VMware Carbon Black vs CrowdStrike

Both VMware Carbon Black and CrowdStrike Falcon Insight offer endpoint protection systems that are delivered from the cloud. Although most of the work of the cybersecurity suite is performed in the cloud, both systems include on-device elements. The cloud system coordinates events for a fleet of devices and the onboard software ensures continuity if the device gets isolated from the network.

If you manage the IT system for a business, you will need to provide cybersecurity for all of its devices. Endpoint security will be your priority to protect against malicious software, such as Trojans and ransomware, and block manual hacker access attempts.

Endpoint security

The first cybersecurity product was an antivirus system. This provided endpoint security. The aim of endpoint security systems is not to protect the hardware of the endpoint fleet, but the software and data that they hold.

Although endpoint protection focuses on activity on desktops, servers, and laptops, these assets are the destinations of a local area network, forming the end points of all of the network wires, so it is also possible to protect a network from these devices.

There are many ways that malware can get onto a device. However, it is the network-bound malicious systems that pose the greatest threat to data security. Today, the main aim of endpoint security is the protection of the data that these systems hold.

Ransomware becomes more deadly when it includes propagation routines for lateral movement – infecting endpoint after endpoint until all of the computers on the system are controlled. Similarly, hackers can move around a network and explore the contents of different computers inside the business.

Focusing all security measures on endpoints creates a dark zone of overlooked loopholes on the devices that manage the movement of traffic and sit between endpoints. Although it seems negligent to protect only endpoints, endpoint security is one element of several that should be deployed to manage an IT system.

Network monitoring systems are themselves resident on endpoints, and they query the statuses of switches and routers from there. Therefore, protecting endpoints also prevents hackers and malware from damaging network monitoring systems. System managers can buy SIEM systems to get full network and endpoint monitoring capabilities in addition to endpoint protection.

Cloud-based endpoint protection

Endpoints can be contacted across a network and endpoint protection software can divulge a lot of useful activity data, which would be easier to process centrally. Offloading threat detection work to a larger computer reduces the impact that endpoint protection software will have on the performance of the protected device. Collecting data from many endpoints into one place offers the opportunity to correlate event data sourced from many locations around the network – this is the essence of SIEM systems.

A centralized coordinator of data from all endpoints on the network enables the creation of a private threat intelligence system. This is an early warning system for all endpoints, given that both malware and hackers cause more damage to a business if they can move laterally across the network.

Threat detection systems scour incoming data from endpoints and if malicious activity is identified, an alert is sent out to all endpoints to check for that same activity and also to harden against it. Thus, networked endpoint protection systems perform most of the data processing in a server unit while endpoint-resident units are reduced to just collecting and forwarding event data and implementing instructions from the server.

Response capabilities don’t have to be programmed into those endpoint units because the most effective remediation actions are those that are implemented by the operating system, access rights management services, and firewalls. So, the endpoint protection system passes on instructions to other tools through a process that is known as Security Orchestration, Automation, and Response (SOAR).

These days, cloud-based Software-as-a-Service (SaaS) packages are coming to dominate as the most cost-effective delivery model for all types of software systems. As processing can be offloaded from endpoints onto a central server, there is no reason why that server can’t be hosted elsewhere as a cloud system.

In the cloud-based endpoint protection model, not all of the software is hosted off-site. There still needs to be those device-hosted units in the mix. These endpoint systems are called agents. They communicate with a collector, which is a prime agent that uploads data to the cloud server and downloads instructions to send back to the endpoint agents.

The complexity of the endpoint agents in a SaaS endpoint protection system is a variable that is down to the design decisions of each provider. More comprehensive software on each endpoint provides stronger continuity of service if the device gets disconnected from the network – which is a hacker attack strategy. However, lighter agents that do little more than pass data in one direction and instructions to third-party systems in the other use up less of the endpoint’s processing power.
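The agent/collector/cloud split described above is easiest to see in code. The following is an added illustration, not code from VMware, Carbon Black, or CrowdStrike: a cloud-side correlation step that flags an indicator only when it is seen across several endpoints in one batch, the SOAR-style instructions it broadcasts back, and a minimal agent that keeps applying the last instructions it received even when it cannot reach the cloud. All host names, hashes, IP addresses and thresholds are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample of agent uploads, as a collector would forward them
# to the cloud. Hashes and IPs are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"host": "ws-01", "kind": "process", "sha256": "hash-A", "dst_ip": None},
    {"host": "ws-02", "kind": "process", "sha256": "hash-A", "dst_ip": None},
    {"host": "ws-03", "kind": "process", "sha256": "hash-A", "dst_ip": None},
    {"host": "ws-01", "kind": "connect", "sha256": "hash-A", "dst_ip": "198.51.100.7"},
    {"host": "ws-04", "kind": "process", "sha256": "hash-B", "dst_ip": None},
    {"host": "srv-01", "kind": "connect", "sha256": "hash-C", "dst_ip": "198.51.100.7"},
]

# Hypothetical tuning value: how many hosts must run the same binary in one
# batch before the fleet-wide view treats it as lateral spread.
SPREAD_THRESHOLD = 3


def correlate(events, threshold=SPREAD_THRESHOLD):
    """Cloud-side correlation. A single host starting an unknown binary is
    not suspicious on its own; the same binary appearing on many hosts at
    once is. Returns (flagged_hashes, flagged_ips)."""
    hosts_by_hash = defaultdict(set)
    for e in events:
        if e["kind"] == "process":
            hosts_by_hash[e["sha256"]].add(e["host"])
    flagged_hashes = {h for h, hosts in hosts_by_hash.items() if len(hosts) >= threshold}
    # Any destination contacted by a flagged binary is flagged too, so hosts
    # that merely talked to it are pulled into the same incident.
    flagged_ips = {e["dst_ip"] for e in events
                   if e["kind"] == "connect" and e["sha256"] in flagged_hashes and e["dst_ip"]}
    return flagged_hashes, flagged_ips


def build_instructions(flagged_hashes, flagged_ips):
    """SOAR-style instructions broadcast to every agent. Each names the
    third-party control (OS, firewall) that should carry it out."""
    instructions = [{"target": "os", "action": "kill_and_quarantine", "sha256": h}
                    for h in sorted(flagged_hashes)]
    instructions += [{"target": "firewall", "action": "block_outbound", "ip": ip}
                     for ip in sorted(flagged_ips)]
    return instructions


def affected_hosts(events, flagged_hashes, flagged_ips):
    """Hosts to triage first: ran a flagged binary or reached a flagged IP."""
    return sorted({e["host"] for e in events
                   if e["sha256"] in flagged_hashes or e["dst_ip"] in flagged_ips})


def run_cycle(events):
    """One collector-to-cloud round trip: correlate, then emit instructions."""
    flagged_hashes, flagged_ips = correlate(events)
    return build_instructions(flagged_hashes, flagged_ips), affected_hosts(events, flagged_hashes, flagged_ips)


class Agent:
    """Endpoint-resident unit. It forwards events upstream and applies the
    instructions it last received; that cache is what keeps it useful if
    the device is cut off from the cloud."""

    def __init__(self, host):
        self.host = host
        self.cached = []

    def receive(self, instructions):
        self.cached = list(instructions)

    def evaluate(self, event):
        """Decide locally, from cached fleet instructions, what to do with
        an event. With no matching instruction the agent can only record it."""
        for i in self.cached:
            if i["target"] == "os" and event.get("sha256") == i["sha256"]:
                return i["action"]
            if i["target"] == "firewall" and event.get("dst_ip") == i["ip"]:
                return i["action"]
        return "log_only"


if __name__ == "__main__":
    instr, hosts = run_cycle(SAMPLE_EVENTS)
    print("instructions:", instr)
    print("affected hosts:", hosts)
    offline_agent = Agent("ws-09")
    offline_agent.receive(instr)  # last sync before losing connectivity
    print(offline_agent.evaluate({"kind": "process", "sha256": "hash-A", "dst_ip": None}))
```

The point of the split is visible in `correlate`: `hash-A` on one workstation is just a process start, but the same hash on three workstations in one batch is treated as spread, and the destination it contacted drags `srv-01` into the incident even though that server never ran the binary. An agent that has synced once keeps blocking both indicators while offline; an agent with an empty cache, the thin-agent case the text describes, can only log.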

An advantage of cloud-based endpoint protection systems is that they reduce the need to update the software on each device. The constant requirement for software and virus signature database updates was the bane of computer ownership for early anti-virus package owners. If all of the processing for an endpoint protection system takes place in the cloud, it is only that copy of the software that needs to be updated.

Threat intelligence is stored on the provider’s server. This creates greater opportunities for data sharing. While network-resident endpoint protection systems share threat notifications within the business, a SaaS service can instantly inform every endpoint of every customer all over the world.

Both VMware Carbon Black and CrowdStrike Insight use the SaaS delivery model for endpoint protection.

About VMware Carbon Black

Carbon Black dates back to the foundation of Bit9 in 2002. The company bought the startup Carbon Black in 2014 and took the name Carbon Black for the entire group in 2016. The key advantage that the business has is a data analytics tool called Predictive Cloud Security (PCS). This gave the system an edge in the field of endpoint protection, where identification of anomalies has come to replace virus signatures for threat hunting.

The company started a managed security service, along with Rapid7 and others, in 2015. The services of the company extended into the production of cybersecurity tools, which included an endpoint protection system that evolved from the acquisition of the antivirus producer Confer.

The business floated on NASDAQ in May 2018 and then was bought entirely by VMware in October 2019. Now, as a subsidiary of VMware, the business has more than 1,000 employees and is headquartered in Waltham, Massachusetts.

About CrowdStrike

CrowdStrike began as a cybersecurity consultancy in 2011. The business began to produce its own tools and systems in 2013. However, it wasn’t until 2015 that the sales of those protection systems took off. The consultancy attracted worldwide attention to the CrowdStrike name by investigating and planning a recovery strategy for the Sony Pictures data hack. The brand’s fame increased when the consultancy worked on uncovering the US Democratic Party email hacks of 2015 and 2016.

CrowdStrike Holdings, Inc. has been listed on NASDAQ since 2019. By the end of 2021, the company had 3,394 employees and a revenue of $1.45 billion for that year. In December 2021, it moved its headquarters from Sunnyvale, California to Austin, Texas.

CrowdStrike still maintains a consultancy and research branch as well as its cybersecurity software division. These two departments contribute to a list of managed services offered by the company.

The first product of CrowdStrike was Falcon Prevent and this is still the company’s linchpin package. Falcon Prevent is a software package for installation on endpoints and it is a next-generation anti-virus system.

All of the other tools produced by CrowdStrike are SaaS systems. The Falcon platform includes a vulnerability scanner, a firewall manager, and an endpoint detection and response (EDR) system, called Falcon Insight. In all cases, the Falcon Prevent unit acts as an endpoint agent. So, whatever cloud service you choose, it needs to be built upon the purchase of the Prevent package with one installation on each endpoint on your site. Thus, all of the Falcon services are hybrid systems.

VMware Carbon Black Endpoint

VMware Carbon Black Endpoint is part of the VMware Security platform. This endpoint protection system requires an agent to be installed on each monitored endpoint. These agents are SOAR packages that collect and upload event data and then implement remediation rules through interaction with third-party tools and operating systems.

The result of the Carbon Black architecture is that endpoints are not weighed down by processing requirements, keeping CPU capacity available for other software. However, the system is almost inoperable if the computer gets disconnected from the network and is unable to communicate with the Carbon Black server in the cloud.

The proprietary Predictive Cloud Security system enables Carbon Black to identify threats very quickly. A secondary scan is performed with a pool of all event data from all clients, which involves searching through very large amounts of data. This global search can spot gathering hacker campaigns, and even spots links between malware and hacker activity, which shows how specific attack campaigns and methods are evolving.

CrowdStrike Insight

The success of the antivirus system Falcon Prevent is extended by the cloud-based service, Falcon Insight. Users of the Falcon Insight system have to install Falcon Prevent on each endpoint – Falcon Insight won’t work without Falcon Prevent.

The Falcon Prevent system provides continuous protection for endpoints, even if they are disconnected from the network and the internet. While online, Falcon Prevent uploads its threat detection data to the Falcon platform. This provides two levels of detection, one on the device and one network-wide, covering all devices within an organization. That inclusion can extend to multiple sites, just as long as each device has Prevent installed on it.

The Falcon Insight system represents a private threat intelligence sharing system. The Insight system takes threat identification from Prevent instances and also searches for threats through its algorithms. The system notifies each Prevent installation, together with any necessary software updates or extra tools. All clients of the Insight platform also pool threat intelligence, creating greater protection from attack.

VMware Carbon Black vs CrowdStrike: Head-to-head

Both VMware Carbon Black and CrowdStrike use anomaly detection instead of a signature-based approach to threat hunting. This is a common strategy in the endpoint protection field and qualifies both systems for the distinction “next generation”.

The use of multiple levels of threat intelligence is common in both systems. However, a key difference is the use of processing power on each endpoint. CrowdStrike carries out a full threat detection process on the endpoint with its Falcon Prevent system but Carbon Black only has an agent on the protected device.

The threat intelligence collection system of CrowdStrike is enhanced by the capabilities of the company’s research team, who manually intervene in assessing data with live analysis. The Carbon Black system uses speedy big data processing to rapidly search across the world for indicators of new hacker attack strategies.

VMware Carbon Black and CrowdStrike endpoint protection pricing

There is no published price list for VMware Carbon Black services and the same is true for CrowdStrike products.

CrowdStrike offers Falcon Insight in several packages rather than as an individual tool. The packages that include CrowdStrike Falcon Insight are:

  • Falcon Enterprise: includes Falcon Prevent and Falcon Insight.
  • Falcon Elite: includes Falcon Prevent, Falcon Insight, Falcon Identity Protection, and Falcon Discover, a security auditing tool.
  • Falcon Complete: a custom-built package.

You can get a 15-day free trial of the CrowdStrike system. However, this provides a copy of Falcon Prevent and not Falcon Insight. VMware Carbon Black is available for a demo.

VMware Carbon Black vs CrowdStrike: The verdict

Both CrowdStrike Insight and VMware Carbon Black Endpoint quickly communicate system hardening and threat remediation instructions to all protected endpoints. Both systems use SOAR to block communication with suspicious IP addresses in firewalls, suspend compromised user accounts in access rights managers, shut down malicious processes, and delete malware and data-staging files.

Each strategy has its merits and each will appeal to companies depending on whether the business can afford endpoints with spare CPU capacity or whether offloading processing is a priority.