Trellix CEO Bryan Palma: Our XDR Is The ‘Most Comprehensive In The Market’

In an interview with CRN, Palma also says that the company isn’t focused on pursuing an IPO in the near future, but does have its eye out for potential acquisitions over the next 12 months.

Palma On The Record

Whenever Bryan Palma has a conversation these days with a CIO or CISO about security operations — the day-to-day work of monitoring and responding to security alerts — he hears the same thing. Everyone reports that “they have a lot of pain around security operations,” Palma said, both from outdated tooling and the massive shortage of cybersecurity talent. Palma’s company, Trellix, is among those that believe the answer is extended detection and response (XDR) — a more modern approach to security operations that aims to offer enhanced correlation of data across tooling and, ultimately, better prioritization of threats.

More and more customers today recognize that while their security information and event management (SIEM) system may have been fine years ago, it’s no longer sufficient, Palma said. Looking ahead, “I think there’s going to be a big replacement of SIEM and an upgrade to much more modern technology — next-gen SecOps or XDR,” he said.

Palma, formerly a Cisco Systems veteran, has been the CEO of Trellix since it was formed in early 2022. Following the merger of McAfee Enterprise and FireEye in 2021, the combined company was split into two parts, with the endpoint security and XDR business becoming Trellix (and the remaining security service edge business becoming Skyhigh Security).

In a recent interview with CRN, Palma contended that while XDR may be the best answer right now to the security operations crisis, not all XDR is created equal. The Trellix XDR platform stands out by bringing together proven endpoint security technology (both endpoint protection and endpoint detection and response technologies) with security operations and analytics (from the FireEye Helix platform) and data protection technologies, according to Palma. That’s a combination that makes the Trellix XDR platform “the most comprehensive in the market,” he said. “We don’t see anybody else that has those three [capabilities in XDR].”

Palma also discussed the recently launched Trellix Xtend partner program, why an IPO from Trellix is not a probability in the near future and why acquisition activity will be a lot more likely from the company. “We do think over the next 12 months, there may be some opportunities to pick up some great companies,” he said.

What follows is an edited portion of CRN’s interview with Palma.

What can you say about your new partner program, and how that’s a step forward for Trellix?

We’re “one Trellix” now, and so we went from two partner programs to a single partner program. That coincided with a lot of changes we’ve been making inside the company as well, around bringing our price book together and doing a lot of things to make it easier [for partners].

Our No. 1 goal is we want to become much more partner- and channel-friendly. Not that we weren’t, but I’m not sure there was always the strategic focus on it that I believe in. And that is really important to the success of Trellix. So part of that is creating a great partner experience with our global partners, making sure that they’ve got 24/7 support, that they’ve got access to sales resources. We’ve created a new enablement program. And then also really, how do we use that enablement and that content to help them create demand for us? That’s really the biggest piece of the puzzle that we’re focused on — creating demand and co-creating demand with our partners. That’s something I think we can do a lot more of.

And then ultimately, how do we do the service delivery and how do we help the partners be trusted advisors to the customer? I think that’s where we’re seeing the biggest move in the market — many of these partners that maybe historically were transactional, are now much more in an advisor role, and they’re providing services that are high value-add. They’re going beyond what we’ve seen with traditional partners.

How does being “one Trellix” and having a single partner program help you to accelerate your growth?

It absolutely helps us [because] our focus is to be the XDR market leader. And to be the XDR market leader, we have multiple products that come together to form that XDR platform. So by being able to work across the two former companies and be one Trellix, we’re able really to get the full breadth of that portfolio out to our partners. As they’re working with our customers, there’s obviously lots more opportunity for cross-sell and for upsell. I think additionally to that, there’s a lot of opportunity for them to wrap consulting, professional services, managed services around what we do. We’re not interested in being in that business. A lot of our competitors are. You probably saw our recent announcement with Trustwave around using them for MDR. You’ll see some additional [announcements] leading up to RSA with some other partners. But I feel pretty strongly that having these great partners who can come in and do the services is really an advantage for us and for our customers. Some of our competitors want to do that work natively. We take a different approach. And we think it’s better for the folks that are focused on services and have the talent for it, and have the structure for it, to do that. We obviously supplement them with the XDR product suite.

So that removes the conflict that would be created between favoring your own services, if you had those, and the services of your partners?

It’s huge. Many of the partners are very focused on growing their consulting business, their incident response business, their managed security business. We’re fully on board with that. We love that. And we think our platform helps them do that better. So we’ve eliminated some of the friction that they’re starting to see. Many of them are unhappy with some of our other software security folks who are getting more and more into the services space. We’re going in the other direction.

What are the biggest ways that your XDR platform itself is differentiated from competitors?

The core of our XDR is really around that “iron triangle.” It’s about having the platform that works with and in the endpoint. We continue to make great progress, and we’ll be releasing our unified endpoint later this year. We think we’ve got market leadership from an endpoint perspective. Especially when we bring in some of those advanced FireEye capabilities around forensics and threat hunting and guided investigations. That really then integrates nicely with what we’re doing around security operations. So a combination of SIEM and SOAR, really next-generation SecOps. We do that in the cloud. We do that from the basis of a product from the FireEye side, called Helix. But that’s now our XDR engine. That really is the place where we bring together the data from across the set of systems. We’ve got 682 integrations, basically all the major security software players are integrated in our XDR, through APIs, and we’re able to bring in their data. Then obviously we have a core set of our own technologies. But one of our differentiators, unlike some of our competitors, is that our system is completely open. So we’re not proprietary.

