Microsoft 365 Defender OverviewUNIXBusinessApplication

Microsoft 365 Defender is the #6 ranked solution in top Security Information and Event Management (SIEM) tools, #6 ranked solution in XDR Security products, and #10 ranked solution in top Microsoft Security Suite tools. PeerSpot users give Microsoft 365 Defender an average rating of 8.0 out of 10. Microsoft 365 Defender is most commonly compared to Microsoft Defender for Cloud: Microsoft 365 Defender vs Microsoft Defender for Cloud. Microsoft 365 Defender is popular among the large enterprise segment, accounting for 62% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 18% of all views.
Microsoft 365 Defender Buyer's Guide

Download the Microsoft 365 Defender Buyer's Guide including reviews and more. Updated: March 2023

What is Microsoft 365 Defender?

Microsoft 365 Defender, part of Microsoft’s XDR solution, leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, building a complete picture of each attack in a single dashboard. With this breadth and depth of clarity defenders can now focus on critical threats and hunt for sophisticated breaches, trusting that the powerful automation in Microsoft 365 Defender detects and stops attacks anywhere in the kill chain and returns the organization to a secure state.

- Reduce signal noise by viewing prioritized incidents in a single dashboard. 

- Use the automated investigation capabilities to spend less time on detection and response.

- Take care of routine and complex remediation with Microsoft 365 Defender by auto-healing affected assets.

- Hunt across all your data, leveraging your organizational knowledge with custom queries. 

- Develop custom detection and response tools for long-term protection and improved security posture.

To learn more about our solution, ask questions, and share feedback, join our Microsoft Security, Compliance and Identity Community.

Microsoft 365 Defender was previously known as Microsoft Threat Protection, MS 365 Defender.

Microsoft 365 Defender Video

Microsoft 365 Defender Pricing Advice

What users are saying about Microsoft 365 Defender pricing:
  • "The pricing of Microsoft 365 Defender is definitely on the costly side, but with the features and services that Microsoft provides, such as the seamless integration of all the Defender tools, while the price is on the higher side, there is no alternative."
  • "For Defender, they have Endpoint Plan 1 and Endpoint Plan 2, but I don't know on what basis they have classified Endpoint Plan 1 and Plan 2, but it has given me enough pain to pick and design Endpoint Plan 1 or Endpoint Plan 2 for my organization. In fact, we are still struggling with it. Too many SKUs are confusing. There should not be too many SKUs, and they shouldn't charge for every new feature."
  • "Microsoft should provide lower-level licensing options. They should do it in such a way that even an individual could purchase a license, and it should be entirely flexible."
  • "Its licensing and pricing are handled by someone else. My role is limited to incidents or issues with the portal, but you get what you pay for. It is worth the cost."
  • "I would like to have more security features in the lower licenses because not every customer is able to buy E5 licenses. The bundling isn't always easy for our customers to understand. Compared to other tools, it's a good price."
  • "The solution is affordable, and we haven't been hit with any hidden costs. The subscription model is straightforward, and it's easy to understand how much additional features cost. If we need to cancel a license or feature, we do that well in advance to avoid being charged for it, but overall, the pricing and licensing are simple and easy."
  • "They have moved from a licensing model to pay-per-use... The question is: What happens if, for any reason, there's not enough budget to accept this model? That could be a great problem."
  • Microsoft 365 Defender Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    Lukasz Rutkowski - PeerSpot reviewer
    Microsoft 365 Consultant at a tech services company with 5,001-10,000 employees
    Real User
    Top 10
    The biggest impact is that we need fewer human resources to deal with a bigger attack surface
    Pros and Cons
    • "There is also one dashboard that shows us the status of many controls at once and the details I can get... It gives a great overview of many areas, such as files, emails, chats, and links. Even with the apps, it gives you a great overview. In one place you can see where you should look into things more deeply..."
    • "There should be better information for experts on features in the solution. What I see when reading about features in Microsoft 365 Defender is that it is always general information. If Microsoft could go deeper into details for the experts about how to use the tools, usage of it would be more familiar and it would be easier to use."

    What is our primary use case?

    Almost every use case is about security layers for messaging in Teams and for email. It especially used for phishing filters, spam filters, and composite authentication, as well as Zero-day advanced protection, and for protection within already received emails. Clients are also looking for link protection in Teams and in SharePoint.

    How has it helped my organization?

    The solution has improved the remediation steps we take for each threat. That has been the biggest impact on our organization because we need fewer human resources to deal with a bigger attack surface.

