Trend Vision One Room for Improvement

Frank Bunton - PeerSpot reviewer
Chief Information Security Officer at a healthcare company with 5,001-10,000 employees

When you deploy these tools from Trend Micro, the integration and getting them to work together are among the more difficult pieces of the puzzle. But when you get that set up and working, you're glad you did.

When you manage a security department for a number of healthcare organizations and deploy security into their environments, they want it done today. And they certainly don't want to be bothered with it over the course of a few weeks. We've been in our Cloud One migration for a couple of months now and it isn't our only project. We've got a lot of things going on here and at our subsidiaries, for which I'm also the CISO. It's very busy. We don't have time to sit down and work on projects just for the sake of having the resources to work on them.

When we invest the time to integrate disparate resources, appliances, and applications, we do so with the idea that we're going to get something out of it that is worth more than what we put into it. In each and every case, that's what has happened with Trend Micro.

Still, a lot of folks I know have adopted their technology but have not integrated it. The endpoint management tool sits on the endpoint and manages it, but it's not fully integrated with, for example, the sandbox. So it would be nice if they could simplify the integration process. And I would like to see better documentation.

Another point is that, with Vision One, there were issues that we experienced with the IPS and EDR technologies when we first got it. We had some difficulties figuring out how to make it dance. Once we figured it out, we were okay.

The remediation they put in place for that was to increase the number of presentations they did on the software, presentations where they answered questions. We attend one about every two to four weeks with Trend Micro to go over things, and it's not just us. There are 70 to 100 people in those meetings. They figured out that, while it's okay to build reasonably complex systems, at some point you have to pass the knowledge along to the end-users. That's not always easy to do. Most companies operate under the mindset that, "Well, we understand it, why don't you understand it?"

Jasneet Singh - PeerSpot reviewer
Cloud Security Engineer at a healthcare company with 5,001-10,000 employees

Reporting could be a little bit better. They are working on it, and it is getting better. They have different development teams working on this product. Like any bigger organization, they have so many people working and fixing the product, and they have their own development routines and cycles and understanding of the code. It has gotten a lot better, but it has a long way to go. Recently, there were a couple of more reports. What I like is that they listen to the feedback. If we tell them that we need this reporting, they go back and do something about it. It does not get lost in emails or meetings.

Matthew Guzzi - PeerSpot reviewer
Information Systems Administrator at a government with 10,001+ employees

Trend Vision One offers training sessions every few weeks or every month to showcase new features. However, the product's rapid development and the introduction of numerous new features make it challenging to keep track of the evolving interface and maintain a consistent understanding of its usability. While the continuous addition of features is commendable, the sheer volume of changes makes it difficult to stay abreast of the latest developments.

Buyer's Guide
Trend Vision One
April 2024
Learn what your peers think about Trend Vision One. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
770,292 professionals have used our research since 2012.
GF
Network & Security Administrator at a manufacturing company with 501-1,000 employees

The support documentation could be more comprehensive. The last time I needed to find information, it was scattered, and took me a long time to locate what I needed. 

OS
Operations Manager, Global Information Security at a hospitality company with 10,001+ employees

I would like to have the capability to export the information we receive from the XDR into Microsoft Excel.

SS
Chief Technology Officer at a hospitality company with 5,001-10,000 employees

I've seen a lot of improvement in just the year that we've been with Trend Micro. However, I think that continued optimization of the environment towards automation and orchestration, a kind of layer that sits underneath all of the technologies, would be extremely important. When we look at the speed and sophistication of attacks today, such as ransomware, malware, and cyber threats, we need tools and technologies that can react faster. So, I think integration with automation, orchestration, and artificial intelligence will help tremendously.

Julio Velasco - PeerSpot reviewer
Information Security Specialist at a maritime company with 10,001+ employees

It is very expensive. 

AndrewAdams - PeerSpot reviewer
Cloud Security Engineer at XSOLIS, LLC

We've received some mild complaints that the documentation is sometimes not up to date. 

