Matthew Weisler - PeerSpot reviewer
Sole Proprietor at Core-Infosec
Real User
Top 10
Great granularity for policies or applications without needing hash values
Pros and Cons
  • "The solution has a very nice API on the back end for remoting into a system and executing scripts or utilizing self automation."
  • "It would be nice to have additional forensic tools that you can build into the back end."

What is our primary use case?

I implement the solution as an EDR tool for customers. 

What is most valuable?

The solution is cloud based which makes it easy to use for remote devices or work-at-home situations. 

The solution supports full trust or signature-based approvals. 

You can get very granular and ban out policies or applications without having to do hash values. You can ban through the entire environment by execution of the name or desk IDXE. This can be achieved on the policy side because of the signature, IOC, or naming convention itself. This is very effective for pushing more blockage or removing threats across the board. 

The solution has a very nice API on the back end for remoting into a system and executing scripts or utilizing self automation. This is useful for monitoring several different companies in a workspace or workbook-type format. For example, I report and send out mass emails from a clickable button in an Excel workbook. The APIs all exist for each client. I push out automatic endpoint monitoring and reports every single day at a particular time, with a simple clickable button that serves as a scheduled task for fifty clients. 

What needs improvement?

It would be nice to have additional forensic tools that you can build into the back end. Nothing extensive, but some additional capabilities for forensics or triage would be useful. 

There can be some hiccups with threat intel feeds based on a client's third-party agreements. 

For how long have I used the solution?

I have been using the solution for a few years. 

Buyer's Guide
VMware Carbon Black Endpoint
May 2025
Learn what your peers think about VMware Carbon Black Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
856,873 professionals have used our research since 2012.

What about the implementation team?

I implement the solution for customers. 

Which other solutions did I evaluate?

I use and recommend various EDR solutions to clients. 

What other advice do I have?

The solution is a top five choice when I recommend EDR solutions to clients. I rate the solution a nine out of ten. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Adriano Gross - PeerSpot reviewer
Information Security Consultant at a recruiting/HR firm with 10,001+ employees
Consultant
Top 10
Has an efficient feature for incident detection and response, but its technical support services need improvement
Pros and Cons
  • "The product enables device controls, helping us protect the devices and prevent data leakages."
  • "The device control feature could also be compatible with the user’s profile as well."

What is our primary use case?

We use VMware Carbon Black Endpoint to protect endpoints in our company.

How has it helped my organization?

The product enables device controls, helping us protect the devices and prevent data leakages.

What is most valuable?

The product’s most valuable feature is incident detection and response.

What needs improvement?

It is challenging to reach the product’s technical support team. This particular area needs improvement. The device control feature could also be compatible with the user’s profile as well.

For how long have I used the solution?

We have been using VMware Carbon Black Endpoint for a year.

What do I think about the stability of the solution?

The product has good stability.

What do I think about the scalability of the solution?

I rate the platform’s scalability an eight out of ten.

How was the initial setup?

The initial setup process is simple.

What was our ROI?

VMware Carbon Black Endpoint generates a good return on investment regarding environment protection.

What's my experience with pricing, setup cost, and licensing?

The product’s price is less expensive than other vendors.

What other advice do I have?

I rate VMware Carbon Black Endpoint a seven out of ten. I recommend it to the companies with less budget. If there are no budget constraints, they can use other products like CrowdStrike Falcon or Cylance.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2251128 - PeerSpot reviewer
Head Of Information Security Department at an insurance company with 201-500 employees
Real User
Top 20
Though a stable tool that offers EDR functionalities, it needs to introduce a host-based IDS for improvement
Pros and Cons
  • "It is a stable solution...The initial setup of VMware Carbon Black Endpoint was easy."
  • "In our company, we also wanted to have network detection, like a host-based IDS on VMware Carbon Black Endpoint, but we did not get it."

What is our primary use case?

My company uses VMware Carbon Black Endpoint for generic endpoint activity detection. We also use it for some investigation using an osquery in our company. VMware Carbon Black Endpoint is useful for blocking some applications and vulnerability assessment of endpoints.

What is most valuable?

