Trellix adds cyber resiliency to XDR platform with upgraded engine and threat intelligence, and forthcoming management console

An expanded and more security-focused XDR platform was the highlight of Trellix’s product announcements at their first Xpand Live event.

LAS VEGAS – On Wednesday, in the opening keynote at Trellix’s inaugural Xpand Live customer event here, CEO Bryan Palma emphasized the company’s strategic priority of becoming the clear leader in the XDR space. Aparna Rayasam, Trellix’s Chief Product Officer, then took the stage to discuss the security transformations that had already taken place and those still to come.

A key element of this strategy is the Trellix XConsole, which will be available in early 2023 and will become the overarching control centre for Trellix XDR. Trellix XConsole will simplify the user experience across all the solutions within Trellix XDR and provide a single interface for security operations teams that will let them quickly baseline their overall threat posture through added visibility across network, endpoint, data, email, and cloud attack surfaces.

“It will create a uniform view across all the XDR consoles into XConsole, and provide a full set of APIs and workflows,” Rayasam said. “It’s not just another dashboard. XConsole takes advantage of the data through all the different point solutions.”

Rayasam reviewed the design principles behind the Trellix XConsole and the ecosystem that surrounds it.

“Simplicity is key and it’s very hard to be simple, and it involves focusing on the problem not the solution,” she said.

The second principle is the need to emphasize personalization.

“Every customer’s platform is different, and they all need to have the ability to be customized,” Rayasam indicated.

Third was scale, which Rayasam noted meant customer scale.

“It’s about customer scale, so they don’t have to go after every attack,” she said.

The other two elements are effective use of intelligence, in which next-generation techniques are layered on top of decades of expertise inherited from McAfee and FireEye, and platform agnosticism, which Rayasam said is essential for customers at different stages of public cloud adoption.

Rayasam said that the core engines of the five individual consoles – network, endpoint, data, email, and cloud – were previously in some of the point products.

“Now they have been consolidated into five product lines with the unification of the products of both companies,” Rayasam said. This upgraded XDR engine will be available in the fourth quarter of 2022. In addition to the upgraded threat intelligence through the integration of McAfee and FireEye assets, it will also see the launch of the Trellix Event Fabric. The fabric bridges disparate security data from any cloud provider, allowing security analysts to access and correlate data from anywhere. Security teams will also be provided with enhanced playbooks for guided investigations.

In many ways, Trellix’s plan resembles ePolicy Orchestrator (ePO), McAfee’s platform from a previous generation, which aspired to have the same transformative effect on the unification and management of point solutions.

“I think that ePO was indeed very successful for its time, although the move to cloud did not happen quickly enough,” Rayasam said. “But they had strong technology which will live on. We are not throwing everything away. ePO and [FireEye’s] Helix are a lot of what I was looking at in rethinking the XConsoles. We are also building on top of a strong existing base, so I’m less concerned about creating something with the five separate consoles that will not have relevance.”

It’s quite possible that the number of separate consoles under the XConsole could be expanded going forward.

“Our partnerships will be key there,” Rayasam stated. “We are also looking at identity closely to see if it has a role in XDR. We are also doubling down on the data protection piece, and are looking at the SIEM vector as well.”

One element of the solution set that is available now is Trellix Network Detection & Response (NDR). Trellix Network Investigator provides a holistic solution to detect, investigate and address threats across the kill chain, letting customers rapidly deploy NDR capabilities on top of their existing Trellix network products. Using signals from the Trellix Intrusion Prevention System, Trellix Network Security, and Trellix Network Forensics products to identify activity after initial infection, customers are now able to prevent lateral movement and data exfiltration. Trellix Network Investigator is complemented by the company’s Detection as a Service subscription.

The new Trellix Endpoint console, scheduled for availability in early 2023, will unify the best of McAfee and FireEye technologies across endpoint protection, endpoint detection and response, and forensics to deliver best-in-class layered endpoint defense.

Attacks are mapped using the MITRE ATT&CK Framework.

“You need to connect the data to look at the bigger picture,” said Amol Mathur, SVP Products at Trellix. “Point products often generate low confidence signals which do not show an attack as happening. It is this combination with other things that let us show an attack is going on.”
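The correlation idea Mathur describes above, combining signals that individually fall below an alerting threshold and presenting the result along the ATT&CK kill chain, is illustrated by the following Python sketch. It is an added example written for this article, not Trellix product code: the source names (ips, endpoint, network, forensics), the per-host 30-minute window, the noisy-OR confidence combination and the sample signals are all assumptions constructed for illustration; only the ATT&CK technique IDs and tactic names are real.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import prod

# Kill-chain order of ATT&CK Enterprise tactics, used so a correlated incident
# reads as a narrative (execution -> lateral movement -> exfiltration) rather
# than as a bag of unrelated alerts.
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]


@dataclass(frozen=True)
class Signal:
    ts: datetime
    source: str        # point product that emitted it (hypothetical names)
    host: str
    technique: str     # MITRE ATT&CK technique ID
    tactic: str        # ATT&CK tactic the technique was observed under
    confidence: float  # the product's own 0..1 score for this single signal


def correlate(signals, window=timedelta(minutes=30), threshold=0.8,
              min_sources=2, min_tactics=2):
    """Cluster signals per host into time windows and promote a cluster to an
    incident when (a) one signal is strong enough on its own, or (b) at least
    min_sources independent products saw at least min_tactics different
    tactics and the noisy-OR combination 1 - prod(1 - c_i) of their scores
    clears the threshold that none of them reached alone."""
    by_host = defaultdict(list)
    for s in signals:
        by_host[s.host].append(s)

    incidents = []
    for host, events in sorted(by_host.items()):
        events.sort(key=lambda s: s.ts)
        clusters, current = [], []
        for ev in events:              # assumption: a window starts at its first signal
            if current and ev.ts - current[0].ts > window:
                clusters.append(current)
                current = []
            current.append(ev)
        if current:
            clusters.append(current)

        for cluster in clusters:
            sources = {e.source for e in cluster}
            tactics = {e.tactic for e in cluster}
            combined = 1 - prod(1 - e.confidence for e in cluster)
            strong_alone = any(e.confidence >= threshold for e in cluster)
            corroborated = (len(sources) >= min_sources
                            and len(tactics) >= min_tactics
                            and combined >= threshold)
            if not (strong_alone or corroborated):
                continue
            ordered = sorted(cluster, key=lambda e: TACTIC_ORDER.index(e.tactic))
            techniques = []
            for e in ordered:          # de-duplicate while keeping kill-chain order
                if e.technique not in techniques:
                    techniques.append(e.technique)
            incidents.append({
                "host": host,
                "start": cluster[0].ts,
                "end": cluster[-1].ts,
                "sources": sorted(sources),
                "techniques": techniques,
                "confidence": combined,
            })
    return incidents


T0 = datetime(2022, 9, 28, 10, 0)  # constructed timestamp

# Constructed sample signals, not real telemetry. Every score is below the
# 0.8 alert threshold, so no point product would have raised an alert alone.
SAMPLE_SIGNALS = [
    Signal(T0, "ips", "ws-17", "T1110", "credential-access", 0.30),
    Signal(T0 + timedelta(minutes=5), "endpoint", "ws-17", "T1059.001", "execution", 0.35),
    Signal(T0 + timedelta(minutes=12), "network", "ws-17", "T1021.002", "lateral-movement", 0.40),
    Signal(T0 + timedelta(minutes=20), "forensics", "ws-17", "T1048", "exfiltration", 0.45),
    # a lone brute-force hit on another host: noise on its own
    Signal(T0 + timedelta(hours=1), "ips", "ws-03", "T1110", "credential-access", 0.30),
    # two signals on a third host but hours apart: they never share a window
    Signal(T0 - timedelta(hours=1), "endpoint", "ws-09", "T1059.001", "execution", 0.35),
    Signal(T0 + timedelta(hours=3), "network", "ws-09", "T1021.002", "lateral-movement", 0.40),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_SIGNALS):
        print(inc["host"], round(inc["confidence"], 2),
              " -> ".join(inc["techniques"]), inc["sources"])
```

Run stand-alone, the sketch raises exactly one incident, for ws-17, whose four low-confidence signals from four different products combine to roughly 0.85 and read in kill-chain order as T1059.001 -> T1110 -> T1021.002 -> T1048; the isolated brute-force hit on ws-03 and the two widely separated signals on ws-09 stay below the bar. The requirement for multiple independent sources is what keeps one noisy product from talking itself into an incident; the noisy-OR rule assumes the sources are independent, which a real deployment would need to verify before trusting the combined score.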

“What we are doing with XDR involves two things,” Rayasam said. “It makes the SIEM ops job much easier, although it can’t completely take away the pain with things like ticket management. It also provides an opportunity for other vendors to participate, and the talent shortage around security will help make it come together.”