Trend Vision One

I work on Trend Vision One  endpoint security in the XDR  part. I have been working with Trend Vision One  for approximately two years. We manage multiple endpoints, approximately 3,000 endpoints. We collect telemetric data from there and check all the servers in our inventory, whether they are online or offline. We troubleshoot whether there is unusual activity happening on the endpoint. Trend Vision One generates alerts for any suspicious activity, and then we mitigate accordingly. We are using Trend Vision One's sensors on endpoints and servers.

The versatility of Trend Vision One is what I like the most; we have a lot of options. The segregation is best, with endpoints divided into separate parts and servers into different parts. The policies are well-figured and well-maintained. We have the threat hunting part, the mitigation part, and the sandboxing capabilities. The areas to explore in Trend Vision One are fabulous. We can divide the endpoint on our own, and the server part is also great. It is very user-friendly, and we can segregate it on our basis. We can generate alerts on the basis of what we want. We have the option of playbooks, which makes it a more user-friendly and understandable environment that gives us exactly what we want.

Trend Vision One is very critical for us because we do not use an EDR tool; we use an XDR  tool only, and we have integrated it with the SIM solution. If we did not have Trend Vision One, we would not be receiving the traffic or SIM data, and if there is any individual traffic or any individual behavior in the network, we would not be able to recognize it without it.

The biggest challenge is that users take care of their laptops approximately 80% of the time, but when there is an outbound connection, the user is not able to do anything. The user does not understand if he gets redirected from a legitimate site to another site through backtracking. At that time, the user is not itself involved in this, but Trend Vision One blocks the site on its own. It blocks the traffic on its own, which is the greatest thing and the live working thing with Trend Vision One that helps us.

We have the Cyber Risk Exposure Management  capabilities in Trend Vision One. It shows us how much risk is in our environment based on the data it takes from the endpoints and the environment. We check that on a regular basis and develop a report every day on the basis of that. It is very great and gives us much more visualization. We do not need to go anywhere; we just need to open that and check where it is happening, and it gives us the best results.

In exposure management, we have multiple parts covering spyware and malware. Approximately six or seven months ago, one of the users was trying to access a website and it was getting linked to another website which was carrying grayware, which is a kind of spyware. Usually, the EDR solution does not track that because it is a web traffic issue, and EDR solutions are not able to track spyware much because it is only a bit suspicious without anything malicious in it. However, in the exposure management part, we received an alert of unusual traffic. We checked the telemetric data and all other things through our VTA and other tools. We did not find much that was malicious, but Trend Vision One was generating an alert again and again. We deep-dived into it and found that the website itself was not malicious, but it was carrying some spyware and was redirecting to something different. That was the best experience I had from the past two years.

When we started to use the product, the policies were not fitted properly. At that time, we used to receive a lot of false positive alerts. After doing some fine-tuning and adjusting some playbooks, the noise has been reduced to 80 to 90 percent. A lot of data has started coming in, and the data we get now is mostly true positive. We get to segregate it easily because the noise is reduced.

The AI of Trend Micro is really very good. If we are getting an alert and analyzing it, people sometimes ask to charge ChatGPT, but that is not good because that data is going to ChatGPT and that is not safe either. If we are asking the AI model of Trend Micro only, that is the best thing because our data is not going to anyone external, and Trend Micro already has that data. At that time, the threat gets less. However, the area where it should improve is that it gets stuck. It does not have that much amount of data. It does not understand easily, and we have to explain it more. I suggest that you make sure to train that model a bit more.

Apart from that, the rest of the things are really very fine. Only the AI part needs to be learned more. The AI should be given more data and should be made to understand more how to work. The rest of things are great, really great.

I have been working with Trend Vision One for approximately two years.

On Diwali, I do not remember the exact date, but it may have coincided with the AWS  outage. We were not able to log into Trend Vision One due to a problem in the back end, which I believe was due to the AWS  outage. We were not able to log in for approximately an hour or two. At that time, it caused us a lot of crisis because anything could have happened at that time. Fortunately, everything was on its case after we logged in. No attack happened during that one to two hours, and everything was fixed.

