VMware Carbon Black Endpoint Reviews

The solution is primarily used for protection. It's used on all of our servers and all of our workstations.

The product has considerably decreased any of our malware or malicious software injection within our organization. Since March of 2018, we have not had a malicious intrusion success. It's kept us quite safe.

The solution's most valuable aspect is its process monitoring due to the fact that it doesn't necessarily use signature-based definitions. It uses processor-based definitions. If a process tries to spawn some type of malicious process, it'll stop it.

The initial setup is easy.

The organization has to protect against users and Carbon Black does just that for the company. What I mean by that is not all users are savvy enough to understand, "Hey, I shouldn't be running this or I get a pop-up on a browser and I don't click on it." Carbon Black stops that if they do.

The solution is extremely scalable.

The alerting mail needs to be customizable. Right now, it isn't. That has to change. Right now, I get a lot of what I call noise email alerts. All I hear from them is, "Well, we're working on it. We're working on it." Well, they've been working on it for four years now, and nothing has changed.

In the past, we've seen some stability issues in the latest version releases. We tend to hang back one version just to make sure issues are fully resolved to avoid user disruption.

We've been using the solution since 2017. It's been a few years at this point.

The solution is generally mostly stable. We tend to try to stay one version back in order to get better stability. I've run into problems already where Carbon Black has flagged certain things in a later release that they weren't flagging previously and it disrupts my user base.

The scalability is very good. It's pretty much unlimited at this point. A company can scale however much they like with no trouble.

We have over 500 licenses. The use cases are mostly for our servers and our workstation user roles are drafters, engineers.

We use the solution enterprise-wide. I'm not going to increase usage except maybe to increase the license count if servers or workstations go up.

Their technical support is beyond compromise. They've been absolutely excellent. We're quite satisfied with their level of attention. 

We were previously using Symantec. We switched for numerous reasons. One of them was the fact that Symantec was just not catching a lot of our intrusion at that time. Again, this would have been back in 2017, and a lot of the malware that was coming out back then, the agents weren't catching as quickly. Nobody really had much sense of what zero-day attacks meant.

The initial setup is not overly complex. It's pretty straightforward.

The deployment was fast and the process took maybe two hours or so. The deployment strategy was just running the installation agent.

There really is no maintenance required. It's just as simple as re-installing or installing the agent.

We didn't need to use any integrators or consultants for the deployment. We handled everything ourselves in-house.

We noticed an ROI after about six months of working with the solution.

Previous to Carbon Black, we had a malware attack that cost us a significant amount of money. We haven't had one since, and therefore, our return on investment has been significant.

We simply auto-renew every year. I can't speak to the exact pricing. My standard license includes everything that I need without any extra costs.

I was looking at the possibility of replacing this solution with Defender, as that's part of our Office 365 licensing package that we have. I was asking myself "will this help? Is it really worth me spending x number of dollars for CBD versus using Defender?" However, after careful examination, we decided to stick with Carbon Black.

We're generally always using the latest version of the solution, minus one. What I mean by that is it's not always current, however, it's always at least within one of the most current versions. We've got too many things going on to really be on the bleeding edge if you will. At times to go up to the next one I want to be sure I have a good stable one. What I'll do is let's say 3.3 comes out next week, I won't necessarily go to it. I will wait until 3.4 comes out to go to 3.3.

While the agents are installed locally, everything basically goes through the cloud. We don't deal with on-premises deployments.

I would advise new users to be cautious or policy settings. I'd also warn them that they should be prepared for lots of emails.

Overall, I would rate the solution at a nine out of ten.

We are a partner in the managed security service provider (MSSP) space. We service hundreds of customers globally. We implement these solutions on behalf of our customers. 

With Carbon Black, we've been using them for about six years. We're an MSSP and channel partner with them, as well as an incident response partner. We were like the second incident response company registered with them (through that program) to start using the cb Defense platform. We also integrate it with SIEM. However, we're using it in a managed service capacity. We usually implement it, then manage the platform for our clients long-term. It's used for traditional antivirus, real-time threat protection and prevention, and it also provides us with the ability to do more in-depth investigations into endpoints. With the product, we can do a bit of threat hunting along with managed detection and response. The platform works quite well using it in this capacity.