The most valuable feature of the solution is its EDR functionality. The osquery functionality of the product is also very good since it allows us to investigate special cases. Vulnerability management is another good feature of the product.

What needs improvement?

VMware Carbon Black Endpoint takes a step back when compared to other solutions in the market. Cortex XDR is a better solution compared to VMware Carbon Black Endpoint. In our company, we also wanted to have network detection, like a host-based IDS on VMware Carbon Black Endpoint, but we did not get it. The aforementioned reasons have forced our company to look for an upgrade or another solution altogether.

In the future, I would like to see VMware Carbon Black Endpoint offering a host-based intrusion detection system with a better incident response within the platform where you can raise an incident, assign it, and have some response functionality in it, like triaging the incident and other stuff.

For how long have I used the solution?

I have been using VMware Carbon Black Endpoint for three years. I use the solution's cloud version, which is the latest version. I am a customer of the solution.

What do I think about the stability of the solution?

It is a stable solution.

What do I think about the scalability of the solution?

Around ten to eleven people use the solution in our company.

How are customer service and support?

In our company, we did not face many technical issues with the product. Over the span of the years we have been using the solution, there were only two not-so-difficult instances we encountered using the solution, but we were able to find the answers to resolve the issues. We did not face issues that needed the intervention of technical support.

I rate the technical support a seven out of ten.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Previously, we were using a signature-based antivirus, Symantec Antivirus, in our company.

How was the initial setup?

The initial setup of VMware Carbon Black Endpoint was easy.

The solution is deployed on a public cloud.

The deployment phase took about a month to get deployed to all the endpoints using the agent, but the most difficult part was tuning the policy, which took the most time based on the alarm policy and alert policy. I feel the aforementioned phases of deployment are a regular process.

I do not want to discuss the actual number of people involved in the deployment process, but I can say that the deployment was not done for a small company.

What about the implementation team?

I was involved in the implementation phase of the solution.

What's my experience with pricing, setup cost, and licensing?

Price-wise, VMware Carbon Black Endpoint is a highly-priced solution. Regarding the licensing cost of the solution, one needs to opt for an annual subscription.

Which other solutions did I evaluate?

One of the main advantages of Cortex XDR over VMware Carbon Black Endpoint is that Cortex XDR has an intrusion detection system. Cortex XDR has a host-based IDS, and such a feature doesn't exist in VMware Carbon Black Endpoint. Cortex XDR has VMware Carbon Black Endpoint's functions and much more than they need.

Palo Alto is a product that our company has considered during its current evaluation process.

What other advice do I have?

I would say that VMware Carbon Black Endpoint is a very good solution for those planning to use it. If a person has certain cost constraints, then VMware Carbon Black Endpoint may not be the best solution since many cheaper or even open-source solutions can provide the same functionalities as VMware Carbon Black Endpoint. I feel that with a good budget, a better solution can be available in the market.

I rate the solution overall a seven and a half out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer1619394 - PeerSpot reviewer
Group CIO at a construction company with 10,001+ employees
Real User
Top 5
Beautiful analytics and useful offline scanning features
Pros and Cons
  • "I found the offline scanning to be particularly useful."
  • "There is room for improvement in the support and service team."

What is our primary use case?

It has various use cases like firewalls and antivirus. It's been working great for us so far.

What is most valuable?

I found the offline scanning to be particularly useful. Compared to CrowdStrike, it had better IT capabilities and beautiful analytics. Overall, it was cost-effective too.

What needs improvement?

There is room for improvement in the support and service team. The response time could be faster. That's why I switched because the support was not as expected from a company like Carbon Black.

For how long have I used the solution?

I have been working with this solution for three years. I am using the latest version. 

What do I think about the stability of the solution?

I would rate it a nine out of ten. It was very stable.

What do I think about the scalability of the solution?

The scalability of the solution is good and affordable. I would rate the scalability a nine out of ten. There are over 300 users in our company using the solution. 

How are customer service and support?

The customer service and support team took too long to respond to our queries, and the local reseller did his best, but it still wasn't fast enough or knowledgeable enough. It was just too slow in addressing our concerns. Unfortunately, the support service was not up to par.

