Endpoint security solutions from McAfee and Carbon Black both offer solid functionality for enterprise users. Carbon Black made eSecurity Planet’s list of top endpoint detection and response (EDR) solutions, while McAfee’s new MVISION EDR product is just coming to market now. What follows is an examination of several key features and recent additions to each product, as well as a look at some key strengths and weaknesses.
The Bottom Line
Both of these solutions are very new. Carbon Black’s CB ThreatHunter was announced in October 2018, and McAfee’s MVISION EDR is expected to launch in Q1 2019. Both are cloud-based, and offer benefits such as ease of implementation and minimal impact on endpoints. One key difference likely lies in price – while McAfee hasn’t yet announced pricing for its new offering, Carbon Black’s EDR offerings are consistently at the higher end in terms of cost per endpoint to acquire and operate. For that price, Carbon Black users get sophisticated features like threat hunting capabilities.
McAfee Product Highlights
Overview: McAfee MVISION EDR, announced in October 2018, is the next evolution of the company’s EDR offering. The cloud-based solution leverages advanced analytics to identify and prioritize suspicious behavior, helps guide and automate in-depth investigations, and enables rapid response with direct actions and broader integration to the security ecosystem. MVISION uses AI to accelerate investigation and evidence gathering, as well as cloud-based analytics leveraging the MITRE ATT&CK framework to uncover and prioritize a broad range of suspicious behaviors.
Recent developments: MVISION EDR is a brand new product, launching in Q1 2019. The new solution combines McAfee Active Response and McAfee Investigator, along with enhancements including expanded data collection, expanded detection analytics, cloud-based deployment, and guided investigations to tackle EDR alerts.
Analysts’ take: While it hasn’t yet covered the company’s new EDR solution, Gartner says McAfee’s investment in developing an EDR solution has resulted in an offering with a useful feature set, and its solutions integrate well with more than 130 third-party applications. Still, the research firm notes that McAfee remains in the early stages of customer adoption compared to other EDR vendors, and many clients are looking for alternate vendors. Clearly, the company hopes that the new offering will change that.
Carbon Black Product Highlights
Overview: CB ThreatHunter is also a new offering, announced in October 2018. The solution expands on the core functionalities of Carbon Black’s CB Response, bringing the offering to the company’s CB Predictive Security Cloud (PSC) and providing unfiltered endpoint visibility for security operations centers and incident response teams. Security teams can leverage the solution to record all endpoint activity, overlay custom and out-of-the-box sources of threat intelligence, and visualize the activity to identify the root cause of an attack.
Recent developments: The new solution brings all the core functionality from CB Response to the PSC cloud platform, including the ability to capture and search unfiltered data from endpoints across the enterprise, as well as customizable watchlists, third-party threat intelligence feeds, automatic upload of each unique binary, expandable process tree visualization, and integrations with Splunk and IBM QRadar. Because it’s built on Carbon Black’s cloud platform, CB ThreatHunter also offers cloud-powered deployment and elastic scalability, rapid release cycles, more granular control over watchlist and threat feed alerts, and enhanced search capabilities.
Analysts’ take: In its comments on CB Response, Gartner said Carbon Black has earned a strong reputation as one of the leading EDR solutions, with threat hunting capabilities typically found in more complex environments with very mature security operations teams. Still, the research firm said Carbon Black continues to be at the premium end in cost per endpoint to acquire and operate, and the company has a poor record of participation in public tests, so it’s hard to determine its efficacy in comparison to its peers.
EDR Product Ratings
With the key (and very significant) caveat that McAfee’s MVISION EDR product hadn’t been released at the time of publication, here are eSecurity Planet’s preliminary ratings of each solution’s key features.
Performance
McAfee – TBD
Carbon Black – Very Good
While McAfee’s new solution hasn’t yet been rated, the most recent Forrester Wave report on EDR solutions gave Carbon Black a rating of 3.48 out of five (though the research firm evaluated CB Response, not CB ThreatHunter). The rating is based on a range of criteria, including configurability, agent effectiveness, forensic capabilities, deployment options and response actions.
Detection and Response
McAfee – TBD
Carbon Black – Very Good
In recent testing, Forrester rated Carbon Black’s detection capabilities at 4.0 out of five, and its response capabilities at 3.8 out of five. McAfee’s detection and response capabilities have not yet been rated. McAfee says integrated artificial intelligence will help MVISION EDR detect threats faster and reduce false positives.
Value
McAfee – Very Good
Carbon Black – Good
While Carbon Black’s offering is more expensive than those from many competitors, the performance and the range of included services provide solid value for the money. Users of McAfee’s previous products consistently reported satisfaction with the value provided for the cost of the solution.
Implementation and Management
McAfee – Very Good
Carbon Black – Very Good
Users of Carbon Black’s offering report relatively easy deployments thanks to its cloud-based architecture, and McAfee’s cloud-based solution is likely to offer the same benefits.
Support
McAfee – Very Good
Carbon Black – Good
Most reviewers report positive experiences with Carbon Black’s support services, though some report frustration with inconsistent support experiences and relatively slow response times. Reviewers generally reported positive support experiences with McAfee’s previous products.
Cloud Features
McAfee – Best
Carbon Black – Best
Both solutions are now fully cloud-based.
User Reviews
Writing about previous versions of each company’s offerings, Gartner Peer Insights users gave McAfee 4.6 stars out of five, and Carbon Black 4.5 out of five. On the other hand, just 79 percent say they would recommend McAfee to others, compared to 87 percent who say the same of Carbon Black.
Regarding McAfee Endpoint Threat Defense and Response, reviewers said the solution “has proven to be very thorough and accurate,” keeps “all the devices in your work network safe,” and that “configuration and deployment were done through ePO with great success.” One reviewer said “the scanning time in some endpoints takes too long but otherwise it is excellent,” and another said “the interface is a little bit kludgey and could be more intuitive.”
Regarding Carbon Black CB Response, reviewers said the solution “is easy to deploy, maintain and support,” “implementation was very smooth and well explained,” “after all the time and money it saves you, it’s a must have,” and that the solution “provides great insight into what is occurring on your endpoints.” One reviewer said “CB Response is very noisy on its own” and “definitely needs a third party service to reduce the noise and isolate the real alerts from the noise.”
Deployment
McAfee MVISION EDR is a cloud-based solution offering flexible, streamlined agent deployment and management with McAfee ePO (on-premises) or McAfee MVISION ePO (cloud).
As part of the CB Predictive Security Cloud, CB ThreatHunter is also cloud-based, eliminating the need to purchase or implement any on-premises infrastructure.
Pricing Structure
MVISION EDR will be licensed on a per-user subscription basis.
CB ThreatHunter leverages a tiered yearly subscription pricing model.