VMware Carbon Black Cloud Reviews

VMware Carbon Black Cloud is a good home office tool for people working outside the office.

VMware Carbon Black Cloud helped us to get a better view of the security of endpoints and workstations.

The most valuable feature of VMware Carbon Black Cloud is the possibility of securing any PC worldwide.

The solution's support could be improved.

I have been using VMware Carbon Black Cloud for a couple of months.

I rate VMware Carbon Black Cloud a nine out of ten for stability.

I rate VMware Carbon Black Cloud ten out of ten for scalability.

VMware Carbon Black Cloud's initial setup is neither hard nor easy.

We have seen a good return on investment with VMware Carbon Black Cloud.

VMware Carbon Black Cloud is deployed on-cloud in our organization.

I recommend users test the solution and check the use cases before buying it.

Overall, I rate VMware Carbon Black Cloud a nine out of ten.

We used Cb Response for hands-on computer incident response for our infrastructure, installing it on all of our servers and high-value workstations.

The enhanced logging and data analysis of the incident response and investigation components allowed us to quickly identify and resolve security issues before they could spread.

Cb Response’s root-cause analysis and anomaly detection gave us quick warnings and allowed us to start actively threat hunting, instead of taking a passive approach to security.

The ability to quickly isolate a system from the network, while still being able to perform some forensics and mitigation work remotely, was of great value to us since we had many mobile and distributed systems.

We also took full advantage of its incident response reporting capabilities to act as a “black box” for our infrastructure around strings of suspicious activity. The reporting and incident response capabilities were incredibly helpful during active security concerns.

Cb Response is really designed to complement Carbon Black’s Defense product. While Response can be used on its own, coupling with Defense seems like the best strategy if you can afford the price tag. In the end, other antivirus tools and log aggregation solutions seem to have started to incorporate many of Cb Response’s signature features, lessening its value proposition for some organizations.

We did have a couple bugs/issues. The biggest issue I encountered was one where old logs were not being overwritten as expected so the system drive kept filling up from time to time. However, support was usually quite responsive and happy to jump on a remote session to take a look at it for us. That log bug should have been resolved with an update that was available right around the time I stopped working with the system and left the company.

No issues with scalability. Server deployment was quite easy and the client rollout was handled by remote install tools (we used SCCM to take care of it).

Excellent. The techs were always knowledgeable about the product. On a scale of one to 10, I’d go eight.

We did not have a similar, previous solution that we were replacing. This was part of an initial push we were trying to make at the time into better systems security.

Very straightforward. There is excellent documentation and training provided by Carbon Black around setting up this solution; it takes out all the guess work. The server can be given to you as a VM image and with minimal configuration needed. Makes setup a snap for any experienced sysadmin.

We had no issues purchasing through our preferred reseller and were able to get a fair price even when not purchasing direct. Carbon Black Enterprise Response didn’t break the bank, though adding on the matching antivirus and anti-malware components of the Protect product was more than we could afford, even with some discounting.

There wasn’t much similar to Response that I was familiar with at the time. Though some other vendors are starting to include similar features now, Response was a leader when we selected it. Now there is a growing number of open-source projects, such as TheHive, and other vendors are incorporating similar features into their general security products, so I believe the landscape has changed a bit and things are getting more competitive for the needs Response fills.

Explore all options in the space and see if you’re ready to really use an incident response platform such as this for threat hunting in your environment, or if you should focus on closing some other large security gaps first. I think everyone should be working towards the kind of threat hunting and incident response that Carbon Black Enterprise Response enables, but many organizations still need to make sure they’re taking care of other security controls before they move on to these more advanced tools.

If you’re ready for it, Enterprise Response is a cinch to set up and takes a lot of the guesswork out of trying to track security concerns through your environment, so it may be very worth your while.

We use Carbon Black for detection and response. So we receive alerts from Carbon Black if it detects any malicious activity. We also use it to quarantine any devices that we may need to isolate due to the security risk that it presents.  

What we mainly find valuable in the product is exactly what our use case is. We use Carbon Black for the intrusion alerts and quarantine. Those would be our favorite features.  

If Carbon Black could improve in the area or reducing the number of false positives or if there was a better way to filter out false positives that would enhance efficiency and utility. But in general, I think we are happy with the performance of Carbon Black.  

It would be nice to be able to consolidate all of our tools. We have Imperva for database monitoring, we have Red Cloak, we have Carbon Black, and we have Trend Micro. So when you end up installing multiple different tools that do various different things and they each come with their own agents that need to be on all the endpoints, it takes a toll on the utilization. One of the issues that we tend to encounter — especially when we have all these tools on all the endpoints — the number of agents can affect the performance of desktops and servers. So we get those issues from time to time because there are many agents on the endpoints. So it might be nice to either have a lighter-weight agent or an agent that encompasses multiple functions and different purposes for better integration so we do not have to install various tools.  

I have been using the product since March 2019, so for almost a year now.  

