Detection and Response
ESG Economic Value Validation of XDR
Hear leading analyst firm ESG and Chase Renes, system administrator at Vision Bank, discuss the operational, business, and financial value of Trend Micro’s industry-leading XDR solution.
Cybersecurity skills shortage. Overwhelming number of alerts. Overburdened, burnt out security teams. These are the main problems facing organizations, according to the Enterprise Strategy Group (ESG). Thankfully, cybersecurity solutions with XDR can help fill those gaps and enable business innovation. To help organizations become more resilient, we hosted a webinar with ESG analysts and a Trend Micro customer to explore the key benefits of our industry-leading XDR capabilities.
It’s been established that EDR doesn’t do enough to detect threats—it is, after all, only on the endpoint, and over 90% of threats enter the enterprise through email and other avenues. And while many respondents considered SIEM their most valuable tool for threat detection and response, they also faced many challenges with it. Namely, 57% said they had operation and resource issues, 58% noted there was room for improvement with upfront correlation capabilities, and a whopping 82% said SIEM lacked ease of integration.
XDR was designed specifically to address such problems, and the payoff is notable. Stats such as a 50% reduction in product spend, 54% faster investigation, and being 60% less likely to report re-propagation are certainly impressive, but the benefits go beyond the facts and figures.
Among these benefits is business enablement. With less time spent hunting down threats and figuring out the chain of attack, security leaders are free to work with business groups to align organizational and security goals and achieve better outcomes that even the C-suite can get on board with.
ESG also determined that it would take an average of eight full-time employees to replace the automation benefits of XDR. This reduces the pressure to find the most skilled (and more expensive) IT professionals to keep breaches at bay. An XDR solution empowers less expensive, less experienced, and easier-to-find junior staff to become effective security professionals. Another win-win for the C-suite and security teams.
Choosing the right solution
Ok, the board gave the greenlight to invest in an XDR solution because of the financial and business benefits, and you’re now ready to march ahead with confidence in the security capabilities. So, how do you make the most of your budget in a market overflowing with choices? First, look for vendors with platform solutions. A platform consolidates threat data from multiple environments (email, endpoint, cloud, network) into a single pane of glass, allowing security teams to see everything at a glance, instead of wasting hours manually aggregating and correlating from siloed solutions. When evaluating security platform vendors, we recommend asking these questions:
- Are they constantly innovating and evolving? The threat landscape certainly is, so make sure your vendor of choice is keeping up—or even better, staying ahead of threats with new security capabilities and features.
- Are they keeping you updated? Some vendors go “missing in action” (MIA) after they’ve landed your business. Select a company that has a track record of continuous and proactive communication about what’s going on in the hacker world and a reputation for good customer service. This will allow security teams to know what to look for and save hours of research time, while knowing they can count on their security partner for help.
- Does the platform offer third-party integration? As we mentioned, integration is key for many organizations. Instead of requiring specific sources of information, the platform should fit and operate within your ecosystem, reducing complexity and saving you time.
- Do they really care about improving cybersecurity? Ideally, they should. But unfortunately, this isn’t always the case. A vendor that readily shares suspicious objects and zero-day vulnerability research with other companies shows that it truly cares about improving cybersecurity across the board, not just within its own suite of products.
- Do they offer managed services? Yes, XDR alleviates the burden on security teams, but managed detection and response (MDR) services can take this a step further. In this interview, Renes noted that detailed monthly reports populated by Trend Micro’s MDR service significantly helped his team meet regular audits while saving them time.
For more insights from ESG and customers using our solution with industry-leading XDR capabilities, read ESG Economic Validation: Analyzing the Economic Benefits of Trend Micro Vision One. Want to know how much you can save with XDR? Check out the ESG calculator to receive a personalized savings report.
Lori Smith: Hi, everyone, welcome. I am Lori Smith, part of the global product marketing team here at Trend Micro. And we are excited to have you all join us today for our webinar. As we wait for everyone to get settled in, let me just go through some housekeeping notes. For audio, the sound, you [00:00:30] should be hearing the sound stream through your computer speakers. As well, we have a Q&A widget. So, we are going to attempt to leave some time at the end of our webinar to respond to some of the questions. So please jot your question down in the Q&A widget, we'll respond to it live, if we don't get to it, we will be sure to follow up after the webinar.
There's also a resource widget that we have posted [00:01:00] some information and assets too related to today's webinar topic and particularly the report that we're going to be referencing. If you have any platform issues, refresh your browser, try a different browser. There's also a question mark help widget that should help answer some of the common questions and we'll do our best to help you out as well. We will send an on-demand recording and the slides [00:01:30] within 24 hours after our session.
So with that, I think we'll get started. So, I'm absolutely delighted to have the opportunity to host the webinar today. So, we're going to be talking all things XDR, obviously, a hot topic in the market these days. And we have the privilege of having two experts from Enterprise [00:02:00] Strategy Group, ESG, to help us dissect the topic, Dave Gruber, who's on the research side, and Nathan McAfee on validation services side. We also have Chase Renes from Vision Bank, who we're honored to say is a customer of ours.
And so, between all of us on the call, we want to have a good discussion on what is the actual value and tangible benefits as [00:02:30] a result of adopting XDR. ESG, as we'll go into further has done a lot of research on this topic. And most recently, Trend Micro has commissioned ESG's validation services to do an economic validation report on our Trend Micro Vision One platform specifically so we could confirm the specific business benefits that can be achievable with our solution.
