Carbon Black CB Defense Review

Symantec opened our eyes to be able to see what's out there, but then we needed Carbon Black to be able to actively fix it


What is our primary use case?

We are a partner in the managed security service provider (MSSP) space. We service hundreds of customers globally. We implement these solutions on behalf of our customers. 

With Carbon Black, we've been using them for about six years. We're an MSSP and channel partner with them, as well as an incident response partner. We were like the second incident response company registered with them (through that program) to start using the cb Defense platform. We also integrate it with SIEM. However, we're using it in a managed service capacity. We usually implement it, then manage the platform for our clients long-term. It's used for traditional antivirus, real-time threat protection and prevention, and it also provides us with the ability to do more in-depth investigations into endpoints. With the product, we can do a bit of threat hunting along with managed detection and response. The platform works quite well using it in this capacity.

With Symantec, we have been using it for about six years. We integrate it with our SIEM products. We have a lot of customers who actually run it, so we see it quite often. We collect a lot of data from Symantec and help with responding to anything that Symantec finds. We've had a chance to use the product quite a lot.

What is most valuable?

The biggest feature out of Carbon Black is its ability to dive in with more depth. You can look at the entire kill chain and understand, not only if an alarm or identified incident is truly a true security issue versus a false positive, and it allows us to backtrack and figure out why it actually happened and how it got into the environment. It also helps us determine what other things may have been impacted along with it, from an asset standpoint. It allows us to go into more depth than a more traditional antivirus, like Symantec.

Symantec is more of a traditional antivirus. A lot of it is signature-based. It works quite well for normal protection. It is pretty stable and consistent. It seems to work across the board. There are no real issues to speak of it, which is a definitely a positive thing. One of the more beneficial things is that it does include the active endpoint firewall with it, which allows your endpoints to have a bit more above the standard Windows firewall, then collect all the logs from that. This is a good feature from their firewall piece. Also, the logging out of Symantec is quite good, as you put a lot of great logs into a SIEM or any other log collector from the platform.

The difference between the two products is the level of visibility and depth that you get when investigating alarms or issues. You can go a bit deeper with Carbon Black. Symantec does have an additional add-on, which we have not seen since it is a relatively new component. They call it Advanced Threat Protection. It uses the same endpoint, but has a separate license with additional costs, which is meant to allow you to go a little deeper in terms of endpoint and incident investigations. However, it doesn't provide the interactive drill down, prevention, and response capabilities that you need to be able to isolate a system, delete files, or actively kill processes which have been helpful with Carbon Black.

What needs improvement?

Symantec needs more investigative features out-of-the-box. Though, they are using the Advanced Threat Protection add-on to correct some of this. It is also not quite as feature-rich as some of the more advanced MDR platforms out there.

Carbon Black needs to do a better job of proving their platform in the industry, and providing a bit more access to do industry testing with real world examples to help prove their platform. In additional, they have been actively porting over a lot of features from some of their other products, and they should continue to expand on that. Going forward, this will be extremely helpful.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

We've been quite happy with the stability of Carbon Black. 

Symantec has a much longer history of having a good, proven, stable platform. That is the big difference. 

I can't really speak to any particular issues that we've had with one versus the other. They both seem pretty good.

What do I think about the scalability of the solution?

The scalability is about the same between Carbon Black and Symantec. I don't know that we've actually tried to use them in an environment that was large enough to cause us any sort of issues, or even thought twice about scalability. Both of these products work quite well in extremely large environments.

One thing to consider with Carbon Black is you do have much more data. You can define many more policies that are more specific to groups. The management of that becomes more difficult as the environment gets larger. I don't think that necessarily is the case with Symantec. It might end up being a bit more time consuming to manage Carbon Black as it gets larger. In terms of these products' capabilities and the ability to support large environments all the way down to small ones, I don't think it matters.

How are customer service and technical support?

Carbon Black has a great community portal which has all sorts of documentation where you have the ability to ask questions and people answer it quite well. There is a lot of material there with access to content, which assists with the learning and troubleshooting.

If you previously used a different solution, which one did you use and why did you switch?

Because of the limitations that Symantec provided, and the fact that we were seeing data that was extremely helpful from the Symantec logs, yet it didn't provide us a way to investigate it further or respond to it. This led us down a path of looking for a platform like Carbon Black, which has allowed us to handle the data without having to add additional products. This opened our eyes to be able to see what's out there, but then we needed something to be able to actively fix it, as well.

