What is our primary use case?
Our primary use case is to detect any abnormal activity happening on the endpoint. Carbon Black Response works like CCTV which monitors every activity and every single process running on the operating system. We use it on Windows, Linux, and Mac. Once there is an abnormal action, there is a notification that is sent to the administrator.
The administrator will open up the GUI, the console for the Carbon Black Response, and start doing his investigation to get to the root cause for the issue if there is one.
What is most valuable?
The most valuable feature is its ability to seek out abnormal activity and to create alerts.
What needs improvement?
The first thing they can do is make it more available. It's not highly available, so you have to have a core server. If the primary server goes down, you need a new one. It's not available at the same time, however. It's not automatically swapped from one server to another.
The second thing is that they need to have a multi-tenancy feature, especially for the MSSP model. We wanted to have this solution in our stock so we could create a different tenant or one tenant per customer.
They also have to have a bigger number of watch lists pre-configured already. They should add file integrity monitoring as well. One of the major things that attackers will try to do is to modify files.
What do I think about the stability of the solution?
Stability is good because it's running on top of a Linux-based operating system, which makes it very stable.
What do I think about the scalability of the solution?
The solution is very scalable.
How are customer service and technical support?
I would rate technical support as 4.5 out of 5.
How was the initial setup?
The setup and implementation of the solution were easy.
What other advice do I have?
We are using both on-premises and cloud deployment models.
I would rate the solution eight out of ten. Carbon Black is a very good product, but you still have to work on it from the perspective of MLA analyzing and installation. You have to fine-tune it to create a watch list and so on. These are the main things that they need to work on in order to improve the EDR services on their product.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.