[00:03:00] So we'll walk through the findings there, and throughout have Chase add his own perspective and experience as a customer of Trend Micro Vision One, as well as the multiple Trend Micro products feeding the platform. So with that, Dave, let's maybe do a level set on XDR in general. As I mentioned, XDR has been a topic of study for a while for ESG, [00:03:30] and you've led much of that. Let's start with a little bit of your role and what you've covered from an XDR perspective, and based on that collective research, what have you seen as some of the common findings?
Dave Gruber: Thanks Lori, and I appreciate the opportunity to join the session today and share a little bit about some of our perspective on XDR, and in particular some very detailed analysis of what's [00:04:00] happening with Trend Micro Vision One.
But let me start by saying as an industry analyst, I have an interesting perspective. For those of you who have not spent time with industry analysts in the past, our role that we play in the world is we assess what's happening in the industry, from individual technology perspective XDR is one of my coverage areas. And so, I look at all the vendors who are providing solutions for XDR.
But on the consumption side of the house, I take a look at what [00:04:30] are the challenges that security operations roles are having today. How they're approaching solving those challenges. What kind of tools and technologies. What kind of have been built as part of the security stack to support the security operations role. And then I align that with what's happening from a vendor perspective Trend Micro being one of the leading options for XDR based solutions.
And so, with XDR being a hot topic, as you said over the last couple of years, [00:05:00] I started doing research for this really over two years ago before XDR was a thing. And we were looking at closely at the broader perspective about what does it take to automate the security operations functions?
And as such, we've run a number of formal research projects, one in the spring of 2020, I ran a detailed research initiative to look at the actual challenges that were associated with security operations center. Benchmark companies who [00:05:30] had really the best performance, both in efficacy and efficiency in their infrastructure, and looked at the different maturity levels of organizations, what kind of people process and technology that they were utilizing as part of that process, and then quantify those results to try to actually segment what was happening there.
And then in the fall of 2020, sort of the tail end of last year, when XDR was really getting off the ground, we went out and we took a hard look at, what are people's expectations about [00:06:00] XDR? Are people investing. What do they believe their most important problems are that they want XDR to help them solve? We took a look at who was in the planning phase versus implementation versus sort of already off the ground. And then we're looking for emerging trends that were happening within XDR.
And then later in the winter, earlier this calendar year, we took a hard look at some Trend Micro customers, and [00:06:30] quantified the results of what they're seeing. So it sort of took the same sort of framework in the fall of 2020, and applied it very specifically to Trend Micro Vision One, so we could see how people were doing, meeting their objectives and their goals with this research.
Another research project coming up shortly here, we're doing another assessment of a progress for XDR. Many of the XDR solutions have evolved very, very rapidly. Trend Micro one of those who's just continually [00:07:00] pushing new capabilities into the platform, on a very regular basis. And so that things are moving fast. And so we want to make sure we stay on top of that. And we'll have another research initiative that's coming shortly.
If you're on this call, these five challenges probably resonate with you. They've been sort of major challenges in security operations function for some time now, in addition to a very rapidly changing and [00:07:30] an expanding attack surface, not only from all the craziness that we've seen in the last 18 months about work from home, but also in cloud workloads, and all the different kinds of consumption models that are associated with cloud, multi-cloud, hybrid cloud, it's really made a huge challenge just from a security perspective, to keep up with what's happening there. And of course, we don't know about it, we can't secure it.
Meanwhile, the threat landscape, this is [00:08:00] an ongoing point that I won't really say much about, but not getting any easier from a threat standpoint. The silos of security data has been a problem that really we've been talking about for several years now. But it didn't get better overnight, and organizations are still trying to sort of converge, consolidate systems tools and ultimately data so we can have a more integrated perspective of what's happening.
I know everybody on the call is facing some [00:08:30] challenges associated with cyber skills, and finding the talent and the resources that you need. And for the resources that you do have are likely buried in overwhelming amounts of alerts on the table.
And then, as I use this, really is just a set up, all of these challenges actually play into what XDR intends to solve for individual organizations. And so, we're lucky enough to have Chase [00:09:00] Renes here with us.
Chase, you're a practitioner, you're hands on, and I know you've had time to work with Trend Micro Vision One solution. But talk to me on a broader perspective. Do these challenges resonate with you, and what's a day in the life been for you? Where are your frustrations, and what problems were you looking to solve with XDR?
Chase Renes: Well, as you pointed out, we are a bank, [00:09:30] and the biggest problem with a bank is, we cannot fully staff is what we would need to cover a complete security team. So, we always needed a solution that would kind of help us or hold our hand in that process. The good thing that we discovered about XDR is not only does it... Excuse me.
Dave Gruber: [00:10:00] So yeah, you can talk specifically about XDR, or just sort of the challenges that XDR sets out to tackle, breaking down these silos of data, addressing some of the more advanced or complex attacks as well.
Chase Renes: Yeah. Sorry about that. So, as I said, we only have had about half a team [00:10:30] that should be available. And one thing that Trend Micro offers outside the XDR is an MDR solution, that's managed detection and response. And that's something that's valuable to us, because we're here from 8:00 to 5:00, 8:00 to 6:00, 7:00 to 5:00, 7:00 to 6:00, and have somebody to constantly watch when we're not here, because I can't sit here and watch my phone, sit here and look at all the XDR data that it presents.
