IT Central Station is now PeerSpot: Here's why

Carbon Black CB Defense OverviewUNIXBusinessApplication

Carbon Black CB Defense is #1 ranked solution in top Security Incident Response tools, #7 ranked solution in EDR tools, and #8 ranked solution in endpoint security software. PeerSpot users give Carbon Black CB Defense an average rating of 8 out of 10. Carbon Black CB Defense is most commonly compared to Microsoft Defender for Endpoint: Carbon Black CB Defense vs Microsoft Defender for Endpoint. Carbon Black CB Defense is popular among the large enterprise segment, accounting for 37% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 24% of all views.
What is Carbon Black CB Defense?

CB Defense is an industry-leading next-generation antivirus (NGAV) and endpoint detection and response (EDR) solution. CB Defense is delivered through the CB Predictive Security Cloud, an endpoint protection platform that consolidates security in the cloud using a single agent, console and data set. CB Defense is certified to replace AV and designed to deliver the best endpoint security with the least amount of administrative effort. It protects against the full spectrum of modern cyber attacks, including the ability to detect and prevent both known and unknown attacks. CB Defense leverages the powerful capabilities of the CB Predictive Security Cloud, applying our unique streaming analytics to unfiltered endpoint data in order to predict, detect, prevent, respond to and remediate cyber threats. In addition, CB Defense provides a suite of response and remediation tools, including Live Response, which allows security personnel to perform remote live investigations, intervene with ongoing attacks and instantly remediate endpoint threats. For peace of mind, CB Defense customers can also leverage CB ThreatSight, Carbon Black’s managed threat alert service, to validate alerts and uncover new threats.

Carbon Black CB Defense was previously known as Bit9, Confer.

Carbon Black CB Defense Buyer's Guide

Download the Carbon Black CB Defense Buyer's Guide including reviews and more. Updated: May 2022

Carbon Black CB Defense Customers

Netflix, Progress Residential, Indeed, Hologic, Gentle Giant, Samsung Research America

Carbon Black CB Defense Video

Carbon Black CB Defense Pricing Advice

What users are saying about Carbon Black CB Defense pricing:
  • "It is more expensive, but it's worth it. There are no additional costs beyond the standard licensing fee."
  • "The licensing cost is on the more expensive side, but I thought it was worth it because they did a good job. It was one of the vendors I truly didn't have to worry about too much until this latest upgrade."
  • Carbon Black CB Defense Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    IT Infrastructure and Security Manager at a paper AND forest products with 1,001-5,000 employees
    Real User
    Top 20
    The manage, detect, and response feature enables Carbon Black to continuously check logs and advise us on how to improve some of the policies
    Pros and Cons
    • "The new feature that we're deploying, the new offering from Carbon Black, is MDR, which stands for manage, detect, and response. It's the most valuable feature because Carbon Black will be continuously checking the logs, and they will be advising us on how to improve some of the policies as well as review the logs. If there are any nefarious agents or things happening on the end points, they will know."
    • "The node management could be much better. The one thing that they cannot do very easily is change the tenant from a backend."

    What is our primary use case?

    It is a default software that goes on every computer. This is antivirus endpoint protection. It's pretty simple. The standard application goes on every single machine that we deploy that is Windows based. We have it running on machines that are deployed on the cloud, machines that are deployed on-premise, and on machines that people are using strictly on the internet. We're using the Carbon Black Endpoint. We're using the latest sensors. We've used 3.7 and 3.8. Initially when we deployed it, there were over 2,000 users in terms of giving access to the console. We had roles created for security analysts. There were different roles. For example, the field services who take care of the PCs could go take a look. They could bypass if needed, but they could not change any roles or uninstall the agent.  Other roles, such as mine, have full access. We had roles where we had actually created the API integration key where we were sending the Carbon Black logs to a third party who was our SIM for review. There are different roles you can define in there.

    What is most valuable?

    The new feature that we're deploying, the new offering from Carbon Black, is MDR, which stands for manage, detect, and response. It's the most valuable feature because Carbon Black will be continuously checking the logs, and they will be advising us on how to improve some of the policies as well as review the logs. If there are any nefarious agents or things happening on the end points, they will know.  They also have the ability to take action based on what we've already agreed upon, what rights we give them, or what we tell them they can or can't do as part of their response. Hypothetically, if there's a rogue machine that is trying to infect other machines, we can tell them that they should try to contact us, but if they don't get a hold of anybody in GreenFirst IT in 15 minutes, they should go ahead and quarantine that machine. They can take actions, they can do remediation or response. Instead of advising, they will be taking action.

    What needs improvement?

