VMware Carbon Black Cloud Reviews

Our primary use case is to detect any abnormal activity happening on the endpoint. Carbon Black Response works like CCTV which monitors every activity and every single process running on the operating system. We use it on Windows, Linux, and Mac. Once there is an abnormal action, there is a notification that is sent to the administrator.

The administrator will open up the GUI, the console for the Carbon Black Response, and start doing his investigation to get to the root cause for the issue if there is one.

The most valuable feature is its ability to seek out abnormal activity and to create alerts.

The first thing they can do is make it more available. It's not highly available, so you have to have a core server. If the primary server goes down, you need a new one. It's not available at the same time, however. It's not automatically swapped from one server to another.

The second thing is that they need to have a multi-tenancy feature, especially for the MSSP model. We wanted to have this solution in our stock so we could create a different tenant or one tenant per customer.

They also have to have a bigger number of watch lists pre-configured already. They should add file integrity monitoring as well. One of the major things that attackers will try to do to is to modify files.

Stability is good because it's running on top of Linux based operating system which makes it very stable.

The solution is very scalable.

I would rate technical support as 4.5 out of five.

The setup and implementation of the solution were easy.

We are using both on-premises and cloud deployment models.

I would rate the solution eight out of ten. Carbon Black is a very good product, but you still have to work on it from the perspective of MLA analyzing and installation. You have to fine-tune it to create a watch list and so on. These are the main things that they need to work on in order to improve the EDR services on their product.

The market information they gather from the community is really good. Their configuration capabilities are good. 

One of the big issues we're facing is that their solution doesn't support multi-tenants. The second area for improvement is that they have different products, but if we wanted to take their protection and their EPR, then we would need to have two agents. In our scenario, having a client work within the cloud is not an option, so we cannot extend the support for Carbon Black to provide the protection that comes from Carbon Black. This will cause resource consumption.

What I would like to see in the new platform is for it to have a higher visibility for being able to fix the solution. Having also just the visibility to separate the collectors on site. If the informed agent can connect to the collectors the ability to be connected to the management consult or superior management directly.

So far we had an issue connected to the hardware. I think there was an error that happened, so from their software, we had no issue with stability. Not from agents or from the server itself. But an area they need to improve on is that they need to have an option for higher availability. We can't provide a good solution if we need to rely on virtualization, higher availability. So they need to work on building their forum support for higher availability.

In terms of their scalability, so far I think we have around 5,000 endpoints. We had no issues because of the hardware. The resources could prevent the number of endpoints. They should reconsider the design of the solution where you can have them supporting all kinds of designs where you can install an aggregator or connectors for small branches that are our size and have that to provide management consultancy.

Our newest driver manages to the service provider so they cannot just make all the connection there go onto the consult of the management server. We need some kind of component that could communicate to the management. Instead of having each endpoint communicate with management.

They need a big change in the region because they don't have much presence. I think they need to have to train a new manager, but they don't have enough presence. So when we need to work with their office, which is in the U.K, it is kind of a challenge. I think they need to have more support here locally. From a support perspective from our team, they're happy with their support so far, they haven't said of any big issue with them providing us with support. 

The initial setup is straightforward. We already know how to do it but I think for maybe other clients if they do it, it can be a bit challenging.

I would recommend anyone to go ahead with Carbon Black if they are looking for an EDR solution. From my experience with selling, some people have a misunderstanding of what it is they are supposed to do. I would recommend going with it but be aware that you will be overwhelmed with the number of receipts which require somebody to begin to follow up and investigate each incident. This is not something bad, it's something good because of the way that security goes, you need to go through every incident to understand whether it is a false positive or true positive so they need to be reviewed. This is not an automated solution, it's something that somebody needs to take care of.

I would rate this solution as a 9.5 out of 10. We know what we are doing. We know we bought Carbon Black for a reason so we are aware of everything and it's doing its job. We see that there is an area for enhancement, I think the product or business unit or product management, they need to look more into an area for enhancement which is just part of it. So that is why I didn't give it a ten. A 9.5 fair for them. Maybe other people would think to get it lowered but because they have a misunderstanding about what Carbon Black is about.

We use Carbon Black for detection and response. So we receive alerts from Carbon Black if it detects any malicious activity. We also use it to quarantine any devices that we may need to isolate due to the security risk that it presents.  

What we mainly find valuable in the product is exactly what our use case is. We use Carbon Black for the intrusion alerts and quarantine. Those would be our favorite features.  

If Carbon Black could improve in the area or reducing the number of false positives or if there was a better way to filter out false positives that would enhance efficiency and utility. But in general, I think we are happy with the performance of Carbon Black.  

