Carbon Black CB Response Overview

Carbon Black CB Response is the #4 ranked solution among the top Security Incident Response tools. IT Central Station users give Carbon Black CB Response an average rating of 8 out of 10. Carbon Black CB Response is most commonly compared to Carbon Black CB Defense (Carbon Black CB Response vs Carbon Black CB Defense). The top industry researching this solution is computer software companies, whose professionals account for 39% of all views.
What is Carbon Black CB Response?

CB Response is an industry-leading incident response and threat hunting solution designed
for security operations center (SOC) teams. CB Response continuously records and stores
unfiltered endpoint data, so that security professionals can hunt threats in real time and
visualize the complete attack kill chain. It leverages the CB Predictive Security Cloud’s
aggregated threat intelligence, which is applied to the endpoint activity system of record for
evidence and detection of these identified threats and patterns of behavior.

Carbon Black CB Response Customers

ALLETE

belk

Archived Carbon Black CB Response Reviews (more than two years old)

MA
Senior Software Developer Engineer at Diyar United Company
Reseller
Seeks out abnormal activity and creates alerts

Pros and Cons

  • "The most valuable feature is its ability to seek out abnormal activity and to create alerts."
  • "It's not highly available, so you have to have a core server. If the primary server goes down, you need a new one. It's not available at the same time, however. It's not automatically swapped from one server to another."

What is our primary use case?

Our primary use case is to detect any abnormal activity happening on the endpoint. Carbon Black Response works like CCTV which monitors every activity and every single process running on the operating system. We use it on Windows, Linux, and Mac. Once there is an abnormal action, there is a notification that is sent to the administrator.

The administrator will open up the GUI, the console for the Carbon Black Response, and start doing his investigation to get to the root cause for the issue if there is one.

What is most valuable?

The most valuable feature is its ability to seek out abnormal activity and to create alerts.

What needs improvement?

The first thing they can do is make it more available. It's not highly available, so you have to have a core server. If the primary server goes down, you need a new one. It's not available at the same time, however. It's not automatically swapped from one server to another.

The second thing is that they need to have a multi-tenancy feature, especially for the MSSP model. We wanted to have this solution in our stock so we could create a different tenant or one tenant per customer.

They also have to have a bigger number of watch lists pre-configured already. They should add file integrity monitoring as well. One of the major things that attackers will try to do is to modify files.

What do I think about the stability of the solution?

Stability is good because it's running on top of a Linux-based operating system, which makes it very stable.

What do I think about the scalability of the solution?

The solution is very scalable.

How are customer service and technical support?

I would rate technical support as 4.5 out of five.

How was the initial setup?

The setup and implementation of the solution were easy.

What other advice do I have?

We are using both on-premises and cloud deployment models.

I would rate the solution eight out of ten. Carbon Black is a very good product, but you still have to work on it from the perspective of MLA analyzing and installation. You have to fine-tune it to create a watch list and so on. These are the main things that they need to work on in order to improve the EDR services on their product.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
SD
Cyber Defense Consultant at a security firm
Reseller
Good configuring capabilities and provides good market information gathered from the community

Pros and Cons

  • "The market information they gather from the community is really good. Their configuration capabilities are good."
  • "They have different products, but if we wanted to take their protection and their EPR, then we would need to have two agents"

What is most valuable?

The market information they gather from the community is really good. Their configuration capabilities are good.

What needs improvement?

One of the big issues we're facing is that their solution doesn't support multi-tenants. The second area for improvement is that they have different products, but if we wanted to take their protection and their EPR, then we would need to have two agents. In our scenario, having a client work within the cloud is not an option, so we cannot extend the support for Carbon Black to provide the protection that comes from Carbon Black. This will cause resource consumption.

What I would like to see in the new platform is for it to have a higher visibility for being able to fix the solution. Having also just the visibility to separate the collectors on site. If the informed agent can connect to the collectors the ability to be connected to the management consult or superior management directly.

What do I think about the stability of the solution?

So far we had an issue connected to the hardware. I think there was an error that happened, so from their software, we had no issue with stability. Not from agents or from the server itself. But an area they need to improve on is that they need to have an option for higher availability. We can't provide a good solution if we need to rely on virtualization, higher availability. So they need to work on building their forum support for higher availability.

What do I think about the scalability of the solution?

