Carbon Black Cb Response Review

Enhanced logging allowed us to quickly identify/resolve security issues


What is our primary use case?

We used Cb Response for hands-on computer incident response for our infrastructure, installing it on all of our servers and high-value workstations.

How has it helped my organization?

The enhanced logging and data analysis of the incident response and investigation components allowed us to quickly identify and resolve security issues before they could spread.

Cb Response’s root-cause analysis and anomaly detection gave us quick warnings and allowed us to start actively threat hunting, instead of taking a passive approach to security.

What is most valuable?

The ability to quickly isolate a system from the network, while still being able to perform some forensics and mitigation work remotely, was of great value to us since we had many mobile and distributed systems.

We also took full advantage of its incident response reporting capabilities to act as a “black box” for our infrastructure around strings of suspicious activity. The reporting and incident response capabilities were incredibly helpful during active security concerns.

What needs improvement?

Cb Response is really designed to complement Carbon Black’s Defense product. While Response can be used on its own, coupling with Defense seems like the best strategy if you can afford the price tag. In the end, other antivirus tools and log aggregation solutions seem to have started to incorporate many of Cb Response’s signature features, lessening its value proposition for some organizations.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We did have a couple of bugs/issues. The biggest issue I encountered was one where old logs were not being overwritten as expected, so the system drive kept filling up from time to time. However, support was usually quite responsive and happy to jump on a remote session to take a look at it for us. That log bug should have been resolved with an update that was available right around the time I stopped working with the system and left the company.

What do I think about the scalability of the solution?

No issues with scalability. Server deployment was quite easy and the client rollout was handled by remote install tools (we used SCCM to take care of it).

How are customer service and technical support?

Excellent. The techs were always knowledgeable about the product. On a scale of one to 10, I’d go eight.

Which solutions did we use previously?

We did not have a similar, previous solution that we were replacing. This was part of an initial push we were trying to make at the time into better systems security.

How was the initial setup?

Very straightforward. There is excellent documentation and training provided by Carbon Black around setting up this solution; it takes out all the guesswork. The server can be given to you as a VM image with minimal configuration needed, which makes setup a snap for any experienced sysadmin.

What's my experience with pricing, setup cost, and licensing?

We had no issues purchasing through our preferred reseller and were able to get a fair price even when not purchasing direct. Carbon Black Enterprise Response didn’t break the bank, though adding on the matching antivirus and anti-malware components of the Protect product was more than we could afford, even with some discounting.

Which other solutions did I evaluate?

There wasn’t much similar to Response that I was familiar with at the time. Though some other vendors are starting to include similar features now, Response was a leader when we selected it. Now there is a growing number of open-source projects, such as TheHive, and other vendors are incorporating similar features into their general security products, so I believe the landscape has changed a bit and things are getting more competitive for the needs Response fills.

What other advice do I have?

Explore all options in the space and see if you’re ready to really use an incident response platform such as this for threat hunting in your environment, or if you should focus on closing some other large security gaps first. I think everyone should be working towards the kind of threat hunting and incident response that Carbon Black Enterprise Response enables, but many organizations still need to make sure they’re taking care of other security controls before they move on to these more advanced tools.

If you’re ready for it, Enterprise Response is a cinch to set up and takes a lot of the guesswork out of trying to track security concerns through your environment, so it may be very worth your while.

Disclosure: I am a real user, and this review is based on my own experience and opinions.