    Trellix Network Detection and Response

    Sold by: Trellix 
    Deployed on AWS
    Free Trial
    Eliminate network security blind spots with Trellix NDR

    Overview

    Disrupt Attackers at Every Stage

    Trellix NDR delivers extended visibility into network traffic, multilayered threat detection, and accelerated investigation and response across each stage of the MITRE ATT&CK framework, spanning data centers, hybrid cloud environments, branch offices, and corporate campuses.

    Product Options

    Trellix Network Security: Automatically spot suspicious network behavior and prevent attacks that elude traditional signature- and policy-based security. Combine multiple AI, machine learning, and correlation engines to detect and respond to advanced threats and lateral movement in minutes.

    Trellix Network Forensics: Pairs the industry's fastest lossless data capture and retrieval solution with centralized analysis and visualization. Determine the scope and impact of threats and re-secure your network faster.

    Trellix Intrusion Prevention System: Trellix IPS is an NDR-ready, next-generation IPS that detects and blocks sophisticated malware threats across the network. It uses advanced detection and emulation techniques, moving beyond traditional pattern matching to defend against stealthy attacks with a high degree of accuracy and performance.

    Please contact aws@trellix.com before purchasing. Your account team will provide an AWS Private Offer with the correct product mix, quantities, and applicable discounts. Multiple product choices and deployment options are possible using part numbers not listed here.

    Highlights

    • Adapt to new threats automatically
    • Protect across your network to the cloud
    • Connect to Trellix Helix to enable GenAI insights

    Details

    Delivery method

    Deployed on AWS


    Pricing

    Free trial

    Try this product free according to the free trial terms set by the vendor.

    Trellix Network Detection and Response

    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    12-month contract (6)

    Dimension   Description                                                             Cost/12 months
    NDRT0-T     Network Detection and Response Essentials Edition (2 way)               $105,193.00
    NDRT1-T     Network Detection and Response Core Edition - 2 Way                     $142,010.55
    NDRT2-T     Network Detection and Response Enterprise Edition - 2 Way               $173,568.45
    IVXECE-AA   Trellix Intelligent Virtual Execution (IVX) - Per User Pricing (1 yr)   $62.29
    DODE1E-AA   Trellix IVX Enterprise Cloud - Per User Pricing (1 yr)                  $40.19
    VCMGAE-AT   Central Management - Virtual Appliance - Per Instance - (1 yr)          $11,836.44

    Vendor refund policy

    Please contact aws@trellix.com for refund requests.

    Custom pricing options

    Request a private offer to receive a custom quote.


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Support

    Vendor support

    Standard support and customer success programs are available at support@trellix.com

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.


    Accolades

    Top 50 in Generative AI
    Top 10 in Education & Research
    Top 10 in Security


    Overview

    AI generated from product descriptions

    Network Traffic Analysis: Advanced multilayered threat detection across data centers, hybrid cloud environments, branch offices, and corporate campuses using AI and machine learning correlation engines
    Threat Detection Methodology: Comprehensive network security approach spanning multiple stages of the MITRE ATT&CK framework with automated suspicious behavior identification
    Intrusion Prevention Capabilities: Next-generation intrusion prevention system using advanced detection and emulation techniques beyond traditional pattern matching
    Machine Learning Detection: Multiple AI and machine learning engines for detecting advanced threats and identifying lateral network movements
    Network Forensics: Lossless data capture and retrieval solution with centralized analysis and visualization for comprehensive threat impact assessment
    Threat Detection Mechanism: Advanced endpoint detection and response (EDR) capabilities with multi-stage threat identification across attack vectors
    Malware Prevention Technology: Sophisticated prevention-first approach using advanced blocking technologies against a broad range of cyber attacks
    Security Investigation Tools: Unified XDR platform enabling comprehensive threat investigation, detection, and response capabilities
    Attack Vector Coverage: Multi-layered protection mechanism targeting different stages and types of cybersecurity threats
    Endpoint Protection Framework: Comprehensive security solution with default strong protection settings and drift identification capabilities
    Threat Detection and Response: Advanced extended detection and response (XDR) platform with deep and broad threat visibility across multiple digital environments
    Cloud Security Coverage: Comprehensive security protection for cloud workloads, containers, networks, serverless functions, storage, and open source vulnerabilities
    Global Threat Intelligence: Cybersecurity platform leveraging decades of security expertise and continuous global threat research
    Multi-Environment Protection: Security solution spanning cloud, networks, devices, and endpoint protection with integrated monitoring capabilities
    Enterprise Security Platform: Purpose-built threat defense platform providing unified security management across digital infrastructure


    Customer reviews

    Ratings and reviews

    0 ratings (5 star: 0%, 4 star: 0%, 3 star: 0%, 2 star: 0%, 1 star: 0%)
    0 AWS reviews | 7 external reviews
    Star ratings include only reviews from verified AWS customers. External reviews can also include a star rating, but star ratings from external reviews are not averaged in with the AWS customer star ratings.
    Abdullah Al Hadi

    Network defense becomes effective with automatic responses to incidents

    Reviewed on Feb 18, 2025
    Review provided by PeerSpot

    What is our primary use case?

