VMware Carbon Black Cloud Reviews

I have been dealing with VMware Carbon Black Cloud and on-prem, as we mainly deployed the agents everywhere, both cloud and on-premises. I am using it for my customer, but I am fully dedicated to just one customer, specifically, I am working for an entity, a DG part of the European Commission, which signed an agreement with VMware Carbon Black Cloud for five years, and every DG, every department needs to deploy it to keep consistent with the security policies.

The features I find most valuable in VMware Carbon Black Cloud are hard to determine since I'm not the person who actively works with the tool. In this case, I can answer a few questions about my experience with my current solution.

The features I find most valuable in VMware Carbon Black Cloud are hard to determine since I'm not the person who actively works with the tool. In this case, I can answer a few questions about my experience with my current solution.

I see room for improvement as I remember some problems on compatibility with some operating systems; I recall we couldn't upgrade because the sensor was not compatible, and the latest VMware Carbon Black Cloud version was not compatible with the latest Red Hat version, so we couldn't actually update since it's a security tool, and it does not allow us to update. When it comes to performance, there is some room for improvement as well for VMware Carbon Black Cloud.

I have been dealing with VMware Carbon Black Cloud for two years.

The customer service experience was rated 3 out of 5.

Neutral

I was not involved in the deployment and to be honest, I'm working with other tools; I could talk about plenty of things, but I don't know the scope of this question, so I don't know to a certain extent should I talk.

Overall, I think VMware Carbon Black Cloud is a good solution, but we are considering to roll out Sysdig. VMware Broadcom Carbon Black and Sysdig are different solutions; VMware Carbon Black Cloud is an EDR, mainly to detect threats and respond.

I am not really looking for a new solution, actually, I was preparing for an interview and wanted to have a comparison between both tools. I have not worked with any of these products before, but we had a training demonstration yesterday with Dynatrace, and I have investigated the Wiz solution better. In terms of experience, it will be my first time with CDR. I am working with something for EDR, specifically, we have an EDR, it's VMware Carbon Black Cloud. They have a hybrid environment, both on-prem and cloud. I would usually recommend this product for big companies, because it's not cheap, so only big companies would I expect to pay for that. The review rating for VMware Carbon Black Cloud is 6 out of 10.

I use the solution for any endpoint in a system, such as a host. The EDR can detect any malicious activity, such as malware, anomalous behavior, or any other possibility of a threat.

VMware Carbon Black Cloud is a user-friendly solution that can isolate machines from the rest of the network. When a machine is quarantined, it cannot communicate with any other machines on the network except for the Carbon Black Cloud server. This allows you to investigate the machine without the risk of malware escaping to the network.

Carbon Black Cloud's server can communicate with the quarantined machine through DNS and VSCP. This allows you to collect data from the machine, such as system logs, process activity, and registry changes. This data can be used to investigate the infection and determine the next steps.

CrowdStrike and Cybereason are also popular EDR solutions. They offer similar features to VMware Carbon Black Cloud but may have different strengths and weaknesses. It is important to evaluate all of your options before choosing an EDR solution.

Additionally, it is complex to use, and the pricing should be improved. 

I have started to use it recently. 

The stability looks alright and reliable. 

A couple of users are using it, but this agent is going to be installed on more than 200 systems. 

They have their own community that you can contact. At the moment, we have a direct contact. We can contact them for pre-sell, or post-sell. But I'm not sure when it gets to the production line, and you face a problem, how and where you need to contact. 

It is not an easy tool to work with. 

The solution is deployed on the cloud. 

They have their own consultants who explain a lot of things up and down. But we are using managed services. 

You need to pay for the licensing of the product. The pricing is costly. 

So far, it has been easy to quarantine a machine if it has been affected by a threat in the network. If you suspect that a machine is infected, you can quarantine it from the network.

Tools themselves are not that different. They may have a few different features, but you have to understand how they are analyzing things. This is the most important part of a tool. The analysis is what makes a tool complex, simple and user-friendly. However, there is a balance between a tool's ability to investigate something thoroughly and its user-friendliness. Thorough investigations obviously require more complexity. Some tools are more simple and eye-catching, but some don’t look very user-friendly, but they are good at deep analysis.