How was the initial setup?

The setup was nice, but the technical aspects of the product can be challenging. It's not easy and requires someone who really knows what they're doing. Two to three people are required for the maintenance of the solution. 

What about the implementation team?

Generally, the deployment process takes one to two weeks but also depends on the user's training. It's a cloud-based solution, so once you identify the IP address and add it to the user name, it will be available in the software market. This is how most cloud-based solutions work, and it's not complicated.

Once the product is stable, it works well. That's why I renewed it for three years. However, we had a big incident where we did not receive the expected support.

What was our ROI?

We have seen ROI. 

What's my experience with pricing, setup cost, and licensing?

We use a yearly subscription model. It is not cheap, but it is cheaper than CrowdStrike.

What other advice do I have?

I would recommend having a strict SLA with the vendor for support. It's better to buy extra support for the unit. Overall, I would rate the solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
WAKKAS AHMAD - PeerSpot reviewer
Security Consultant at Mahle
Real User
Leaderboard
Great correlation and visibility; easy setup
Pros and Cons
  • "Carbon Black CB Defense has helped improve my organization by allowing us to have better data so that we can do correlation and get visibility into the alerts."

What is our primary use case?

We use Cyber Defense to protect our machines from all kinds of attacks. We use this solution to protect ourselves from advanced threat attacks as well as viruses and malware. We also do threat hunting with the help of CyberArk for defense solutions.

How has it helped my organization?

Carbon Black CB Defense has helped improve my organization by allowing us to have better data so that we can do correlation and get visibility into the alerts. Previously, we used a different solution for protecting the devices and we were not able to get enough data.

What is most valuable?

The Carbon Black CB Defense feature I found most valuable is that it gives us the ability to do log analysis as well as the current state of the environment and activity on the user machines.

What needs improvement?

I would say that the technical support team should be improved since it takes them a lot of time to provide us with support.

In the next release, I would like to see a host-based firewall.

For how long have I used the solution?

I have been using this solution for more than a year.

What do I think about the stability of the solution?

I would rate the stability of this solution a seven, on a scale from one to 10, with one being the worst and 10 being the best.

What do I think about the scalability of the solution?

I would rate the scalability of this solution an eight, on a scale from one to 10, with one being the worst and 10 being the best.

How was the initial setup?

The initial setup process was easy. It takes about four or five months to set up the solution. The deployment was done with the help of ten teams and five to six people who had full involvement during the implementation.

What other advice do I have?

To the people looking to use this solution, I'd say if you want to get better visibility into an environment and see user activity or suspicious activity, then Carbon Black CB Defense is the right solution for you.

Overall, I would rate this solution an eight, on a scale from one to 10, with one being the worst and 10 being the best.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer1754481 - PeerSpot reviewer
IT Infrastructure and Security Manager at a paper AND forest products with 1,001-5,000 employees
Real User
The manage, detect, and response feature enables Carbon Black to continuously check logs and advise us on how to improve some of the policies
Pros and Cons
  • "The new feature that we're deploying, the new offering from Carbon Black, is MDR, which stands for manage, detect, and response. It's the most valuable feature because Carbon Black will be continuously checking the logs, and they will be advising us on how to improve some of the policies as well as review the logs. If there are any nefarious agents or things happening on the end points, they will know."
  • "The node management could be much better. The one thing that they cannot do very easily is change the tenant from a backend."

What is our primary use case?

It is a default software that goes on every computer. This is antivirus endpoint protection. It's pretty simple. The standard application goes on every single machine that we deploy that is Windows based. We have it running on machines that are deployed on the cloud, machines that are deployed on-premise, and on machines that people are using strictly on the internet.

We're using the Carbon Black Endpoint. We're using the latest sensors. We've used 3.7 and 3.8.

Initially when we deployed it, there were over 2,000 users in terms of giving access to the console. We had roles created for security analysts. There were different roles. For example, the field services who take care of the PCs could go take a look. They could bypass if needed, but they could not change any roles or uninstall the agent. 

