VMware Carbon Black Cloud for Endpoint Security
This is an article about how I used VMware Carbon Black Cloud ONLY as a showcase to secure desktops running on VMC on AWS.
The VMware Carbon Black Cloud is a cloud-native endpoint protection platform (EPP), CB provides what you need to secure your endpoints, using a single lightweight agent and an easy to use console.
VMware Carbon Black provides:
- Superior Protection
- Actionable Visibility
- Simplified Operations
First let’s take a look on the Console. It is a web-based Console hosted in a AWS Datacenter. You can login via SSO or E-Mail and Password. Dashboard give you a good overview about what is going on, any events or issues.
Let’s start to get CB rolling and define some policy groups. In a policy group you can define all kind of settings, what should happen if something get’s detected, or just simple things like, when should the system get scanned. To create a new Policy let’s get to enforce and then policy.
Add a new Policy, name it, add a description and copy setting from the standard Policy Group.
Perfect, now we can do some modifications. We can change as a example what should happen, if a known malware process is running. As default it will terminate the process. It is even possible to terminate the process when it’s trying to communicate over the network.
You also can change the local scans, On-Access File scan, frequency and more. Keep it in mind if you have to exclude any on-access scans on specific files/folders.
On the last, “Sensor” you can edit the sensor settings of the client. I will deploy CB to our demo and test environment, in this case I allow user to disable protection. Usually you will not allow the User to disable the security! Guess what, if user can disable it most of them will do..
Next what we need to do is to create a Endpoint Group. In Endpointgroups you can define different policys or criteria to seperate different Workloads and assign them automatically to a policy. To do this, you have to go to “Endpoint” section on the left side and add a new group.
It makes sense to seperate different Workloads as Horizon, WebServer etc. You can set different criteria like IP Range or Operating System to automatically add the Server to different Endpoint Groups.
Last step, we need to install the Carbon Black Sensor. Basically it should make sense to add the Sensor directly to the basic Images and also define a Default/general Endpoint Group where all clients are added with a basic ruleset. When you change, as a example, the IP address from the Server it will automatically update the Endpointgroup and add the Server to the new Policy Ruleset. In my case i will just install the Sensor manually.
To download the Sensor we need to go to Endpoints -> All Sensors on the top right you will find Sensor Options -> Download Sensor kits.
Run the installer on the target system, agree the terms and enter the License Key. We are done, the Sensor is installed! Take a look back to the Console “Endpoints”, you can see now the VM automatically added to the correct group and policy.