Nikunj Kamboj - PeerSpot reviewer
Cybersecurity Analyst at OnX Canada
MSP
Top 10
Integrates well with our existing SIEM tool and helps in identifying suspicious activities
Pros and Cons
  • "VMware Carbon Black Endpoint is a highly stable solution."
  • "Performing a malware scan usually takes a lot of time, more than 24 hours."

What is our primary use case?

VMware Carbon Black Endpoint is a log system for one of the clients, and that's the main source where we get logs for their endpoints.

What is most valuable?

VMware Carbon Black Endpoint is a highly stable solution.

What needs improvement?

Performing a malware scan usually takes a lot of time, more than 24 hours.

For how long have I used the solution?

I have been using VMware Carbon Black Endpoint for two months.

Buyer's Guide
VMware Carbon Black Endpoint
April 2025
Learn what your peers think about VMware Carbon Black Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
851,604 professionals have used our research since 2012.

What do I think about the stability of the solution?

I haven’t faced any issues with the solution’s stability.

I rate the solution ten out of ten for stability.

What do I think about the scalability of the solution?

Around 500 users are using VMware Carbon Black Endpoint in our organization.

I rate the solution ten out of ten for scalability.

What other advice do I have?

The solution's integration with our existing security infrastructure is good. Whenever we have any alert in VMware Carbon Black Endpoint, we can easily see that alert in our SIEM tool and check logs from the SIEM tool itself. VMware Carbon Black Endpoint is just a secondary security tool for us, and we are just monitoring the alerts from it.

The solution's behavioral analytics feature helps in identifying suspicious activities pretty well. Whenever we have even a small thing, we get an alert. The solution is deployed on the cloud in our organization.

Performance-wise, the solution is doing great in terms of connecting to the host directly. Performing a malware scan usually takes a lot of time, more than 24 hours. A malware scan is something that we do only on Carbon Black for the old endpoint devices and servers. It used to take sometimes three days to perform. I would recommend the solution to other users.

Overall, I rate the solution an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Cyber Security and Compliance Consultant at Caretower
Reseller
The product has limited capability to integrate with other tools, though it is stable and provides competitive pricing
Pros and Cons
  • "The tool is pretty stable."
  • "Carbon Black has limited capability to integrate with Rapid7."

What is our primary use case?

Our customers use the product for extended visibility and integrations with various solutions they have. They use it for consolidation and advancing their current measures. They also look to reduce costs. If a customer is a VMware client, they may go for Carbon Black to keep it all under one hat.

What is most valuable?

The tool is pretty stable.

What needs improvement?

The product must improve its integration. One of my clients wants to move away from Carbon Black because it doesn't integrate well with their SIEM service. They use Rapid7. Carbon Black has limited capability to integrate with Rapid7. It is something the solution must work on.

For how long have I used the solution?

I have been selling the solution for 20 years.

What do I think about the stability of the solution?

I rate the stability a nine out of ten.

What do I think about the scalability of the solution?

I rate the tool’s scalability a three out of ten. My clients have more than 500 users.

How was the initial setup?

The initial setup was pretty easy. Overall, I rate the product a ten out of ten. Our customers have the solution deployed on-premise and on the cloud.

What's my experience with pricing, setup cost, and licensing?

Carbon Black provides competitive pricing. I rate the pricing a five out of ten.

What other advice do I have?

Our clients know what they want. Most customers are educated about the products they need. When they request a demo, I organize it with the vendor. I would never recommend the solution. It does the job, but I do not make any money. Overall, I rate the product a five out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
KarthikR1 - PeerSpot reviewer
Consultant at NCR Corporation
Real User
Top 20
Advanced threat detection but compatibility issues with some operating systems
Pros and Cons
  • "It uses machine learning and behavioral analytics for advanced threat detection and response."
  • "Sensor deployment requires extensive fine-tuning, and creating deployment packages is time-consuming."

What is our primary use case?

Our primary use case is for protection and as an EDR solution. Moreover, it has all the same features as the other vendors, but what sets it apart is its very good coverage on the VMware side since it's a VMware product. 

What is most valuable?