Overall, I would rate the solution a six out of ten. 

Firstly, we use it as part of our Zero Trust networking solution as it acts as a mitigating response for any vulnerabilities with applications or the operating system. Secondly, we use it to track device compliance to check whether things are updated because it collects so much information about devices. Most importantly, we use it for peace of mind knowing that we have a flexible and robust solution for endpoint security.

The best feature is that it collects so much information. Its search functionality on the console works well as far as being able to drill down and find compliance issues. Also, something was executed on a machine or across a bunch of machines and how it relates to those bits of data. In that case, you can look at the whole picture in your environment.

The support team of Carbon Black CB Response needs improvement. At present, they need a lot of information. Then they give you an answer that they already gave you. You tell them it didn't work, and then they take a long time. They then come back with a solution that may need to be more practical. Like, most of the suite I've supported over the years is MacOS. However, I have some Windows experience under my belt management for SCCM. The support from the Windows side is much better. But for Carbon Black, the support will tell you that you need to disable SIP and uninstall the Carbon Black agent.

We've looked at a few other products recently that seem to have a bit more granularity compared to Carbon Black. For example, what sort of network communications am I receiving using Carbon Black to connect catch in the binary running on a machine and the files? Regarding the things that I've received from Carbon Black, I don't get a sense that I could necessarily get good information if someone launched a fake Notepad executable or if it opened a bunch of backdoors and called out to the command control server because it was a piece of malware. I don't think Carbon Black at this current iteration will get me that information in a straightforward and easy-to-search way. So Carbon Black should improve and get more network communications information because it just stopped running out of giving anything.

I have been using Carbon Black CB Response for eight years now.

It's generally a stable solution when you have a client that goes off the reservation, where it's not operating nominally; getting it off that client can be a problem, reinstalled or configured correctly for running again. And so that's problematic. If I can push to a hundred thousand devices, it works great.

But if I can only push it to ninety-nine per cent of those hundred thousand devices, I have to spend a lot of time fixing it.

If we're in a situation where it's not working on this device, we can wipe it. But in that case, the user's already tasked with the work they've been doing on their device. And the wiping is something they want to avoid letting happen.

It is a scalable solution. In my current organization, there are five hundred machines. Still, back when I was at Chicago Public Schools, we were looking at implementing Carbon Black. We had hundreds or thousands of devices in that environment to deal with. So it could handle that kind of scale and traffic because it was one of the finest contenders for what we would implement there. I rate the scalability a ten out of ten.

The initial setup is easy. It is not easy to connect, but once you figure out what setting your clients want to implement, deploy it through Microsoft Intune, AGPM, GenPro, and Workspace One from VMware. Almost all the solutions follow a similar process. You have an agent push out a configuration file. Once it is installed, there is a call back to the server to check in, and that's how you know you installed it correctly and the device is operating nominally.

When I joined, the deployment was already done, but I have done a number of updates, and each update took about a week. I give it two weeks for testing, and then we push that. And within a week, we've got it running on all our machines. Aside from a handful of users, that is difficult as far as having them get their machine online and get it updated.

So it is straightforward when I've had to interact with the console, manage devices there, responding to security incidents. It is nice when you're in a situation where you think someone's device is compromised and that there's some malware getting into your fleet. In that case, if you are trying to solve the problem you're dealing with regarding the security event, then it works great.

I rate the solution a nine out of ten.

We use VMware Carbon Black Cloud for endpoint detection and response.

Threat hunting is the most valuable feature of VMware Carbon Black Cloud.

Technical support for the solution should be improved because there is a scarcity of support teams in the Middle East.

I have been using VMware Carbon Black Cloud for six years.

VMware Carbon Black Cloud is a stable solution.

I rate VMware Carbon Black Cloud an eight out of ten for stability.

We have not faced any issues with the solution’s scalability. The solution can be used by small, medium, and enterprise businesses.

I rate VMware Carbon Black Cloud a nine out of ten for scalability.

The solution's initial setup is smooth. The solution can be seamlessly deployed since the setup depends on using AD DNS. I rate VMware Carbon Black Cloud an eight or nine out of ten for the ease of its initial setup.