    And for routine tasks and alerts on issues of high importance, the automation that the system provides has helped greatly. You can set up customized alerts and categorize trends to see a quick overview. As a result, our security officers can focus on the really important tasks, without noisy alerts. Previously, there was a procedure with a rule that was sending all emails that resulted from the SPF and DMARC controls failing to the phishing mailbox. Our security officers had to review every email and accept or decline. Now, using the automation tools within the Microsoft 365 Defender, they don't need to do that. They can check that the tool is working fine from time to time, but they don't need to do that task on a daily basis. It gives them a lot of time to do more important and creative stuff.

    In addition, especially when it comes to Zero-day attacks, the solution's threat intelligence helps prepare you for potential threats before they hit. It identifies, for example, attachments containing something malicious and remediates by blocking additional delivery to other users. For example, an email may only be delivered to three users instead of 100 users. Even if somebody didn't open the email, the Zero-day attack protection has removed the email from their mailbox. This is a great remediation step for protecting that attack surface. Then I can observe how the tool is dealing with the attack instead of trying to figure out how to approach it, what to do, who I should contact, et cetera.

    It also saves me time every day. It was taking me really long to review the message headers to identify what happened. It could take an hour or even more if it was a really complicated case. I needed to check the headers, the content, the links, the attachment. Using Microsoft 365 Defender, I can see in Explorer at a glance, or by clicking through one or two tabs, what is happening. It gives me a lot more time to do more interesting work and to close other cases. Instead of an hour, it takes five or 10 minutes now.

    It's a lifesaver for me and keeps my clients from being threatened and attacked every day. It's not about the money, it's about the information. Attackers can use information to make money.

    I can check the overviews and see trends where somebody wants to use some kind of open gate to gather my information. But the solution does the work on my behalf, so I don't need to observe the environment, traffic, and user behavior. And we don't have to invest a lot of money on repetitive training for users. Training is also good, but I don't need to invest so much money and effort in that process, and that results in savings.

    What is most valuable?

    For me, the email protection features are the most useful because I focus on that area.

    I also really like the integration with the entire Microsoft 365 service because it's not really common to have a tool that is integrated well with Teams, SharePoint, and Exchange. 

    Another feature I like is that inside Explorer I can perform an investigation to check, for example, if any accounts have been breached or accessed by a malicious actor. I can also check the source of emails from which we are receiving something that was not expected by us, such as 

    • XML attachments 
    • meeting invitations with the malicious links
    • JavaScript. 

    And I really like that the tool checks attachments within the hash so that we can investigate who received the malicious file and where.

    There is also one dashboard that shows us the status of many controls at once and the details I can get. Sometimes I'm on a call with somebody from the security team who is asking why we received something or how we can better protect our environment. I can even show them the analysis of a particular Excel file and a macro inside that file. That is something I really like. It gives me a lot of information and I can respond very quickly to a particular case.

    It gives a great overview of many areas, such as files, emails, chats, and links. Even with the apps, it gives you a great overview. In one place you can see where you should look into things more deeply and get knowledge of the details, instead of browsing the details and looking for something that might be of interest.

    And, of course, it helps prioritize threats across the enterprise. The solution identifies threats and categorizes them. I can assess which category is more important for me and react accordingly. This categorization is really important because it gives something like an SLA for each case. You always have limited resources to deal with cases. For example, in one of the companies which I support, over half of the email traffic is filtered by Microsoft 365 Defender's tools as malicious traffic, amounting to about 5,000 emails a day. I can use the tool to see an overall view of the threats, instead of just going through each one, one by one. It gives a great overview and the ability to see trends for a day or a month and I can adjust my focus according to the trends.

    With Defender on end-user devices, we have the ability to monitor them without the need to have them connected to the same network. People are working from home and sometimes they are working on their own devices. We can use conditional access policies to ask them to provide the minimum security standards. That gives us a lot of peace of mind when using Microsoft Defender. We can create rules that look for users who are uploading malicious content to Teams, SharePoint, Android, et cetera.

    What needs improvement?

    There should be better information for experts on features in the solution. What I see when reading about features in Microsoft 365 Defender is that it is always general information.

    If Microsoft could go deeper into details for the experts about how to use the tools, usage of it would be more familiar and it would be easier to use. Right now, I need to spend a lot of time using Defender to check the possibilities and how to connect them together to see things better. If I could read a more detailed article about it and see some use cases and how some threats are remediated, that would be great. Maybe I'm not looking deep enough or maybe there is some room for them to improve in this area.

    And I would really like to see new features.

    Buyer's Guide
    Microsoft 365 Defender
    March 2023
    Learn what your peers think about Microsoft 365 Defender. Get advice and tips from experienced pros sharing their opinions. Updated: March 2023.
    687,947 professionals have used our research since 2012.

    For how long have I used the solution?

    I'm a Microsoft 365 consultant and have been using Microsoft 365 Defender for about three or four years.

    What do I think about the stability of the solution?