When it comes to the pros of Carbon Black CB Defense, it produces a lot of events as per the MITRE ATT&CK framework, which is good. It provides continuous monitoring and threat detection on endpoints and responds to security incidents. It uses machine learning and behavioral analytics to detect and respond to advanced threats.

What needs improvement?

The compatibility of Carbon Black CB Defense with operating systems is the only issue. Certain OS are not supported, resulting in an inability to install PDC. The deployment of sensors requires extensive fine-tuning, which should be a simple process. To streamline this process, they should create deployment packages with customized options based on policies and other factors. Creating these packages ourselves is time-consuming, which can impede our productivity. There is also a bypass issue that needs to be considered.

Improvements are needed to address the compatibility issues between operating systems and Carbon Black CB Defense. Sometimes, the sensor enters a block state for unknown reasons. To prevent this, it would be helpful if they added a feature to ensure that it does not cause any problems. Additionally, there are issues with collecting events from machines due to sensor problems. We are working with Gateway to connect to all PCI or DMZ environments, and it would be beneficial to have a simpler configuration at the architecture levels.

In reality, the deployment process is more complicated. We must add a script to customize the deployment process and deploy it on Mission C. Afterward, we install the sensor, which requires a company code, policy name, and other essential details. Furthermore, we are experiencing other issues, such as VMs pausing applications due to CBC. Troubleshooting these problems is time-consuming, and we usually must report the problem to the vendor, whose analysis can take an hour or longer. By that time, critical business functions may have already been impacted.

Container protection is still in the initial stage, where they have integration in the market, but there's a lot of room for improvement, and there are a lot of changes required.

For how long have I used the solution?

I have been using this solution for more than a year.

What do I think about the stability of the solution?

In terms of stability, since it is hosted on the AWS side, which is Carbon Black Cloud, if something goes down, we may have to do a lot of patching and monitoring. However, we usually receive updates and educate the users on changes in the background. Proper training should be provided to the users so that they are prepared for any changes happening in the background from the AWS website.

Overall, I would rate the stability a seven out of ten because sometimes the communication breaks down, but they are working to resolve the issue, and many teams are involved. However, we don't have much visibility into their efforts, which need improvement. It should be crystal clear what is happening in the backend, and the administrators should communicate this clearly so that we can work accordingly and meet the requirements.

What do I think about the scalability of the solution?

In terms of reliability, it is a good product. I would rate it an eight out of ten. 

How are customer service and support?

Technical support is very good. They are very interactive. But the problem is the engineering team's workaround is very slow. We have raised a lot of feature requests, and they are still open for a year. But in terms of support, we are getting responses and everything. It's just that finding the correct solution to the issues is lacking time. There's room for improvement in terms of the engineering team's workaround. 

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup is a straightforward process. I would rate it a seven out of ten because there should be some customized policy. Moreover, we need a tool for pre-checks, for example, to check Windows operating system compatibility and internet connectivity to connect to the backend. Carbon Black CB Defense should provide a pre-checklist for successful sensor installation. We are spending a lot of time finding out the exact cause of issues, whether it's a personal issue, an external issue, or something related. It would be helpful if they could provide tools to analyze those issues. They should give us the details, like, these are the things that are recommended to be checked before installing the console.

What about the implementation team?

The deployment process for multiple machines is a bit challenging. We have seen a lot of CBC services or versions being released. For example, if we deploy it today, within two or three months by the time of completion of the application, the newer version might come out. It's very hard to adjust with time. We have to push the upgrade again within a short time. There are many challenges with the application; sometimes, it fails, and we don't know why it's failing due to a lock or backend issue.

Moreover, the number of people required during deployment also depends on the environment. Because each environment has a different configuration setup and process policy that we have to go through before we do the deployment activities. It's hard to tell the exact timeline, but it takes a lot of effort with different policies for each environment.

Which other solutions did I evaluate?