VMware Carbon Black Cloud can be deployed in one month. The deployment requires privileged users on AD. A domain-linked desktop will result in a seamless deployment. If it is a workgroup, manual intervention is required to visit the desktops, and the deployment will be a little difficult. If it is in Active Directory, you can use the WMA tool for a seamless deployment, which can be done remotely.

VMware Carbon Black Cloud is an expensive solution. On a scale from one to ten, where one is cheap, and ten is expensive, I rate the solution's pricing an eight out of ten.

Overall, I rate VMware Carbon Black Cloud an eight out of ten.

I use VMware Carbon Black Cloud for endpoint protection, serving as a defense against malware and viruses on client devices.

The most valuable features of VMware Carbon Black Cloud are its lightweight design, ensuring minimal impact on end-users, and its real-time protection.

One area for improvement in VMware Carbon Black Cloud is the maturity of its vulnerability features. Currently, these features aren't robust enough to replace our existing vulnerability management tools.

I have been working with VMware Carbon Black Cloud for three months.

The stability of the solution is a perfect ten out of ten.

I would rate the scalability as an eight out of ten. We have not had any issues with it. At our company, approximately 2,100 clients and 600 servers are currently using VMware Carbon Black Cloud. The usage is 24/7.

I haven't personally dealt with VMware's technical support for this product. Instead, we go through a third-party partner. Whenever there is an issue, we raise a ticket with our partner, and they have VMware support as a backup. So far, we haven't needed to submit any tickets directly to VMware.

Switching to VMware Carbon Black Cloud at our organization has made a big difference. We made the switch from Fortinet to Carbon Black Cloud primarily for detection, stability, and ease of use. We are way better at catching and stopping cyber threats compared to using Fortinet.

I would rate the easiness of the initial setup as an eight out of ten. The initial setup of VMware Carbon Black Cloud was relatively straightforward, especially with the assistance of a partner. It took about two months to deploy it. Our deployment process involved replacing Fortinet, so we aimed to replicate the functionality we had with it in VMware Carbon Black Cloud. We started with a monitoring mode to let the system learn how our devices behave. This way, we could step in if there were any false alarms before fully rolling out the solution. We made sure that things like exclusions, which we had in Fortinet, were also available in Carbon Black Cloud. We deployed it with one person from a third party and three of our team members. For maintenance, we only need one person to monitor what the tool detects and decide if any action is needed. It is not about keeping the tool running all the time but more about checking its results.

We have seen a return on investment from using Carbon Black Cloud and I would rate it as a six out of ten.

I would rate the price of Carbon Black Cloud around a seven out of ten, considering the quality it delivers. While it offers good value, the cost might be a challenge for smaller businesses. There aren't any additional fees beyond the standard licensing fees.

Before choosing Carbon Black Cloud, we evaluated other options, including Microsoft Defender and a different version of the Fortinet environment. We ultimately decided on Carbon Black Cloud because of its seamless integration with our Workspace ONE platform, which is our client management system, and also from VMware. The collaboration between Carbon Black Cloud and Workspace ONE was a significant advantage. Additionally, the third-party support provided for Carbon Black Cloud was a positive aspect. Price-wise, it was comparable to the other options we considered.

My advice to anyone considering implementing Carbon Black Cloud for their environment would be to go for it, especially if you are using a Workspace ONE environment from VMware for client management. The integration between Carbon Black Cloud and Workspace ONE is excellent. Overall, I would rate the solution as an eight out of ten.

I use the solution to do back-end architecture and management for a response. 

The solution is very inexpensive but still provides good process-level management. 

The solution does very well as a baseline EDR, especially between the endpoint and launching scripts or pulling data back. 

There is a back-end Python library for reporting.

The solution can only handle about 500 bans or blocks. You will start having performance issues and lagging for the agent and endpoint if you go beyond 500 blocks. If you need to add additional stuff, you really should move to Carbon Black Defense.

Training is needed to understand the built-in Python library because there is no console access. You need to build the back-end system or understand the server to utilize the Python library scripts for running reports. Otherwise, the library's capabilities are unutilized. 

