We just raised a $30M Series A: Read our story

Carbon Black CB Defense OverviewUNIXBusinessApplication

Carbon Black CB Defense is #1 ranked solution in top Security Incident Response tools, #6 ranked solution in EDR tools, and #8 ranked solution in endpoint security software. IT Central Station users give Carbon Black CB Defense an average rating of 8 out of 10. Carbon Black CB Defense is most commonly compared to CrowdStrike Falcon:Carbon Black CB Defense vs CrowdStrike Falcon. Carbon Black CB Defense is popular among the small business segment, accounting for 39% of users researching this solution on IT Central Station. The top industry researching this solution are professionals from a computer software company, accounting for 27% of all views.
What is Carbon Black CB Defense?

CB Defense is an industry-leading next-generation antivirus (NGAV) and endpoint detection and response (EDR) solution. CB Defense is delivered through the CB Predictive Security Cloud, an endpoint protection platform that consolidates security in the cloud using a single agent, console and data set. CB Defense is certified to replace AV and designed to deliver the best endpoint security with the least amount of administrative effort. It protects against the full spectrum of modern cyber attacks, including the ability to detect and prevent both known and unknown attacks. CB Defense leverages the powerful capabilities of the CB Predictive Security Cloud, applying our unique streaming analytics to unfiltered endpoint data in order to predict, detect, prevent, respond to and remediate cyber threats. In addition, CB Defense provides a suite of response and remediation tools, including Live Response, which allows security personnel to perform remote live investigations, intervene with ongoing attacks and instantly remediate endpoint threats. For peace of mind, CB Defense customers can also leverage CB ThreatSight, Carbon Black’s managed threat alert service, to validate alerts and uncover new threats.

Carbon Black CB Defense is also known as Bit9, Confer.

Carbon Black CB Defense Buyer's Guide

Download the Carbon Black CB Defense Buyer's Guide including reviews and more. Updated: November 2021

Carbon Black CB Defense Customers

Netflix, Progress Residential, Indeed, Hologic, Gentle Giant, Samsung Research America

Carbon Black CB Defense Video

Archived Carbon Black CB Defense Reviews (more than two years old)

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
Mark Adams
Senior Manager, IT Security and Compliance / CISO at Superior Energy Services, Inc.
Real User
Detects and protects against malicious executable files, allows investigation using CLI

What is our primary use case?

We use this solution for endpoint security and protection.

What is most valuable?

The most valuable feature is that it detects and stops malicious executables. Admins can use the portal to obtain a command shell on an endpoint to perform further investigation.

What needs improvement?

This solution works well but needs lots of tuning and optimization.

For how long have I used the solution?

We have been using this solution for two months.

What is our primary use case?

We use this solution for endpoint security and protection.

What is most valuable?

The most valuable feature is that it detects and stops malicious executables.

Admins can use the portal to obtain a command shell on an endpoint to perform further investigation.

What needs improvement?

This solution works well but needs lots of tuning and optimization.

For how long have I used the solution?

We have been using this solution for two months.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
RajaeAl Najjar
Solutions Manager at Samir Group
Real User
A solution with a straightforward setup that offers offline networking

Pros and Cons

  • "The offline networking is the most important feature. Some of our users are engineers that work offsite, and they can still be on the solution, which is also great."
  • "The endpoint machines need improvement."

What is most valuable?

The offline networking is the most important feature. Some of our users are engineers that work offsite, and they can still be on the solution, which is also great.

What needs improvement?

The endpoint machines need improvement.

The solution needs to be more effective for the end-user.

It would be helpful to understand how to do some queries, but we’re still testing the solution right now, so everything is very new and we’re still learning the system.

For how long have I used the solution?

We’re in the process of finalizing a POC right now, so we haven’t used it very long.

How are customer service and technical support?

I’ve never had to reach out to technical support.

How was the initial setup?

The initial setup was very straightforward.

What other advice do I have?

We did a POC with the solution. We’re still in the process of testing it, so we’re still learning the system.