With Symantec, we have been using it for about six years. We integrate it with our SIEM products. We have a lot of customers who actually run it, so we see it quite often. We collect a lot of data from Symantec and help with responding to anything that Symantec finds. We've had a chance to use the product quite a lot.

The biggest feature out of Carbon Black is its ability to dive in with more depth. You can look at the entire kill chain and understand, not only if an alarm or identified incident is truly a true security issue versus a false positive, and it allows us to backtrack and figure out why it actually happened and how it got into the environment. It also helps us determine what other things may have been impacted along with it, from an asset standpoint. It allows us to go into more depth than a more traditional antivirus, like Symantec.

Symantec is more of a traditional antivirus. A lot of it is signature-based. It works quite well for normal protection. It is pretty stable and consistent. It seems to work across the board. There are no real issues to speak of it, which is a definitely a positive thing. One of the more beneficial things is that it does include the active endpoint firewall with it, which allows your endpoints to have a bit more above the standard Windows firewall, then collect all the logs from that. This is a good feature from their firewall piece. Also, the logging out of Symantec is quite good, as you put a lot of great logs into a SIEM or any other log collector from the platform.

The difference between the two products is the level of visibility and depth that you get when investigating alarms or issues. You can go a bit deeper with Carbon Black. Symantec does have an additional add-on, which we have not seen since it is a relatively new component. They call it Advanced Threat Protection. It uses the same endpoint, but has a separate license with additional costs, which is meant to allow you to go a little deeper in terms of endpoint and incident investigations. However, it doesn't provide the interactive drill down, prevention, and response capabilities that you need to be able to isolate a system, delete files, or actively kill processes which have been helpful with Carbon Black.

Symantec needs more investigative features out-of-the-box. Though, they are using the Advanced Threat Protection add-on to correct some of this. It is also not quite as feature-rich as some of the more advanced MDR platforms out there.

Carbon Black needs to do a better job of proving their platform in the industry, and providing a bit more access to do industry testing with real world examples to help prove their platform. In additional, they have been actively porting over a lot of features from some of their other products, and they should continue to expand on that. Going forward, this will be extremely helpful.

We've been quite happy with the stability of Carbon Black. 

Symantec has a much longer history of having a good, proven, stable platform. That is the big difference. 

I can't really speak to any particular issues that we've had with one versus the other. They both seem pretty good.

The scalability is about the same between Carbon Black and Symantec. I don't know that we've actually tried to use them in an environment that was large enough to cause us any sort of issues, or even thought twice about scalability. Both of these products work quite well in extremely large environments.

One thing to consider with Carbon Black is you do have much more data. You can define many more policies that are more specific to groups. The management of that becomes more difficult as the environment gets larger. I don't think that necessarily is the case with Symantec. It might end up being a bit more time consuming to manage Carbon Black as it gets larger. In terms of these products' capabilities and the ability to support large environments all the way down to small ones, I don't think it matters.

Carbon Black has a great community portal which has all sorts of documentation where you have the ability to ask questions and people answer it quite well. There is a lot of material there with access to content, which assists with the learning and troubleshooting.

Because of the limitations that Symantec provided, and the fact that we were seeing data that was extremely helpful from the Symantec logs, yet it didn't provide us a way to investigate it further or respond to it. This led us down a path of looking for a platform like Carbon Black, which has allowed us to handle the data without having to add additional products. This opened our eyes to be able to see what's out there, but then we needed something to be able to actively fix it, as well.

Symantec is a more traditional platform where you set it up and install it. If you're using a cloud platform, then you obtain access to the system. You need to define all the exceptions that you know need to be implemented based on the applications that you are running. Then, you deploy your endpoints, which should pull down the policies with the approved exceptions. Then, you work through any issues. 

With Carbon Black, you have to go through a longer period of monitoring what exists in the environments. We deploy the agents in a monitoring type only mode, which can exist alongside another antivirus product, like Symantec.

