
Trellix Improves Query Speed While Reducing Costs to Deliver Better Endpoint Security

By building its cybersecurity platform on Snowflake, Trellix has accelerated investigations and lowered costs while offering richer insights to its customers.

KEY RESULTS:

  • 45x improvement in query speed over the previous event search cybersecurity tool

  • 25% reduction in cost

Industry: Cybersecurity
Location: Milpitas, CA
Innovating to better meet evolving customer needs

Trellix, a well-established cybersecurity company with more than 40,000 global customers, has built an open and native platform for extended detection and response (XDR). Its endpoint detection and response (EDR) solution gathers telemetry from customer endpoints worldwide to identify malicious behavior. To keep pace with customers' evolving needs, Trellix's unified platform, built on the Snowflake Data Cloud, delivers greater speed, scale and performance.

“The need for data retention is drastically different for monitoring and incident response (IR) use cases in the cybersecurity industry,” says Ashok Banerjee, senior vice president of XDR engineering at Trellix. “Monitoring use cases often look back three days or fewer, while IR use cases look back 270 days or more. Snowflake enables architectures to support dramatically longer data storage with its ability to scale storage and compute costs independently.”

Story Highlights
  • Faster investigations with consolidated data: All security functions work from a single source of truth, combining security logs with rich contextual information.

  • More powerful analytics: Low cost of storage and on-demand compute allows deeper, faster analysis of larger volumes of data, as well as enhanced analytics across devices, event traces and historical data.

  • Lower total cost of ownership: With a single hot-tier architecture on Snowflake, Trellix reduces overhead compared to traditional architectures and streamlines engineering efforts to drive customer value.

Eliminating multiple backend systems and disparate tools

Over the years, Trellix's mergers and acquisitions, such as McAfee and FireEye, have sharpened its competitive edge, helping the cybersecurity leader provide unparalleled detection and response to its customers. But the multiple backend systems that came with them were difficult to integrate, creating challenges for the development and operations teams. As customers requested longer and longer data retention periods, it became clear that Trellix needed a new approach to satisfy both current and future needs.

Trellix previously relied on the usual cybersecurity event search paradigms adopted by many vendors in the space. Running analytics required copying data to another environment, which resulted in data silos and multiple copies of customer data. On a regular basis, the data team at Trellix had to decide whether to scale the platform down because of ingestion limits and storage tier costs, or scale it up when a customer increased usage.

Concurrency challenges also meant analytical jobs could only be scheduled during off-peak hours, when customers weren't using Trellix in real time; if scheduled during peak times, query performance suffered. As a result, teams at Trellix spent significant time on manual maintenance.

“It’s all about speed to value for customers. Traditional data architectures struggle between being economical but slow, or expensive but fast. In the modern cybersecurity world, we need a highly scalable, performant platform to quickly and easily deliver innovative features and products to customers. That’s why we chose Snowflake.”

Karan Sondhi
Vice President and CTO, Trellix Public Sector

Modernizing data architecture for better scalability and efficiency

With Snowflake as the foundation of its EDR solution, Trellix has established a common data platform for improved insights and analytics across its product suite. Teams now analyze larger volumes of data with greater speed and depth, thanks to Snowflake's ability to scale up and down dynamically, its near-zero maintenance and its cost-effective separation of compute from storage.

No longer bogged down by management and maintenance, engineers focus more on delivering innovation, and the Snowflake-based architecture allows them to scale to customers of any size. Since moving to Snowflake, Trellix has reduced costs by 25% compared to its previous cybersecurity event search solution.

As a Snowflake managed application, Trellix's EDR solution uses a single hot-tier storage layer for data analysis, with 50% faster query speeds. Its redesigned architecture also expands Trellix's ability to process and analyze streaming data during ingestion.

Figure 1. Trellix’s modern data architecture as a Snowflake managed application, which delivers a better customer experience thanks to simple, consistent access to customer data.

With Snowflake, Trellix offers greater insights and value to its customers through automation and enhanced analytics across devices, event traces and historical data. Instead of hosting only 30 to 90 days of data, Trellix now supports more than a year's worth and uses third-party data to deliver deeper insights. Snowflake Secure Data Sharing lets Trellix give its customers easy, zero-copy access to their security data, eliminating the traditional secure file transfer process, which could take weeks to deliver data and carried high overhead. Customers can also access third-party data sets from Snowflake Marketplace to enrich their own data.

Proven success with a leading healthcare provider

One of the largest providers of general hospital healthcare services relies on Trellix's EDR solution whenever there is an active or suspected threat within its network. With the previous architecture, queries could take minutes to run. With the Snowflake-based EDR solution, the healthcare provider saw a 45x performance improvement, with 95% of queries now completing within seconds.

“When customers are threat hunting, they need to search in near real time to effectively mitigate potential security threats,” Sondhi says. “Building on Snowflake allows us to focus on our expertise in detection and response, and our customers have benefited in higher quality of experience and ongoing trust that we are innovating to keep them secure.”

A deeper partnership and potential connected app

As Trellix continues to grow and advance its capabilities, the company has begun to use Snowflake for AI and machine learning efforts that increase operational efficiency and deliver better security insights to its customers. For example, multi-vector correlation needs a backend that receives all of the independent vectors, which Snowflake provides for Trellix. As part of its goal to reduce total cost of ownership by $21.1 million, Trellix is deepening its partnership with Snowflake and is considering joining the Powered By Snowflake program for faster go-to-market and customer adoption.

“Trellix has been doing machine learning for over a decade but was leveraging traditional approaches to scrape and fetch data. Now with Snowflake, we accelerated our detection and correlation ML use cases dramatically.”

Ashok Banerjee
Senior Vice President of XDR Engineering, Trellix

Trellix is also evaluating offering its EDR solution as a connected application through Snowflake. “Today, partners and customers are asking us to scrape millions of APIs to recreate a database (replicate backups, snapshots, restores, etc.) to create an application on their own events,” says Banerjee.

Under the previous app model, customer data was loaded into Trellix's vendor-managed EDR solution. The connected app model instead stores and processes customer data directly on the customer's own data platform. This separates the application code from the data, allowing customers to retain control of their data while eliminating data silos. Banerjee says, “We see connected applications as a simpler and faster way to offer our customers a greater experience and more value.”