I would rate the solution eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Learn what your peers think about Carbon Black CB Defense. Get advice and tips from experienced pros sharing their opinions. Updated: November 2021.
552,407 professionals have used our research since 2012.
Darrick Kristich
Founder/CEO at Sedara
Consultant
Symantec opened our eyes to be able to see what's out there, but then we needed Carbon Black to be able to actively fix it

Pros and Cons

  • "The biggest feature out of CarbonBlack is its ability to dive in with more depth. You can look at the entire kill chain and understand, not only if an alarm or identified incident is truly a true security issue versus a false positive, and it allows us to backtrack and figure out why it actually happened and how it got into the environment."
  • "Carbon Black needs to do a better job of proving their platform in the industry, and providing a bit more access to do industry testing with real world examples to help prove their platform."

What is our primary use case?

We are a partner in the managed security service provider (MSSP) space. We service hundreds of customers globally. We implement these solutions on behalf of our customers. 

With Carbon Black, we've been using them for about six years. We're an MSSP and channel partner with them, as well as an incident response partner. We were like the second incident response company registered with them (through that program) to start using the cb Defense platform. We also integrate it with SIEM. However, we're using it in a managed service capacity. We usually implement it, then manage the platform for our clients long-term. It's used for traditional antivirus, real-time threat protection and prevention, and it also provides us with the ability to do more in-depth investigations into endpoints. With the product, we can do a bit of threat hunting along with managed detection and response. The platform works quite well using it in this capacity.

With Symantec, we have been using it for about six years. We integrate it with our SIEM products. We have a lot of customers who actually run it, so we see it quite often. We collect a lot of data from Symantec and help with responding to anything that Symantec finds. We've had a chance to use the product quite a lot.

What is most valuable?

The biggest feature out of Carbon Black is its ability to dive in with more depth. You can look at the entire kill chain and understand, not only if an alarm or identified incident is truly a true security issue versus a false positive, and it allows us to backtrack and figure out why it actually happened and how it got into the environment. It also helps us determine what other things may have been impacted along with it, from an asset standpoint. It allows us to go into more depth than a more traditional antivirus, like Symantec.

Symantec is more of a traditional antivirus. A lot of it is signature-based. It works quite well for normal protection. It is pretty stable and consistent. It seems to work across the board. There are no real issues to speak of it, which is a definitely a positive thing. One of the more beneficial things is that it does include the active endpoint firewall with it, which allows your endpoints to have a bit more above the standard Windows firewall, then collect all the logs from that. This is a good feature from their firewall piece. Also, the logging out of Symantec is quite good, as you put a lot of great logs into a SIEM or any other log collector from the platform.

The difference between the two products is the level of visibility and depth that you get when investigating alarms or issues. You can go a bit deeper with Carbon Black. Symantec does have an additional add-on, which we have not seen since it is a relatively new component. They call it Advanced Threat Protection. It uses the same endpoint, but has a separate license with additional costs, which is meant to allow you to go a little deeper in terms of endpoint and incident investigations. However, it doesn't provide the interactive drill down, prevention, and response capabilities that you need to be able to isolate a system, delete files, or actively kill processes which have been helpful with Carbon Black.

What needs improvement?

Symantec needs more investigative features out-of-the-box. Though, they are using the Advanced Threat Protection add-on to correct some of this. It is also not quite as feature-rich as some of the more advanced MDR platforms out there.

Carbon Black needs to do a better job of proving their platform in the industry, and providing a bit more access to do industry testing with real world examples to help prove their platform. In additional, they have been actively porting over a lot of features from some of their other products, and they should continue to expand on that. Going forward, this will be extremely helpful.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

We've been quite happy with the stability of Carbon Black. 

Symantec has a much longer history of having a good, proven, stable platform. That is the big difference. 

I can't really speak to any particular issues that we've had with one versus the other. They both seem pretty good.

What do I think about the scalability of the solution?

