Head Of Information Security Department at an insurance company with 201-500 employees
Though a stable tool that offers EDR functionalities, it needs to introduce a host-based IDS for improvement
Pros and Cons
- "It is a stable solution...The initial setup of VMware Carbon Black Endpoint was easy."
- "In our company, we also wanted to have network detection, like a host-based IDS on VMware Carbon Black Endpoint, but we did not get it."
What is our primary use case?
My company uses VMware Carbon Black Endpoint for generic endpoint activity detection. We also use it for some investigation using osquery in our company. VMware Carbon Black Endpoint is useful for blocking some applications and vulnerability assessment of endpoints.
What is most valuable?
The most valuable feature of the solution is its EDR functionality. The osquery functionality of the product is also very good since it allows us to investigate special cases. Vulnerability management is another good feature of the product.
What needs improvement?
VMware Carbon Black Endpoint takes a step back when compared to other solutions in the market. Cortex XDR is a better solution compared to VMware Carbon Black Endpoint. In our company, we also wanted to have network detection, like a host-based IDS on VMware Carbon Black Endpoint, but we did not get it. The aforementioned reasons have forced our company to look for an upgrade or another solution altogether.
In the future, I would like to see VMware Carbon Black Endpoint offering a host-based intrusion detection system with a better incident response within the platform where you can raise an incident, assign it, and have some response functionality in it, like triaging the incident and other stuff.
For how long have I used the solution?
I have been using VMware Carbon Black Endpoint for three years. I use the solution's cloud version, which is the latest version. I am a customer of the solution.
Buyer's Guide
VMware Carbon Black Endpoint
March 2026
Learn what your peers think about VMware Carbon Black Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: March 2026.
885,311 professionals have used our research since 2012.
What do I think about the stability of the solution?
It is a stable solution.
What do I think about the scalability of the solution?
Around ten to eleven people use the solution in our company.
How are customer service and support?
In our company, we did not face many technical issues with the product. Over the span of the years we have been using the solution, there were only two not-so-difficult instances we encountered using the solution, but we were able to find the answers to resolve the issues. We did not face issues that needed the intervention of technical support.
I rate the technical support a seven out of ten.
Which solution did I use previously and why did I switch?
Previously, we were using a signature-based antivirus, Symantec Antivirus, in our company.
How was the initial setup?
The initial setup of VMware Carbon Black Endpoint was easy.
The solution is deployed on a public cloud.
The deployment phase took about a month to get deployed to all the endpoints using the agent, but the most difficult part was tuning the policy, which took the most time based on the alarm policy and alert policy. I feel the aforementioned phases of deployment are a regular process.
I do not want to discuss the actual number of people involved in the deployment process, but I can say that the deployment was not done for a small company.
What about the implementation team?
I was involved in the implementation phase of the solution.
What's my experience with pricing, setup cost, and licensing?
Price-wise, VMware Carbon Black Endpoint is a highly-priced solution. Regarding the licensing cost of the solution, one needs to opt for an annual subscription.
Which other solutions did I evaluate?
One of the main advantages of Cortex XDR over VMware Carbon Black Endpoint is that Cortex XDR has an intrusion detection system. Cortex XDR has a host-based IDS, and such a feature doesn't exist in VMware Carbon Black Endpoint. Cortex XDR has VMware Carbon Black Endpoint's functions and much more than they need.
Palo Alto is a product that our company has considered during its current evaluation process.
What other advice do I have?
I would say that VMware Carbon Black Endpoint is a very good solution for those planning to use it. If a person has certain cost constraints, then VMware Carbon Black Endpoint may not be the best solution since many cheaper or even open-source solutions can provide the same functionalities as VMware Carbon Black Endpoint. I feel that with a good budget, a better solution can be available in the market.
I rate the overall solution a seven and a half out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Consultant at Mahle
Great correlation and visibility; easy setup
Pros and Cons
- "Carbon Black CB Defense has helped improve my organization by allowing us to have better data so that we can do correlation and get visibility into the alerts."
What is our primary use case?
We use Cyber Defense to protect our machines from all kinds of attacks. We use this solution to protect ourselves from advanced threat attacks as well as viruses and malware. We also do threat hunting with the help of CyberArk for defense solutions.
