top of page
Search

Carbon Black (P1:Overview): A Practical Guide/An Practical Training

  • Jul 28
  • 3 min read
ree

Welcome to this guide on using Carbon Black as an Endpoint Detection and Response (EDR) tool. Carbon Black has long been recognized for its contributions to the cybersecurity landscape. While it wasn’t the first to introduce EDR (the concept was coined by Gartner analyst Anton Chuvakin in 2013), it has played a pivotal role in the evolution of endpoint security.


In this article, we’ll explore Carbon Black’s features, capabilities, and its journey within the competitive EDR market. By the end, you’ll have a clear understanding of Carbon Black's functionality and how it compares to other EDR solutions.


-------------------------------------------------------------------------------------------------------------


Introduction to Carbon Black

Carbon Black specializes in advanced threat detection and response. Its strength lies in real-time visibility into endpoints, enabling quick detection and mitigation of threats. Over time, it has become an essential tool for organizations aiming to strengthen their cybersecurity posture.


Key Features

  1. Real-Time Endpoint Monitoring: Tracks activities across endpoints to detect unusual behavior.

  2. Threat Hunting Capabilities: Enables deep visibility into endpoint activities for proactive threat hunting.

  3. Application Control: Prevents unauthorized applications from running.

  4. Malware Analysis: Offers cloud-based analysis for suspicious executables.


-------------------------------------------------------------------------------------------------------------


The Evolution of Carbon Black


Carbon Black became part of VMware in 2019 and was later acquired by Broadcom in 2021 as part of Broadcom’s VMware acquisition. While these transitions have provided financial backing and broader integration,


I have notcied a decline in support during the integration phase, especially with the merger of Carbon Black and Symantec(My Personal Comment).

-------------------------------------------------------------------------------------------------------------


Using the Carbon Black Dashboard

The Carbon Black Cloud dashboard is designed for simplicity, providing a centralized view of your environment.

ree

Top Navigation Bar

  • Left Side: Displays the Carbon Black Cloud branding.

  • Right Side: Includes:

    • Notifications: Alerts for recent updates or completed downloads (e.g., reports).

    ree

    • Help Tab: Provides documentation and resources for troubleshooting or learning about features.

ree

Quick Feature Highlight

Near the Right-hand side, you’ll notice a small arrow (>). Clicking this reveals which features are enabled in your environment.


For example, advanced features like Vulnerability Management may require additional licensing. The built-in documentation for these features can be incredibly helpful if you’re stuck.
ree

-------------------------------------------------------------------------------------------------------------


Exploring the Left-Hand Menu

The left-hand menu is where most of the action happens. Here’s a breakdown of its main sections:

ree

1. Dashboard

  • A high-level overview of your environment, including key metrics and activity summaries.

2. Alerts

  • Displays all alerts triggered by suspicious activity.

  • You can investigate and act on alerts from here.

3. Investigate

  • The Investigate tab acts like a tool allowing you to perform advanced threat hunting.

  • Similar to SentinelOne’s Deep Visibility, this feature lets you query endpoint activities in detail.

4. Live Query

ree

  • Run SQL-like queries across endpoints for targeted data retrieval. (Kind a Threat hunting)


5. Enforce

A collection of subset of features:

  • Policies: Create and manage endpoint policies.

  • Reputation: Block malicious hashes or allow trusted ones.

  • Malware Removal: Review and take action on identified malicious files.

  • Cloud Analysis: Upload executables for in-depth analysis by the Carbon Black team.

  • Recommendations: Receive suggestions to optimize your Carbon Black Cloud console.

ree

6. Vulnerability

  • Displays detected vulnerabilities across your environment.

  • Tracks endpoint exposure to CVEs and provides actionable insights.

ree

7. Inventory

Contains several subsections for managing endpoint assets:

  • Endpoints: Lists all endpoints and their details.

  • USB Devices: Tracks allowed or blocked USB devices.

  • Sensor Groups: Create and order sensor groups for automated policy assignments.

ree

8. Settings

Configuration options for customizing your Carbon Black deployment. (We will talk about each in future articles)

ree

-------------------------------------------------------------------------------------------------------------


Comparison: Carbon Black vs. SentinelOne

While Carbon Black is a robust tool, my personal experience suggests that SentinelOne offers more user-friendly capabilities.

-------------------------------------------------------------------------------------------------------------


Having worked extensively with Carbon Black, I can attest to its potential. However, as with any tool, the key is to understand its strengths and limitations. While Broadcom's acquisition of VMware has led to some challenges.

I’ll pause here for now, as it’s time to work on another article! Until then, keep hunting and learning. See you soon! 😊
Happy Carbon Black managing! 🚀

Upcoming article: Carbon Black (P2:Dashboard/Alerts): A Practical Guide/An Practical Training

 
 
 

Comments

bottom of page