In terms of their scalability, so far I think we have around 5,000 endpoints. We had no issues because of the hardware. The resources could prevent the number of endpoints. They should reconsider the design of the solution where you can have them supporting all kinds of designs where you can install an aggregator or connectors for small branches that are our size and have that to provide management consultancy.

Our newest driver manages to the service provider so they cannot just make all the connection there go onto the consult of the management server. We need some kind of component that could communicate to the management. Instead of having each endpoint communicate with management.

How are customer service and technical support?

They need a big change in the region because they don't have much presence. I think they need to have to train a new manager, but they don't have enough presence. So when we need to work with their office, which is in the U.K., it is kind of a challenge. I think they need to have more support here locally. From a support perspective, our team is happy with their support so far; they haven't reported any big issue with them providing us with support.

How was the initial setup?

The initial setup is straightforward. We already know how to do it but I think for maybe other clients if they do it, it can be a bit challenging.

What other advice do I have?

I would recommend anyone to go ahead with Carbon Black if they are looking for an EDR solution. From my experience with selling, some people have a misunderstanding of what it is they are supposed to do. I would recommend going with it but be aware that you will be overwhelmed with the number of receipts which require somebody to begin to follow up and investigate each incident. This is not something bad, it's something good because of the way that security goes, you need to go through every incident to understand whether it is a false positive or true positive so they need to be reviewed. This is not an automated solution, it's something that somebody needs to take care of.

I would rate this solution as a 9.5 out of 10. We know what we are doing. We know we bought Carbon Black for a reason, so we are aware of everything and it's doing its job. We see that there is an area for enhancement; I think the product or business unit or product management needs to look more into an area for enhancement, which is just part of it. So that is why I didn't give it a ten. A 9.5 is fair for them. Maybe other people would think to rate it lower, but that is because they have a misunderstanding about what Carbon Black is about.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
MY
Senior Information Security Specialist at a tech services company with 1,001-5,000 employees
Real User
A scalable solution that integrates well across platforms

Pros and Cons

  • "Integration and scalability are the most valuable."
  • "It's not simple."

What is our primary use case?

We use it for platform metrics, for all use cases. This is the only thing that works, this product. Carbon Black is a process listener. You can call back all processes, each process on the client side or the server side. You can retrieve all the information on a process level, and you can combine all the things with an end use case.

What is most valuable?

Integration and scalability are the most valuable. For example, if you chose a cloud solution, it's not very scalable, because it doesn't support any integration. But on the client side, you can combine materials, you can combine everything. You can add anything.

What needs improvement?

Maybe it's too verbose for a junior user or admin. You have to know some basic rules. It's not simple. For a junior engineer, it's confusing. It's hard to use Carbon Black Response. It will take time. It may take more than one year to understand the uses of the product.

I'd like the ability to see all the kernel-side features also on the client side.

For how long have I used the solution?

I've been using the solution for one and a half years.

What do I think about the stability of the solution?

I think it's very stable. It depends on Linux kernel stability. That's all.

What do I think about the scalability of the solution?

Scalability of integration features is low, on the client-side.

How was the initial setup?

Initial setup, with two people, it's easy. We deployed it easily.

What about the implementation team?

We've implemented it ourselves in the past but have also used an integrator in some instances.

What other advice do I have?

I would rate this solution a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Imad Taha
Group CIO at a construction company with 10,001+ employees
Real User
Top 20
An endpoint line of defense against malware and ransomware with scheduled network scans

Pros and Cons

  • "Carbon Black insures the probability that any ransomware will be stopped before spreading."
  • "The cloud console has a lot of bugs and issues in the analysis part."

What is our primary use case?

Our primary usage for this solution is as an endpoint response. We use Carbon Black as a threat line of defense for the endpoints.

How has it helped my organization?

Carbon Black ensures the probability that any ransomware will be stopped before spreading. This is very important. The solution provides this for our business.

What is most valuable?

The feature we have found most valuable in Carbon Black is the defense.

What needs improvement?

This product has room for improvement in the cloud console. The cloud console has a lot of bugs and issues in the analysis part.

The additional features I would like to see included in the next release are IT access components. We need to have IT access as a feature like CrowdStrike.

For how long have I used the solution?

We have been using Carbon Black for one year now.

What do I think about the stability of the solution?

