it_user835122 - PeerSpot reviewer
Cyber Security Manager at an insurance company with 51-200 employees
Real User
Enhanced logging allowed us to quickly identify/resolve security issues
Pros and Cons
  • "The enhanced logging and data analysis of the incident response and investigation components allowed us to quickly identify and resolve security issues before they could spread."
  • "The ability to quickly isolate a system from the network, while still being able to perform some forensics and mitigation work remotely, was of great value to us since we had many mobile and distributed systems."
  • "We also took full advantage of its incident response reporting capabilities to act as a “black box” for our infrastructure around strings of suspicious activity. The reporting and incident response capabilities were incredibly helpful during active security concerns."
  • "For setup, the server can be given to you as a VM image and with minimal configuration needed."
  • "The biggest issue I encountered was one where old logs were not being overwritten as expected so the system drive kept filling up from time to time. However, support was usually quite responsive and happy to jump on a remote session to take a look at it for us. That log bug has probably been resolved with an update by now."

What is our primary use case?

We used Cb Response for hands-on computer incident response for our infrastructure, installing it on all of our servers and high-value workstations.

How has it helped my organization?

The enhanced logging and data analysis of the incident response and investigation components allowed us to quickly identify and resolve security issues before they could spread.

Cb Response’s root-cause analysis and anomaly detection gave us quick warnings and allowed us to start actively threat hunting, instead of taking a passive approach to security.

What is most valuable?

The ability to quickly isolate a system from the network, while still being able to perform some forensics and mitigation work remotely, was of great value to us since we had many mobile and distributed systems.

We also took full advantage of its incident response reporting capabilities to act as a “black box” for our infrastructure around strings of suspicious activity. The reporting and incident response capabilities were incredibly helpful during active security concerns.

What needs improvement?

Cb Response is really designed to complement Carbon Black’s Defense product. While Response can be used on its own, coupling with Defense seems like the best strategy if you can afford the price tag. In the end, other antivirus tools and log aggregation solutions seem to have started to incorporate many of Cb Response’s signature features, lessening its value proposition for some organizations.

Buyer's Guide
VMware Carbon Black Cloud
October 2024
Learn what your peers think about VMware Carbon Black Cloud. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We did have a couple of bugs/issues. The biggest issue I encountered was one where old logs were not being overwritten as expected, so the system drive kept filling up from time to time. However, support was usually quite responsive and happy to jump on a remote session to take a look at it for us. That log bug should have been resolved with an update that was available right around the time I stopped working with the system and left the company.

What do I think about the scalability of the solution?

No issues with scalability. Server deployment was quite easy and the client rollout was handled by remote install tools (we used SCCM to take care of it).

How are customer service and support?

Excellent. The techs were always knowledgeable about the product. On a scale of one to 10, I’d go eight.

Which solution did I use previously and why did I switch?

We did not have a similar, previous solution that we were replacing. This was part of an initial push we were trying to make at the time into better systems security.

How was the initial setup?

Very straightforward. There is excellent documentation and training provided by Carbon Black around setting up this solution; it takes out all the guesswork. The server can be given to you as a VM image with minimal configuration needed. It makes setup a snap for any experienced sysadmin.

What's my experience with pricing, setup cost, and licensing?

We had no issues purchasing through our preferred reseller and were able to get a fair price even when not purchasing direct. Carbon Black Enterprise Response didn’t break the bank, though adding on the matching antivirus and anti-malware components of the Protect product was more than we could afford, even with some discounting.

Which other solutions did I evaluate?

There wasn’t much similar to Response that I was familiar with at the time. Though some other vendors are starting to include similar features now, Response was a leader when we selected it. Now there is a growing number of open-source projects, such as TheHive, and other vendors are incorporating similar features into their general security products, so I believe the landscape has changed a bit and things are getting more competitive for the needs Response fills.

What other advice do I have?

Explore all options in the space and see if you’re ready to really use an incident response platform such as this for threat hunting in your environment, or if you should focus on closing some other large security gaps first. I think everyone should be working towards the kind of threat hunting and incident response that Carbon Black Enterprise Response enables, but many organizations still need to make sure they’re taking care of other security controls before they move on to these more advanced tools.

