VMware Carbon Black Endpoint Reviews

It has various use cases like firewalls and antivirus. It's been working great for us so far.

I found the offline scanning to be particularly useful. Compared to CrowdStrike, it had better IT capabilities and beautiful analytics. Overall, it was cost-effective too.

There is room for improvement in the support and service team. The response time could be faster. That's why I switched because the support was not as expected from a company like Carbon Black.

I have been working with this solution for three years. I am using the latest version. 

I would rate it a nine out of ten. It was very stable.

The scalability of the solution is good and affordable. I would rate the scalability a nine out of ten. There are over 300 users in our company using the solution. 

The customer service and support team took too long to respond to our queries, and the local reseller did his best, but it still wasn't fast enough or knowledgeable enough. It was just too slow in addressing our concerns. Unfortunately, the support service was not up to par.

The setup was nice, but the technical aspects of the product can be challenging. It's not easy and requires someone who really knows what they're doing. Two to three people are required for the maintenance of the solution. 

Generally, the deployment process takes one to two weeks but also depends on the user's training. It's a cloud-based solution, so once you identify the IP address and add it to the user name, it will be available in the software market. This is how most cloud-based solutions work, and it's not complicated.

Once the product is stable, it works well. That's why I renewed it for three years. However, we had a big incident where we did not receive the expected support.

We have seen ROI. 

We use a yearly subscription model. It is not cheap, but it is cheaper than CrowdStrike.

I would recommend having a strict SLA with the vendor for support. It's better to buy extra support for the unit.  Overall, I would rate the solution an eight out of ten.

We use Cyber Defense to protect our machines from all kinds of attacks. We use this solution to protect ourselves from advanced threat attacks as well as viruses and malware. We also do threat hunting with the help of CyberArk for defense solutions.

Carbon Black CB Defense has helped improve my organization by allowing us to have better data so that we can do correlation and get visibility into the alerts. Previously, we used a different solution for protecting the devices and we were not able to get enough data.

The Carbon Black CB Defense feature I found most valuable is that it gives us the ability to do log analysis as well as the current state of the environment and activity on the user machines.

I would say that the technical support team should be improved since it takes them a lot of time to provide us with support.

In the next release, I would like to see a host-based firewall.

I have been using this solution for more than a year.

I would rate the stability of this solution a seven, on a scale from one to 10, with one being the worst and 10 being the best.

I would rate the scalability of this solution an eight, on a scale from one to 10, with one being the worst and 10 being the best.

The initial setup process was easy. It takes about four or five months to set up the solution. The deployment was done with the help of ten teams and five to six people who had full involvement during the implementation.

To the people looking to use this solution, I'd say if you want to get better visibility into an environment and see user activity or suspicious activity, then

Carbon Black CB Defense  is the right solution for you.

Overall, I would rate this solution an eight, on a scale from one to 10, with one being the worst and 10 being the best.

Our primary use case for this solution involves addressing incidents related to malware outbreaks and malicious signatures.

Sandboxing is one of the features I found to be the most valuable in Carbon Black CB Defense.

It would be good if Splunk integration or something similar to Splunk integration is available for this solution.

I have been using the latest version of Carbon Black CB Defense for the past year.

I am not sure whether Carbon Black CB Defense can be considered to be a stable solution or not.

I feel that this is a scalable solution. There are around 80 to 90 employees at our organization who are using Carbon Black CB Defense.

I have never contacted the tech support team of Carbon Black CB Defense.

In our organization, we have used CTF365 and iZOOlogic in the past. We didn't switch from those since we have a multiple-client setup. One client uses one EDR, while the other one uses the other EDR. So, the intention of having a multiple-client setup at our end is to help our clients, and it is not for the benefit of our company.

I feel that the initial setup was straightforward and not complex. The deployment of the tool is carried out by our engineering team, consisting of 10 members. With the addition of the manager and the other management team members, the total number of individuals involved in the deployment comes to around 25. The engineering team, who are responsible for this activity, ensures the successful deployment of the solution with their expertise.

I would like to see more integration with other platforms. I rate this solution a seven out of ten.

It is a default software that goes on every computer. This is antivirus endpoint protection. It's pretty simple. The standard application goes on every single machine that we deploy that is Windows based. We have it running on machines that are deployed on the cloud, machines that are deployed on-premise, and on machines that people are using strictly on the internet.

We're using the Carbon Black Endpoint. We're using the latest sensors. We've used 3.7 and 3.8.