The stability of use for Carbon Black CB Response is high. I give it a 9/10.

What do I think about the scalability of the solution?

Carbon Black is scalable enough for us. We require two staff for deployment and maintenance. I am happy with it. I'm planning to send a full group on it next.

How are customer service and technical support?

The technical support did help us to solve some issues. It is not fully satisfactory here in the region. I rate it at 7/10.

It's good but it can be better, especially for installation and on-site support.

Which solution did I use previously and why did I switch?

We switched because of the effectiveness of Carbon Black. The software has a feature whereby it does not remove a threat, but it kills its effect.

Then later, you can do the scan in the night or the next day. I don't want to make the killing an unwatched process until the IT professionals decide what to do as a next step.

Carbon Black stops malware from spreading. It stops the spreading of bad effects from illicit users, viruses, and malware.

How was the initial setup?

The initial setup is complex, but once you build it, it is smooth. In the beginning, it's a little bit confusing.

What about the implementation team?

In the first installation, we went with a consultant.

What other advice do I have?

I recommend using Carbon Black, but get enough training before deploying. This is very important.

On a scale from 1 to 10, I would rate this product an 8.5 overall.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user1009236
SOC Analyst at a tech services company with 201-500 employees
Real User
Automatically detects many viruses, malware, and other threats on our network

What is our primary use case?

I did some tests when they came out with the solution because my manager wants an assessment with Carbon Black. I tested the solution for two weeks. It was good.

How has it helped my organization?

The tools are good. Carbon Black detects many threats, and problems for me.

What needs improvement?

The dashboard should be more user-friendly. The additional features I would like to see included in the next release are better analytics and report generation.

For how long have I used the solution?

I have been using Carbon Black for less than one year.

What do I think about the stability of the solution?

They're highly stable in comparison with other solutions I have.

What do I think about the scalability of the solution?

The scalability, in my testing, is very good.

How are customer service and technical support?

The support with the platform by Carbon Black is good. I don't have a problem with it.

How was the initial setup?

The initial setup was very easy.

What about the implementation team?

We used an integrator company for the setup.

Which other solutions did I evaluate?

Carbon Black is the leader in the market on many web boards.

What other advice do I have?

On a scale from one to ten, I would rate Carbon Black CB Response at a nine. They should improve the dashboard and provide more helpful tools.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
AD
Security Analyst at a financial services firm with 10,001+ employees
Real User
Enables us to remotely analyze infected machines without delay

Pros and Cons

  • "The most valuable features are the threat-hunting and the batch console."
  • "They need to improve the batch console. It needs more capabilities. We are limited by the ones it provides..."

What is our primary use case?

When a machine gets infected we need to have a memory dump and to interact with it. We use this solution as a good way to extract that information from an infected machine.

How has it helped my organization?

When a machine gets infected and the user is not in sight, you cannot go to the user and ask them to analyze their machine, what was in their system. With this solution, you can do so remotely. This is valuable because you don't have to bring the computer onsite to analyze it. Even if the user is doing something wrong, like stealing information from the company, you can detect it remotely, capture it remotely, and have this information to analyze it afterward.

It saves the time required to take an image of a machine onsite. You get to the machine and make it live. You don't have to wait. Whatever activity you have to do on the machine can be done right away.

In addition, it helps us to be sure of the type of infection we have which helps reduce response time and provide a better solution to what is happening. It decreases response time by about 40 percent.

What is most valuable?

The most valuable features are the threat-hunting and the batch console.

What needs improvement?

They need to improve the batch console. It needs more capabilities. We are limited by the ones it provides, although we can type commands from the native operating system.

What do I think about the stability of the solution?

The stability is fine.

What do I think about the scalability of the solution?

It has pretty good scalability.

How are customer service and technical support?

I have not used technical support.

Which solution did I use previously and why did I switch?

This system is the only one I have used.

How was the initial setup?

The initial setup was pretty straightforward.

What about the implementation team?

The vendor installed it and gave us some training so we would know how to use the tool and how to deploy it in our systems.

Which other solutions did I evaluate?

I was not part of the decision-making process. It was the engineers who decided.

What other advice do I have?

You need to analyze your organization's needs. If you just want to protect things, it's very useful.

