What is our primary use case?
Trellix Cloud Workload Security offers use cases including data center or cloud to cloud, multi-cloud, and hybrid multi-cloud visibility. Zero-day defense and ransomware protection are also highlighted as use cases. When these terms attract clients, they naturally question what specific zero-day or ransomware defense capabilities are being provided. Ultimately, the product utilizes UEBA only, which is adaptive threat protection tier only, or behavior analysis only, yet these terms are still claimed as use cases.
The first use case is hybrid multi-cloud capabilities. The second is ransomware and zero-day defense. Trellix Cloud Workload Security is also very effective with microservices, product services, such as Kubernetes and container services. Microsegmentation is another strong use case because these products make it very easy to perform microsegmentation and visualization of traffic, and they have a very nice user interface. All of these are part of cloud security posture management, which encompasses configuration management, risk, priority, compliance, and governance.
Multi-cloud visibility and integration with DevOps workflow are also tasks and activities underneath security posture management. In summary, the primary use cases are security posture management, network microsegmentation and segmentation, ransomware defense or zero-day defense, microservices defense including containers or Kubernetes security and containers and orchestration security, and hybrid multi-cloud visibility.
How has it helped my organization?
The installation process of Trellix Cloud Workload Security is very easy because the ePolicy Orchestrator is integrated. When an orchestrator is present, it becomes very easy to deploy the solution. An orchestrator allows visibility of the overall strength and identification of which machines, servers, and equipment have been started and are capturing data. Balance and gap analysis become very easy to identify. The ePolicy Orchestrator is very good in deployment and installation. It is easy and not that much tough. If the deployment manual is followed, then installation is pretty straightforward.
What is most valuable?
The advantages of Trellix Cloud Workload Security are reflected in the use cases mentioned, as those are all definitely the advantages. The product is heterogeneous and can be used for Azure, AWS, open source or OpenStack cloud, and VMware. All of these can be put into a single console, which is the reason many organizations are moving to third-party solutions, especially Palo Alto's Panorama which offers 360-degree visibility. Trellix Cloud Workload Security has a similar single console approach with something called ePolicy Orchestrator, which is the McAfee EPO that has been very popular since around 2000 to 2001. The product has a very nice user interface that consolidates all heterogeneous computing into a single pane of glass.
Defense in depth is one of the advantages of Trellix Cloud Workload Security. Reporting is another significant advantage because when everything is consolidated in a single pane of glass, it becomes very easy to provide reporting. The reporting includes benchmarks such as ISO 27001, CIS benchmarks, PCI DSS, and HIPAA compliance reporting.
Automated threat detection is obviously important in Trellix Cloud Workload Security. Threat intelligence is critical because the visibility and data being generated must feed into day-to-day activities. For example, if a CIO requests a report on traffic between specific workloads, Trellix Cloud Workload Security can provide information about what workloads exist and the traffic flow among them. When an organization is capable of providing this information, it should also be able to score risk. Risk scores can be calculated based on location, availability zones, and other information to create automated responses. Threat intelligence is what enables XDR or SOAR to perform this process.
In essence, the network traffic and all data received from any tool must be fed into the threat intelligence server of EPO, which provides a comprehensive workload traffic data report with risk scores organized by availability zones, reasons, locations, and other information. DevSecOps integration is part and parcel of cloud security posture management in Trellix Cloud Workload Security. When any security tool is integrated with DevOps, that framework is called DevSecOps, where Dev means development, Sec means security, and Ops means operations.
Trellix ePolicy Orchestrator is very good in services and has a service called SIEM and XDR service, which stands for Security Information and Event Manager and Extended Defense and Response. When someone is providing SIEM and XDR, they should also provide SOAR, which automates the events captured in SIEM. The ePolicy Orchestrator has a very nice tool for SIEM, XDR, and SOAR services. When SIEM and SOAR are present, threat intelligence enrichment should be there as well. Threat intelligence server or threat intelligence manager functionality must be present to create a SOAR solution. SOAR is nothing but an automation of events that are detected in the systems and automatically resolved with the help of SOAR. To build that SOAR capability, a threat intelligence server is needed.
Runtime protection in Trellix Cloud Workload Security is nothing but microservices. Microservices is runtime protection because these are SDKs provided by the vendor. When the vendor provides SDKs for anyone to manage, then runtime protection is also supported. Runtime security means you cannot configure security separately because you must do it during the runtime. This applies to containers, microservices, and Kubernetes security, which all deal with runtime security.
