AWS Partner Network (APN) Blog
Trellix uses AWS GenAI for Cybersecurity Integration
By: Zachary Krider, Director of AI and Innovation – Trellix
By: Shankar Rajagopalan, Sr Solutions Architect – AWS
By: Rick Lobrecht, Sr Customer Solutions Manager – AWS
In the fast-paced world of cybersecurity, the ability to integrate with multiple solutions and block threats before they impact systems is paramount. Security vendors and defenders are in a constant race against time to provide comprehensive threat detection and visibility across complex systems. This challenge has traditionally required significant human resources, from engineering to researchers, all working to keep pace with the ever-evolving threat landscape. Trellix’s use of agentic AI is changing the game, allowing for faster development and deployment of critical security solutions.
This blog highlights the approach Trellix took to accelerate the development and testing of product integrations and automated rules development. Using an agentic AI methodology, Trellix is able to save over 40 hours of development time per integration, resulting in a 90% reduction in time to market. Trellix used Amazon Bedrock, LangChain, and Anthropic Claude in this effort.
The Current Landscape: Building Integrations Today
Creating and maintaining cybersecurity integrations consumes significant resources. The challenges stem from the complexity of modern systems: teams must maintain connections with a multitude of vendors, adapt to regular vendor API updates, and respond in real time. Security integration development draws on three essential roles:
- Business analysts to identify and define requirements
- Developers to architect solutions
- QA developers to support reliability
Research requirements begin with threat landscape analysis across multiple attack vectors, combined with regular updates to threat technique documentation. To keep threat intelligence current, teams monitor trends across multiple data sources, processing and analyzing more than 10s of TB of data in real time on any given day.
The Future of Integration Development
Trellix uses Amazon Bedrock to automate integration development.
Trellix innovated a development approach by leveraging Amazon Bedrock, fundamentally shifting from traditional coding to an autonomous, intent-driven process. Envision a system where developers articulate their objectives – ‘integrate these APIs’, ‘block these specific threat techniques’ – and return to find those tasks executed seamlessly. Within minutes, the system autonomously generates production-ready code, which, after a swift QA validation, is ready for deployment into a production environment.
This approach helps accelerate development cycles, minimizing the load on engineers and freeing them to focus on strategic innovation. By abstracting the complexities of low-level coding and configuration, Trellix empowered its development teams to rapidly respond to evolving security threats and customer demands. The ability to autonomously generate and deploy code based on high-level instructions significantly reduced time to market for critical security updates and new features. This shift not only enhanced efficiency but also fostered a culture of rapid iteration and continuous improvement, solidifying Trellix’s position as a leader in cybersecurity.
Key Technologies Driving Innovation
The serverless stack enables efficient AI-powered development. Amazon Bedrock, with its choice of high-performing foundation models (FMs), enabled rapid prototyping and code generation. Amazon API Gateway manages the API frontend of Sidekick, the system shown in Figure 1. Requests are queued on Amazon Simple Queue Service (Amazon SQS) and processed by the agents in order. Amazon Elastic Container Service (Amazon ECS) orchestrates the containers for the tools the AI agent requires. Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB store the text output and the metadata, respectively.
LangChain then acts as the intelligent orchestration layer, facilitating sophisticated reasoning and data analysis across extensive datasets, providing contextually relevant and accurate outputs. Complementing these, LangSmith provides real-time monitoring and dynamic feedback, helping developers to track the agent’s progress, identify performance bottlenecks, and implement targeted optimizations. This continuous improvement loop makes sure the AI agent’s output is not only reliable but also consistently refined.
The integration of these components can deliver measurable enhancements to the development lifecycle. By automating complex reasoning and decision-making processes, these AI agents can significantly reduce development time, minimize errors, and improve code quality. This allows developers to focus on higher-level architectural design and innovation, leading to the creation of more sophisticated and robust applications leveraging the full potential of large language models.
Figure 1: Sidekick Architecture on AWS
The Role of AI Agents
AI agents can enhance development efficiency by automating critical research tasks. They intelligently analyze existing code patterns and documentation. AI agents can rapidly identify optimal solutions and best practices, which significantly reduces the time spent on manual research. Furthermore, the integration of AI-powered testing methodologies, particularly integration testing, minimizes the need for extensive prototype development. By simulating real-world scenarios and identifying potential conflicts early in the development cycle, these agents can streamline the testing process and accelerate time to market.
This has revolutionized Trellix’s security content creation process, yielding dramatic improvements across the entire lifecycle: from in-depth research and analysis to rapid content generation, rigorous testing and validation, and impact assessment. Intelligent agents continuously monitor diverse datasets and threat intelligence feeds. This enables proactive identification of emerging threats and vulnerabilities requiring immediate content development or modification of existing detection rules. AI agents help Trellix remain ahead of evolving threat landscapes.
Leveraging advanced AI, the system autonomously generates detection rules and optimizes content for seamless cross system deployment. By leveraging years of Trellix’s proprietary research and threat hunting expertise, the AI accurately models how threats exploit system vulnerabilities and propagate within complex network environments. Furthermore, agents dynamically refine detection rules, intelligently mitigating false positives, minimizing performance impacts on critical systems, and continuously improving overall detection accuracy.
In contrast, the legacy approach relied on manual monitoring of data and feeds by dedicated research and development teams. This process was not only labor intensive but also inherently limited by human constraints. The constant need for onboarding and training new team members, coupled with the inability to maintain 24/7 vigilance, resulted in significant backlogs and delayed security content.
Moreover, the specialized knowledge required to craft effective security content was often siloed within specific teams or individuals, creating a bottleneck and hindering scalability. The agentic AI approach has democratized this knowledge, empowering even junior engineers to rapidly create, validate, and deploy high-quality security content in a controlled environment. This shift has dramatically reduced content creation and deployment times from a laborious 24-hour cycle to 30 minutes.
The implementation of an agentic AI system facilitates continuous, around-the-clock monitoring and content creation, with human oversight for final review and deployment. This proactive approach has freed the security content team from the constraints of reactive threat response, allowing them to dedicate their expertise to developing innovative features and enhancing the overall efficacy of Trellix’s security products. The result is a more robust and agile system, capable of effectively combating the ever-evolving threat landscape.
Figure 2: Agentic Content Creation
Methodology and Impact
Trellix implemented a sophisticated multi-agent system, orchestrating four distinct yet interconnected functions: requirement analysis, code skeleton development, iterative code generation and testing, and automated technical documentation. This structured workflow can accelerate development cycles, enhance code accuracy, and improve scalability across diverse products and systems.
Rather than relying on traditional model training, Trellix adopted a human-centric onboarding approach, mirroring the collaborative dynamics of a seasoned development team. They architected their agentic workflow around specialized roles: a business analyst agent to gather and interpret user requirements, senior and junior developer agents to collaboratively translate those requirements into robust code, and a dedicated QA agent to rigorously validate code soundness and adherence to Trellix standards.
To facilitate code uniformity and alignment with established Trellix best practices, the developer agents were guided by a few-shot prompting strategy. This technique provided concrete examples and contextual information, enabling them to generate code that not only met functional requirements but also seamlessly integrated into the existing Trellix framework. This approach allowed for consistency and efficiency, streamlining the development process and accelerating time to market.
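The developer/QA loop described in this section in a minimal, added form (example code, not Trellix’s Sidekick implementation): a developer agent drafts code from a few-shot prompt, and a QA stage rejects candidates that use banned dynamic-execution calls or fail the tests, feeding the reason back into the next prompt. The model here is a constructed stand-in for the Bedrock-hosted model that would be called through LangChain; the function names, the house rule, the sample task and its tests are all assumptions.

```python
import ast
import subprocess
import sys
import tempfile
from pathlib import Path
# Constructed few-shot example of the house style the developer agents are steered toward.
FEW_SHOT = ['def upper_keys(d):\n    """Copy d with upper-cased keys."""\n    return {k.upper(): v for k, v in d.items()}']
FORBIDDEN_CALLS = {"eval", "exec"}  # assumed house rule enforced by the QA agent

def build_prompt(requirement, feedback=""):
    # Few-shot prompt: style examples, then the task, then any prior QA feedback.
    shots = "\n\n".join(f"# Example\n{s}" for s in FEW_SHOT)
    return f"{shots}\n\n# Task\n{requirement}\n{feedback}"

def qa_static(code):
    """QA stage 1: parse the candidate and reject banned dynamic-execution calls."""
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, ast.Call) and getattr(node.func, "id", None) in FORBIDDEN_CALLS:
            return False, f"forbidden call {node.func.id}() at line {node.lineno}"
    return True, "static checks passed"
def qa_tests(code, test_code):
    """QA stage 2: run the candidate against the tests in a separate interpreter."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "gen.py").write_text(code)
        Path(d, "test_gen.py").write_text(test_code)
        r = subprocess.run([sys.executable, "test_gen.py"], cwd=d,
                           capture_output=True, text=True, timeout=30)
    return r.returncode == 0, (r.stderr.strip().splitlines() or ["tests passed"])[-1]

def generate_with_qa(model, requirement, test_code, max_rounds=3):
    """Developer agent proposes, QA agent gates; each failure is fed back into the prompt."""
    feedback, code = "", ""
    for rnd in range(1, max_rounds + 1):
        code = model(build_prompt(requirement, feedback))
        ok, msg = qa_static(code)
        if ok:
            ok, msg = qa_tests(code, test_code)
        if ok:
            return {"code": code, "rounds": rnd, "passed": True}
        feedback += f"QA feedback: {msg}\n"
    return {"code": code, "rounds": max_rounds, "passed": False}
# Constructed stand-in for the Bedrock model: canned candidates picked by how many QA
# feedback lines the prompt already carries (eval -> naive split -> correct).
CANDIDATES = [
    'def parse_kv(line):\n    return eval(line)',
    'def parse_kv(line):\n    return dict(p.split("=") for p in line.split(","))',
    'def parse_kv(line):\n    return dict(p.split("=", 1) for p in line.split(","))',
]
def fake_developer_model(prompt):
    return CANDIDATES[min(prompt.count("QA feedback:"), len(CANDIDATES) - 1)]
REQUIREMENT = "Write parse_kv(line) mapping 'k=v,k2=v2' to a dict; values may contain '='."
TEST_CODE = 'from gen import parse_kv\nassert parse_kv("a=1,t=x=y") == {"a": "1", "t": "x=y"}\n'
```

With the canned candidates, `generate_with_qa(fake_developer_model, REQUIREMENT, TEST_CODE)` needs three rounds: the static check rejects the `eval` version, the test run rejects the naive split, and the third candidate passes.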
Enhancing Detection Content Across Systems
The Trellix Advantage
Trellix’s security framework offers broad and deep protection, seamlessly weaving together endpoint defense with solutions for data, network, email, cloud, sandbox, and SecOps. This extensive coverage, while powerful, presents a complex content creation challenge due to the diverse detection logic and data schemas inherent in each technology.
Traditional Content Creation Challenges
Creating effective security content requires expertise across domains, product specific customization, rigorous validation, and false positive mitigation, all of which are time intensive processes.
Conclusion
Trellix is redefining cybersecurity development by strategically deploying AI agents with Amazon Bedrock and LangChain. This pioneering approach significantly accelerates the delivery of critical features, while simultaneously elevating the quality and efficacy of Trellix Helix.
Key insights from this implementation include:
- Agentic AI can effectively automate complex, multi-stage workflows
- AI can democratize specialized knowledge, enabling broader organizational access and application
- Task-specific AI solutions can be rapidly deployed by emulating established human onboarding processes, without requiring extensive model training
In the face of increasingly sophisticated threat actors, AI-driven development empowers Trellix to maintain a decisive advantage, making sure end customers receive the most advanced and adaptive cybersecurity protections. The future of cybersecurity hinges on the synergistic partnership between human intelligence and AI capabilities, and Trellix is leading this transformative evolution.
Trellix – AWS Partner Spotlight
Trellix is an AWS Advanced Technology Partner and AWS Competency Partner that empowers SecOps worldwide with the industry’s broadest GenAI-powered security platform.