    The node management could be much better. The one thing that they cannot do very easily is change the tenant from a backend. As an example, assets were sold from a company called Rayonier Advanced Materials and went to GreenFirst, which became GreenFirst as a startup. We had a tenant where all the machines were registered to the cloud. That is the tenant that was there for Rayonier. It is very hard for them to make changes to the tenants, such as rename or anything like that. What they really would push you to do is, "Your tenant is going to be under your company name. You have to uninstall all the agents and reinstall them again." Making changes at a tenant-level would be a welcome feature to allow divestitures and things like that. They can do some of these things, but they're not very user friendly or easily done. They basically tell you to do the hard lifting yourself. For example, they basically kept pushing me and saying, "Uninstall your antivirus on about 500 machines and reinstall it with the new tenant information." I would say "No, everything is a tenant. Rename me the tenant." I would like to see the GUI improved and easier troubleshooting. One thing they did that makes it easier in troubleshooting versus the older versions of the software is that now you can actually drill down to see the parent process and go all the way down.  In CrowdStrike, they have a timeline where they actually build the whole scenario as to what happened. It's like a playback. It's almost like a movie. You play back and it says, "Okay, this process ran," and then it shows what it caused and everything. You can see all that and if there are any screen outputs it puts it on because CrowdStrike actually maintains some of those things. A playback feature would be very valuable.

    For how long have I used the solution?

    I have worked with this solution for over three years.
    Buyer's Guide
    Carbon Black CB Defense
    May 2022
    Learn what your peers think about Carbon Black CB Defense. Get advice and tips from experienced pros sharing their opinions. Updated: May 2022.
    598,116 professionals have used our research since 2012.

    What do I think about the stability of the solution?

    Carbon Black is a very capable tool. It's a very strong product.

    What do I think about the scalability of the solution?

    There have been no issues with the scalability. It's on every single node, so I cannot increase it anymore than that.

    How are customer service and support?

    Their technical support is better than most of the normal tech supports that I've dealt with. My one pet peeve with them is that they respond to your request on their portal. For example, if you need to have a working session with them, they respond to your request in the portal, and you are not always in the portal and you may miss a time that they would be available to assist you. It would be much better if they picked up the phone or actually emailed instead of always using their portal. I would rate their technical support a 3.5 out of 5.

    Which solution did I use previously and why did I switch?

    We switched because we wanted to go to a next-gen antivirus that looked at the pattern instead of looking for signature. The second thing is we were trying to get off Kaspersky because it's a Russian company and Rayonier AM was an American company. The biggest reason was to go to a next-gen antivirus. This is hardly signature based. It's more than heuristic, and one of the other reasons is that the updates are pushed over the cloud when the nodes are available. We don't need people to be connecting to an internal server on-prem to get their updates. Another reason was security features and the ability to quarantine a machine regardless if it's on-prem or if it's just on the internet.

    How was the initial setup?

    If you're not used to Carbon Black, it can be challenging because these are not regular rules, like the way you would deploy under a normal antivirus. There are a lot of different functionalities that you could do that are not available under normal antivirus things, such as allowing a script or an application to run based on hash, or white listing if an application is signed by a specific code sign or certificate. It can be very challenging. When we did it years ago, we went from McAfee and Kaspersky to Carbon Black. At that time, there were 2,000 or so nodes. Deployment took less than a month. That was due to us doing various types of scripting for a massive rollout and automatic installation of the tool and the automatic uninstall of the older tools.

    What about the implementation team?

    Deployment was done in-house.

    What was our ROI?

    It's very subjective to give an ROI on an antivirus. If I was making a piece of equipment and I implemented something that could show that instead of something that takes four hours to complete, now it takes three hours, I could tell you what my ROI would be. In this instance it is very subjective. The only thing that you could do is take a look at how many security incidents you've had with a different product versus what you think you will have with going with Carbon Black, or assume you won't have any issues with Carbon Black versus how many issues you had with the other one, and then you can see how long it takes.  Speaking from experience, for the former company that I worked for, we were hit with malware, a ransomware where some files were encrypted, but we were able to get them from the backup. However, attacks such as that have failed since we have had Carbon Black.

    What's my experience with pricing, setup cost, and licensing?

    It is more expensive, but it's worth it. There are no additional costs beyond the standard licensing fee.

    Which other solutions did I evaluate?

    We looked at CrowdStrike, the offering from Blackberry called SentinelOne, and we looked at the major other AV providers like Sophos, McAfee, and Norton.

    What other advice do I have?

    I would rate this solution 8 out of 10.  Carbon Black gives a different offering. Their ThreatHunter gives you more of the threat hunting features, so if they basically make that a standard feature, then I would rate it higher. My advice is to use a deployment tool if you have one because it will come in handy. I would also suggest that you enable the feature in Carbon Defense because uninstallation requires a key so that people can't get rid of it. If you are going to be buying it, my advice would be to take a look at their manage, detect, and response feature because you take the onus away from your internal team, and you also take away potential misconfiguration out of your internal IT group because they will be looking at all the logs, and they will be reviewing the policies and they can actually tell you how to do it. If you do not have the manage, detect and response, it all falls on you, and then you would have to integrate it with your own. If you have a SIM, you would have to learn how to integrate it to your SIM.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    Lead IT Security Analyst at a government with 501-1,000 employees
    Real User
    Top 20
    Gave us another layer of protection from zero-day threats
    Pros and Cons
    • "We have another piece of that infrastructure that does what they call threat emulation. It's like sandboxing where it takes files that it doesn't know about, puts them in a VM-type environment, and it kicks them off to see if there's any malware or tendencies that might look like malware, that kind of thing."
    • "There could be more knowledge. I think they made a mistake when they took away the Check Point integration, because it provides more automation and also more threat intelligence."