    It is really stable.

    Sometimes, when there is a problem with the Microsoft infrastructure, for example, in India, then it can be hard because it's not just that somebody may have a problem. It's not about only one business unit but all of Europe. But it's not that problematic for us because usually this kind of situation is very limited and the fix is delivered really quickly.

    What do I think about the scalability of the solution?

    It is a scalable solution. I haven't had any problems with the scalability of Defender.

    We have the solution deployed in 38 countries. People are connected to their local networks and they use the updates from Intune and SCCM.

    How are customer service and support?

    I haven't had any situation in which I had to ask for support for Defender. 

    But for Microsoft 365, overall, when we contact the exact, dedicated team, it's really good. But before that, when a ticket goes through the first and second lines of support, sometimes it's too repetitive. The first line asks the same things as the second line. I know that it's required because Microsoft is a huge company and it has a lot of customers, so some kind of triage is needed. But when an issue is well-known and there is already a solution or a workaround, the sharing of this knowledge should be better.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    I used regular filters on the email server, running on Linux, with some type of anti-exploit solution that checked for threats inside the files. I filtered the DMARC and SPF with regular controls. That was a nightmare and I'm really happy to now use Microsoft 365 Defender.

    What's my experience with pricing, setup cost, and licensing?

    I don't deal much with the pricing aspect, but the companies I am supporting use an E5 license for Microsoft 365 because they want to include all the features and it's cheaper for them to use E5 than SE3.

    Maybe the solution should be cheaper because I have heard that the licensing is pretty expensive. I can imagine why: The knowledge is expensive and the tests and infrastructure are expensive as well.

    What other advice do I have?

    From time to time there is maintenance in reviewing the rules so that we can focus on how to use it better. But that's not "maintenance" in the standard meaning that you need to check if the processes are working properly. For example, our security department uses phishing attack simulations to check if users are aware of how the tool behaves when we receive a phishing attack and what actions are taken to remediate that attack.

    When trying to decide between a best-of-breed strategy versus a single vendor for security, it depends on the approach, resources, and of course, money. You can have a single vendor and extensively use the solution and really invest time and effort into better understanding how it works. Or you can buy a few solutions but understand each of them less, because it's not possible to have deep knowledge of how every solution works. For me, it's better to use only Microsoft 365 Defender instead of having additional security providers. I can then go deeper into the details and ask the vendor to implement a feature that is useful, and that probably will not only be useful for me. We can build it together instead of blaming each about who should do better work.

    My advice is to go deeper into the details to understand how remediation is utilized inside the solution. Notice that Microsoft 365 Defender is using data collected from every tenant that is using the solution, not only mine. If a company's controls have been attacked, the tool can already protect me because I'm not on the first line of fire. It's great to understand this fact and understand the idea behind it and what the benefits are.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    Network & Security Manager at SNP Technologies, Inc.
    Real User
    Top 10
    Combined with Sentinel, we get a wholesale view over entire infrastructure
    Pros and Cons
    • "The most valuable feature is the DLP because that's where we can have an added data protection layer and extend it not just to emails but to the documents that users are working on. We can make sure that sensitive data is tagged and flagged if unauthorized parties are using it."
    • "There is definitely scope for improvement in the automation area. Because the solution is a SaaS platform, we don't have the overall ability to automate stuff.... There is no direct way to go ahead because it's a SaaS platform."

    What is our primary use case?

    We use 365 Defender with Outlook, Teams, and SharePoint. Our organization extensively uses these products as do the clients we serve. Our goal is to secure those email, SharePoint, and Teams environments.

    How has it helped my organization?

    Our Microsoft security solution has helped eliminate having to look at multiple dashboards. For a wholesale view over the entire infrastructure, Sentinel is the place to go. But M365 Defender alone only covers 30 to 40 percent of the infrastructure.

    We have saved a lot of time compared to having to do tasks with other tools. With Microsoft, it's easier for us to manage and handle them. It saves us about 40 percent of the time it would have taken us. That includes the automating of detection and response.

    What is most valuable?

    The most valuable feature is the DLP because that's where we can have an added data protection layer and extend it not just to emails but to the documents that users are working on. We can make sure that sensitive data is tagged and flagged if unauthorized parties are using it.

    The information that the solution provides is pretty clear because I have an overall picture from the compliance dashboard, which is now called the Azure Purview Compliance dashboard or manager. It has all the information, including the DLP information, sensitive data being shared, threat protection, and attacks. All of that is on a single dashboard where I see what the state of security is.

