2025

How Trellix Saved 35% on COGS by Migrating to Amazon OpenSearch Service

Learn how cybersecurity company Trellix migrated from a self-managed tool to Amazon OpenSearch Service and freed up its DevOps team to innovate.

Benefits

40% improvement in indexing performance
90% reduction in operational indexing issues
35% COGS savings as of Q3 2024
9-minute disaster recovery time

Overview

Cybersecurity company Trellix wanted to reduce the operational costs and increase the operational efficiency of its search solution. The company was using Amazon Web Services (AWS) and migrated its self-managed Elasticsearch workloads to the AWS-managed Amazon OpenSearch Service, which securely unlocks near real-time search, monitoring, and analysis of business and operational data. Trellix saved 35 percent on cost of goods sold (COGS) as of Q3 2024 and increased data processing by 40 percent, improving performance, scalability, and availability and freeing up its DevOps team to focus on innovation.


About Trellix

Cybersecurity company Trellix was founded in 2022 after a merger between security companies McAfee and FireEye. Its AI-powered platform and security solutions provide protection and resilience against advanced threats to more than 40,000 customers worldwide.

Opportunity | Using Amazon OpenSearch Service to Enhance Operational Efficiency for Trellix

Trellix, founded in 2022 after a merger between security companies McAfee and FireEye, provides cybersecurity solutions to over 40,000 customers worldwide.

The company offers security monitoring solutions, one of which helps customers monitor and search security events and activities. It ingests and stores billions of daily customer logs and processes the data, making it searchable using a web interface. Trellix was using self-managed Elasticsearch clusters on Amazon Elastic Compute Cloud (Amazon EC2), which provides secure and resizable compute capacity for virtually any workload. But data storage costs were increasing, and managing the clusters was time-consuming for the small engineering team. The company needed a more cost-effective solution that would reduce operational overhead.

After evaluating several solutions, the Trellix team determined that the capabilities of Amazon OpenSearch Service best matched the company’s needs. After completing a successful proof of concept in March 2024, Trellix green-lit the migration.

Before the migration began, Trellix worked alongside AWS to enhance the OpenSearch Ingestion (OSI) pipeline, rendering it even better suited to the varied data types and dynamic ingestion patterns of Trellix customers. “We collaborated with the AWS engineering team over 6 months to architect Amazon OpenSearch Service domains and OSI pipelines to meet our complex requirements,” says Leeneksh Dubey, senior DevOps engineer at Trellix. The Trellix team worked closely alongside the AWS teams to simplify the migration process and improve its efficiency.

The Trellix team first deployed, tested, and integrated Amazon OpenSearch Service in its staging environment. It began using the new service in March 2024, at that stage in parallel with its existing setup. The migration was completed in August 2024 with no downtime and minimal impact on the end customer experience.

Solution | Saving 35 Percent on COGS and Increasing Data-Processing Volume by 40 Percent

The new solution (see figure 1) ingests data from customers’ systems and stores it in Amazon Simple Storage Service (Amazon S3)—object storage built to retrieve any amount of data from anywhere. Trellix processes that data and then uses Amazon Simple Notification Service (Amazon SNS)—a fully managed Pub/Sub service for A2A and A2P messaging—to send it to Amazon Simple Queue Service (Amazon SQS), which provides fully managed message queuing for microservices, distributed systems, and serverless applications. Amazon SQS then sends the data to an OSI pipeline. Customers can use a web interface to search their indexed data for auditing, filtering, malware detection, or other purposes.

The migration led Trellix to save 35 percent on COGS as of Q3 2024. It also reduced operational costs by using UltraWarm and “hot” storage in Amazon OpenSearch Service. Most customers need to quickly retrieve recent data (data that is 24–48 hours old), so Trellix stores such data in hot storage, which provides the fastest possible performance for indexing and searching data. Data that users do not actively write to, that they query less frequently, and that does not need the same performance is stored in the more cost-effective UltraWarm nodes.

Performance improvements were another benefit: Data processing increased by 40 percent. “We have improved ingestion performance and can now ingest all types of data seamlessly,” says Jagadeesh Kodavati, senior DevOps engineer at Trellix. Scaling is faster too: it now takes about 15 minutes, whereas it previously took 45–90 minutes. At the click of a button, Trellix can scale up for sudden spikes in customer data ingestion, or scale down if, for instance, customers send relatively low data volumes for a prolonged period.

Trellix has high availability on Amazon OpenSearch Service. The service reacted quickly in a disaster recovery test: Nodes were taken down but were back up in 9 minutes without data loss, which exceeded the team’s expectations. Trellix also uses OR1 instances to store an additional backup of its customer data to enhance availability in case of hardware or node failure. OR1 instances are cost-effective and are designed for indexing-heavy workloads like log and security analytics.

The fully managed service, including the OSI pipeline that replaced Trellix’s self-managed ingestion pipeline, reduced maintenance and freed up engineering time. The system has hardly any production issues, and infrastructure management decreased from 8–10 hours a week to 30–60 minutes. “Our DevOps team now focuses on several new initiatives rather than being stuck with managing infrastructure,” says Leeneksh Dubey. “Amazon OpenSearch Service works seamlessly based on the policies and automations we’ve deployed with it, without us actively needing to maintain it.”

Monitoring improved as well, with some help from other AWS services. Trellix uses Amazon CloudWatch, a service for observing and monitoring resources and applications on AWS, along with Amazon Managed Grafana, which provides scalable and secure data visualization for operational metrics, logs, and traces. “Integrating other AWS services with Amazon OpenSearch Service is simple, especially in monitoring and creating our own alerts,” says Kodavati.

Outcome | Providing a Fast, Reliable, Efficient Solution to Customers

Trellix’s customers are satisfied with the fast data ingestion in the new system. “We’ve had no indexing issues since we migrated,” says Kodavati. “Customers feel secure that their data is being indexed in near real time.” Indexing performance improved by 40 percent, and there was a 90 percent reduction in operational indexing issues.

With more efficient infrastructure, the DevOps team can work on building new features and exploring generative artificial intelligence (AI) use cases to add customer value. One of these is Trellix Wise, a generative AI tool that helps analysts delve deeper into security incidents and determine follow-up action. Trellix Wise uses data stored in Amazon OpenSearch Service along with Amazon Bedrock, the easiest way to build and scale generative AI applications with foundation models. Trellix has also begun using Amazon Nova Foundation Models—which deliver frontier intelligence and industry-leading price performance—to lower costs and speed up delivery for Trellix Wise. “By migrating to Amazon OpenSearch Service, we have opened many more doors for the future,” says Leeneksh Dubey.

Figure 1. Trellix’s solution using Amazon OpenSearch Service