The scalability is about the same between Carbon Black and Symantec. I don't know that we've actually tried to use them in an environment that was large enough to cause us any sort of issues, or even thought twice about scalability. Both of these products work quite well in extremely large environments.

One thing to consider with Carbon Black is you do have much more data. You can define many more policies that are more specific to groups. The management of that becomes more difficult as the environment gets larger. I don't think that necessarily is the case with Symantec. It might end up being a bit more time consuming to manage Carbon Black as it gets larger. In terms of these products' capabilities and the ability to support large environments all the way down to small ones, I don't think it matters.

How are customer service and technical support?

Carbon Black has a great community portal which has all sorts of documentation where you have the ability to ask questions and people answer it quite well. There is a lot of material there with access to content, which assists with the learning and troubleshooting.

Which solution did I use previously and why did I switch?

Because of the limitations that Symantec provided, and the fact that we were seeing data that was extremely helpful from the Symantec logs, yet it didn't provide us a way to investigate it further or respond to it. This led us down a path of looking for a platform like Carbon Black, which has allowed us to handle the data without having to add additional products. This opened our eyes to be able to see what's out there, but then we needed something to be able to actively fix it, as well.

How was the initial setup?

Symantec is a more traditional platform where you set it up and install it. If you're using a cloud platform, then you obtain access to the system. You need to define all the exceptions that you know need to be implemented based on the applications that you are running. Then, you deploy your endpoints, which should pull down the policies with the approved exceptions. Then, you work through any issues. 

With Carbon Black, you have to go through a longer period of monitoring what exists in the environments. We deploy the agents in a monitoring type only mode, which can exist alongside another antivirus product, like Symantec.

You could technically have Symantec installed in normal mode, then Carbon Black in monitoring mode right next to it. We let that run for a period of time to gather information about what is running in the environment actively to help identify the types of things that we'll have to build policies around. The policies can be pretty in-depth, so it can take quite a long time to actually build them, if you want to be extremely careful about not creating any false negatives in the environment. 

It can take quite a bit longer to implement Carbon Black properly. It takes one to two days to implement Symantec. Though, I don't know for certain, because we don't implement it. For Carbon Black, we typically look at three to eight days of active work over a period of a couple of months to get it implemented, working properly, and tuned up correctly.

What's my experience with pricing, setup cost, and licensing?

The licensing costs are comparable between the two products. If you're purchasing the product, they're both typically a traditional license model with an annual type fee or multiyear. The fees are the cost of the professional services to get the system up and running. It depends on the size of the environment. The size and complexity are what it really comes down to. It will be relatively consistent with whether it was MSSP versus a direct purchase.

Carbon Black might be a touch more expensive. They tend to get a premium for their capabilities. They're sort of an industry leader in a lot of areas with the functionality that they provide. 

Symantec gets a bit more aggressive with their pricing, and with their discounts as well. They do have a much larger customer base because they've been around so long.

As an MSSP, we do provide the entire platform on a monthly fee, which a lot of people do like, because that rolls the licensing and all of the management into the cost of the system on a per endpoint basis, paying for the initial costs to get up and running. Even if it's a three to five year implementation, it will be a fixed monthly cost, assuming the number of endpoints doesn't change. That's one good thing about the Carbon Black MSSP program that we have access to is that flexibility with the monthly billing. With very large implementations, this could be a significant difference in spend over three years versus having to do one extremely large capital purchase.

What other advice do I have?

Symantec aligns with a more traditional antivirus that a lot of people are just more familiar with. It has traditional signature sets, exceptions, and policies. When you're talking medium sized implementations, where it's several hundred or a couple thousand endpoints, it's pretty straightforward. 

The learning curve with Carbon Black is considerably more extensive. You have considerably more ability in the platform to do investigations and custom policies, as it can do more in-depth searches and queries about what's actually going on at an endpoint level, which you don't have with Symantec. You really have to understand exactly what you're trying to accomplish. The product itself works quite well. It's pretty intuitive, but there is so much more data and capabilities at your fingertips. It definitely takes more time to learn it.