    We use the entire suite of Purview features, including Sentinel, Defender for Cloud Apps, Defender for Endpoint, and even new features like Microsoft Defender for DevOps. Sentinel is the out-of-the-box SIEM tool that should definitely be used for more visibility on the M365 side. Of course, we have the compliance dashboard, but Sentinel acts as the single point of contact for visibility into all devices. That way we can see, if there are any threats or vulnerabilities, what the dependent resources are. Sentinel helps give us that bigger picture. We also use Defender for Identity and Defender for Cloud, with different features for the different aspects within the cloud, such as various servers and DNS, et cetera.

    With its different connectors, Sentinel enables us to collect data from our entire ecosystem. All the logs are injected into a workspace in Sentinel where Sentinel can analyze them. If we unlock the Microsoft threat intelligence program, which is part of Sentinel, we can investigate threats and respond holistically from one.

    Integrating these products is pretty simple. Microsoft Sentinel integrates really fast. Obviously, it's from the same stack so it's easy for us to integrate with just the click of a button. The connectors then help us integrate these services.

    If we have all these products in use, we can achieve a 90 to 95 percent security maturity model, without requiring any other vendors' solutions to protect resources.

    What needs improvement?

    There are two areas where I feel there is no Microsoft solution. One is vulnerability management, where Microsoft is partnered with Qualys. The other is a penetration testing tool on the preventive side. That would be more for an ad hoc request and not for everyday functions. Apart from these, all the other areas can be covered with Microsoft solutions.

    There is definitely scope for improvement in the automation area. Because the solution is a SaaS platform, we don't have the overall ability to automate stuff. By integrating Microsoft 365 Defender with Sentinel, we can definitely automate things. We can leverage playbooks, and execute Terraform scripts. But directly automating tasks in the 365 Defender is something we have to do with PowerShell, which is then connected to Exchange Online. There is no direct way to go ahead because it's a SaaS platform. But if you integrate it with Sentinel, where all the alerts are created and action needs to be taken, it is pretty comfortable for automation.

    Also, I would like to see it be a lot less policy driven. On the M365 side, there are a lot of policies that we need to enable to achieve a certain task. There is no direct solution; rather, there are a lot of workarounds.

    I understand that Microsoft is dealing with a lot of tools at once and having a direct solution is not viable. But I would hope that Microsoft can improve that side of it.

    For how long have I used the solution?

    I have been using Microsoft 365 Defender for more than five years.

    What do I think about the stability of the solution?

    It's a pretty stable solution and in terms of the SLAs it is pretty good. When it comes to applying policies and the standard documentation that Microsoft provides, everything works according to that. I would rate the stability a nine out of 10.

    What do I think about the scalability of the solution?

    It surely is a scalable solution, being a service that Microsoft offers.

    How are customer service and support?

    The technical support is not great. I have been working with these Microsoft products for quite some time, and I have raised issues and contacted them. Every support case I have raised has needed escalation. From my experience, the first-line support team doesn't have anything other than out-of-the-box solutions. Everything with that level of support is pretty standard, SOP-driven, and documentation driven. That is nice, but only to a certain point. When we are talking about the SOP that a level-one engineer does, that's when the support is very poor.

    How would you rate customer service and support?

    Negative

    Which solution did I use previously and why did I switch?

    We previously had on-prem solutions. For Exchange and for endpoints, we used to have McAfee, but that was more than five years ago. Previously, Defender for M365 used to be ATP, Advanced Threat Protection, and that's when we started using it.

    Previously, we had many things on-prem, such as Exchange Servers, SharePoint, and database servers. But as Microsoft drove toward cloud-native solutions and moved Exchange, SharePoint, and Dynamics 365 online, moving to M365 was a part of the move.

    How was the initial setup?

    There is no straightforward solution with Microsoft. There are definitely a few restrictions and limitations. We should go ahead and call that out and there were definitely challenges.

    The major challenge was moving the mailboxes from on-prem Exchange to Exchange Online. That was not straightforward because the goal was not to lose any emails, and that certain format-related issues be taken care of.

    We followed a waterfall method with a proper plan of action. We performed a PoC first, to make sure that the test users were migrated successfully. Once that was done, we did a proper plan in terms of department hierarchy for migrating our departments and detailed a plan of action in case there were any failures. We then did a proper pilot where we chose about 25 mailboxes for migration, and then we went ahead and migrated everyone. 

    One of the reasons it took six months was there were only five of us involved.

    Because it is a SaaS service, Microsoft promises three nines of uptime. There is no maintenance on our side.

    What was our ROI?

    We are seeing a return on investment compared to the same types of solutions that we used to have five years ago. We would have spent more than what we are spending right now. It's not just about the licensing, it's also about the team that manages it and the operations side of it. But compared to how things were, the return on investment has been positive.

    I doubt that we are saving money with this solution because all the features are only available with a Microsoft 365 E5 license, which is the highest. And that doesn't come cheap because it's on a per-user basis. If there are 1,000 users, you are investing a lot.

