
DATA SHEET

Trellix® Endpoint Detection and Response (EDR)

Powerful threat detection, investigation, and response enhanced with AI

Key Benefits

- Provides high-quality actionable threat detection without the noise
- Offers proactive insight on threats before the attack
- AI automatically correlates alerts and attacker TTPs to previous breaches
- Uses AI-guided investigations to provide analysts with machine-generated insights into attacks
- 1-click report generation so you can close investigations fast
- Simplified deployment using Trellix® ePO software or SaaS-based ePO
- Enables analysts to focus on strategic incident response without burdensome administration overhead

Overview

Adversaries maneuver in covert ways, camouflaging their actions within trusted components already in your environment. They don't always install something tangible like malware, but they always leave behind a behavioral trail. Trellix Endpoint Detection and Response (EDR) continuously monitors and gathers data to provide the visibility and context needed to detect and respond to threats. But current approaches often dump too much information on already stretched security teams.

Trellix EDR helps manage a high volume of alerts, empowering analysts of all skill levels to investigate more alerts, more effectively. Unique to Trellix EDR is Trellix® Insights,* the first technology to proactively prioritize threats before they affect your organization and simultaneously predict if your countermeasures will stop them, all while prescribing exactly what you need to do if they won't.

Strengthen, accelerate, and simplify EDR

Trellix EDR reduces mean time to detect and respond to threats by enabling all analysts to understand alerts, fully investigate, and quickly respond. Advanced analytics broaden detection and make sense of alerts. Trellix Wise™ artificial intelligence (AI) reduces security analyst burnout with automated investigation, alert correlation, and report generation.

Detect advanced endpoint threats & respond faster

Without the right data, context, and analytics, EDR systems either generate too many alerts or miss emerging threats, wasting precious time and resources without improving security. Trellix EDR offers always-on data collection and multiple analytic engines throughout detection and investigation stages to help accurately surface suspicious behavior, make sense of alerts, and inform action.

*Trellix Insights requires Trellix Endpoint Security telemetry (opt-in) to function properly. If you do not want to provide this telemetry, you should not choose this product, as you won't be able to receive full value.

Gain context and visibility
Endpoint event information is streamed to the cloud, providing the
context and visibility necessary to uncover stealthy threats. Endpoint
information is available for immediate inspection, real-time search, and
historical search. Flexible data retention options support the varied needs
of diverse security operations teams and organizations.

Obtain new, proactive context from Trellix Insights

Dashboard notifications or email alerts on prioritized campaigns are defined by the Trellix® Intelligent Sandbox. You also get campaign information, local assessment of systems, prediction of potential impact to your EPP, and prescriptive guidance to prevent breaches. This allows analysts to get ahead of adversaries. It takes a fraction of the time and resources to prioritize, predict, and prescribe compared to penetration testing with red/blue team exercises. These three Ps are automated, to notify your team about threats before the attack. What used to take weeks can take minutes, shifting your SOC team from reactive to proactive.

Uncover more with powerful cloud-based analytics
Analytics engines inspect endpoint activity to uncover a broad spectrum
of suspicious behavior and detect threats—from file-based malware
to fileless attacks—that have slipped by other security defenses.
Cloud-based deployment enables rapid adoption of new analytic engines
and techniques.

Think like an attacker

Behavior-based detection results map to the MITRE ATT&CK® framework,
supporting a more consistent process to determine the phase of a threat
and its associated risk, and to prioritize a response.


Easily navigate
Alert ranking further helps analysts understand risk severity and
formulate an appropriate response. Flexible data display and visualization
at this stage help analysts with different levels of experience easily
navigate the data to quickly understand why an alert was raised and
determine next steps: dismiss, respond, or investigate.

Respond with speed
Trellix EDR preconfigured responses enable immediate action. Your team
can easily contain threats by killing a process, quarantining a machine,
and deleting files. Analysts can act on a single endpoint or scale response
to the entire estate with a single click.

AI automates investigation, speeds response
If immediate response to an alert and root cause of the incident is not
obvious—and often it is not—security analysts must step outside their
EDR solution and investigate to truly understand all the facets of a
complex threat or campaign and the associated risk.

EDR solutions traditionally enable investigations by providing raw data,
context, and search functions, but still require knowledgeable analysts to
perform the inquiry and analysis. Experienced analysts often do not have
time to validate and investigate numerous alerts, while inexperienced
analysts may not know where to start.

With Trellix EDR, analysts at any level can take the next step and rapidly
investigate with Trellix Wise. Wise guides investigations, correlates threat
activity, and automates manual tasks such as report generation.

Dynamic investigation guides
Combining the expertise of Trellix® forensic investigators with AI,
investigation guides in Trellix EDR force-multiply the investigation
process, exploring many hypotheses in parallel for maximum speed
and accuracy. Unlike playbooks that automate scripted tasks for known
threats, investigation guides dynamically adjust to each case, combining
different investigation strategies and data. Trellix EDR automatically
asks and answers questions to prove or disprove the hypotheses. Trellix
EDR automatically gathers, summarizes, and visualizes evidence from
multiple sources and iterates as the investigation evolves.


Broad data collection and local relevancy

The AI-powered investigation engine gathers and processes artifacts and
complex event sequences—from endpoints, security information and
event management (SIEM) systems, and Trellix Insights—to make sense
of alerts. Trellix EDR compares evidence against known normal activity
for each organization and threat intelligence sources to improve local
relevancy and reduce false positives. Trellix Wise automatically correlates
alerts, related breaches, and attacker TTPs, and provides recommended
next steps.