If you are evaluating these products: Evaluate what your enterprise looks like and what your current security controls are. Understand what exists, what needs to be protected, and what other tools there are in the organization. This makes a big difference in the decision-making process. For example, Carbon Black is 100 percent cloud-based. There is no on-premise option. If you have requirements for systems that can't access the internet, whether it be classified environments or otherwise, it's more difficult to get as much value out of a system which is only cloud-based if you have air gaps. A more traditional on-premise solution might work better, like Symantec, in this scenario. However, if you have a largely mobile workforce with a lot of high risk employees who travel, having cloud-based works perfectly for that sort of environment, as you're getting data with the ability to access and respond to issues regardless of where systems are, as long as they're online.

However, if EDR tools already exist in an environment, you might not need a full in-depth product, like CarbonBlack, where a more traditional antivirus coupled with another EDR product might get you the capabilities that you need. Albeit, it would require multiple products to cover the environment. 

I would rate Carbon Black as a nine out of ten, because it provides industry leading features, which give us the ability to do the investigations that we need to. It just makes an enormous difference.

I would rate Symantec as a seven out of ten. It works quite well. It is feature-rich, stable, more traditional product.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
MN
Sr. Security Analyst, Enterprise Architecture and Security at a tech services company with 5,001-10,000 employees
Real User
Fewer false positives but the UI interface needs improvement

Pros and Cons

  • "The data analysis is the most valuable because of the whitelist database. It is different than standard IDS solutions."
  • "The UI interface needs improvement. The management needs further work in future versions."

What is our primary use case?

We use this solution as an endpoint solution for protection.

How has it helped my organization?

It has improved our protection to have less false-positives. We have a greater ability to find malware notifications. It has improved between 30-35% more than prior to our use of the solution.

What is most valuable?

Data analysis is the most valuable feature because of the whitelist database. It is different than standard IDS solutions.

What needs improvement?

The UI interface needs improvement. The management needs further work in future versions.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

It is a stable product.

What do I think about the scalability of the solution?

We are not a very big company, so scalability is not very relevant to us.

How is customer service and technical support?

Our experience with tech support is very positive.

How was the initial setup?

We had experience with this product in our team prior to our setup, so it was simple for us. We had it up in a week. It may be less easy for non-technical people. 

What's my experience with pricing, setup cost, and licensing?

I am not really involved in the pricing of this product. From my understanding, the price is okay for us.

Which other solutions did I evaluate?

We did consider other products but we chose this solution.

What other advice do I have?

I would advise Carbon Black to work on the automation and make it a bit easier for the solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Andre B.
Executive Business Analyst & Advisor at a financial services firm with 10,001+ employees
Real User
The most valuable Feature is the time-lining capability for any breach activity. It actually does some heuristics, and some behavioral analysis.

Pros and Cons

  • "It actually does some heuristics, and some behavioral analysis."
  • "The most valuable asset is the time-lining capability for any breach activity."
  • "This product has the capability of uploading scripts to the tool and this is a very comprehensive feature."
  • "The tech support communicates, but it's just not with movement."
  • "I would personally give the tech support a rating of seven out of ten."

What is our primary use case?

We use it for endpoint visibility and endpoint detection and response. It is our central mechanism for the cyber defense or endpoint detection, response and visibility.

How has it helped my organization?

We've integrated it with Splunk, with ThreatConnect, and a couple of others. It has a lot of modules for integration that has streamlined our ability to respond and decrease the amount of time for response, but also allowing us not to have to pivot to so many tools where we can actually work from more of a single pane of glass perspective.

What is most valuable?

I think something that is the most valuable is the time-lining capability for any breach activity. It gives us the ability for us to actively threat hunt. This is not something where it's a passive response tool where we watch things happen. In contrast, it actually does some heuristics, and some behavioral analysis, and we're able to do some prevention with it as well. I think that's really the strongest attribute, and it makes this a more aggressive tool than others.

What needs improvement?

