Trellix Network Detection and Response Reviews

The solution has been in place for quite some time – three or four years. We've renewed it several times, and we upgraded from Gen 3 to Gen 4 hardware at one point as well.

Currently, it's integrated with our firewall and McAfee IPS. We also have network-based sandboxing deployed. It uses static and dynamic analysis engines, so we get alerts if malicious traffic is detected or harmful objects are downloaded.

We've been using their PX solution for packet capture, which is the core of their NDR functionality. But we haven't fully adopted the combined product – NX and PX  – yet because they are still separate. 

The storage requirements for raw packet capture, especially with our traffic levels, make it quite expensive.  And that's true for many security products. I feel like NDR is pretty expensive. 

However, this is especially true about raw packet capture for network telemetry – the storage requirements with RAID 0 become quite expensive, regardless of the solution.

We had a serious incident where an attacker attempted a web shell attack on one of our web servers [DevOps server]. We were able to identify that the hackers used a malicious script and tried to target specific files. The hacker also tried to make a copy of some files. 

We wanted to cross-reference that activity with the network traffic just to be sure there was no lateral movement. With Trellix, we easily confirmed that there was no lateral network involvement and that nothing else was infected. It helped us correlate the events and feel confident in our containment.

Trellix NDR was effective in that situation.

Morevoer, we've integrated this solution with our SIEM. There's a degree of integration provided by Trellix with their solution, and we're satisfied with that. However, without the SIEM, that's the extent of our integrations at the moment.

We're exploring further options due to organizational shifts towards the cloud, potentially moving away from a hybrid environment. We're assessing SaaS-based SIEM solutions. Trellix has its own offering, Helix, which we've evaluated and even purchased in the past. Ultimately, we discontinued its use. To summarize, our primary integration right now is with our SIEM.

The SIEM integrates well with our threat intelligence sources. We also have some secondary integrations in place. Overall, things are running smoothly.

We use the solution in our servers and workstations for Endpoint Detection and Response. 

Over the thirteen years of using the product, we have not experienced a single compromise in our environment. During the COVID period, we faced numerous DDoS attacks, and the tool proved highly effective in mitigating these threats. The IP devices played a crucial role in blocking and reducing the amount of malicious traffic entering our company. Its endpoint security, EDR, and insights are valuable. The automation functionality, particularly the ability to automatically handle and mitigate detected threats, has proven to be immensely beneficial for our security operations.

The primary use case for Trellix Network Detection and Response is network intrusion detection, which is crucial for protecting environments. It helps secure networks and defend against phishing and other attacks created by the networking sector. We use the solution for detection and forensics investigation, reporting incidents such as the source and network path of attacks.

Trellix NDR provides an essential defense by automatically responding to network incidents that firewalls may not catch. When users break firewall rules, the solution identifies affected areas for immediate action, helping determine the actual reason for attacks. Its ability to report incidents like network paths makes it invaluable in securing the environment. With eight years of experience, I can attest that Trellix NDR is effective in detecting and protecting networks.

In my company, the solution is used for our endpoints.

The product's integration capabilities are an area of concern where improvements are required.

We use FireEye Network Security to secure the internet link. The solution works as an inline sandbox. Additionally, it can scan and monitor all uploads and downloads, and internet browsed links.

The sandbox feature of FireEye Network Security is very good. The operating system itself has many features and it supports our design.

We implement this solution for our clients for the complete protection of their network.

It protects from signature-based attacks and signature-less attacks. The sandboxing technology, invented by FireEye, is very valuable. Our customers go for FireEye because of the sandboxing feature. When there is a threat or any malicious activity with a signature, it can be blocked by IPS. However, attacks that do not have any signatures and are very new can only be blocked by using the sandboxing feature, which is available only in FireEye. So, FireEye has both engines. It has an IPS engine and a sandbox engine, which is the best part. You can get complete network protection by using FireEye. 

I also like its logging method. Its logging is very powerful and useful for forensic purposes. You can see the traffic or a specific activity or how something entered your network and where it went.

The server appliance is good.

Technical packaging could be improved.

It would be helpful to receive access to the administration of the product.

I use the solution in my company's daily operations to conduct threat investigations.

The most valuable feature of the solution stems from how it allows users to do the investigation part. Another important part of the product that is valuable is associated with how it gives information to users in the form of a storyline.