Different views for different users
The flexible data display applies the appropriate lens for users with
different levels of experience, so all analysts can quickly understand how
artifacts and events are connected without pivoting to multiple screens.

AI-enhanced investigations
Trellix EDR with Wise automatically collects and correlates related
breaches, artifacts, network connections, and more into a visual graph
to accelerate investigation. Wise provides detailed recommendations
of next steps to take based on the nature and severity of the threat
identified, cutting down response time. It also provides one-click report
generation so analysts can focus on security instead of paperwork.


Trellix EDR reduces the expertise and effort needed to perform
investigations and increases the speed with which analysts can
determine the risk of the incident and its root cause. At an organizational
level, the benefits multiply. Each analyst can be more efficient, more cases
can be dispositioned by junior analysts, and senior analysts can spend
time on the highest value activities.

The right data at the right time for the task at hand
In addition to guided investigation, analysts and threat hunters can use
the powerful Trellix EDR search and data collection capabilities to expand
inquiries across systems, and look deeply into and across those systems.

Historical search
The comprehensive and always-on data collection feature streams
endpoint event information from all monitored systems to the cloud.
Analysts can search this centralized data—regardless of online or
offline status of endpoints—to find indicators of compromise (IoCs) and
indicators of attack that may be present along with deleted files.

Real-time search
For active incident inquiries, real-time search reaches out to endpoints
across your estate to quickly query for up-to-the-moment information.
Flexible syntax enables capabilities like simple queries for searching
workstations. You can also run more complex searches that return more
data from the workstation, such as identifying a user at the time of event,
command-line execution, and when the suspected application was
started. Trellix EDR can easily scale queries across the enterprise to tens of
thousands of machines.

On-demand data collection
To support investigations, Trellix EDR can take a snapshot of an
endpoint, capturing a comprehensive view of active processes, network
connections, services, and autorun entries. Trellix EDR provides associated
severity and additional information, such as hash, reputation, and the
parent process/service/user that executed a suspect file. Enabled by a
non-persistent data collection tool, snapshots can be captured on both
monitored and non-monitored systems.

Trending campaigns
Orchestrated and targeted attacks (based on region or industry) are
alerted upon, identifying IoCs to proactively search for with Trellix EDR.
This empowers the analyst to execute proactive searches before the
attacks occur.

Integration expands visibility, increases operational efficiency, and improves outcomes
Trellix EDR is a key component of an integrated security ecosystem.
It extends endpoint protection capabilities and visibility while supporting
the workflows and processes of the security team. You can also use the
solution to help reduce mean time to detect and respond and increase
operational efficiency.

Correlate data from across the enterprise for complete visibility

Collaboration and easy integration with data sources beyond the endpoint are key to closing data gaps for multifaceted threat investigations. Tight integration with network solutions, such as Trellix Network Detection and Response, enables Trellix EDR to expand investigation capabilities and insights. It does so by correlating endpoint artifacts with network information and other data collected.

Figure 1. The Trellix Insights dashboard automatically surfaces threats that matter and guidance on what to do before the attack. It offers additional EDR insights to accelerate investigation and response efforts. (Dashboard callouts shown in the figure: "Can you predict if my countermeasures would stop this threat?"; "Predict and prioritize breaches by IoCs from these three campaigns."; "What IoCs are associated with this threat?"; "Can you prescribe exactly what I need to do to fix my countermeasures?")

- Trellix EDR leverages the proactive context on new outside threats provided by Trellix Insights, accelerating investigation and remediation efforts.
- Trellix Insights alerts you to potential campaigns, prioritized according to whether they are targeting your sector or geographies. It predicts which endpoints lack protection against the campaigns and what to do to improve this threat detection. It also informs analysts of campaign attack operation and the objective of attack, and provides strategic and mitigation advice across countermeasures. Trellix Insights gives your organization a complete set of IoCs to proactively search for with Trellix EDR. Analysts can execute proactive searches or use other tools to carry out further research.
- If Trellix Insights telemetry shows that you might be affected by a campaign, it will pivot to where information is automatically populated. A complete set of campaign IoCs is provided with each campaign, greatly speeding investigation of potential breaches.

Support team collaboration and workflows
Trellix EDR plugs into current security operations workflows and supports
collaboration by sharing investigation data and updates through security
incident response platforms.

Scalable, simple deployment
Trellix EDR is available as a software as a service (SaaS) application.
Management with Trellix ePO—the industry’s foremost centralized
security management platform—simplifies deployment and ongoing
maintenance of Trellix EDR and your entire security infrastructure.
Now available both on-premises and in the cloud, Trellix ePO offers
management flexibility to fit diverse organizational needs.

Figure 2. Trellix EDR with Wise investigates for you. It automatically collects
artifacts and presents the key findings. This visualization clarifies relationships and
speeds analyst understanding.


Figure 3. Trellix Insights offers IoCs of a high-priority threat, with an option to search in Trellix EDR.

Looking for managed endpoint detection and response?
An MDR security service is a 24x7 security team that often includes
a range of fundamental security activities. MDR services combine
advanced analytics, threat intelligence, and human expertise in incident
investigation and response deployed at the host and network levels. Our
certified partners offer 24x7 critical alert monitoring, managed threat
hunting, advanced investigations, and response to significantly improve
your security posture.

To learn more about Trellix, visit trellix.com.

Copyright © 2024 Musarubra US LLC