In some areas one of the big issues for me is responsiveness to issues that arise with the solution. There are some components that leave a bit to be desired and/or that are bugs, or that even if it's a feature update request. These kinds of things are not the fastest company to respond to those. We did have a bug that was persistent for it's now going on two months and it hasn't been fixed. That is one of the drawbacks. This is really impacting what we need to do with it. But, the bigger issue is the organizational responsiveness to clients.

In addition, I think there should be a cloud gateway. It needs to move into a transitory space between our On-Premise and external where it does not have to be in two separate instances. It should marry the two. Also, it would be good to have them working in the containerization space, as well. To have a mechanism for securing cloud modules a bit better. This would be ideal. It would help encompass more of the broad range security so we do not have to couple this with other outside solutions.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

 It implements and integrates very well with other security tools, cybersecurity tools.

How is customer service and technical support?

The tech support communicates, but it's just not with movement. They are responsive, yet there is no quick motion often in regards to resolving the issue. I would personally give the tech support a rating of seven out of ten. 

How was the initial setup?

The setup really depends on a few crucial elements. It depends on where we are, what region, what country we're in, and what PIA rules they have in place. For the most part, it is a fairly straightforward setup. I will say in the initial setup, Carbon Black was very responsive. They were really good at providing the assistance and the support we needed to get it set up, but it was not an extremely hard task.

What was our ROI?

It has the ability for you to upload the scripts or anything you want to run anywhere. The capabilities of this tool are almost limitless. That is why Carbon Black is a leader. You can run whatever script you want by uploading it to the tool. This is a very, very comprehensive feature.

Which other solutions did I evaluate?

We also looked at Rsam and ESET. We've used a multitude. So yes, we have.

What other advice do I have?

  • Make ssure that your firewall ports open and really test communication back to their server. 
  • Make sure you don't have anything else that may be impeding it. 
  • If you are dealing with any PIA countries or GSA (also known as TAA) countries, make sure you're working through their work councils.
  • Make sure you look at a holistic perspective and have a plan in place on how to use this tool.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
KB
Senior Security Consultant at a manufacturing company with 10,001+ employees
Consultant
It has a higher detection ratio because it's cloud-based and it also does a lookup to virus total.

Pros and Cons

  • "Carbon Black Defense has a higher detection ratio because it's cloud-based and it also does a lookup to virus total."
  • "It gives you all of the information in a short and sweet fashion."
  • "Adding an application and a device control feature would be a great help for this solution."
  • "Report generation can be improved."
  • "But here, we hardly can take any kind of a report out of Carbon Black, so I think that should be something that should be more user-friendly."

What is our primary use case?

It was basically for an EDR solution. We were apparently in the migration phase, to be frank. We were using McAfee VSE, and we wanted a media solution which would give us more insight in terms of the events that are happening with respect to Malware threats. So that's the reason why we went for the Carbon Black Defense.

How has it helped my organization?

It has improved the number of alerts or the number of threat events that we are able to recognize in our environment. And it also highlights the usage of potentially unwanted programs. So these are the ways in which that highlighted the possible vectors through which we can have an incident happening in our environment. That is one thing that we have seen. 

In addition, the detection ratio compared to that of a typical anti-virus and the EDR solution or the next gen AV as they call it, is on the ratio of one to ten when you compare it with a Symantec Endpoint Protection, McAfee AVR, or VirusScan Enterprise versus Carbon Black Defense.

What is most valuable?

Carbon Black Defense has a higher detection ratio because it's cloud-based and it also does a lookup to virus total, so it is out of like 65 vendors that are normally listed in virus total, if there are any kind of hits out of those, in that case, it is getting recognized as a known Malware or a suspected Malware. Under these categorizations, we are able to see a spike in the detection ratio. It is enlightening us with respect to what are the programs that are generally used in our environment and how they are compliant with our environment.

What needs improvement?

It is still evolving, as we see. We started using the version 3.0. We've been migrating and upgrading as well, laterally, until version 3.2. So, we have been seeing a lot of improvements in general in terms of bug fixes and in terms of what are the things that we had encountered.