Hana has experience with NCL, but I have worked with other organizations using NCL and have experience with Carbon Black. Previously, I worked with CrowdStrike, Sentinel, and Windows Defender. These are leaders in the market, including a native product for Microsoft. When we talk about those solutions, they offer good support and features and compatibility with different machines, providing us with a comprehensive solution. For example, we have Linux, some Oracle Linux servers, and some EL product versions that are currently not supported by Carbon Black. However, CrowdStrike or other solutions still support all legacy OS. We chose a solution that covers 100% of the machines we have, whether it's Windows or Linux. In some places, CBC doesn't support all of our OS, but they should provide a solution for that as well.

What other advice do I have?

If the solution can address all the problems we have raised, then I think it would be a good recommendation. In NCR, we have had a very good experience with Carbon Black. Moreover, in our company, Carbon Black offers excellent support. Workaround time and issues with version control have to be put in place. Even the version release sensor can cause frustration because by the time we reach one version, two or three versions might have been released. Sometimes they even remove some of the features. So, it is better to test the version first before using it for the rest of the measures.

Overall, I would rate it a seven out of ten. 

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer:
Abbasi Poonawala - PeerSpot reviewer
Chief Enterprise Architect at a financial services firm with 10,001+ employees
Real User
Top 5
Leaderboard
Monitoring Carbon Black Agents with Forescout Extended Module for CB.
Pros and Cons
  • "Technical support is excellent."
  • "In the next release, it would help if we can get better control over containers."

What is our primary use case?

We use Carbon Black agents that are monitored by the Forescout Extended Module for CB. It will check that CB Agents are deployed and are in a running state to secure containers across the VMware environment.

The dashboard shows the security analyst who looks at the reports of the threats around policies monitoring Carbon Black agents. The discovery happens in Carbon Black, and as part of the discovery, it will monitor multiple Carbon Black agents. Deployment is on hybrid cloud VM cloud on AWS.

What is most valuable?

Technical support is excellent. It's also stable, scalable, and easy to implement.

What needs improvement?

In the next release, it would help if we can get better control over containers. This will help secure the containers in multiple environments. For example, we need to secure the Kubernetes containers. Apart from the admin user logging in to see container processes running, developers and operate team users should also be seeing the container's processes running.

For how long have I used the solution?

I have been using Carbon Black CB Defense for the past year.

What do I think about the stability of the solution?

Carbon Black CB Defense is a stable product.

What do I think about the scalability of the solution?

Carbon Black CB Defense is a scalable product.

How are customer service and technical support?

We have extended support from the IT technical team and the engineering team from VMware. Their support is excellent. I don't see any issue with technical support.

How was the initial setup?

The initial setup and installation are straightforward. Typically it takes just two days to set up Carbon Black agents for the post cloud. A team of about 15 technical people deployed this solution.

What about the implementation team?

There is a very big team from VMware, including VMware support, who implemented this solution. 

What's my experience with pricing, setup cost, and licensing?

The licensing costs depend on how many policies you have on the extended module for CB. We pay between $5,000 and $7,000 for a license for the Carbon Black monitoring agents.

What other advice do I have?

On a scale from one to ten, I would give Carbon Black CB Defense a seven.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Founder/CEO at KRISTICH SECURITY SERVICES LLC
Consultant
Symantec opened our eyes to be able to see what's out there, but then we needed Carbon Black to be able to actively fix it
Pros and Cons
  • "The biggest feature out of Carbon Black is its ability to dive in with more depth. You can look at the entire kill chain and understand, not only if an alarm or identified incident is truly a true security issue versus a false positive, and it allows us to backtrack and figure out why it actually happened and how it got into the environment."
  • "Carbon Black needs to do a better job of proving their platform in the industry, and providing a bit more access to do industry testing with real world examples to help prove their platform."

What is our primary use case?

We are a partner in the managed security service provider (MSSP) space. We service hundreds of customers globally. We implement these solutions on behalf of our customers. 

With Carbon Black, we've been using them for about six years. We're an MSSP and channel partner with them, as well as an incident response partner. We were like the second incident response company registered with them (through that program) to start using the cb Defense platform. We also integrate it with SIEM. However, we're using it in a managed service capacity. We usually implement it, then manage the platform for our clients long-term. It's used for traditional antivirus, real-time threat protection and prevention, and it also provides us with the ability to do more in-depth investigations into endpoints. With the product, we can do a bit of threat hunting along with managed detection and response. The platform works quite well using it in this capacity.

