XDR vendor Trellix sees new relationship with OCSF around Amazon Security Lake as redefining security

The changes, announced at last week’s AWS Re:Invent event, make it much easier for customers to move between vendors, and eliminate many of the lock-in barriers which have impacted the industry in the past.


XDR-focused cybersecurity company Trellix announced its support last week for two new Amazon Web Services [AWS] services. Both the Amazon Security Lake and AWS Verified Access were announced at the event, and Trellix has integrated them into its own solutions. Even more significant, however, is Trellix’s adoption of the Open Cybersecurity Schema Framework [OCSF], which lets Trellix customers combine hundreds of data sources with Amazon Security Lake data to more easily apply Trellix machine learning, threat intelligence, and predictive analytics.

While Trellix also speaks well of AWS’s hyperscaler competitors, Azure and GCP, the AWS relationship is the most significant one for them.

“We still see the vast majority of our customers running the most workloads in AWS,” said Martin Holste, CTO, Cloud, at Trellix. “That’s why we were brought in early in the process. Before now, we have partnered with them around pretty much everything, from object scanning from their cloud, to completely secure environments with firewall and identity policy, to quarantining workloads using native firewalling.”

Holste sees Trellix becoming involved with OCSF, which AWS organized and then announced last August, as the most significant of the announcements.

“This is not the kind of thing that draws headlines because it is more of an organizational shift,” he said. “It is, however, important in the way that it removes barriers. In that sense it marks a new epoch in the industry. I’ve worked with telemetry in log files for almost 20 years. The log formats are different, and it is hard to go from one vendor to another. AWS has got us all together to agree what we will put in these log files. This completely changes the whole velocity from onboarding, and democratizes the onboarding process. It makes it easier to move between vendors. We are working together with between 20-30 other security vendors on this, some of whom are competitors, and some not.”

Holste acknowledged that this will not remove all issues relating to vendor lock-in, which has been an eternal sore spot among customers, but it will come close.

“There could still be lock-in potential in contracts, but this will remove vendor lock-in to a significant extent because the inability to rip out one vendor is gone,” he said.

Holste said that the newly announced Amazon Security Lake takes this new concept and puts it in a centralized location in the Amazon cloud.

“That’s what the Security Lake is,” he stressed. “Prior to this, the concept did not exist. The Security Lake is really about treating all data the same way. Customers have been encouraged to have one account for all their telemetry. That’s not new. What has changed now is that with the Security Lake, doing this is completely push button. It enables a new era where customers come to hold all the data themselves. That’s why the consortium of vendors speaking the same language is so pivotal about this.”

The other new announcement at the event, Trellix for AWS Verified Access, leverages a new capability of Amazon Virtual Private Cloud that makes it easier for IT admins to secure access to corporate applications in AWS or on premises, without using a VPN. Trellix and AWS customers now gain visibility across ten unique AWS products and services to more quickly identify and respond to XDR-related risks.

“With Trellix for AWS Verified Access, you can write security policy for compliance with specific policies, and it will go directly into the Security Lake,” Holste stated. “This adds the ability to add this directly into the security policy.”

Holste acknowledged that basically all the security vendors – including their competitors – will also be able to work with these new AWS tools, but emphasized that Trellix and their customers will enjoy specific advantages that others do not.


“We have such a breadth of product lines that we run that it gives us unparalleled access,” he said. “We see everything. We connect with so many third parties, and in so many areas like authentication logs, backup logs and email. No one else comes close to having this kind of information to tell AWS if a connection should be allowed. We can do that better than anybody.”

“In the grand scheme of things, this all puts customers at the centre of everything that we do,” said Britt Norwood, Senior Vice President, Global Channels & Commercial at Trellix. “AWS is a very strategic partner to many of them and that’s where they put their data. There is a very strategic relationship between Trellix and AWS. This is just the beginning.”