    The primary use case for Trellix Network Detection and Response is network intrusion detection, which is crucial for protecting environments. It helps secure networks and defend against phishing and other attacks created by the networking sector. We use the solution for detection and forensics investigation, reporting incidents such as the source and network path of attacks.

    What is most valuable?

    Trellix NDR provides an essential defense by automatically responding to network incidents that firewalls may not catch. When users break firewall rules, the solution identifies affected areas for immediate action, helping determine the actual reason for attacks. Its ability to report incidents like network paths makes it invaluable in securing the environment. With eight years of experience, I can attest that Trellix NDR is effective in detecting and protecting networks.

    What needs improvement?

    The Trellix solution could be improved by enhancing the Central Management Console for faster visibility, which would help in network detection response. Networking often involves complexity that could be simplified. More visibility in the dashboard would help in quickly identifying and responding to incidents. Additionally, there should be improvements in AI intelligence, faster decision-making, and a more responsive technical support team.

    For how long have I used the solution?

    I have been using Trellix NDR for approximately eight and a half years.

    How are customer service and support?

    Technical support needs improvement as sometimes engineers are not available promptly, especially during high-severity incidents. There is a need for technical expertise, specifically in device control and DLP issues.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    The initial setup of Trellix NDR has some complexities, particularly when dealing with big organizations' network design and path.

    What's my experience with pricing, setup cost, and licensing?

    While I do not handle pricing directly, it is known that there is a variety of customers with different licensing needs, which depends on the organization's size and policy.

    What other advice do I have?

    Currently, I would rate Trellix NDR as an eight out of ten. There are various opportunities for improving its response capabilities and dashboard visibility to quickly address incidents, which could improve the overall effectiveness of the solution.

    Which deployment model are you using for this solution?

    On-premises

    Daniel_Martins

    Helps increase response to attacks and reduce client risks

    Reviewed on Jun 10, 2024
    Review provided by PeerSpot

    What is our primary use case?

    The tool helps to reduce client risks. 

    What is most valuable?

    Trellix Network Detection and Response helps increase response to attacks. One benefit is increased visibility and simplicity in maintaining it. AI analyzes and relates data based on past performance over the last five days. 

    What needs improvement?

    The solution's support needs to improve their support.

    For how long have I used the solution?

    I have been working with the product for two years. 

    What do I think about the stability of the solution?

    The tool is stable. However, it has some monthly limitations. 

    Which solution did I use previously and why did I switch?

    Trellix Network Detection and Response differs from other products due to its integration. 

    How was the initial setup?

    Trellix Network Detection and Response's deployment is easy and can be completed in a minute. 

    What about the implementation team?

    My team helps with the tool's deployment. 

    What other advice do I have?

    I would recommend the product to others. I rate it a nine out of ten. 

    reviewer2392089

    Lacks the ability to let users use multiple IOCs but helps conduct threat investigations efficiently

    Reviewed on Apr 26, 2024
    Review provided by PeerSpot

    What is our primary use case?

    I use the solution in my company's daily operations to conduct threat investigations.

    What is most valuable?

    The most valuable feature of the solution stems from how it allows users to do the investigation part. Another important part of the product that is valuable is associated with how it gives information to users in the form of a storyline.

    What needs improvement?

    In Trellix Network Detection and Response, I suggest having Trellix EDR like features as it currently does not have the feature to add multiple IOCs to search an environment. If you want to search the hashes in the environment, you need to put in IOCs one by one, making it a very hectic job. In my company, we have to use IOCs daily to search for hashes in our environment, and then we have to put in the IOCs one by one. My company had spoken to Trellix's team to look into the matter concerning IOCs and was told by Trellix that the tool doesn't have a search feature that allows the use of IOCs in one go. The aforementioned area needs improvement in Trellix.

    For how long have I used the solution?

    I have been using Trellix Network Detection and Response for two years. I am a user of Trellix.

    What do I think about the stability of the solution?

    The product sometimes crashes, but it is up and working most of the time. In general, there is some downtime and certain issues with the product.

    What do I think about the scalability of the solution?

    I use the product daily in my company.

    Multiple people in my company use the product.

    How are customer service and support?

    In my company, if you face issues with Trellix Network Detection and Response or Trellix EDR, there is a separate team in my organization that offers technical support.

    Which solution did I use previously and why did I switch?

