Carbon Black Cb Response Review

Excels at providing context to indicators when responding to incidents


What is our primary use case?

CBR was used as an intrusion detection platform as well as for IOC enhancement during incident response and forensics activities on a 25,000+ host Windows-based environment.

How has it helped my organization?

Carbon Black Cb Response significantly reduced time to containment in the environment which enabled the isolation of incidents to single hosts or network segments.

What is most valuable?

Carbon Black Cb Response excels at providing context to indicators when responding to incidents. It allows responders to understand the entire scope of an incident and quickly contain it to minimize impact and disruption. In incident response, speed is of the utmost importance, as many incidents can quickly spread through the entire organization if not immediately contained.

What needs improvement?

The solution needs to simplify the process of adding custom watchlists, as well as embrace YARA for rule creation.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It is an incredibly stable product, and I do not remember any significant stability issues on the server side. On the client side, there may be some performance issues related to Citrix servers.

What do I think about the scalability of the solution?

Scales very well up to 50,000 nodes. It is simply a matter of adding more Solr shards. Beyond that, I do not have experience.

How is customer service and technical support?

While their Professional Services are expensive, their team is second to none in problem-solving.

How was the initial setup?

Setup is incredibly complex and poorly documented. Every time an upgrade was needed, we would need to engage Professional Services for troubleshooting help. Certificates and web services proved to be the most significant sticking points. Since the product runs on a Linux platform, perhaps having staff with more Linux experience could have alleviated some difficulty.

What's my experience with pricing, setup cost, and licensing?

Purchase Professional Services up front as part of the implementation package, then renew hours annually to ensure you have adequate support for upgrades and enhancements. Overbuy by at least 10% to account for infrastructure growth.

What other advice do I have?

Ensure that you have sufficient resources to dedicate to maintaining and utilizing the product, including maintenance staff as well as incident responders and threat hunters. Be prepared to define metrics and use them to quantify the ROSI. Ensure that this product meets a defined goal within your organization's WISP.

Disclosure: I am a real user, and this review is based on my own experience and opinions.