DP
Senior Security Manager at a real estate/law firm with 201-500 employees

The area for improvement is mobile security. We have just finished a proof of concept for Zero Trust Secure Access. We withdrew from this PoC because it does not have that many points for proxy across Europe. Our organization is across Europe, and it will be nice when it is possible to have Trend Micro proxies across many more countries. At this time, they are only located in Germany and the UK. For us, it's not enough. We are waiting for them to increase the points of contact, and after that, we will return to this project. 

From my experience, it was quite a nice tool, and I could manage almost all of the actions that I could not manage in a traditional way. Traditionally, I could allow or block usage of an application. But using the Zero Trust Secure Access tool, I could manage the schema of the usage. I will wait for this tool to change in the next few months.

Rob Rice - PeerSpot reviewer
Senior Security Architect at a tech services company with 5,001-10,000 employees

Playbooks are very good, but on the automation side, they could always improve. Having more variables within the playbook would be useful. It would allow us to have more refined playbooks for the business. It would allow us to take stronger action through a playbook. It will give us confidence to target a particular area of business where our risk tolerance might be higher or lower. We would like to have more granular playbooks.

Further integrations with other products are always beneficial.

Julio César Quezada - PeerSpot reviewer
IT Security Engineer at a retailer with 10,001+ employees

The login system could be improved. We must pass two different dashboards to log in to the solution. We have a second-factor authentication. We need to check the platform, which delays three or four minutes because of logging, checking email, and returning to the platform. If you multiply the entire team, we lose a lot of time daily.

VZ
Senior IT Security Analyst at a manufacturing company with 10,001+ employees

We do use the automation capability a little. However, we noticed some limitations, especially on the playbook side. The API we use. We are integrating that with another product, a SOAR product. The playbooks are a little bit limited in what they can do at this point. Let's say that we want to connect on a specific API. The templates we cannot modify very well. When we noticed that limitation, we decided to go and use Trend Micro VisionOne API and connect it to other tools to develop that activity using another product.

Under attack surface management, when you go to the specific sites or applications that the users are accessing, the capability of downloading that report could be better. Let's say, as an example, we want to identify users using ChatGPT, for example. We want to download that data through an API or through the GUI. Right now, it's not available as an option. Maybe having the capability of extracting data from VisionOne for specific areas of the tool could work. That's something that could be useful, especially if we want to generate that report and send it to specific teams. Often, we don't want to provide DX to all the people. Sometimes it's easier to just have that file and share that file with the people who need to have that information.

ShashankBorude - PeerSpot reviewer
Team Lead Infosec Incident Management at HighRadius

Results were delayed. We had all the logs in our hands. We were pretty quick in giving out the results and coming up with a conclusion. Trend Micro was pretty delayed on that front, however.

Their turnaround time or the response to their MDR services was slow. While doing POC, we did MDR as well. They could improve the response time on that. That was my view back then, as it used to take a lot of time to get that case generated, get that case analyzed. In the end, we were more interested in the responses from the actual human analysts. Instead of having a machine-generated thing, we were banking on understanding how an incident is treated and how a response is being given. For us, for example, we were able to do our analysis and come to the same conclusion maybe four or five hours before we received Trend Micro's report. Almost all the results were identical.

There was one feature called Sandbox that I wanted to try on, however, at that time, they had not released it yet. 

Since last August, I have been working with another organization, so I am not sure how Trend Micro has developed within the last ten months.

I was never able to test the live response feature, wherein I could take access, remote access of the infected system, and send some commands to kill the processes, or maybe to grab the artifacts, to triage the artifact. By the time it came online, I was moving to another organization.

We'd like a bit of freedom or flexibility on the portal. If I'm the end-user, and I see something bad which might not be bad from Trend Micro's perspective, however, for my organization, was an abnormal activity.

Executing things via PsExec might be something that is normal for some organizations, however, for my organization, it is a highly suspicious thing. If I want to investigate that, having the flexibility for me to investigate it in a deeper sense would be ideal.

That was something that was not possible at that time. I don't know if they have given more freedom to Trend Micro admins. 

We'd love more flexibility in terms of implementing some of the configurations, estate-wise. That is something that I would have loved to see in Trend Micro.

