Network and perimeter-based security remains a crucial pillar of enterprise resilience, but with the rise of new computing models like the cloud and mobile, more emphasis is being placed on protecting endpoints than ever before. And with business processes and communications increasingly taking place outside of traditional firewall boundaries, vendors like Carbon Black and CrowdStrike are focused on protecting these potential cyber attack entry points wherever they may be, inside or outside the perimeter network.
In a recent report comparing various endpoint cybersecurity solutions, Gartner cited endpoint detection and response (EDR) as being integral to a firm's ideal overall endpoint security strategy, a model it refers to as an Adaptive Protection Architecture. This security framework covers preventive, detective, retrospective and predictive measures for maintaining competent security.
EDR solutions provide the first two—preventive and detective measures—by analyzing endpoints for suspicious changes and activity. For example, both Carbon Black and CrowdStrike provide antivirus and malware protection as a first line of defense against security compromises.
Despite being security providers trusted with protecting some of the largest companies and institutions in the world, both Carbon Black and CrowdStrike have encountered very public setbacks delivering on unrealistic cybersecurity promises. CrowdStrike fought to suppress a product testing report that gave its endpoint protection product the lowest awarded rating. NSS Labs compared CrowdStrike and twelve other advanced endpoint protection products and gave CrowdStrike (and one other product) an advisory "caution" rating. CrowdStrike then sued NSS Labs to prevent them from releasing the findings and lost.
On the other hand, Carbon Black was revealed to have leaked sensitive customer data through its cloud-based multi-scanner. Carbon Black scans for files that are not trusted, and when it encounters a file it doesn't recognize it can upload that file to a central cloud-based database for analysis. For several customers this resulted in terabytes of data being uploaded, including files containing keys to AWS, Azure, Slack, and Google services. That centralized database is browsable by other Carbon Black customers who have paid to subscribe to the multi-scanner service. The writer of the report summarized the multi-scanner flaw as "the world's largest pay-for-play data exfiltration botnet."
Previously known as Bit9 + Carbon Black, Carbon Black more or less came into its own after merging with Bit9 in 2014. This merger enabled it to combine competencies in endpoint threat prevention with endpoint threat detection and response for delivering so-called "next-generation endpoint security." This investment has clearly paid off—according to a recent IDC report, Carbon Black has 37 percent market share in the endpoint protection space.
The Carbon Black UI. Source: carbonblack.com.
CrowdStrike is another leader in the next-generation endpoint protection space. Founded by McAfee's former CTO, the firm focuses on endpoint security, threat intelligence, and incident response. The company was recently called in to handle the DNC breach, and has been hired to investigate many recent high-profile data breaches.
The CrowdStrike Falcon UI. Source: crowdstrike.com.
Side-by-Side Scoring: Carbon Black vs. CrowdStrike
1. Capability Set
CrowdStrike's Falcon platform utilizes antivirus/antimalware, threat response, anomaly detection and more to provide comprehensive endpoint monitoring and protection. Similarly, Carbon Black's endpoint security platform combines antivirus/antimalware, incident response, and threat management features into a single pane of glass web console.
2. Ease of Use
CrowdStrike's web-based management console has all the trappings of your typical SaaS offering, making it at once familiar and easy to use. Carbon Black's updated web interface also makes its platform easy to get up to speed with; that said, both can feel unwieldy due to the volume of information presented in each front-end.
3. Community Support
Carbon Black has made a variety of community support resources available, including its User eXchange community portal and community wiki on GitHub. CrowdStrike also provides a GitHub page as well as a set of free community tools for scanning for specific vulnerabilities and other security functions.
4. Release Rate
Currently on version 5, Carbon Black has not made its release history immediately available on the company's website—suffice it to say, its offering has undergone significant transformations over the years, especially with the Bit9 merger: Cb Protection's comprehensive endpoint protection is in fact Bit9, while Cb Response is Carbon Black's real-time endpoint detection and response solution. Similarly, CrowdStrike's release history is not available on the website—the platform is currently on version 2.
5. Pricing and Support
Though pricing is not publicly available, Carbon Black implementations for medium-sized infrastructures can run in the tens of thousands. Similarly, CrowdStrike's solution for complete endpoint protection—including its cloud and intelligence platforms—is certainly out of reach for organizations with modest security budgets.
Both vendors offer standard options for paid-for phone and email support, as well as professional services and custom offerings like incident response and remediation services.
6. API and Extensibility
CrowdStrike provides both a streaming and query REST API for accessing many of the features available through the Falcon Platform's UI. Carbon Black also provides a well-documented REST API for building custom integrations with the platform.
7. 3rd Party Integrations
Carbon Black's integration ecosystem and open API strategy have resulted in numerous integrations with leading security offerings, from SIEM (Splunk, IBM, LogRhythm) to analytics and threat intelligence (Blue Coat, Exabeam, AlienVault, ThreatStream). CrowdStrike also features a myriad of integrations with leading security vendors: IBM QRadar, Splunk, Check Point, zScaler, to name a few.
8. Companies that Use It
CrowdStrike's customers include three of the 10 largest global companies by revenue and five of the 10 largest financial institutions. Some notables include Rackspace, Telstra, and Tribune Media. Carbon Black's customer list also reads like the who's who of leading global enterprises: Nasdaq, NIST, WebMD, Samsung, and Adobe, to name a few.
9. Learning Curve
Both offerings' streamlined UIs make getting acquainted with the platforms easier—however, as mentioned previously, the amount of information presented can be a challenge to grasp. For example, Carbon Black generates a copious number of standard events that may overwhelm novice users. CrowdStrike's platform is a bit easier in this regard: each panel summarizes important information/metrics for situational awareness at a glance.
Carbon Black's CSTAR score of 836, while respectable, falls short due to various security flaws, namely server information leakage and lack of DMARC/DNSSEC. CrowdStrike—with its 789 CSTAR score—suffers due to lack of HTTP Strict Transport Security, secure cookies, and DMARC/ DNSSEC.
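The deductions named above (HSTS, the cookie Secure flag, server version disclosure, DMARC and DNSSEC) can be checked mechanically from a site's response headers and DNS records. The following is an added example, not UpGuard's CSTAR implementation; the two input profiles are constructed to mirror the two deduction lists and are not real scan data.

```python
import re

def assess_web_posture(headers, dmarc_records, dnssec_signed):
    """Evaluate the external-posture criteria cited in the CSTAR discussion.

    headers:        list of (name, value) pairs from an HTTPS response
    dmarc_records:  TXT strings found at _dmarc.<domain>
    dnssec_signed:  whether the zone validated under DNSSEC (assumed boolean input)
    Returns a sorted list of finding strings, empty when all criteria pass.
    """
    findings = set()
    lower = [(name.lower(), value) for name, value in headers]
    if not any(name == "strict-transport-security" for name, _ in lower):
        findings.add("missing HSTS")
    for name, value in lower:
        if name == "set-cookie":
            # Attributes follow the first ';' e.g. "sid=abc; Path=/; Secure"
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.add("cookie without Secure flag")
        if name == "server" and re.search(r"/\d", value):
            # "Apache/2.4.7" leaks a version; a bare "nginx" does not
            findings.add("server version disclosure")
    if not any(r.strip().lower().startswith("v=dmarc1") for r in dmarc_records):
        findings.add("missing DMARC")
    if not dnssec_signed:
        findings.add("missing DNSSEC")
    return sorted(findings)

# Constructed profiles: A leaks a server version and lacks DMARC/DNSSEC;
# B lacks HSTS, a Secure cookie flag, and DMARC/DNSSEC.
PROFILE_A = dict(
    headers=[("Server", "Apache/2.4.7"),
             ("Strict-Transport-Security", "max-age=31536000"),
             ("Set-Cookie", "sid=abc; Path=/; Secure; HttpOnly")],
    dmarc_records=[], dnssec_signed=False)
PROFILE_B = dict(
    headers=[("Server", "nginx"),
             ("Set-Cookie", "session=xyz; Path=/; HttpOnly")],
    dmarc_records=[], dnssec_signed=False)

if __name__ == "__main__":
    for label, profile in (("A", PROFILE_A), ("B", PROFILE_B)):
        print(label, assess_web_posture(**profile))
```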
Scoreboard and Summary
| Category | Carbon Black | CrowdStrike |
|---|---|---|
| Ease of Use | | |
| Pricing and Support | | |
| API and Extensibility | | |
| 3rd Party Integrations | | |
| Companies that Use It | | |
| Total | 4.3 out of 5 | 4.4 out of 5 |
In short, both Carbon Black and CrowdStrike are comprehensive—albeit costly—platforms designed to protect endpoints against today's cyber threats. However, endpoint protection is just one security layer out of many that comprise a competent enterprise framework for cyber resilience, and both offerings come with fully-realized REST APIs and integrations for rounding out the security toolchain. UpGuard's resilience platform is a critical component of this toolchain, ensuring that all configurations are accounted for and security controls are working as expected.