Cb has provided us visibility into threat behavior beyond any product out there today. The ability to ban malicious files, create feeds, watch lists, open API, integrations with many other products (and ability to add other products easily), Live Response, isolation and much more, make Cb the differentiator over any other ETDR product on the market today.
Carbon Black provides the ability to also go back in time, which defeats a lot of other products in the space that only can go back a short period of time without disrupting the endpoint. The centralized infrastructure methodology makes sense for Cb as it technically can save money vs other products that will run CPU/mem to the max and begin to overwhelm the workstation/server. Cb is a very lightweight sensor, we see around 0-1% CPU, and 10-28Mb of memory. 28Mb on the high end for instances where it is a busy server like TMG or Exchange.
Cb is deployed to around 60k endpoints with no issues. We've had minor hiccups over time caused by Cb, but nothing widespread and nothing that wasn't fixed on the new patch level etc.
Working with Cb is probably one of the best things about the product. The PM team, engineering, executive team are all great people. Not forgetting the sales team, they are good people too. Everyone at Cb is committed to working and ensuring their product is the best. We have been with Cb since 4.2 and it has really grown a lot since.
the API - is probably one of the most important features to Carbon Black that many products out there fail at. The ability to automate and orchestrate a lot of threat hunting, or even remediation tasks is incredible. Many products fail at this part, or place in API in after the fact. Cb is also 100% committed to ensuring the API is very flexible. They have some of the best developers working it.
Integrations - Cb allows for many integrations, whether ones they've created or ones you create. It's very flexible.
Splunk - we use the cb-event-forwarder to dump most all data to Splunk. This allows us to quickly perform analytics on raw endpoint data. With this, we've taken our detection and response to the next level.
Not a deal breaker in any sense -
1. High availability. Not really an issue since the sensors cache data until the cluster is back online.
2. Cluster upgrade process could be better.
3. Solr has got to go...
Carbon Black is not traditional IR. It's not slow in any sense and it provides a lot of data. The point being, it will change the game and disrupt the attacker far faster than you will ever do with MIR or HX. Nothing truly compares to what Cb can provide you. If you are having issues, or want to go beyond waiting hours for triage to appear, you should really look at and consider Cb.
Many problems have been solved with Carbon Black including what I believe to be the most important - dwell time. If a breach takes 200+ days to detect, Carbon Black can assist with dropping that dwell time to far less than 1 month. The ability to decrease dwell time and detect things beyond malware is gold.