I think they can probably bring in because there is a little bit of a gap between the native Antivirus solutions like Symantec or McAfee. So, you really can't say whether an end user will not be able to judge whether it's a Malware-free software that they are downloading or not. In those cases, if you have an application and a device control feature, I think it would be of great help.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We had some issues with the stability. In regards to the driver file, and the CTI files, there were some issues.  In addition, there were a couple of issues with servers and the workstations. It was an intermittent issue, and not widespread. But it was basically because the current organization I'm working with, we created a lot of in-house applications. They don't go very much hand-in-hand with Carbon Black enabled. They have certain behaviors, like they inject code into themselves, which is a design that they have. Even the Microsoft authorized or licensed tools exhibit such kind of a behavior. And these behaviors are being identified as a malicious behavior. 

I think it would be better if they can have an application database, where if these kind of applications are performing this, you can bypass, or you can overlook them. Something like that would be helpful. Otherwise, we will have to manually bypass them or allow them logs, as per the policy configuration for these applications. It takes a little bit of an extra time in terms of developing a new tool in the in-house application, as concerned.

What do I think about the scalability of the solution?

I would say, not really. But we have a, how to say, our hands are tied down in terms of generating reports to understand or analyze the trend or anything of that sort. Because when you look at the EPO, you will be able to do certain trend analysis on the basis of the data that is already available in the database. But ,we can hardly take any kind of a report out of Carbon Black, so I think that should be something that should be more user-friendly. They are asking us to use API's, and not everybody is well-versed with API's or scripting.

They also do have a limitation on that, in terms of pulling out the raw data of events. The event generation is like a 1:10 ratio like I said. That detection is also on the same base. So if you have to pull out a report for an end-point count of, say, 35,000 to 40,000 endpoints, the events will be on the higher side. So, the limitation is set to 5,000, which is not realistic.

How are customer service and technical support?

Tech support with Carbon Black is a current point of contact in the tech support. So whatever it is we interact with a single point of contact. And more of a liaison where he can bring in people from the developer side, or the account manager, or the technical manager, or whatever it is. We can get them into loop. That's the kind of the support level that we have subscribed. We don't reach out to the normal tech support by call-dialing into a number. They are responsive. We have really not tried off-business hours out of US time zones. I think that causes a little bit of a challenge because we are not able to catch hold of the right person at the right time in case of any kind of outages or something like that.

The service response is pretty much satisfactory. But if you look into a 24-7 support, then you might have to wait in the morning. I'm located in India, so if we have to look into reaching out to a person in the US during the Indian business hours, in that case, it's night. So, we will not be able to reach our support person. So we might have to rely on calling someone during that time. But we normally don't do that. Until now, we have not got any kind of an issue where we really have to contact tech support during the off-business hours. Because we do have our US counterpart, so we work on that particular region timings so that we can involve Carbon Black support to get the maximum out of them.

Which solution did I use previously and why did I switch?

We did a comparison of products and analyzed how many of them are getting detected on a weekly basis. We also did a trend chart for a monthly threat review. Which basically was with McAfee VSE and Carbon Black. And we thought, that is the reason why  it was like one is to ten over a week or a monthly trend.

How was the initial setup?

I was part of the initial set up. We were doing a comparison with FireEye HX and other tools, as far as CrowdStrike ,Avira and Carbon Black. We chose Carbon Black, and I was part of the initial setup. And since we don't have an in-house setup, we have a cloud-based console, we don't have a dedicated server set up. It's much easier to implement with a cloud-base. So the resource requirement is much lesser in terms of the hardware is concerned.

I think it took somewhere around four to six weeks of time. We had the implementation done and then we were into the testing phase by doing UT testing and stuff like that, internally with a closed group. And then we moved on to selected groups and users who might be important in terms of revenue generation, and stuff internally, so we did that. And then we moved on to the global deployment. I think, over a period of time, I would say the initial implementation was done with a maximum of four to six weeks. And then, I think within six months of time, we actually had the complete deployment done.

