VMware Carbon Black Endpoint Reviews

We're providing this product to our customers. The main intention of using this product is to detect small malware and for vulnerabilities and scanning detection in real-time.

The Intel fit was very extensive and comprehensive enough. The visualization tree product feature in this CB defense is quite good. These are the two more notable product features.

The pricing is excellent.

The solution is stable.

There's some disparity between the on-premise and the cloud type of application. We basically manage applications versus SaaS-based ones. We were hoping that some of the more advanced features that they offer in the SaaS actually could be similarly offered for the on-premise managed applications. We find that cloud-based solutions are particularly more advanced in product roadmaps compared to on-prem.

There should be more roles in support. There needs to be support for multi-tenancy, the likes of multiple names space. When you use that in a very large organization, you have many departments. It doesn't really provide grouping by department, et cetera. 

There's actually a lagging feature that we saw in the SaaS, yet not on the on-premise setup. It seems like the on-premise one was really, really meant for a single department setup rather than for multiple departments.

The solution doesn't allow for high availability configuration. That's also a negative impact relating to the product.

We have been using this solution for about two years.

Stability-wise, the product has been quite stable. There's no issue. The maintenance was quite straightforward, and if you don't really touch it, you won't have stability problems. 

Medium to large companies will be selecting Carbon Black solutions mainly due to the fact that they needed this to better the security posture checks in the environment, typically in the more regulated environment. Regulatory, regulated environments or companies that are more security-centric will go for this type of product.

While it can scale, it only supports non-HA. Scalability is quite limited. You can only scale vertically - not horizontally.

Technical support can be much improved. They're quite lagged in terms of their support and post-sales. In terms of the roadmap to sell, they tend to sell more towards endpoints and very large enterprises. For a server base, it would lose itself. That's not really their main focus at this point in time. Therefore, it's not as good there.

Neutral

I'm also familiar with Trend Micro. Trend Micro is advancing the product, keeping it fairly up to date, and covering some aspects of the EDR over time and they're doing a lot of catching up. They actually have caught up. The technology now is quite fairly similar - it's just that the initial focus was in different areas, however, they are filling this gap. It's actually a very strong competitor. In terms of user, features-wise, et cetera, this solution is quite on par. Trend Micro is a security-focused company, so from an enterprise point, probably they are more focused than Carbon Black nowadays being bought over by VMware. Security is probably not their main area of focus at this point in time. 

The initial setup is a bit of a mix. It is simple in the sense the setup was quite straightforward, however, when it comes to configuring for other supports, like emails, notifications, Syslog, et cetera, this identity provider's power integration, which we did for our SML 2.0, is powered based, rather than supported directly through the GUI. That was not so user-friendly, or more complex in terms of configuration.

On a scale from one to five in terms of ease of setup, it'll be about three. It probably takes about half a day just to complete the configuration setup.

The maintenance so far has been quite fairly straightforward. We don't really have any issues with the maintenance. Obviously, I didn't want the downside of the product side, maybe one of the cons is that it doesn't really support HA high availability setup configuration. 

We have a contract, we have actually a BOT tender contract where our different customers from different departments actually purchase their licensing. Generally, the pricing is from a unique cost perspective. I wouldn't know exactly how much they buy typically, as they procure their licenses on their own. Typically, if you compared the pricing to Trend Micro, it's probably about half the cost.

We're not quite a partner. We are a systems integrator and reseller. 

We do not have the latest update. We integrate that into our Azure AD itself.

We have the solution deployed both on the cloud and on-premises. 

I'd recommend the solution based on the cost. It's really subjective to the organization's needs. If it's for a single, small department, it's fine. If it's for a large organization itself, some of it lacks. Enterprise capabilities are probably a hindrance for a large organization to take up such a product. The limitations of supporting multiple departments with different roles and users, for them to configure what they need, would be a problem. When you talk about alerts et cetera, and also certain tracks, different departments actually probably they have their own different needs, so they wanted something to be a little bit independent, where the configuration settings are unique to the department, rather than something that can only be common for all departments in the current setup.

I'd rate the solution six out of ten.

We use VMware Carbon Black Endpoint to protect endpoints in our company.

The product enables device controls, helping us protect the devices and prevent data leakages.

The product’s most valuable feature is incident detection and response.

It is challenging to reach the product’s technical support team. This particular area needs improvement. The device control feature could also be compatible with the user’s profile as well.

We have been using VMware Carbon Black Endpoint for a year.

The product has good stability.

I rate the platform’s scalability an eight out of ten.

The initial setup process is simple.

VMware Carbon Black Endpoint generates a good return on investment regarding environment protection.

The product’s price is less expensive than other vendors.