    What is our primary use case?

    I know they have different forms in their Carbon Black Endpoint now, but we were using Carbon Black Prevent, which was basically just a pure whitelisting product. We didn't look at the other kinds of things that it was doing.

    We were basically just using it for, "If Carbon Black picks up a new file in the machine and it's executable or something and it hasn't seen it before, it has to be whitelisted first. It has to be approved before it's allowed to run." That's what we're using it for.

    We were technically one and a half versions behind the current version which is out there right now.

    The solution is deployed on-prem.

    We have cut back the amount of users. At one point, we had about 1,500 or 2,000 users. We're down to about 750 right now.

    How has it helped my organization?

    The solution just gave us another layer of protection from zero-day threats, because you can't always trust what your users are doing. You just have to do what you can technically to try to mitigate that.

    What is most valuable?

    I'm on the security department, so it's just in the layer of our prevention to give us protections against, for example, ransomware that might kick off and try to execute different files. If someone downloads something or whatever, it has to be whitelisted first. It has to be approved before it can run it all.

    That's better to me than some signature-based thing, because it protects against zero-day. There are things that it doesn't know about, so it has to check them. We have Check Point now as well, but we have a Check Point on our firewalls, not our endpoints.

    We have another piece of that infrastructure that does what they call threat emulation. You may have heard of it. It's like sandboxing where it takes files that it doesn't know about, puts them in a VM-type environment, and it kicks them off to see if there's any malware or tendencies that might look like malware, that kind of thing.

    It's also a zero-day type of prevention thing, but it kicks them off in a safe environment so that you can see what it's doing. You need integration with Check Point to do that, but that integration went away with the latest release, the one we just put out there.

    That was a big part of why we liked Carbon Black, because it is integration to not only do the whitelisting, but also we could have automatic rules set up so that if a new file got downloaded by a user, we could automatically send that over to Check Point and it could do its emulation on it in the sandbox. And if it came back clean, then we could automatically approve it.

    We wouldn't have to go through a manual process of having our people approve every single file that comes across as having been seen before. So, it was a really good way to work those two products together. But that went away. And so now I'm like, "Okay, what are we going to do now?" I hadn't looked at the Harmony Endpoint at all.

    I haven't looked at Check Point's piece, but I was wondering to myself, "If it does something like Carbon Black was doing and then we already have Check Point on the other one, that would work." So, that was what I was trying to do.

    What needs improvement?

    There could be more knowledge. I think they made a mistake when they took away the Check Point integration, because it provides more automation and also more threat intelligence. Maybe you didn't see something within Carbon Black's sphere of what it knows, within their product line or their threat cloud or whatever they use for their intelligence. Maybe it didn't see anything of the files that it knows about, but what about somebody else's? And what about kicking into another product that does those kinds of things like sandboxing?

    I don't know why they would take that away. That doesn't make sense to me because they need to expand on that. The more they expand on that, the more confidence you have as a security guy. You have more confidence that that file is clean, and there's nothing bad about it. Bringing back the integration with Check Point would be a good start.

    This product is being used extensively in our organization. I'm actually looking for a replacement because of the fact that we lost that integration. That's really crucial, honestly. Otherwise, it becomes much more manpower-intensive. I need to spend more man-hours going through it instead of using automations.

    I prefer to set up things so my team doesn't have to spend a huge amount of time running down rabbit trails all the time. The more we can automate and still be secure about it, that is what we try to do.

    There are no additional features I would like to see added. I know they already have a cloud offering as well. You can manage things through their cloud for people that are always on-site. We mostly just use it for our own managed devices. We didn't really put it on. We never planned and don't plan to put it on or make it available to a BYOD kind of thing. This is all company-managed devices.

    It just made more sense for us to do it internally than putting it in the cloud. But we could have done either one, I suppose. But since we started out inside, we just kept it that way. It was just easier.

    For how long have I used the solution?

    I have been using this solution for five years.

    What do I think about the stability of the solution?

    It's stable.

    What do I think about the scalability of the solution?

    The solution is scalable. We have never had an issue.

    How are customer service and support?

    I would rate technical support 5 out of 5.

    Which solution did I use previously and why did I switch?

    We did a proof of a couple different products, but we chose CB. And we've been with them since, because they do a good job. They've been pretty easy to manage, and they've had good support. So, we've actually been really happy with them.

    How was the initial setup?

    It was pretty straightforward. It took some time to roll out. We wanted to eventually get to a point where we are now, which was to totally block everything we don't know about. But that didn't come out of the box. You had to let things run for a while.

    It did a good job of reporting things, but not blocking so we could go through there and say, "Okay, these are legitimate files. Or these files were signed with these certificates from these vendors that we can trust," for example. We spent six or eight months going through everything before we actually turned it into full blocking mode. As far as initial rollout, it was fairly simple, and it's been fairly easy to upgrade the agents.

    We ran into some issues with some of the MSIs and things or some systems when we tried to update some things and it broke. I'd probably rate the setup a four out of five.