Initially when we deployed it, there were over 2,000 users in terms of giving access to the console. We had roles created for security analysts. There were different roles. For example, the field services who take care of the PCs could go take a look. They could bypass if needed, but they could not change any roles or uninstall the agent. 

Other roles, such as mine, have full access. We had roles where we had actually created the API integration key where we were sending the Carbon Black logs to a third party who was our SIM for review. There are different roles you can define in there.

The new feature that we're deploying, the new offering from Carbon Black, is MDR, which stands for manage, detect, and response. It's the most valuable feature because Carbon Black will be continuously checking the logs, and they will be advising us on how to improve some of the policies as well as review the logs. If there are any nefarious agents or things happening on the end points, they will know. 

They also have the ability to take action based on what we've already agreed upon, what rights we give them, or what we tell them they can or can't do as part of their response. Hypothetically, if there's a rogue machine that is trying to infect other machines, we can tell them that they should try to contact us, but if they don't get a hold of anybody in GreenFirst IT in 15 minutes, they should go ahead and quarantine that machine. They can take actions, they can do remediation or response. Instead of advising, they will be taking action.

The node management could be much better. The one thing that they cannot do very easily is change the tenant from a backend. As an example, assets were sold from a company called Rayonier Advanced Materials and went to GreenFirst, which became GreenFirst as a startup. We had a tenant where all the machines were registered to the cloud. That is the tenant that was there for Rayonier. It is very hard for them to make changes to the tenants, such as rename or anything like that. What they really would push you to do is, "Your tenant is going to be under your company name. You have to uninstall all the agents and reinstall them again." Making changes at a tenant-level would be a welcome feature to allow divestitures and things like that.

They can do some of these things, but they're not very user friendly or easily done. They basically tell you to do the hard lifting yourself. For example, they basically kept pushing me and saying, "Uninstall your antivirus on about 500 machines and reinstall it with the new tenant information." I would say "No, everything is a tenant. Rename me the tenant."

I would like to see the GUI improved and easier troubleshooting. One thing they did that makes it easier in troubleshooting versus the older versions of the software is that now you can actually drill down to see the parent process and go all the way down. 

In CrowdStrike, they have a timeline where they actually build the whole scenario as to what happened. It's like a playback. It's almost like a movie. You play back and it says, "Okay, this process ran," and then it shows what it caused and everything. You can see all that and if there are any screen outputs it puts it on because CrowdStrike actually maintains some of those things. A playback feature would be very valuable.

I have worked with this solution for over three years.

Carbon Black is a very capable tool. It's a very strong product.

There have been no issues with the scalability.

It's on every single node, so I cannot increase it anymore than that.

Their technical support is better than most of the normal tech supports that I've dealt with. My one pet peeve with them is that they respond to your request on their portal. For example, if you need to have a working session with them, they respond to your request in the portal, and you are not always in the portal and you may miss a time that they would be available to assist you. It would be much better if they picked up the phone or actually emailed instead of always using their portal.

I would rate their technical support a 3.5 out of 5.

We switched because we wanted to go to a next-gen antivirus that looked at the pattern instead of looking for signature. The second thing is we were trying to get off Kaspersky because it's a Russian company and Rayonier AM was an American company. The biggest reason was to go to a next-gen antivirus.

This is hardly signature based. It's more than heuristic, and one of the other reasons is that the updates are pushed over the cloud when the nodes are available. We don't need people to be connecting to an internal server on-prem to get their updates. Another reason was security features and the ability to quarantine a machine regardless if it's on-prem or if it's just on the internet.

If you're not used to Carbon Black, it can be challenging because these are not regular rules, like the way you would deploy under a normal antivirus. There are a lot of different functionalities that you could do that are not available under normal antivirus things, such as allowing a script or an application to run based on hash, or white listing if an application is signed by a specific code sign or certificate. It can be very challenging.

When we did it years ago, we went from McAfee and Kaspersky to Carbon Black. At that time, there were 2,000 or so nodes. Deployment took less than a month. That was due to us doing various types of scripting for a massive rollout and automatic installation of the tool and the automatic uninstall of the older tools.

Deployment was done in-house.

It's very subjective to give an ROI on an antivirus. If I was making a piece of equipment and I implemented something that could show that instead of something that takes four hours to complete, now it takes three hours, I could tell you what my ROI would be.