And [00:11:00] that's another thing that XDR does, is it puts everything in a single pane of glass, to where we can see at a glance, that we're not to spend my time as I cover many things outside of security. I can just sit there and look and see, here's this journey to take more look or a deeper dive look at this, or I get an alert that's kind of, hey, [00:11:30] look at this. And I can go and click on it. And what XDR only does about, hey, here's an alert, instead of just going and digging in this product or this product, versus XDR takes all that data, and it will present to you in a very, I should say a guess granular or a very easy way to see what's going on.
Instead of having to take an hour or two, I can look in [00:12:00] two minutes or a minute and say, this is what happened, it went from this peer to this computer, or whatever happens along the string of products, and that can be done in two minutes instead of spending an hour, and I can go on working on whatever I was for that day.
Dave Gruber: Yeah, that's great. So that makes a lot of sense. And I hear that often, from practitioners in a sort of, it's often referred to as sort of swivel chair security operations. And what you're talking about here is, is a pretty radical simplification, by bringing the [00:12:30] data together, by visualizing things in a more continuous converged way to simplify the process for you, so you don't have all the heavy lifting from system to system to integrate and bring the data together to try to figure out how to visualize the actual threat progresses as it goes through the organization.
And thanks for bringing up the manage services piece of the equation too. Because as part of this conversation, we often talk a lot about the details of XDR, [00:13:00] but most organizations are employing some amount of managed detection and response services as well. And I know Trend Micro has a great offering there too.
Lori Smith: Yeah. And I would say one of the common challenges that we've heard, and Chase spoke to us about that, having that single pane of glass. And one of the things that so many organizations are, or have been trying to use [00:13:30] SIEM as a way to solve that XDR challenge. And while it can help with some of the challenges in terms of bringing together data from the security silos, it can amplify others like alert overload, and ultimately, isn't fulfilling the need of quick, actionable insight.
Dave Gruber: Yeah. One of the things that in our research that we dug into a little bit was people's perspective on SIEM. For [00:14:00] those of you who have a SIEM and are using a SIEM, many of you probably feel pretty good about it. Lots of you have invested heavily in bringing data together in the context of the SIEM, building custom rules in the SIEM, leveraging rules from others as well, to be able to detect known threats. And then sort of building the whole data pipeline that loads into that.
So, a very significant amount of work we've seen across the entire industry over the last three to four years, with investments to try to tackle [00:14:30] all these same problems, using SIEM as the mechanism to bring all this data together. So in our research, we picked at that, and wanted to know, so, how are people feeling about all this effort?
And while we heard, interestingly, that most people thought that of the tools that they had in place today, that SIEM was, if not the most valuable one of the most valuable tools that they had in their arsenal for threat detection and response. People were facing a lot of challenges [00:15:00] with it.
57%, in fact, said that they had issues either with the operations of the SIEM, with finding skilled resources that were associated with the SIEM, with keeping up with the data pipeline that was associated with the SIEM. So, 58% said they could see room for improvement with the upfront correlation capabilities. And that's much to do with as the tools and the data are continually changing, or being improved to tackle cloud workloads, [00:15:30] and all the other expanding attack surface, then all that data has to get correlated and loaded into the SIEM as well.
So lots of integration related issues on the data pipeline side of the house with 82% saying that they lacked some ease of integration. And we haven't talked about that yet, but bringing all this data together is a heavy lift. Even with many of the SIEM vendors providing out of the box built-in integrations with many of the security tools in the environment. Virtually [00:16:00] all the organizations that we talked to said, "Yes, that's true." But almost all of them required additional customization of the data ingest process to bring that data together.
And so, that's one of the very specific problems that XDR solutions set out to tackle in the industry.
So, I wanted to talk just for a minute about some of the data that came [00:16:30] from our research. In our study that we did last fall, we saw that those people that employed XDR or XDR techniques saw about half as many successful attacks as those who did not.
60% were less likely to report attack repropagation, and so, remember that means that when someone's experienced an attack, that that attack reoccurs within their organization, so people were on top [00:17:00] of that, and were addressing downstream attacks as well.
And then, over two times more likely to detect a compromise in a much shorter period of time, in the same day, or only a few days, versus many days or weeks for those who were not using.
And again, what we tried to do, is we tried to look at, all right, what organizations were having the best results? What tools, techniques, processes were they [00:17:30] utilizing, and then draw a correlation between those people who were using XDR and XDR approach versus those people who were not. And it was very compelling. And that was our hypothesis going into the research. And sure enough, it proved to be true.
Lori Smith: I think the most compelling stat is on your next slide.
Dave Gruber: So yeah. So one of the questions that we asked [00:18:00] was, all right, so for those of you who are employing an XDR approach, without that XDR approach, what do you think? What's the manual labor that's associated with bringing all this data together, correlating it, and analyzing it? And on average, and the number's much higher than this as well, but on average, people said roughly eight full-time equivalents would be needed to replace the automation that's provided by XDR.
Now, that includes [00:18:30] lots of things, that includes both the system administration, the setup, the tools, configuration, the continuous rules configuration, and rules building that's associated plus the actual analytics that are associated. So you have to take a big picture view of this thing, when you're looking at the custom analytics environments that other organizations have built to try to solve this problem. It sort of requires a significant amount of effort across many different disciplines. [00:19:00] So when you look at it in hard numbers, this was a pretty big number.
Lori Smith: Yeah. And to me, it actually speaks to, there's not really a human alternative to XDR that this really sort of represents sort of a new way of working and providing opportunity for analysis and investigations that otherwise would not really be possible.