You could technically have Symantec installed in normal mode, then Carbon Black in monitoring mode right next to it. We let that run for a period of time to gather information about what is running in the environment actively to help identify the types of things that we'll have to build policies around. The policies can be pretty in-depth, so it can take quite a long time to actually build them, if you want to be extremely careful about not creating any false negatives in the environment. 

It can take quite a bit longer to implement Carbon Black properly. It takes one to two days to implement Symantec. Though, I don't know for certain, because we don't implement it. For Carbon Black, we typically look at three to eight days of active work over a period of a couple of months to get it implemented, working properly, and tuned up correctly.

The licensing costs are comparable between the two products. If you're purchasing the product, they're both typically a traditional license model with an annual type fee or multiyear. The fees are the cost of the professional services to get the system up and running. It depends on the size of the environment. The size and complexity are what it really comes down to. It will be relatively consistent with whether it was MSSP versus a direct purchase.

Carbon Black might be a touch more expensive. They tend to get a premium for their capabilities. They're sort of an industry leader in a lot of areas with the functionality that they provide. 

Symantec gets a bit more aggressive with their pricing, and with their discounts as well. They do have a much larger customer base because they've been around so long.

As an MSSP, we do provide the entire platform on a monthly fee, which a lot of people do like, because that rolls the licensing and all of the management into the cost of the system on a per endpoint basis, paying for the initial costs to get up and running. Even if it's a three to five year implementation, it will be a fixed monthly cost, assuming the number of endpoints doesn't change. That's one good thing about the Carbon Black MSSP program that we have access to is that flexibility with the monthly billing. With very large implementations, this could be a significant difference in spend over three years versus having to do one extremely large capital purchase.

Symantec aligns with a more traditional antivirus that a lot of people are just more familiar with. It has traditional signature sets, exceptions, and policies. When you're talking medium sized implementations, where it's several hundred or a couple thousand endpoints, it's pretty straightforward. 

The learning curve with Carbon Black is considerably more extensive. You have considerably more ability in the platform to do investigations and custom policies, as it can do more in-depth searches and queries about what's actually going on at an endpoint level, which you don't have with Symantec. You really have to understand exactly what you're trying to accomplish. The product itself works quite well. It's pretty intuitive, but there is so much more data and capabilities at your fingertips. It definitely takes more time to learn it.

If you are evaluating these products: Evaluate what your enterprise looks like and what your current security controls are. Understand what exists, what needs to be protected, and what other tools there are in the organization. This makes a big difference in the decision-making process. For example, Carbon Black is 100 percent cloud-based. There is no on-premise option. If you have requirements for systems that can't access the internet, whether it be classified environments or otherwise, it's more difficult to get as much value out of a system which is only cloud-based if you have air gaps. A more traditional on-premise solution might work better, like Symantec, in this scenario. However, if you have a largely mobile workforce with a lot of high risk employees who travel, having cloud-based works perfectly for that sort of environment, as you're getting data with the ability to access and respond to issues regardless of where systems are, as long as they're online.

However, if EDR tools already exist in an environment, you might not need a full in-depth product, like CarbonBlack, where a more traditional antivirus coupled with another EDR product might get you the capabilities that you need. Albeit, it would require multiple products to cover the environment. 

I would rate Carbon Black as a nine out of ten, because it provides industry leading features, which give us the ability to do the investigations that we need to. It just makes an enormous difference.

I would rate Symantec as a seven out of ten. It works quite well. It is feature-rich, stable, more traditional product.

We use Cyber Defense to protect our machines from all kinds of attacks. We use this solution to protect ourselves from advanced threat attacks as well as viruses and malware. We also do threat hunting with the help of CyberArk for defense solutions.

Carbon Black CB Defense has helped improve my organization by allowing us to have better data so that we can do correlation and get visibility into the alerts. Previously, we used a different solution for protecting the devices and we were not able to get enough data.

The Carbon Black CB Defense feature I found most valuable is that it gives us the ability to do log analysis as well as the current state of the environment and activity on the user machines.

I would say that the technical support team should be improved since it takes them a lot of time to provide us with support.

In the next release, I would like to see a host-based firewall.

I have been using this solution for more than a year.