In this instance it is very subjective. The only thing that you could do is take a look at how many security incidents you've had with a different product versus what you think you will have with going with Carbon Black, or assume you won't have any issues with Carbon Black versus how many issues you had with the other one, and then you can see how long it takes. 

Speaking from experience, for the former company that I worked for, we were hit with malware, a ransomware where some files were encrypted, but we were able to get them from the backup. However, attacks such as that have failed since we have had Carbon Black.

It is more expensive, but it's worth it. There are no additional costs beyond the standard licensing fee.

We looked at CrowdStrike, the offering from Blackberry called SentinelOne, and we looked at the major other AV providers like Sophos, McAfee, and Norton.

I would rate this solution 8 out of 10. 

Carbon Black gives a different offering. Their ThreatHunter gives you more of the threat hunting features, so if they basically make that a standard feature, then I would rate it higher.

My advice is to use a deployment tool if you have one because it will come in handy. I would also suggest that you enable the feature in Carbon Defense because uninstallation requires a key so that people can't get rid of it.

If you are going to be buying it, my advice would be to take a look at their manage, detect, and response feature because you take the onus away from your internal team, and you also take away potential misconfiguration out of your internal IT group because they will be looking at all the logs, and they will be reviewing the policies and they can actually tell you how to do it. If you do not have the manage, detect and response, it all falls on you, and then you would have to integrate it with your own. If you have a SIM, you would have to learn how to integrate it to your SIM.

Customers want solutions that provide endpoint detection and response. The traditional antivirus solutions and the market trend are changing. Customers are asking for the latest technologies. Carbon Black has very good market strategies. We do the marketing activities and promote the product to the customers.

Getting the right technical support is a challenge.

I have been using the solution for four years.

The support is poor.

Negative

I have worked with traditional antivirus solutions like Symantec, McAfee, Trend Micro, Kaspersky, Sophos, and F-Secure. Broadcom acquired Symantec, and Trellix acquired McAfee. The market is disturbed as other solutions are acquiring the traditional leaders. Getting support is becoming a challenge.

Carbon Black provides endpoint detection and response. CrowdStrike provides vulnerability assessment and application testing features. It gives additional threat prevention to the customer. So, I prefer CrowdStrike over Carbon Black. Carbon Black and CrowdStrike provide very good market strategies.

Customers have to understand the product and implement it. It takes time to understand the product. The implementation takes around 12 months.

The pricing is very high. There are no discounts, and there is minimal margin.

We conduct market and customer events for the solution. We help customers understand the product. Customers need monitoring software with a bundle of features, including DLP, signature lists, and sandboxing technologies. When these features can be merged within a single product, it will become a complete product. Overall, I rate the solution a two out of ten.

We're providing this product to our customers. The main intention of using this product is to detect small malware and for vulnerabilities and scanning detection in real-time.

The Intel fit was very extensive and comprehensive enough. The visualization tree product feature in this CB defense is quite good. These are the two more notable product features.

The pricing is excellent.

The solution is stable.

There's some disparity between the on-premise and the cloud type of application. We basically manage applications versus SaaS-based ones. We were hoping that some of the more advanced features that they offer in the SaaS actually could be similarly offered for the on-premise managed applications. We find that cloud-based solutions are particularly more advanced in product roadmaps compared to on-prem.

There should be more roles in support. There needs to be support for multi-tenancy, the likes of multiple names space. When you use that in a very large organization, you have many departments. It doesn't really provide grouping by department, et cetera. 

There's actually a lagging feature that we saw in the SaaS, yet not on the on-premise setup. It seems like the on-premise one was really, really meant for a single department setup rather than for multiple departments.

The solution doesn't allow for high availability configuration. That's also a negative impact relating to the product.

We have been using this solution for about two years.

Stability-wise, the product has been quite stable. There's no issue. The maintenance was quite straightforward, and if you don't really touch it, you won't have stability problems. 

Medium to large companies will be selecting Carbon Black solutions mainly due to the fact that they needed this to better the security posture checks in the environment, typically in the more regulated environment. Regulatory, regulated environments or companies that are more security-centric will go for this type of product.

While it can scale, it only supports non-HA. Scalability is quite limited. You can only scale vertically - not horizontally.

Technical support can be much improved. They're quite lagged in terms of their support and post-sales. In terms of the roadmap to sell, they tend to sell more towards endpoints and very large enterprises. For a server base, it would lose itself. That's not really their main focus at this point in time. Therefore, it's not as good there.

