VMware Carbon Black Endpoint Reviews

We are an MSP, and we deployed this solution for a banking client. We use it to help us defend against advanced persistent threats.

I like its reporting.

Its compatibility can be improved. It did crash a server during deployment, which is not something that I want to happen.

Its deployment should also be easier. The whole deployment cycle needs to be simplified. It is an enterprise solution, and to set it up right now, you have to be an expert.

I have been working with Carbon Black CB Defense for six months.

After the initial system crash, I haven't had any issues.

It will be very scalable.

I haven't contacted them.

The initial setup was complex because we needed to set up a server, deploy it to the server, and push it up from there. We had the on-premises server setup. Its cloud version may be easier.

It took one week to fully deploy it. The strategy was just to rip and replace the solution that we had before.

I would advise making sure that it won't cause problems with your servers. Whenever possible, it is good to fully test a product before deploying it.

I would rate this solution an eight out of ten. It needs better ease of use and deployment.

We primarily use the solution as endpoint security.

The security, specifically the endpoint security that the solution provides, is its most valuable aspect.

The initial setup is pretty straightforward.

The solution needs better overall compatibility with other products.

I've been using the solution for less than a year. I've only really been using it for the last one or two quarters of this fiscal year. It hasn't been a very long time yet.

The solution is quite stable. We find it to be a reliable product. There aren't bugs or glitches. It doesn't crash or freeze.

The solution can scale if you need it to. That's not a problem at all.

We have more than 10,000 people using the solution currently.

When it comes to technical support, so far it's been good. We've been pretty satisfied with their level of support. They are responsive and knowledgeable and we know we can get help when we need it.

We were not using any other product before we started using this solution. That said, we registered for other products too and finally decided to go with Carbon Black after trying out other options.

The initial setup isn't really complex. It's pretty straightforward. Those implementing the solution shouldn't have a problem getting it up and running.

The deployment only really took a few months. It was an okay process.

You need very little maintenance on the product. We have about two people here who manage it without any issues.

We're just a customer. We don't have any business affiliation with Carbon Black.

We're currently using the latest version of the solution.

Overall, I would rate the solution seven out of ten.

We are using the Carbon Black CB Defense for endpoint security.

I like the historical features, interface, and integration.

The feature set for the firewall needs improvement.

I am looking forward to learning more about the integration with VMware at the hypervisor layer.

I dealt with Carbon Black CB Defense approximately seven years ago, but have recently dealt with them again in the last six months.

At this stage, we have not experienced any issues.

We have not raised the case at this point with technical support.

The initial setup was straightforward.

We are still deploying this solution but it will probably take four to six weeks.

It's reasonable in price. We got a good price.

We were looking at either keeping our Symantec Endpoint, and evaluating Trend Micro, and CrowdStrike.

We chose Carbon Black because of Its integration, features, and usability.

I would recommend Carbon Black CB Defense for anyone who is interested in implementing this solution.

I would rate Carbon Black CB Defense and eight out of ten.

The primary use case is for stopping spyware, malware, and viruses in their tracks. 

It's very good at doing that. It has intelligent learning behind it and we have been very successful in preventing attacks.

We had a six-figure revenue stream knowing that we would be cleaning up viruses, malware, and spyware on PCs, every year. That was a revenue stream that we could just budget we were going to get. When we implemented Carbon Black, that revenue stream went to zero. That means that it's doing its job. 

From a business perspective, we've been able to virtually eliminate cyber attacks from spyware, malware, and virus perspectives.

It has intelligent learning behind it and we have been very successful in preventing attacks.

I have been using Carbon Black CB Defense for approximately three years.

We are using the most recent version.

The stability is fantastic!

The scalability is pretty easy.

Their offer to add to a tenant or spin up a new tenant, given the client sizes is large enough, has been pretty easy management so far.

I'm a managed service provider, and within my organization we only have between 40 and 50 employees managing endpoints for several thousand. My perspective will be slightly different. So, even though we use it as a company, we use this for our clients as well.

100% of our staff is trained on the use of Carbon Black because from the technical perspective, we need to be able to handle that as technicians and engineers. 

As far as our clients, they don't know the difference. They don't see issues, they don't have attacks.

My interaction over the phone has been mostly on the business side of Carbon Black and they're fantastic over the phone. They're fantastic to deal with.

As far as the support side, I've never had to make a call to them. 

I'm sure our lead engineer has had to make some calls for various reasons.

The initial setup is straightforward. It's super easy.

Our staff deployed this solution. We did not use an integrator or reseller, it was in-house.

I am currently reviewing Cylance and products from other vendors as part of our processes. We want to see what price points and feature sets and things like that, to see what would be better.