How has it helped my organization?
Carbon Black CB Defense has helped improve my organization by allowing us to have better data so that we can do correlation and get visibility into the alerts. Previously, we used a different solution for protecting the devices and we were not able to get enough data.
What is most valuable?
The Carbon Black CB Defense feature I found most valuable is that it gives us the ability to do log analysis as well as the current state of the environment and activity on the user machines.
What needs improvement?
I would say that the technical support team should be improved since it takes them a lot of time to provide us with support.
In the next release, I would like to see a host-based firewall.
For how long have I used the solution?
I have been using this solution for more than a year.
What do I think about the stability of the solution?
I would rate the stability of this solution a seven, on a scale from one to 10, with one being the worst and 10 being the best.
What do I think about the scalability of the solution?
I would rate the scalability of this solution an eight, on a scale from one to 10, with one being the worst and 10 being the best.
How was the initial setup?
The initial setup process was easy. It takes about four or five months to set up the solution. The deployment was done with the help of ten teams and five to six people who had full involvement during the implementation.
What other advice do I have?
To the people looking to use this solution, I'd say if you want to get better visibility into an environment and see user activity or suspicious activity, then Carbon Black CB Defense is the right solution for you.
Overall, I would rate this solution an eight, on a scale from one to 10, with one being the worst and 10 being the best.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Has An Easy Setup In Place; However, Adding Certain Integration Features Would Make It A More Useful Solution
Pros and Cons
- "I feel that the initial setup was straightforward and not complex."
- "I am not sure whether Carbon Black CB Defense can be considered as a stable solution or not."
What is our primary use case?
Our primary use case for this solution involves addressing incidents related to malware outbreaks and malicious signatures.
What is most valuable?
Sandboxing is one of the features I found to be the most valuable in Carbon Black CB Defense.
What needs improvement?
It would be good if Splunk integration or something similar to Splunk integration is available for this solution.
For how long have I used the solution?
I have been using the latest version of Carbon Black CB Defense for the past year.
What do I think about the stability of the solution?
I am not sure whether Carbon Black CB Defense can be considered to be a stable solution or not.
What do I think about the scalability of the solution?
I feel that this is a scalable solution. There are around 80 to 90 employees at our organization who are using Carbon Black CB Defense.
How are customer service and support?
I have never contacted the tech support team of Carbon Black CB Defense.
Which solution did I use previously and why did I switch?
In our organization, we have used CTF365 and iZOOlogic in the past. We didn't switch from those since we have a multiple-client setup. One client uses one EDR, while the other one uses the other EDR. So, the intention of having a multiple-client setup at our end is to help our clients, and it is not for the benefit of our company.
How was the initial setup?
I feel that the initial setup was straightforward and not complex. The deployment of the tool is carried out by our engineering team, consisting of 10 members. With the addition of the manager and the other management team members, the total number of individuals involved in the deployment comes to around 25. The engineering team, who are responsible for this activity, ensures the successful deployment of the solution with their expertise.
What other advice do I have?
I would like to see more integration with other platforms. I rate this solution a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
AVP - Information Security Governance & Risk Management at Allied Bank Limited
An easy-to-use solution that has a live response which is really tailored to our needs, but needs a lot of time to record all of the behaviors
Pros and Cons
- "The best feature of this solution is that we have a live response, which is really tailored to our needs."
- "The solution would be more effective if there was a way to block automatically based on behavior."
- "There is no option for the solution to block automatically based on behavior."
What is our primary use case?
We have a dedicated team using this solution. They create incidents, escalate the incidents, and then respond to the events detected by the EDR.
What is most valuable?
The best feature of this solution is that we have a live response, which is really tailored to our needs.
What needs improvement?
There is no option for the solution to block automatically based on behavior. First, the solution needs a lot of time to record all the behaviors. Then, we manually have to create a behavior analysis rule to detect any malicious activity. The solution would be improved and be more effective if there was a way for this process to be done automatically.
For how long have I used the solution?
We have been using this solution for six to seven months.
What do I think about the stability of the solution?
The solution is not always ideal, but it is pretty stable. We did face a few issues, in the response feature for example, but they were resolved.
