Trellix Wise: Leveraging GenAI with Amazon Bedrock to Enhance Data Security and SecOps

By Martin Holste and Zak Krider · June 10, 2024

In the ever-evolving landscape of cybersecurity, organizations face numerous challenges when it comes to implementing and managing effective data security measures. One of the most significant obstacles is the ability to operationalize technology efficiently. With the vast amount of sensitive data being monitored across various channels, security teams often find themselves overwhelmed by the sheer volume of events and policies they must handle. This is where Trellix Wise comes in, revolutionizing the way security operations centers (SOCs) tackle data security challenges.

What is Trellix Wise?

Trellix Wise is a groundbreaking concept that harnesses the power of generative AI to enhance security decision-making, automate manual investigation processes, and transform the way security teams approach remediation. By leveraging the extensive Trellix Platform and large language models on Amazon Bedrock, Trellix Wise gains access to a wide array of data sources, including Trellix Data Security, enabling it to make informed decisions based on comprehensive situational awareness.

Operationalizing Data Security with Trellix Wise

One of the key benefits of Trellix Wise is its ability to assist organizations in operationalizing their data security programs. When monitoring data in motion, data at rest, removable media, and databases storing sensitive information, the sheer volume of events and policies can be overwhelming for security teams. Trellix Wise helps tackle this challenge by providing intelligent solutions for data loss prevention (DLP) and database security.

Data Loss Prevention (DLP):

1. Rule Creation: Trellix Wise understands an organization's business practices and compliance requirements, providing custom-built rules that align with their specific needs, eliminating the guesswork involved in setting up DLP.

2. Alert Prioritization: When faced with an abundance of alerts, Trellix Wise analyzes events, creates cases with relevant information, and raises the severity based on contextual factors such as user business unit, location, and event frequency. This helps security teams focus on the most critical incidents.

3. Event Summarization: Trellix Wise generates summaries of events, including non-technical explanations that can be used to educate end-users and provide investigation steps for the SOC team. It also offers tuning recommendations to reduce false positives.

4. Automated Classification: Trellix Wise assists in automating the classification of material within an organization's environment, relieving administrators of this burdensome task.

Real-World Use Case: Investigating a Brute-Force Attack with Trellix Wise for XDR and Data Security

To illustrate the power of Trellix Wise as a comprehensive GenAI platform, let's consider a real-world use case involving a brute-force attack alert from Trellix Helix Connect. While such attacks are common and often ignored by security teams, Trellix Wise performs a background level one auto-investigation, gathering information from multiple data sources to determine the severity of the alert.

By considering factors such as the attacker's identity, host vulnerability, additional alerts, and the presence of sensitive data on the device, Trellix Wise can differentiate between a low-priority alert and a serious incident that requires immediate attention. This comprehensive situational awareness enables security teams to respond appropriately and efficiently.

Consider a security alert from Trellix Helix regarding a brute-force attack. Is the alert important? This is an interesting question because brute-force attacks are common, occurring all day every day as thousands of mass scan attempts occur, and as such, many security teams largely ignore them. Unless there are further signs of compromise or the asset has high sensitivity, there is no immediate cause for concern, but therein lies the question at the heart of each one of these alerts: Is there something else happening that means someone needs to investigate this? In order to know this, multiple sources of information need to be considered. In this case, Trellix Wise in Helix will perform a background level one auto-investigation, asking these questions, and getting answers from connected data sources:

Alert: Brute-force attack

Armed with this comprehensive situational awareness, Trellix Wise has everything it needs to know if this is an alert that should be ignored or if this is a serious incident. Consider these two possible scenarios based on different answers to these questions:

Scenario A:

• The attacker is a relatively unknown IP address in a foreign country.
• The host has no exposed vulnerabilities.
• The only other alerts are for other brute force attempts.
• The device does not have any Trellix Data Security alerts for sensitive data.

Scenario B:

• The attacker is using an anonymized proxy service.
• The host has several medium-severity exposed vulnerabilities.
• There are several low-severity alerts for service account creation on the endpoint.
• The device is known to have accessed several different types of sensitive data across various data stores.

Scenario A is a classic example of an alert that security teams should not waste time investigating, but scenario B may be a serious incident and should be investigated immediately! At face-value, there was no way to know that this low-level alert was significant, but with the power of full situational awareness and the ability to have it evaluated automatically by Trellix Wise, a security team will know how to respond and have the capability to do so.

The Arc of Detection, Investigation, and Response

In scenario B, Trellix Wise sees that other alerts regarding account creation indicate the attack was successful, and that this alert involves particularly sensitive assets that warrant extra care, so it will determine an analyst should investigate this alert. It will create a case, attach all of the relevant information to it, and notify an analyst.

The analyst can then use the powerful Trellix Wise auto investigation tools built into Trellix EDR to perform a complete, deep-dive investigation on hosts affected, which will confirm what happened. After the one-click investigation, Trellix Wise will also perform the full write-up for documenting what has occurred in another click by using Dossier Mode.

Finally, the analyst can use the Trellix Wise generative AI-enabled response capabilities in Trellix Security Orchestration to craft a swift, customized remediation, which may include changes to the directory, network configuration, or host.

With these solutions put together, Trellix Wise is able to call attention to a threat that wouldn’t have been noticed by performing an automated level one investigation informed by Trellix Data Security. It could then save analyst time by making the full host-based level two investigation a single click, and then assist in the remediation phase with AI-driven customization. This frees security staff to focus on human-level activities, and lets the machines do the machine-level work. This is what we mean when we say Trellix Wise delivers GenAI for the SOC.

Welcome to Trellix Wise

Trellix Wise represents a paradigm shift in how SOCs approach data security and incident response. By leveraging GenAI and the power of the Trellix Platform, Trellix Wise streamlines the process of detecting, investigating, and responding to threats. It enables security teams to focus on high-level, human-centric activities while allowing machines to handle the repetitive, time-consuming tasks. With Trellix Wise, organizations can enhance their data security posture, improve operational efficiency, and stay ahead of evolving cyber threats.

Want to Learn More?

Start leveraging the speed and efficiency used between Trellix and AWS to respond to security issues today. Please contact AWS@Trellix.com to learn more or attend our latest AWS and XDR Dev Days on June 25th in DC to get hands-on with Trellix today! See how Trellix and AWS work together and view our marketplace listings on the AWS Marketplace.