Other roles, such as mine, have full access. We had roles where we had actually created the API integration key where we were sending the Carbon Black logs to a third party who was our SIEM for review. There are different roles you can define in there.

What is most valuable?

The new feature that we're deploying, the new offering from Carbon Black, is MDR, which stands for manage, detect, and response. It's the most valuable feature because Carbon Black will be continuously checking the logs, and they will be advising us on how to improve some of the policies as well as review the logs. If there are any nefarious agents or things happening on the end points, they will know. 

They also have the ability to take action based on what we've already agreed upon, what rights we give them, or what we tell them they can or can't do as part of their response. Hypothetically, if there's a rogue machine that is trying to infect other machines, we can tell them that they should try to contact us, but if they don't get a hold of anybody in GreenFirst IT in 15 minutes, they should go ahead and quarantine that machine. They can take actions, they can do remediation or response. Instead of advising, they will be taking action.

What needs improvement?

The node management could be much better. The one thing that they cannot do very easily is change the tenant from a backend. As an example, assets were sold from a company called Rayonier Advanced Materials and went to GreenFirst, which became GreenFirst as a startup. We had a tenant where all the machines were registered to the cloud. That is the tenant that was there for Rayonier. It is very hard for them to make changes to the tenants, such as rename or anything like that. What they really would push you to do is, "Your tenant is going to be under your company name. You have to uninstall all the agents and reinstall them again." Making changes at a tenant-level would be a welcome feature to allow divestitures and things like that.

They can do some of these things, but they're not very user friendly or easily done. They basically tell you to do the hard lifting yourself. For example, they basically kept pushing me and saying, "Uninstall your antivirus on about 500 machines and reinstall it with the new tenant information." I would say "No, everything is a tenant. Rename me the tenant."

I would like to see the GUI improved and easier troubleshooting. One thing they did that makes it easier in troubleshooting versus the older versions of the software is that now you can actually drill down to see the parent process and go all the way down. 

In CrowdStrike, they have a timeline where they actually build the whole scenario as to what happened. It's like a playback. It's almost like a movie. You play back and it says, "Okay, this process ran," and then it shows what it caused and everything. You can see all that and if there are any screen outputs it puts it on because CrowdStrike actually maintains some of those things. A playback feature would be very valuable.

For how long have I used the solution?

I have worked with this solution for over three years.

What do I think about the stability of the solution?

Carbon Black is a very capable tool. It's a very strong product.

What do I think about the scalability of the solution?

There have been no issues with the scalability.

It's on every single node, so I cannot increase it anymore than that.

How are customer service and support?

Their technical support is better than most of the normal tech supports that I've dealt with. My one pet peeve with them is that they respond to your request on their portal. For example, if you need to have a working session with them, they respond to your request in the portal, and you are not always in the portal and you may miss a time that they would be available to assist you. It would be much better if they picked up the phone or actually emailed instead of always using their portal.

I would rate their technical support a 3.5 out of 5.

Which solution did I use previously and why did I switch?

We switched because we wanted to go to a next-gen antivirus that looked at the pattern instead of looking for signature. The second thing is we were trying to get off Kaspersky because it's a Russian company and Rayonier AM was an American company. The biggest reason was to go to a next-gen antivirus.

This is hardly signature based. It's more than heuristic, and one of the other reasons is that the updates are pushed over the cloud when the nodes are available. We don't need people to be connecting to an internal server on-prem to get their updates. Another reason was security features and the ability to quarantine a machine regardless if it's on-prem or if it's just on the internet.

How was the initial setup?

If you're not used to Carbon Black, it can be challenging because these are not regular rules, like the way you would deploy under a normal antivirus. There are a lot of different functionalities that you could do that are not available under normal antivirus things, such as allowing a script or an application to run based on hash, or whitelisting if an application is signed by a specific code sign or certificate. It can be very challenging.

When we did it years ago, we went from McAfee and Kaspersky to Carbon Black. At that time, there were 2,000 or so nodes. Deployment took less than a month. That was due to us doing various types of scripting for a massive rollout and automatic installation of the tool and the automatic uninstall of the older tools.

What about the implementation team?

