Carbon Black App Control is an application control product, used to lock down servers and critical systems, prevent unwanted changes and ensure continuous compliance with regulatory mandates.
N/A
VMware AppDefense (discontinued)
Score 4.0 out of 10
N/A
VMware AppDefense was a hypervisor-native workload protection platform for enterprise virtualization and security teams, used to deliver a secure virtual infrastructure and simplify micro-segmentation planning by providing application visibility, reputation scoring, and security. The product is discontinued, and no longer available.
It is more suited to lock down critical systems and servers to prevent unwanted changes, although you can use it on daily basis on laptops and desktops, it needs constant attention and events analysis. For some scenarios i.e. financial institutions it is a must-have solution, as App Control now is a requirement 5 of PCI DSS.
I believe that the product is priced well enough that a small business that is concerned with data center security can justify using the product. My environment hasn't scaled up very far yet, but I am a little concerned that when we get to a certain point, the management console will get full and be more difficult to track. An enterprise customer might see that as a problem.
Device Control - you can view and allow/disallow the ability for certain devices to be used in your environment. Specifically we used this with USB drives. If you have one you want to use - whitelist the serial number. The rest can't be used. Simple and easy.
Software blocking. If you have an extremely dynamic software base (I doubt this is likely) this could get a bit annoying, but for most organizations like ours where we have specific applications that are required, and then the rest are a bit of an afterthought, it's easy to whitelist the correct applications that you want to be able to run in your environment. The rest can't run (in high enforcement). Users are able to easily request new applications, and you can set certain groups to be able to approve it on their own.
Solid platform - with few exceptions setting up new software was very easy (Dragon Medical was a bit tricky, but worked through it with support). Once you have your rules set up and the initial setup done, you tend not to have to do much of anything except to update on occasion and deal with a few requests for applications to be unblocked, or publishes approved.
The big difference between Protect and Barkly/AMP is how exactly it goes about what it's doing. Protect is application whitelisting and program reputation. So the way it's protecting you is using a proprietary reputation service, and hash values to identify applications, and then hitting a list of whitelisted programs to decide if you are able to run that or not, based on the policy you are in. There is a LOT of value in that. We actually are working on transitioning to Cisco Advanced Malware Protection (AMP). The main reason is cost (about the same cost as Cb Protect, but with (most of) the featureset of all 3 Carbon Black products for less than 1/3 of the total spend. AMP works differently, looking at a reputation service powered by Cisco's Talos cloud. You don't really have application whitelisting, but that also reduces how many "requests" you get for applications. So I'll have to find a different way to do whitelisting and USB blocking and the like, but I'm getting more visibility across my network and also built in antivirus (TETRA engine - ClamAV with some work). Barkly is an add that we are looking to put in as it looks at behavior of programs. So specifically it watches for privilege elevation and the like. Thus far all the big name problem children (WannaCry, other ransomware problems) have been caught natively in Barkly day 0.
We were advised that vShield will be retired and its functionality was being integrated with App Defense. Carbon Black is or was the only AV vendor that integrated with it. A priority for us was to use a VMware supported solution. Sophos Intercept X was creating their own module. Trend Micro Deep Security didn't have any plans in place to move from vShield.
For the cost of the upgrade to vSphere Platinum compared to the costs we were already paying for vSphere Enterprise Plus with Operations Management was comparable. It made sense to upgrade and with that, we received the added features of AppDefense.
