This post is co-written with Martin Holste of Trellix.
Security teams face a constantly evolving universe of cybersecurity threats. These threats are growing in form factor, in sophistication, and in the attack surface they target. Constrained by limited talent and budget, teams are often forced to prioritize which events get investigated, which limits their ability to detect and identify new threats. Trellix Wise is an AI-powered technology that allows security teams to automate threat investigation and assign risk scores to events. With Trellix Wise, security teams can now complete in seconds what used to take multiple analysts to investigate, allowing them to expand the range of security events they can cover.
Trellix, a leading company delivering an AI-powered cybersecurity platform to more than 53,000 customers worldwide, emerged in 2022 from the merger of McAfee Enterprise and FireEye. The company's comprehensive, open and native security platform helps organizations build operational resilience against advanced threats. Trellix Wise is available to customers as part of the Trellix security platform. This post examines Trellix's adoption and evaluation of Amazon Nova foundation models (FMs).
With growing adoption and usage, the Trellix team has been exploring ways to optimize the cost structure of Trellix Wise investigations. Smaller, cost-effective FMs looked promising, and Amazon Nova Micro stood out as an option because of its quality and cost. In early evaluations, the Trellix team observed that Amazon Nova Micro delivered results three times faster and at almost 100 times lower cost.
The following figures show the results of tests comparing Amazon Nova Micro with other models on Amazon Bedrock.
The Trellix team identified areas where Amazon Nova Micro can complement its use of Anthropic Claude Sonnet, offering lower cost and higher overall speed. In addition, the Trellix Professional Services team found that Amazon Nova Lite was a strong model for code generation and code understanding, and is now using Amazon Nova Lite to accelerate its custom solution delivery workflows.
Trellix Wise: AI-generated threat investigation to help security analysts
Trellix Wise is built on Amazon Bedrock and uses Anthropic Claude Sonnet as its primary model. The platform uses Amazon OpenSearch Service to store billions of security events collected from monitored environments. OpenSearch Service comes with built-in vector database capability, which makes it straightforward to use the data stored in OpenSearch Service as context data in a Retrieval Augmented Generation (RAG) architecture with Amazon Bedrock Knowledge Bases. Using OpenSearch Service and Amazon Bedrock, Trellix Wise runs its automated threat investigation on each event. This includes retrieving the data required for the analysis, analyzing that data using insights from other custom machine learning (ML) models, and assigning a risk score. This approach allows the service to interpret complex security data patterns and make informed decisions about each event. A Trellix Wise investigation gives each event a risk score and lets analysts drill into the analysis results to determine whether human follow-up is necessary.
The following screenshot shows an example of an event on the Trellix Wise dashboard.
As adoption has scaled, Trellix has been evaluating ways to improve cost and speed. The Trellix team determined that not every stage of an investigation needs the accuracy of Claude Sonnet, and that some stages can benefit from faster, lower-cost models that are nevertheless highly accurate for the target task. This is where Amazon Nova Micro has helped improve the cost structure of investigations.
Improving investigation cost with Amazon Nova Micro, RAG and repeated inferences
The threat investigation workflow consists of multiple steps, from data collection through analysis to assigning a risk score to the event. The collection stage retrieves information related to the event for analysis. It is implemented as one or more inference calls to a model on Amazon Bedrock. The priority at this stage is to maximize the completeness of the retrieved data and minimize inaccuracies (hallucinations). The Trellix team identified this stage as the best place in the workflow to optimize speed and cost.
Based on its tests, the Trellix team concluded that Amazon Nova Micro offered two key advantages: its speed allows it to process 3-5 inferences in the time of a single inference to Claude Sonnet, and its inference cost is almost 100 times lower. The Trellix team determined that by running multiple inferences it can maximize coverage of the required data while still lowering costs by a factor of 30. Although the model's responses showed greater variability than those of larger models, running multiple passes allows it to reach a more exhaustive set of responses. Response constraints applied through proprietary prompt engineering and reference data limit the response space, which in turn limits hallucinations and inaccuracies in the response.
Before implementing the approach, the Trellix team ran detailed tests to check response completeness, cost and speed. The team realized early in its generative AI journey that standardized benchmarks are not sufficient when evaluating models for a specific use case. It set up a test harness that replicates the information collection flows and ran detailed evaluations of multiple models to validate the benefits of this approach before moving forward. The speed and cost benefits Trellix observed helped validate the approach before moving it toward production. The approach is now deployed in a limited pilot environment, and detailed evaluations are being carried out as part of a phased production rollout.
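As an added illustration (this is not Trellix's code and does not call the Amazon Bedrock API), the following Python harness shows the shape of the collection-stage experiment described above: fan out several cheap inferences concurrently, constrain each response to a reference vocabulary of allowed fields, union the constrained results, and compare completeness, cost and latency against a single pass of a larger model. The models are simulated in-process so the script runs offline; the field names, recall and noise rates, and the relative cost and latency figures are assumptions made for the simulation, not measurements.

```python
"""Harness for the 'many cheap passes vs. one expensive pass' collection strategy.

Everything here is simulated: SimulatedModel stands in for a Bedrock model call,
and the reference vocabulary and ground truth are constructed for the example.
"""
import random
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

# Constructed reference data (assumption): the only fields the collection step may
# return for a process-execution event. Anything outside this set is treated as a
# hallucination and dropped, mirroring a prompt constrained by reference data.
ALLOWED_FIELDS = frozenset({"src_ip", "dst_ip", "dst_port", "process",
                            "parent_process", "user", "sha256", "cmdline"})

# Constructed ground truth for one event: the fields a complete collection must recover.
GROUND_TRUTH = frozenset({"src_ip", "dst_ip", "dst_port", "process",
                          "parent_process", "user", "sha256"})


@dataclass(frozen=True)
class SimulatedModel:
    """Stand-in for a model. The numbers are illustrative assumptions, not vendor figures."""
    name: str
    recall: float    # chance that each ground-truth field appears in one pass
    noise: float     # chance that a pass also emits a field outside the reference vocabulary
    cost: float      # relative cost per call
    latency: float   # relative latency per call

    def infer(self, seed: int) -> set[str]:
        """One 'inference': a seeded random subset of the truth, plus occasional noise."""
        rng = random.Random(seed)
        fields = {f for f in GROUND_TRUTH if rng.random() < self.recall}
        if rng.random() < self.noise:
            # Deliberately outside ALLOWED_FIELDS so constrain() will reject it.
            fields.add(f"registry_key_{rng.randrange(100)}")
        return fields


def constrain(response: set[str], allowed: frozenset[str] = ALLOWED_FIELDS) -> tuple[set[str], int]:
    """Limit the response space to the reference data. Returns (kept fields, number dropped)."""
    kept = {f for f in response if f in allowed}
    return kept, len(response) - len(kept)


def collect(model: SimulatedModel, passes: int, seed: int = 0) -> dict:
    """Fan out `passes` concurrent inferences, constrain each one, and union the results."""
    with ThreadPoolExecutor(max_workers=passes) as pool:
        raw = list(pool.map(model.infer, range(seed, seed + passes)))
    union: set[str] = set()
    dropped = 0
    for response in raw:
        kept, n = constrain(response)
        union |= kept
        dropped += n
    return {
        "model": model.name,
        "passes": passes,
        "fields": union,
        "coverage": len(union & GROUND_TRUTH) / len(GROUND_TRUTH),
        "dropped": dropped,                 # hallucinated fields removed by the constraint
        "cost": passes * model.cost,        # cost scales with the number of passes
        "latency": model.latency,           # passes run concurrently (assumes no throttling)
    }


def compare(strategies, seed: int = 0) -> list[dict]:
    """Evaluate a list of (model, passes) strategies on the same seeded event."""
    return [collect(model, passes, seed) for model, passes in strategies]


# Illustrative models: the large one is accurate and expensive, the small one is cheap,
# faster and noisier. Ratios loosely follow the 3x speed / ~100x cost figures in the post
# but are assumptions for the harness, not measurements.
LARGE = SimulatedModel("large", recall=0.97, noise=0.02, cost=100.0, latency=3.0)
SMALL = SimulatedModel("small", recall=0.75, noise=0.15, cost=1.0, latency=1.0)

if __name__ == "__main__":
    for r in compare([(LARGE, 1), (SMALL, 1), (SMALL, 5)]):
        print(f"{r['model']:5} x{r['passes']}  coverage={r['coverage']:.2f}  "
              f"dropped={r['dropped']}  cost={r['cost']:.0f}  latency={r['latency']:.0f}")
```

The point of the harness is the comparison it makes possible rather than any single number: run it across several seeds (several events) and you get the completeness, hallucination count and cost of the multi-pass cheap strategy side by side with the single expensive pass, which is the kind of use-case-specific evaluation that generic benchmarks do not give you. Replacing `SimulatedModel.infer` with a real model call and `ALLOWED_FIELDS` with the schema of your event store turns it into a real evaluation.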
Conclusion
In this post, we shared how Trellix adopted and evaluated the Amazon Nova models, resulting in significantly faster inference and lower costs. Reflecting on the project, the Trellix team recognizes the following as key enablers that allowed it to achieve these results:
- Access to a wide range of models, including highly capable smaller models such as Amazon Nova Micro and Amazon Nova Lite, accelerated the team's ability to easily experiment with and adopt new models as appropriate.
- The ability to constrain responses to avoid hallucinations: using pre-built, use-case-specific scaffolding that incorporated proprietary data, processes and policies reduced the risk of hallucinations and inaccuracies.
- Data services that allowed effective integration of data alongside the foundation models simplified implementation and reduced the time to production for new components.
“Amazon Bedrock makes it easy to evaluate new models and approaches as they become available. Using Amazon Nova Micro alongside Anthropic Claude Sonnet allows us to offer our customers the best coverage, fast, and at the best operational cost,” says Martin Holste, Senior Director of Engineering, Trellix. “We are very happy with the flexibility that Amazon Bedrock gives us as we continue evaluating and improving Trellix and the Trellix security platform.”
Get started with Amazon Nova in the Amazon Bedrock console. Learn more on the Amazon Nova product page.
About the authors
Martin Holste is the CTO for Cloud and GenAI at Trellix.
Header is a principal product manager at Amazon AGI.
Deepak Mohan is a principal product marketing manager at AWS.