Deployment was done in-house.

What was our ROI?

It's very subjective to give an ROI on an antivirus. If I was making a piece of equipment and I implemented something that could show that instead of something that takes four hours to complete, now it takes three hours, I could tell you what my ROI would be.

In this instance it is very subjective. The only thing that you could do is take a look at how many security incidents you've had with a different product versus what you think you will have with going with Carbon Black, or assume you won't have any issues with Carbon Black versus how many issues you had with the other one, and then you can see how long it takes. 

Speaking from experience, for the former company that I worked for, we were hit with malware, a ransomware where some files were encrypted, but we were able to get them from the backup. However, attacks such as that have failed since we have had Carbon Black.

What's my experience with pricing, setup cost, and licensing?

It is more expensive, but it's worth it. There are no additional costs beyond the standard licensing fee.

Which other solutions did I evaluate?

We looked at CrowdStrike, the offering from Blackberry called SentinelOne, and we looked at the major other AV providers like Sophos, McAfee, and Norton.

What other advice do I have?

I would rate this solution 8 out of 10. 

Carbon Black gives a different offering. Their ThreatHunter gives you more of the threat hunting features, so if they basically make that a standard feature, then I would rate it higher.

My advice is to use a deployment tool if you have one because it will come in handy. I would also suggest that you enable the feature in Carbon Defense because uninstallation requires a key so that people can't get rid of it.

If you are going to be buying it, my advice would be to take a look at their manage, detect, and response feature because you take the onus away from your internal team, and you also take away potential misconfiguration out of your internal IT group because they will be looking at all the logs, and they will be reviewing the policies and they can actually tell you how to do it. If you do not have the manage, detect and response, it all falls on you, and then you would have to integrate it with your own. If you have a SIEM, you would have to learn how to integrate it to your SIEM.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Ashish Dubey - PeerSpot reviewer
Lead Security Analyst at SecurityHQ
Real User
Manages multiple endpoints from a central location and detects alerts on the basis of AI
Pros and Cons
  • "The solution has a library where we can have multiple threat intels onboarded. We just have to subscribe to a particular site intel and they'll provide us with all of the truncated details so that we can create IOCs and alerts on the basis of those IOCs."
  • "A search bar in the investigation page and some AI-related tasks like outgoing alerts, or recent tactics that are being used in the market, must be embedded in the tool so that it's easier to find alerts."

What is our primary use case?

Carbon Black is an EDR solution and a Next Generation AV. It works on the basis of machine learning and artificial intelligence. It's used to manage multiple endpoints from a central location and detects alerts on the basis of AI. If we have any custom alerts, they can be triggered or flagged. In that case, we can have a centralized alerting system. It can also be used to isolate, repair, or remediate a machine when it is taken by an attack.

We aren't responsible for managing the infrastructure of this particular tool. We're using it for investigation purposes and to monitor products that are being used by our clients.

It's deployed on a public cloud.

What is most valuable?

The solution has a library where we can have multiple threat intels onboarded. We just have to subscribe to a particular site intel and they'll provide us with all of the truncated details so that we can create IOCs and alerts on the basis of those IOCs. 

It's one of the best features because there are multiple third-party vendors who can provide us with site intel in one location. You just have to subscribe to them, and they'll start providing you with IOCs. If a new attack starts, you will have all the basic IOCs on that list, which can be used to identify if the same attack is happening in your environment.

We can isolate devices in just two clicks. That's also a great feature. We can remediate and repair devices from a central location. It's not too difficult to use that particular tool. The user interface is very easy to understand. You are not required to roam around the console to find where the alert went. It's easy to resolve that.

When we onboarded Carbon Black, there weren't many EDR solutions available in the market. It was one of the best tools when it was launched. We don't have any complaints with the tool. The tool is very good. It highlights many of the alerts and events.

What needs improvement?

When you're investigating an alert, you will get a graph and will see the details related to the process that triggered the alert. Below the graph, there are network connections, file modifications, industry modifications, and multiple other activities. If you want to specifically find which additional modification has been performed, you will have to find the log you're searching for. There isn't a search bar to check for file modifications or network connections. In that case, you don't have a search bar, so you have to check each and every event, which could be more than 1,000.