If you’re ready for it, Enterprise Response is a cinch to set up and takes a lot of the guesswork out of trying to track security concerns through your environment, so it may be very worth your while.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1259415 - PeerSpot reviewer
Senior Manager at a financial services firm with 1,001-5,000 employees
Real User
Malicious activity detection response and automatic quarantining for endpoint security of your environment
Pros and Cons
  • "The detection response and quarantining are very good features."
  • "The product detects too many false positives initially and it could integrate better with other security solutions."

What is our primary use case?

We use Carbon Black for detection and response. So we receive alerts from Carbon Black if it detects any malicious activity. We also use it to quarantine any devices that we may need to isolate due to the security risk that it presents.  

What is most valuable?

What we mainly find valuable in the product is exactly what our use case is. We use Carbon Black for the intrusion alerts and quarantine. Those would be our favorite features.  

What needs improvement?

If Carbon Black could improve in the area of reducing the number of false positives, or if there were a better way to filter out false positives, that would enhance efficiency and utility. But in general, I think we are happy with the performance of Carbon Black.

It would be nice to be able to consolidate all of our tools. We have Imperva for database monitoring, we have Red Cloak, we have Carbon Black, and we have Trend Micro. So when you end up installing multiple different tools that do various different things and they each come with their own agents that need to be on all the endpoints, it takes a toll on the utilization. One of the issues that we tend to encounter — especially when we have all these tools on all the endpoints — the number of agents can affect the performance of desktops and servers. So we get those issues from time to time because there are many agents on the endpoints. So it might be nice to either have a lighter-weight agent or an agent that encompasses multiple functions and different purposes for better integration so we do not have to install various tools.  

For how long have I used the solution?

I have been using the product since March 2019, so for almost a year now.  

What do I think about the stability of the solution?

It was a little bit unstable at the beginning, but that was probably because we were getting a lot of false positives. The false positives were probably because of baselining. Baselining takes a little bit of time. Once it was baselined, things got better and we have not really encountered many issues over the last couple of months. So it stabilized maybe two to three months in.  

What do I think about the scalability of the solution?

Once we had the SCCM set up properly, we were able to scale up easily. With the policies set up and images corrected, it became relatively easy for us to scale.  

How are customer service and technical support?

I personally have not been in contact with the Carbon Black technical support team. Our information security team has worked more closely with them. I would not be able to provide feedback on their support first hand, but I have also not heard anything negative.  

Which solution did I use previously and why did I switch?

Security-wise, we are using a few different security tools for different purposes. We use Red Cloak which we deployed at the same time as Carbon Black. We tested and are using Trend Micro Tripwire and we are using Imperva as well. Red Cloak is very similar to Carbon Black.  

How was the initial setup?

Deployment was a little bit difficult, but that was mainly because of the way our infrastructure was set up at the time we went to set up Carbon Black about a year ago. We did not have a tool that was mapped to all of our IP assets that we could deploy Carbon Black to automatically. That would have greatly simplified the setup. That is mainly the reason it took some additional time. It was not necessarily an issue with Carbon Black, it was a problem with the setup of our own environment. Sometimes we did have other issues with the agent communicating with Carbon Black when the agent was deployed. We had to uninstall the agents and then reinstall them or we would have to essentially troubleshoot what the reason for the lapse in communication was.  

What about the implementation team?

We were able to deploy it by ourselves without the help of an integrator or some specialist. We eventually did the deployment using SCCM (System Center Configuration Manager). Originally, we began by trying to deploy it manually and that is probably why it took so long. Once we had the SCCM agents deployed on all of our endpoints, then it was a lot easier for us to deploy Carbon Black in bulk.  

What other advice do I have?

I do not think I have a lot of advice for people who are considering implementing the product at this point because most of our experience with the product has been relatively straightforward. I would just suggest that you have your white list set up before deploying if you are using automatic quarantine. Otherwise, it can cause issues in your operating environment. This is especially important if you are a sensitive location like a bank. In that case, automatic quarantine could be a big issue.  

On a scale from one to ten, where one is the worst and ten is the best, I would rate Carbon Black CB Response as an eight or a nine. For our use case, I would say it is an eight.

Which deployment model are you using for this solution?