We want to know how Carbon Black compares to others; we've seen a little bit of that. I've got some documentation to review that. At this point, we're test-bedding several other providers right now to see if there's anything that does equally or better and that comes at a better price point.

We have the cloud center, however, the application's installed on each endpoint individually.

Each client machine has it installed, locally, so it's off-premises for us. I'm assuming that they would be running on individual client PC. 

The software is run here, we manage it within the cloud atmosphere.

We were an authorized reseller or we were an authorized business associate of Carbon Black. Since that's moved under Dell, I don't think that's a thing anymore. I would state that as we are mainly a Dell shop, we're an all in Dell shop. And so that's just a business decision we've made. 

We were a Dell VMware Carbon Black client and we had a relationship with them that preexisted our Dell partnership. Before Dell acquired Carbon Black, we were a partner of Carbon Black's. We had acquired this technology and we were utilizing this technology for several years in advance of that acquisition.

I'd recommended Carbon Black CB Defense 100%.

I would rate this solution an eight out of ten.

We are a distributor of Carbon Black in Asia. Generally our customers are looking for endpoint features such as EDR (endpoint detection and response). Their existing solutions are usually from another vendor that has provided a normal antivirus solution. They are looking for endpoint protection and detection and response.

• The triage feature that shows you the whole kill chain of the attack/malware is useful. It shows how the malware get into the endpoints and show what it has been done
• The solution is easy to use and easy to deploy as it is cloud solution, no appliance is needed to deploy on premise

When you view the triage, it will show you everything within a given time frame, and not only the attack that caused the alert, which is what I want to see. It shows you all the events during that time, and that can be quite confusing. If they could focus on the alert and the event that the user wants to see, that would be better.

There is also room for improvement on the reporting side, because it doesn't have reports. Many of our customers would prefer some kind of exportable report, like a summary. Carbon Black should have this feature.

We haven't encountered any bugs.

I have not needed to contact their technical support yet.

The setup and configuration are very straightforward. The time it takes depends on the number of endpoints. For one endpoint, it takes a few minutes, tops.

Although I'm more on the technical side and not involved in the pricing, it's more or less the same as other similar solutions.

I would recommend this product to other people.

We use this solution for endpoint security and protection.

The most valuable feature is that it detects and stops malicious executables.

Admins can use the portal to obtain a command shell on an endpoint to perform further investigation.

This solution works well but needs lots of tuning and optimization.

The offline networking is the most important feature. Some of our users are engineers that work offsite, and they can still be on the solution, which is also great.

The endpoint machines need improvement.

The solution needs to be more effective for the end-user.

It would be helpful to understand how to do some queries, but we’re still testing the solution right now, so everything is very new and we’re still learning the system.

I’ve never had to reach out to technical support.

The initial setup was very straightforward.

We did a POC with the solution. We’re still in the process of testing it, so we’re still learning the system.

I would rate the solution eight out of ten.

We are a partner in the managed security service provider (MSSP) space. We service hundreds of customers globally. We implement these solutions on behalf of our customers. 

With Carbon Black, we've been using them for about six years. We're an MSSP and channel partner with them, as well as an incident response partner. We were like the second incident response company registered with them (through that program) to start using the cb Defense platform. We also integrate it with SIEM. However, we're using it in a managed service capacity. We usually implement it, then manage the platform for our clients long-term. It's used for traditional antivirus, real-time threat protection and prevention, and it also provides us with the ability to do more in-depth investigations into endpoints. With the product, we can do a bit of threat hunting along with managed detection and response. The platform works quite well using it in this capacity.

With Symantec, we have been using it for about six years. We integrate it with our SIEM products. We have a lot of customers who actually run it, so we see it quite often. We collect a lot of data from Symantec and help with responding to anything that Symantec finds. We've had a chance to use the product quite a lot.

The biggest feature out of Carbon Black is its ability to dive in with more depth. You can look at the entire kill chain and understand, not only if an alarm or identified incident is truly a true security issue versus a false positive, and it allows us to backtrack and figure out why it actually happened and how it got into the environment. It also helps us determine what other things may have been impacted along with it, from an asset standpoint. It allows us to go into more depth than a more traditional antivirus, like Symantec.

Symantec is more of a traditional antivirus. A lot of it is signature-based. It works quite well for normal protection. It is pretty stable and consistent. It seems to work across the board. There are no real issues to speak of it, which is a definitely a positive thing. One of the more beneficial things is that it does include the active endpoint firewall with it, which allows your endpoints to have a bit more above the standard Windows firewall, then collect all the logs from that. This is a good feature from their firewall piece. Also, the logging out of Symantec is quite good, as you put a lot of great logs into a SIEM or any other log collector from the platform.