    What's my experience with pricing, setup cost, and licensing?

    The pricing model of Sentinel is entirely different from any other standalone SIEM tool. Other tools work on a licensing model with a fixed price based on the different modules that are enabled. Sentinel is not a fixed price. It depends on how much data is injected into it. With Microsoft, if there are 100 GB per month, it's about $2.30 per GB, or around $2,000 on a monthly basis. Compared to a fixed licensing cost, where organizations know that there is a certain budget they need to put aside for the license, on the Microsoft side, we really can't anticipate the cost.

    The pricing of Microsoft 365 Defender is definitely on the costly side, but with the features and services that Microsoft provides, such as the seamless integration of all the Defender tools, while the price is on the higher side, there is no alternative.

    What other advice do I have?

    My advice would be to try out Microsoft and compare it with other vendors. If your vision for Microsoft includes needing customizations and a lot of use cases, I don't think Microsoft M365 would support that. Where Microsoft shines is the seamless integration and dealing with less configuration management. But at the same time, organizations are adopting other solutions, such as Linux, and they want customization and that is not possible on the Microsoft side.

    Microsoft 365 Defender helps prioritize threats to the enterprise, but not alone. Rather, it is through combining it with other Defender products like Defender for Cloud Apps and Defender for Endpoint. All these, in combination, can provide really good security, visibility, and threat protection against any vulnerabilities or threats. But with just M365, our hands are tied with the scope, which is limited to emails, Teams, and SharePoint.

    We can't 100 percent automate things, but we can automate about 80 percent of our tasks. It has made life easier. But, at the same time, if a scenario is not something that repeats, performing an activity automatically would reduce the time spent, but not by that much. We have automated a few areas for things that occur on a regular basis, but at the same time, we come across situations now and again that we think about automating, but we also think about the effort that we would have to put into doing so. Will it be a recurring solution or not?

    There are also some advancements that Microsoft has launched to automate threat surface reduction, some features that we could try to help us analyze steps to be taken before an attack happens, but nothing that I have tried yet.

    Hypothetically, when looking at whether a single vendor or a best-of-breed strategy is best, being an architect the last couple of years, what I've seen is that having a multi-vendor system is definitely a good approach rather than going with a single vendor solution. Even though Microsoft has all these tools, we can't achieve 100 percent security. There are the areas for improvement that I mentioned, where Microsoft doesn't have a single solution, like pen testing and vulnerability management. My suggestion is always to go with a multi-vendor solution. Microsoft might reach a level where, at a certain point, they will have 100 percent coverage, but my approach would still be multi-vendor.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Microsoft 365 Defender
    March 2023
    Learn what your peers think about Microsoft 365 Defender. Get advice and tips from experienced pros sharing their opinions. Updated: March 2023.
    687,947 professionals have used our research since 2012.
    Nimesh Aggarwal - PeerSpot reviewer
    Principal Consultant - Cyber Security & Cloud Infra. at RPS Consulting Pvt. Ltd.
    Real User
    Top 5
    Provides good email and endpoint security, but needs mature dashboard and better support for third-party solutions
    Pros and Cons
    • "It has been great for us. Previously, we didn't have a solution to protect us, especially from malware, whereas now, we are getting protection up front, especially from the malware attacks coming through emails or endpoints."
    • "The Defender agent itself is more compatible with Windows 10 and Windows 11. Other than these two lines, there are so many compatibility issues. Security is not only about Microsoft. The core technical aspects of it are quite good, but it would be good if they can better support non-Microsoft solutions in terms of putting the agents directly into VMware and other virtualization solutions. There should be more emphasis on RHEL and other operating systems that we use, other than Windows, in the server category."

    What is our primary use case?

    In our organization, we are mainly using it for email security and SharePoint security.

    How has it helped my organization?

    It has been great for us. Previously, we didn't have a solution to protect us, especially from malware, whereas now, we are getting protection up front, especially from the malware attacks coming through emails or endpoints.

    It helps us to prioritize threats across our enterprise, which is very important. It has sorted many things.

    We use Defender for Endpoint, and we also use Sentinel. In my organization, they are all integrated. Sentinel pulls the data from M365 Defender via connectors. The integration is very easy. There are no problems. These solutions work natively together to deliver coordinated detection and response across our environment, which is good. We rely a lot on Microsoft products. Together Defender for Endpoint and Sentinel give me a clear picture to defend against threats and investigate the threats.

    Sentinel enables us to ingest data from our entire ecosystem. It's always good to get a centralized, holistic view of our security operations. We are using centralized Sentinel dashboards mainly to get all the threats and information in one place. It's good.