On-premises

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security83d6 - PeerSpot reviewer
Security Analyst at a financial services firm with 10,001+ employees
Real User
Enables us to remotely analyze infected machines without delay
Pros and Cons
  • "The most valuable features are the threat-hunting and the batch console."
  • "They need to improve the batch console. It needs more capabilities. We are limited by the ones it provides..."

What is our primary use case?

When a machine gets infected we need to have a memory dump and to interact with it. We use this solution as a good way to extract that information from an infected machine.

How has it helped my organization?

When a machine gets infected and the user is not in sight, you cannot go to the user and ask them to analyze their machine, what was in their system. With this solution, you can do so remotely. This is valuable because you don't have to bring the computer onsite to analyze it. Even if the user is doing something wrong, like stealing information from the company, you can detect it remotely, capture it remotely, and have this information to analyze it afterward.

It saves the time required to take an image of a machine onsite. You get to the machine and make it live. You don't have to wait. Whatever activity you have to do on the machine can be done right away.

In addition, it helps us to be sure of the type of infection we have which helps reduce response time and provide a better solution to what is happening. It decreases response time by about 40 percent.

What is most valuable?

The most valuable features are the threat-hunting and the batch console.

What needs improvement?

They need to improve the batch console. It needs more capabilities. We are limited by the ones it provides, although we can type commands from the native operating system.

What do I think about the stability of the solution?

The stability is fine.

What do I think about the scalability of the solution?

It has pretty good scalability.

How are customer service and technical support?

I have not used technical support.

Which solution did I use previously and why did I switch?

This system is the only one I have used.

How was the initial setup?

The initial setup was pretty straightforward.

What about the implementation team?

The vendor installed it and gave us some training so we would know how to use the tool and how to deploy it in our systems.

Which other solutions did I evaluate?

I was not part of the decision-making process. It was the engineers who decided.

What other advice do I have?

You need to analyze your organization's needs. If you just want to protect things, it's very useful.

I rate the solution at eight out of ten because they need to improve the console. We would like it to let us type commands that are native to the operating system, not the ones that are included in the product.

The product, in terms of maturity, is still at the very beginning.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
it_user870717 - PeerSpot reviewer
Consulting IT Architect
Real User
Excels at providing context to indicators when responding to incidents
Pros and Cons
  • "Carbon Black Cb Response excels at providing context to indicators when responding to incidents. It allows responders to understand the entire scope of an incident and quickly contain it to minimize impact and disruption."
  • "The solution needs to simplify the process of adding custom watchlists, as well as embrace YARA for rule creation."
  • "Setup is incredibly complex and poorly documented. Every time an upgrade was needed we would need to engage Professional Services for troubleshooting help. Certificates and web services proved to be the most significant sticking points. Since the product runs on a Linux platform, perhaps having staff with more Linux experience could have alleviated some difficulty."

What is our primary use case?

CBR was used as an intrusion detection platform as well as for IOC enhancement during incident response and forensics activities on a 25,000+ host Windows-based environment.

How has it helped my organization?

Carbon Black Cb Response significantly reduced time to containment in the environment which enabled the isolation of incidents to single hosts or network segments.

What is most valuable?

Carbon Black Cb Response excels at providing context to indicators when responding to incidents. It allows responders to understand the entire scope of an incident and quickly contain it to minimize impact and disruption. In incident response speed is of the utmost importance, as many incidents can quickly spread through the entire organization if not immediately contained.

What needs improvement?

The solution needs to simplify the process of adding custom watchlists, as well as embrace YARA for rule creation.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It is an incredibly stable product, and I do not remember any significant stability issues on the server side. On the client side, there may be some performance issues related to Citrix servers.

What do I think about the scalability of the solution?

Scales very well up to 50,000 nodes. It is simply a matter of adding more Solr shards. Beyond that, I do not have experience.

How are customer service and technical support?

While their Professional Services are expensive, their team is second to none in problem-solving.

How was the initial setup?

Setup is incredibly complex and poorly documented. Every time an upgrade was needed we would need to engage Professional Services for troubleshooting help. Certificates and web services proved to be the most significant sticking points. Since the product runs on a Linux platform, perhaps having staff with more Linux experience could have alleviated some difficulty.

What's my experience with pricing, setup cost, and licensing?

Purchase Professional Services up front as part of the implementation package, then renew hours annually to ensure you have adequate support for upgrades and enhancements. Overbuy by at least 10% to account for infrastructure growth.

