No Summer Camp for me this year. Instead I had a small family-style vacation, which is why there was no post last week.
This week, I figure on ranting about CarbonBlack again. It seems that while I was on vacation they did back-end upgrades to Defense. These wonderful upgrades, which should have been properly tested, have caused a lot of prior fixes to stop working. What does this mean? Well, a ton more false positive alerts, poorer performance, a recurrence of VDI sensors getting stuck in bypass mode (or spinning up in bypass mode), and issues with grouping and dismissing alerts. How do you release something without proper testing?
The statement from CB is that most of this will be fixed in the next sensor update, which comes out this month, but in the meantime there is not much that can be done. I have been a huge fan of CB Response and CB Protect in the past. They were well tested, well thought out, and had all the controls one needed to be able to tune properly. With Defense, honestly, it seems like they do not care. This latest update seems not to have been tested with the current sensor. New sensors usually have some issues of their own (they keep breaking prior fixes, for instance) and have to be tested and vetted by organizations to make sure that they do not break anything. Meanwhile, CarbonBlack breaks things on our end and makes our job that much more difficult with their back-end upgrades. Any company out there could learn from this as a lesson in what not to do. This also shows the problem with going with a cloud-based solution whose update/upgrade cycle the customer has no control over.
At last year’s Black Hat, CarbonBlack put out a beautiful marketing claim about Defense stopping Mimikatz. Look up the video of someone proving that wrong within days. Some people I know over at CarbonBlack knew that would happen and were not happy with their marketing department over it.
I hope that CarbonBlack realizes what a pain these items are. I know the whole first-to-market, gotta-keep-things-fresh-and-make-changes mentality is part of the industry. Forcing people to use the latest immediately upon release is the wrong way to do things, though. Why this happens with Defense (which I have picked apart before) is beyond my understanding. Confer was bought by Carbon Black a few years ago now, but it seems like it is the item they are still not sure what to do with.