Carbon Black CB Defense Overview

Carbon Black CB Defense is the #1 ranked solution in top Security Incident Response tools, #7 ranked solution in EDR tools, and #12 ranked solution in endpoint security software. PeerSpot users give Carbon Black CB Defense an average rating of 7.6 out of 10. Carbon Black CB Defense is most commonly compared to Crowdstrike Falcon Endpoint Security and XDR: Carbon Black CB Defense vs Crowdstrike Falcon Endpoint Security and XDR. Carbon Black CB Defense is popular among the large enterprise segment, accounting for 54% of users researching this solution on PeerSpot. The top industry researching this solution is professionals from computer software companies, accounting for 17% of all views.
Carbon Black CB Defense Buyer's Guide

Download the Carbon Black CB Defense Buyer's Guide including reviews and more. Updated: February 2023

What is Carbon Black CB Defense?

CB Defense is an industry-leading next-generation antivirus (NGAV) and endpoint detection and response (EDR) solution. CB Defense is delivered through the CB Predictive Security Cloud, an endpoint protection platform that consolidates security in the cloud using a single agent, console and data set. CB Defense is certified to replace AV and designed to deliver the best endpoint security with the least amount of administrative effort. It protects against the full spectrum of modern cyber attacks, including the ability to detect and prevent both known and unknown attacks. CB Defense leverages the powerful capabilities of the CB Predictive Security Cloud, applying our unique streaming analytics to unfiltered endpoint data in order to predict, detect, prevent, respond to and remediate cyber threats. In addition, CB Defense provides a suite of response and remediation tools, including Live Response, which allows security personnel to perform remote live investigations, intervene with ongoing attacks and instantly remediate endpoint threats. For peace of mind, CB Defense customers can also leverage CB ThreatSight, Carbon Black’s managed threat alert service, to validate alerts and uncover new threats.

Carbon Black CB Defense was previously known as Bit9, Confer.

Carbon Black CB Defense Customers

Netflix, Progress Residential, Indeed, Hologic, Gentle Giant, Samsung Research America


Carbon Black CB Defense Pricing Advice

What users are saying about Carbon Black CB Defense pricing:
  • "It is more expensive, but it's worth it. There are no additional costs beyond the standard licensing fee."
  • "The licensing cost is on the more expensive side, but I thought it was worth it because they did a good job. It was one of the vendors I truly didn't have to worry about too much until this latest upgrade."
Carbon Black CB Defense Reviews
    IT Infrastructure and Security Manager at a paper AND forest products with 1,001-5,000 employees
    Real User
    Top 20
    The manage, detect, and response feature enables Carbon Black to continuously check logs and advise us on how to improve some of the policies
    Pros and Cons
    • "The new feature that we're deploying, the new offering from Carbon Black, is MDR, which stands for manage, detect, and response. It's the most valuable feature because Carbon Black will be continuously checking the logs, and they will be advising us on how to improve some of the policies as well as review the logs. If there are any nefarious agents or things happening on the endpoints, they will know."
    • "The node management could be much better. The one thing that they cannot do very easily is change the tenant from a backend."

    What is our primary use case?

    It is a default software that goes on every computer. This is antivirus endpoint protection. It's pretty simple. The standard application goes on every single machine that we deploy that is Windows based. We have it running on machines that are deployed on the cloud, machines that are deployed on-premise, and on machines that people are using strictly on the internet.

    We're using the Carbon Black Endpoint. We're using the latest sensors. We've used 3.7 and 3.8.

    Initially when we deployed it, there were over 2,000 users in terms of giving access to the console. We had roles created for security analysts. There were different roles. For example, the field services who take care of the PCs could go take a look. They could bypass if needed, but they could not change any roles or uninstall the agent. 

    Other roles, such as mine, have full access. We had roles where we had actually created the API integration key where we were sending the Carbon Black logs to a third party who was our SIEM for review. There are different roles you can define in there.

    What is most valuable?

    The new feature that we're deploying, the new offering from Carbon Black, is MDR, which stands for manage, detect, and response. It's the most valuable feature because Carbon Black will be continuously checking the logs, and they will be advising us on how to improve some of the policies as well as review the logs. If there are any nefarious agents or things happening on the endpoints, they will know. 

    They also have the ability to take action based on what we've already agreed upon, what rights we give them, or what we tell them they can or can't do as part of their response. Hypothetically, if there's a rogue machine that is trying to infect other machines, we can tell them that they should try to contact us, but if they don't get a hold of anybody in GreenFirst IT in 15 minutes, they should go ahead and quarantine that machine. They can take actions, they can do remediation or response. Instead of advising, they will be taking action.

    What needs improvement?

    The node management could be much better. The one thing that they cannot do very easily is change the tenant from a backend. As an example, assets were sold from a company called Rayonier Advanced Materials and went to GreenFirst, which became GreenFirst as a startup. We had a tenant where all the machines were registered to the cloud. That is the tenant that was there for Rayonier. It is very hard for them to make changes to the tenants, such as rename or anything like that. What they really would push you to do is, "Your tenant is going to be under your company name. You have to uninstall all the agents and reinstall them again." Making changes at a tenant-level would be a welcome feature to allow divestitures and things like that.

    They can do some of these things, but they're not very user friendly or easily done. They basically tell you to do the hard lifting yourself. For example, they basically kept pushing me and saying, "Uninstall your antivirus on about 500 machines and reinstall it with the new tenant information." I would say "No, everything is a tenant. Rename me the tenant."

    I would like to see the GUI improved and easier troubleshooting. One thing they did that makes it easier in troubleshooting versus the older versions of the software is that now you can actually drill down to see the parent process and go all the way down. 

    In CrowdStrike, they have a timeline where they actually build the whole scenario as to what happened. It's like a playback. It's almost like a movie. You play back and it says, "Okay, this process ran," and then it shows what it caused and everything. You can see all that and if there are any screen outputs it puts it on because CrowdStrike actually maintains some of those things. A playback feature would be very valuable.

    For how long have I used the solution?

    I have worked with this solution for over three years.


    What do I think about the stability of the solution?

    Carbon Black is a very capable tool. It's a very strong product.

    What do I think about the scalability of the solution?

    There have been no issues with the scalability.

    It's on every single node, so I cannot increase it anymore than that.

    How are customer service and support?

    Their technical support is better than most of the normal tech supports that I've dealt with. My one pet peeve with them is that they respond to your request on their portal. For example, if you need to have a working session with them, they respond to your request in the portal, and you are not always in the portal and you may miss a time that they would be available to assist you. It would be much better if they picked up the phone or actually emailed instead of always using their portal.

    I would rate their technical support a 3.5 out of 5.

    Which solution did I use previously and why did I switch?

    We switched because we wanted to go to a next-gen antivirus that looked at the pattern instead of looking for signature. The second thing is we were trying to get off Kaspersky because it's a Russian company and Rayonier AM was an American company. The biggest reason was to go to a next-gen antivirus.

    This is hardly signature based. It's more than heuristic, and one of the other reasons is that the updates are pushed over the cloud when the nodes are available. We don't need people to be connecting to an internal server on-prem to get their updates. Another reason was security features and the ability to quarantine a machine regardless if it's on-prem or if it's just on the internet.

    How was the initial setup?

    If you're not used to Carbon Black, it can be challenging because these are not regular rules, like the way you would deploy under a normal antivirus. There are a lot of different functionalities that you could do that are not available under normal antivirus things, such as allowing a script or an application to run based on hash, or whitelisting if an application is signed by a specific code sign or certificate. It can be very challenging.

    When we did it years ago, we went from McAfee and Kaspersky to Carbon Black. At that time, there were 2,000 or so nodes. Deployment took less than a month. That was due to us doing various types of scripting for a massive rollout and automatic installation of the tool and the automatic uninstall of the older tools.

    What about the implementation team?

    Deployment was done in-house.

    What was our ROI?

    It's very subjective to give an ROI on an antivirus. If I was making a piece of equipment and I implemented something that could show that instead of something that takes four hours to complete, now it takes three hours, I could tell you what my ROI would be.

    In this instance it is very subjective. The only thing that you could do is take a look at how many security incidents you've had with a different product versus what you think you will have with going with Carbon Black, or assume you won't have any issues with Carbon Black versus how many issues you had with the other one, and then you can see how long it takes. 

    Speaking from experience, for the former company that I worked for, we were hit with malware, a ransomware where some files were encrypted, but we were able to get them from the backup. However, attacks such as that have failed since we have had Carbon Black.

    What's my experience with pricing, setup cost, and licensing?

    It is more expensive, but it's worth it. There are no additional costs beyond the standard licensing fee.

    Which other solutions did I evaluate?

    We looked at CrowdStrike, the offering from Blackberry called SentinelOne, and we looked at the major other AV providers like Sophos, McAfee, and Norton.

    What other advice do I have?

    I would rate this solution 8 out of 10. 

    Carbon Black gives a different offering. Their ThreatHunter gives you more of the threat hunting features, so if they basically make that a standard feature, then I would rate it higher.

    My advice is to use a deployment tool if you have one because it will come in handy. I would also suggest that you enable the feature in Carbon Defense because uninstallation requires a key so that people can't get rid of it.

    If you are going to be buying it, my advice would be to take a look at their manage, detect, and response feature because you take the onus away from your internal team, and you also take away potential misconfiguration out of your internal IT group because they will be looking at all the logs, and they will be reviewing the policies and they can actually tell you how to do it. If you do not have the manage, detect and response, it all falls on you, and then you would have to integrate it with your own. If you have a SIEM, you would have to learn how to integrate it to your SIEM.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Lead IT Security Analyst at a government with 501-1,000 employees
    Real User
    Top 20
    Gave us another layer of protection from zero-day threats
    Pros and Cons
    • "We have another piece of that infrastructure that does what they call threat emulation. It's like sandboxing where it takes files that it doesn't know about, puts them in a VM-type environment, and it kicks them off to see if there's any malware or tendencies that might look like malware, that kind of thing."
    • "There could be more knowledge. I think they made a mistake when they took away the Check Point integration, because it provides more automation and also more threat intelligence."

    What is our primary use case?

    I know they have different forms in their Carbon Black Endpoint now, but we were using Carbon Black Prevent, which was basically just a pure whitelisting product. We didn't look at the other kinds of things that it was doing.

    We were basically just using it for, "If Carbon Black picks up a new file in the machine and it's executable or something and it hasn't seen it before, it has to be whitelisted first. It has to be approved before it's allowed to run." That's what we're using it for.

    We were technically one and a half versions behind the current version which is out there right now.

    The solution is deployed on-prem.

    We have cut back the amount of users. At one point, we had about 1,500 or 2,000 users. We're down to about 750 right now.

    How has it helped my organization?

    The solution just gave us another layer of protection from zero-day threats, because you can't always trust what your users are doing. You just have to do what you can technically to try to mitigate that.

    What is most valuable?

    I'm on the security department, so it's just in the layer of our prevention to give us protections against, for example, ransomware that might kick off and try to execute different files. If someone downloads something or whatever, it has to be whitelisted first. It has to be approved before it can run at all.

    That's better to me than some signature-based thing, because it protects against zero-day. There are things that it doesn't know about, so it has to check them. We have Check Point now as well, but we have a Check Point on our firewalls, not our endpoints.

    We have another piece of that infrastructure that does what they call threat emulation. You may have heard of it. It's like sandboxing where it takes files that it doesn't know about, puts them in a VM-type environment, and it kicks them off to see if there's any malware or tendencies that might look like malware, that kind of thing.

    It's also a zero-day type of prevention thing, but it kicks them off in a safe environment so that you can see what it's doing. You need integration with Check Point to do that, but that integration went away with the latest release, the one we just put out there.

    That was a big part of why we liked Carbon Black, because it is integration to not only do the whitelisting, but also we could have automatic rules set up so that if a new file got downloaded by a user, we could automatically send that over to Check Point and it could do its emulation on it in the sandbox. And if it came back clean, then we could automatically approve it.

    We wouldn't have to go through a manual process of having our people approve every single file that comes across as having been seen before. So, it was a really good way to work those two products together. But that went away. And so now I'm like, "Okay, what are we going to do now?" I hadn't looked at the Harmony Endpoint at all.

    I haven't looked at Check Point's piece, but I was wondering to myself, "If it does something like Carbon Black was doing and then we already have Check Point on the other one, that would work." So, that was what I was trying to do.

    What needs improvement?

    There could be more knowledge. I think they made a mistake when they took away the Check Point integration, because it provides more automation and also more threat intelligence. Maybe you didn't see something within Carbon Black's sphere of what it knows, within their product line or their threat cloud or whatever they use for their intelligence. Maybe it didn't see anything of the files that it knows about, but what about somebody else's? And what about kicking into another product that does those kinds of things like sandboxing?

    I don't know why they would take that away. That doesn't make sense to me because they need to expand on that. The more they expand on that, the more confidence you have as a security guy. You have more confidence that that file is clean, and there's nothing bad about it. Bringing back the integration with Check Point would be a good start.

    This product is being used extensively in our organization. I'm actually looking for a replacement because of the fact that we lost that integration. That's really crucial, honestly. Otherwise, it becomes much more manpower-intensive. I need to spend more man-hours going through it instead of using automations.

    I prefer to set up things so my team doesn't have to spend a huge amount of time running down rabbit trails all the time. The more we can automate and still be secure about it, that is what we try to do.

    There are no additional features I would like to see added. I know they already have a cloud offering as well. You can manage things through their cloud for people that are always on-site. We mostly just use it for our own managed devices. We didn't really put it on. We never planned and don't plan to put it on or make it available to a BYOD kind of thing. This is all company-managed devices.

    It just made more sense for us to do it internally than putting it in the cloud. But we could have done either one, I suppose. But since we started out inside, we just kept it that way. It was just easier.

    For how long have I used the solution?

    I have been using this solution for five years.

    What do I think about the stability of the solution?

    It's stable.

    What do I think about the scalability of the solution?

    The solution is scalable. We have never had an issue.

    How are customer service and support?

    I would rate technical support 5 out of 5.

    Which solution did I use previously and why did I switch?

    We did a proof of a couple different products, but we chose CB. And we've been with them since, because they do a good job. They've been pretty easy to manage, and they've had good support. So, we've actually been really happy with them.

    How was the initial setup?

    It was pretty straightforward. It took some time to roll out. We wanted to eventually get to a point where we are now, which was to totally block everything we don't know about. But that didn't come out of the box. You had to let things run for a while.

    It did a good job of reporting things, but not blocking so we could go through there and say, "Okay, these are legitimate files. Or these files were signed with these certificates from these vendors that we can trust," for example. We spent six or eight months going through everything before we actually turned it into full blocking mode. As far as initial rollout, it was fairly simple, and it's been fairly easy to upgrade the agents.

    We ran into some issues with some of the MSIs and things or some systems when we tried to update some things and it broke. I'd probably rate the setup a four out of five.

    We do deployment slowly and in phases. We could have deployed it pretty fast, actually. But it took us about three months to deploy everything because we wanted to make sure we had test groups of machines that we put into each department or each part of the organization, because they do different things. We didn't want to inadvertently start breaking certain things. So, we took our time pulling it out. But I think, essentially, it could have been deployed in probably a few weeks at the most.

    We have a team of about five people who take care of maintenance.

    What about the implementation team?

    We implemented it through an in-house team.

    What's my experience with pricing, setup cost, and licensing?

    The licensing cost is on the more expensive side, but I thought it was worth it because they did a good job. It was one of the vendors I truly didn't have to worry about too much until this latest upgrade.

    What other advice do I have?

    I would rate this solution 8 out of 10. 

    I'd say, "go for it" if you don't have or need Check Point for an integration. But if you're relying on that kind of integration, if you really need that like we did, then of course I wouldn't go that route.

    If I were to make a recommendation to somebody else just starting out, my advice is to check out the cloud first.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
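The two reviews above describe the same control from two angles: allow an executable by its hash or because it is signed by a trusted publisher, run in report-only mode while the allowlist is learned, and (in the second reviewer's Check Point workflow) hand unknown files to a sandbox and auto-approve the ones that come back clean. The following is an added example written for this page, not Carbon Black's or Check Point's code; the FileEvent and Policy names, the sandbox_verdict stand-in, and the sample file contents are constructed assumptions.

```python
"""Default-deny execution policy modelled on the reviews above: allow by
approved hash or trusted signer, otherwise consult a sandbox and auto-approve
clean results. Added example, not vendor code; all names are assumptions."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional, Set, Tuple


@dataclass
class FileEvent:
    """A newly seen executable. `signer` is the publisher name from a
    signature the platform has ALREADY verified (assumed); an unverified
    signer string must never reach this policy."""
    path: str
    content: bytes
    signer: Optional[str] = None


@dataclass
class Policy:
    approved_hashes: Set[str] = field(default_factory=set)
    trusted_signers: Set[str] = field(default_factory=set)
    banned_hashes: Set[str] = field(default_factory=set)
    # Learning phase from the second review: report unknowns, do not block.
    audit_only: bool = False


Decision = Tuple[str, str, str]  # (action, reason, sha256 hex digest)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sandbox_verdict(content: bytes) -> str:
    """Constructed stand-in for a threat-emulation sandbox. A real one
    detonates the file; this one only flags a marker string in the sample."""
    return "malicious" if b"ransom" in content.lower() else "clean"


def decide(policy: Policy, event: FileEvent,
           sandbox: Callable[[bytes], str] = sandbox_verdict) -> Decision:
    """Evaluate one execution request. Order matters: an explicit ban beats
    every allow rule, and signer trust is checked before the expensive
    sandbox round-trip. Sandbox results are cached into the policy so a
    hash is only ever detonated once."""
    h = sha256(event.content)
    if h in policy.banned_hashes:
        action, reason = "block", "banned hash"
    elif h in policy.approved_hashes:
        action, reason = "allow", "approved hash"
    elif event.signer and event.signer in policy.trusted_signers:
        action, reason = "allow", "trusted signer " + event.signer
    else:
        # Unknown file: hand it to the sandbox, as the integration did.
        verdict = sandbox(event.content)
        if verdict == "clean":
            policy.approved_hashes.add(h)   # auto-approve, no analyst needed
            action, reason = "allow", "sandbox clean, auto-approved"
        else:
            policy.banned_hashes.add(h)     # remember the bad hash
            action, reason = "block", "sandbox " + verdict
    if action == "block" and policy.audit_only:
        action = "report"   # learning phase: surface it, let it run
    return (action, reason, h)


if __name__ == "__main__":
    # Constructed sample events, not real binaries.
    policy = Policy(approved_hashes={sha256(b"known-good installer")},
                    trusted_signers={"Contoso Ltd"})
    samples = [
        FileEvent("C:\\Temp\\setup.exe", b"known-good installer"),
        FileEvent("C:\\Temp\\tool.exe", b"new build", signer="Contoso Ltd"),
        FileEvent("C:\\Temp\\util.exe", b"harmless utility"),
        FileEvent("C:\\Temp\\drop.exe", b"RANSOM note dropper"),
        FileEvent("C:\\Temp\\drop2.exe", b"RANSOM note dropper"),
    ]
    for ev in samples:
        action, reason, digest = decide(policy, ev)
        print(f"{action:6} {ev.path:22} {reason} ({digest[:12]}...)")
```

Run it with `audit_only=True` first, review what would have been blocked, and only then flip to blocking, which is the six-to-eight-month learning phase the second reviewer describes. Two caveats the code makes explicit: the signer check only works if the platform has already validated the signature chain, and a cached "clean" verdict is a point-in-time result, so the approved set should be revisited when intelligence changes.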
    Founding Partner, Security Architect at ISS
    Reseller
    Well organized documentation, overall superior functionality, and helpful visualizations
    Pros and Cons
    • "Some of the valuable features I have found are the online documentation of the solution is well organized and thorough. I like the simplicity of bypass and the visualization of the active components."
    • "This solution could have greater granular control on how certain applications work."

    What is our primary use case?

    Some of my clients' use cases are typical endpoint protection, telemetry, and threat hunting. We are using all three of the most popular services that point back to the cloud central console.

    What is most valuable?

    Some of the valuable features I have found are the online documentation of the solution is well organized and thorough. I like the simplicity of bypass and the visualization of the active components. If I want to know which file is being utilized and what sub-files it is calling, the visualization given is very helpful.

    I would like to see them continue to run some of the AI-type comparisons. I know everyone is really secretive about what they do and what they have engineered, but I think Cylance was a good market disruptor years ago with their approach. Now we see SentinelOne and everyone is approaching that piece of the puzzle similarly now. I just would like to see more of a comparison. We have done our own technical comparison but it is fairly expensive. All solutions have pros and cons, if more third-party organizations or teams could evaluate how each product works in pros and cons many people would benefit.

    What needs improvement?

    This solution could have greater granular control on how certain applications work. You are able to do the operation of allowing or disallowing, or you can block unusual usage of an application, but they do not define it well. 

    PowerShell is being called in any way that the threat actor might use it versus an administrator. You are in a way taking this solution's best guess at it or their understanding of it. They do not clearly tell you in technical terms how they make that determination. They should be more forthright about it, or if they cannot tell us, they should just give us the control to make those selections. We are choosing it because at least we have that control, whereas we do not have that same amount of control with other solutions like Cylance. However, they are still not telling us precisely what constitutes suspicious behavior, what actions, or what calls. It is a check box to say block if we have inappropriate use, or block if we have suspicious behavior. It would be helpful to tell us what that actually meant.

    In the future, I would like to see more granular control of PowerShell and more administrative tools.

    For how long have I used the solution?

    I have been using the solution for approximately six months.

    What do I think about the stability of the solution?

    The stability of the solution has been good. I like the fact that their call home is a single port, 443, a well-known port, with a backup port, 54443. Their architecture that way is easy for network admins to understand and open up when passing firewalls. In contrast, ATP has a lot of port requirements; it is much more complex and easy to misunderstand ATP communications until you really dig hard to see how it works. This solution is much simpler that way. Additionally, performance-wise, user agents seem to hover around 1%-2%; it is fairly efficient and lightweight.

    What do I think about the scalability of the solution?

    The scalability of the solution has been good. We implemented a couple of large POCs. We have some clients and colleagues that are running it at scale, with more than 5,000 endpoints with great success. We are pleased overall. Most of our clients are mid-cap or small enterprises.

    How are customer service and technical support?

    I have found the solution support has been strong. 

    I would rate the support of Carbon Black CB Defense a seven out of ten.

    Companies need to work on the timeliness of support. Getting directed to a strong enough, experienced enough technical person sooner is important. That just is not the way support is currently built. Usually, they start at tier one and move up. I am sure there are a lot of customers that call in to support with simpler questions where you do not want to tie up a tier-three person's time. However, I do not think my request for support to improve is unique to this solution. 

    We have a very knowledgeable technical team. When we call for support we are wanting to interact with tier two or tier three right away. It is frustrating to have to work through the tiers to get where we want to go.

    Which solution did I use previously and why did I switch?

    We previously used Cylance and we are coming off of a direct comparison of the two. In the current version of this solution, they have a stronger AI version or component. The overall general quality of the breadth of the solution is better. To receive the same functionality in Cylance, we needed to add the CylanceOPTICS product and we have not had great success with it.

    What I do not like about Cylance is it is very binary. You either allow AST to be a 56-bit hash or you do not. I think there is room for more granular control, which we now receive by using this solution.

    Overall this solution is better than Cylance.

    How was the initial setup?

    The initial setup has been straightforward. I think their user interface is mature and understandable; they did a good job on it. I would not say any endpoint solution is simple, but I think it is more intuitive than many of them.

    What other advice do I have?

    My advice to others is to take advantage of the POC and work with your POC rigorously. I think we have good responses on the POC as they get closer and closer to wanting to close. We were able to get stronger and stronger and more timely support. It is a good program and they are very fair about it. In any EDR, I would test them heavily and do not rely on marketing.

    When applying an overall rating to this solution, I do not think there are any tens in the marketplace. We are very pleased, and we evaluate this every year or two. In our POC, we had 200 samples, including ones that were available but not as popular, and we received 100% efficacy. We were very pleased with the results.

    I rate Carbon Black CB Defense an eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
    PeerSpot user
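The reseller above calls out the sensor's call-home design: one well-known port, 443, with 54443 as a backup. Before a rollout it is worth confirming from a representative endpoint that at least one of those ports is actually open through the firewalls on that path. The following is an added example for this page, not a vendor tool; the console hostname is a placeholder and a completed TCP handshake proves only the firewall path, not TLS or proxy policy.

```python
"""Pre-rollout egress check for the sensor call-home path described above:
try the primary port (443) and fall back to the backup (54443). Added
example, not vendor tooling; the console hostname below is a placeholder."""
import socket
from typing import Dict, Iterable, Optional, Sequence

PRIMARY_PORT = 443
BACKUP_PORT = 54443


def first_reachable_port(host: str, ports: Sequence[int],
                         timeout: float = 3.0) -> Optional[int]:
    """Return the first port in `ports` that completes a TCP handshake,
    or None when every port is filtered or refused. A short timeout keeps
    a silently dropped packet (typical firewall DROP) from stalling the run."""
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return port
        except OSError:
            continue  # refused, timed out, or unresolved: try the next port
    return None


def egress_report(hosts: Iterable[str],
                  ports: Sequence[int] = (PRIMARY_PORT, BACKUP_PORT),
                  timeout: float = 3.0) -> Dict[str, Optional[int]]:
    """Map each console host to the port that worked (None means blocked
    on every port tried), so the rule that needs opening is obvious."""
    return {host: first_reachable_port(host, ports, timeout) for host in hosts}


if __name__ == "__main__":
    # Placeholder hostname (assumption); use your tenant's console address.
    for host, port in egress_report(["console.example.com"]).items():
        status = f"reachable on {port}" if port else "blocked on both ports"
        print(f"{host}: {status}")
```

Run it from a machine in each network segment that will receive the sensor (on-prem, cloud-hosted, and roaming), since the reviewer in the first review notes the quarantine and update features depend on the sensor reaching the cloud from wherever it sits.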
    Andrew Nai - PeerSpot reviewer
    Lead Infrastructure Engineer at Government of Singapore
    MSP
    Well priced with a good visualization tree but doesn't allow for high availability configuration
    Pros and Cons
    • "The solution is stable."
    • "There's some disparity between the on-premise and the cloud type of application."

    What is our primary use case?

    We're providing this product to our customers. The main intention of using this product is to detect small malware and for vulnerabilities and scanning detection in real-time.

    What is most valuable?

    The Intel fit was very extensive and comprehensive enough. The visualization tree product feature in this CB defense is quite good. These are the two more notable product features.

    The pricing is excellent.

    The solution is stable.

    What needs improvement?

    There's some disparity between the on-premise and the cloud type of application. We basically manage applications versus SaaS-based ones. We were hoping that some of the more advanced features that they offer in the SaaS actually could be similarly offered for the on-premise managed applications. We find that cloud-based solutions are particularly more advanced in product roadmaps compared to on-prem.

    There should be more roles in support. There needs to be support for multi-tenancy, the likes of multiple namespaces. When you use that in a very large organization, you have many departments. It doesn't really provide grouping by department, et cetera. 

    There's actually a lagging feature that we saw in the SaaS, yet not on the on-premise setup. It seems like the on-premise one was really, really meant for a single department setup rather than for multiple departments.

    The solution doesn't allow for high availability configuration. That's also a negative impact relating to the product.

    For how long have I used the solution?

    We have been using this solution for about two years.

    What do I think about the stability of the solution?

    Stability-wise, the product has been quite stable. There's no issue. The maintenance was quite straightforward, and if you don't really touch it, you won't have stability problems. 

    What do I think about the scalability of the solution?

    Medium to large companies will be selecting Carbon Black solutions mainly because they need it to better their security posture checks in the environment, typically in a more regulated environment. Regulated environments or companies that are more security-centric will go for this type of product.

    While it can scale, it only supports non-HA. Scalability is quite limited. You can only scale vertically - not horizontally.

    How are customer service and support?

    Technical support can be much improved. They're quite lagged in terms of their support and post-sales. In terms of the roadmap to sell, they tend to sell more towards endpoints and very large enterprises. For a server base, it would lose itself. That's not really their main focus at this point in time. Therefore, it's not as good there.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    I'm also familiar with Trend Micro. Trend Micro is advancing the product, keeping it fairly up to date, and covering some aspects of the EDR over time, and they're doing a lot of catching up. They actually have caught up. The technology now is fairly similar; it's just that the initial focus was in different areas, however, they are filling this gap. It's actually a very strong competitor. In terms of users, features, et cetera, this solution is quite on par. Trend Micro is a security-focused company, so from an enterprise point, they are probably more focused than Carbon Black, which has nowadays been bought by VMware. Security is probably not their main area of focus at this point in time.

    How was the initial setup?

    The initial setup is a bit of a mix. It is simple in the sense that the setup was quite straightforward; however, when it comes to configuring other supports, like emails, notifications, Syslog, et cetera, and the identity provider integration, which we did for SAML 2.0, it is powered based rather than supported directly through the GUI. That was not so user-friendly, or more complex in terms of configuration.

    On a scale from one to five in terms of ease of setup, it'll be about three. It probably takes about half a day just to complete the configuration setup.

    The maintenance so far has been fairly straightforward. We don't really have any issues with the maintenance. Obviously, I didn't want the downside of the product side; maybe one of the cons is that it doesn't really support an HA (high availability) setup configuration.

    What's my experience with pricing, setup cost, and licensing?

    We have a contract, we have actually a BOT tender contract where our different customers from different departments actually purchase their licensing. Generally, the pricing is from a unique cost perspective. I wouldn't know exactly how much they buy typically, as they procure their licenses on their own. Typically, if you compared the pricing to Trend Micro, it's probably about half the cost.

    What other advice do I have?

    We're not quite a partner. We are a systems integrator and reseller. 

    We do not have the latest update. We integrate that into our Azure AD itself.

    We have the solution deployed both on the cloud and on-premises. 

    I'd recommend the solution based on the cost. It's really subjective to the organization's needs. If it's for a single, small department, it's fine. If it's for a large organization itself, some of it lacks. Enterprise capabilities are probably a hindrance for a large organization to take up such a product. The limitations of supporting multiple departments with different roles and users, for them to configure what they need, would be a problem. When you talk about alerts et cetera, and also certain tracks, different departments actually probably they have their own different needs, so they wanted something to be a little bit independent, where the configuration settings are unique to the department, rather than something that can only be common for all departments in the current setup.

    I'd rate the solution six out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
    PeerSpot user
    System Eng at a wholesaler/distributor with 1,001-5,000 employees
    Real User
    Easy to deploy, extremely scalable, and offers very good protection
    Pros and Cons
    • "The solution is extremely scalable."
    • "In the past, we've seen some stability issues in the latest version releases. We tend to hang back one version just to make sure issues are fully resolved to avoid user disruption."

    What is our primary use case?

    The solution is primarily used for protection. It's used on all of our servers and all of our workstations.

    How has it helped my organization?

    The product has considerably decreased any of our malware or malicious software injection within our organization. Since March of 2018, we have not had a malicious intrusion success. It's kept us quite safe.

    What is most valuable?

    The solution's most valuable aspect is its process monitoring due to the fact that it doesn't necessarily use signature-based definitions. It uses processor-based definitions. If a process tries to spawn some type of malicious process, it'll stop it.

    The initial setup is easy.

    The organization has to protect against users and Carbon Black does just that for the company. What I mean by that is not all users are savvy enough to understand, "Hey, I shouldn't be running this or I get a pop-up on a browser and I don't click on it." Carbon Black stops that if they do.

    The solution is extremely scalable.

    What needs improvement?

    The alerting mail needs to be customizable. Right now, it isn't. That has to change. Right now, I get a lot of what I call noise email alerts. All I hear from them is, "Well, we're working on it. We're working on it." Well, they've been working on it for four years now, and nothing has changed.

    In the past, we've seen some stability issues in the latest version releases. We tend to hang back one version just to make sure issues are fully resolved to avoid user disruption.

    For how long have I used the solution?

    We've been using the solution since 2017. It's been a few years at this point.

    What do I think about the stability of the solution?

    The solution is generally mostly stable. We tend to try to stay one version back in order to get better stability. I've run into problems already where Carbon Black has flagged certain things in a later release that they weren't flagging previously and it disrupts my user base.

    What do I think about the scalability of the solution?

    The scalability is very good. It's pretty much unlimited at this point. A company can scale however much they like with no trouble.

    We have over 500 licenses. The use cases are mostly for our servers and our workstation user roles are drafters, engineers.

    We use the solution enterprise-wide. I'm not going to increase usage except maybe to increase the license count if servers or workstations go up.

    How are customer service and technical support?

    Their technical support is beyond compromise. They've been absolutely excellent. We're quite satisfied with their level of attention. 

    Which solution did I use previously and why did I switch?

    We were previously using Symantec. We switched for numerous reasons. One of them was the fact that Symantec was just not catching a lot of our intrusion at that time. Again, this would have been back in 2017, and a lot of the malware that was coming out back then, the agents weren't catching as quickly. Nobody really had much sense of what zero-day attacks meant.

    How was the initial setup?

    The initial setup is not overly complex. It's pretty straightforward.

    The deployment was fast and the process took maybe two hours or so. The deployment strategy was just running the installation agent.

    There really is no maintenance required. It's just as simple as re-installing or installing the agent.

    What about the implementation team?

    We didn't need to use any integrators or consultants for the deployment. We handled everything ourselves in-house.

    What was our ROI?

    We noticed an ROI after about six months of working with the solution.

    Previous to Carbon Black, we had a malware attack that cost us a significant amount of money. We haven't had one since, and therefore, our return on investment has been significant.

    What's my experience with pricing, setup cost, and licensing?

    We simply auto-renew every year. I can't speak to the exact pricing. My standard license includes everything that I need without any extra costs.

    Which other solutions did I evaluate?

    I was looking at the possibility of replacing this solution with Defender, as that's part of our Office 365 licensing package that we have. I was asking myself "will this help? Is it really worth me spending x number of dollars for CBD versus using Defender?" However, after careful examination, we decided to stick with Carbon Black.

    What other advice do I have?

    We're generally always using the latest version of the solution, minus one. What I mean by that is it's not always current, however, it's always at least within one of the most current versions. We've got too many things going on to really be on the bleeding edge if you will. At times to go up to the next one I want to be sure I have a good stable one. What I'll do is let's say 3.3 comes out next week, I won't necessarily go to it. I will wait until 3.4 comes out to go to 3.3.

    While the agents are installed locally, everything basically goes through the cloud. We don't deal with on-premises deployments.

    I would advise new users to be cautious of policy settings. I'd also warn them that they should be prepared for lots of emails.

    Overall, I would rate the solution at a nine out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Ashish Dubey - PeerSpot reviewer
    Lead Security Analyst at SecurityHQ
    Real User
    Top 5 Leaderboard
    Manages multiple endpoints from a central location and detects alerts on the basis of AI
    Pros and Cons
    • "The solution has a library where we can have multiple threat intels onboarded. We just have to subscribe to a particular site intel and they'll provide us with all of the truncated details so that we can create IOCs and alerts on the basis of those IOCs."
    • "A search bar in the investigation page and some AI-related tasks like outgoing alerts, or recent tactics that are being used in the market, must be embedded in the tool so that it's easier to find alerts."

    What is our primary use case?

    Carbon Black is an EDR solution and a Next Generation AV. It works on the basis of machine learning and artificial intelligence. It's used to manage multiple endpoints from a central location and detects alerts on the basis of AI. If we have any custom alerts, they can be triggered or flagged. In that case, we can have a centralized alerting system. It can also be used to isolate, repair, or remediate a machine when it is taken by an attack.

    We aren't responsible for managing the infrastructure of this particular tool. We're using it for investigation purposes and to monitor products that are being used by our clients.

    It's deployed on a public cloud.

    What is most valuable?

    The solution has a library where we can have multiple threat intels onboarded. We just have to subscribe to a particular site intel and they'll provide us with all of the truncated details so that we can create IOCs and alerts on the basis of those IOCs. 

    It's one of the best features because there are multiple third-party vendors who can provide us with site intel in one location. You just have to subscribe to them, and they'll start providing you with IOCs. If a new attack starts, you will have all the basic IOCs on that list, which can be used to identify if the same attack is happening in your environment.

    We can isolate devices in just two clicks. That's also a great feature. We can remediate and repair devices from a central location. It's not too difficult to use that particular tool. The user interface is very easy to understand. You are not required to roam around the console to find where the alert went. It's easy to resolve that.

    When we onboarded Carbon Black, there weren't many EDR solutions available in the market. It was one of the best tools when it was launched. We don't have any complaints with the tool. The tool is very good. It highlights many of the alerts and events.

    What needs improvement?

    When you're investigating an alert, you will get a graph and will see the details related to the process that triggered the alert. Below the graph, there are network connections, file modifications, registry modifications, and multiple other activities. If you want to specifically find which additional modification has been performed, you will have to find the log you're searching for. There isn't a search bar to check for file modifications or network connections. In that case, you don't have a search bar, so you have to check each and every event, which could be more than 1,000.

    You would have to check 1,000 events manually, or you would have to export sheets to view what you are searching for. If they added a search bar, it would reduce the time it takes to do investigations.

    If you want to log into a device, there's a process named winlogon.exe, which is supposed to be initiated. If I'm using Carbon Black, I will have to check where winlogon.exe is being observed or at what time it was being observed. Because there's no search bar, I will have to check for the event in all the device events.

    A search bar in the investigation page and some AI-related tasks like outgoing alerts, or recent tactics that are being used in the market, must be embedded in the tool so that it's easier to find alerts. The AI must be stronger so it can identify activity that is actually malicious.

    For how long have I used the solution?

    I have used this solution for a year and a half.

    What do I think about the stability of the solution?

    It's a stable product.

    What do I think about the scalability of the solution?

    It's scalable because it's based on the cloud.

    How was the initial setup?

    It's sensor-based, so you have to install the machine associated with your application. You will have the configuration file and the agent installation file. You'll have to run the configuration file, and then you'll be onboarded to Carbon Black. It's easy.

    Deployment was fast. It took 15 minutes.

    We have a group of about eight people for maintenance and supervision.

    What other advice do I have?

    I would rate this solution as eight out of ten.

    It's a good tool, but it requires some updates. It doesn't have new features like multi-tactics, which other EDR products are providing.

    My advice is to acknowledge or resolve a particular alert because once they resolve, it will be very difficult for you to find that alert. Handle it with care because with just a click, the device will be isolated. It could be a server, host, or network device. If you click the wrong button out of curiosity, it will destroy the machine. It has multiple accesses and won't ask if you're sure if you want to do an activity or not.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
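    The review above describes two manual chores: scrolling through a device's events to find when winlogon.exe ran, and checking a subscribed intel feed's IOCs against those events. Both are easy to do offline against an exported event sheet. The script below is an added example, not Carbon Black code and not its API; it assumes the console export is a CSV with the columns shown in SAMPLE_EXPORT, and every row, hash and indicator in it is constructed for the demonstration.

```python
"""Offline search over an exported Carbon Black event sheet.

Added example; this is not Carbon Black code and does not call its API.
It assumes the console's event export is a CSV with the columns used in
SAMPLE_EXPORT (columns, rows and hashes are constructed for this demo; a
real export has more fields). It shows the two things the review does by
hand: list every winlogon.exe event with its timestamp, and match an
intel feed's IOCs (SHA-256 hashes, IPs, domains) against the same events.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Constructed stand-ins for real SHA-256 values (64 hex chars each).
HASH_WINLOGON = "a1" * 32
HASH_EXPLORER = "b2" * 32
HASH_PS_DROPPER = "c3" * 32   # the hash the constructed intel feed flags
HASH_SVCHOST = "d4" * 32

# Constructed sample export: one workstation, six events on one day.
# 203.0.113.0/24 and example.net are reserved for documentation.
SAMPLE_EXPORT = f"""\
timestamp,device,event_type,process_name,process_sha256,remote_ip,remote_domain,file_path
2023-02-01T08:00:01Z,WS-0142,process_start,winlogon.exe,{HASH_WINLOGON},,,C:\\Windows\\System32\\winlogon.exe
2023-02-01T08:00:03Z,WS-0142,process_start,explorer.exe,{HASH_EXPLORER},,,C:\\Windows\\explorer.exe
2023-02-01T08:15:42Z,WS-0142,netconn,powershell.exe,{HASH_PS_DROPPER},203.0.113.10,updates.example.net,
2023-02-01T08:15:44Z,WS-0142,filemod,powershell.exe,{HASH_PS_DROPPER},,,C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.dll
2023-02-01T13:02:10Z,WS-0142,process_start,winlogon.exe,{HASH_WINLOGON},,,C:\\Windows\\System32\\winlogon.exe
2023-02-01T13:02:12Z,WS-0142,process_start,svchost.exe,{HASH_SVCHOST},,,C:\\Windows\\System32\\svchost.exe
"""

# Constructed IOC feed, shaped like what a subscribed intel source delivers.
IOC_FEED = {
    "sha256": {HASH_PS_DROPPER},
    "ip": {"203.0.113.10"},
    "domain": {"updates.example.net"},
}


@dataclass(frozen=True)
class Event:
    timestamp: datetime
    device: str
    event_type: str
    process_name: str
    process_sha256: str
    remote_ip: str
    remote_domain: str
    file_path: str


def parse_events(csv_text: str) -> list[Event]:
    """Parse the export into Event records, oldest first (timestamps are UTC 'Z')."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        events.append(Event(
            timestamp=datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            device=row["device"],
            event_type=row["event_type"],
            process_name=row["process_name"],
            process_sha256=row["process_sha256"].lower(),
            remote_ip=row["remote_ip"],
            remote_domain=row["remote_domain"].lower(),
            file_path=row["file_path"],
        ))
    return sorted(events, key=lambda e: e.timestamp)


def find_process(events: list[Event], name: str) -> list[Event]:
    """Every event for one process name, case-insensitively, in time order."""
    wanted = name.lower()
    return [e for e in events if e.process_name.lower() == wanted]


def match_iocs(events: list[Event], feed: dict[str, set[str]]) -> list[tuple[Event, str, str]]:
    """Return (event, ioc_type, ioc_value) for every indicator seen in an event.

    One event can hit several indicator types (hash, IP and domain at once);
    each hit is reported on its own so the analyst sees which one fired.
    """
    hits = []
    for e in events:
        if e.process_sha256 and e.process_sha256 in feed.get("sha256", set()):
            hits.append((e, "sha256", e.process_sha256))
        if e.remote_ip and e.remote_ip in feed.get("ip", set()):
            hits.append((e, "ip", e.remote_ip))
        if e.remote_domain and e.remote_domain in feed.get("domain", set()):
            hits.append((e, "domain", e.remote_domain))
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_EXPORT)
    for e in find_process(events, "winlogon.exe"):
        print(f"{e.timestamp:%Y-%m-%d %H:%M:%S} {e.device} {e.event_type} {e.process_name}")
    for e, kind, value in match_iocs(events, IOC_FEED):
        print(f"IOC hit [{kind}] {value}: {e.event_type} by {e.process_name} at {e.timestamp:%H:%M:%S}")
```

    Point it at a real export by replacing SAMPLE_EXPORT with the file contents and the column names with the ones the console actually writes; the matching logic does not change. Hashes and domains are lower-cased on both sides so a feed that publishes upper-case hex still matches.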
    PeerSpot user
    IT Cybersecurity at a manufacturing company with 10,001+ employees
    Real User
    Good alerts, easy to manually override, and allows remote access to machines
    Pros and Cons
    • "We can access computers remotely if we need to."
    • "Occasionally, we'll have issues with the latest version and they'll basically tell us that they will improve it in the next iteration. They need to work on their version release quality."

    What is our primary use case?

    The solution is deployed on our computers in the company. However, I can't speak to the use cases, as I'm still quite new to the company.

    After we apply some policies we will receive, for example, alerts. We'll look at the devices that have given us alerts and we'll look to see if there is an issue. Then we can prioritize the issues into high and low categories.

    We try to know what is a malicious file or malicious application and we can investigate what's happening according to the alerts in Carbon Black. Many times we've found that our policies avoid false positives. That said, sometimes, we have false positives and we get many alerts. We're working with this in Carbon Black.

    Carbon Black is basically blocking my application. I cannot open files and I cannot install software without it passing the policies. Not just any application can be installed on our computers. They need to be pre-approved. If we need to, however, we can manually bypass to finish an installation.

    What is most valuable?

    The solution allows you to override it and manually install an application if you need it to.

    It's very good at alerting you to malicious content or unauthorized software. 

    We can access computers remotely if we need to.

    What needs improvement?

    Sometimes the solution blocks items that were previously approved and we don't know why.

    It is sometimes hard when I attempt to investigate, to know the commands. It's not easy to do that. You need to upload the right information.

    Occasionally, when we get alerts, we don't get all the information we need, such as the computer's serial number.

    If I reveal an alert in a new window, I need to go back to the main link as it doesn't work.

    Sometimes we need to close the solution and then open it up again.

    Occasionally, we'll have issues with the latest version and they'll basically tell us that they will improve it in the next iteration. They need to work on their version release quality.

    It would be good to have more information about the devices. If you get an alert that a malicious file is on your computer, Carbon Black really doesn't give you the full picture. We also need to wait for the user who owns the computer to be online before we can investigate everything. It's hard when you are working across time zones.

    For how long have I used the solution?

    I started using the solution two weeks ago. I don't have a lot of experience with it just yet.

    What do I think about the stability of the solution?

    The stability could be better. It changes from version to version and from day to day. Sometimes it works perfectly, and sometimes there are issues and we need to close it and re-open the application.

    How are customer service and technical support?

    We do have a person at Carbon Black that, if we have issues, we can reach out to. We let them know when we are having problems and they try to assist. I can't recall if it's email or some other type of internal support system that we go through.

    Sometimes they have answers for us, and sometimes we have to wait for a new version. There's no guarantee our problems will be fixed immediately.

    How was the initial setup?

    By the time I joined the company, the solution was already deployed. I was not part of the implementation process. I can't speak to how easy or difficult the solution is to implement.

    What other advice do I have?

    We have deployed different versions of the solution. At this moment we have 3.5 or we have, for example, for Windows we have 3.1. We deploy it to many computers and in different countries. You need to upgrade or maybe you need to downgrade, depending on the device it's attached to. For example, we have many servers including 2016 and 2019 versions, and then we have different versions of Windows.

    When we decide to deploy a new version we deploy it throughout the region. We have been in America, Asia, and Europe. 

    I'd advise other potential users that, like any solution, you need to know how to use it, you need to know how to implement it, and you need to know how to do the best configuration and update that configuration. If you don't have a good configuration on any application, it will not work for you.

    In general, the solution is good. I would rate it at an eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Information Security Specialist at a comms service provider with 5,001-10,000 employees
    Real User
    Scalable, lightweight, and easy to deploy
    Pros and Cons
    • "The visibility provided has been great."
    • "The solution needs expanded endpoint query tools."

    What is our primary use case?

    The product is an endpoint security product. It's kind of like a replacement for a traditional antivirus.

    How has it helped my organization?

    One of the strong features of the product is its endpoint visibility. It gives you more visibility than a traditional antivirus would give you.

    What is most valuable?

    The visibility provided has been great.

    The ease of deployment is definitely a great selling feature.

    The stability is good and the product is pretty lightweight.

    The solution scales well.

    What needs improvement?

    The reporting could be improved. Some of the built-in reporting isn't ideal. They have an API and everything you need that you can kind of hook into the product pretty easily, however, it'd be nice to have some built-in reports instead of having to seek them elsewhere.

    The solution needs expanded endpoint query tools.

    For how long have I used the solution?

    I've been using the solution for about a year.

    What do I think about the stability of the solution?

    The stability of the solution is good. There are no bugs or glitches. It doesn't crash or freeze. It seems to be a little bit lighter on resources than our previous antivirus.

    What do I think about the scalability of the solution?

    The product can be scaled pretty high. We have about 3,000 sensors deployed. However, it can go a lot higher than that. It depends on your internet connection for the reporting or the information, basically.

    We have kind of a desktop security team that is about five individuals that administer the product part-time, and that can access the console. A couple of them are the ones that spend the most time in it.

    We use the solution extensively and we may look at expanding the EDR - stepping up to one of the other products and adding capabilities. Therefore, we're likely to increase usage in some form in the future.

    How are customer service and technical support?

    Technical support needs some improvement. They don't seem to respond so well to technical help. The good thing is we don't need that much, however, they need to probably improve that a little bit for others who might require more assistance.

    Which solution did I use previously and why did I switch?

    We had McAfee antivirus and it was difficult to tune the policy without compromising security, I would say. Its footprint was a little high. Its performance wasn't that great in terms of endpoint performance.

    How was the initial setup?

    The solution is easy to deploy. The implementation process is simple. It's not overly complex or difficult. 

    While the rollout is pretty easy, you have to kind of tune it a little bit for applications as it discovers them.

    To deploy a sensor, it takes just a couple of minutes or so. Then, to kind of tune the policy itself, you are probably looking at a couple of weeks.

    What about the implementation team?

    Initially, we use the services provided by the vendor, like an on-ramp kind of service. They were great. The team was pretty helpful. 

    What's my experience with pricing, setup cost, and licensing?

    We pay about $15 a node. It's just a standard licensing fee and that's it.

    What other advice do I have?

    I'm just a customer and an end-user.

    I've been using the latest version of the solution.

    The sensors are on-premises, however, the console is in the cloud. It's a VMware product that runs on Amazon.

    I'd advise those considering the solution to seek out some of the training to see if you can get it bundled in with the deployment. The more advanced training, to kind of how to tune the policy and stuff like that, would be helpful to have.

    I'd rate the solution at an eight out of ten as there's still room for improvement in things like reporting. However, the impact on performance and the ability to have greater visibility were pluses in my book.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
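    Two of the reviews above ask for things the product does not give them out of the box: the System Eng complains about a flood of repetitive "noise" alert mails, and the Information Security Specialist notes that the built-in reporting is thin and that the API is the way to build your own. The script below is an added example, not Carbon Black code and not its API; it assumes the alerts were exported as a JSON array with the fields used in SAMPLE_ALERTS, whose devices, reasons and severities are all constructed for the demonstration. The severity buckets (high 7 and up, medium 4 to 6, low 3 and under) are this example's own convention, not the product's.

```python
"""Alert triage and summary over an exported Carbon Black alert list.

Added example; not Carbon Black code and not its API. It assumes alerts
were exported as a JSON array with the fields used in SAMPLE_ALERTS
(fields, values and device names are constructed for the demo; the real
schema is richer). It collapses repeated alerts per device and cause so
one mail goes out instead of one per occurrence, and turns the result
into the kind of summary a daily report needs. The severity buckets are
this example's own convention.
"""
import json
from collections import Counter
from dataclasses import dataclass

# Constructed alert export. Severity is 1-10; "MONITORED" marks activity
# that was only observed, as opposed to a blocked or detected "THREAT".
SAMPLE_ALERTS = json.dumps([
    {"id": "A-1", "device": "WS-0142", "severity": 8, "category": "THREAT",
     "reason": "powershell.exe wrote an executable to a temp folder", "created": "2023-02-01T08:15:44Z"},
    {"id": "A-2", "device": "WS-0142", "severity": 8, "category": "THREAT",
     "reason": "powershell.exe wrote an executable to a temp folder", "created": "2023-02-01T08:15:49Z"},
    {"id": "A-3", "device": "WS-0142", "severity": 3, "category": "MONITORED",
     "reason": "Unknown application executed", "created": "2023-02-01T08:20:00Z"},
    {"id": "A-4", "device": "SRV-DB01", "severity": 5, "category": "THREAT",
     "reason": "Known malware blocked", "created": "2023-02-01T09:00:10Z"},
    {"id": "A-5", "device": "WS-0201", "severity": 2, "category": "MONITORED",
     "reason": "Application ran from removable media", "created": "2023-02-01T09:30:00Z"},
    {"id": "A-6", "device": "WS-0201", "severity": 7, "category": "THREAT",
     "reason": "Process injected code into another process", "created": "2023-02-01T10:05:31Z"},
    {"id": "A-7", "device": "SRV-DB01", "severity": 5, "category": "THREAT",
     "reason": "Known malware blocked", "created": "2023-02-01T11:42:03Z"},
])


@dataclass
class Alert:
    id: str
    device: str
    severity: int
    category: str
    reason: str
    created: str


@dataclass
class Triaged:
    first: Alert      # earliest alert in the group; the one worth mailing
    count: int        # how many exported alerts collapsed into it
    last_seen: str    # timestamp of the most recent repeat


def load_alerts(json_text: str) -> list[Alert]:
    return [Alert(**a) for a in json.loads(json_text)]


def triage(alerts: list[Alert], min_severity: int = 5,
           drop_categories: frozenset = frozenset({"MONITORED"})) -> list[Triaged]:
    """Drop low-value alerts and collapse repeats.

    Repeats share (device, reason). The earliest is kept; later ones only
    bump its count and last_seen. ISO-8601 'created' strings sort as text.
    """
    groups: dict[tuple[str, str], Triaged] = {}
    for a in sorted(alerts, key=lambda a: a.created):
        if a.severity < min_severity or a.category in drop_categories:
            continue
        key = (a.device, a.reason)
        if key in groups:
            groups[key].count += 1
            groups[key].last_seen = a.created
        else:
            groups[key] = Triaged(first=a, count=1, last_seen=a.created)
    # Most severe first; ties broken by device name so output is stable.
    return sorted(groups.values(), key=lambda t: (-t.first.severity, t.first.device))


def bucket(severity: int) -> str:
    """This example's own severity bands, not the product's."""
    if severity >= 7:
        return "high"
    if severity >= 4:
        return "medium"
    return "low"


def summarize(triaged: list[Triaged], total_exported: int) -> dict:
    """Counts that belong at the top of a daily report."""
    by_bucket = Counter({"high": 0, "medium": 0, "low": 0})
    by_device: Counter = Counter()
    for t in triaged:
        by_bucket[bucket(t.first.severity)] += 1
        by_device[t.first.device] += 1
    return {
        "actionable": len(triaged),
        "suppressed": total_exported - len(triaged),
        "by_bucket": dict(by_bucket),
        "by_device": dict(by_device),
    }


def render(triaged: list[Triaged], summary: dict) -> str:
    """Plain-text report: one header line, then one line per actionable group."""
    b = summary["by_bucket"]
    lines = [f"{summary['actionable']} actionable alerts, {summary['suppressed']} suppressed "
             f"(high={b['high']}, medium={b['medium']}, low={b['low']})"]
    for t in triaged:
        lines.append(f"[{bucket(t.first.severity):6}] sev {t.first.severity} {t.first.device:8} "
                     f"x{t.count}  {t.first.reason} (first {t.first.created}, last {t.last_seen})")
    return "\n".join(lines)


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS)
    triaged = triage(alerts)
    print(render(triaged, summarize(triaged, len(alerts))))
```

    The threshold and the dropped categories are parameters on purpose: a regulated environment that wants the "MONITORED" events in its record can pass an empty frozenset and still get the de-duplication, which is what removes most of the mail volume.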
    PeerSpot user
    Buyer's Guide
    Download our free Carbon Black CB Defense Report and get advice and tips from experienced pros sharing their opinions.
    Updated: February 2023