I rate the solution at eight out of ten because they need to improve the console. We would like it to let us type commands that are native to the operating system, not the ones that are included in the product.

The product, in terms of maturity, is still at the very beginning.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
it_user870717
Consulting IT Architect
Real User
Excels at providing context to indicators when responding to incidents

Pros and Cons

  • "Carbon Black Cb Response excels at providing context to indicators when responding to incidents. It allows responders to understand the entire scope of an incident and quickly contain it to minimize impact and disruption."
  • "The solution needs to simplify the process of adding custom watchlists, as well as embrace YARA for rule creation."
  • "Setup is incredibly complex and poorly documented. Every time an upgrade was needed we would need to engage Professional Services for troubleshooting help. Certificates and web services proved to be the most significant sticking points. Since the product runs on a Linux platform, perhaps having staff with more Linux experience could have alleviated some difficulty."

What is our primary use case?

CBR was used as an intrusion detection platform as well as for IOC enhancement during incident response and forensics activities on a 25,000+ host Windows-based environment.

How has it helped my organization?

Carbon Black Cb Response significantly reduced time to containment in the environment which enabled the isolation of incidents to single hosts or network segments.

What is most valuable?

Carbon Black Cb Response excels at providing context to indicators when responding to incidents. It allows responders to understand the entire scope of an incident and quickly contain it to minimize impact and disruption. In incident response speed is of the utmost importance, as many incidents can quickly spread through the entire organization if not immediately contained.

What needs improvement?

The solution needs to simplify the process of adding custom watchlists, as well as embrace YARA for rule creation.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It is an incredibly stable product, and I do not remember any significant stability issues on the server side. On the client side, there may be some performance issues related to Citrix servers.

What do I think about the scalability of the solution?

Scales very well up to 50,000 nodes. It is simply a matter of adding more Solr shards. Beyond that, I do not have experience.

How are customer service and technical support?

While their Professional Services are expensive, their team is second to none in problem-solving.

How was the initial setup?

Setup is incredibly complex and poorly documented. Every time an upgrade was needed we would need to engage Professional Services for troubleshooting help. Certificates and web services proved to be the most significant sticking points. Since the product runs on a Linux platform, perhaps having staff with more Linux experience could have alleviated some difficulty.

What's my experience with pricing, setup cost, and licensing?

Purchase Professional Services up front as part of the implementation package, then renew hours annually to ensure you have adequate support for upgrades and enhancements. Overbuy by at least 10% to account for infrastructure growth.

What other advice do I have?

Ensure that you have sufficient resources to dedicate to maintaining and utilizing the product, including maintenance staff as well as incident responders and threat hunters. Be prepared to define metrics and use them to quantify the ROSI. Ensure that this product meets a defined goal within your organization's WISP.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user835122
Cyber Security Manager at an insurance company with 51-200 employees
Real User
Enhanced logging allowed us to quickly identify/resolve security issues

Pros and Cons

  • "The enhanced logging and data analysis of the incident response and investigation components allowed us to quickly identify and resolve security issues before they could spread."
  • "The ability to quickly isolate a system from the network, while still being able to perform some forensics and mitigation work remotely, was of great value to us since we had many mobile and distributed systems."
  • "We also took full advantage of its incident response reporting capabilities to act as a “black box” for our infrastructure around strings of suspicious activity. The reporting and incident response capabilities were incredibly helpful during active security concerns."
  • "For setup, the server can be given to you as a VM image and with minimal configuration needed."
  • "The biggest issue I encountered was one where old logs were not being overwritten as expected so the system drive kept filling up from time to time. However, support was usually quite responsive and happy to jump on a remote session to take a look at it for us. That log bug has probably been resolved with an update by now."

What is our primary use case?

We used Cb Response for hands-on computer incident response for our infrastructure, installing it on all of our servers and high-value workstations.

How has it helped my organization?

The enhanced logging and data analysis of the incident response and investigation components allowed us to quickly identify and resolve security issues before they could spread.

Cb Response’s root-cause analysis and anomaly detection gave us quick warnings and allowed us to start actively threat hunting, instead of taking a passive approach to security.

What is most valuable?

The ability to quickly isolate a system from the network, while still being able to perform some forensics and mitigation work remotely, was of great value to us since we had many mobile and distributed systems.