You would have to check 1,000 events manually, or you would have to export sheets to view what you are searching for. If they added a search bar, it would reduce the time it takes to do investigations.

If you want to log into a device, there's a process named winlogon.exe, which is supposed to be initiated. If I'm using Carbon Black, I will have to check where winlogon.exe is being observed or at what time it was being observed. Because there's no search bar, I will have to check for the event in all the device events.

A search bar in the investigation page and some AI-related tasks like outgoing alerts, or recent tactics that are being used in the market, must be embedded in the tool so that it's easier to find alerts. The AI must be stronger so it can identify activity that is actually malicious.

For how long have I used the solution?

I have used this solution for a year and a half.

What do I think about the stability of the solution?

It's a stable product.

What do I think about the scalability of the solution?

It's scalable because it's based on the cloud.

How was the initial setup?

It's sensor-based, so you have to install the machine associated with your application. You will have the configuration file and the agent installation file. You'll have to run the configuration file, and then you'll be onboarded to Carbon Black. It's easy.

Deployment was fast. It took 15 minutes.

We have a group of about eight people for maintenance and supervision.

What other advice do I have?

I would rate this solution as eight out of ten.

It's a good tool, but it requires some updates. It doesn't have new features like multi-tactics, which other EDR products are providing.

My advice is to acknowledge or resolve a particular alert because once they resolve, it will be very difficult for you to find that alert. Handle it with care because with just a click, the device will be isolated. It could be a server, host, or network device. If you click the wrong button out of curiosity, it will destroy the machine. It has multiple accesses and won't ask if you're sure if you want to do an activity or not.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer1799544 - PeerSpot reviewer
Lead IT Security Analyst at a government with 501-1,000 employees
Real User
Gave us another layer of protection from zero-day threats
Pros and Cons
  • "We have another piece of that infrastructure that does what they call threat emulation. It's like sandboxing where it takes files that it doesn't know about, puts them in a VM-type environment, and it kicks them off to see if there's any malware or tendencies that might look like malware, that kind of thing."
  • "There could be more knowledge. I think they made a mistake when they took away the Check Point integration, because it provides more automation and also more threat intelligence."

What is our primary use case?

I know they have different forms in their Carbon Black Endpoint now, but we were using Carbon Black Prevent, which was basically just a pure whitelisting product. We didn't look at the other kinds of things that it was doing.

We were basically just using it for, "If Carbon Black picks up a new file in the machine and it's executable or something and it hasn't seen it before, it has to be whitelisted first. It has to be approved before it's allowed to run." That's what we're using it for.

We were technically one and a half versions behind the current version which is out there right now.

The solution is deployed on-prem.

We have cut back the amount of users. At one point, we had about 1,500 or 2,000 users. We're down to about 750 right now.

How has it helped my organization?

The solution just gave us another layer of protection from zero-day threats, because you can't always trust what your users are doing. You just have to do what you can technically to try to mitigate that.

What is most valuable?

I'm in the security department, so it's just in the layer of our prevention to give us protections against, for example, ransomware that might kick off and try to execute different files. If someone downloads something or whatever, it has to be whitelisted first. It has to be approved before it can run at all.

That's better to me than some signature-based thing, because it protects against zero-day. There are things that it doesn't know about, so it has to check them. We have Check Point now as well, but we have a Check Point on our firewalls, not our endpoints.

We have another piece of that infrastructure that does what they call threat emulation. You may have heard of it. It's like sandboxing where it takes files that it doesn't know about, puts them in a VM-type environment, and it kicks them off to see if there's any malware or tendencies that might look like malware, that kind of thing.

It's also a zero-day type of prevention thing, but it kicks them off in a safe environment so that you can see what it's doing. You need integration with Check Point to do that, but that integration went away with the latest release, the one we just put out there.

That was a big part of why we liked Carbon Black, because it had the integration to not only do the whitelisting, but we could also have automatic rules set up so that if a new file got downloaded by a user, we could automatically send that over to Check Point and it could do its emulation on it in the sandbox. And if it came back clean, then we could automatically approve it.