I found Trend Vision One to be very scalable because it is adaptive in nature. It takes care of vulnerabilities on its own. Its core services and AI-driven capabilities are also good. It has threat management on its own, and its effectiveness is also good; it is efficient.

I would rate customer service as 4 out of 10.

The setup process of Trend Vision One is pretty quite easy. We set up a path and keep the sensor there and then run it as an illustrator and perform some basic steps. We check the telnet of the URL and ping the IPs. If everything is working fine, then the connectivity is perfect and we are good to go.

I work in the Cybersecurity department. We do the deployment and take care of the security part end-to-end. I have not personally done the implementation myself, but I have done this work and I have knowledge about this all.

I have used Centra one, which is a very small product compared to Trend Vision One. Trend Vision One has many things in it and takes care of many servers. In Centra one, we have global sites and endpoints, but all the policies are at one place with all the endpoints and servers at one place, which is a bit of a hurdle when we take care of compliance. In Trend Vision One, we have that at different places, which makes it help us a lot. Centra one is an EDR solution that takes care of endpoints only and does not take care of the network. Trend Vision One takes care of the network also. If we have ten laptops in the environment and only eight of them are integrated with the XDR, then the remaining two will sometimes generate an alert on the basis of network. In EDR, if the eight endpoints are integrated, we will get the data of those eight only. That is the plus point here. If there is anything in the network, we will get to know. I also use other India solutions like Sentinel  One and CrowdStrike.

I gave my highest consideration to Trend Vision One based on its integration and its user-friendly nature. Everything is segregated properly. The servers we get on the different part, and the endpoints we get on the different part. The alerts for the servers we get on the different part and for the endpoints we get on the different part. One more thing that is great is the workbench part. We have OAT, we have EPR, we have other things, but the best thing about it is its workbench. If we get an alert anywhere in the EDR XDR part and if that is much critical and it is getting an alert again and again, then Trend Vision One on its own generates its workbench. What makes it easy is the check that this one is more critical, and we should go and check this one first and then move to another part. It helps us to reduce the time to check which one we should go first and which we should check second. As an incident responder, it is very good to segregate the criticality of the function. If Trend Vision One gives that on its own, it becomes really very helpful.

We do face vulnerabilities. I know of Zbot, which is one vulnerability. We were getting an OAT alert over that vulnerability, and we were getting many more alerts also. We got approximately 40 to 50 alerts in an hour. For an incident responder, it becomes hard to decide which one to pick first and which one to resolve first. The workbench came here and analyzed all of the data and generated one workbench indicating that we should first go for this host and check the details here because it is more crucial than the other one. Security is never complete, so we can go for the more critical one which will be affecting the business more, and then we should resolve that first and then move to the other part. That is the best thing ever.

Whenever Trend Vision One gets connected to any malicious IPs or URLs or anything, it blocks it first and then generates the alert. If it is not blocked, it generates the alert, and then we analyze the telemetric data and find the URL and IPs from it. We then make sure to block it from our end, not from the XDR only, but from the SIM and other firewalls and all the tools. We do threat hunting from it. We check the telemetric data on a regular basis and find some URLs and IPs, and then we block it from the firewall and our SIM, EDR, XDR, and another tool. What happens from it is we know that this IP is malicious. We get the advisory, we block it from our side, and we give these IPs and URLs to another security tool so they block it. In the future, if a user clicks that malicious IP or visits those malicious links, Trend Vision One will block it on its own.

I would also like to mention that we do isolate the machines from the back end when they are not compliant or when the version is older. After isolation, the network gets completely isolated, the user tends to work faster, and our compliance gets maintained much more easily. The data encryption and access controls across the isolated system for the non-compliance does not get much of the risk, and our data also gets out of the control. The inconsistency of security comes into the point, and then our compliance gets maintained properly, and it is all because of the silo performance. I know that Trend Micro works for the hybrid environment, but right now we do not use that. We have on-premises for all the things. We are thinking to shift over the cloud, but right now we have not shifted.

One thing I would like to suggest is the user login and log out time. If we have ten users integrated with the XDR solution, it should show us when the user was last logged in and when it was logged out. That time should reflect over the console. The blocking capability works most of the time, but it does not work every time, which is a bit problematic.

I rate this product 9 out of 10.

