This post was co-authored with Martin Holste of Trellix.
Security teams are dealing with an evolving universe of cybersecurity threats. These threats are growing in form factor, sophistication, and the attack surface they target. Teams constrained by talent and budget are often forced to prioritize which events they pursue for investigation, limiting their ability to detect and identify new threats. Trellix Wise is an AI-powered technology that allows security teams to automate threat investigations and attach risk scores to events. Trellix Wise lets security teams complete in seconds investigations that would otherwise occupy multiple analysts, expanding the set of security events they can cover.
Trellix, a leading company that offers one of the broadest ranges of AI-powered cybersecurity platforms to over 53,000 customers worldwide, emerged in 2022 from the merger of McAfee Enterprise and FireEye. The company’s comprehensive, open, natively AI-powered security platform helps organizations build operational resilience against sophisticated threats. Trellix Wise is available to customers as part of the Trellix security platform. In this post, we discuss Trellix’s adoption and evaluation of the Amazon Nova foundation models (FMs).
With increasing adoption and use, the Trellix team is looking for ways to optimize the cost structure of Trellix Wise investigations. Smaller, cost-effective FMs looked promising, and Amazon Nova Micro stood out as an option because of its quality and cost. In an early evaluation, the Trellix team observed that Amazon Nova Micro provided inference 3x faster and at almost 100x lower cost.
The following diagram shows the results of a Trellix test comparing Amazon Nova Micro with other models available on Amazon Bedrock.
The Trellix team has identified areas where Amazon Nova Micro can complement its use of Anthropic’s Claude Sonnet, providing lower cost and higher speed. Additionally, Trellix’s professional services team has found that Amazon Nova Lite is a powerful model for code generation and code understanding, and is currently using Amazon Nova Lite to speed up custom solution delivery workflows.
Trellix Wise: generative AI-powered threat investigation for security analysts
Trellix Wise is built on Amazon Bedrock and uses Anthropic’s Claude Sonnet as its main model. The platform works over billions of security events collected from the monitored environment and stored in Amazon OpenSearch Service. OpenSearch Service includes vector database capabilities, which makes it easy to use data stored in OpenSearch Service as contextual data for a Retrieval Augmented Generation (RAG) architecture with Amazon Bedrock Knowledge Bases. Using OpenSearch Service and Amazon Bedrock, Trellix Wise performs its automated threat investigation steps for each event. These steps include obtaining the data needed for analysis, analyzing that data using insights from other custom-built machine learning (ML) models, and risk scoring. This approach allows the service to interpret complex security data patterns and make informed decisions about each event. The Trellix Wise investigation assigns each event a risk score, allowing analysts to drill into the analysis results and determine whether human follow-up is necessary.
The following screenshot shows an example of an event on the Trellix Wise dashboard.
With increasing adoption, Trellix is evaluating ways to improve cost and speed. The Trellix team judged that not every stage of the investigation requires Claude Sonnet’s level of accuracy, and that those stages could benefit from a faster, lower-cost model that is highly accurate for the target task. This is where Amazon Nova Micro helped improve the cost structure of its investigations.
Improving investigation costs with Amazon Nova Micro, RAG, and repeated inference
The threat investigation workflow consists of multiple steps, from data collection to analysis to assigning a risk score to each event. The collection stage retrieves event-related information for analysis. It is implemented through one or more inference calls to models on Amazon Bedrock. The priority at this stage is to maximize the completeness of the retrieved data and minimize inaccuracy (hallucination). The Trellix team identified this stage as the best candidate in its workflow for optimizing speed and cost.
Based on its testing, the Trellix team concluded that Amazon Nova Micro offered two important benefits: its speed allows 3-5 inferences to complete in the time of a single Claude Sonnet inference, and its cost per inference is almost 100 times lower. The Trellix team determined that by performing multiple inferences it could maximize coverage of the data needed while reducing costs by 30 times. Although the model’s responses vary more than those of larger models, the team determined that multiple passes produce a more thorough response set. Constraining responses through proprietary prompt engineering and reference data narrows the response space and limits hallucinations and inaccuracies in the responses.
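The collection pattern described above, repeated cheap inferences whose answers are constrained to reference data and then unioned for coverage, as an added illustration in Python. This is not Trellix’s code and not an Amazon Bedrock API; the reference event IDs, the scripted model responses (including one hallucinated ID and one malformed reply), and the helper names are all constructed for the example.

```python
"""Repeated inference with a small model for the data-collection stage.

Added illustration (not Trellix's code): a single pass of a small, fast model
may miss related items or invent ones that do not exist. Several passes,
each filtered against a reference set of items that actually exist, are
unioned to maximize coverage while dropping hallucinated identifiers.
"""
import json
from collections import Counter
from typing import Callable, Iterable

# Constructed reference data: event identifiers that really exist in the
# (hypothetical) event store. Anything the model names outside this set is
# treated as a hallucination and dropped rather than passed to analysis.
REFERENCE_EVENT_IDS = {"evt-1001", "evt-1002", "evt-1003", "evt-1004", "evt-1005"}


def parse_model_output(text: str) -> list[str]:
    """Parse a response that should be a JSON list of event IDs.
    Malformed output (a common small-model failure mode) yields []."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, list):
        return []
    return [str(item) for item in data]


def collect_related_events(
    infer: Callable[[str], str],
    prompt: str,
    reference_ids: Iterable[str],
    passes: int = 4,
) -> dict:
    """Run `infer` `passes` times, keep only IDs present in `reference_ids`,
    and return the union plus how many passes agreed on each ID."""
    allowed = set(reference_ids)
    votes: Counter = Counter()    # accepted IDs -> number of passes naming them
    dropped: Counter = Counter()  # rejected (unknown) IDs -> occurrences
    for _ in range(passes):
        for event_id in set(parse_model_output(infer(prompt))):
            if event_id in allowed:
                votes[event_id] += 1
            else:
                dropped[event_id] += 1
    return {
        "events": sorted(votes),
        "agreement": dict(votes),
        "dropped": dict(dropped),
        "passes": passes,
    }


# Constructed stand-in for a small-model inference call. Each call returns a
# different partial answer; one names an ID that does not exist, and one is
# not JSON at all, mimicking response variance and hallucination.
SCRIPTED_RESPONSES = [
    '["evt-1001", "evt-1002"]',
    '["evt-1002", "evt-1003", "evt-9999"]',  # evt-9999 is not in the reference data
    '["evt-1001", "evt-1004"]',
    "not json at all",                       # malformed output is ignored
]


def make_scripted_infer(responses=SCRIPTED_RESPONSES) -> Callable[[str], str]:
    """Return an infer() function that cycles through the scripted responses."""
    it = iter(responses * 100)
    return lambda prompt: next(it)


def demo() -> dict:
    """Four passes over the scripted model; a single pass would have found
    only two related events, the union finds four and rejects evt-9999."""
    infer = make_scripted_infer()
    return collect_related_events(
        infer, "List event IDs related to alert A", REFERENCE_EVENT_IDS, passes=4
    )


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To use this against a real model, replace `make_scripted_infer` with a function that sends the prompt to your model endpoint and returns its text; the `agreement` counts are a cheap signal for which retrieved items deserve a second look before the more expensive analysis stage.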
Before implementing the approach, the Trellix team conducted detailed tests to measure the completeness, cost, and speed of the responses. The team recognized early in its AI journey that standardized benchmarks were not sufficient for evaluating models against a particular use case. A test harness was set up to replicate the information-gathering workflow, and detailed evaluations of multiple models were performed to examine the benefits of this approach before moving forward. The speed and cost improvements observed by Trellix helped validate the benefits before the new approach was moved toward production. Today, this approach is deployed in a limited pilot environment, and detailed evaluation continues as part of a gradual expansion into production.
Conclusion
In this post, we shared how Trellix adopted and evaluated the Amazon Nova models, resulting in significantly faster and lower-cost inference. Reflecting on the project, the Trellix team recognizes the following as key enablers of these results:
- Access to a wide range of models, including small, capable models such as Amazon Nova Micro and Amazon Nova Lite, made it easy to experiment with and adopt new models when needed.
- Using pre-built, use case-specific scaffolding that incorporates the team’s own data, processes, and policies to constrain responses reduced the risk of hallucinations and inaccuracies.
- Data services that enable effective data integration alongside the foundation models simplified implementation and reduced the time to production for new components.
“Amazon Bedrock makes it easy to evaluate new models and approaches as they become available,” said Martin Holste, senior director of engineering at Trellix. “Using Amazon Nova Micro together with Anthropic’s Claude Sonnet gives us a comprehensive view of the latest trends in the industry, so we can provide the best coverage for our customers. As we continue to evaluate and improve Trellix Wise and the Trellix Security Platform, we are truly pleased with the flexibility that Amazon Bedrock allows us.”
Get started with Amazon Nova in the Amazon Bedrock console. For more information, visit the Amazon Nova product page.
About the authors
Martin Holste is CTO of Cloud and GenAI at Trellix.
Firat Elbey is a lead product manager for Amazon AGI.
Deepak Mohan is a lead product marketing manager at AWS.