With Symantec, we have been using it for about six years. We integrate it with our SIEM products. We have a lot of customers who actually run it, so we see it quite often. We collect a lot of data from Symantec and help with responding to anything that Symantec finds. We've had a chance to use the product quite a lot.

What is most valuable?

The biggest feature out of Carbon Black is its ability to dive in with more depth. You can look at the entire kill chain and understand, not only if an alarm or identified incident is truly a true security issue versus a false positive, and it allows us to backtrack and figure out why it actually happened and how it got into the environment. It also helps us determine what other things may have been impacted along with it, from an asset standpoint. It allows us to go into more depth than a more traditional antivirus, like Symantec.

Symantec is more of a traditional antivirus. A lot of it is signature-based. It works quite well for normal protection. It is pretty stable and consistent. It seems to work across the board. There are no real issues to speak of, which is definitely a positive thing. One of the more beneficial things is that it does include the active endpoint firewall with it, which allows your endpoints to have a bit more above the standard Windows firewall, then collect all the logs from that. This is a good feature from their firewall piece. Also, the logging out of Symantec is quite good, as you put a lot of great logs into a SIEM or any other log collector from the platform.

The difference between the two products is the level of visibility and depth that you get when investigating alarms or issues. You can go a bit deeper with Carbon Black. Symantec does have an additional add-on, which we have not seen since it is a relatively new component. They call it Advanced Threat Protection. It uses the same endpoint, but has a separate license with additional costs, which is meant to allow you to go a little deeper in terms of endpoint and incident investigations. However, it doesn't provide the interactive drill down, prevention, and response capabilities that you need to be able to isolate a system, delete files, or actively kill processes which have been helpful with Carbon Black.

What needs improvement?

Symantec needs more investigative features out-of-the-box. Though, they are using the Advanced Threat Protection add-on to correct some of this. It is also not quite as feature-rich as some of the more advanced MDR platforms out there.

Carbon Black needs to do a better job of proving their platform in the industry, and providing a bit more access to do industry testing with real world examples to help prove their platform. In addition, they have been actively porting over a lot of features from some of their other products, and they should continue to expand on that. Going forward, this will be extremely helpful.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

We've been quite happy with the stability of Carbon Black. 

Symantec has a much longer history of having a good, proven, stable platform. That is the big difference. 

I can't really speak to any particular issues that we've had with one versus the other. They both seem pretty good.

What do I think about the scalability of the solution?

The scalability is about the same between Carbon Black and Symantec. I don't know that we've actually tried to use them in an environment that was large enough to cause us any sort of issues, or even thought twice about scalability. Both of these products work quite well in extremely large environments.

One thing to consider with Carbon Black is you do have much more data. You can define many more policies that are more specific to groups. The management of that becomes more difficult as the environment gets larger. I don't think that necessarily is the case with Symantec. It might end up being a bit more time consuming to manage Carbon Black as it gets larger. In terms of these products' capabilities and the ability to support large environments all the way down to small ones, I don't think it matters.

How are customer service and technical support?

Carbon Black has a great community portal which has all sorts of documentation where you have the ability to ask questions and people answer it quite well. There is a lot of material there with access to content, which assists with the learning and troubleshooting.

Which solution did I use previously and why did I switch?

Because of the limitations that Symantec provided, and the fact that we were seeing data that was extremely helpful from the Symantec logs, yet it didn't provide us a way to investigate it further or respond to it. This led us down a path of looking for a platform like Carbon Black, which has allowed us to handle the data without having to add additional products. This opened our eyes to be able to see what's out there, but then we needed something to be able to actively fix it, as well.

How was the initial setup?

Symantec is a more traditional platform where you set it up and install it. If you're using a cloud platform, then you obtain access to the system. You need to define all the exceptions that you know need to be implemented based on the applications that you are running. Then, you deploy your endpoints, which should pull down the policies with the approved exceptions. Then, you work through any issues. 