    We do deployment slowly and in phases. We could have deployed it pretty fast, actually. But it took us about three months to deploy everything because we wanted to make sure we had test groups of machines that we put into each department or each part of the organization, because they do different things. We didn't want to inadvertently start breaking certain things. So, we took our time pulling it out. But I think, essentially, it could have been deployed in probably a few weeks at the most.

    We have a team of about five people who take care of maintenance.

    What about the implementation team?

    We implemented it through an in-house team.

    What's my experience with pricing, setup cost, and licensing?

    The licensing cost is on the more expensive side, but I thought it was worth it because they did a good job. It was one of the vendors I truly didn't have to worry about too much until this latest upgrade.

    What other advice do I have?

    I would rate this solution 8 out of 10. 

    I'd say, "go for it" if you don't have or need Check Point for an integration. But if you're relying on that kind of integration, if you really need that like we did, then of course I wouldn't go that route.

    If I were to make a recommendation to somebody else just starting out, my advice is to check out the cloud first.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    Buyer's Guide
    Carbon Black CB Defense
    May 2022
    Learn what your peers think about Carbon Black CB Defense. Get advice and tips from experienced pros sharing their opinions. Updated: May 2022.
    598,116 professionals have used our research since 2012.
    Randy Lahti - PeerSpot reviewer
    Founding Partner, Security Architect at ISS
    Reseller
    Top 20
    Well organized documentation, overall superior functionality, and helpful visualizations
    Pros and Cons
    • "Some of the valuable features I have found are the online documentation of the solution is well organized and thorough. I like the simplicity of bypass and the visualization of the active components."
    • "This solution could have greater granular control on how certain applications work."

    What is our primary use case?


    Some of my client's use cases are typical endpoint protection, telemetry, and threat hunting. We are using all three of the most popular services that point back to the cloud central console.

    What is most valuable?

    Some of the valuable features I have found are the online documentation of the solution is well organized and thorough. I like the simplicity of bypass and the visualization of the active components. If I want to know which file is being utilized and what sub-files it is calling, the visualization given is very helpful.

    I would like to see them continue to run some of the AI-type comparisons. I know everyone is really secretive about what they do and what they have engineered, but I think Cylance was a good market disruptor years ago with their approach. Now we see SentinelOne and everyone is approaching that piece of the puzzle similarly now. I just would like to see more of a comparison. We have done our own technical comparison but it is fairly expensive. All solutions have pros and cons, if more third-party organizations or teams could evaluate how each product works in pros and cons many people would benefit.

    What needs improvement?

    This solution could have greater granular control on how certain applications work. You are able to do the operation of allowing or disallow, or you can block unusual usage of an application, but they do not define it well. 

    The PowerShell is being called in any way that the threat actor might use it versus an administrator. You are in a way taking this solutions' best guess at it or their understanding of it. They do not clearly tell you in technical terms how they make that determination. They should be more forthright about it, or if they can not tell us, they should just give us the control to make those selections. We are choosing it because at least we have that control where we do not have that same amount of control with other solutions like Cylance. However, they are still not telling us precisely what constitutes suspicious behavior, what actions, or what calls. It is a check box to say, lock if we have inappropriate use, or block if we have suspicious behavior. It would be helpful to tell us what that actually meant.

    In the future, I would like to see more granular control of PowerShell and more administrative tools.

    For how long have I used the solution?

    I have been using the solution for approximately six months.

    What do I think about the stability of the solution?

    The stability of the solution has been good. I like the fact that their call home is a single port, 443, a well-known port with a backup port, 54443. Their architecture, that way is easy for network admin to understand and open up and passing firewalls. In contrast with ATP, ATP has a lot of port requirements, It is much more complex and easy to misunderstand ATP communications until you really dig hard to see how does it work. This solution is much simpler that way. Additionally, performance-wise, user agents seem to hover around 1%-2%, it is fairly efficient and lightweight.

    What do I think about the scalability of the solution?

    The scalability of the solution has been good. We implemented a couple of large POCs. We have some clients and colleagues that are running it at scale, with more than 5,000 endpoints with great success. We are pleased overall. Most of our clients are mid-cap or small enterprises.

    How are customer service and technical support?

    I have found the solution support has been strong. 

    I would rate the support of Carbon Black CB Defense a seven out of ten.

    Companies need to work on the timeliness of support. Getting directed to a strong enough, experienced enough technical person sooner is important. That just is not the way support is currently built. Usually, they start at tier one and move up. I am sure there are a lot of customers that call in support with simpler questions that you do not want to tie up a tier-three person's time. However, I do not think my request for support to improve is not unique to this solution. 

    We have a very knowledgeable technical team. When we call for support we are wanting to interact with tier two or tier three right away. It is frustrating to have to work through the tiers to get where we want to go.

    Which solution did I use previously and why did I switch?

    We previously used Cylance and we are coming off of a direct comparison of the two. In the current version of this solution, they have a stronger AI version or component. The overall general quality of the breadth of the solution is better. To receive the same functionality in Cylance, we needed to add the CylanceOPTICS product and we have not had great success with it.

    What I do not like about Cylance is it is very binary. You either allow AST to be a 56-bit hash or you do not. I think there is room for more granular control, which we now receive by using this solution.

    Overall this solution is better than Cylance.