I would rate the stability of this solution a seven, on a scale from one to 10, with one being the worst and 10 being the best.

I would rate the scalability of this solution an eight, on a scale from one to 10, with one being the worst and 10 being the best.

The initial setup process was easy. It takes about four or five months to set up the solution. The deployment was done with the help of ten teams and five to six people who had full involvement during the implementation.

To the people looking to use this solution, I'd say if you want to get better visibility into an environment and see user activity or suspicious activity, then

Carbon Black CB Defense  is the right solution for you.

Overall, I would rate this solution an eight, on a scale from one to 10, with one being the worst and 10 being the best.

Carbon Black CB Defense is a sensor for ongoing monitoring. It was deployed and is being used in conjunction with a cloud product called Red Canary.

The feature I found most valuable in Carbon Black CB Defense is the ongoing monitoring, though I'm not sure if it's because of the solution, or if it's because of Red Canary. The ongoing monitoring feature works by emailing updates about any detections found.

Currently, it's hard to comment on areas for improvement, because I haven't used Carbon Black CB Defense long enough.

What was rolled out to my company are mixed versions of Carbon Black CB Defense, so what I'd like to see in the next release is more synchronization, where it can detect the endpoint that's running an old version and suggest updates. That's the only thing I can think of right now.

I've been using Carbon Black CB Defense since October of last year.

I haven't had any major degradation in the performance of Carbon Black CB Defense, so I find it stable. It's holding up very well.

I have no comment on the scalability of Carbon Black CB Defense at this point.

I haven't even had to reach out to the technical support team of Carbon Black CB Defense at this point, so no comment.

I did not use a different solution. This was the first time I used this type of solution.

In terms of initial setup, rolling out Carbon Black CB Defense was pretty straightforward. It wasn't that big of a deal.

The deployment of Carbon Black CB Defense was done in-house, and took two weeks total, because it was a hybrid deployment, which means that it was done on a one-on-one basis.

In terms of ROI from Carbon Black CB Defense, it's a little early to see it.

In terms of licensing costs, Carbon Black CB Defense was all associated with CROW and the services my company is using with them, so it came all-inclusive.

My company didn't evaluate other options, because Carbon Black CB Defense was suggested by CROW. My company just went with what they suggested.

I have experience with Carbon Black CB Defense. My company has already adopted a solution that uses Carbon Black CB Defense, particularly with a company called CROW.

Carbon Black CB Defense was deployed hybrid in terms of what my company does. The cloud provider used was CROW.

My company has 200 users of Carbon Black CB Defense. It's being used in the whole environment. Three people from IT are in charge of the maintenance and full deployment of the solution.

In terms of increasing usage, the solution is being used in the entire environment, and usage will be increased if there's growth in personnel.

At this junction, I'm rating Carbon Black CB Defense an eight.

We use Carbon Black agents that are monitored by the Forescout Extended Module for CB. It will check that CB Agents are deployed and are in running state to secure containers across vmware environment.

The dashboard shows the security analyst who looks at the reports of the threats around policies monitoring Carbon Black agents. The discovery happens in Carbon Black, and as part of the discovery, it will monitor multiple Carbon Black agents. Deployment is on hybrid cloud VM cloud on AWS.

Technical support is excellent. It's also stable, scalable, and easy to implement.

In the next release, it would help if we can get better control over containers. This will help secure the containers in multiple environments. For example, we need to secure the Kubernetes containers. Apart from admin user login to see containers processes running, developers & operate team users also should be seeing the container's processes running.

I have been using Carbon Black CB Defense for the past year.

Carbon Black CB Defense is a stable product.

Carbon Black CB Defense is a scalable product.

We have extended support from the IT technical team and the engineering team from VMware. Their support is excellent. I don't see any issue with technical support.

The initial setup and installation are straightforward. Typically it takes just two days to set up Carbon Black agents for the post cloud. A team of about 15 technical people deployed this solution.

There is a very big team from VMware, including VMware support, who implemented this solution. 

The licensing costs depend on how many policies you have on the extended module for CB. We pay between $5,000 to $7,000 for a license for the Carbon Black monitoring agents.