I rate VMware Carbon Black Endpoint a seven out of ten. I recommend it to the companies with less budget. If there are no budget constraints, they can use other products like CrowdStrike Falcon or Cylance.

We include it as another layer of security for our endpoints/servers. The software is based off TTP (tactics, techniques, and procedures), and it complements our antivirus products. The software basically takes a snapshot of the system, then if anything happens which is out of the norm, the software alerts us. In some cases, it denies execution and will quarantine the endpoint from other systems.

During the company’s transition, we had a memory scraper infiltrate our network, and  with the help of Carbon Black, we isolated the outbreak to a few point of sale machines.. We saw a step-by-step account of how the software was introduced into the environment, the host it originated from, and the destination address it was connecting too. Carbon Black stopped the spread in its tracks.

• The software uses very few resources; it is almost invisible to the end user. 
• Behavioral Monitoring stops known malicious events before they even begin. 
• The whitelist: Being a Casino, we have some odd software packages. Being able to whitelist them is a must.
• The option to quarantine a device and use the cloud-based portal to gain a “shell” on the infected machine. With this, we can dump the entire system memory to a machine in our lab, then run analysis.

It works the way we want and how we want. 

For one improvement, an easier integration with an AlienVault USM appliance would be good. The directions for Splunk are spot on, but it is difficult to find anything on integration with AlienVault,

My company uses VMware Carbon Black Endpoint for generic endpoint activity detection. We also use it for some investigation using an osquery in our company. VMware Carbon Black Endpoint is useful for blocking some applications and vulnerability assessment of endpoints.

The most valuable feature of the solution is its EDR functionality. The osquery functionality of the product is also very good since it allows us to investigate special cases. Vulnerability management is another good feature of the product.

VMware Carbon Black Endpoint takes a step back when compared to other solutions in the market. Cortex XDR is a better solution compared to VMware Carbon Black Endpoint. In our company, we also wanted to have network detection, like a host-based IDS on VMware Carbon Black Endpoint, but we did not get it. The aforementioned reasons have forced our company to look for an upgrade or another solution altogether.

In the future, I would like to see VMware Carbon Black Endpoint offering a host-based intrusion detection system with a better incident response within the platform where you can raise an incident, assign it, and have some response functionality in it, like triaging the incident and other stuff.

I have been using VMware Carbon Black Endpoint for three years. I use the solution's cloud version, which is the latest version. I am a customer of the solution.

It is a stable solution.

Around ten to eleven people use the solution in our company.

In our company, we did not face many technical issues with the product. Over the span of the years we have been using the solution, there were only two not-so-difficult instances we encountered using the solution, but we were able to find the answers to resolve the issues. We did not face issues that needed the intervention of technical support.

I rate the technical support a seven out of ten.

Neutral

Previously, we were using a signature-based antivirus, Symantec Antivirus, in our company.

The initial setup of VMware Carbon Black Endpoint was easy.

The solution is deployed on a public cloud.

The deployment phase took about a month to get deployed to all the endpoints using the agent, but the most difficult part was tuning the policy, which took the most time based on the alarm policy and alert policy. I feel the aforementioned phases of deployment are a regular process.

I do not want to discuss the actual number of people involved in the deployment process, but I can say that the deployment was not done for a small company.

I was involved in the implementation phase of the solution.

Price-wise, VMware Carbon Black Endpoint is a highly-priced solution. Regarding the licensing cost of the solution, one needs to opt for an annual subscription.

One of the main advantages of Cortex XDR over VMware Carbon Black Endpoint is that Cortex XDR has an intrusion detection system. Cortex XDR has a host-based IDS, and such a feature doesn't exist in VMware Carbon Black Endpoint. Cortex XDR has VMware Carbon Black Endpoint's functions and much more than they need.

Palo Alto is a product that our company has considered during its current evaluation process.

I would say that VMware Carbon Black Endpoint is a very good solution for those planning to use it. If a person has certain cost constraints, then VMware Carbon Black Endpoint may not be the best solution since many cheaper or even open-source solutions can provide the same functionalities as VMware Carbon Black Endpoint. I feel that with a good budget, a better solution can be available in the market.

I rate the overall a seven and a half out of ten.

We need it to secure some PCs and virtual machines inside the company.

We have a single point of view of all the security systems, and it has some interesting tools.

For Carbon Black Endpoint, the possibility of integration with different other software's log servers is the important thing. Having just one point of view is more interesting so you don't need to go to different places to see all the information.

There is room for improvement in the proxy servers. The implementation and management of those servers are difficult.

The proxy servers have proxy servers in place to not connect directly to the Internet, and the implementation and management of those servers are difficult.