    How was the initial setup?

    The initial setup has been straightforward. I think their user interfaces in mature and understandable, they did a good job in it. I would not say any end-point solution is simple, but I think it is more intuitive than many of them.

    What other advice do I have?

    My advice to others is to take advantage of the POC and work with your POC rigorously. I think we have good responses on the POC as they get closer and closer to wanting to close. We were able to get stronger and stronger and more timely support. It is a good program and they are very fair about it. In any EDR, I would test them heavily and do not rely on marketing.

    When applying an overall rating to this solution I do not think there are any tens in the marketplace. We very pleased and we evaluate this every year or two. In our POC, we had 200 samples including ones that were available but not as popular and we received a 100% efficacy. We were very pleased with the results.

    I rate Carbon Black CB Defense an eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
    System Eng at a wholesaler/distributor with 1,001-5,000 employees
    Real User
    Easy to deploy, extremely scalable, and offers very good protection
    Pros and Cons
    • "The solution is extremely scalable."
    • "In the past, we've seen some stability issues in the latest version releases. We tend to hang back one version just to make sure issues are fully resolved to avoid user disruption."

    What is our primary use case?

    The solution is primarily used for protection. It's used on all of our servers and all of our workstations.

    How has it helped my organization?

    The product has considerably decreased any of our malware or malicious software injection within our organization. Since March of 2018, we have not had a malicious intrusion success. It's kept us quite safe.

    What is most valuable?

    The solution's most valuable aspect is its process monitoring due to the fact that it doesn't necessarily use signature-based definitions. It uses processor-based definitions. If a process tries to spawn some type of malicious process, it'll stop it.

    The initial setup is easy.

    The organization has to protect against users and Carbon Black does just that for the company. What I mean by that is not all users are savvy enough to understand, "Hey, I shouldn't be running this or I get a pop-up on a browser and I don't click on it." Carbon Black stops that if they do.

    The solution is extremely scalable.

    What needs improvement?

    The alerting mail needs to be customizable. Right now, it isn't. That has to change. Right now, I get a lot of what I call noise email alerts. All I hear from them is, "Well, we're working on it. We're working on it." Well, they've been working on it for four years now, and nothing has changed.

    In the past, we've seen some stability issues in the latest version releases. We tend to hang back one version just to make sure issues are fully resolved to avoid user disruption.

    For how long have I used the solution?

    We've been using the solution since 2017. It's been a few years at this point.

    What do I think about the stability of the solution?

    The solution is generally mostly stable. We tend to try to stay one version back in order to get better stability. I've run into problems already where Carbon Black has flagged certain things in a later release that they weren't flagging previously and it disrupts my user base.

    What do I think about the scalability of the solution?

    The scalability is very good. It's pretty much unlimited at this point. A company can scale however much they like with no trouble.

    We have over 500 licenses. The use cases are mostly for our servers and our workstation user roles are drafters, engineers.

    We use the solution enterprise-wide. I'm not going to increase usage except maybe to increase the license count if servers or workstations go up.

    How are customer service and technical support?

    Their technical support is beyond compromise. They've been absolutely excellent. We're quite satisfied with their level of attention. 

    Which solution did I use previously and why did I switch?

    We were previously using Symantec. We switched for numerous reasons. One of them was the fact that Symantec was just not catching a lot of our intrusion at that time. Again, this would have been back in 2017, and a lot of the malware that was coming out back then, the agents weren't catching as quickly. Nobody really had much sense of what zero-day attacks meant.

    How was the initial setup?

    The initial setup is not overly complex. It's pretty straightforward.

    The deployment was fast and the process took maybe two hours or so. The deployment strategy was just running the installation agent.

    There really is no maintenance required. It's just as simple as re-installing or installing the agent.

    What about the implementation team?

    We didn't need to use any integrators or consultants for the deployment. We handled everything ourselves in-house.

    What was our ROI?

    We noticed an ROI after about six months of working with the solution.

    Previous to Carbon Black, we had a malware attack that cost us a significant amount of money. We haven't had one since, and therefore, our return on investment has been significant.

    What's my experience with pricing, setup cost, and licensing?

    We simply auto-renew every year. I can't speak to the exact pricing. My standard license includes everything that I need without any extra costs.

    Which other solutions did I evaluate?

    I was looking at the possibility of replacing this solution with Defender, as that's part of our Office 365 licensing package that we have. I was asking myself "will this help? Is it really worth me spending x number of dollars for CBD versus using Defender?" However, after careful examination, we decided to stick with Carbon Black.

    What other advice do I have?

    We're generally always using the latest version of the solution, minus one. What I mean by that is it's not always current, however, it's always at least within one of the most current versions. We've got too many things going on to really be on the bleeding edge if you will. At times to go up to the next one I want to be sure I have a good stable one. What I'll do is let's say 3.3 comes out next week, I won't necessarily go to it. I will wait until 3.4 comes out to go to 3.3.

    While the agents are installed locally, everything basically goes through the cloud. We don't deal with on-premises deployments.

    I would advise new users to be cautious or policy settings. I'd also warn them that they should be prepared for lots of emails.