    Microsoft security products provide comprehensive and deep threat protection. I'm pretty satisfied with that.

    It has saved us time. It has saved more than 50% of our time. 

    It has decreased our time to detect and time to respond. It has been helpful, and the time to detect is really fast. We don't have to do anything. We just have to rely on it. In terms of the time to respond, if something is under the radar or intelligence of Defender, the tool itself responds and gives us what happened. When it comes to something that is not on Defender's radar, Sentinel is generally where we go. So, it saved more than 50% time in terms of detection and response.

    What is most valuable?

    Email security and endpoint security are valuable.

    What needs improvement?

    It provides good visibility of Microsoft products but not for third-party products. It's a good product if we have Microsoft product lines to protect or defend, but it lags when it comes to a mixed environment or non-Microsoft products. The Defender agent itself is more compatible with Windows 10 and Windows 11. Other than these two lines, there are so many compatibility issues. Security is not only about Microsoft. The core technical aspects of it are quite good, but it would be good if they can better support non-Microsoft solutions in terms of putting the agents directly into VMware and other virtualization solutions. There should be more emphasis on RHEL and other operating systems that we use, other than Windows, in the server category.

    On the Defender side, for custom detection queries, KQL and the dashboard are not that great, but we are not doing automation directly from the Defender side. We leave Defender intelligence as it is, and we collect everything from Defender to Sentinel and handle the response from the Sentinel side. So, all our automation is happening through Sentinel only. We don't have any extra customization on top of Defender.

    The maturity of the portal or dashboard is missing. The dashboard is something that Microsoft is changing every month, and we are seriously not liking it. As a management person, I am not bothered about it, but my team is suffering because there are many versions. You are working on a version and then a new version comes and then the preview toggle button comes. Now, they are combining all the parts into a single console. It confuses technical teams a lot. I'm not happy with their approach or experiments when it comes to the Defender portal. They shouldn't change it again and again.

    The SOAR side of Sentinel is zero. If any subscriber subscribes to Azure Sentinel, SOAR is zero. Microsoft says that Sentinel is a SOAR solution, but I don't agree because they are only exposing the existing Azure automation engine towards Sentinel. My automation ask is that when there are already so many detection rules and connectors, why is the SOAR capability not in-built? Why can't they make the Azure functions behind it available in a template form and let us modify and use them? It will save my team's time in preparing the automation of the response. If my team has to create the logic, they have to invest a lot of time.

    Their support needs to be improved. I'm not happy with their support.

    For how long have I used the solution?

    I have been using this solution for more than a year.

    What do I think about the stability of the solution?

    For stability, the product must be mature enough. It should not keep on changing every month.

    What do I think about the scalability of the solution?

    It's scalable. Target points are in my capacity, and I can scale it without any problems. There is no limit to the agents for Defender, but on the server side, Microsoft would have the answer. 

    Location-wise, we are spread in five locations within one country, and department-wise, we have around 11 departments.

    How are customer service and support?

    Their support is bad. They weren't at all able to solve my problems. They buy the time but never get back. I have to follow up with them again and again. They just take the logs and sleep on them. I'm not happy with their support. I would rate them one out of ten.

    How would you rate customer service and support?

    Negative

    Which solution did I use previously and why did I switch?

    We were using another solution. Our organization at the time was too much dependent on the on-premises infrastructure. We were using Symantec, but it was a very quick shift within one quarter or two toward the cloud products and services. We are now heavily reliant on Microsoft Cloud products. We have the Azure environment and a lot of cloud applications, and we have shifted to M365 and Sentinel.

    How was the initial setup?

    We have a hybrid deployment. Within the cloud, it's straightforward, and when it comes to the target points, it's doable. 

    Our biggest challenge was removing the old Symantec signatures from the registries, devices, and servers. That was what we mainly struggled with a lot. Otherwise, deployment was going very smoothly. We had around 46 virtual machines or servers. The problem was that the MDATP agent was not ready to protect them. We struggled a lot there. We went to Microsoft, and Microsoft said to go back to Symantec, and when we went to Symantec, they asked us to go back to Microsoft. That took a long time for us. Everything else was smooth. When the target point is Windows, it's very smooth.

    It took around 20 to 25 working days. In terms of the staff, other than the infrastructure team, there were five people including me.

    In terms of maintenance, we have to just work on the detection rules and nothing else. There is no other maintenance. It's a complete cloud solution.

    What was our ROI?

    It's quite hard to measure the money saved from using this solution because we have not got any attacks that have resulted in any kind of ransom or monetary loss. It's defending us, and as of now, as per my report, there are no financial losses due to any attacks.

    What's my experience with pricing, setup cost, and licensing?