What do I think about the scalability of the solution?
At this point we have not encountered any issues with scalability, but time will tell how much scaling is feasible for us.
How are customer service and support?
The customer support is average. At times I feel like they should have responded to us immediately because we had some issues that needed an immediate reply, but their response was a bit slow. However, overall, they're good and the support is acceptable.
How would you rate customer service and support?
Neutral
How was the initial setup?
It was not easy and we faced challenges, but it was okay. We're also dealing with an issue involving multiple unsupported OS's because we have so many Linux products in our infrastructure. I would rate the initial setup as a three out of five, with one being difficult and five being easy.
What other advice do I have?
This is a good solution, but there are a lot of improvements needed. I am overseeing the project part of the solution, not the deep technical side. As far as my knowledge is concerned, it's an easy-to-use solution and it has many good features, but it also has many features that require improvement. I would rate the solution as a six out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Infrastructure and Security Manager at a paper and forest products company with 1,001-5,000 employees
The manage, detect, and response feature enables Carbon Black to continuously check logs and advise us on how to improve some of the policies
Pros and Cons
- "The new feature that we're deploying, the new offering from Carbon Black, is MDR, which stands for manage, detect, and response. It's the most valuable feature because Carbon Black will be continuously checking the logs, and they will be advising us on how to improve some of the policies as well as review the logs. If there are any nefarious agents or things happening on the end points, they will know."
- "It is more expensive, but it's worth it."
- "The node management could be much better. The one thing that they cannot do very easily is change the tenant from a backend."
- "The node management could be much better."
What is our primary use case?
It is a default software that goes on every computer. This is antivirus endpoint protection. It's pretty simple. The standard application goes on every single machine that we deploy that is Windows based. We have it running on machines that are deployed on the cloud, machines that are deployed on-premise, and on machines that people are using strictly on the internet.
We're using the Carbon Black Endpoint. We're using the latest sensors. We've used 3.7 and 3.8.
Initially when we deployed it, there were over 2,000 users in terms of giving access to the console. We had roles created for security analysts. There were different roles. For example, the field services who take care of the PCs could go take a look. They could bypass if needed, but they could not change any roles or uninstall the agent.
Other roles, such as mine, have full access. We had roles where we had actually created the API integration key where we were sending the Carbon Black logs to a third party who was our SIM for review. There are different roles you can define in there.
What is most valuable?
The new feature that we're deploying, the new offering from Carbon Black, is MDR, which stands for manage, detect, and response. It's the most valuable feature because Carbon Black will be continuously checking the logs, and they will be advising us on how to improve some of the policies as well as review the logs. If there are any nefarious agents or things happening on the end points, they will know.
They also have the ability to take action based on what we've already agreed upon, what rights we give them, or what we tell them they can or can't do as part of their response. Hypothetically, if there's a rogue machine that is trying to infect other machines, we can tell them that they should try to contact us, but if they don't get a hold of anybody in GreenFirst IT in 15 minutes, they should go ahead and quarantine that machine. They can take actions, they can do remediation or response. Instead of advising, they will be taking action.
What needs improvement?
The node management could be much better. The one thing that they cannot do very easily is change the tenant from a backend. As an example, assets were sold from a company called Rayonier Advanced Materials and went to GreenFirst, which became GreenFirst as a startup. We had a tenant where all the machines were registered to the cloud. That is the tenant that was there for Rayonier. It is very hard for them to make changes to the tenants, such as rename or anything like that. What they really would push you to do is, "Your tenant is going to be under your company name. You have to uninstall all the agents and reinstall them again." Making changes at a tenant-level would be a welcome feature to allow divestitures and things like that.
They can do some of these things, but they're not very user friendly or easily done. They basically tell you to do the hard lifting yourself. For example, they basically kept pushing me and saying, "Uninstall your antivirus on about 500 machines and reinstall it with the new tenant information." I would say "No, everything is a tenant. Rename me the tenant."
I would like to see the GUI improved and easier troubleshooting. One thing they did that makes it easier in troubleshooting versus the older versions of the software is that now you can actually drill down to see the parent process and go all the way down.