    Overall, I would rate the solution at a nine out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Cyber Security Consultant with 1,001-5,000 employees
    Real User
    Very customizable with good documentation and an easy initial setup
    Pros and Cons
    • "There's lots of very useful documentation online to help troubleshoot and learn about the product."
    • "I'm not sure as to the logic of how we've decided to customize it. We've only really used it since February and therefore there may be more to do on that front. That's why it's hard to say if something is missing or if we just aren't utilizing it."

    What is our primary use case?

    Basically we use the solution for protecting and detecting misuse of end-users while using their end-points to access the internet, especially for browsing websites, or suspicious activity as far as misusing their web browser. It protects them from web-based attacks such as DDos (Denial of Service) or ransomware. 

    What is most valuable?

    What I find most interesting is the performance of the end-point client, as well as the capability of detecting any activity on the end-user while using their browsers to navigate the internet. 

    To monitor that activity from a security standpoint, detecting cross-site scripting or SQL injection activities that might be coming out from the browser. That's a very needed feature that allows it to distribute the security across the company and not centralizing it only on the firewalls or in the intrusion detection systems. 

    The solution is quite customizable.

    It's easy to set up the solution.

    There's lots of very useful documentation online to help troubleshoot and learn about the product.

    What needs improvement?

    I can't think of any feature that needs to be enhanced or reviewed at this time.

    Some of the features that I see as an end-user, unfortunately, I haven't been able to see from a project management standpoint. I'm not sure if we're actually taking advantage of all the available features. I don't know if it's because we haven't configured it yet, or we are not using it. 

    I'm not sure as to the logic of how we've decided to customize it. We've only really used it since February and therefore there may be more to do on that front. That's why it's hard to say if something is missing or if we just aren't utilizing it.

    For how long have I used the solution?

    I've been using the solution for about a year and a half.

    What do I think about the stability of the solution?

    It's pretty stable. We haven't heard of any issues and we don't know yet about usage and security issues outside of the performance or any stabilities in the product itself. So far I would say that I consider it stable - very stable in fact.

    What do I think about the scalability of the solution?

    Given the number of people that are using it, I would consider it as scalable without having specific details on the performance, on the central management, or the management points. I would say that, due to the behavior of the solution with the end-users, it's a good solution. It is scalable.

    How are customer service and technical support?

    I haven't used technical support myself just yet. I've only really gone as far as looking at their documentation on their website, including the blog, user support page, and other related documentation. I would say that is good. It's enough. 

    There is more than enough information for tech-savvy people, and knowledgeable people that are looking for specific things. There are details telling them how to fix certain issues related to the product, or how to manage some of the product software. I would say that the documentation and the support are okay. It's what I would use personally. I prefer either looking at the documentation myself and then calling the call center after that if it's still necessary.

    How was the initial setup?

    We found the initial setup to be relatively straightforward. It's easy. It's not complex at all.

    The time it takes to deploy depends upon the number of end-points that you are deploying. That said, as far as I know, it took us probably six to nine months. This is due to the fact that there were some other technical issues not related to the service. That was my understanding at the time.

    What other advice do I have?

    We're just customers and end-users. We don't implement this solution for clients or anything like that.

    I'm not sure which version of the solution I'm using. It might be the latest, however, I can't say for sure. We use it at a bank for our endpoints. Therefore, it's likely the latest.

    There are between 20,000-30,000 people using the solution within our organization. It's definitely 20,000 at least.

    I would advise others to basically set the expectations as far as the features they expect or need from a security solution. This solution can't solve problems related to security practices within the company. Internal policies must be in place. Then, figure out how to integrate this solution and its available features into your internal security protocols. 

    Overall, I would rate the solution at a nine out of ten. We've been pretty happy with the product so far.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    IT Cybersecurity at a manufacturing company with 10,001+ employees
    Real User
    Good alerts, easy to manually override, and allows remote access to machines
    Pros and Cons
    • "We can access computers remotely if we need to."
    • "Occasionally, we'll have issues with the latest version and they'll basically tell us that they will improve it in the next iteration. They need to work on their version release quality."

    What is our primary use case?

    The solution is  deployed in our computers in the company. However, I can't speak to the use cases, as I'm still quite new to the company.

    After we apply some policies we will receive, for example, alerts. We'll look at the devices that have given us alerts and we'll look to see if there is an issue. Then we can prioritize the issues into high and low categories.

    We try to know what is a malicious file or malicious application and we can investigate what's happening according to the alerts in Carbon Black. Many times we've found that our policies avoid false positives. That said, sometimes, we have false positives and we get many alerts. We're working with this in Carbon Black.

    Carbon black is basically blocking my application. I cannot open files and I cannot install software without it passing the policies. Not just any application can be installed on our computers. They need to be pre-approved. If we need to, however, we can manually bypass to finish an installation.

    What is most valuable?

    The solution allows you to override it and manually install an application if you need it ti.

    It's very good at alerting you to malicious content or unauthorized software. 

    We can access computers remotely if we need to.

    What needs improvement?

    Sometimes the solution blocks items that were previously approved and we don't know why.

    It is sometimes hard when I attempt to investigate, to know the commands. It's not easy to do that. You need to upload the right information.