    I have almost four years of experience in the area of cybersecurity, and I have used many EDR solutions before Trellix, like Kaspersky and Cybereason. My company decided to use Trellix Network Detection and Response.

    How was the initial setup?

    I rate the product's initial setup phase a seven on a scale of one to ten, where one is difficult, and ten is easy.

    The solution is deployed on an on-premises model.

    What other advice do I have?

    The product's response capabilities were good. In general, I can say that the solution's response capabilities are neither too good nor very bad, so I can place it somewhere in the medium range.

    I rate the tool a five out of ten.

    Which deployment model are you using for this solution?

    On-premises

    BiswabhanuPanda

    Offers in-depth investigation capabilities, integrates well and smoothly transitioned from a lower-capacity appliance to a higher one

    Reviewed on Apr 04, 2024
    Review provided by PeerSpot

    What is our primary use case?

    The solution has been in place for quite some time – three or four years. We've renewed it several times, and we upgraded from Gen 3 to Gen 4 hardware at one point as well.

    Currently, it's integrated with our firewall and McAfee IPS. We also have network-based sandboxing deployed. It uses static and dynamic analysis engines, so we get alerts if malicious traffic is detected or harmful objects are downloaded.

    We've been using their PX solution for packet capture, which is the core of their NDR functionality. But we haven't fully adopted the combined product – NX and PX – yet because they are still separate.

    The storage requirements for raw packet capture, especially with our traffic levels, make it quite expensive. And that's true for many security products. I feel like NDR is pretty expensive.

    However, this is especially true about raw packet capture for network telemetry – the storage requirements with RAID 0 become quite expensive, regardless of the solution.

    How has it helped my organization?

    We had a serious incident where an attacker attempted a web shell attack on one of our web servers [DevOps server]. We were able to identify that the hackers used a malicious script and tried to target specific files. The hacker also tried to make a copy of some files. 

    We wanted to cross-reference that activity with the network traffic just to be sure there was no lateral movement. With Trellix, we easily confirmed that there was no lateral network involvement and that nothing else was infected. It helped us correlate the events and feel confident in our containment.

    Trellix NDR was effective in that situation.

    Moreover, we've integrated this solution with our SIEM. There's a degree of integration provided by Trellix with their solution, and we're satisfied with that. However, without the SIEM, that's the extent of our integrations at the moment.

    We're exploring further options due to organizational shifts towards the cloud, potentially moving away from a hybrid environment. We're assessing SaaS-based SIEM solutions. Trellix has its own offering, Helix, which we've evaluated and even purchased in the past. Ultimately, we discontinued its use. To summarize, our primary integration right now is with our SIEM.

    The SIEM integrates well with our threat intelligence sources. We also have some secondary integrations in place. Overall, things are running smoothly.

    What is most valuable?

    The in-depth investigation capabilities are a major advantage. When the system flags something as malicious, it provides a packet capture of that activity within the environment. 

    That helps my team quickly identify additional context that most other tools wouldn't offer – like source IP or base64 encoded data. We can also see DNS requests and other details that aren't readily available in solutions like Check Point or others that we've tried.

    The detection itself is solid, and their sandboxing is powerful. 

    There's a learning curve – you need a strong grasp of OS-level changes, process forking, registry changes, and the potential impact of those. But with that knowledge, the level of information Trellix provides is far greater than what we've seen elsewhere.

    The real-time response capability of Trellix has been quite effective, although it's not very fast. The key is this solution's concept of 'preference zero.' They don't immediately act on a zero-day. For example, the solution has seen a piece of malware for the first time. It'll let it in, then do sandboxing. Maybe after four or five minutes, it identifies that specific file's DNX Secure Store as malicious. At that point, they update the static analysis engine, and it gets detected if anything else tries to download the same file.

    There is that initial 'preference zero' concept, like with Panda. You may not hold traffic in the network. That's standard in the industry; we don't do much about it. To address that, we also have endpoint solutions. We use SentinelOne in our environment, which helps us identify threats like Western Bureaus and others.

    What needs improvement?

    The analytics could be better. It seems heavily influenced by the McAfee and FireEye integration, and that integration still isn't seamless. 

    STG needs to... I'm not sure what their roadmap is; they've mentioned full integration, but it hasn't materialized yet. Both the McAfee and FireEye engineering teams need to accelerate the process, as it would definitely benefit customers. The integration between Nextiva and Trellix could also use some work.

    For how long have I used the solution?

    I have been using it for seven years. I have been involved since the FireEye days. That's when I started working with it.

    We're on version 9.1.5.

    What do I think about the stability of the solution?

    I would rate the stability an eight out of ten. It's quite stable.

    What do I think about the scalability of the solution?