It was a little bit unstable at the beginning, but that was probably because we were getting a lot of false positives. The false positives were probably because of baselining. Baselining takes a little bit of time. Once it was baselined, things got better and we have not really encountered many issues over the last couple of months. So it stabilized maybe two to three months in.  

Once we had the SCCM set up properly, we were able to scale up easily. With the policies set up and images corrected, it became relatively easy for us to scale.  

I personally have not been in contact with the Carbon Black technical support team. Our information security team has worked more closely with them. I would not be able to provide feedback on their support first hand, but I have also not heard anything negative.  

Security-wise, we are using a few different security tools for different purposes. We use Red Cloak which we deployed at the same time as Carbon Black. We tested and are using Trend Micro Tripwire and we are using Imperva as well. Red Cloak is very similar to Carbon Black.  

Deployment was a little bit difficult, but that was mainly because of the way our infrastructure was set up at the time we went to set up Carbon Black about a year ago. We did not have a tool that was mapped to all of our IP assets that we could deploy Carbon Black to automatically. That would have greatly simplified the setup. That is mainly the reason it took some additional time. It was not necessarily an issue with Carbon Black, it was a problem with the setup of our own environment. Sometimes we did have other issues with the agent communicating with Carbon Black when the agent was deployed. We had to uninstall the agents and then reinstall them or we would have to essentially troubleshoot what the reason for the lapse in communication was.  

We were able to deploy it by ourselves without the help of an integrator or some specialist. We eventually did the deployment using SCCM (System Center Configuration Manager). Originally, we began by trying to deploy it manually and that is probably why it took so long. Once we had the SCCM agents deployed on all of our endpoints, then it was a lot easier for us to deploy Carbon Black in bulk.  

I do not think I have a lot of advice for people who are considering implementing the product at this point because most of our experience with the product has been relatively straightforward. I would just suggest that you have your white list set up before deploying if you are using automatic quarantine. Otherwise, it can cause issues in your operating environment. This is especially important if you are a sensitive location like a bank. In that case, automatic quarantine could be a big issue.  

On a scale from one to ten where one is the worst and ten is the best, I would rate Carbon Black CB Response as between an eight or nine. For our use case, I would say it is an eight.  

When a machine gets infected we need to have a memory dump and to interact with it. We use this solution as a good way to extract that information from an infected machine.

When a machine gets infected and the user is not in sight, you cannot go to the user and ask them to analyze their machine, what was in their system. With this solution, you can do so remotely. This is valuable because you don't have to bring the computer onsite to analyze it. Even if the user is doing something wrong, like stealing information from the company, you can detect it remotely, capture it remotely, and have this information to analyze it afterward.

It saves the time required to take an image of a machine onsite. You get to the machine and make it live. You don't have to wait. Whatever activity you have to do on the machine can be done right away.

In addition, it helps us to be sure of the type of infection we have which helps reduce response time and provide a better solution to what is happening. It decreases response time by about 40 percent.

The most valuable features are the threat-hunting and the batch console.

They need to improve the batch console. It needs more capabilities. We are limited by the ones it provides, although we can type commands from the native operating system.

The stability is fine.

It has pretty good scalability.

I have not used technical support.

This system is the only one I have used.

The initial setup was pretty straightforward.

The vendor installed it and gave us some training so we would know how to use the tool and how to deploy it in our systems.

I was not part of the decision-making process. It was the engineers who decided.

You need to analyze your organization's needs. If you just want to protect things, it's very useful.

I rate the solution at eight out of ten because they need to improve the console. We would like it to let us type commands that are native to the operating system, not the ones that are included in the product.

The product, in terms of maturity, is still at the very beginning.

CBR was used as an intrusion detection platform as well as for IOC enhancement during incident response and forensics activities on a 25,000+ host Windows-based environment.

Carbon Black Cb Response significantly reduced time to containment in the environment which enabled the isolation of incidents to single hosts or network segments.

Carbon Black Cb Response excels at providing context to indicators when responding to incidents. It allows responders to understand the entire scope of an incident and quickly contain it to minimize impact and disruption. In incident response speed is of the utmost importance, as many incidents can quickly spread through the entire organization if not immediately contained.

The solution needs to simplify the process of adding custom watchlists, as well as embrace YARA for rule creation.

It is an incredibly stable product, and I do not remember any significant stability issues on the server side. On the client side, there may be some performance issues related to Citrix servers.

Scales very well up to 50,000 nodes. It is simply a matter of adding more Solr shards. Beyond that, I do not have experience.

While their Professional Services are expensive, their team is second to none in problem-solving.

Setup is incredibly complex and poorly documented. Every time an upgrade was needed we would need to engage Professional Services for troubleshooting help. Certificates and web services proved to be the most significant sticking points. Since the product runs on a Linux platform, perhaps having staff with more Linux experience could have alleviated some difficulty.

Purchase Professional Services up front as part of the implementation package, then renew hours annually to ensure you have adequate support for upgrades and enhancements. Overbuy by at least 10% to account for infrastructure growth.