The difference between the two products is the level of visibility and depth that you get when investigating alarms or issues. You can go a bit deeper with Carbon Black. Symantec does have an additional add-on, which we have not seen since it is a relatively new component. They call it Advanced Threat Protection. It uses the same endpoint, but has a separate license with additional costs, which is meant to allow you to go a little deeper in terms of endpoint and incident investigations. However, it doesn't provide the interactive drill down, prevention, and response capabilities that you need to be able to isolate a system, delete files, or actively kill processes which have been helpful with Carbon Black.

Symantec needs more investigative features out-of-the-box. Though, they are using the Advanced Threat Protection add-on to correct some of this. It is also not quite as feature-rich as some of the more advanced MDR platforms out there.

Carbon Black needs to do a better job of proving their platform in the industry, and providing a bit more access to do industry testing with real world examples to help prove their platform. In additional, they have been actively porting over a lot of features from some of their other products, and they should continue to expand on that. Going forward, this will be extremely helpful.

We've been quite happy with the stability of Carbon Black. 

Symantec has a much longer history of having a good, proven, stable platform. That is the big difference. 

I can't really speak to any particular issues that we've had with one versus the other. They both seem pretty good.

The scalability is about the same between Carbon Black and Symantec. I don't know that we've actually tried to use them in an environment that was large enough to cause us any sort of issues, or even thought twice about scalability. Both of these products work quite well in extremely large environments.

One thing to consider with Carbon Black is you do have much more data. You can define many more policies that are more specific to groups. The management of that becomes more difficult as the environment gets larger. I don't think that necessarily is the case with Symantec. It might end up being a bit more time consuming to manage Carbon Black as it gets larger. In terms of these products' capabilities and the ability to support large environments all the way down to small ones, I don't think it matters.

Carbon Black has a great community portal which has all sorts of documentation where you have the ability to ask questions and people answer it quite well. There is a lot of material there with access to content, which assists with the learning and troubleshooting.

Because of the limitations that Symantec provided, and the fact that we were seeing data that was extremely helpful from the Symantec logs, yet it didn't provide us a way to investigate it further or respond to it. This led us down a path of looking for a platform like Carbon Black, which has allowed us to handle the data without having to add additional products. This opened our eyes to be able to see what's out there, but then we needed something to be able to actively fix it, as well.

Symantec is a more traditional platform where you set it up and install it. If you're using a cloud platform, then you obtain access to the system. You need to define all the exceptions that you know need to be implemented based on the applications that you are running. Then, you deploy your endpoints, which should pull down the policies with the approved exceptions. Then, you work through any issues. 

With Carbon Black, you have to go through a longer period of monitoring what exists in the environments. We deploy the agents in a monitoring type only mode, which can exist alongside another antivirus product, like Symantec.

You could technically have Symantec installed in normal mode, then Carbon Black in monitoring mode right next to it. We let that run for a period of time to gather information about what is running in the environment actively to help identify the types of things that we'll have to build policies around. The policies can be pretty in-depth, so it can take quite a long time to actually build them, if you want to be extremely careful about not creating any false negatives in the environment. 

It can take quite a bit longer to implement Carbon Black properly. It takes one to two days to implement Symantec. Though, I don't know for certain, because we don't implement it. For Carbon Black, we typically look at three to eight days of active work over a period of a couple of months to get it implemented, working properly, and tuned up correctly.

The licensing costs are comparable between the two products. If you're purchasing the product, they're both typically a traditional license model with an annual type fee or multiyear. The fees are the cost of the professional services to get the system up and running. It depends on the size of the environment. The size and complexity are what it really comes down to. It will be relatively consistent with whether it was MSSP versus a direct purchase.

Carbon Black might be a touch more expensive. They tend to get a premium for their capabilities. They're sort of an industry leader in a lot of areas with the functionality that they provide. 

Symantec gets a bit more aggressive with their pricing, and with their discounts as well. They do have a much larger customer base because they've been around so long.

As an MSSP, we do provide the entire platform on a monthly fee, which a lot of people do like, because that rolls the licensing and all of the management into the cost of the system on a per endpoint basis, paying for the initial costs to get up and running. Even if it's a three to five year implementation, it will be a fixed monthly cost, assuming the number of endpoints doesn't change. That's one good thing about the Carbon Black MSSP program that we have access to is that flexibility with the monthly billing. With very large implementations, this could be a significant difference in spend over three years versus having to do one extremely large capital purchase.

Symantec aligns with a more traditional antivirus that a lot of people are just more familiar with. It has traditional signature sets, exceptions, and policies. When you're talking medium sized implementations, where it's several hundred or a couple thousand endpoints, it's pretty straightforward. 