How was the initial setup?

Symantec is a more traditional platform where you set it up and install it. If you're using a cloud platform, then you obtain access to the system. You need to define all the exceptions that you know need to be implemented based on the applications that you are running. Then, you deploy your endpoints, which should pull down the policies with the approved exceptions. Then, you work through any issues. 

With Carbon Black, you have to go through a longer period of monitoring what exists in the environments. We deploy the agents in a monitoring type only mode, which can exist alongside another antivirus product, like Symantec.

You could technically have Symantec installed in normal mode, then Carbon Black in monitoring mode right next to it. We let that run for a period of time to gather information about what is running in the environment actively to help identify the types of things that we'll have to build policies around. The policies can be pretty in-depth, so it can take quite a long time to actually build them, if you want to be extremely careful about not creating any false negatives in the environment. 

It can take quite a bit longer to implement Carbon Black properly. It takes one to two days to implement Symantec. Though, I don't know for certain, because we don't implement it. For Carbon Black, we typically look at three to eight days of active work over a period of a couple of months to get it implemented, working properly, and tuned up correctly.

What's my experience with pricing, setup cost, and licensing?

The licensing costs are comparable between the two products. If you're purchasing the product, they're both typically a traditional license model with an annual type fee or multiyear. The fees are the cost of the professional services to get the system up and running. It depends on the size of the environment. The size and complexity are what it really comes down to. It will be relatively consistent with whether it was MSSP versus a direct purchase.

Carbon Black might be a touch more expensive. They tend to get a premium for their capabilities. They're sort of an industry leader in a lot of areas with the functionality that they provide. 

Symantec gets a bit more aggressive with their pricing, and with their discounts as well. They do have a much larger customer base because they've been around so long.

As an MSSP, we do provide the entire platform on a monthly fee, which a lot of people do like, because that rolls the licensing and all of the management into the cost of the system on a per endpoint basis, paying for the initial costs to get up and running. Even if it's a three to five year implementation, it will be a fixed monthly cost, assuming the number of endpoints doesn't change. That's one good thing about the Carbon Black MSSP program that we have access to is that flexibility with the monthly billing. With very large implementations, this could be a significant difference in spend over three years versus having to do one extremely large capital purchase.

What other advice do I have?

Symantec aligns with a more traditional antivirus that a lot of people are just more familiar with. It has traditional signature sets, exceptions, and policies. When you're talking medium sized implementations, where it's several hundred or a couple thousand endpoints, it's pretty straightforward. 

The learning curve with Carbon Black is considerably more extensive. You have considerably more ability in the platform to do investigations and custom policies, as it can do more in-depth searches and queries about what's actually going on at an endpoint level, which you don't have with Symantec. You really have to understand exactly what you're trying to accomplish. The product itself works quite well. It's pretty intuitive, but there is so much more data and capabilities at your fingertips. It definitely takes more time to learn it.

If you are evaluating these products: Evaluate what your enterprise looks like and what your current security controls are. Understand what exists, what needs to be protected, and what other tools there are in the organization. This makes a big difference in the decision-making process. For example, Carbon Black is 100 percent cloud-based. There is no on-premise option. If you have requirements for systems that can't access the internet, whether it be classified environments or otherwise, it's more difficult to get as much value out of a system which is only cloud-based if you have air gaps. A more traditional on-premise solution might work better, like Symantec, in this scenario. However, if you have a largely mobile workforce with a lot of high risk employees who travel, having cloud-based works perfectly for that sort of environment, as you're getting data with the ability to access and respond to issues regardless of where systems are, as long as they're online.

However, if EDR tools already exist in an environment, you might not need a full in-depth product, like CarbonBlack, where a more traditional antivirus coupled with another EDR product might get you the capabilities that you need. Albeit, it would require multiple products to cover the environment. 

I would rate Carbon Black as a nine out of ten, because it provides industry leading features, which give us the ability to do the investigations that we need to. It just makes an enormous difference.

I would rate Symantec as a seven out of ten. It works quite well. It is feature-rich, stable, more traditional product.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Add a Comment
Guest

Sign Up with Email