We use Cb response primarily as our incidence response. Our environment has more than 300 users handling sensitive client information, like financial data and personal identifiable information, so security is a huge concern. When we receive an incident report from our SOC, our first move is to isolate the endpoint, and Cb response does that seamlessly. We are also able to use the product to perform an in-depth binary process analysis to see if there were any suppressed malicious services.
Cb Response is our primary incident response tool. With this product in our hands, we are able to remotely isolate exploited endpoints in seconds and perform a live deep dive of any endpoint into its running processes (as necessary) without the need for extra scripts.
The ability to isolate an endpoint with only the host name and a click of a button is a major time saver. No need to go hunting for an IP or typing in terminal.
The threat intelligence feed could use some fine tweaking. We are subscribed to FS-ISAC threat indicator, but have been unsuccessful in adding it to our alliance feeds. So, rather than Cb Response being able to pull the data from the feed, we have to manually blacklist MD5 hashes.