I have used the solution for years. 

The solution has performance or lagging issues when you try to go beyond 500 blocks. 

The solution is very inexpensive so there is great cost savings to using it. At the end of the year, you can purchase it for $20 and that covers an entire year. Resellers sell it for about $25 to provide a bit of a profit margin. This is a bargain because the solution used to cost $60 per year. 

The solution stopped doing development about two years ago. It was actually supposed to roll into Defense, but that never happened. Part of the reason is because Defense can't be made into an on-premises product. 

The solution still exists because government and other industries do not want to move to cloud-based environments so they need on-premises services for their networks. 

I rate the solution an eight out of ten. 

The education and awareness of customers here in Vietnam for Carbon Black CB Response is not good at the moment. Not a lot of customers know about this solution.

Here in Vietnam, we mostly use Symantec and Trend Micro. I know Carbon Black CB Response is a very good product, but educating customers on why and how to use it, and how to market it, VMware Vietnam has not been doing a very good job, so that area could be improved. Areas for improvement would be training and education for both partner and customer, plus the marketing, particularly how to reach out to the customers.

The customers are not well educated on the product, so once they use it, they don't know what more they can do with it. They don't know that they can integrate Carbon Black CB Response with other VMware solutions or other products.

We've been using Carbon Black CB Response for a very long time, because we have a team handling a product called FPT EagleEye which is big on Carbon Black CB Response here in Asia.

The product is stable.

Our project doesn't handle very big corporations, but we have no problem with scalability. This product runs just fine and is very good.

We don't have any issues with this product's technical support.

Our customers here in Vietnam depend on us for the setup of this solution, so setting it up and managing the setup is okay.

We implemented Carbon Black CB Response for our customers, in-house.

Pricing could be lower for this product.

We are SI (system integrator), so we are not implementing for ourselves, but implementing for our customers. We are familiar with the Workspace ONE or Microsoft EMS which includes Intune and other products for EMS, e.g. Sophos Mobile or ManageEngine. Mostly what we are using is CB Response, because we have a product on Carbon Black CB Response.

I'm rating Carbon Black CB Response a nine for the technical part, but for the pricing, it's a seven for me, so my overall rating is an eight out of ten.

My clients are in a range of verticals, so we have clients in healthcare, education, manufacturing, etc. We provide solutions to anybody who's insightful enough and forethinking enough to understand that cybersecurity is not like insurance. So my use cases are all across the board. But, essentially, my customer base boils down to anyone who doesn't want to get owned by a ransomware attack. My company chooses the best-in-breed technology for tools, then adds cybersecurity management services on top of that.

Probably the most valuable feature of CB Response is its ability to isolate a host and take it off the network, so it's not spreading anything. We have two security operations centers around the globe. When an SOC analyst sees something on an endpoint, they can use Carbon Black Response to isolate that host from the customer's environment and prevent any kind of lateral spread. 

I've been using CB Respons for about two and a half years. 

Overall, it has been absolutely stable. However, there have been some performance issues when deploying on Windows Server, but I believe Carbon Black is working on that.

I'm in sales, but I've watched people deploy the software. It looks pretty straightforward, just a quick installer. Most of my customers have one or two folks who ensure that it's deployed correctly in their environment.

I rate Carbon Black CB Respons nine out of 10. I don't have much to say about it because endpoint detection and response tools are pretty much a commodity nowadays. There are so many good tools out there. What matters is the ability to manage those tools and utilize them in a threat-hunting mode.

We use Carbon Black for detection and response. So we receive alerts from Carbon Black if it detects any malicious activity. We also use it to quarantine any devices that we may need to isolate due to the security risk that it presents.  

What we mainly find valuable in the product is exactly what our use case is. We use Carbon Black for the intrusion alerts and quarantine. Those would be our favorite features.  

If Carbon Black could improve in the area or reducing the number of false positives or if there was a better way to filter out false positives that would enhance efficiency and utility. But in general, I think we are happy with the performance of Carbon Black.  