With Carbon Black, you have to go through a longer period of monitoring what exists in the environments. We deploy the agents in a monitoring type only mode, which can exist alongside another antivirus product, like Symantec.

You could technically have Symantec installed in normal mode, then Carbon Black in monitoring mode right next to it. We let that run for a period of time to gather information about what is running in the environment actively to help identify the types of things that we'll have to build policies around. The policies can be pretty in-depth, so it can take quite a long time to actually build them, if you want to be extremely careful about not creating any false negatives in the environment. 

It can take quite a bit longer to implement Carbon Black properly. It takes one to two days to implement Symantec. Though, I don't know for certain, because we don't implement it. For Carbon Black, we typically look at three to eight days of active work over a period of a couple of months to get it implemented, working properly, and tuned up correctly.

What's my experience with pricing, setup cost, and licensing?

The licensing costs are comparable between the two products. If you're purchasing the product, they're both typically a traditional license model with an annual type fee or multiyear. The fees are the cost of the professional services to get the system up and running. It depends on the size of the environment. The size and complexity are what it really comes down to. It will be relatively consistent with whether it was MSSP versus a direct purchase.

Carbon Black might be a touch more expensive. They tend to get a premium for their capabilities. They're sort of an industry leader in a lot of areas with the functionality that they provide. 

Symantec gets a bit more aggressive with their pricing, and with their discounts as well. They do have a much larger customer base because they've been around so long.

As an MSSP, we do provide the entire platform on a monthly fee, which a lot of people do like, because that rolls the licensing and all of the management into the cost of the system on a per endpoint basis, paying for the initial costs to get up and running. Even if it's a three to five year implementation, it will be a fixed monthly cost, assuming the number of endpoints doesn't change. That's one good thing about the Carbon Black MSSP program that we have access to is that flexibility with the monthly billing. With very large implementations, this could be a significant difference in spend over three years versus having to do one extremely large capital purchase.

What other advice do I have?

Symantec aligns with a more traditional antivirus that a lot of people are just more familiar with. It has traditional signature sets, exceptions, and policies. When you're talking medium sized implementations, where it's several hundred or a couple thousand endpoints, it's pretty straightforward. 

The learning curve with Carbon Black is considerably more extensive. You have considerably more ability in the platform to do investigations and custom policies, as it can do more in-depth searches and queries about what's actually going on at an endpoint level, which you don't have with Symantec. You really have to understand exactly what you're trying to accomplish. The product itself works quite well. It's pretty intuitive, but there is so much more data and capabilities at your fingertips. It definitely takes more time to learn it.

If you are evaluating these products: Evaluate what your enterprise looks like and what your current security controls are. Understand what exists, what needs to be protected, and what other tools there are in the organization. This makes a big difference in the decision-making process. For example, Carbon Black is 100 percent cloud-based. There is no on-premise option. If you have requirements for systems that can't access the internet, whether it be classified environments or otherwise, it's more difficult to get as much value out of a system which is only cloud-based if you have air gaps. A more traditional on-premise solution might work better, like Symantec, in this scenario. However, if you have a largely mobile workforce with a lot of high risk employees who travel, having cloud-based works perfectly for that sort of environment, as you're getting data with the ability to access and respond to issues regardless of where systems are, as long as they're online.

However, if EDR tools already exist in an environment, you might not need a full in-depth product, like Carbon Black, where a more traditional antivirus coupled with another EDR product might get you the capabilities that you need. Albeit, it would require multiple products to cover the environment.

I would rate Carbon Black as a nine out of ten, because it provides industry leading features, which give us the ability to do the investigations that we need to. It just makes an enormous difference.

I would rate Symantec as a seven out of ten. It works quite well. It is a feature-rich, stable, more traditional product.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PeerSpot user
Executive Business Analyst & Advisor at a financial services firm with 10,001+ employees
Real User
The most valuable feature is the time-lining capability for any breach activity. It actually does some heuristics, and some behavioral analysis.
Pros and Cons
  • "It actually does some heuristics, and some behavioral analysis."
  • "The most valuable asset is the time-lining capability for any breach activity."
  • "This product has the capability of uploading scripts to the tool and this is a very comprehensive feature."
  • "The tech support communicates, but it's just not with movement."
  • "I would personally give the tech support a rating of seven out of ten."