It would be nice to be able to consolidate all of our tools. We have Imperva for database monitoring, we have Red Cloak, we have Carbon Black, and we have Trend Micro. So when you end up installing multiple different tools that do various different things and they each come with their own agents that need to be on all the endpoints, it takes a toll on the utilization. One of the issues that we tend to encounter — especially when we have all these tools on all the endpoints — the number of agents can affect the performance of desktops and servers. So we get those issues from time to time because there are many agents on the endpoints. So it might be nice to either have a lighter-weight agent or an agent that encompasses multiple functions and different purposes for better integration so we do not have to install various tools.  

I have been using the product since March 2019, so for almost a year now.  

It was a little bit unstable at the beginning, but that was probably because we were getting a lot of false positives. The false positives were probably because of baselining. Baselining takes a little bit of time. Once it was baselined, things got better and we have not really encountered many issues over the last couple of months. So it stabilized maybe two to three months in.  

Once we had the SCCM set up properly, we were able to scale up easily. With the policies set up and images corrected, it became relatively easy for us to scale.  

I personally have not been in contact with the Carbon Black technical support team. Our information security team has worked more closely with them. I would not be able to provide feedback on their support first hand, but I have also not heard anything negative.  

Security-wise, we are using a few different security tools for different purposes. We use Red Cloak which we deployed at the same time as Carbon Black. We tested and are using Trend Micro Tripwire and we are using Imperva as well. Red Cloak is very similar to Carbon Black.  

Deployment was a little bit difficult, but that was mainly because of the way our infrastructure was set up at the time we went to set up Carbon Black about a year ago. We did not have a tool that was mapped to all of our IP assets that we could deploy Carbon Black to automatically. That would have greatly simplified the setup. That is mainly the reason it took some additional time. It was not necessarily an issue with Carbon Black, it was a problem with the setup of our own environment. Sometimes we did have other issues with the agent communicating with Carbon Black when the agent was deployed. We had to uninstall the agents and then reinstall them or we would have to essentially troubleshoot what the reason for the lapse in communication was.  

We were able to deploy it by ourselves without the help of an integrator or some specialist. We eventually did the deployment using SCCM (System Center Configuration Manager). Originally, we began by trying to deploy it manually and that is probably why it took so long. Once we had the SCCM agents deployed on all of our endpoints, then it was a lot easier for us to deploy Carbon Black in bulk.  

I do not think I have a lot of advice for people who are considering implementing the product at this point because most of our experience with the product has been relatively straightforward. I would just suggest that you have your white list set up before deploying if you are using automatic quarantine. Otherwise, it can cause issues in your operating environment. This is especially important if you are a sensitive location like a bank. In that case, automatic quarantine could be a big issue.  

On a scale from one to ten where one is the worst and ten is the best, I would rate Carbon Black CB Response as between an eight or nine. For our use case, I would say it is an eight.  

When a machine gets infected we need to have a memory dump and to interact with it. We use this solution as a good way to extract that information from an infected machine.

When a machine gets infected and the user is not in sight, you cannot go to the user and ask them to analyze their machine, what was in their system. With this solution, you can do so remotely. This is valuable because you don't have to bring the computer onsite to analyze it. Even if the user is doing something wrong, like stealing information from the company, you can detect it remotely, capture it remotely, and have this information to analyze it afterward.

It saves the time required to take an image of a machine onsite. You get to the machine and make it live. You don't have to wait. Whatever activity you have to do on the machine can be done right away.

In addition, it helps us to be sure of the type of infection we have which helps reduce response time and provide a better solution to what is happening. It decreases response time by about 40 percent.

The most valuable features are the threat-hunting and the batch console.

They need to improve the batch console. It needs more capabilities. We are limited by the ones it provides, although we can type commands from the native operating system.

The stability is fine.

It has pretty good scalability.

I have not used technical support.

This system is the only one I have used.

The initial setup was pretty straightforward.

The vendor installed it and gave us some training so we would know how to use the tool and how to deploy it in our systems.

I was not part of the decision-making process. It was the engineers who decided.

You need to analyze your organization's needs. If you just want to protect things, it's very useful.

I rate the solution at eight out of ten because they need to improve the console. We would like it to let us type commands that are native to the operating system, not the ones that are included in the product.

The product, in terms of maturity, is still at the very beginning.

CBR was used as an intrusion detection platform as well as for IOC enhancement during incident response and forensics activities on a 25,000+ host Windows-based environment.