Neutral

I'm also familiar with Trend Micro. Trend Micro is advancing the product, keeping it fairly up to date, and covering some aspects of the EDR over time and they're doing a lot of catching up. They actually have caught up. The technology now is quite fairly similar - it's just that the initial focus was in different areas, however, they are filling this gap. It's actually a very strong competitor. In terms of user, features-wise, et cetera, this solution is quite on par. Trend Micro is a security-focused company, so from an enterprise point, probably they are more focused than Carbon Black nowadays being bought over by VMware. Security is probably not their main area of focus at this point in time. 

The initial setup is a bit of a mix. It is simple in the sense the setup was quite straightforward, however, when it comes to configuring for other supports, like emails, notifications, Syslog, et cetera, this identity provider's power integration, which we did for our SML 2.0, is powered based, rather than supported directly through the GUI. That was not so user-friendly, or more complex in terms of configuration.

On a scale from one to five in terms of ease of setup, it'll be about three. It probably takes about half a day just to complete the configuration setup.

The maintenance so far has been quite fairly straightforward. We don't really have any issues with the maintenance. Obviously, I didn't want the downside of the product side, maybe one of the cons is that it doesn't really support HA high availability setup configuration. 

We have a contract, we have actually a BOT tender contract where our different customers from different departments actually purchase their licensing. Generally, the pricing is from a unique cost perspective. I wouldn't know exactly how much they buy typically, as they procure their licenses on their own. Typically, if you compared the pricing to Trend Micro, it's probably about half the cost.

We're not quite a partner. We are a systems integrator and reseller. 

We do not have the latest update. We integrate that into our Azure AD itself.

We have the solution deployed both on the cloud and on-premises. 

I'd recommend the solution based on the cost. It's really subjective to the organization's needs. If it's for a single, small department, it's fine. If it's for a large organization itself, some of it lacks. Enterprise capabilities are probably a hindrance for a large organization to take up such a product. The limitations of supporting multiple departments with different roles and users, for them to configure what they need, would be a problem. When you talk about alerts et cetera, and also certain tracks, different departments actually probably they have their own different needs, so they wanted something to be a little bit independent, where the configuration settings are unique to the department, rather than something that can only be common for all departments in the current setup.

I'd rate the solution six out of ten.

I know they have different forms in their Carbon Black Endpoint now, but we were using Carbon Black Prevent, which was basically just a pure whitelisting product. We didn't look at the other kinds of things that it was doing.

We were basically just using it for, "If Carbon Black picks up a new file in the machine and it's executable or something and it hasn't seen it before, it has to be whitelisted first. It has to be approved before it's allowed to run." That's what we're using it for.

We were technically one and a half versions behind the current version which is out there right now.

The solution is deployed on-prem.

We have cut back the amount of users. At one point, we had about 1,500 or 2,000 users. We're down to about 750 right now.

The solution just gave us another layer of protection from zero-day threats, because you can't always trust what your users are doing. You just have to do what you can technically to try to mitigate that.

I'm on the security department, so it's just in the layer of our prevention to give us protections against, for example, ransomware that might kick off and try to execute different files. If someone downloads something or whatever, it has to be whitelisted first. It has to be approved before it can run it all.

That's better to me than some signature-based thing, because it protects against zero-day. There are things that it doesn't know about, so it has to check them. We have Check Point now as well, but we have a Check Point on our firewalls, not our endpoints.

We have another piece of that infrastructure that does what they call threat emulation. You may have heard of it. It's like sandboxing where it takes files that it doesn't know about, puts them in a VM-type environment, and it kicks them off to see if there's any malware or tendencies that might look like malware, that kind of thing.

It's also a zero-day type of prevention thing, but it kicks them off in a safe environment so that you can see what it's doing. You need integration with Check Point to do that, but that integration went away with the latest release, the one we just put out there.

That was a big part of why we liked Carbon Black, because it is integration to not only do the whitelisting, but also we could have automatic rules set up so that if a new file got downloaded by a user, we could automatically send that over to Check Point and it could do its emulation on it in the sandbox. And if it came back clean, then we could automatically approve it.

We wouldn't have to go through a manual process of having our people approve every single file that comes across as having been seen before. So, it was a really good way to work those two products together. But that went away. And so now I'm like, "Okay, what are we going to do now?" I hadn't looked at the Harmony Endpoint at all.