It was pretty straightforward. The console was easy to understand because we have had complex consoles with EPO. This was a pretty straightforward console. And the user guide basically gave us the information about what we can do and what is available. Though it can still be more extravagant in terms of describing itself. But, it just gives you the right information in a short and sweet fashion.

What was our ROI?

They're still evolving. I think they should reach there in a couple of years, I would say. I'm not really sure what is their roadmap, so that is one thing that I can say. But that should be something that would come up as an add-on or something like that which can be purchased or which can be given as a free component as well. I'm really not sure, but I think they might think in these lines, to bring about a better security control with the Carbon Black AV, to be specific.

I think the only advice that I would like to give is you need to really test it on different platforms. That's the only advice I can give you, because if you have a versatile environment, such as ours, while we do create a lot of in-house applications, we need to have an extensive testing done so that we don't end up creating a roadblock for other teams who are into software development and software testing. And those kind of lines. That might create a lot of issues with Carbon Black. If you test it prior, then probably you would have a better idea as to what you're getting into. And implementing it would be even more easier in that case. I think we did the right thing in terms of that because we know our environment better. If you know your environment better, you would do the right thing.

What's my experience with pricing, setup cost, and licensing?

I just told you the price point that's one of the factors, basically because that is what the higher management gave us as an input. But, we didn't play a major role in terms of deciding. That was done by another person from the organization. So, that was just a communication that we received. So, that's how much I know about it.

Which other solutions did I evaluate?

We also had a review of FireEye HX as well, but we chose this in terms of the utility and also in terms of the cost involved. So that is the reason why we chose CB Defense. And, so, that's the reason why we are currently using CB Defense. We wanted to have an insight about Malware, the vectors for which they come into and what kind of a behavior they exhibit. So these are the things that we are basically looking to the Carbon Black Defense.

I think they can probably bring in because there is a little bit of a gap between the native Antivirus solutions like Symantec or McAfee. McAfee does have a separate product, the application control. And Symantec Endpoint has the application and device control as a built-in component in 11, 12, and I think in 14 it has the same. But the EDR solutions currently don't have that kind of a feature. So, if they can incorporate that, it would be a better security control and an antivirus, basically, because you do have instances where Malwares are getting into the network through an RFD or through a particular free software that users might download from the internet.

What other advice do I have?

In terms of the fixes from what the behavior was with the environment, it has been evolving. And the only thing that could be improved is enabling Carbon Black to be a part of the image so that when we are doing a image refresh, Carbon Black would be present by default. But in the current conditions, by definition, it needs to have an internet connection for you to install Carbon Black. Because it connects to the cloud as a first step after you start the installation. So, since we cannot have that kind of a set up for an image, we are not able to put it into an image, basically. So if there comes any kind of a version where it can be done, probably it might be more helpful in terms of a mass deployment.

They might have to create a little bit of better knowledge base articles which will give us an insight as to how this is working and what logs we can look into for analysis. The gap can be made much shorter in that aspect. The report generation and trend analysis or data analysis can be improved.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
System Analyst at a hospitality company with 1,001-5,000 employees
Real User
The software uses very few resources; it is almost invisible to the end user

Pros and Cons

  • "The software uses very few resources; it is almost invisible to the end user."
  • "Behavioral Monitoring stops known malicious events before they even begin."
  • "The directions for Splunk are spot on, but it is difficult to find anything on integration with AlienVault,"

What is our primary use case?

We include it as another layer of security for our endpoints/servers. The software is based off TTP (tactics, techniques, and procedures), and it complements our antivirus products. The software basically takes a snapshot of the system, then if anything happens which is out of the norm, the software alerts us. In some cases, it denies execution and will quarantine the endpoint from other systems.

How has it helped my organization?

During the company’s transition, we had a memory scraper infiltrate our network, and  with the help of Carbon Black, we isolated the outbreak to a few point of sale machines.. We saw a step-by-step account of how the software was introduced into the environment, the host it originated from, and the destination address it was connecting too. Carbon Black stopped the spread in its tracks.