Trend Vision One  provides a platform where everything is consolidated. I started with the proxy and then moved on to the XDR , which Trend Vision One  provided. We collaborated with them, had POCs for the customer, and they liked it, going ahead with it. The main scenario was to integrate with the cloud security platform since the customer had a hybrid platform and needed one-point access to view the whole infrastructure in one place rather than having different solutions for each cloud and device.

The best feature of Trend Vision One that I like the most is the investigation graph, which was the main point demonstrated during the POC. If an attack happens and data is exfiltrated or an attacker finds a backdoor into the system, I need a graph of it rather than going to third-party sources. Trend Vision One XDR  provides this graph, which helps visualize and make RCA and incident understanding easier, especially when presenting the findings to management.

Trend Vision One has greatly reduced my time to detect and respond to threats. After the implementation, I see how it integrates with the SOC team, and the XDR is so consolidated, making it easier for the SOC team to analyze tickets since it does not export logs from different components. The logs from Trend Vision One are easy to understand, which has helped me reduce false positives and determine whether they are true or not without checking each system individually, which made my job much easier.

The ability of Trend Vision One to provide centralized visibility and management across various protection layers is the best part for me. Many may not appreciate everything under one roof because it creates confusion, but once you get familiar with the dashboard, it becomes easy to navigate. However, it can create confusion because everything is under one roof, showcasing both pros and cons.

Aside from the investigation graph, I find that sometimes when we collect data, the UI seems a bit laggish and is not that interactive during that process. When we extract logs, it can be a bit slow, but everything else is acceptable.

The UI does lag a bit.

The implementation of Trend Vision One was not easy; it is not a one-click process. I prefer it for larger organizations that can allocate team resources because the implementation can be complex. Resource utilization is quite high, and there is a scarcity of resources focused on Trend Vision One. The availability of troubleshooting guides is not as high as with some other vendors, creating some difficulties, but it is manageable because their support is good. When I open a ticket, they respond quickly.

I have been using Trend Vision One for two years in my previous organization, and right now, I am implementing it as a system integrator at our customer location.

Stability-wise, I feel there are times when it is not a stable solution, but I also had another client where it worked smoothly, and I did not have to revisit it often. However, in hybrid setups, I do face multiple issues, but the on-premises platform works quite well.

Trend Vision One is scalable. We have deployed it for the maximum users, around two hundred to two hundred fifty, and it handles that well.

For Trend Vision One's technical support, I would rate it around seven point five to eight, so let us give it an eight.

I have worked with SentinelOne and multiple other solutions, and from a user experience perspective, I find SentinelOne to be more convenient compared to Trend Vision One. However, for consolidation, the fact that I can find everything under one roof is a plus for Trend Vision One, despite my preference for ease of user experience in other products such as SentinelOne.

The implementation of Trend Vision One was not easy; it is not a one-click process. I prefer it for larger organizations that can allocate team resources because the implementation can be complex.

In my organization, there are only four Trend Vision One specialists, including me.

I would estimate that overall, I have seen approximately a twenty percent return on investment.

I would not say Trend Vision One is cheap; I always recommend it for mid-size to large-sized enterprises, not for SMBs, as I have other solutions suited for them. I have never pitched Trend Vision One to SMBs because I believe it fits mid-sized to large-sized businesses better.

I have worked with SentinelOne and multiple other solutions, and from a user experience perspective, I find SentinelOne to be more convenient compared to Trend Vision One.

I actually believe that it has reduced false positives by more than fifteen to twenty percent.

The switch to Trend Vision One did reduce risks significantly. Deploying XDR created a spiderweb effect, monitoring every endpoint and node, which mitigated many attacks and helped prevent some.

The built-in AI is important, and I am currently working on certifications from Trend Vision One to better pitch it to AI development companies to demonstrate its benefits. I need hands-on experience with it before I pitch to those companies.

Overall, from implementation to operations, I would rate it a seven.

I do recommend this product; it depends on the case-to-case scenario. If a customer wants everything in a single platform, I recommend Trend Vision One without hesitation. Its good support and lack of major issues influence my decision to pitch it to customers looking for a consolidated platform. My overall review rating for Trend Vision One is seven.