We’re also not a cloud provider. We don’t care where you want to [locate] your storage or how you want to go after that. That’s really up to our customers. What we care about is giving you the best abstracted security over the top. I think that’s focused on helping security operations centers do better, higher-fidelity investigations. If you want to simplify it, it’s down to that guided investigation concept. Where the rubber meets the road is in our XDR engine, which we think is a market leader.

And then the final leg of that stool is really around data protection. We think that’s becoming more and more important — what data is ingressing and egressing from your network? How are you managing that? What level of controls do you have? And how does that then play into the security operations data and how you’re interacting with the endpoint? That’s the core of what we do. And then we’re able to plug in our own email — either in the cloud or on-prem — networking, sandboxing, IPS. But we’re also open, so we work with other market leaders in that as well.

So for XDR competitors that maybe have the endpoint detection but don’t have the security operations component, or vice versa, what’s going to be lacking for partners and customers?

I think the struggle is if you’re really thinking about what is XDR — it’s extended detection and response. Well, if you can’t extend it — if all you got is an endpoint, which some folks do — then it’s not XDR, it’s just EDR. A lot of people that are claiming to have XDR, I won’t name them by name, actually only have EDR, because they don’t really have any extension. That’s one part of it. If you think about the other components — [such as] the detection and the response capability — that’s when it really becomes important that you have true, native, cloud-based security operations capabilities. If you don’t have those, it’s pretty hard to say that you’re actually doing detection and response. I think on the data protection side, we just think that’s an important vector that’s being overlooked by a lot of folks today. They’re not actually looking at what’s happening with the data. Where’s it going? Is it going out to the cloud, is it being taken by attackers? We think that’s a very important piece and component of the overall XDR solution. That’s why we think the bedrock of our solution is the most comprehensive [XDR platform]. It’s the most comprehensive in the market, because we don’t see anybody else that has those three legs of the stool.

What are some other areas you’re looking at over the next year, in terms of your product capabilities?

One of the things obviously that everyone’s looking at is the ChatGPT and Bard-type tools, and what is that going to mean in security — both from how are those going to be used against the good guys and our customers, how are they going to enable bad guys to do things better, faster, quicker. And then the same for [defenders]: how can we use those tools to improve what we’re doing? We’ve got a cross-functional team working on that. That’s a big area of focus for us. We think it’s going to be a really critical vector. We think SecOps is a major place for transformation. I think there’s going to be a big replacement of SIEM and an upgrade to much more modern technology — next-gen SecOps or XDR.

How do you see generative AI factoring into what you do?

AI/ML is a big part of what we do, in guided investigation. We’re going to do more with that, with those engines. That’s going to be a critical piece of the puzzle going forward. Because you have to use that to be more efficient. [When it comes to] the shortage of people, I’d love to say we’re going to stop it or make it better. But my 20-year history says, probably not. It’s going to continue to widen. So it’s the combination of people and talent, with technology, specifically with AI and ML.

But generative AI could be very relevant on the SecOps side.

Absolutely. We think there’s just a ton of upside. That’s what we’re looking at it for. We think that, as we start to build that into our XDR platform, that to your point, customers will be using it, and it’ll be generating better and better solutions, guided investigations, whatever it may be. Now, the converse of that is, bad guys will use it, too. It’s no different than some of the other simple use cases you’ve heard — like, what happens when ChatGPT gets used to take tests for kids in college. And then what happens when the professor builds a thing to detect ChatGPT. Security is similar. The bad guys are going to use it and it’s going to make them better, but the good guys are going to use it too. Hopefully like everything else we can stay one step ahead of the bad guys when it comes to generative AI.

Any thoughts about pursuing an IPO in the near future, or is that a ways off?

We’re executing in the business. We’re coming into my sixth quarter since we put the two businesses together. We’re getting through the last phases of the integration over the next quarter or two. Those are progressing on time and in some cases ahead of schedule. So by the summer, from a back office perspective, from a selling / go-to-market perspective, and from a product perspective, we will be “one Trellix.” I think at that point, we start to look at, “How do we continue to accelerate growth? And what’s the right construct, from an ownership perspective?” But that’s not something we have on the immediate radar. We feel really comfortable where we are. Symphony Technology Group is a great set of owners. They’re invested in the business. I have a great relationship with them. So we’re pretty happy with our current structure.

We’ve got work to do. We want to have a big impact on the industry. So at some point, that sounds great, but that’s not in the short term.

Given the economic environment, and the fact that a lot of vendors might be more open to getting acquired, how interested are you in possibly making acquisitions right now?

We’re there. We’re looking. And to your point, there’s a lot of companies that are starting to come on to some hard times. We’ve seen that. There’s venture-backed companies that are no longer being funded. So we are always keeping our eyes out for great technology that would fit in the Trellix portfolio, that would help [with] detection and response, and battling back against the attackers. That’s a lot more likely in the next 12 months than going public. In the cycle right now, we want to be able to continue to grow the company and bring in the best technology. We do think over the next 12 months, there may be some opportunities to pick up some great companies.

What’s your overall message to partners?

The main thing for us is just continuing to make sure that our channel partners know how committed [we are], and that we’re doubling down on the channel — and that under my leadership, the channel is really going to be critical for us. I’ve been out meeting with a lot of our resellers and MSSPs and a wide variety of partners. What I’m telling all of them is, we’ve got a focused strategy. We’re back. And we’ve got the technology to help their customers. I think we’re getting good traction with that. We’re starting to see a number of different partners have more growth with Trellix. I think the biggest opportunity there is that we are very committed to letting them build their services practice around, and on top of, our platform. And we will continue to be committed to that, and to not competing with that, which is critical.