    We've upgraded without any major hiccups – I'd rate scalability a nine out of ten. We've smoothly transitioned from a lower-capacity appliance to a higher one. The current appliance supports 2.5 Gbps of traffic, and we're currently handling around 300-500 Mbps without issue. Scalability is definitely there; we've never faced any problems in that regard.

    We have approximately 500+ users. However, we also have applications hosted here, along with multiple IPC tunnels. We're using Netskope's Zero Trust Web DNA as well. So, 500+ users, but typical traffic averages around 300 to 400 Mbps.

    How are customer service and support?

    The customer service and support are really good. Trellix offers multiple contact options – you can call and get immediate assistance from someone in Israel, Singapore, Japan, or even India. Plus, they offer chat support through Teams or Webex.

    Trellix's documentation portal is also good.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We've used Forcepoint, NetFlow, SentinelOne, Trellix, Arista…some Splunk, and some Elastic as well. It's a mix of tools across different security domains.

    These are all security-focused products. Security is my primary focus.

    How was the initial setup?

    The initial setup was really straightforward. It took maybe a day to complete the upgrade. 

    We spent some time getting the prerequisites ready, which took a bit longer, but the actual deployment was very fast.

    So you just identify the network where you want to connect it and just plug it in. It only took half a day. 

    Therefore, the preparation took some time, but the deployment itself was quick.

    Handling upgrades:

    We have a practice where network device upgrades take priority - starting with the App Firewall and working our way through Web Proxy and so on. We avoid parallel endpoint upgrades as we've had challenges with those.

    Trellix releases sandbox system updates yearly, which are fine. Those don't require downtime. However, operating system upgrades are a factor. 

    We review KBR details thoroughly. Three or four months ago, we went from 9.1.4 to 9.1.5, and we're evaluating a possible upgrade to version 10, perhaps next month.

    Generally, we follow the n-1 version strategy. But if there are significant new features in a release, we might upgrade sooner. Overall, it's manageable – we upgrade frequently, and this particular solution hasn't caused downtime issues. Plus, we use DNS-based global [settings/configuration?], so downtime isn't a major concern.

    What about the implementation team?

    For the deployment process, we needed two or three engineers. The physical appliance mounting and setup require multiple people. Trellix's appliances are very heavy.

    What's my experience with pricing, setup cost, and licensing?

    The pricing is fair, a little expensive, but fair. We've evaluated other products, and they're similarly priced. It's a bit on the expensive side, but we don't want to compromise with cheap, less reliable solutions. 

    We want quality. It's like... you might not opt for the top-of-the-line Apple product, but Samsung is a good choice. We wouldn't go for an Oppo, VIVO or ASUS type of device.

    Overall, I would rate the pricing an eight out of ten, with one being expensive and ten being very cheap. 

    What other advice do I have?

    Overall, I would rate the solution a nine out of ten.

    Potential customers should definitely evaluate their specific use cases, budget, and commercial considerations. The product itself is good, there's no doubt. But it's essential to understand your use cases – then I'd definitely recommend it.

    Which deployment model are you using for this solution?

    On-premises

    Archie Scorgie

    Blocks traffic and DDoS attacks

    Reviewed on Feb 22, 2024
    Review provided by PeerSpot

    What is our primary use case?

    We use the solution in our servers and workstations for Endpoint Detection and Response. 

    What is most valuable?

    Over the thirteen years of using the product, we have not experienced a single compromise in our environment. During the COVID period, we faced numerous DDoS attacks, and the tool proved highly effective in mitigating these threats. The IP devices played a crucial role in blocking and reducing the amount of malicious traffic entering our company. Its endpoint security, EDR, and insights are valuable. The automation functionality, particularly the ability to automatically handle and mitigate detected threats, has proven to be immensely beneficial for our security operations.

    What needs improvement?

    Certain features in Trellix Network Detection and Response, such as using AL-type commands, may initially pose a challenge for those unfamiliar with such commands. However, once users become accustomed to the system, it becomes easier to use.

    For how long have I used the solution?

    I have been using the product for 13 years. 

    What do I think about the stability of the solution?

    I rate the product’s stability a nine out of ten. 

    What do I think about the scalability of the solution?

    We are using Trellix Network Detection and Response on approximately 3,500 servers and 33,000 workstations. I rate its scalability a ten out of ten. 

    How are customer service and support?

    We handle the first-line support for Trellix Network Detection and Response on our own, performing troubleshooting and maintenance. For more advanced issues, we rely on Trellix Network Detection and Response's classic support as the third-line support.

    How was the initial setup?

    The tool's integration with our existing security infrastructure was not difficult. Following the provided processes made the integration relatively straightforward. Its deployment was not difficult for us. We received support from Trellix professional services, which made the process smoother. The process took two months to complete. 

    What other advice do I have?

    I rate the tool a nine out of ten. 

    Which deployment model are you using for this solution?

    On-premises