    Microsoft's pricing differs geographically. We are based in India, and we have India-based licenses. Money-wise, it varies from product to product or OEM to OEM. We pay less for some, and we pay more for some. 

    Microsoft has a lot of CSPs, indirect partners, and direct partners to deal with customers. There is so much difference in the price, which is something we are a little confused about. For Defender, they have Endpoint Plan 1 and Endpoint Plan 2, but I don't know on what basis they have classified Endpoint Plan 1 and Plan 2, but it has given me enough pain to pick and design Endpoint Plan 1 or Endpoint Plan 2 for my organization. In fact, we are still struggling with it. Too many SKUs are confusing. There should not be too many SKUs, and they shouldn't charge for every new feature.

    Which other solutions did I evaluate?

    We evaluated Okta products and QRadar.

    What other advice do I have?

    To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that a single vendor security suite is always better. It's simple. It saves the time to detect and respond and administer.

    This product is best if you have mostly Microsoft solutions in your ecosystem. If more than 20% of your solutions are third-party solutions, you can also look at and compare other products.

    Sentinel enables us to investigate threats from one place, but when it comes to response, we have to put a lot of effort into it because Microsoft is not giving anything ready-made on the SOAR side. We have to put a lot of effort into orchestration and automation. The SIEM of it in terms of the collection of security events and information is wonderful, but when it comes to the SOAR capabilities, there is nothing in-built. They are just the analytical rules for the detection purpose, not for the response. The response is something we have to sit and design. So, the defending capabilities of Defender are good. It has some intelligence, but on the response side, Sentinel is blank. We have to start from scratch. It's a circle, and we have to keep on evolving. When comparing the cost, I am not that exposed to other products' costs, but as per my understanding, the cost of Sentinel is a little bit on the higher side because Microsoft generally charges on a log ingestion basis. It also depends on the amount of log data we are ingesting in Sentinel.

    Its threat intelligence hasn't helped to prepare us for potential threats before they hit and to take proactive steps because it depends on the type of attack, the type of payload exploits, and other things. However, as per my previous report, in the last six months especially, there have been quite impressive preventive features, especially related to the process memory injection attacks or attacks coming from emails and links. It's very good for those.

    Overall, I would rate this solution a seven out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Tochukwu Josiah Okafor - PeerSpot reviewer
    Security and Compliance Engineer - Data Protection at a tech services company with 1,001-5,000 employees
    Real User
    Top 10
    Vast range of audit log search options helps analysts carry out a full search
    Pros and Cons
    • "Many people don't realize that Microsoft Azure, Exchange Online, and the security and compliance portal all sync together. For instance, within the Azure portal you can set security restrictions and policies to help secure your tenants... The good part of it is that these products have already been integrated. When you sign on as an admin you have global admin rights and that gives you access to all these features."
    • "The message trace feature for investigating mail flow issues should add more detailed information to the summary report... if they could extend the summary report a little bit, make it more descriptive, ordinary administrators could understand what happened and that the emails failed at this or that point. That way they would know the location to go to try to correct it and to prevent it from occurring again."

    What is our primary use case?

    We are a Microsoft partner and we have clients who are Microsoft 365 administrators in several companies. They are looking for ways to secure their tenants and make sure that their security is top-notch. That's where Microsoft Defender comes in. We use Microsoft 365 Defender for security and compliance to secure tenants from malicious attacks, including spam and phishing attacks. And when it comes to compliance, it is used for data privacy and data protection to ensure that very sensitive data doesn't go out to the wrong location.

    How has it helped my organization?

    It makes security and protection very seamless.

    And Defender saves me time. For instance, if I get notified that a user isn't receiving emails from a particular person, I know that the first thing I have to do is a message trace. It saves me time to an extent because I have a go-to location. With message trace, I'm able to trace emails from, for example, abc@givendomain.com over the past two days. It gives me information about what actually happened in the mail flow. I'd rate the time it saves me as a seven out of 10. 

    It has also saved us money, on the order of 50 percent. And our time to respond has improved to the level of a six out of 10.

    What is most valuable?

    The features of the solution are vast and wide.

    The most valuable feature is the content search feature in the compliance portal. It is very useful because it covers both audit log search and content search. The audit log search is very useful because, most of the time, you see several changes within the admin portal and it's hard to keep track of what happened. Our customers want to get to the root cause and see the activity that must have triggered those changes. That's where the audit log search comes in. They've enhanced the feature in such a way that it has a vast range of search options so that an analyst can carry out a full search.

    The content search feature has also advanced to a point where you can carry out several searches with your keywords. You can point it to a certain location, such as Exchange Online or SharePoint Online, or Teams Online. You can narrow the search down to a particular individual or group of individuals. When administrators report that they have lost content or accidentally deleted a mailbox or the mailbox content, the content search feature is a good way to recover the content.

