What is our primary use case?
I know they have different forms in their Carbon Black Endpoint now, but we were using Carbon Black Prevent, which was basically just a pure whitelisting product. We didn't look at the other kinds of things that it was doing.
We were basically just using it for, "If Carbon Black picks up a new file in the machine and it's executable or something and it hasn't seen it before, it has to be whitelisted first. It has to be approved before it's allowed to run." That's what we're using it for.
We were technically one and a half versions behind the current version which is out there right now.
The solution is deployed on-prem.
We have cut back the amount of users. At one point, we had about 1,500 or 2,000 users. We're down to about 750 right now.
How has it helped my organization?
The solution just gave us another layer of protection from zero-day threats, because you can't always trust what your users are doing. You just have to do what you can technically to try to mitigate that.
What is most valuable?
I'm on the security department, so it's just in the layer of our prevention to give us protections against, for example, ransomware that might kick off and try to execute different files. If someone downloads something or whatever, it has to be whitelisted first. It has to be approved before it can run at all.
That's better to me than some signature-based thing, because it protects against zero-day. There are things that it doesn't know about, so it has to check them. We have Check Point now as well, but we have a Check Point on our firewalls, not our endpoints.
We have another piece of that infrastructure that does what they call threat emulation. You may have heard of it. It's like sandboxing where it takes files that it doesn't know about, puts them in a VM-type environment, and it kicks them off to see if there's any malware or tendencies that might look like malware, that kind of thing.
It's also a zero-day type of prevention thing, but it kicks them off in a safe environment so that you can see what it's doing. You need integration with Check Point to do that, but that integration went away with the latest release, the one we just put out there.
That was a big part of why we liked Carbon Black, because of its integration: not only could it do the whitelisting, but also we could have automatic rules set up so that if a new file got downloaded by a user, we could automatically send that over to Check Point and it could do its emulation on it in the sandbox. And if it came back clean, then we could automatically approve it.
We wouldn't have to go through a manual process of having our people approve every single file that comes across as having been seen before. So, it was a really good way to work those two products together. But that went away. And so now I'm like, "Okay, what are we going to do now?" I hadn't looked at the Harmony Endpoint at all.
I haven't looked at Check Point's piece, but I was wondering to myself, "If it does something like Carbon Black was doing and then we already have Check Point on the other one, that would work." So, that was what I was trying to do.
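The allowlist-plus-sandbox workflow the reviewer describes (approve by known hash or trusted signer, otherwise send the unknown file to a sandbox and auto-approve on a clean verdict, or fall back to manual review when no sandbox is wired in), as an added Python example that is not Carbon Black's, Check Point's or the reviewer's own code. The Policy, decide and fake_sandbox names, the verdict strings and the sample files are all constructed assumptions.

```python
# Added example: a minimal default-deny execution policy engine.
# Not vendor code; names and verdict strings are assumptions.
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class File:
    path: str
    content: bytes
    signer: Optional[str] = None  # publisher from a (constructed) code-signing cert


@dataclass
class Policy:
    approved_hashes: set            # hashes already approved to run
    trusted_publishers: set         # signers whose files are auto-approved
    # Optional sandbox hook: returns "clean", "malicious" or None (no verdict).
    sandbox: Optional[Callable[[bytes], Optional[str]]] = None
    review_queue: list = field(default_factory=list)  # manual approvals pending


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fake_sandbox(content: bytes) -> str:
    # Constructed stand-in for threat emulation: flags a marker string only.
    return "malicious" if b"constructed-bad-marker" in content else "clean"


def decide(policy: Policy, f: File) -> str:
    """Return "allow" or "block" for a file seen for the first time."""
    h = sha256(f.content)
    if h in policy.approved_hashes:
        return "allow"                       # previously approved hash
    if f.signer is not None and f.signer in policy.trusted_publishers:
        policy.approved_hashes.add(h)        # approve by trusted signer
        return "allow"
    if policy.sandbox is not None:
        verdict = policy.sandbox(f.content)  # automated emulation path
        if verdict == "clean":
            policy.approved_hashes.add(h)    # auto-approve on clean verdict
            return "allow"
        if verdict == "malicious":
            return "block"
    # Unknown file and no usable verdict: default deny, queue for a human.
    policy.review_queue.append((f.path, h))
    return "block"
```

With the sandbox hook set to None the same engine blocks every unknown file and fills review_queue, which is the extra manual workload the reviewer describes once the integration went away.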
What needs improvement?
There could be more knowledge. I think they made a mistake when they took away the Check Point integration, because it provides more automation and also more threat intelligence. Maybe you didn't see something within Carbon Black's sphere of what it knows, within their product line or their threat cloud or whatever they use for their intelligence. Maybe it didn't see anything of the files that it knows about, but what about somebody else's? And what about kicking into another product that does those kinds of things like sandboxing?
I don't know why they would take that away. That doesn't make sense to me because they need to expand on that. The more they expand on that, the more confidence you have as a security guy. You have more confidence that that file is clean, and there's nothing bad about it. Bringing back the integration with Check Point would be a good start.
This product is being used extensively in our organization. I'm actually looking for a replacement because of the fact that we lost that integration. That's really crucial, honestly. Otherwise, it becomes much more manpower-intensive. I need to spend more man-hours going through it instead of using automations.
I prefer to set up things so my team doesn't have to spend a huge amount of time running down rabbit trails all the time. The more we can automate and still be secure about it, that is what we try to do.
There are no additional features I would like to see added. I know they already have a cloud offering as well. You can manage things through their cloud for people that are always on-site. We mostly just use it for our own managed devices. We didn't really put it on. We never planned and don't plan to put it on or make it available to a BYOD kind of thing. This is all company-managed devices.
It just made more sense for us to do it internally than putting it in the cloud. But we could have done either one, I suppose. But since we started out inside, we just kept it that way. It was just easier.
For how long have I used the solution?
I have been using this solution for five years.
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
The solution is scalable. We have never had an issue.
How are customer service and support?
I would rate technical support 5 out of 5.
Which solution did I use previously and why did I switch?
We did a proof of a couple different products, but we chose CB. And we've been with them since, because they do a good job. They've been pretty easy to manage, and they've had good support. So, we've actually been really happy with them.
How was the initial setup?
It was pretty straightforward. It took some time to roll out. We wanted to eventually get to a point where we are now, which was to totally block everything we don't know about. But that didn't come out of the box. You had to let things run for a while.
It did a good job of reporting things, but not blocking so we could go through there and say, "Okay, these are legitimate files. Or these files were signed with these certificates from these vendors that we can trust," for example. We spent six or eight months going through everything before we actually turned it into full blocking mode. As far as initial rollout, it was fairly simple, and it's been fairly easy to upgrade the agents.
We ran into some issues with some of the MSIs and things or some systems when we tried to update some things and it broke. I'd probably rate the setup a four out of five.
We do deployment slowly and in phases. We could have deployed it pretty fast, actually. But it took us about three months to deploy everything because we wanted to make sure we had test groups of machines that we put into each department or each part of the organization, because they do different things. We didn't want to inadvertently start breaking certain things. So, we took our time pulling it out. But I think, essentially, it could have been deployed in probably a few weeks at the most.
We have a team of about five people who take care of maintenance.
What about the implementation team?
We implemented it through an in-house team.
What's my experience with pricing, setup cost, and licensing?
The licensing cost is on the more expensive side, but I thought it was worth it because they did a good job. It was one of the vendors I truly didn't have to worry about too much until this latest upgrade.
What other advice do I have?
I would rate this solution 8 out of 10.
I'd say, "go for it" if you don't have or need Check Point for an integration. But if you're relying on that kind of integration, if you really need that like we did, then of course I wouldn't go that route.
If I were to make a recommendation to somebody else just starting out, my advice is to check out the cloud first.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.