Dave Gruber: Yeah, Lori, I [00:19:30] think that's right. So when you look at sort of the history of what's happened here is, the complexity of the environment has increased dramatically over the last few years as the complexity of two things, the threat landscape and the attack surface has increased along with it, right? What has that forced us to do? Employ that many more security controls that produce that much more telemetry and alerts, which creates that much more of an overwhelming process to do all this.
So this thing's been building for a long time. And [00:20:00] this is not atypical for what we see where we invest in automation, as things get more complex, we automate more. So for me, this is a bit of a natural progression for what we should be seeing, where automation is following the complexity of the actual challenges that we have here.
Lori Smith: Yeah. So let's shift to you, Nathan. So Nathan, as I mentioned at the top of the call, we commissioned ESG to do one [00:20:30] of your economic value validation reports on Trend Micro Vision One on XDR capabilities. And so, can you provide a little summary of what this study entailed and your role in that?
Nathan McAfee: Absolutely. So, we did the economic validation, which means we studied Trend Micro Vision One with a focus on how it changed the way organizations can reach their business goals.
We [00:21:00] quantified the overall financial impact of adopting Trend Micro XDR solution. We did quite a few one on one interviews with existing customers to uncover how Trend Micro Vision One specifically changed their environment. We discussed their overall experience with a Trend Micro XDR solution. And then we also relied on the expertise of our technical analysts.
ESG has a large group of internal technical analysts like Dave, to make sure that everything that we heard was reasonable, was valid, and aligned with [00:21:30] the research that we've already done. And the result was the EVV, the economic value validation, and the paper pulled all the study findings together, and it broke the benefits down into these three major categories we'll talk about in a second.
And we also use all the different information we could find to create a financial model for a sample company to apply the economic benefits to verify and validate what we heard from the customers. And also to [00:22:00] project what a typical company would find. What economic benefits they would find with XDR.
Lori Smith: So let's talk about some of those benefits. Let's go through the three categories.
Nathan McAfee: Well, the first one's really the core, without security effectiveness, nothing else matters. And we need to have rock solid security. And we heard over and over again, how the security posture took a major step forward, when customers adopted Vision [00:22:30] One.
We heard over and over how customers were finding threats they would have missed in the past. They talked about higher levels of detection, they found more, and they found it faster. As Chase was speaking, he definitely supported that.
A very important performance indicator that everyone that I talked to shared, was shorter mean-time-to-detection. I heard stories of dwell times that went from days or even weeks, [00:23:00] and in one case, multiple months, down to just a few minutes. We talked about what it meant in terms of their security team, how it shifted from, I have to maintain this system and hunt down the risk, to the point now where they're more proactive.
We talked about how it allowed the security teams to be the more strategic. I heard stories of how security and the business groups are coming closer together, because now the [00:23:30] security team wasn't hunting things down, they were listening to what the business goals were, the organization, in figuring out how they can better align to support that.
We talked specifically, fewer false positives was a major benefit. Many shared stories about silencing the noise. If you look at the millions of events, they are passed on to the SIEMs that are broken down to the 10s of 1000s of potential risks, [00:24:00] that with Trend Micro Vision One, were boiled down to the very few the single digit numbers that were the true risks to spend time evaluating and to remedy.
The overall metrics were for our sample company 50% benefit in streamlining workflows, and the automation of manual security processes. And so much of that was again, taking efforts away from, how do I keep something going, and how do I hunt things down [00:24:30] to how I focus on what matters.
A 54% overall benefit and faster investigation. But I took those sample company numbers in each, every one of the interviews that I did with customers, they told me no, that number should be much higher. That we were able to find things in minutes instead of days. In a 70% increase in just overall response time to security event.
One customer told me a story of during their proof of concept, and they're trying [00:25:00] to figure out if Trend Micro Vision One was for them, they uncovered a ransomware, they called a ransomware mess, which is the perfect way to describe it.
He said they were sure that they had been missing it. They found it with Trend Micro Vision One. And another product they were considering at the time, didn't recognize it. Just how quickly it helped them find and locate something that would have a dramatic negative impact on their business.
I love that Chase [00:25:30] called out single pane of glass, because that came up over and over and over about how easy the information was to digest.
I'm an economic analyst, I focus on the financial impact how it changes the way that somebody does business. But I was able to go in and truly understand how simple it was to identify an event, and actually explore through that single pane of glass to find out everything that is impacted and how to remedy. So that was something that came out over [00:26:00] and over.
And one quote that I pulled from Chase's case study, and Chase, I'd love to have you just expound on a little bit. He said, "The best part of a unified suite of integrated products, for identifying suspicious objects, and all that is done automatically, which makes it simple." And the reason I wanted to call this out is, we're going to talk, you're going to hear me say the word complexity so many times to really simplify that complexity. So Chase, can you tell us what that really meant to you?
Chase Renes: I'm going to use an instance, let's kind of [00:26:30] go back a little bit on what you said a little bit ago. You're talking about how it took people a lot less time to find the ransomware or malware in their environment, in which I'll give you an instance that happened to us, actually, two, three weeks ago. And it's not necessarily malware, but I know a lot of other companies will have a third party service, they have a product that they have to get on, and they have to manage, or they do update, or something's wrong with that product and [00:27:00] that company has us as a bank we have to let that company on to a server to fix the issue or updated an issue. And I'm pretty sure that happens for a lot of other companies as well.