What is our primary use case?

We use it for endpoint visibility and endpoint detection and response. It is our central mechanism for the cyber defense or endpoint detection, response and visibility.

How has it helped my organization?

We've integrated it with Splunk, with ThreatConnect, and a couple of others. It has a lot of modules for integration that has streamlined our ability to respond and decrease the amount of time for response, but also allowing us not to have to pivot to so many tools where we can actually work from more of a single pane of glass perspective.

What is most valuable?

I think something that is the most valuable is the time-lining capability for any breach activity. It gives us the ability for us to actively threat hunt. This is not something where it's a passive response tool where we watch things happen. In contrast, it actually does some heuristics, and some behavioral analysis, and we're able to do some prevention with it as well. I think that's really the strongest attribute, and it makes this a more aggressive tool than others.

What needs improvement?

In some areas, one of the big issues for me is responsiveness to issues that arise with the solution. There are some components that leave a bit to be desired and/or that are bugs, or that even if it's a feature update request. These kinds of things are not the fastest company to respond to those. We did have a bug that has been persistent for what is now going on two months, and it hasn't been fixed. That is one of the drawbacks. This is really impacting what we need to do with it. But, the bigger issue is the organizational responsiveness to clients.

In addition, I think there should be a cloud gateway. It needs to move into a transitory space between our On-Premise and external where it does not have to be in two separate instances. It should marry the two. Also, it would be good to have them working in the containerization space, as well. To have a mechanism for securing cloud modules a bit better. This would be ideal. It would help encompass more of the broad range security so we do not have to couple this with other outside solutions.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

 It implements and integrates very well with other security tools, cybersecurity tools.

How is customer service and technical support?

The tech support communicates, but it's just not with movement. They are responsive, yet there is no quick motion often in regards to resolving the issue. I would personally give the tech support a rating of seven out of ten. 

How was the initial setup?

The setup really depends on a few crucial elements. It depends on where we are, what region, what country we're in, and what PIA rules they have in place. For the most part, it is a fairly straightforward setup. I will say in the initial setup, Carbon Black was very responsive. They were really good at providing the assistance and the support we needed to get it set up, but it was not an extremely hard task.

What was our ROI?

It has the ability for you to upload the scripts or anything you want to run anywhere. The capabilities of this tool are almost limitless. That is why Carbon Black is a leader. You can run whatever script you want by uploading it to the tool. This is a very, very comprehensive feature.

Which other solutions did I evaluate?

We also looked at Rsam and ESET. We've used a multitude. So yes, we have.

What other advice do I have?

  • Make sure that your firewall ports are open and really test communication back to their server.
  • Make sure you don't have anything else that may be impeding it. 
  • If you are dealing with any PIA countries or GSA (also known as TAA) countries, make sure you're working through their work councils.
  • Make sure you look at a holistic perspective and have a plan in place on how to use this tool.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Durai Singh - PeerSpot reviewer
Business Owner at ARARAT TECHNOLOGIES
Reseller
Top 5
The solution is expensive, support is poor, and it takes time to understand the product
Pros and Cons
  • "Carbon Black has very good market strategies."
  • "The support is poor."

What is most valuable?

Customers want solutions that provide endpoint detection and response. The traditional antivirus solutions and the market trend are changing. Customers are asking for the latest technologies. Carbon Black has very good market strategies. We do the marketing activities and promote the product to the customers.

What needs improvement?

Getting the right technical support is a challenge.

For how long have I used the solution?

I have been using the solution for four years.

How are customer service and support?

The support is poor.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

I have worked with traditional antivirus solutions like Symantec, McAfee, Trend Micro, Kaspersky, Sophos, and F-Secure. Broadcom acquired Symantec, and Trellix acquired McAfee. The market is disturbed as other solutions are acquiring the traditional leaders. Getting support is becoming a challenge.

Carbon Black provides endpoint detection and response. CrowdStrike provides vulnerability assessment and application testing features. It gives additional threat prevention to the customer. So, I prefer CrowdStrike over Carbon Black. Carbon Black and CrowdStrike provide very good market strategies.

