrated the firewall.

Telemetry is very useful. They provide all the information. I can see specific details about any malware and various types of attacks. I can prevent my environment from different types of attacks based on what I see in the Vision One console.

Log inspection is also very useful for me. We check the logs all the time. In certain cases, it is necessary to analyze with more detail. It is very useful to understand what is going on in my environment with log inspection.

It is very expensive. 

I have been using this solution for ten years.

We do not have any problems with the stability of this solution.

It scales well. We do not have any problems with scalability.

At the moment, we do not have any plans to increase its usage.

Their technical support is good. They take some time to give me the answers, but in the end, they fix and solve all my problems. I would rate their support a nine out of ten.

Positive

We were not using any other solution previously. We have been using Trend Micro's solutions from the beginning of our operations in Brazil.

It is a SaaS solution. Its initial setup is not complex. It is very easy to deploy. It is not complicated. It is very user-friendly. It took around 15 days.

In terms of implementation strategy, we prepared some test machines and servers. After that, we deployed it for the entire company.

They do the maintenance, but we do not have any downtime in this maintenance mode.

We had a Brazilian reseller.

We have not seen an ROI.

Trend Micro's cost is higher than other solutions. That is the main reason why we need to switch to another solution.

We are using a full license that provides different types of features, but CrowdStrike does not provide some of the features such as MDM or anti-spam. We do not have these options or features with CrowdStrike. If we switch to CrowdStrike, we would have to buy other solutions to have a complete solution.

In addition to the license, there are no extra costs.

Its cost is high for us, so we are checking other options and other companies to provide the same solution. We are evaluating CrowdStrike, Trellix, McAfee, and Sophos. We have not yet received the quotation, but their cost is lower than Trend Micro.

Trend Vision One is very useful. It has many functionalities and integrations. Its integration with other products is growing. In the future, it will probably be the biggest console in the world.

Trend Micro is making some changes to the console. At the moment, it is a little bit confusing for our use case because we are using three or four consoles from Trend Micro. We intend to migrate to just one, which is the Vision One console, but at the moment, we are using the Apex One console for the workstations and the Cloud One console for the servers. I do not know if the integration is complicated for Trend Micro, but at this moment, it is not so easy for me to manage all devices.

I would rate Trend Vision One an eight out of ten.