MH
CTO at Cyber Correlate

It took some time to realize the benefits, as we had some issues with support. It took us three to four months to realize its benefits. 

The support should be improved. 

We'd like to see deception features in the next release. It would help us to reduce false positive alerts. 

Hassam-Uddin - PeerSpot reviewer
System Administrator at a financial services firm with 10,001+ employees

The automation capabilities on-premises could be improved, as we currently have to manually activate servers and push policies.

I would like the uninstall process of agents to require two-step verification.

DO
IT Architect at an outsourcing company with 11-50 employees

The deployment process could be more streamlined over the existing infrastructure, as it was not as easy as we thought. We are working with an expert from Trend Micro to improve the rollout process, but it has taken some time and we do not yet have a concrete understanding of the issue. There are some features that we have to install repeatedly before they start running.

AB
Cyber Security Analyst at a consultancy with 10,001+ employees

We'd like to see a few more integrations. Specifically, we'd like to see more IOC integration tools. 

We haven't implemented the automation piece just yet; however, we will go through that soon. We just need more time to see how it all works. 

SS
Chief Technology Officer at a healthcare company with 10,001+ employees

The information captured by Trend Vision One needs to be more detailed.

MM
Security Specialist at a transportation company with 1,001-5,000 employees

They should increase their potential for third-party integrations. We'd like to see integrations with other IT security vendors that are not currently there. 

I'd like to see central management of all products.

AM
Information security manager at a tech services company with 11-50 employees

The centralized dashboard has room for improvement.

VG
Security Consultant at a tech services company with 10,001+ employees

Sometimes, there are some false positives. For example, once a user had a file in their system named recovery.txt. The solution was flagging that as a ransom note, so we were confused. It isn't that serious, but it should be improved. 

Also, XDR should improve its coverage of the latest IOCs. Their suspicious object management works, but the coverage should be improved. It will take one or two months to get those things covered. XDR will detect on a behavioral basis, but these databases will not get updated daily like some other solutions. If you're dealing with new ransomware or malware, it may take around a month before it's covered by Trend Micro. 

ZG
Head of IT at a financial services firm with 11-50 employees

I would like to have more integration with mobile device management.

Daniel Winninger - PeerSpot reviewer
Head of IT & Telecommunications at VA-Erzberg GmbH

An area for improvement is Trend Micro XDR's website. It's a very complicated website since finding the right point one wants to see is difficult.

NK
Senior IT Manager at Excelra

An area for improvement in Trend Micro XDR is more visibility into the alerts. We do get alerts from the solution, but when we are away, we need to have more visibility.

An additional feature we'd like to see in the next release of Trend Micro XDR is reporting, particularly RCA reports because those will help us a lot. Right now, we need to log into the portal to drill down the RCA. For example, when an alert comes in, it will be blocked immediately by Trend Micro XDR. We get the message "This has been blocked", but when we want to drill down in terms of where it started, we need to log into the server, do the RCA, and drill down on it. While doing the RCA and drilling down on it, it would be good if we could get a report directly from Trend Micro XDR because that report could help us.

ZA
Specialist Security Operations at a financial services firm with 5,001-10,000 employees

When an incident occurs, it will detect the incident within half an hour to an hour. I'd like to see alert time reduction so that they show up on the dashboard faster. 

Bruno De Amorim Campos - PeerSpot reviewer
Analista de Segurança da Informação at a tech services company with 1-10 employees

The web viewer could be improved. I've had some issues with it in the past. 

The zero trust is a bit complicated compared to other parts of the solution. 

Mostly, I don't have any issues with XDR.

PP
Jr Cybersecurity Engineer at a tech services company with 51-200 employees

While blocking an IP address restricts access for 30 days, it eventually becomes accessible again. For true permanence, blocked IPs need to be transferred to a dedicated storage solution. However, this storage has limited capacity. To accommodate new blocked IPs, we must remove existing ones, creating a disadvantage that has room for improvement.

MR
Security Analyst - Incident Response at a consultancy with 1,001-5,000 employees

The support has been delayed at times. They could improve that aspect of the solution. 