But we were doing a core upgrade about two, three weeks ago. And all of our endpoints have to be updated at the same time. And they were working on a script to update [00:27:30] those automatically. And they said, "Well, hey, we'll holler at you when we restart it."
Well, as I'm sitting there, we're doing our side of the upgrade, and they're doing their side of the upgrade. I'm sitting and all of a sudden, well, my email starts blowing up. And before they said, "Hey, we're starting to practice on it." I knew within a minute that they were already running this PowerShell script, and it was trying to populate to all of our endpoints, and Trend Micro said, "Hey, look at this." [00:28:00] Because it was not whitelisted. Nothing about what they were doing was whitelisted. So to Trend Micro it was suspicious.
It was, they were letting me know, hey, this is going on. And so, before the company told me, "Hey, we're working on your network," or, "trying to do this update." Trend Micro told me before they even let me know that they were fixing to do it.
And I know that's not necessarily a malware problem, but you never know when... [00:28:30] I mean, that could easily have been a malicious act on our network. And that just proves the point that, if Trend Micro will show you almost instantaneously that, hey, this happened, go look at it within minutes, instead of saying, finding out days later, or weeks later, or months later, like you said, what was actually happening.
And the funny thing about it is, how you [00:29:00] talked about automation, by the time it was detected, and by the time, before they called us, it was automatically blocked on our endpoints, it was automatically blocked at our TippingPoint, which is an IPS, IDS solution, which sits right in for ingress, egress traffic for 443 or internet traffic.
So I had to start going in back behind them and tell them, "All right, you got to wait because I got to go start whitelisting all your PowerShell scripts, so your BAT files, because [00:29:30] Trend Micro has already blacklisted them."
So to me, this is one example to what Trend Micro Vision One gives you when you start integrating all the Trends products as their host suite and one, and it's just one way to prove to us as a company that invest in Trend Micro that they don't stay stagnant. They're constantly evolving with the landscape, because a hacker, [00:30:00] whatever they're doing or trying, they're not going to stay the same. What's working today may not work tomorrow, well, they're not going to give up, they're going to constantly evolving. They're constantly changing. And Trend Micro evolves right along with them.
They're constantly coming up with ways to let us know as a customer, saying, "Hey, we're constantly staying up-to-date on what's going on in the hacker world," [00:30:30] I guess you could call it. And to us, that's very important.
And I know that's not malware instance, but I can see if somebody, we're also moving our server environment, and they were getting on to do an IP scan, just to see what we had and what our IP addresses were, and what servers we had. Before they let us know, Trend Micro told me, "Hey, somebody scanned in your server network, is this known?" [00:31:00] And of course, we called them and it was supposed to be... Simple stuff like that as an example. I'm sorry, I kind of rattled on.
Nathan McAfee: No. But you told us a great story. Plus, you hit something right on the head that I've heard from a few of the customers. We talked about how they no longer have to spend a lot of energy, keeping things running. It just ran, they could do it. But they said the easy thing is to teach a junior security person how to remediate.
There's a few different methods [00:31:30] you would use when you understand that the hard thing is to get a junior person to be able to recognize the bad actors. And I think you hit on right then, and it expands beyond that story of what customers Trend Micro Vision One say they're able to do, and we'll get to that in a minute or so. But it's the ability to empower less expensive, less experienced, easier to find, or junior people to be effective security professionals. And that was a big part of the story I've heard from quite a few customers.
[00:32:00] And then that rolls into the quote that's on the screen. I love this quote, "The reduction in complexity has led to a reduction in human caused errors of over 25%. It gives us faster detection and remediation."
But I was really going in with my interviews and focusing on, what are the risks? What are the problems? And I had a few stop in saying, "Stop, you need to understand that security is not an exact science. Security is recognizing, and understanding, and coming up with methods [00:32:30] to remediate. And there's a lot of human error in that." And some of it is just, hey, this first time we've seen it, some of it is inexperience.
And we didn't get to the point of quantifying the value of reducing human caused errors by 25%. But everybody that I spoke to said, "Yes, that's accurate. That's true. And it is a big difference." So I think that sort of piggybacks on the comments that you shared, Chase.
Then we also when we look at security effectiveness, [00:33:00] we talked about things that we didn't quantify in the study. Things like higher job satisfaction, people that were used to working nights and weekends to be able to be home with their families, because everything was easier, or more concise. The empowerment of junior people, which we just mentioned. And how security's become an asset, not a business hurdle. That specifically because of Trend Micro Vision One XDR, they were able to go to business units and say, "How [00:33:30] can we help you reach your goals?" Not, "Here's the hurdle you must get over to approach an opportunity." And that's the next thing we're really talking about, is business enablement.
And I say complexity over and over and over because it consistently came up in every conversation, the complexity and the risk in opening a partner portals, sometimes constrained business. There was this hurdle you had to get over, and if it wasn't quite valuable enough to get over the hurdle, we might walk away from that opportunity. We [00:34:00] might not partner with that. We might not extend access to a contract or a short term business opportunity. And we miss out on some value.
I heard stories of conservative growth plans, specifically, because of the challenges of making sure the change didn't alter their security posture.
I've heard examples of how Trend Micro Vision One made it easier to expand, not just with partnerships and acquisitions, but you could stretch the boundaries of a traditional office, and then I certainly heard stories of forced changes with COVID. [00:34:30] How rapid changes had to happen first with the employee base, then the customer base, then general business in general. And how Trend Micro Vision One they said, it would take us months to do the planning we were able to do in days with Trend Micro Vision One.