My use case for Trend Vision One  is in a SOC, specifically for Security Operation Monitoring. I am a SOC analyst responsible for over 200 clients. Trend Vision One  works effectively for us because it alerts us when suspicious activities occur, such as ransomware attacks. For example, if a possible spear-phishing attack happens where a phishing email comes into our organization, Trend Vision One monitors it as a SIEM  tool. It captures logs from servers, desktops, and users, generating alerts for suspicious activities. If a malicious phishing email arrives, we investigate where it originated, such as if it came from external sources in London or Germany. We contact our clients to determine if they have any relationships with those regions, and if not, we block the malicious phishing email.

Trend Vision One is deployed on-premises and also in the cloud, depending on what clients prefer. Some clients use cloud workload security while others rely on on-premises setups. With more than 200 clients, I log into each client's Trend Vision One setup based on their environment.

The best features of Trend Vision One include its ability to provide virtual patching. Virtual patching protects an organization's systems. For instance, if a hacker attempts a ransomware attack, Trend Vision One detects vulnerabilities in the system, such as outdated Windows 10  versions. If ransomware is launched, Trend Vision One informs the hacker that the system is already patched, preventing the attack. Additionally, it alerts developers to update any outdated applications or network settings.

The time to detect and respond to threats has been reduced significantly. For each alert, I typically need 30 minutes or even 15 minutes to investigate, prepare a report, and send it to clients, especially for high-priority cases. We categorize alerts into P1, P2, P3, and P4, where P1 is critical, and we prioritize those. We focus on critical alerts and can report back within 30 to 15 minutes. Overall, we have managed to reduce our resolution time by approximately 99% due to our multiple teams working 24/7.

We need to improve the reports generated in Trend Vision One. Currently, we prepare our own reports after alerts are triggered, which is time-consuming. It would be beneficial if Trend Vision One offered automated reports summarizing alerts over a specified period, such as one month, which would simplify reporting to clients.

I have been using Trend Vision One for approximately two years, and I have experience working with Trend Vision One.

Trend Vision One has a stability rating of ten out of ten.

I find the scalability of Trend Vision One to be ten out of ten. As a partner, Trend Micro provides educational resources that allow users to learn through various templates and videos available on their portal.

I rate the technical support from Trend Micro as a nine out of ten.

The initial setup process for Trend Vision One typically takes about two to three days but can vary. It depends on the client's infrastructure and whether they require support from their network team or need cloud integration. Smaller organizations might complete deployment in one or two days, while larger organizations could take about 10 to 15 days.

Trend Vision One is expensive. While it provides extensive services for clients, including integration capabilities, the overall cost is high. It is an XDR , and while some other products such as Trend Micro Deep Security  and Apex Central are somewhat cheaper, the comprehensive nature of Trend Vision One contributes to its higher pricing.

Compared to other products in the market such as CrowdStrike or Azure Sentinel , Trend Vision One excels. While Azure Sentinel  relies on complex KQL for deeper analysis, Trend Vision One provides accessible insights for both junior and experienced analysts, making it comprehensible even to those new to cybersecurity.

The false positives have been reduced by about 60 to 70%. Many clients experience low-category alerts. For instance, if someone such as Olga logs into her laptop and enters the wrong password multiple times, Trend Vision One triggers an alert for suspicious login attempts. We hold all related logs and investigate but often find these to be legitimate activities, which we confirm before closing them as false positives.

The ease of use is quite significant. Trend Vision One simplifies processes for junior analysts, offering clear diagrams of data analysis and providing sandbox analysis. It features a user-friendly design that aids learning for those less familiar with cybersecurity.

There are about 200 clients, and 30 employees monitor Trend Vision One. We maintain a 24/7 operation, with eight people scheduled for morning, afternoon, and night shifts.

Trend Vision One sensors are not critical but are quite easy to use. The sensors collect logs from desktops, laptops, servers, and cloud services, storing them in an encrypted database, making the gathering of data seamless.

I am a partner with Trend Micro and utilize their partner portal. Trend Vision One was purchased through Trend Micro's website and partner portal. If a client intends to create a SOC environment or work with many clients, they can consult with Trend Micro's team to establish a proper SOC setup to serve their clients effectively.

My overall rating for this review is 9.5 out of 10.