Moreover, some customers request disabling Bluetooth in endpoints, but Carbon Black doesn't do that. So, there should be some flexibility for customization.

I have been using this solution for a couple of months. 

I would rate the stability a nine out of ten.

It is easy to scale. I would rate the scalability a ten out of ten.

The customer service and support are solid.

Positive

The initial setup is complex. 

It's a good return on investment. The single point of view is very important for the client.

The solution has almost the same price as other different kinds of infrastructures, but it offers a lot of different features.

I would recommend trying it first. Overall, I would rate the solution a nine out of ten. It's a great product. 

The product's most valuable feature is its ability to be fully integrated with the VMware environment.

The product's stability could be improved.

I have been using VMware Carbon Black Endpoint for one or two years as a system integrator.

Stability-wise, the product could be better. 

The platform is very easy to scale. It is suitable for small and medium businesses.

The technical support services are good.

Positive

VMware Carbon Black Endpoint's installation is easy. The deployment takes one or two days, but the training administrator takes more time.

I rate VMware Carbon Black Endpoint a ten out of ten.

We use the solution for threat detection and endpoint protection. It generates alerts in case of invalid signatures while installing software.

The solution's most valuable feature is live response. We can verify and view the task list and the processes. Also, we can create policies with its help.

It is challenging to extract a report on the status of ongoing scans. They should work on this particular area of the solution.

The solution's customer service team responds quickly.

Positive

I rate the solution as seven.

Carbon Black is an EDR solution and a Next Generation AV. It works on the basis of machine learning and artificial intelligence. It's used to manage multiple endpoints from a central location and detects alerts on the basis of AI. If we have any custom alerts, they can be triggered or flagged. In that case, we can have a centralized alerting system. It can also be used to isolate, repair, or remediate a machine when it is taken by an attack.

We aren't responsible for managing the infrastructure of this particular tool. We're using it for investigation purposes and to monitor products that are being used by our clients.

It's deployed on a public cloud.

The solution has a library where we can have multiple threat intels onboarded. We just have to subscribe to a particular site intel and they'll provide us with all of the truncated details so that we can create IOCs and alerts on the basis of those IOCs. 

It's one of the best features because there are multiple third-party vendors who can provide us with site intel in one location. You just have to subscribe to them, and they'll start providing you with IOCs. If a new attack starts, you will have all the basic IOCs on that list, which can be used to identify if the same attack is happening in your environment.

We can isolate devices in just two clicks. That's also a great feature. We can remediate and repair devices from a central location. It's not too difficult to use that particular tool. The user interface is very easy to understand. You are not required to roam around the console to find where the alert went. It's easy to resolve that.

When we onboarded Carbon Black, there weren't many EDR solutions available in the market. It was one of the best tools when it was launched. We don't have any complaints with the tool. The tool is very good. It highlights many of the alerts and events.

When you're investigating an alert, you will get a graph and will see the details related to the process that triggered the alert. Below the graph, there are network connections, file modifications, industry modifications, and multiple other activities. If you want to specifically find which additional modification has been performed, you will have to find the log you're searching for. There isn't a search bar to check for file modifications or network connections. In that case, you don't have a search bar, so you have to check each and every event, which could be more than 1,000.

You would have to check 1,000 events manually, or you would have to export sheets to view what you are searching for. If they added a search bar, it would reduce the time it takes to do investigations.

If you want to log into a device, there's a process named winlogon.exe, which is supposed to be initiated. If I'm using Carbon Black, I will have to check where winlogon.exe is being observed or at what time it was being observed. Because there's no search bar, I will have to check for the event in all the device events.

A search bar in the investigation page and some AI-related tasks like outgoing alerts, or recent tactics that are being used in the market, must be embedded in the tool so that it's easier to find alerts. The AI must be stronger so it can identify activity that is actually malicious.

I have used this solution for a year and a half.

It's a stable product.

It's scalable because it's based on the cloud.

It's sensor-based, so you have to install the machine associated with your application. You will have the configuration file and the agent installation file. You'll have to run the configuration file, and then you'll be onboarded to Carbon Black. It's easy.

Deployment was fast. It took 15 minutes.

We have a group of about eight people for maintenance and supervision.

I would rate this solution as eight out of ten.

It's a good tool, but it requires some updates. It doesn't have new features like multi-tactics, which other EDR products are providing.

My advice is to acknowledge or resolve a particular alert because once they resolve, it will be very difficult for you to find that alert. Handle it with care because with just a click, the device will be isolated. It could be a server, host, or network device. If you click the wrong button out of curiosity, it will destroy the machine. It has multiple accesses and won't ask if you're sure if you want to do an activity or not.