It would be nice to be able to consolidate all of our tools. We have Imperva for database monitoring, we have Red Cloak, we have Carbon Black, and we have Trend Micro. So when you end up installing multiple different tools that do various different things and they each come with their own agents that need to be on all the endpoints, it takes a toll on the utilization. One of the issues that we tend to encounter — especially when we have all these tools on all the endpoints — the number of agents can affect the performance of desktops and servers. So we get those issues from time to time because there are many agents on the endpoints. So it might be nice to either have a lighter-weight agent or an agent that encompasses multiple functions and different purposes for better integration so we do not have to install various tools.  

I have been using the product since March 2019, so for almost a year now.  

It was a little bit unstable at the beginning, but that was probably because we were getting a lot of false positives. The false positives were probably because of baselining. Baselining takes a little bit of time. Once it was baselined, things got better and we have not really encountered many issues over the last couple of months. So it stabilized maybe two to three months in.  

Once we had the SCCM set up properly, we were able to scale up easily. With the policies set up and images corrected, it became relatively easy for us to scale.  

I personally have not been in contact with the Carbon Black technical support team. Our information security team has worked more closely with them. I would not be able to provide feedback on their support first hand, but I have also not heard anything negative.  

Security-wise, we are using a few different security tools for different purposes. We use Red Cloak which we deployed at the same time as Carbon Black. We tested and are using Trend Micro Tripwire and we are using Imperva as well. Red Cloak is very similar to Carbon Black.  

Deployment was a little bit difficult, but that was mainly because of the way our infrastructure was set up at the time we went to set up Carbon Black about a year ago. We did not have a tool that was mapped to all of our IP assets that we could deploy Carbon Black to automatically. That would have greatly simplified the setup. That is mainly the reason it took some additional time. It was not necessarily an issue with Carbon Black, it was a problem with the setup of our own environment. Sometimes we did have other issues with the agent communicating with Carbon Black when the agent was deployed. We had to uninstall the agents and then reinstall them or we would have to essentially troubleshoot what the reason for the lapse in communication was.  

We were able to deploy it by ourselves without the help of an integrator or some specialist. We eventually did the deployment using SCCM (System Center Configuration Manager). Originally, we began by trying to deploy it manually and that is probably why it took so long. Once we had the SCCM agents deployed on all of our endpoints, then it was a lot easier for us to deploy Carbon Black in bulk.  

I do not think I have a lot of advice for people who are considering implementing the product at this point because most of our experience with the product has been relatively straightforward. I would just suggest that you have your white list set up before deploying if you are using automatic quarantine. Otherwise, it can cause issues in your operating environment. This is especially important if you are a sensitive location like a bank. In that case, automatic quarantine could be a big issue.  

On a scale from one to ten where one is the worst and ten is the best, I would rate Carbon Black CB Response as between an eight or nine. For our use case, I would say it is an eight.  

Our primary use case is to detect any abnormal activity happening on the endpoint. Carbon Black Response works like CCTV which monitors every activity and every single process running on the operating system. We use it on Windows, Linux, and Mac. Once there is an abnormal action, there is a notification that is sent to the administrator.

The administrator will open up the GUI, the console for the Carbon Black Response, and start doing his investigation to get to the root cause for the issue if there is one.

The most valuable feature is its ability to seek out abnormal activity and to create alerts.

The first thing they can do is make it more available. It's not highly available, so you have to have a core server. If the primary server goes down, you need a new one. It's not available at the same time, however. It's not automatically swapped from one server to another.

The second thing is that they need to have a multi-tenancy feature, especially for the MSSP model. We wanted to have this solution in our stock so we could create a different tenant or one tenant per customer.

They also have to have a bigger number of watch lists pre-configured already. They should add file integrity monitoring as well. One of the major things that attackers will try to do to is to modify files.

Stability is good because it's running on top of Linux based operating system which makes it very stable.

The solution is very scalable.

I would rate technical support as 4.5 out of five.

The setup and implementation of the solution were easy.

We are using both on-premises and cloud deployment models.

I would rate the solution eight out of ten. Carbon Black is a very good product, but you still have to work on it from the perspective of MLA analyzing and installation. You have to fine-tune it to create a watch list and so on. These are the main things that they need to work on in order to improve the EDR services on their product.