We wouldn't have to go through a manual process of having our people approve every single file that comes across as having been seen before. So, it was a really good way to work those two products together. But that went away. And so now I'm like, "Okay, what are we going to do now?" I hadn't looked at the Harmony Endpoint at all.

I haven't looked at Check Point's piece, but I was wondering to myself, "If it does something like Carbon Black was doing and then we already have Check Point on the other one, that would work." So, that was what I was trying to do.

What needs improvement?

There could be more knowledge. I think they made a mistake when they took away the Check Point integration, because it provides more automation and also more threat intelligence. Maybe you didn't see something within Carbon Black's sphere of what it knows, within their product line or their threat cloud or whatever they use for their intelligence. Maybe it didn't see anything of the files that it knows about, but what about somebody else's? And what about kicking into another product that does those kinds of things like sandboxing?

I don't know why they would take that away. That doesn't make sense to me because they need to expand on that. The more they expand on that, the more confidence you have as a security guy. You have more confidence that that file is clean, and there's nothing bad about it. Bringing back the integration with Check Point would be a good start.

This product is being used extensively in our organization. I'm actually looking for a replacement because of the fact that we lost that integration. That's really crucial, honestly. Otherwise, it becomes much more manpower-intensive. I need to spend more man-hours going through it instead of using automations.

I prefer to set up things so my team doesn't have to spend a huge amount of time running down rabbit trails all the time. The more we can automate and still be secure about it, that is what we try to do.

There are no additional features I would like to see added. I know they already have a cloud offering as well. You can manage things through their cloud for people that are always on-site. We mostly just use it for our own managed devices. We didn't really put it on. We never planned and don't plan to put it on or make it available to a BYOD kind of thing. This is all company-managed devices.

It just made more sense for us to do it internally than putting it in the cloud. But we could have done either one, I suppose. But since we started out inside, we just kept it that way. It was just easier.

For how long have I used the solution?

I have been using this solution for five years.

What do I think about the stability of the solution?

It's stable.

What do I think about the scalability of the solution?

The solution is scalable. We have never had an issue.

How are customer service and support?

I would rate technical support 5 out of 5.

Which solution did I use previously and why did I switch?

We did a proof of a couple different products, but we chose CB. And we've been with them since, because they do a good job. They've been pretty easy to manage, and they've had good support. So, we've actually been really happy with them.

How was the initial setup?

It was pretty straightforward. It took some time to roll out. We wanted to eventually get to a point where we are now, which was to totally block everything we don't know about. But that didn't come out of the box. You had to let things run for a while.

It did a good job of reporting things, but not blocking, so we could go through there and say, "Okay, these are legitimate files. Or these files were signed with these certificates from these vendors that we can trust," for example. We spent six or eight months going through everything before we actually turned it into full blocking mode. As far as initial rollout, it was fairly simple, and it's been fairly easy to upgrade the agents.

We ran into some issues with some of the MSIs and things or some systems when we tried to update some things and it broke. I'd probably rate the setup a four out of five.

We do deployment slowly and in phases. We could have deployed it pretty fast, actually. But it took us about three months to deploy everything because we wanted to make sure we had test groups of machines that we put into each department or each part of the organization, because they do different things. We didn't want to inadvertently start breaking certain things. So, we took our time rolling it out. But I think, essentially, it could have been deployed in probably a few weeks at the most.

We have a team of about five people who take care of maintenance.

What about the implementation team?

We implemented it through an in-house team.

What's my experience with pricing, setup cost, and licensing?

The licensing cost is on the more expensive side, but I thought it was worth it because they did a good job. It was one of the vendors I truly didn't have to worry about too much until this latest upgrade.

What other advice do I have?

I would rate this solution 8 out of 10. 

I'd say, "go for it" if you don't have or need Check Point for an integration. But if you're relying on that kind of integration, if you really need that like we did, then of course I wouldn't go that route.

If I were to make a recommendation to somebody else just starting out, my advice is to check out the cloud first.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Download our free VMware Carbon Black Endpoint Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2025