Ensure that you have sufficient resources to dedicate to maintaining and utilizing the product, including maintenance staff as well as incident responders and threat hunters. Be prepared to define metrics and use them to quantify the ROSI. Ensure that this product meets a defined goal within your organization's WISP.

My clients are in a range of verticals, so we have clients in healthcare, education, manufacturing, etc. We provide solutions to anybody who's insightful enough and forethinking enough to understand that cybersecurity is not like insurance. So my use cases are all across the board. But, essentially, my customer base boils down to anyone who doesn't want to get owned by a ransomware attack. My company chooses the best-in-breed technology for tools, then adds cybersecurity management services on top of that.

Probably the most valuable feature of CB Response is its ability to isolate a host and take it off the network, so it's not spreading anything. We have two security operations centers around the globe. When an SOC analyst sees something on an endpoint, they can use Carbon Black Response to isolate that host from the customer's environment and prevent any kind of lateral spread. 

I've been using CB Respons for about two and a half years. 

Overall, it has been absolutely stable. However, there have been some performance issues when deploying on Windows Server, but I believe Carbon Black is working on that.

I'm in sales, but I've watched people deploy the software. It looks pretty straightforward, just a quick installer. Most of my customers have one or two folks who ensure that it's deployed correctly in their environment.

I rate Carbon Black CB Respons nine out of 10. I don't have much to say about it because endpoint detection and response tools are pretty much a commodity nowadays. There are so many good tools out there. What matters is the ability to manage those tools and utilize them in a threat-hunting mode.

The market information they gather from the community is really good. Their configuration capabilities are good. 

One of the big issues we're facing is that their solution doesn't support multi-tenants. The second area for improvement is that they have different products, but if we wanted to take their protection and their EPR, then we would need to have two agents. In our scenario, having a client work within the cloud is not an option, so we cannot extend the support for Carbon Black to provide the protection that comes from Carbon Black. This will cause resource consumption.

What I would like to see in the new platform is for it to have a higher visibility for being able to fix the solution. Having also just the visibility to separate the collectors on site. If the informed agent can connect to the collectors the ability to be connected to the management consult or superior management directly.

So far we had an issue connected to the hardware. I think there was an error that happened, so from their software, we had no issue with stability. Not from agents or from the server itself. But an area they need to improve on is that they need to have an option for higher availability. We can't provide a good solution if we need to rely on virtualization, higher availability. So they need to work on building their forum support for higher availability.

In terms of their scalability, so far I think we have around 5,000 endpoints. We had no issues because of the hardware. The resources could prevent the number of endpoints. They should reconsider the design of the solution where you can have them supporting all kinds of designs where you can install an aggregator or connectors for small branches that are our size and have that to provide management consultancy.

Our newest driver manages to the service provider so they cannot just make all the connection there go onto the consult of the management server. We need some kind of component that could communicate to the management. Instead of having each endpoint communicate with management.

They need a big change in the region because they don't have much presence. I think they need to have to train a new manager, but they don't have enough presence. So when we need to work with their office, which is in the U.K, it is kind of a challenge. I think they need to have more support here locally. From a support perspective from our team, they're happy with their support so far, they haven't said of any big issue with them providing us with support. 

The initial setup is straightforward. We already know how to do it but I think for maybe other clients if they do it, it can be a bit challenging.

I would recommend anyone to go ahead with Carbon Black if they are looking for an EDR solution. From my experience with selling, some people have a misunderstanding of what it is they are supposed to do. I would recommend going with it but be aware that you will be overwhelmed with the number of receipts which require somebody to begin to follow up and investigate each incident. This is not something bad, it's something good because of the way that security goes, you need to go through every incident to understand whether it is a false positive or true positive so they need to be reviewed. This is not an automated solution, it's something that somebody needs to take care of.

I would rate this solution as a 9.5 out of 10. We know what we are doing. We know we bought Carbon Black for a reason so we are aware of everything and it's doing its job. We see that there is an area for enhancement, I think the product or business unit or product management, they need to look more into an area for enhancement which is just part of it. So that is why I didn't give it a ten. A 9.5 fair for them. Maybe other people would think to get it lowered but because they have a misunderstanding about what Carbon Black is about.

We use it for platform metrics, for all use cases. This is the only thing that works, this product. Carbon black is a process listener. You can call back all processes, each process on the client side or the server side. You can retrieve all the information on a process level, and you can combine all the things with an end use case.

Integration and scalability are the most valuable. For example, if you chose a cloud solution, it's not very scalable, because it doesn't support any integration. But on the client side, you can combine materials, you can combine everything. You can add anything. 

It's maybe it's too verbose. For a junior user or admin. You have to know some basic rules. It's not simple. For a junior engineer, it's confusing. It's hard to use Carbon Black Response. It will take time. It may take more than one year to understand the uses of the product.

I'd like the ability to see all the kernel-side features also on the client side.

I think it's very stable. It depends on Linux kernel stability. That's all. 

Scalability of integration features is low, on the client-side.

Initial setup, with two people, it's easy. We deployed it easily.

We've implemented it ourselves in the past but have also used an integrator in some instances.

I would rate this solution a nine out of ten.