I heard quite a few stories about companies able to streamline operations because they lowered the risk of that rapid change.
And then we get into [00:35:00] costs or cost reduction. In customer sharing, their overall security spend has gone down an average of 50%. We've got some great quotes, when they've shared, that the average company said it would take us about eight FTEs to duplicate what we get, the value we get from XDR.
We've got the quote, "Our overall product spend has gone down almost 50% when you look at all the products Trend Micro has replaced." [00:35:30] We have another quote, they said a company estimated that they have Trend Micro Vision One managed services, their security spend would be five or six times if they tried to duplicate all the capabilities that Trend Micro Vision One managed services gave them.
So in our EVV report, we modeled a sample company. We used 2000 employees using 3400 devices. And found they saved an average of 63% when [00:36:00] you compare it to Trend Micro Vision One to an ad hoc system. And then when you look at the added capabilities of Trend Micro managed XDR, the savings jumps to 79%.
So Chase, when you guys adopted Trend Micro, was cost one of the driving factors, was security posture? When you look at your true pain points, what pushed you towards Trend Micro Vision One?
Chase Renes: Both were. Cost [00:36:30] is always going to be everybody's biggest, or I would assume be a big deal. The thing that drove us to Trend Micro was, I know this is a little bit different point you were making. But we looked into the same solution by another vendor, the kind of EDR solution.
We are a smaller bank, we're about 240 employees, [00:37:00] around there. Most of these, or at the time most of these solutions were offered, I would say five, six, seven times the price that we were quoted for Trend Micro. And I know you're talking about employee cost reductions. But I think it's also a good point to point out that Trend Micro also has, [00:37:30] they offer all these products, and sometimes people think, well, this is for high large enterprises. Well, they also have it for smaller people like us. Resolutions affordable ways to make it work for us the same way as a large enterprise does for your small medium businesses.
And outside of what you're talking about for MDR, that saves us. It [00:38:00] saves us at least one or two people. And that's a lot for a bank our size. And you saw about the MDR. I've talked about earlier where it's 24/7. Somebody watching rate five. Then another thing is, as a bank, we get audited. We have to report to regulators.
And another thing MDR offers is reporting. They do a quarterly or a monthly report. And you can have it set up to anything that is in your XDR. And these reports [00:38:30] are something that saves hours for us. I know there's reporting capabilities inside of your one offs on, it picks one and so forth. But just the MDR they'll tell you what they solve, they'll tell you what they did, if it was flagged for critical or hot. And these reports are not just your basic executive, they're a detailed full audit report for either the month or the quarter, whichever way you have set up. And that is a huge time saver.
[00:39:00] It practically does away with even the audit prepare you have to do when you are getting audited. Because you have to give the examiners or somebody a huge list of items. And when it comes to Trend Micro, all I do is copy and paste these XDR reports, and it's fantastic. It saves us tons of time.
Now, I know we didn't really touch on reporting, but it goes back to [00:39:30] instead of me sitting here all day long, putting together reports and putting this and that together, and trying to explain what this did and this that to the others, I just print it out, throw it to them and I can continue working on something else, instead of having to spend my time doing other things.
Nathan McAfee: I also heard in an interview about reporting, not only did it save the time, as you just mentioned, but it [00:40:00] upped the person's level of certainty of the information in the report. He talked me through there were so much at stake for getting these things just spot on right. And his level of assuredness that the information I'm providing is completely accurate and went up because Trend Micro Vision One. Do you agree with that?
Chase Renes: I agree with that, because... Here's another thing. Thankfully, we have not had our share of [00:40:30] malware and ransomware issues as much as other companies have. I'm sure. Sometimes you wonder, is it really doing anything? I mean, what is it doing? I mean, I'm not trashing or trying to say anything bad. What I'm saying is, when you see the report, or if you could start going into the backend things of the XDR, because there's a search capabilities inside XDR. I don't think [00:41:00] I saw where you could talk about that. I mean, you can get into the details upon details about it inside XDR for people who want to do their investigations. The capability is there.
But when you get these reports, you're going to go, okay. It will not just say, "Everything's fine." If there was no malware for that month, it's not going to say, "Everything's great." Give you two thumbs up, and that's it. No, it's going to give you the same amount of pages, and it's just details after [00:41:30] details, and categories after explaining this, or, hey, here's this list of things.
And it's reassuring to know that, hey, Trend Micro is truly watching our back. Second pair of eyes. 24/7, and it's a comfort feeling, it's an ease of mind feeling for us. I know 100%.
Lori Smith: I love that Chase.
Nathan McAfee: Oh, go ahead Lori, sorry.
Lori Smith: I was just going to say I love [00:42:00] that. I think for us, what I was really happy to see coming out of this research, and that's been echoed by Chase, is really the value that Trend Micro Vision One can bring to that security team, to even the individual analysts in terms of how they do their work, how they can contribute. Obviously, a lot of the benefits that we've talked about is talking sort [00:42:30] of organization wide, but really as a result of the analyst having the tools, and possibly the supporting services like our MDR, just the ability for them to do their jobs better, right?
We profess Trend Micro Vision One as being able to narrow in quickly on what's critical, being able to investigate with context or have that context and that reporting in terms [00:43:00] of what's happening in their environment. Being able to respond completely and directly, and all from a single place. And so, I was really happy to see that proven out, and I love hearing Chase's examples, just showing that, that even with sort of limited IT teams, or security teams, that we've got the tools and the services to [00:43:30] really provide a level of contribution and security maturity for the organization.