What other advice do I have?

Ensure that you have sufficient resources to dedicate to maintaining and utilizing the product, including maintenance staff as well as incident responders and threat hunters. Be prepared to define metrics and use them to quantify the ROSI. Ensure that this product meets a defined goal within your organization's WISP.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Ricardo Franco Mahecha - PeerSpot reviewer
VMware Consultant at V2S Corporation
Real User
Top 5, Leaderboard
A highly scalable solution that can be used to get a better view of the security of endpoints and workstations
Pros and Cons
  • "The most valuable feature of VMware Carbon Black Cloud is the possibility of securing any PC worldwide."
  • "The solution's support could be improved."

What is our primary use case?

VMware Carbon Black Cloud is a good home office tool for people working outside the office.

How has it helped my organization?

VMware Carbon Black Cloud helped us to get a better view of the security of endpoints and workstations.

What is most valuable?

The most valuable feature of VMware Carbon Black Cloud is the possibility of securing any PC worldwide.

What needs improvement?

The solution's support could be improved.

For how long have I used the solution?

I have been using VMware Carbon Black Cloud for a couple of months.

What do I think about the stability of the solution?

I rate VMware Carbon Black Cloud a nine out of ten for stability.

What do I think about the scalability of the solution?

I rate VMware Carbon Black Cloud ten out of ten for scalability.

How was the initial setup?

VMware Carbon Black Cloud's initial setup is neither hard nor easy.

What was our ROI?

We have seen a good return on investment with VMware Carbon Black Cloud.

What other advice do I have?

VMware Carbon Black Cloud is deployed on-cloud in our organization.

I recommend users test the solution and check the use cases before buying it.

Overall, I rate VMware Carbon Black Cloud a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
CBresponse677 - PeerSpot reviewer
Cyber Defense Consultant at a security firm with 11-50 employees
Reseller
Good configuring capabilities and provides good market information gathered from the community
Pros and Cons
  • "The market information they gather from the community is really good. Their configuration capabilities are good."
  • "They have different products, but if we wanted to take their protection and their EPR, then we would need to have two agents."

What is most valuable?

The market information they gather from the community is really good. Their configuration capabilities are good. 

What needs improvement?

One of the big issues we're facing is that their solution doesn't support multi-tenants. The second area for improvement is that they have different products, but if we wanted to take their protection and their EPR, then we would need to have two agents. In our scenario, having a client work within the cloud is not an option, so we cannot extend the support for Carbon Black to provide the protection that comes from Carbon Black. This will cause resource consumption.

What I would like to see in the new platform is for it to have higher visibility for being able to fix the solution, and also just the visibility to separate the collectors on site. If the informed agent can connect to the collectors, the ability to be connected to the management console or superior management directly.

What do I think about the stability of the solution?

So far we had an issue connected to the hardware. I think there was an error that happened, so from their software, we had no issue with stability. Not from agents or from the server itself. But an area they need to improve on is that they need to have an option for higher availability. We can't provide a good solution if we need to rely on virtualization, higher availability. So they need to work on building their forum support for higher availability.

What do I think about the scalability of the solution?

In terms of their scalability, so far I think we have around 5,000 endpoints. We had no issues because of the hardware. The resources could prevent the number of endpoints. They should reconsider the design of the solution where you can have them supporting all kinds of designs where you can install an aggregator or connectors for small branches that are our size and have that to provide management consultancy.

Our newest driver manages the service provider, so they cannot just make all the connections there go onto the console of the management server. We need some kind of component that could communicate with the management, instead of having each endpoint communicate with management.

How are customer service and technical support?

They need a big change in the region because they don't have much presence. I think they need to train a new manager, but they don't have enough presence. So when we need to work with their office, which is in the U.K., it is kind of a challenge. I think they need to have more support here locally. From a support perspective, our team is happy with their support so far; they haven't said anything about any big issue with them providing us with support.

How was the initial setup?

The initial setup is straightforward. We already know how to do it but I think for maybe other clients if they do it, it can be a bit challenging.

What other advice do I have?

