We are a security consulting company that assists clients with their Microsoft 365 and Azure security and workloads. We can help optimize the use of their purchased feature sets and licensing, ensuring they get the most out of their investment for security and other workloads and features within the 365 and Azure environments. As information flows between their 365 and Azure environments, we offer expertise to ensure clients are utilizing all available resources effectively.
The majority of our deployments follow a hybrid model, which is currently the norm. Although there have been instances where organizations have fully migrated to the cloud, many larger enterprise solutions in the industry are still in the process of transitioning from on-premise to cloud-based infrastructure. Consequently, most of these solutions are currently in a hybrid state.
The visibility provided by Azure is multi-dimensional, and one aspect that I appreciate is the Microsoft 365 Defender portal. It not only offers Azure security but also a single-pane-of-glass experience where we can view our SaaS applications, email hygiene, and threats and alerts, all on the same page. The monitoring is exceptional, and the quality and depth of the telemetry are impressive. Clients appreciate the fact that we can access incident or alert details, including the affected entities and the timeline of events. For instance, we can identify where an email was opened, a link was clicked, and how malware or viruses spread across the network, causing damage. Additionally, the portal's ability to provide automated responses is second to none, and we can see how Microsoft's AI technology can isolate or stop these instances from further propagation. In summary, Microsoft 365 Defender is a powerful tool.
Microsoft 365 Defender assists in prioritizing threats within our enterprise by using CVE-based vulnerability ratings, an industry-standard prioritization method. This means that the product has incorporated industry standards into the Microsoft tenant, providing prioritized threats and best-practice remediation. With the help of Defender, we gain insights on how to remediate and prevent future threats from similar malware or incidents.
We utilize several security products to ensure the protection of our data and identity. Our product offerings include Defender for Identity, Defender for Cloud, built-in tools for data governance and data protection, as well as compliance and monitoring through the compliance portal. Typically, clients with E5 or A5 licenses can benefit from these products, which cover a wide range of features for protecting data and identity and for detecting risky behavior, such as risky sign-ins, through user behavior analytics. The behavior analytics feature, which is part of the Defender product line, has been particularly crucial for federal governments and other organizations with highly sensitive data. While all of these products are valuable and important, we believe that identity is the most crucial foundation to start with since it feeds into everything else.
The integration of Microsoft products is almost seamless, as long as we have the licensing piece. To enable sharing or maintaining telemetry across different solutions, we turn on the connectors and switches for products like SharePoint, OneDrive, Teams, and Exchange. Setting up connectors for SharePoint on-premise or Exchange Online may be necessary, but Microsoft provides setup wizards and good documentation on their website, making it easy to implement solutions. Any difficulties usually arise from user error or from trying to integrate insecure legacy third-party software. However, most software that uses modern authentication and protocols integrates seamlessly within the Microsoft environment. The Microsoft documentation site is excellent, with built-in training and links to assist with implementation.
The security solutions work together seamlessly to provide coordinated detection and response across our environment. One of the things I appreciate about these products is that the Defender products share telemetry across the board. For instance, if we set up Defender for Identity on our domain controllers, we need to grant permissions for that telemetry to be accessible from Microsoft 365 Defender in the cloud. This means we may have to give permissions to our on-premise domain controllers. While the integration is simple, it is essential to follow the documentation to ensure a seamless and easy-to-maintain setup, monitoring, and management of our Microsoft 365 and Azure ecosystems.
Microsoft covers all current threats that have been identified by various security organizations and standards. These threats are typically integrated into the Microsoft ecosystem, including zero-day detections. Microsoft is plugged into world-class cybersecurity organizations, ensuring that all vulnerabilities and updates are current and available in the Microsoft portals. The comprehensiveness of Microsoft's security coverage is top-notch, with seamless integration with other clouds and on-premise products. While there are other products competing in this space, Microsoft 365 users and organizations should not rely on third parties when Microsoft already has integrated solutions available.
Microsoft Defender for Cloud's bi-directional sync capability is crucial as it enables the transmission of telemetry data regarding SaaS application usage from client systems, on-premise devices, and any other systems that access the Microsoft 365 cloud. This feature ensures that real-time data is accessible for managed systems, providing immediate access to any detection of sanctioned or unsanctioned applications. The bi-directional sync capability offers immediate data feedback, which is essential for prompt action.
Microsoft Sentinel enables us to gather data from our entire ecosystem. However, it is important to note that using Sentinel requires a Microsoft subscription and a storage account. Therefore, it is necessary to consider the cost of data ingestion and aggregation. It is crucial to only ingest data that is relevant and beneficial for our security monitoring and log aggregation. Simply collecting data without a specific purpose is not advisable. I advise our clients to focus on maintaining a lean monitoring and log aggregation approach that yields security benefits. We can detect and query threats using the Kusto Query Language (KQL) that is integrated with Sentinel, making it a key component of our Microsoft security journey with our clients. Sentinel connects with everything and has native connectors and third-party options available. Additionally, Sentinel can be set up to provide security operations center capability by connecting it to another cloud.
Microsoft Sentinel allows us to investigate threats and respond to them in a comprehensive manner, all from one platform. What I find particularly impressive about Sentinel is its ability to provide both reporting and analysis through workbooks, and actionable response strategies through playbooks. In addition, Sentinel includes UEBA and threat intelligence capabilities. This raises the question of how we can evaluate the effectiveness of Sentinel's security protection. One advantage of Sentinel is that it not only detects threats but also responds to them using advanced AI and threat intelligence technology. This allows us to take proactive measures and set up playbooks and other capabilities that integrate seamlessly with Sentinel. By taking telemetry from different products and environments, Sentinel provides a three-dimensional perspective that other products may lack. This helps us take the right steps toward risk mitigation or remediation by giving us current, broad coverage. With that telemetry, we can take a holistic approach to securing the entities affected by any type of alert or environmental compromise. Sentinel's ability to bring together reporting, analysis, and actionable response strategies makes it a superior product in terms of security protection.
The cost of Sentinel depends on the amount of data being processed. This is likely true for other similar products as well. Typically, the cost of using these products is associated with ingesting and aggregating data logs. However, I believe Sentinel's cost is competitive and provides an advantage, as it offers more than just a SIEM or SOAR solution. Sentinel includes response capabilities, which is where it excels. Therefore, I believe the cost is reasonable considering the benefits it provides.
After implementing Microsoft 365 Defender, our organization has observed a significant improvement in our security measures. We have noticed a substantial decrease in compromised accounts, access issues, and entry problems resulting from phishing attempts, emails, and other security threats. This improvement can be attributed to the robust Exchange Online Protection capabilities. The impact has been remarkable and has made a noticeable difference in our overall security. Additionally, addressing insecure applications operating within our environment and managing data governance has been a challenge. Data governance, in particular, can be time-consuming since data is ubiquitous and it takes time to establish the appropriate tools, labels, and policies to protect it. It requires a marathon-like approach rather than a sprint, and Microsoft 365 Defender has helped reduce the time.
Our Microsoft security solutions automate routine tasks and aid in detecting high-value alerts. The ranking of these alerts is customizable, allowing us to adjust their priority based on our industry or organization's specific needs. While the default settings are effective, we appreciate the ability to modify them to better suit our purposes. This customization feature is particularly valuable as it allows us to tailor the alerts and detections to our particular use case.
The solution has helped our clients by eliminating the need for multiple dashboards and providing one comprehensive XDR dashboard. This has been the most significant feedback from our clients who prefer to have all information in one place instead of having to navigate through multiple portals. With the integration of Microsoft tools like Power BI, our telemetry can be displayed in different views and graphics, making it easily understandable for all stakeholders and users. Power BI can also import Sentinel queries, allowing for customized dashboards with a unique look and feel. I appreciate the flexibility and versatility of Power BI in creating informative and visually appealing dashboards.
The solution's threat intelligence helps us prepare for potential threats before they strike, allowing us to take proactive measures. I have witnessed some excellent updates that are posted on the Microsoft Defender portal. These updates have enabled us to stay ahead of any potential threats. When there is an attack, Microsoft is quick to disable affected services, such as service principals or services, across many servers and other devices, taking affirmative action ahead of time. I have observed many proactive notifications, including day-one or zero-day notifications, that are promptly released on the Defender side. This approach allows us to get ahead of the potential issues and prevent any significant impact.
The amount of time saved by using automation tools is significant and exceeds our expectations. While we sleep, these tools perform tasks such as deleting phishing and malicious emails and conducting automated investigations. This has resulted in a substantial reduction in the number of man-hours needed for Microsoft security and Defender product tasks, which has more than justified their cost.
Microsoft 365 Defender has saved our organization money.
Microsoft 365 Defender has significantly reduced our detection and response times. The proactive nature of the software alerts us to suspicious activity, such as a user logging in from an unknown location, allowing us to trigger conditional access responses accordingly.
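The "user logging in from an unknown location" detection mentioned above, expressed as a Sentinel KQL analytics query (an added example, not from the original review or from Microsoft's built-in rule set). It assumes the Azure AD connector is populating the `SigninLogs` table with its standard `ResultType`, `LocationDetails` and `UserPrincipalName` columns; the 30-day baseline and 1-day detection window are illustrative values chosen here.

```kql
// Constructed example: surface successful sign-ins from a country the same
// user has not signed in from during the preceding 30 days. Hits are
// candidates for a conditional access response (e.g. step-up MFA), not proof
// of compromise on their own.
let baselineWindow = 30d;   // how far back to learn each user's known countries
let detectWindow   = 1d;    // how recent a sign-in must be to be evaluated
let knownCountries =
    SigninLogs
    | where TimeGenerated between (ago(baselineWindow) .. ago(detectWindow))
    | where ResultType == "0"                       // successful sign-ins only
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | where isnotempty(Country)
    | summarize KnownCountries = make_set(Country) by UserPrincipalName;
SigninLogs
| where TimeGenerated > ago(detectWindow)
| where ResultType == "0"
| extend Country = tostring(LocationDetails.countryOrRegion)
| where isnotempty(Country)
| join kind=leftouter knownCountries on UserPrincipalName
// No baseline at all (new or rarely seen user) or a country outside it
| where isnull(KnownCountries) or not(set_has_element(KnownCountries, Country))
| project TimeGenerated, UserPrincipalName, Country, IPAddress,
          AppDisplayName, RiskLevelDuringSignIn, ConditionalAccessStatus
| order by TimeGenerated desc
```

Because this query re-reads 30 days of `SigninLogs` on each run, schedule it no more often than the detection window warrants; that keeps the query cost in line with the lean-ingestion advice above.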
Within Microsoft 365, monitoring and connectivity across all Microsoft and third-party connectors give visibility into all activity within those environments. This is a key advantage for maintaining and monitoring usage, implementing security guardrails, and protecting data integrity and privacy from oversharing. Many clients face challenges in managing guest account access, SharePoint links, and access control. Thus, we recommend starting with access and entry as a foundational principle of security, using tools such as the identity secure score to assess progress on the security journey.
Microsoft 365 security portals cover four pillars: identity, applications, devices, and data, with the Defender products geared towards identity protection being the most useful. These products help set up conditional access controls, Privileged Identity Management, and risk mitigation strategies for legacy authentication and protocols. Defender products also provide visibility across third-party services such as AWS cloud, Box, Workforce, and other enterprise tools. Microsoft Sentinel, another useful product, provides a great solution for infrastructure visibility across Azure and on-premise infrastructure, albeit with associated costs for storage and subscriptions.
The cost of the solution appears to be appropriate, and we get what we pay for. Although I am aware that Microsoft has recently introduced licensing adjustments with Plan 1 and Plan 2 options, I have observed that they offer a higher level of benefits and value compared to our current solution. Nevertheless, we are taking steps to make our solution more accessible to various organizations, including educational institutions, by utilizing the licenses we have and pursuing certification for federal cloud services, despite the additional obstacles. Overall, I believe that the pricing of the licensing is fair.
I give the solution a nine out of ten.
We have a cloud environment, and for Microsoft 365 cloud services, our remote workforce is currently working from various locations. However, some resources and applications are still located on-premise and need to be accessed. To accommodate these hybrid environments, we usually use Azure AD sync to synchronize on-premise AD. This process can add some complexity.
Microsoft 365 Defender needs to be fine-tuned for optimal performance. In order to achieve this, adjustments need to be made based on the specific needs of the user. For instance, when tuning for phishing email security, there are different levels of aggressiveness available for the products. Fortunately, maintenance is quite minimal as Microsoft handles virus signatures, updates, and other related tasks. However, tuning is necessary for individual use cases, such as adding specific emails to an exception or whitelist.
Determining the best-of-breed in a given space can be subjective due to varying perceptions. While a best-of-breed strategy is effective in certain cases, it has limitations when compared to integration. For instance, when trying to identify the best tool for different security areas, having disparate solutions that don't communicate with each other can be problematic. Therefore, integration becomes a critical component in this context. Although having the best-of-breed approach is a great strategy, we also need to consider the benefits of integration and having a single pane of glass that provides an overview of all security aspects. This will help us avoid having to navigate multiple best-of-breed solutions in a sporadic manner.
My suggestion is for people to carefully review the documentation provided by Microsoft to gain an understanding of how the product works and how it fits with their particular use case and solution scenario. Negative feedback is often the result of a lack of knowledge or understanding. By taking the time to conduct a proper POC, engaging with the appropriate Microsoft representatives or consulting organizations, and being inquisitive, we can evaluate our current tenant and solution, and conduct a security assessment. This will enable us to make an informed decision about Microsoft products.