On a scale from one to ten, I would give Carbon Black CB Defense a seven.

We have a dedicated team using this solution. They create incidents, escalate the incidents, and then respond to the events detected by the EDR.

The best feature of this solution is that we have a live response, which is really tailored to our needs. 

There is no option for the solution to block automatically based on behavior. First, the solution needs a lot of time to record all the behaviors. Then, we manually have to create a behavior analysis rule to detect any malicious activity. The solution would be improved and be more effective if there was a way for this process to be done automatically.

We have been using this solution for six to seven months. 

The solution is not always ideal, but it is pretty stable. We did face a few issues, in the response feature for example, but they were resolved.

At this point we have not encountered any issues with scalability, but time will tell how much scaling is feasible for us.

The customer support is average. At times I feel like they should have responded to us immediately because we had some issues that needed an immediate reply, but their response was a bit slow. However, overall, they're good and the support is acceptable.

Neutral

It was not easy and we faced challenges, but it was okay. We're also dealing with an issue involving multiple unsupported OS's because we have so many Linux products in our infrastructure. I would rate the initial setup as a three out of five, with one being difficult and five being easy.

This is a good solution, but there are a lot of improvements needed. I am overseeing the project part of the solution, not the deep technical side. As far as my knowledge is concerned, it's an easy-to-use solution and it has many good features, but it also has many features that require improvement. I would rate the solution as a six out of ten. 

What I like the most about it is the dynamic grouping, where you get to group endpoints based on setup criteria. That's pretty cool. I like the simplified policy management and simplified white-listing process. Coming from McAfee, management has been much simpler and much easier to look at. 

I like the simplified management, it has a nice UI, and it's very simple.

The EDR portion could be better. I'm not a big fan, but it works.

The End Point Detection Response and the way it lays our processes with our endpoint and its detection engine, in the way that it detects the admin or alerts we based on a threat. I feel that they're a little behind on the market from my perspective.  

Overall, areas of improvement would be the EDR part, the detection, also the cloud console. If you're trying to write queries or something, it's very slow, just not robust.

It's a cloud console so it should be fast. If I run a query and I press enter, if it took two seconds, it wouldn't give me a nice loading interface, because it's stuck. I would see an operating system most of the time. 

I feel like it should be faster. But as far as the price and everything, I think it's a good product.

We're actually doing a migration from McAfee to Carbon Black. The migration project has been about 12 months right now. We're slowly migrating.

Stability is one thing that's not robust. Other products are faster, but as far as the CB Defense, it's slow. We had some issues with the sensors and we also saw slowness on the Windows side, Windows file share, which actually was fixed in the next new version of the sensor.

I'm the only network security person here. But the other users who have different roles have access as well. In my team, there are five or six people. But I'm the only one actually directing changes.

We use it on a daily basis. 

There are always alerts so I'll always have to check into alerts and see what's going on and then do some more analysis. If it's a new application we are implementing that will also need to be configured on Carbon. 

The deployment process is straightforward. 

We're still deploying it slowly, little by little because we use a lot of critical applications and if Carbon Black interferes with the application, it will stop working. It needs to be tested thoroughly. It's a long process. 

All of its applications need to be tested thoroughly and then tested in a testing environment. Then we deploy and monitor, make changes, and stuff like that. As far as general users, laptops, and stuff, that's pretty straightforward. It's just part of the image. I have to write that script to uninstall McAfee, the whole migration. It's pretty straightforward. It wasn't complex as far as the installation or deployment.

There was also a technical lead for this project. It automatically comes with professional services for 10 hours and the documentation is pretty clear. The professors helped through the process. 

I think it's 28 per employee a year. 

We also looked at CrowdStrike but it was a little too expensive. 

The implementation is very easy but the security aspects could be better. 

If you don't have a SIEM solution in your organization, you're probably engaging via email.But there's no way to point me to customize the email templates if I want to see more information on that email before going to the console. It's still a business and company, but I'm the only one who is managing everything. So when I see the email on my phone, I want to see more information before logging into the console. I want to see more filtering options to narrow down more field training. 

I also wish it was easier and more intuitive in terms of searching for queries. I feel like it should be simpler. It doesn't make sense to have it this hard.