    Occasionally, when we get alerts, we don't get all the information we need, such as the computer's serial number.

    If I reveal an alert in a new window, I need to go back to the main link as it doesn't work.

    Sometimes we need to close the solution and then open it up again.

    Occasionally, we'll have issues with the latest version and they'll basically tell us that they will improve it in the next iteration. They need to work on their version release quality.

    It would be good to have more information about the devices. If you get an alert that a malicious file is on your computer, Carbon Black really doesn't give you the full picture. We also need to wait for the user who owns the computer to be online before we can investigate everything. It's hard when you are working across time zones.

    For how long have I used the solution?

    I started using the solution two weeks ago. I don't have a lot of experience with it just yet.

    What do I think about the stability of the solution?

    The stability could be better. It changes from version to version and from day to day. Sometimes it works perfectly, and sometimes there are issues and we need to close it and re-open the application.

    How are customer service and technical support?

    We do have a person at Carbon Black that, if we have issues, we can reach out to. We let them know when we are having problems and they try to assist. I can't recall if it's email or some other type of internal support system that we go through.

    Sometimes they have answers for us, and sometimes we have to wait for a new version. There's no guarantee our problems will be fixed immediately.

    How was the initial setup?

    By the time I joined the company, the solution was already deployed. I was not part of the implementation process. I can't speak to how easy or difficult the solution is to implement.

    What other advice do I have?

    We have deployed different versions of the solution. At this moment we have 3.5 or we have, for example, for Windows we have 3.1. We deploy it to many computers and in different countries. You need to upgrade or maybe you need to downgrade, depending on the device it's attached to. For example, we have many servers including 2016 and 2019 versions, and then we have different versions of Windows.

    When we decide to deploy a new version we deploy it throughout the region. We have been in America, Asia, and Europe. 

    I'd advise other potential users that, like any solution, you need to know how to use it, you need to know how to implement, and you need to know how to do the best configuration and update that configuration. If you don't have a good configuration on any application, it will work not for you.

    In general, the solution is good. I would rate it at an eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Dhrubo Roy - PeerSpot reviewer
    Threat and Vulnerability Engineer at Horizon Blue Cross Blue Shield of New Jersey
    Real User
    Top 20
    Has simplified management, has a nice UI, and it's very simple but EDR needs improvement
    Pros and Cons
    • "What I like the most about it is the dynamic grouping, where you get to group endpoints based on setup criteria. That's pretty cool. I like the simplified policy management and simplified white-listing process."
    • "The EDR portion could be better. I'm not a big fan, but it works."

    What is most valuable?

    What I like the most about it is the dynamic grouping, where you get to group endpoints based on setup criteria. That's pretty cool. I like the simplified policy management and simplified white-listing process. Coming from McAfee, management has been much simpler and much easier to look at. 

    I like the simplified management, it has a nice UI, and it's very simple.

    What needs improvement?

    The EDR portion could be better. I'm not a big fan, but it works.

    The End Point Detection Response and the way it lays our processes with our endpoint and its detection engine, in the way that it detects the admin or alerts we based on a threat. I feel that they're a little behind on the market from my perspective.  

    Overall, areas of improvement would be the EDR part, the detection, also the cloud console. If you're trying to write queries or something, it's very slow, just not robust.

    It's a cloud console so it should be fast. If I run a query and I press enter, if it took two seconds, it wouldn't give me a nice loading interface, because it's stuck. I would see an operating system most of the time. 

    I feel like it should be faster. But as far as the price and everything, I think it's a good product.

    For how long have I used the solution?

    We're actually doing a migration from McAfee to Carbon Black. The migration project has been about 12 months right now. We're slowly migrating.

    What do I think about the stability of the solution?

    Stability is one thing that's not robust. Other products are faster, but as far as the CB Defense, it's slow. We had some issues with the sensors and we also saw slowness on the Windows side, Windows file share, which actually was fixed in the next new version of the sensor.

    I'm the only network security person here. But the other users who have different roles have access as well. In my team, there are five or six people. But I'm the only one actually directing changes.

    We use it on a daily basis. 

    There are always alerts so I'll always have to check into alerts and see what's going on and then do some more analysis. If it's a new application we are implementing that will also need to be configured on Carbon. 

    How was the initial setup?

    The deployment process is straightforward. 

    We're still deploying it slowly, little by little because we use a lot of critical applications and if Carbon Black interferes with the application, it will stop working. It needs to be tested thoroughly. It's a long process. 

    All of its applications need to be tested thoroughly and then tested in a testing environment. Then we deploy and monitor, make changes, and stuff like that. As far as general users, laptops, and stuff, that's pretty straightforward. It's just part of the image. I have to write that script to uninstall McAfee, the whole migration. It's pretty straightforward. It wasn't complex as far as the installation or deployment.

    What about the implementation team?

    There was also a technical lead for this project. It automatically comes with professional services for 10 hours and the documentation is pretty clear. The professors helped through the process. 

    What's my experience with pricing, setup cost, and licensing?

    I think it's 28 per employee a year. 

    Which other solutions did I evaluate?

    We also looked at CrowdStrike but it was a little too expensive. 

    What other advice do I have?