ElvisHenriquez - PeerSpot reviewer
Senior Services Manager at NextCom Systems Inc

The integration with third-party tools and with on-premises Active Directory needs improvement. 

Wisnu Nursahid - PeerSpot reviewer
General Manager of Technical Division at VTI

Trend Micro doesn't have the next-generation firewall. They have the IPS TippingPoint, however, in terms of the next-generation firewall, Trend Micro doesn't have this as a part of their solution.

JB
Cybersecurity Risk and Compliance Specialist at a government with 51-200 employees

There are certain items that are blocked, and another component is not working properly so the blocking does not happen correctly.

They have a DLP module in Trend Micro and they need to enhance its capabilities.

Nadeem Syed - PeerSpot reviewer
CEO at Haniya Technologies

It would be better if it were more user-friendly. It would also be better if the implementation were more straightforward.

SR
Network Engineer at a tech services company with 51-200 employees

The solution is issue-free. There are no missing features. 

The solution only supports Windows and Mac. It would be helpful if it could support other OS, such as Linux.

We'd like to have more application and data loss features in the future.

AD
CISO at a computer software company with 5,001-10,000 employees

The product needs to have a lot more maturity, and they need to improve the overall technical support framework for getting the value out of XDR.

They need to improve their overall market presence and make sure they are bringing value for the company that is spending money on them. From the business side, there are a lot of areas for improvement, like improving their business relationships. That will help them increase their customer presence as well.

CD
Technical Services Manager at Psitech

There isn't a lot I'd do to change it. The web interface could be improved to sort of make it a little easier to manage multiple clients out of one location. It could also be made a bit easier to sort of manage the licensing side of it.

In terms of additional features, probably the only thing would be a rollback function. They are actually working on it because they're halfway there with it.

BN
IT Advisor at Dulram AS

The solution needs a better graphical user interface and more interface in general.

The price could be lower.

We would like to see more integration with Azure and Azure AD for the computer and for the user. That way we can see that the user is traveling from one place to another, and if they're doing something wrong, we want to look.

MV
Security Operations Center Analyst at PULSOC

For me, so far, the product is fine. I haven't had any issues. I haven't used it for that long and therefore haven't come across any problems. 

The solution could always be made to be more secure. 

Rukshan Anushka - PeerSpot reviewer
Intern - Systems & Security at a tech consulting company with 51-200 employees

We have not found any missing features as of yet.

It would be ideal if they could improve the control of connectivity between sensors. If they could be combined into one console, it would be better. 

SJ
Senior Security Engineer at a tech services company with 11-50 employees

For some time, if you were installing this XDR solution, there is a Sensor. Sometimes we need backend support for some scripting parts. They're applying it from the backend for us. Therefore, there's a dependency on the backend from that point of view. I don't like that feature. The option for deploying the scripts should be available on the platform itself, so there is no need to raise the case with the backend team. 

We'd like to see some security playbooks. Currently, Auto-Remediation is not there. Only Manual-Remediation is there. We have to create a Security Playbook. However, they are just planning to add the Auto-Remediation part.

They are just also planning on adding the Security Playbooks as a complete feature. In the preview mode, it is available; however, it is not released. 

AJ
Principal Consultant at Jilit

The Endpoint Basecamp we are installing to every system is not recognized. It is important to know what feature needs to be enabled. 

The printer driver is automatically disabled, which is creating some concerns for us. 

The agent system is very slow, it needs to improve its performance.

BG
Sr.Customer Engineer- Projects at a tech services company with 201-500 employees

It should integrate with more tools. There are a lot of tools that can do the PTP dump.

HF
Consultant at a computer software company with 51-200 employees

In new versions I would like to see better implementation of the reporting features, especially in regards to EDR visibility. However, Trend Micro XDR has only been around for a year or so, so I know it's still being developed and I think it will get more mature given time.

RS
Security Professional at a tech services company with 51-200 employees

The reporting could be better. We've had some reporting issues in the past. It would be ideal if they could improve it and make it more robust.

The solution lacks compatibility with other products. It needs to integrate better with other surrounding solutions.