Carbon Black Cb Response significantly reduced time to containment in the environment which enabled the isolation of incidents to single hosts or network segments.

Carbon Black Cb Response excels at providing context to indicators when responding to incidents. It allows responders to understand the entire scope of an incident and quickly contain it to minimize impact and disruption. In incident response speed is of the utmost importance, as many incidents can quickly spread through the entire organization if not immediately contained.

The solution needs to simplify the process of adding custom watchlists, as well as embrace YARA for rule creation.

It is an incredibly stable product, and I do not remember any significant stability issues on the server side. On the client side, there may be some performance issues related to Citrix servers.

Scales very well up to 50,000 nodes. It is simply a matter of adding more Solr shards. Beyond that, I do not have experience.

While their Professional Services are expensive, their team is second to none in problem-solving.

Setup is incredibly complex and poorly documented. Every time an upgrade was needed we would need to engage Professional Services for troubleshooting help. Certificates and web services proved to be the most significant sticking points. Since the product runs on a Linux platform, perhaps having staff with more Linux experience could have alleviated some difficulty.

Purchase Professional Services up front as part of the implementation package, then renew hours annually to ensure you have adequate support for upgrades and enhancements. Overbuy by at least 10% to account for infrastructure growth.

Ensure that you have sufficient resources to dedicate to maintaining and utilizing the product, including maintenance staff as well as incident responders and threat hunters. Be prepared to define metrics and use them to quantify the ROSI. Ensure that this product meets a defined goal within your organization's WISP.

VMware Carbon Black Cloud is a good home office tool for people working outside the office.

VMware Carbon Black Cloud helped us to get a better view of the security of endpoints and workstations.

The most valuable feature of VMware Carbon Black Cloud is the possibility of securing any PC worldwide.

The solution's support could be improved.

I have been using VMware Carbon Black Cloud for a couple of months.

I rate VMware Carbon Black Cloud a nine out of ten for stability.

I rate VMware Carbon Black Cloud ten out of ten for scalability.

VMware Carbon Black Cloud's initial setup is neither hard nor easy.

We have seen a good return on investment with VMware Carbon Black Cloud.

VMware Carbon Black Cloud is deployed on-cloud in our organization.

I recommend users test the solution and check the use cases before buying it.

Overall, I rate VMware Carbon Black Cloud a nine out of ten.

My clients are in a range of verticals, so we have clients in healthcare, education, manufacturing, etc. We provide solutions to anybody who's insightful enough and forethinking enough to understand that cybersecurity is not like insurance. So my use cases are all across the board. But, essentially, my customer base boils down to anyone who doesn't want to get owned by a ransomware attack. My company chooses the best-in-breed technology for tools, then adds cybersecurity management services on top of that.

Probably the most valuable feature of CB Response is its ability to isolate a host and take it off the network, so it's not spreading anything. We have two security operations centers around the globe. When an SOC analyst sees something on an endpoint, they can use Carbon Black Response to isolate that host from the customer's environment and prevent any kind of lateral spread. 

I've been using CB Respons for about two and a half years. 

Overall, it has been absolutely stable. However, there have been some performance issues when deploying on Windows Server, but I believe Carbon Black is working on that.

I'm in sales, but I've watched people deploy the software. It looks pretty straightforward, just a quick installer. Most of my customers have one or two folks who ensure that it's deployed correctly in their environment.

I rate Carbon Black CB Respons nine out of 10. I don't have much to say about it because endpoint detection and response tools are pretty much a commodity nowadays. There are so many good tools out there. What matters is the ability to manage those tools and utilize them in a threat-hunting mode.

We use it for platform metrics, for all use cases. This is the only thing that works, this product. Carbon black is a process listener. You can call back all processes, each process on the client side or the server side. You can retrieve all the information on a process level, and you can combine all the things with an end use case.

Integration and scalability are the most valuable. For example, if you chose a cloud solution, it's not very scalable, because it doesn't support any integration. But on the client side, you can combine materials, you can combine everything. You can add anything. 

It's maybe it's too verbose. For a junior user or admin. You have to know some basic rules. It's not simple. For a junior engineer, it's confusing. It's hard to use Carbon Black Response. It will take time. It may take more than one year to understand the uses of the product.

I'd like the ability to see all the kernel-side features also on the client side.

I think it's very stable. It depends on Linux kernel stability. That's all. 

Scalability of integration features is low, on the client-side.

Initial setup, with two people, it's easy. We deployed it easily.

We've implemented it ourselves in the past but have also used an integrator in some instances.

I would rate this solution a nine out of ten.