    The implementation is very easy but the security aspects could be better. 

    If you don't have a SIEM solution in your organization, you're probably engaging via email.But there's no way to point me to customize the email templates if I want to see more information on that email before going to the console. It's still a business and company, but I'm the only one who is managing everything. So when I see the email on my phone, I want to see more information before logging into the console. I want to see more filtering options to narrow down more field training. 

    I also wish it was easier and more intuitive in terms of searching for queries. I feel like it should be simpler. It doesn't make sense to have it this hard.

    I would rate it a seven out of ten. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Senior Infrastructure and Security Engineer at a manufacturing company with 51-200 employees
    Real User
    Allows us to lock the environment pretty tightly and protects our organization
    Pros and Cons
    • "I like its protection very much. It protects and allows us to lock the environment pretty tightly. Nothing that is not approved through Carbon Black can run in the environment. There is no default. Everything goes through Carbon Black Protect, and everything has to be first approved. Every software is considered to be guilty before prove innocent."
    • "It could be a bit complicated. You have to be very familiar with Carbon Black to understand what it is doing and why it is doing. I would like to have more explanations and simplification in the user interface. It would be good to get help and see more explanations. It should tell us that a software is blocked and the reason for it. It would be good to be able to build chains in terms of what caused what, what worked, and what caused an issue. We are now moving from Carbon Black to Cortex XDR. While choosing antivirus software, we were also looking at Carbon Black because it also has an antivirus package, and it is next-generation, but we were told that Carbon Black doesn't support firewalls. We have Palo Alto firewalls. We would have chosen this solution if it supported firewalls, in particular next-generation firewalls, but unfortunately, it doesn't. Therefore, we decided on Cortex XDR because it integrates with Palo Alto firewalls."

    How has it helped my organization?

    It has allowed us to protect our organization from viruses. We've seen many cases when people try to install innocent application, such as a web browser or something like that, and then there are attachments that are not so innocent. Carbon Black tells about such things.

    What is most valuable?

    I like its protection very much. It protects and allows us to lock the environment pretty tightly. Nothing that is not approved through Carbon Black can run in the environment. There is no default. Everything goes through Carbon Black Protect, and everything has to be first approved. Every software is considered to be guilty before prove innocent.

    What needs improvement?

    It could be a bit complicated. You have to be very familiar with Carbon Black to understand what it is doing and why it is doing. I would like to have more explanations and simplification in the user interface. It would be good to get help and see more explanations. It should tell us that a software is blocked and the reason for it. It would be good to be able to build chains in terms of what caused what, what worked, and what caused an issue.

    We are now moving from Carbon Black to Cortex XDR. While choosing antivirus software, we were also looking at Carbon Black because it also has an antivirus package, and it is next-generation, but we were told that Carbon Black doesn't support firewalls. We have Palo Alto firewalls. We would have chosen this solution if it supported firewalls, in particular next-generation firewalls, but unfortunately, it doesn't. Therefore, we decided on Cortex XDR because it integrates with Palo Alto firewalls.

    For how long have I used the solution?

    I have been using this solution for one and a half years. In our company, it has been used for around five years.

    What do I think about the stability of the solution?

    It works. I was actually very surprised about its stability. It is in a virtual environment. It works in a VMware environment for us. Sometimes, latency discrepancies are very high, but it is pretty stable.

    What do I think about the scalability of the solution?

    It is scalable. We have about 400 machines here, and everyone is using it. It protects 400 nodes. We have one server that serves all nodes. The number of machines is growing slowly. We had 350 machines earlier, and in one year, the number is 400.

    How are customer service and technical support?

    I never had a need to use the tech support. My boss, who actually implemented this product, used their technical support, and he was okay with it. 

    Which solution did I use previously and why did I switch?

    We have Symantec Endpoint Protection, and it has some functions similar to Carbon Black, but not all. Carbon Black is definitely better because Symantec Endpoint provides some protection as a part of their antivirus solution, but it is not as powerful as Carbon Black.

    How was the initial setup?

    When I joined this company, Carbon Black was already very well established. All rules and all groups were in place. The person who worked before me did a great job.

    What other advice do I have?

    It does everything that we need. We can configure it very strongly and lock the environment, which sometimes can create an administrative headache for us and some hassle for users because the users cannot install some of the software and have to ask us to enable the software, but it is exactly what we wanted.

    I'm pretty happy with this solution, but unfortunately, at this point, we will have to stop using this solution, but this is not what we want. We are going to use Cortex XDR, but we are not sure if it is possible to work back to back with Carbon Black. Cortex initially told us that Carbon Black and Cortex XDR are not compatible, but it was just word of mouth. At the same time, Carbon Black is not on their incompatible products list. It would be good if these two are compatible because I can imagine the amount of time it would take to translate all the rules from Carbon Black to Cortex and handle all errors and other things.

    I would rate Carbon Black CB Defense a nine out of ten. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Buyer's Guide
    Download our free Carbon Black CB Defense Report and get advice and tips from experienced pros sharing their opinions.
    Updated: May 2022
    Buyer's Guide
    Download our free Carbon Black CB Defense Report and get advice and tips from experienced pros sharing their opinions.