Dave Gruber: Yeah. Lori, hey, one of the things I heard too, that's really worth pointing out here is, and I think this is the point you were just making, is, as a small company, when you use Trend Micro Vision One, you can be equipped with many of the same level of capabilities and security maturity that larger companies, only [00:44:00] those companies that had big budgets, lots of resources and skills, you're providing a solution here that's really upping the game, upping the security posture for smaller companies who otherwise may never have been able to get there.
Lori Smith: Yeah, exactly. And so, at Trend Micro we've got a wide range of sort of customers using Trend Micro Vision One, and we do have the very large mature organizations [00:44:30] that are leveraging XDR as sort of incremental value and helping streamline processes. And it complements their use of SIEM and adds value to that. It fits within that broader ecosystem.
And then we have all the way down to the sort of the smaller organizations, and Vision Bank in particular is a smaller one, but given it's a bank has sort of a high security needs, and so [00:45:00] they're leveraging our managed XDR service, as sort of relying on us to stay on top of their environments for them, and to provide the resources and the expertise that they may not have in house. So there's the full range of where XDR, so it can fit depending on the use case.
Dave Gruber: Excellent. It makes sense. And I talked to companies every day that [00:45:30] are very, very large, who want this as bad as the smaller companies do. I mean, you're right, it's a scale issue. And even though large companies have lots of expertise, lots of money that they put in their teams, the potential impact that a mechanism like this can provide a larger company, the numbers just get bigger.
Lori Smith: Nathan or Dave, anything surprised you in any of the results? Anything that you weren't expecting, [00:46:00] or was it pretty validating in terms of what you've seen from the sort of broader XDR?
Nathan McAfee: I had a couple. As part of our process, the interviews are isolated or insulated. Trend Micro is not part of our customer interviews, and the customers generally open up and they're honest with us. One question I always ask when I talk to them about certain products or platforms, if costs were an issue, everything costs $0, [00:46:30] would you still adopt it? Every single one said, "Oh, yes, Trend Micro Vision One has changed us."
And then if you look at the three areas that we discussed, security posture, enablement and cost, we had sort of a trifecta, because every single person that I talked to, it wasn't 70, 80%, every single company or person that I talk to, says, "Yes, we are more secure. Yes, this has changed the way we do business, [00:47:00] this has opened up, this has turned us into a strategic asset instead of again, our hurdle. And it is so much easier to use, and it cost less."
So that surprised me. It's rare when I have one where every single interview that I do, all three of my major benefit buckets. Some say, "Well, is about the same. Is a little more. Is a little less." Across the board, every person I've talked to in all three big benefit areas were a [00:47:30] strong yeses, it has changed the security in our products.
Dave Gruber: Nathan, just for me, the business enablement piece is the piece that doesn't get talked about enough. We regularly talk about efficacy and efficiency associated with any different type of security solution.
We don't often talk about business enablement, that third dimension is a really critical part of the conversation, when organizations feel like they have [00:48:00] eyes on every asset, every capability, that they have the confidence that when risk occurs, they're going to have visibility to it, and they're going to be able to do something about it. It frees them to be able to go off and invest.
So it's the other side of the equation, we often look at security as it's an expense driven investment. What you're talking about here is, with this type of investment, it's actually an enablement, and it's on [00:48:30] the other side of the business equation, which is just terrific to see.
Nathan McAfee: Especially is amplified by the forced rapid changes with COVID. In addition to how do I manage my employees, how do I work with my vendors? The rules have changed across the board. And if I had a traditional security platform, I'd have to work through all these different vendors, and systems, and devices and policies. And it seems like a very, very, very hard [00:49:00] task. And if people at Trend Micro Vision One said, "It was simple, it was easy, and it allowed us to change on a dime when we needed to change, because the rules changed."
Lori Smith: And I would say one of the key influencing factors for that business enablement, which we've touched on a little bit, is that vendor solution consolidation, right? And obviously, [00:49:30] third party integration is critical, you need to fit within an ecosystem and have it all work together, but where there's opportunity to capitalize on consolidating, there are significant business benefits to doing so.
And I know, Chase that was a consideration in your organization's decision making. And I think it's interesting how we sort of shifted from this best of breed to what can we do [00:50:00] from a sort of integrated platform perspective?
Chase Renes: The guy who's taught me a lot, he would be my boss. We agreed always on one thing, never have all your eggs in one basket. You have layers, upon layers, upon layers, upon layers, and those layers upon layers were usually, you get this product, go with a completely different product, and go [00:50:30] with a completely different product. And by that time, I'm not trying to backtrack, but you're looking at 15, that may be exaggeration. Three or four different dashboards, and then you're having to put that together in your head.
To me today, that path has changed, and XDR is the reason why. Is because more you feed into it, the better it is. Not only with its own products, but [00:51:00] some people wouldn't want their IPS, IDS solution to be the same as their AV solution, or their whitelisting solution, but so forth. But the more Trend Micro products, the more data you can give XDR, better it works.
And not only does it work so well within itself with its own products, you can also feed in other data. I'm [00:51:30] pretty sure almost everybody is, not everybody, I should say majority of people are moving to Office 365, if they haven't. And XDR integrates with Office 365. They have a direct API integration to Exchange, it's not a hop, it's not a flow in traffic, there is a direct integration.