What is most valuable?

  • The software uses very few resources; it is almost invisible to the end user. 
  • Behavioral Monitoring stops known malicious events before they even begin. 
  • The whitelist: Being a Casino, we have some odd software packages. Being able to whitelist them is a must.
  • The option to quarantine a device and use the cloud-based portal to gain a “shell” on the infected machine. With this, we can dump the entire system memory to a machine in our lab, then run analysis.

What needs improvement?

It works the way we want and how we want. 

For one improvement, an easier integration with an AlienVault USM appliance would be good. The directions for Splunk are spot on, but it is difficult to find anything on integration with AlienVault,

For how long have I used the solution?

Three to five years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Jayandra Wickramasinghe
Senior Systems engineer at SAT
Real User
Identifies endpoint and infrastructure loopholes

Pros and Cons

  • "Carbon Black Cb Defense improved our endpoint level security. It helped to identify endpoint and infrastructure loopholes."
  • "Carbon Black Cb Defense has a nice component called Alert Triage. It contains full details of the process execution "kill chain" and "go live" for immediate remediation."
  • "It would be a better solution if Carbon Black Cb Defense had an on-promise solution and a virus auto delete or quarantine."

What is our primary use case?

This product would help any organization to increase its detection and prevention with event investigations and immediate response to data infiltration. 

How has it helped my organization?

Carbon Black Cb Defense improved our endpoint level security. It helped to identify endpoint and infrastructure loopholes.

What is most valuable?

Carbon Black Cb Defense has a nice component called Alert Triage. It has helped to detect threats across the data. It contains full details of the process execution "kill chain" and "go live" for immediate remediation.

What needs improvement?

It would be a better solution if Carbon Black Cb Defense had an on-promise solution and a virus auto delete or quarantine.

For how long have I used the solution?

One to three years.

What do I think about the scalability of the solution?

No scalability issues.

How was the initial setup?

The initial setup is straightforward. The configurations are a bit complex.  

What about the implementation team?

The vendor has a high level of expertise.

What's my experience with pricing, setup cost, and licensing?

The cost is a considerable factor, but the benefit factor is the most important. When you compare it with other products, the price is high. Carbon Black will negotiate the price.

Which other solutions did I evaluate?

We evaluated McAfee and Symantec.

What other advice do I have?

I have done a few PoCs and implementations with Carbon Black Cb Defense.

Disclosure: My company has a business relationship with this vendor other than being a customer: Our company has engaged with Carbon Black as an exclusive partner in Sri Lanka.
it_user835107
Incident Response Analyst at a security firm with 51-200 employees
Real User
​Provides visibility into the chain of attack and threats that use valid operating system processes to execute attacks

Pros and Cons

  • "​Provides visibility into the chain of attack and threats that use valid operating system processes to execute attacks.​"
  • "Needs improvement in the area of infrastructure for on-premise installation.​"

What is our primary use case?

The first case was in a financial institution with offices in several states which needed to increase the ability to detect and respond to threats.

How has it helped my organization?

Provides visibility into the chain of attack and threats that use valid operating system processes to execute attacks.

What is most valuable?

The go live, because it is possible to answer incidents while they are still occurring and minimize the effects.

What needs improvement?

Needs improvement in the area of infrastructure for on-premise installation.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No issues.

What do I think about the scalability of the solution?

No issues.

How are customer service and technical support?

Technical support is high level.

Which solution did I use previously and why did I switch?

No previous solution was used.

How was the initial setup?

No problem with the initial setup because it is a cloud platform.

What's my experience with pricing, setup cost, and licensing?

The cost/benefit factor has great relevance in Cb Defense implementations.

Which other solutions did I evaluate?

We did not evaluate any other solution. We are partners of Carbon Black.

What other advice do I have?

It is a product which will bring enough information and effectiveness in the detection and response to advanced threats.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partners in Brazil.
Buyer's Guide
Download our free Carbon Black CB Defense Report and get advice and tips from experienced pros sharing their opinions.