We also took full advantage of its incident response reporting capabilities to act as a “black box” for our infrastructure around strings of suspicious activity. The reporting and incident response capabilities were incredibly helpful during active security concerns.

What needs improvement?

Cb Response is really designed to complement Carbon Black’s Defense product. While Response can be used on its own, coupling with Defense seems like the best strategy if you can afford the price tag. In the end, other antivirus tools and log aggregation solutions seem to have started to incorporate many of Cb Response’s signature features, lessening its value proposition for some organizations.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We did have a couple of bugs/issues. The biggest issue I encountered was one where old logs were not being overwritten as expected, so the system drive kept filling up from time to time. However, support was usually quite responsive and happy to jump on a remote session to take a look at it for us. That log bug should have been resolved with an update that was available right around the time I stopped working with the system and left the company.

What do I think about the scalability of the solution?

No issues with scalability. Server deployment was quite easy and the client rollout was handled by remote install tools (we used SCCM to take care of it).

How are customer service and technical support?

Excellent. The techs were always knowledgeable about the product. On a scale of one to 10, I’d go eight.

Which solution did I use previously and why did I switch?

We did not have a similar, previous solution that we were replacing. This was part of an initial push we were trying to make at the time into better systems security.

How was the initial setup?

Very straightforward. There is excellent documentation and training provided by Carbon Black around setting up this solution; it takes out all the guesswork. The server can be given to you as a VM image with minimal configuration needed. That makes setup a snap for any experienced sysadmin.

What's my experience with pricing, setup cost, and licensing?

We had no issues purchasing through our preferred reseller and were able to get a fair price even when not purchasing direct. Carbon Black Enterprise Response didn’t break the bank, though adding on the matching antivirus and anti-malware components of the Protect product was more than we could afford, even with some discounting.

Which other solutions did I evaluate?

There wasn’t much similar to Response that I was familiar with at the time. Though some other vendors are starting to include similar features now, Response was a leader when we selected it. Now there is a growing number of open-source projects, such as TheHive, and other vendors are incorporating similar features into their general security products, so I believe the landscape has changed a bit and things are getting more competitive for the needs Response fills.

What other advice do I have?

Explore all options in the space and see if you’re ready to really use an incident response platform such as this for threat hunting in your environment, or if you should focus on closing some other large security gaps first. I think everyone should be working towards the kind of threat hunting and incident response that Carbon Black Enterprise Response enables, but many organizations still need to make sure they’re taking care of other security controls before they move on to these more advanced tools.

If you’re ready for it, Enterprise Response is a cinch to set up and takes a lot of the guesswork out of trying to track security concerns through your environment, so it may be very worth your while.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user835119
Technical Support Specialist at a financial services firm
Real User
We are able to remotely isolate exploited endpoints in seconds

Pros and Cons

  • "We are able to remotely isolate exploited endpoints in seconds and perform a live deep dive of any endpoint into its running processes (as necessary) without the need for extra scripts.​"
  • "​The ability to isolate an endpoint with only the host name and a click of a button is a major time saver."
  • "The threat intelligence feed could use some fine tweaking."
  • "We are subscribed to FS-ISAC threat indicator, but have been unsuccessful in adding it to our alliance feeds."

What is our primary use case?

We use Cb Response primarily as our incident response tool. Our environment has more than 300 users handling sensitive client information, like financial data and personally identifiable information, so security is a huge concern. When we receive an incident report from our SOC, our first move is to isolate the endpoint, and Cb Response does that seamlessly. We are also able to use the product to perform an in-depth binary process analysis to see if there were any suppressed malicious services.

How has it helped my organization?

Cb Response is our primary incident response tool. With this product in our hands, we are able to remotely isolate exploited endpoints in seconds and perform a live deep dive of any endpoint into its running processes (as necessary) without the need for extra scripts.

What is most valuable?

The ability to isolate an endpoint with only the host name and a click of a button is a major time saver. No need to go hunting for an IP or typing in terminal.

What needs improvement?

The threat intelligence feed could use some fine tweaking. We are subscribed to FS-ISAC threat indicator, but have been unsuccessful in adding it to our alliance feeds. So, rather than Cb Response being able to pull the data from the feed, we have to manually blacklist MD5 hashes.

For how long have I used the solution?

Less than one year.
Disclosure: I am a real user, and this review is based on my own experience and opinions.