I haven't looked at Check Point's piece, but I was wondering to myself, "If it does something like Carbon Black was doing and then we already have Check Point on the other one, that would work." So, that was what I was trying to do.

There could be more knowledge. I think they made a mistake when they took away the Check Point integration, because it provides more automation and also more threat intelligence. Maybe you didn't see something within Carbon Black's sphere of what it knows, within their product line or their threat cloud or whatever they use for their intelligence. Maybe it didn't see anything of the files that it knows about, but what about somebody else's? And what about kicking into another product that does those kinds of things like sandboxing?

I don't know why they would take that away. That doesn't make sense to me because they need to expand on that. The more they expand on that, the more confidence you have as a security guy. You have more confidence that that file is clean, and there's nothing bad about it. Bringing back the integration with Check Point would be a good start.

This product is being used extensively in our organization. I'm actually looking for a replacement because of the fact that we lost that integration. That's really crucial, honestly. Otherwise, it becomes much more manpower-intensive. I need to spend more man-hours going through it instead of using automations.

I prefer to set up things so my team doesn't have to spend a huge amount of time running down rabbit trails all the time. The more we can automate and still be secure about it, that is what we try to do.

There are no additional features I would like to see added. I know they already have a cloud offering as well. You can manage things through their cloud for people that are always on-site. We mostly just use it for our own managed devices. We didn't really put it on. We never planned and don't plan to put it on or make it available to a BYOD kind of thing. This is all company-managed devices.

It just made more sense for us to do it internally than putting it in the cloud. But we could have done either one, I suppose. But since we started out inside, we just kept it that way. It was just easier.

I have been using this solution for five years.

It's stable.

The solution is scalable. We have never had an issue.

I would rate technical support 5 out of 5.

We did a proof of a couple different products, but we chose CB. And we've been with them since, because they do a good job. They've been pretty easy to manage, and they've had good support. So, we've actually been really happy with them.

It was pretty straightforward. It took some time to roll out. We wanted to eventually get to a point where we are now, which was to totally block everything we don't know about. But that didn't come out of the box. You had to let things run for a while.

It did a good job of reporting things, but not blocking so we could go through there and say, "Okay, these are legitimate files. Or these files were signed with these certificates from these vendors that we can trust," for example. We spent six or eight months going through everything before we actually turned it into full blocking mode. As far as initial rollout, it was fairly simple, and it's been fairly easy to upgrade the agents.

We ran into some issues with some of the MSIs and things or some systems when we tried to update some things and it broke. I'd probably rate the setup a four out of five.

We do deployment slowly and in phases. We could have deployed it pretty fast, actually. But it took us about three months to deploy everything because we wanted to make sure we had test groups of machines that we put into each department or each part of the organization, because they do different things. We didn't want to inadvertently start breaking certain things. So, we took our time pulling it out. But I think, essentially, it could have been deployed in probably a few weeks at the most.

We have a team of about five people who take care of maintenance.

We implemented it through an in-house team.

The licensing cost is on the more expensive side, but I thought it was worth it because they did a good job. It was one of the vendors I truly didn't have to worry about too much until this latest upgrade.

I would rate this solution 8 out of 10. 

I'd say, "go for it" if you don't have or need Check Point for an integration. But if you're relying on that kind of integration, if you really need that like we did, then of course I wouldn't go that route.

If I were to make a recommendation to somebody else just starting out, my advice is to check out the cloud first.

We use this solution as our endpoint security system. The solution is cloud-based.

The solution is very useful and easy to handle. You don't need much intervention with this product.

The client performance could be improved. When you install it in the client, the performance gets a bit disturbed.

In the user interface, the user needs to have more visibility regarding what's happening because it gives you a very simple client for the user. It doesn't give a full output for the user. It would be great if that could be improved.

I have been using this solution for more than four years. We are working with the latest version.

The solution is really stable. 

It is scalable.

The local technical support is very poor, but the support from headquarters is very nice.

For the local technical support, I would rather rate it at one, even zero, out of five. I would rate the global support at three or four out of five.

We previously used Kaspersky, and we switched to Carbon Black because it's a cloud-based application. It also requires minimum handling and basically runs on its own when you set the policy, so it's very easy.

The solution is a bit complex. Deployment took around six months.

The partners helped us. 

The license is annual. It's a standard license.

I would rate this solution 7 out of 10 because of the support.

The product is very smooth and pretty simple. I like it, and anyone can use it. My advice is to be careful about the partners when you're selecting.