The learning curve with Carbon Black is considerably more extensive. You have considerably more ability in the platform to do investigations and custom policies, as it can do more in-depth searches and queries about what's actually going on at an endpoint level, which you don't have with Symantec. You really have to understand exactly what you're trying to accomplish. The product itself works quite well. It's pretty intuitive, but there is so much more data and capabilities at your fingertips. It definitely takes more time to learn it.

If you are evaluating these products: Evaluate what your enterprise looks like and what your current security controls are. Understand what exists, what needs to be protected, and what other tools there are in the organization. This makes a big difference in the decision-making process. For example, Carbon Black is 100 percent cloud-based. There is no on-premise option. If you have requirements for systems that can't access the internet, whether it be classified environments or otherwise, it's more difficult to get as much value out of a system which is only cloud-based if you have air gaps. A more traditional on-premise solution might work better, like Symantec, in this scenario. However, if you have a largely mobile workforce with a lot of high risk employees who travel, having cloud-based works perfectly for that sort of environment, as you're getting data with the ability to access and respond to issues regardless of where systems are, as long as they're online.

However, if EDR tools already exist in an environment, you might not need a full in-depth product, like CarbonBlack, where a more traditional antivirus coupled with another EDR product might get you the capabilities that you need. Albeit, it would require multiple products to cover the environment. 

I would rate Carbon Black as a nine out of ten, because it provides industry leading features, which give us the ability to do the investigations that we need to. It just makes an enormous difference.

I would rate Symantec as a seven out of ten. It works quite well. It is feature-rich, stable, more traditional product.

We use this solution as an endpoint solution for protection.

It has improved our protection to have less false-positives. We have a greater ability to find malware notifications. It has improved between 30-35% more than prior to our use of the solution.

Data analysis is the most valuable feature because of the whitelist database. It is different than standard IDS solutions.

The UI interface needs improvement. The management needs further work in future versions.

It is a stable product.

We are not a very big company, so scalability is not very relevant to us.

Our experience with tech support is very positive.

We had experience with this product in our team prior to our setup, so it was simple for us. We had it up in a week. It may be less easy for non-technical people. 

I am not really involved in the pricing of this product. From my understanding, the price is okay for us.

We did consider other products but we chose this solution.

I would advise Carbon Black to work on the automation and make it a bit easier for the solution.

We use it for endpoint visibility and endpoint detection and response. It is our central mechanism for the cyber defense or endpoint detection, response and visibility.

We've integrated it with Splunk, with ThreatConnect, and a couple of others. It has a lot of modules for integration that has streamlined our ability to respond and decrease the amount of time for response, but also allowing us not to have to pivot to so many tools where we can actually work from more of a single pane of glass perspective.

I think something that is the most valuable is the time-lining capability for any breach activity. It gives us the ability for us to actively threat hunt. This is not something where it's a passive response tool where we watch things happen. In contrast, it actually does some heuristics, and some behavioral analysis, and we're able to do some prevention with it as well. I think that's really the strongest attribute, and it makes this a more aggressive tool than others.

In some areas one of the big issues for me is responsiveness to issues that arise with the solution. There are some components that leave a bit to be desired and/or that are bugs, or that even if it's a feature update request. These kinds of things are not the fastest company to respond to those. We did have a bug that was persistent for it's now going on two months and it hasn't been fixed. That is one of the drawbacks. This is really impacting what we need to do with it. But, the bigger issue is the organizational responsiveness to clients.

In addition, I think there should be a cloud gateway. It needs to move into a transitory space between our On-Premise and external where it does not have to be in two separate instances. It should marry the two. Also, it would be good to have them working in the containerization space, as well. To have a mechanism for securing cloud modules a bit better. This would be ideal. It would help encompass more of the broad range security so we do not have to couple this with other outside solutions.

 It implements and integrates very well with other security tools, cybersecurity tools.

The tech support communicates, but it's just not with movement. They are responsive, yet there is no quick motion often in regards to resolving the issue. I would personally give the tech support a rating of seven out of ten. 

The setup really depends on a few crucial elements. It depends on where we are, what region, what country we're in, and what PIA rules they have in place. For the most part, it is a fairly straightforward setup. I will say in the initial setup, Carbon Black was very responsive. They were really good at providing the assistance and the support we needed to get it set up, but it was not an extremely hard task.

It has the ability for you to upload the scripts or anything you want to run anywhere. The capabilities of this tool are almost limitless. That is why Carbon Black is a leader. You can run whatever script you want by uploading it to the tool. This is a very, very comprehensive feature.

We also looked at Rsam and ESET. We've used a multitude. So yes, we have.

• Make ssure that your firewall ports open and really test communication back to their server. 
• Make sure you don't have anything else that may be impeding it. 
• If you are dealing with any PIA countries or GSA (also known as TAA) countries, make sure you're working through their work councils.
• Make sure you look at a holistic perspective and have a plan in place on how to use this tool.