VMware Carbon Black
Endpoint protection with continuous recording and threat hunting
Overview
VMware Carbon Black (now under Broadcom) is an EDR platform known for its continuous endpoint recording capability, which stores a complete history of endpoint activity. This makes forensic investigation and threat hunting significantly more powerful compared to alert-only platforms.
Why Use It
Carbon Black's continuous recording is unmatched for forensic investigations. For organisations with a mature security operations team that needs to perform detailed threat hunting and incident response, the complete endpoint history is invaluable.
Why Not
The Broadcom acquisition has created uncertainty around the product's long-term direction and support. Many organisations are migrating to CrowdStrike or SentinelOne as a result. New deployments should carefully evaluate roadmap commitments.
Pros & Cons
Pros
- Continuous recording creates a full audit trail for forensics
- Excellent threat hunting capabilities for skilled security teams
- Carbon Black Audit and Remediation for live endpoint queries
- Strong custom detection rule capabilities
- Good integration with VMware vSphere environments
Cons
- Broadcom acquisition has created product and support uncertainty
- Less polished console than CrowdStrike or SentinelOne
- Continuous recording generates significant data storage requirements
- Requires dedicated security analyst to maximise value
- Smaller UK partner ecosystem than CrowdStrike
How to Get the Most Out of It
- Use Live Response to remotely access any endpoint for immediate investigation or remediation
- Configure custom watchlists to hunt for TTPs (Tactics, Techniques, Procedures) specific to your industry
- Use the Process Explorer to investigate suspicious parent-child process relationships
- Export continuous recording data to your SIEM for long-term retention and correlation
- Use Audit and Remediation to query all endpoints simultaneously for indicators of compromise