I would rate it a seven out of ten. 

We're providing this product to our customers. The main intention of using this product is to detect small malware and for vulnerabilities and scanning detection in real-time.

The Intel fit was very extensive and comprehensive enough. The visualization tree product feature in this CB defense is quite good. These are the two more notable product features.

The pricing is excellent.

The solution is stable.

There's some disparity between the on-premise and the cloud type of application. We basically manage applications versus SaaS-based ones. We were hoping that some of the more advanced features that they offer in the SaaS actually could be similarly offered for the on-premise managed applications. We find that cloud-based solutions are particularly more advanced in product roadmaps compared to on-prem.

There should be more roles in support. There needs to be support for multi-tenancy, the likes of multiple names space. When you use that in a very large organization, you have many departments. It doesn't really provide grouping by department, et cetera. 

There's actually a lagging feature that we saw in the SaaS, yet not on the on-premise setup. It seems like the on-premise one was really, really meant for a single department setup rather than for multiple departments.

The solution doesn't allow for high availability configuration. That's also a negative impact relating to the product.

We have been using this solution for about two years.

Stability-wise, the product has been quite stable. There's no issue. The maintenance was quite straightforward, and if you don't really touch it, you won't have stability problems. 

Medium to large companies will be selecting Carbon Black solutions mainly due to the fact that they needed this to better the security posture checks in the environment, typically in the more regulated environment. Regulatory, regulated environments or companies that are more security-centric will go for this type of product.

While it can scale, it only supports non-HA. Scalability is quite limited. You can only scale vertically - not horizontally.

Technical support can be much improved. They're quite lagged in terms of their support and post-sales. In terms of the roadmap to sell, they tend to sell more towards endpoints and very large enterprises. For a server base, it would lose itself. That's not really their main focus at this point in time. Therefore, it's not as good there.

Neutral

I'm also familiar with Trend Micro. Trend Micro is advancing the product, keeping it fairly up to date, and covering some aspects of the EDR over time and they're doing a lot of catching up. They actually have caught up. The technology now is quite fairly similar - it's just that the initial focus was in different areas, however, they are filling this gap. It's actually a very strong competitor. In terms of user, features-wise, et cetera, this solution is quite on par. Trend Micro is a security-focused company, so from an enterprise point, probably they are more focused than Carbon Black nowadays being bought over by VMware. Security is probably not their main area of focus at this point in time. 

The initial setup is a bit of a mix. It is simple in the sense the setup was quite straightforward, however, when it comes to configuring for other supports, like emails, notifications, Syslog, et cetera, this identity provider's power integration, which we did for our SML 2.0, is powered based, rather than supported directly through the GUI. That was not so user-friendly, or more complex in terms of configuration.

On a scale from one to five in terms of ease of setup, it'll be about three. It probably takes about half a day just to complete the configuration setup.

The maintenance so far has been quite fairly straightforward. We don't really have any issues with the maintenance. Obviously, I didn't want the downside of the product side, maybe one of the cons is that it doesn't really support HA high availability setup configuration. 

We have a contract, we have actually a BOT tender contract where our different customers from different departments actually purchase their licensing. Generally, the pricing is from a unique cost perspective. I wouldn't know exactly how much they buy typically, as they procure their licenses on their own. Typically, if you compared the pricing to Trend Micro, it's probably about half the cost.

We're not quite a partner. We are a systems integrator and reseller. 

We do not have the latest update. We integrate that into our Azure AD itself.

We have the solution deployed both on the cloud and on-premises. 

I'd recommend the solution based on the cost. It's really subjective to the organization's needs. If it's for a single, small department, it's fine. If it's for a large organization itself, some of it lacks. Enterprise capabilities are probably a hindrance for a large organization to take up such a product. The limitations of supporting multiple departments with different roles and users, for them to configure what they need, would be a problem. When you talk about alerts et cetera, and also certain tracks, different departments actually probably they have their own different needs, so they wanted something to be a little bit independent, where the configuration settings are unique to the department, rather than something that can only be common for all departments in the current setup.

I'd rate the solution six out of ten.