Carbon Black Cb Defense
Strengths: One of the most efficient user interfaces we’ve seen, made particularly to speed up analysis and remediation with the option of automatic response. Solid response to streaming attacks.
Weaknesses: Can get a bit pricey in large environments. We found deployment challenging.
Verdict: For a mix of threat analysis and incident response – where the core of the alert is malware-based – this one demands your attention. The Carbon Black experience is obvious.
Carbon Black always has been a leader in anti-malware protection. Its approach was among the earliest to use cloud-based analysis along with threat intelligence. The result has been universally satisfactory and this product is no exception. Although Cb Defense has a lot of endpoint protection features, it really shows its malware roots. But among the high points of the product is its visualisation.
Visualisation starts out fairly plain vanilla, but the deeper you drill down the more you understand what has happened in an attack and what is likely to continue to happen if the attack is allowed to go on. The level of detail is excellent and the graphical representation is intuitive. One little feature that can make a lot of difference is a space for you to take notes that are preserved with the record of the alert.
The system can respond automatically to an alert or let users respond manually. That includes quarantining the affected device if necessary. Automatic actions are dictated by policies. Default policies are provided out of the box, but modifying them to fit your enterprise is simple. Policies are, basically, just sets of rules that you can modify to suit your situation. The rules/policies are applied to devices on the enterprise and dictate how they respond to the issues defined by the rules in the policies. You can use existing rules or build them up yourself from a series of drop-down menus.
In addition to policies, Cb Defense uses reputation that covers sources of files that are deemed malicious. In addition to the existing reputations, you can build up your own. So, an attack from a source that is not yet recognised can become the starting point for creating a reputation. You can do the same thing with a malicious file simply by creating a reputation based on its hash.
For our review, we dropped into the dashboard landing page. This is fairly typical of what we see in many other, similar products. However, when we started to drill down we got to an increasingly useful level of detail. Depending on who you are - executive, analyst, IT engineer, security engineer - you can drill into information that suits your individual requirements. We used some creative filtering to get rid of noise to leave us with events of particular interest or severity. That resulted in seeing an alert that appeared to be worth following up. More drill-down...
This got us to the graphical representation of the attack and its behaviour on our enterprise. This allowed us to take manual action, but we could have set up policies that took the action automatically. The graphical representation allowed us to see exactly how the threat evolved within our enterprise including infection branches, PowerShell spawns and memory compromises among other things.
We always have been fans of Carbon Black. The company seems to have carved a niche in the area of threat intelligence applied to malware protection. This latest offering is typical of what we've expected to see from them. Their website is complete and their support is comprehensive. There is eight-hours-a-day/five-days-a-week standard support at no additional cost, plus the company offers premium support for an extra fee.
On large enterprises, this tool can be a bit pricey but for what it does it's reasonable. The Carbon Black cloud system is quite advanced and the user experience is quite good making discovery and remediation of events efficient.