The dashboard is impressive as the user interfaces are very nice. AWS and Azure are different platforms, yet Trellix Cloud Workload Security shows all these platforms in a single website and single dashboard. Whoever is capable enough to bring that information onto a single screen can also bring single monitoring and control. This is one of my favorites. Even Palo Alto Panorama is very good, and similarly, the ePolicy Orchestrator console is very effective.
What needs improvement?
The disadvantages of Trellix Cloud Workload Security include some global aspects where minor improvements could be done. When doing pairwise comparisons between products on the same topic, such as posture management and how it is managed in Palo Alto, Check Point, Symantec, and Trellix, certain gaps emerge. One key limitation is that Trellix Cloud Workload Security will not provide support for China and Russia based cloud vendors. If a customer is an enterprise or global enterprise customer, this product cannot be suggested because the company does not deal with China's cloud providers. China has very good cloud options such as Alibaba Cloud and Tencent, and Trellix Cloud Workload Security does not support these platforms.
Another limitation is related to CNAPP capabilities. In comparison with other CNAPP vendors, Trellix Cloud Workload Security has some drawbacks. The product does not provide full-fledged CNAPP like others do. It provides only top-level or top-layer information and lacks in-depth CNAPP capabilities, which is a key limitation.
Regarding SIEM functionality, Trellix Cloud Workload Security has a native SIEM component, but it appears to be using a third-party SIEM functionality. The company is not providing their own SIEM tools but rather receiving a third-party tool and managing it. This is a disadvantage because the integration will not be as perfect as it would be with a native solution. The SIEM tool integration presents a problem.
Pricing is another significant disadvantage, especially for small and medium-sized enterprises. SMEs will likely not choose Trellix Cloud Workload Security because it is very expensive. The product is not prominent in the Gartner market share rankings, and the numbers are very small. Trellix Cloud Workload Security is not competing with market leaders such as SentinelOne, which has a 5% market share. The company claims CWPP, which stands for Cloud Workload Platform Protection, but the market share is very small.
The reason market share is less is because service-oriented companies with service-oriented mindsets look at who is providing the best services. They consult Gartner reports or Forrester reports, and if Trellix Cloud Workload Security is not present in those reports, they may not suggest this product to customers. Additionally, the product is expensive for SMEs, although enterprise customers can afford it. The minimum 25 user bundle requirement means licensing is sold in basic tiers of 25 users at a time.
For how long have I used the solution?
I have been using Trellix Cloud Workload Security for about three to five years.
What do I think about the stability of the solution?
The stability of Trellix Cloud Workload Security differs from customer to customer and is nothing to do with the product itself. It is related to the infrastructure, such as HVAC and cooling systems, power supply, backup systems, and UPS functionality. Many factors are involved in maintaining a software system at 99.9% runtime.
What do I think about the scalability of the solution?
Trellix Cloud Workload Security is scalable.
How are customer service and support?
The customer service and support for Trellix Cloud Workload Security is very good. The support is particularly strong as far as APAC is concerned.
What was our ROI?
Regarding return on investment for Trellix Cloud Workload Security, I would say that 20 to 30% would be the expected range, and nothing beyond that. The time to detect or resolve is a concern, and I am not fully satisfied with that aspect. This is the reason some customers reject the product. While the product has efficient capabilities and the benchmarking related features are very good, benchmarking will not be counted in ROI calculations. ROI is calculated based on various parameters related to security, such as the absence of any issues or especially malware related issues. Based on these criteria, I would say the ROI is 20 to 30%.
Which other solutions did I evaluate?
Regarding the price and licensing model of Trellix Cloud Workload Security, it is expensive for small and medium-sized enterprises. The product has SKUs such as basic, essentials, and advanced tiers based services, but it is still expensive for SME companies. When suggested to customers, many have said no and picked up something else. Some customers have even picked SentinelOne instead, even though SentinelOne is more pricey than Trellix Cloud Workload Security. The company has a minimum 25 user bundle requirement, which is why they sell their license in basic tiers of 25 users and upward.
What other advice do I have?
Trellix Cloud Workload Security is scalable. My overall review rating for this product is 8.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)