And they also do have the flow and traffic, but I'm sure we'll [00:52:00] talk about that some other time. But my point is, not only can I put in what it's seen through Exchange with its cloud app security, or with its SharePoint or OneDrive, or Teams, all that's covered. But it will take in your Azure Active Directory data. And to us, that is huge. Because if you give it an admin account, I mean, the data it constantly feeds in and [00:52:30] the correlation between it, what it sees what's going on with your users, and see what's going on with Office 365. And we're not even a hybrid.
I know most companies are hybrid for Office 365, but our practice, what we believe in is, we want to keep our Office 365 password separate from your internal ID separate. So some may get your Office 365, VPN, all that separate.
But even [00:53:00] with that being separate, correlation that it still does is phenomenal. And you may think, well, you can do your Office 365, and I think there's one for... Well, I don't want to say because I don't want to over speak and then be wrong. Because they have another stuff like Office 365 they can integrate with. I know Dropbox, because we use Dropbox.
But another thing they also do is sharing suspicious objects with other [00:53:30] security vendors. And to me, that's huge. That's not them saying, "Buy our product or we won't... Buy all our stuff." To me that's them saying, "Hey, we want to do what's best for you, we'll work with this vendor, and we'll work with this other security vendor."
You don't have to have, or if it's something we don't even offer, like for instance, a firewall. A true firewall, they're integrating firewall things, and [00:54:00] now we'll get into the depths of that because... But feeding constant data from other products, and other security vendors, and are allowing sharing of suspicious objects with other security vendors. To me, Trend Micro is not more of a me show, it's more of the help you and more data you give them, the better it works. I mean, it's constantly updating.
[00:54:30] For instance, our firewall wasn't on there, and then I looked the other day, and I was like, "Oh, look, our firewall company is now on there. And it's something I can't wait to get working, and see how it works together." But I'm sorry if I rambled on, but it's something that I feel like our landscape has changed instead of having completely different vendors.
You want a central data collection [00:55:00] of data. And you want a centralization of all data being fed to one place. And the more you feed it, I'm telling you, it's going to help you, hands down.
Lori Smith: Thank you for that Chase. I think that's a fantastic place to end. I appreciate everyone sharing their view. We've just got a couple of minutes for questions. One came in here that [00:55:30] maybe I'll throw over to you, Dave, and Nathan, or Chase you can follow up if you have anything else to add.
But where do you think we are in terms of the market understanding of XDR? Is it still a buzzword, or do you believe companies are understanding the definition and the difference in what vendors are offering?
Dave Gruber: Yeah, I'll take that one. So I'm actually happy that we're [00:56:00] starting to zero in on the foundational aspects about what XDR needs to be, needs to have. There's lots of XDR solutions in the marketplace today, and everybody has their own spin on what XDR features make up the best solution set. But I'll say, the core of the equation comes down to data ingest from all the security telemetry, [00:56:30] aggregation, correlation, and analytics is the power of it all. And the richer the analytics, the better solution set, but it doesn't stop there.
As mentioned throughout the session, the ability to aggregate, or correlate, and then visualize, which is super important and take the complexity out of it to help the analyst get clear eyes on what's actually happening, is a critical part of the solution set.
And then the ability to respond, [00:57:00] and with some level of automation is also a critical component. So I think we're landing on what the core of the XDR solution set. Trend Micro, you've been out in front with this thing for a while now. You're one of the very earliest players to go after this opportunity, so you have a bit of a head start. You guys also have at some level a broader perspective with Trend Micro Vision One than the average XDR provider has in the marketplace. And so, while your solution, [00:57:30] you could quibble over one feature, another feature that some other vendor may bring to the table, you're delivering on all the foundational core aspects in a very integrated type fashion, and presenting that in a relatively turnkey approach, so that organizations can recognize these types of benefits.
Lori Smith: Yeah, that's great. And we're seeing too, as you said, we were one of the [00:58:00] first sort of with an entry into the XDR market. And we are seeing now sort of kind of landing on sort of some general understanding of baseline of what an XDR solution should be delivering.
We obviously started with a lot of education, right? Us sort of sharing with the customer and the prospects what XDR is, what it can do for them. And [00:58:30] we're now really seeing like that inbound inquiry, and the inbound interest. So understanding what they need and what XDR can deliver for them. So yeah.
Dave Gruber: Absolutely. And I just want to say, Chase, thank you so much for sharing all the anecdotal stories that you did. Because it takes the perspective of, sometimes even as analysts or vendors, we're very narrow and we're building these [00:59:00] tools for very specific reasons. You brought to bear a number of use cases that don't often get talked about enough when it comes to solutions like this. And so, we really appreciate your perspective there.
Chase Renes: Yeah, thanks for having me.
Lori Smith: Yeah, I would echo that, Chase. Thank you so much, and Nathan. And we've got a couple of questions that are a little more Trend Micro Vision One product specific. So I can follow up offline on that. So, [00:59:30] stay tuned for those that have asked those questions.
But thank you everyone, for your time and joining us today. Thank you to our presenters here. I appreciate the insight. And Chase, again, thank you for sharing some of that individual perspective.
I hope everyone has a great day. Again, the copy of the slides are in the resource widget, and we will be sending out an on-demand version [01:00:00] recording of this presentation within 24 hours. So, I appreciate everyone, and thanks so much. Goodbye.
Chase Renes: Bye everyone.
Nathan McAfee: Goodbye. Thank you.