In CrowdStrike, they have a timeline where they actually build the whole scenario as to what happened. It's like a playback. It's almost like a movie. You play back and it says, "Okay, this process ran," and then it shows what it caused and everything. You can see all that and if there are any screen outputs it puts it on because CrowdStrike actually maintains some of those things. A playback feature would be very valuable.
For how long have I used the solution?
I have worked with this solution for over three years.
What do I think about the stability of the solution?
Carbon Black is a very capable tool. It's a very strong product.
What do I think about the scalability of the solution?
There have been no issues with the scalability.
It's on every single node, so I cannot increase it anymore than that.
How are customer service and support?
Their technical support is better than most of the normal tech supports that I've dealt with. My one pet peeve with them is that they respond to your request on their portal. For example, if you need to have a working session with them, they respond to your request in the portal, and you are not always in the portal and you may miss a time that they would be available to assist you. It would be much better if they picked up the phone or actually emailed instead of always using their portal.
I would rate their technical support a 3.5 out of 5.
Which solution did I use previously and why did I switch?
We switched because we wanted to go to a next-gen antivirus that looked at the pattern instead of looking for signature. The second thing is we were trying to get off Kaspersky because it's a Russian company and Rayonier AM was an American company. The biggest reason was to go to a next-gen antivirus.
This is hardly signature based. It's more than heuristic, and one of the other reasons is that the updates are pushed over the cloud when the nodes are available. We don't need people to be connecting to an internal server on-prem to get their updates. Another reason was security features and the ability to quarantine a machine regardless if it's on-prem or if it's just on the internet.
How was the initial setup?
If you're not used to Carbon Black, it can be challenging because these are not regular rules, like the way you would deploy under a normal antivirus. There are a lot of different functionalities that you could do that are not available under normal antivirus things, such as allowing a script or an application to run based on hash, or white listing if an application is signed by a specific code sign or certificate. It can be very challenging.
When we did it years ago, we went from McAfee and Kaspersky to Carbon Black. At that time, there were 2,000 or so nodes. Deployment took less than a month. That was due to us doing various types of scripting for a massive rollout and automatic installation of the tool and the automatic uninstall of the older tools.
What about the implementation team?
Deployment was done in-house.
What was our ROI?
It's very subjective to give an ROI on an antivirus. If I was making a piece of equipment and I implemented something that could show that instead of something that takes four hours to complete, now it takes three hours, I could tell you what my ROI would be.
In this instance it is very subjective. The only thing that you could do is take a look at how many security incidents you've had with a different product versus what you think you will have with going with Carbon Black, or assume you won't have any issues with Carbon Black versus how many issues you had with the other one, and then you can see how long it takes.
Speaking from experience, for the former company that I worked for, we were hit with malware, a ransomware where some files were encrypted, but we were able to get them from the backup. However, attacks such as that have failed since we have had Carbon Black.
What's my experience with pricing, setup cost, and licensing?
It is more expensive, but it's worth it. There are no additional costs beyond the standard licensing fee.
Which other solutions did I evaluate?
We looked at CrowdStrike, the offering from Blackberry called SentinelOne, and we looked at the major other AV providers like Sophos, McAfee, and Norton.
What other advice do I have?
I would rate this solution 8 out of 10.
Carbon Black gives a different offering. Their ThreatHunter gives you more of the threat hunting features, so if they basically make that a standard feature, then I would rate it higher.
My advice is to use a deployment tool if you have one because it will come in handy. I would also suggest that you enable the feature in Carbon Defense because uninstallation requires a key so that people can't get rid of it.
If you are going to be buying it, my advice would be to take a look at their manage, detect, and response feature because you take the onus away from your internal team, and you also take away potential misconfiguration out of your internal IT group because they will be looking at all the logs, and they will be reviewing the policies and they can actually tell you how to do it. If you do not have the manage, detect and response, it all falls on you, and then you would have to integrate it with your own. If you have a SIM, you would have to learn how to integrate it to your SIM.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
VMware Consultant at V2S Corporation
Integrates with different software's log servers and easy to scale
Pros and Cons
- "For Carbon Black Endpoint, the possibility of integration with different other software's log servers is the important thing. Having just one point of view is more interesting so you don't need to go to different places to see all the information."