How was the initial setup?

Customers have to understand the product and implement it. It takes time to understand the product. The implementation takes around 12 months.

What's my experience with pricing, setup cost, and licensing?

The pricing is very high. There are no discounts, and there is minimal margin.

What other advice do I have?

We conduct market and customer events for the solution. We help customers understand the product. Customers need monitoring software with a bundle of features, including DLP, signature lists, and sandboxing technologies. When these features can be merged within a single product, it will become a complete product. Overall, I rate the solution a two out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Threat and Vulnerability Engineer at Horizon Blue Cross Blue Shield of New Jersey
Real User
Has simplified management, has a nice UI, and it's very simple but EDR needs improvement
Pros and Cons
  • "What I like the most about it is the dynamic grouping, where you get to group endpoints based on setup criteria. That's pretty cool. I like the simplified policy management and simplified white-listing process."
  • "The EDR portion could be better. I'm not a big fan, but it works."

What is most valuable?

What I like the most about it is the dynamic grouping, where you get to group endpoints based on setup criteria. That's pretty cool. I like the simplified policy management and simplified white-listing process. Coming from McAfee, management has been much simpler and much easier to look at. 

I like the simplified management, it has a nice UI, and it's very simple.

What needs improvement?

The EDR portion could be better. I'm not a big fan, but it works.

The End Point Detection Response and the way it lays our processes with our endpoint and its detection engine, in the way that it detects the admin or alerts us based on a threat. I feel that they're a little behind on the market from my perspective.

Overall, areas of improvement would be the EDR part, the detection, also the cloud console. If you're trying to write queries or something, it's very slow, just not robust.

It's a cloud console so it should be fast. If I run a query and I press enter, if it took two seconds, it wouldn't give me a nice loading interface, because it's stuck. I would see an operating system most of the time. 

I feel like it should be faster. But as far as the price and everything, I think it's a good product.

For how long have I used the solution?

We're actually doing a migration from McAfee to Carbon Black. The migration project has been about 12 months right now. We're slowly migrating.

What do I think about the stability of the solution?

Stability is one thing that's not robust. Other products are faster, but as far as the CB Defense, it's slow. We had some issues with the sensors and we also saw slowness on the Windows side, Windows file share, which actually was fixed in the next new version of the sensor.

I'm the only network security person here. But the other users who have different roles have access as well. In my team, there are five or six people. But I'm the only one actually directing changes.

We use it on a daily basis. 

There are always alerts so I'll always have to check into alerts and see what's going on and then do some more analysis. If it's a new application we are implementing that will also need to be configured on Carbon. 

How was the initial setup?

The deployment process is straightforward. 

We're still deploying it slowly, little by little because we use a lot of critical applications and if Carbon Black interferes with the application, it will stop working. It needs to be tested thoroughly. It's a long process. 

All of its applications need to be tested thoroughly and then tested in a testing environment. Then we deploy and monitor, make changes, and stuff like that. As far as general users, laptops, and stuff, that's pretty straightforward. It's just part of the image. I have to write that script to uninstall McAfee, the whole migration. It's pretty straightforward. It wasn't complex as far as the installation or deployment.

What about the implementation team?

There was also a technical lead for this project. It automatically comes with professional services for 10 hours and the documentation is pretty clear. The professors helped through the process. 

What's my experience with pricing, setup cost, and licensing?

I think it's 28 per employee a year. 

Which other solutions did I evaluate?

We also looked at CrowdStrike but it was a little too expensive. 

What other advice do I have?

The implementation is very easy but the security aspects could be better. 

If you don't have a SIEM solution in your organization, you're probably engaging via email. But there's no way to point me to customize the email templates if I want to see more information on that email before going to the console. It's still a business and company, but I'm the only one who is managing everything. So when I see the email on my phone, I want to see more information before logging into the console. I want to see more filtering options to narrow down more field training.

I also wish it was easier and more intuitive in terms of searching for queries. I feel like it should be simpler. It doesn't make sense to have it this hard.

I would rate it a seven out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.