The use of end-user devices such as computers, mobile devices, Internet of Things (IoT) devices, and other networked equipment in corporate networks creates attack paths for security threats. This has created a large market for what is now known as endpoint security. The endpoint security market has evolved over the years from traditional antivirus software into a modern security solution that includes next-generation antivirus, threat detection and response, firewall, device management, anti-theft, encryption, intrusion prevention, data leak protection (DLP), parental control, and other technologies to mitigate evolving threats.
This modern endpoint security solution is known as an Endpoint Detection and Response (EDR) solution. EDR tools continually monitor endpoints to identify malware, suspicious behavior, and advanced persistent threats, and alert administrators accordingly. They do this by collecting and aggregating data from endpoints and other sources. One of the leading EDR tools in the market today is VMware Carbon Black. In this article, we will examine the Carbon Black endpoint security solution in detail, including how it works, key security features, protection and performance capabilities, and available alternatives. Hopefully, this will guide you in choosing the right endpoint security solution for your business.
What is VMware Carbon Black?
VMware Carbon Black EDR is an incident response and threat-hunting solution that combines next-gen antivirus with EDR technology to create a comprehensive endpoint protection solution against cyberattacks. The solution includes an on-premises and cloud-based endpoint protection capability known as Carbon Black Cloud. This enables it to apply behavioral analytics to endpoint events to achieve greater efficiency in detection, prevention, and response to cyber-attacks.
The solution is ideal for Security Operations Center (SOC) teams responsible for threat hunting and incident response in a hybrid (on-premises and cloud) environment. Other common use cases include breach preparation, alert validation and triage, root cause analysis, forensic investigations, and host isolation.
Key features and capabilities are as follows:
- Centralized access to continuously recorded endpoint data means that security teams have the information they need to detect and respond to threats in real time.
- Carbon Black’s robust partner ecosystem and the open platform allow security teams to integrate this EDR tool into their existing security stack.
- Automated watchlists and multiple customizable threat intel feeds enable rapid identification of attacker activities and root cause.
- Intuitive, interactive attack chain visualization makes identifying the root cause fast and easy.
- Live response enables rapid remediation on the affected endpoint.
Carbon Black EDR can be deployed on-premises, in the cloud, or as a combination of both (hybrid deployment). It is also available via managed security service providers (MSSPs) or directly as a subscription-based SaaS offering. Supported platforms include Windows, macOS, and Linux (Red Hat, CentOS, and SuSE).
How Does Carbon Black Work?
The real power of Carbon Black EDR comes from its use of AI and behavioral analytics to detect and prevent attacks. This sets it apart from traditional antivirus software, which relies primarily on file-based malware signatures.
Carbon Black EDR works by deploying sensors and applying security policies to endpoints. Once you have deployed sensors to endpoints and applied policies, you will be able to view information such as attack vectors, prevented attacks, and a summary of overall endpoint health and your organization’s overall security status on the Carbon Black dashboard.
The sensors continuously monitor and record endpoint activity data, which gives security teams the visibility required to respond to attacks in real time. The platform applies the VMware Carbon Black Cloud's aggregated threat intelligence to those endpoint activity records to detect threats and abnormal patterns of behavior. It then alerts security teams and blocks the observed threats.
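To make the feature list and the description above concrete, here is an added example (not Carbon Black code, and not its event format) that applies two of the mechanisms the article names, a threat-intel watchlist and a behavioral rule, to a constructed set of recorded process events and walks the parent links back to reconstruct the attack chain for root-cause identification. The event fields, hash values, and watchlist entries are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass  # one recorded process-start event (constructed format, not a vendor schema)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    sha256: str

# Constructed sample of recorded endpoint activity; not real telemetry.
EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "hash-explorer"),
    ProcessEvent(200, 100, "winword.exe", "hash-winword"),
    ProcessEvent(300, 200, "cmd.exe", "hash-cmd"),
    ProcessEvent(400, 300, "powershell.exe", "hash-loader"),
]

# Constructed watchlist standing in for a threat-intel feed: hash -> label.
WATCHLIST: Dict[str, str] = {"hash-loader": "known loader (constructed)"}

# Behavioral rule: an office application spawning a command interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe"}

def attack_chain(events: List[ProcessEvent], pid: int) -> List[str]:
    """Follow parent links back to the root so the chain reads root -> leaf."""
    by_pid = {e.pid: e for e in events}
    chain: List[str] = []
    cur = by_pid.get(pid)
    while cur is not None:
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return chain[::-1]

def detect(events: List[ProcessEvent]) -> List[dict]:
    """Apply the watchlist and the behavioral rule to each event; return alerts."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        reasons = []
        if e.sha256 in WATCHLIST:
            reasons.append("watchlist: " + WATCHLIST[e.sha256])
        parent = by_pid.get(e.ppid)
        if parent and parent.image in OFFICE_APPS and e.image in INTERPRETERS:
            reasons.append(f"behavior: {parent.image} spawned {e.image}")
        if reasons:  # one alert per event, carrying the reconstructed chain
            alerts.append({"pid": e.pid, "reasons": reasons,
                           "chain": attack_chain(events, e.pid)})
    return alerts
```

Running `detect(EVENTS)` yields two alerts: the behavioral rule fires on cmd.exe (pid 300) because its parent is winword.exe, and the watchlist fires on powershell.exe (pid 400); both carry the chain explorer.exe -> winword.exe -> cmd.exe -> powershell.exe, whose office-document stage is the root cause an analyst would look at first.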
Carbon Black EDR Protection and Performance Capabilities
In recent AV-Test results, VMware Carbon Black Cloud (Endpoint Standard) scored 5.0/6.0 for protection (preventing attacks) and 5.0/6.0 for performance, and 6.0/6.0 for usability, which measures its impact on the usability of the endpoint. Carbon Black also met all the certification criteria for AV-Comparatives and was given the AV-Comparatives Approved Business Security Product Award for December 2021.
In the latest MITRE Engenuity ATT&CK Evaluation, VMware Carbon Black Cloud delivered robust telemetry coverage with correlated, high-fidelity alerts at every step of the detection test, providing complete visibility into any similar real-world threat. VMware Carbon Black recently pioneered the use of network detection and response (NDR) via NSX Advanced Threat Prevention, together with VMware Carbon Black Cloud, to correlate detected threats across endpoint and network telemetry.
Carbon Black Pricing and Support
VMware does not display Carbon Black pricing details publicly on its website and does not offer free trials. This seems out of tune with most modern security providers. Notwithstanding, a hands-on simulation lab and online demo are available on schedule, and the product can be purchased through a network of partners and resellers. This means that you'll have to request quotes from these partners to get an idea of the total cost of ownership. In general, pricing depends on factors such as the number of endpoints you're buying protection for and the subscription term measured in years. Multi-year subscriptions provide greater discounts.
Carbon Black support consists of phone, email, and an online self-service portal containing a knowledge base of articles and documents detailing how to use the product, plus training options ranging from on-demand videos to instructor-led classes. The Carbon Black community forum also provides support from other users; however, you will be required to log in to view content.
Is VMware Carbon Black Worth It?
VMware Carbon Black is certainly one of the emerging and top-rated EDR tools on the market today. Its ability to analyze and make sense of billions of endpoint events, together with a single central administrative console, gives security teams higher levels of control and visibility. Similarly, its investigation and remediation features make it ideal for SOC and incident response (IR) teams and MSSPs.
Smaller networks with limited IT staff and no dedicated security team will lack the bandwidth to make full use of the software's capabilities. Organizations and security teams looking to keep Mean Time To Resolution (MTTR) as low as possible will find Carbon Black very appealing. If you conclude that VMware Carbon Black is not the right EDR solution for your business, check out the possible EDR alternatives below.
VMware Carbon Black Alternatives
If you conclude that VMware Carbon Black is not best suited for your business and environment, below are some possible alternatives for your consideration:
- CrowdStrike Falcon: An award-winning endpoint security suite that combines next-generation antivirus, EDR, and identity protection capabilities delivered from the cloud. It is ideal for the modern work environment with stringent compliance requirements. CrowdStrike was named a Leader in the 2021 Gartner Magic Quadrant for Endpoint Protection Platforms. It was also recognized in the 2021 Gartner Peer Insights Customers' Choice. A free trial is available on request.
- Microsoft Defender for Endpoint: Well positioned as a top-notch endpoint security tool that offers endpoint protection, endpoint detection and response (EDR), vulnerability management, and more for Windows, macOS, Linux, Android, and iOS devices. Microsoft Defender for Endpoint is built into Windows 10 and Microsoft's cloud service. Microsoft was named a Leader in the 2021 Gartner Magic Quadrant for Endpoint Protection Platforms.
- Trend Micro Apex One: A well-recognized endpoint security solution that keeps endpoints secure from modern security threats. Its industry recognition includes the 2021 Gartner Peer Insights Customers' Choice, a Leader in the 2021 Gartner Magic Quadrant for Endpoint Protection Platforms, and a Leader in the Forrester Wave Endpoint Security Software as a Service, Q2 2021. Apex One offers threat detection, response, and investigation within a single agent that resides on the endpoint and an Apex One server that manages all Security Agents. The software supports both SaaS and on-premises deployment options. A 30-day free trial is available on request.
- SentinelOne Singularity: SentinelOne is a relatively young company that has emerged as one of the leading next-generation endpoint security solution providers. For SentinelOne to have reached this position within a short period, they must be doing something right. SentinelOne Singularity is an autonomous, single-agent solution that combines endpoint protection (EPP), endpoint detection and response (EDR), IoT security, and cloud workload protection (CWPP) into a centralized platform that delivers enterprise-grade security across Windows, Linux, and macOS. SentinelOne was named a Leader in the 2021 Gartner Magic Quadrant for Endpoint Protection Platforms. A free online demo is available on request.
- Trellix MVISION Endpoint Security (formerly McAfee MVISION): Offers centrally managed protection with integrated capabilities such as EDR (Endpoint Detection and Response), XDR (Extended Detection and Response), machine learning behavioral analysis, exploit prevention, and a firewall, safeguarding Windows, Mac, and Linux systems. A free online demo and a free trial are available on request.
- Sophos Intercept X: One of the industry-leading endpoint security solutions; it combines EDR, extended detection and response (XDR), managed threat response (MTR), anti-exploit, anti-ransomware, and deep learning AI with real-time threat intelligence from SophosLabs to prevent, detect, and remediate threats before they impact your systems. Sophos is recognized as a Leader in the 2021 Gartner Magic Quadrant for Endpoint Protection Platforms. A free trial is available on request.
- Kaspersky Lab: One of the largest antivirus and endpoint security vendors in the market. Kaspersky Endpoint Security for Business provides on-premises or cloud-based protection and EDR capabilities for organizations across Windows, Mac, iOS, and Android devices. Kaspersky has consistently been recognized as a Gartner Peer Insights Customers' Choice for Endpoint Protection Platforms, among other industry recognitions. A free online demo and a free trial are available on request.
- Symantec Endpoint Security: This software suite by Broadcom provides malware protection and EDR capabilities alongside intrusion prevention, firewall, and DLP features. It is typically installed on a server running Windows, Linux, or macOS. Symantec is known for its large market share in endpoint security.
- ESET Endpoint Security: ESET is a Slovak internet security company that offers cloud-based and on-premises endpoint security software and solutions for individuals, small businesses, and large enterprises. ESET's EDR solutions leverage multiple layers of defense, including machine learning and human expertise, to prevent, detect, and respond to malware attacks. A free 30-day trial is available.
- Cybereason EDR: Cybereason is a US-based cybersecurity company founded in 2012. It delivers antivirus and EDR capabilities with one agent and a suite of managed services. Its security research arm, known as Nocturnus, specializes in discovering new attack methodologies, reverse-engineering malware, and exposing new system vulnerabilities. It was credited with being the first to discover a vaccine for the NotPetya and Bad Rabbit ransomware attacks. A free online demo is available on request.