- "The initial setup is complex."
What is our primary use case?
We need it to secure some PCs and virtual machines inside the company.
How has it helped my organization?
We have a single point of view of all the security systems, and it has some interesting tools.
What is most valuable?
For Carbon Black Endpoint, the possibility of integration with different other software's log servers is the important thing. Having just one point of view is more interesting so you don't need to go to different places to see all the information.
What needs improvement?
There is room for improvement in the proxy servers. The implementation and management of those servers are difficult.
The proxy servers have proxy servers in place to not connect directly to the Internet, and the implementation and management of those servers are difficult.
Moreover, some customers request disabling Bluetooth in endpoints, but Carbon Black doesn't do that. So, there should be some flexibility for customization.
For how long have I used the solution?
I have been using this solution for a couple of months.
What do I think about the stability of the solution?
I would rate the stability a nine out of ten.
What do I think about the scalability of the solution?
It is easy to scale. I would rate the scalability a ten out of ten.
How are customer service and support?
The customer service and support are solid.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup is complex.
What was our ROI?
It's a good return on investment. The single point of view is very important for the client.
What's my experience with pricing, setup cost, and licensing?
The solution has almost the same price as other different kinds of infrastructures, but it offers a lot of different features.
What other advice do I have?
I would recommend trying it first. Overall, I would rate the solution a nine out of ten. It's a great product.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber Security Manager Senior Specialist at a university with 501-1,000 employees
A scalable and easy-to-deploy EDR solution that offers its users good customer support
Pros and Cons
- "It is a scalable solution...The initial setup was straightforward."
- "Right now, Carbon Black CB Defense doesn't support cloud computing and Kubernetes."
What is our primary use case?
I am associated with the incident response team, and we use Carbon Visibility for converged networks.
What needs improvement?
Right now, Carbon Black CB Defense doesn't support cloud computing and Kubernetes. However, if it does support them, then it would be better.
For how long have I used the solution?
I have been using Carbon Black CB Defense since 2019.
What do I think about the stability of the solution?
It is mostly a stable solution, but sometimes there are stability issues.
What do I think about the scalability of the solution?
It is a scalable solution.
How are customer service and support?
The technical support is nice. We can reach them 24/7. I rate technical support a seven out of ten.
How would you rate customer service and support?
Neutral
How was the initial setup?
The initial setup was straightforward. We use it for the environment server, clients like end users, and competitors. We use some automation tools like SCCM for Windows, Linksys, and some other automation tools, and we use a lot of them to deploy. So, it depends since it is a circle and because every day, there is a new server that joins the environment. And when your server line client enters the server environment, they automatically install blockings.
But the environment contains over twenty thousand clients. It may take three or three months, depending on whether the employee works in their home. They can only join the network once they log in to VPN. So as a result of that, sometimes deployment time takes too much time. We have very big environments, but a lot of the domain is managed by some administration. Less than ten people were required for the deployment.
What about the implementation team?
We used local support to deploy it.
What's my experience with pricing, setup cost, and licensing?
There are more expensive products than Carbon Black CB Defense, so we are using the solution for its availability.
What other advice do I have?
I recommend the solution to others planning to use it. I rate the overall solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sales Operations Specialist at ADEO IT Consulting Services
Shows the whole process of events but has compatibility problems with Linux
Pros and Cons
- "The initial setup was fairly easy."
- "CB Defense could be more compatible with Linux, and its cloud provision could be improved."
What needs improvement?
CB Defense could be more compatible with Linux, and its cloud provision could be improved.
For how long have I used the solution?
I've been using CB Defense for two years.
What do I think about the scalability of the solution?
CB Defense is scalable so long as the deployment has been done correctly.
How are customer service and support?
Carbon Black's support team are very slow to answer questions.
How was the initial setup?
The initial setup was fairly easy. Deployment will take one to two weeks, depending on how many endpoints there are.
What's my experience with pricing, setup cost, and licensing?
CB Defense is available on a yearly subscription and is priced by the number of endpoints.
What other advice do I have?
I would recommend CB Defense for users who want an on-prem solution that lets them see the whole process of any event. I would give CB Defense a rating of six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller