Trend Micro Vision One - Integrating Proactive and Reactive Cybersecurity
Trend Micro is delivering proactive cyber risk reduction and security operations capabilities within a single platform called Vision One. From XDR and identity threat detection and response (ITDR) capabilities to Attack Surface Risk Management (ASRM), the platform promises to operationalize risk management and let all types of stakeholders benefit: from SOC operations teams to the CISO and other executive stakeholders.
We've looked more into the details and tested the platform.
Cyber Attacks and the Attack Surface
Cybersecurity is still mostly a reactive practice - detection and response being the current mantra. Yet cyber attacks exploit weaknesses that are inherent in an organization's infrastructure for a long time - often considered the normal state of affairs.
The weaknesses become apparent only after the attack. Even if antimalware, network protection or Security Operation Center (SOC) capabilities are in place, the attacks are successful because the organization is not aware of the underlying risk factors that need to be continuously identified, prioritized and mitigated.
For example, consider ransomware: it is perhaps the most visible pain and it illustrates the case in point. Post-breach analysis invariably shows some recurring risk factors are driving ransomware:
Poor authentication and identity protection, i.e. password-only authentication without Multifactor Authentication (MFA). Credentials are "low hanging fruit" for attackers, so they mostly "log in" rather than "break in".
Employees not resilient to social engineering attempts, for example Business Email Compromise (BEC) scams. This applies not only to "ordinary" users, but increasingly to service desk personnel (see the MGM Resorts attack here).
Internet facing remote access assets such as RDP servers or VPN boxes. These are now routinely exploited in-the-wild even before vulnerability disclosure, let alone patching (see here).
Finally, legacy IT infrastructure such as the omnipresent Active Directory or VMware makes the attack surface exceptionally large: these systems are very hard to defend once initial access is established, allowing attackers to use "living off the land" techniques to persist and spread laterally inside the organization.
It's evident from the above that the usual reactive detection and response approach is not enough. One needs to build a complete picture of the environment, keeping an always up-to-date asset inventory and continuously re-evaluating the risks which arise from in-house weaknesses and external threats.
Combine that with the criticality (or impact) of each asset and you have a risk management framework. This is in essence the approach taken by many recent regulations such as NIS2 in the EU.
Vision One implements this approach in practice, by integrating detection and response (XDR) capabilities across a range of protection points and telemetry sources, with attack surface risk management (ASRM). The idea is to make cybersecurity a more proactive exercise, where all stakeholders are focused on continuously reducing the underlying risk factors, making an attack less likely to succeed.
Extended Detection and Response (XDR) - the Protection Workhorse
To illustrate how this works in practice, we connected several typical infrastructure elements within Vision One.
First, Windows endpoints: we've chosen to deploy a very lightweight and unobtrusive agent called Sensor. The platform also offers the possibility to install a full antimalware and XDR agent, but the Sensor provides plenty of actionable telemetry as well. It is also useful if you have already invested in endpoint antimalware, since the Sensor can co-exist with it without breaking the OS.
The XDR Sensor on the endpoint quickly identified risks such as unpatched vulnerabilities which have recently been exploited in the wild. It also allows forensic search of all relevant artifacts on a typical endpoint: for example, quickly find out which applications or programs have been run, or which emails have been opened on a particular endpoint.
We also connected to a Microsoft 365 Exchange Online tenant, to provide inline and real-time email scanning against email threats, based on direct API connectivity to Microsoft 365. The platform also supports Google Workspace or standard SMTP filtering based on MX record redirection (useful for any other email system). There are also ways to integrate existing Trend Micro on-prem protection products. Notably, the platform also allows integration and protection of collaboration environments such as OneDrive/SharePoint, Microsoft Teams, Google Drive, Box and Dropbox.
As the platform integrates disparate sources such as email flow, identities and endpoints, you can quickly answer the typical question when a suspicious phishing email gets delivered: who opened it and which accounts and endpoints were affected (as pictured below).
Detection and response is something Trend Micro has been doing for some time, so no wonder malicious operator activities get noticed, typically once a ransomware operator is inside an Active Directory network: credential dumping or copying the Ntds.dit file in the case below.
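The kind of detection the review describes on the endpoint side, copying of the Active Directory database (Ntds.dit) by an operator who is already inside the network, can be expressed as a small rule set over process-creation telemetry. The following is an added example, not Trend Micro's detection logic or any code from the review: it runs two simple rules over constructed JSON-lines events (the field names, the backup allowlist and the sample events are assumptions for this example) and reports which events an analyst should look at first.

```python
import json
from pathlib import PureWindowsPath

# Constructed process-creation events in a simplified JSON-lines shape. They are
# sample data for this example, not telemetry from the review's environment.
SAMPLE_EVENTS = r"""
{"ts": "2024-03-02T10:14:05Z", "host": "DC01", "user": "CORP\\svc-backup", "image": "C:\\Windows\\System32\\wbadmin.exe", "parent": "C:\\Windows\\System32\\services.exe", "cmdline": "wbadmin start systemstatebackup -backuptarget:E:"}
{"ts": "2024-03-02T10:20:41Z", "host": "DC01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\ntdsutil.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "ntdsutil.exe <arguments omitted>"}
{"ts": "2024-03-02T10:22:03Z", "host": "DC01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\xcopy.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "xcopy C:\\Windows\\NTDS\\ntds.dit C:\\Users\\Public\\"}
{"ts": "2024-03-02T10:25:00Z", "host": "WS01", "user": "CORP\\asmith", "image": "C:\\Windows\\System32\\svchost.exe", "parent": "C:\\Windows\\System32\\services.exe", "cmdline": "svchost.exe -k netsvcs"}
"""

# Images that are expected to touch the AD database as part of legitimate backups.
# Assumption for this example: tune this to the backup agent actually deployed.
BACKUP_IMAGES = {"wbadmin.exe"}
# Parents that indicate a human typing commands rather than a scheduled job.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so rules are path- and case-insensitive."""
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list:
    """Apply the rules to one event; returns (rule_name, severity) pairs, empty if benign."""
    image = _basename(event["image"])
    parent = _basename(event["parent"])
    cmdline = event["cmdline"].lower()
    alerts = []
    # Rule 1: the AD maintenance tool itself is rarely run by hand on a healthy DC.
    if image == "ntdsutil.exe":
        severity = "high" if parent in INTERACTIVE_PARENTS else "medium"
        alerts.append(("ntdsutil_execution", severity))
    # Rule 2: anything other than the backup agent naming the database file.
    if "ntds.dit" in cmdline and image not in BACKUP_IMAGES:
        alerts.append(("ntds_dit_referenced_by_non_backup_process", "high"))
    return alerts


def scan(jsonl: str) -> list:
    """Run the rules over a JSON-lines feed and return enriched alerts in event order."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule, severity in evaluate(event):
            findings.append({
                "ts": event["ts"], "host": event["host"], "user": event["user"],
                "rule": rule, "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On the constructed feed the backup job and the workstation service host produce nothing, while the two interactive events on DC01 each raise a high-severity alert. In a real deployment the allowlist is the part that needs care: a backup agent that is not listed will page the SOC on every nightly run, and an agent that is listed too broadly hides exactly the activity the rule exists for.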
Identity Threat Detection and Response (ITDR)
To further enrich the threat and risk model Vision One is now building for us, we also connected an Azure Active Directory (now called Entra ID), which is our identity store. Of course, we could have connected an on-prem Active Directory as well; the point is that identity is the largest part of the attack surface. That's why Identity Threat Detection and Response (ITDR) is increasingly featured in many vendors' portfolios.
This integration provides the telemetry from Active Directory, highlighting issues such as accounts with excessive administrative privileges or those without multifactor authentication (MFA) enabled - see below.
Also, identity integration allows Vision One to track telltale signs of intrusion, or at least activity worth investigating: a user performing actions on other administrative accounts, such as resetting passwords or disabling admin accounts, etc.
The identity threat response mechanisms allow administrators to take some proactive measures such as logging users off or preventing them from logging on to applications or devices.
Cloud Posture Management
We've also connected Vision One to a Microsoft Azure cloud tenant. This serves to illustrate a typical IaaS or PaaS environment an organization might have both on-premises and in the private/public cloud. The discovery allows us to quickly build an asset inventory of virtual machines (servers), SQL servers and other IaaS and PaaS services hosted within the environment.
This information is then fed into the risk model, contributing to the overall risk score. In our case, Vision One quickly identified database servers with unrestricted access from any IP address, storage accounts with no protection from accidental deletion, virtual machine disks without encryption, etc.
Internet facing Assets
Vision One also allows for scanning the internet facing attack surface. In this case, you might want to input domain names and select public IP addresses, for example publicly exposed VPN remote access points or web applications. The idea is to regularly scan these assets for open ports and vulnerabilities, and plug that into the overall risk assessment model.
Vision One detected here assets with weak or deprecated TLS protocols, web servers with self-signed certificates, unexpected open ports, etc.
Security Awareness - Addressing the Human Factor
As seen earlier, the human factor is the primary driver of attacks: phishing and other social engineering techniques are responsible for the vast majority of breaches. Precisely because detection and response technology keeps improving, attackers will rely more and more on the weaknesses and unpreparedness of employees.
Therefore, strengthening the capacity of employees to resist cyberattacks becomes perhaps the most important segment of cybersecurity. That's why Vision One now also includes the capability to run phishing simulation attacks and training campaigns.
Security awareness is not a one-time education effort but an integral part of a continuous process or service delivery. This process of monitoring and tracking progress with employee susceptibility to phishing is fed into the Vision One threat model and affects the risk score.
Business Email Compromise (BEC) and other types of scam are inflicting significant monetary damage on many organizations. It is difficult to defend against those threats by relying solely on protection technology such as email filtering. One needs to strengthen the resilience of the human factor, namely the employees.
That's why training and phishing simulations delivered from a converged risk management platform such as Vision One are a welcome approach.
Finally: Proactive Risk Management
Now that we've integrated so many protection and telemetry points, it's time to get some actionable insights.
That's where Attack Surface Risk Management (ASRM) comes into play. This functionality groups the attack surface into several areas: devices or endpoints, accounts or identities, internet facing assets, cloud assets and applications used.
All of those areas are continuously tracked and risk is recalculated based on new information, such as risk mitigation measures implemented by the organization, or newly discovered threats, vulnerabilities and misconfigurations.
To communicate all this complexity to executive stakeholders, a risk score from 0 to 100 is tracked across time, giving an instant gauge of the current cybersecurity posture of an organization. The methodology here is loosely based on NIST SP 800-30 and MITRE ATT&CK; check the details here.
The operations dashboard is what gives the ability to react, i.e. implement risk reduction measures based on actionable information and advice provided by the platform. This is where cyber risk management gets operationalized.
The platform clearly visualizes and points to the key risk areas that need our focus, i.e. the "low hanging fruit" that needs to be addressed to quickly and most effectively bring the risk down.
In our admittedly very simplified case, Vision One pointed to some key areas for improvement: the biggest contributor was of course suspicious activity found on an endpoint (credential dumping) indicating typical ransomware operator actions within an environment - so this requires immediate attention. Another high risk factor was an endpoint which lacked some recent Windows updates, making it vulnerable to some exploits used in the wild. Resuming Windows Updates on that endpoint visibly reduced the overall risk score, as you would expect. Also, cloud asset misconfigurations (databases accessible from any IP address) and some internet facing assets with exposed ports were highlighted.
Although it's an oversimplified scenario, this gives you an idea how the platform can quickly implement a continuous risk management process. Also, our scenario already includes hundreds of telemetry points and it's easy to see how this complexity can overwhelm even the most resourceful organizations. Precisely because of this, Vision One simplifies the whole experience and drives all the stakeholders in the right direction, addressing the most important risk contributors first.
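To make the mechanics of such a score concrete, here is an added worked model, written for this review and not Trend Micro's ASRM methodology or scoring: an asset inventory tagged with the review's attack-surface areas, findings scored as severity x likelihood x asset criticality (the NIST SP 800-30 shape the page mentions), a 0 to 100 gauge, and a ranking of the "low hanging fruit". The assets, findings, weights and the squashing function are all constructed assumptions; the scenario mirrors the lab in the review so that resolving the missing-updates finding visibly lowers the score.

```python
from dataclasses import dataclass

# Attack-surface areas named in the review. Everything numeric below is a
# constructed assumption for this example, not Trend Micro's scoring.
AREAS = ("devices", "accounts", "internet_facing", "cloud", "applications")


@dataclass
class Asset:
    name: str
    area: str
    criticality: int  # 1 (low impact) .. 5 (crown jewel), set by the asset owner


@dataclass
class Finding:
    asset: str
    title: str
    severity: int      # 1..10: damage if exploited
    likelihood: float  # 0..1: e.g. 1.0 when the weakness is exploited in the wild
    resolved: bool = False


def finding_risk(f: Finding, assets: dict) -> float:
    """Risk of one finding: severity x likelihood x impact, zero once mitigated."""
    if f.resolved:
        return 0.0
    if f.asset not in assets:
        raise KeyError(f"finding refers to unknown asset {f.asset!r}")
    return f.severity * f.likelihood * assets[f.asset].criticality


def area_risk(findings: list, assets: dict) -> dict:
    """Sum risk per attack-surface area so a dashboard can show where it concentrates."""
    totals = {a: 0.0 for a in AREAS}
    for f in findings:
        totals[assets[f.asset].area] += finding_risk(f, assets)
    return totals


def overall_score(findings: list, assets: dict, scale: float = 50.0) -> int:
    """Squash the unbounded risk sum into a 0-100 gauge.

    `scale` is the raw risk at which the gauge reads 50 (a constructed tuning knob).
    """
    total = sum(area_risk(findings, assets).values())
    return round(100 * total / (total + scale))


def top_contributors(findings: list, assets: dict, n: int = 3) -> list:
    """The 'low hanging fruit': open findings ranked by how much risk fixing them removes."""
    ranked = sorted(
        ((f.title, finding_risk(f, assets)) for f in findings if not f.resolved),
        key=lambda pair: pair[1], reverse=True)
    return ranked[:n]


def resolve(findings: list, title: str) -> None:
    """Mark a finding as mitigated (e.g. updates installed) so the score is recomputed."""
    for f in findings:
        if f.title == title:
            f.resolved = True


def sample_environment():
    """Constructed inventory mirroring the review's lab: one endpoint, one admin, one DB, one VPN."""
    assets = {a.name: a for a in [
        Asset("ws01", "devices", 3),
        Asset("admin-jdoe", "accounts", 5),
        Asset("sql-prod", "cloud", 5),
        Asset("vpn-gw", "internet_facing", 4),
    ]}
    findings = [
        Finding("ws01", "Credential dumping observed", 10, 1.0),
        Finding("ws01", "Missing Windows updates for exploited CVE", 8, 1.0),
        Finding("admin-jdoe", "Admin account without MFA", 9, 0.6),
        Finding("sql-prod", "Database reachable from any IP", 7, 0.6),
        Finding("vpn-gw", "Deprecated TLS 1.0 enabled", 4, 0.5),
    ]
    return assets, findings


if __name__ == "__main__":
    assets, findings = sample_environment()
    print("score before:", overall_score(findings, assets))
    print("fix first:", top_contributors(findings, assets))
    resolve(findings, "Missing Windows updates for exploited CVE")
    print("score after patching:", overall_score(findings, assets))
```

Two design points carry over to any real scoring scheme: the gauge must be bounded so that an executive can compare this month with last month (hence the squashing function rather than a raw sum), and a finding's weight must depend on the asset it sits on, otherwise a TLS 1.0 setting on a test box ranks the same as one on the VPN gateway.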
Vision One: Easy Procurement and Consumption
As consolidation is the name of the game, you can expect Vision One to include many functionalities we haven't even touched on. Notably, this includes a ZTNA offering for securing employee internet access, but also enabling private access to on-prem applications without exposing risky VPN inbound ports.
The platform is regularly updated and introduces new features, as well as new integration points for third-party vendors (see here). In case an out-of-the-box integration is not available, Vision One offers an API which can be used for custom automation scenarios, but also to bring external data into the risk and threat model.
As outlined above, the platform is addressing all the typical sources of risk and attack enablers we've mentioned at the beginning of this review, and that's not an easy proposition. This usually comes with a complexity that translates into operational costs and complicated purchasing. Users and partners are usually put off by both the usage and purchasing complexity: multiple management consoles with complex bundles and pricing.
With Vision One, that's not the case. Trend Micro uses so-called Vision One credits, a common subscription licensing unit that eliminates the need to purchase, activate, and manage several individual licenses or functionalities. For example, you can combine email and endpoint protection with ASRM, decide to reallocate that to cloud posture management, or simply increase the credit amount to expand platform coverage (see more on that here).
Whether you are a partner or an end-user, Vision One offers a compelling platform approach to cybersecurity and cyber risk management. The level of consolidation and functionalities covered, paired with a flexible consumption model is rarely seen in the industry. In fact it's easy to get started and see for yourself, just apply for a 30-day full access trial here.