I would recommend anyone to go ahead with Carbon Black if they are looking for an EDR solution. From my experience with selling, some people have a misunderstanding of what it is they are supposed to do. I would recommend going with it but be aware that you will be overwhelmed with the number of receipts which require somebody to begin to follow up and investigate each incident. This is not something bad, it's something good because of the way that security goes, you need to go through every incident to understand whether it is a false positive or true positive so they need to be reviewed. This is not an automated solution, it's something that somebody needs to take care of.

I would rate this solution as a 9.5 out of 10. We know what we are doing. We know we bought Carbon Black for a reason, so we are aware of everything and it's doing its job. We see that there is an area for enhancement; I think the product or business unit or product management need to look more into an area for enhancement, which is just part of it. So that is why I didn't give it a ten. A 9.5 is fair for them. Maybe other people would think to rate it lower, but that is because they have a misunderstanding about what Carbon Black is about.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
reviewer1166325 - PeerSpot reviewer
Sales Engineer at a computer software company with 201-500 employees
MSP
Can isolate a host and take it off the network so it's not spreading anything
Pros and Cons
  • "Probably the most valuable feature of CB Response is its ability to isolate a host and take it off the network, so it's not spreading anything. We have two security operations centers around the globe. When an SOC analyst sees something on an endpoint, they can use Carbon Black Response to isolate that host from the customer's environment and prevent any kind of lateral spread."
  • "There have been some performance issues when deploying on Windows Server, but I believe Carbon Black is working on that."

What is our primary use case?

My clients are in a range of verticals, so we have clients in healthcare, education, manufacturing, etc. We provide solutions to anybody who's insightful enough and forethinking enough to understand that cybersecurity is not like insurance. So my use cases are all across the board. But, essentially, my customer base boils down to anyone who doesn't want to get owned by a ransomware attack. My company chooses the best-in-breed technology for tools, then adds cybersecurity management services on top of that.

What is most valuable?

Probably the most valuable feature of CB Response is its ability to isolate a host and take it off the network, so it's not spreading anything. We have two security operations centers around the globe. When an SOC analyst sees something on an endpoint, they can use Carbon Black Response to isolate that host from the customer's environment and prevent any kind of lateral spread. 

For how long have I used the solution?

I've been using CB Response for about two and a half years.

What do I think about the stability of the solution?

Overall, it has been absolutely stable. However, there have been some performance issues when deploying on Windows Server, but I believe Carbon Black is working on that.

How was the initial setup?

I'm in sales, but I've watched people deploy the software. It looks pretty straightforward, just a quick installer. Most of my customers have one or two folks who ensure that it's deployed correctly in their environment.

What other advice do I have?

I rate Carbon Black CB Response nine out of 10. I don't have much to say about it because endpoint detection and response tools are pretty much a commodity nowadays. There are so many good tools out there. What matters is the ability to manage those tools and utilize them in a threat-hunting mode.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
SeniorIn8d7c - PeerSpot reviewer
Senior Information Security Specialist at a tech services company with 1,001-5,000 employees
Real User
A scalable solution that integrates well across platforms
Pros and Cons
  • "Integration and scalability are the most valuable."
  • "It's not simple."

What is our primary use case?

We use it for platform metrics, for all use cases. This is the only thing that works, this product. Carbon Black is a process listener. You can call back all processes, each process on the client side or the server side. You can retrieve all the information on a process level, and you can combine all the things with an end use case.

What is most valuable?

Integration and scalability are the most valuable. For example, if you chose a cloud solution, it's not very scalable, because it doesn't support any integration. But on the client side, you can combine materials, you can combine everything. You can add anything. 

What needs improvement?

Maybe it's too verbose for a junior user or admin. You have to know some basic rules. It's not simple. For a junior engineer, it's confusing. It's hard to use Carbon Black Response. It will take time. It may take more than one year to understand the uses of the product.

I'd like the ability to see all the kernel-side features also on the client side.

For how long have I used the solution?

I've been using the solution for one and a half years.

What do I think about the stability of the solution?

I think it's very stable. It depends on Linux kernel stability. That's all. 

What do I think about the scalability of the solution?

Scalability of integration features is low, on the client-side.

How was the initial setup?

Initial setup, with two people, is easy. We deployed it easily.

What about the implementation team?

We've implemented it ourselves in the past but have also used an integrator in some instances.

What other advice do I have?

I would rate this solution a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.