    Another top feature is threat management. It helps prioritize threats across the enterprise.

    In addition, you can navigate to the security compliance portal and set restrictions to block IP addresses from different locations. You can also choose to flag domains that are sending malicious attacks and block them and update the anti-spam policy to make it more strict to prevent attacks from happening in the future.

    Many people don't realize that Microsoft Azure, Exchange Online, and the security and compliance portal all sync together. For instance, within the Azure portal, you can set security restrictions and policies to help secure your tenants, but most administrations do not know about that, including things like multi-factor authentication, conditional access policies, and privileged access.

    We've had reports from clients about compromised accounts because someone got access to a password that they shouldn't have. Multi-factor authentication helps eliminate this. As for conditional access policies, you can set certain policy restrictions to certain locations or IP addresses so that emails or sign-ins only come from particular locations. That helps secure your environment against malicious sign-ons to your accounts.

    The good part of it is that these products have already been integrated. When you sign on as an admin you have global admin rights and that gives you access to all these features. You will see Exchange Online, security and compliance, and Microsoft Azure. All you need to do is click and it takes you to the portals.

    Overall, the comprehensiveness of the threat protection is at 95 percent. It's not 100 percent because of updates not being done on the Knowledge Base and technical know-how.

    The alert feature allows you to set the severity of alerts. If there is a malicious or suspicious sign-on, an alert triggers immediately letting you know, as an administrator, to check what's going on in that account. For example, there was a time when one of our users' accounts was about to be compromised. We got an email notification which was sent to all administrators on the tenant. I was able to block that activity in real-time and then set the system to trigger more alerts for such sign-ons in the future. I also blocked the IP address. That particular feature has helped. The alert arrived in real time to prevent the account from being compromised.

    What needs improvement?

    When changes are done within either the admin or security and compliance portals, there should be a real-time update to administrators about the changes. Many times I'm supporting a case where someone says, "I used to do this like this, but I'm unable to do it that way anymore. What happened?" And I will have to say, "Oh, sorry. That doesn't work like that anymore. It's now done this way." So there should be a way to notify people about changes like that, and prompt information when changes are done within a portal.

    I would also like to see regular updates about new features in the Knowledge Base. There are cases where I'm using a Knowledge Base article to try to educate a customer, but when I check the feature on the admin portal, and in the article, they don't look alike. For instance, it's saying, "Go to settings. From settings, go to options." Meanwhile, on the portal itself, I'm seeing "Settings, go to more settings, then go to options." It would help a whole lot if feature updates were updated in real-time in the documentation.

    Also, the message trace feature for investigating mail flow issues should add more detailed information to the summary report. The summary report is what the administrators are able to understand. The extended reports are a very deep dive and the administrators will only understand them if they reach out to support engineers. But if they could extend the summary report a little bit, and make it more descriptive, ordinary administrators could understand what happened and that the emails failed at this or that point. That way they would know the location to go to try to correct it and prevent it from occurring again. Making that summary report more extensive and detailed would be of great help.

    For how long have I used the solution?

    I have been using Microsoft 365 Defender for a little over three years.

    What do I think about the stability of the solution?

    Overall, it is stable. 

    There are a few bugs but they generally don't impact the reliability. The bugs are not the kind that impact the work done by an organization. Processes can continue while they fix the bugs.

    What do I think about the scalability of the solution?

    It is scalable.

    It is used across multiple departments with anywhere between one and 200 endpoints.

    How are customer service and support?

    Their response time is okay, it works fine, but the time it takes to resolve escalated cases needs improvement. An escalated case is when there is a bug. You could literally have reported a bug and it's still not resolved the following week. Bug fixes take a long time, especially when a very essential feature is not working as expected.

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    It took me three to five months to understand it because it has a vast number of features. If you do not understand it, one click could mess up a whole lot of things.

    What's my experience with pricing, setup cost, and licensing?

    Microsoft should provide lower-level licensing options. They should do it in such a way that even an individual could purchase a license, and it should be entirely flexible. An individual should be able to access the solution at a very affordable rate.

    Which other solutions did I evaluate?

    Most administrators, in my experience so far, are reaching out to third parties for email filtering and to manage threats in their organization. According to them, Microsoft 365 Defender isn't giving them the information they need. And I realize that this is not correct. What they're missing out on is the proper information or technical know-how to utilize the features.

    For example, if someone uses Barracuda as their third-party filtering service, I begin to ask questions such as, "Okay, why did you choose to use the Barracuda service when we have the ability to create good anti-spam policies that could help secure your tenant? You can create anti-phishing policies and rules that will help restrict IP addresses." Often, what they say is that Barracuda is better because it gives them more information and real-time data. At that point, I ask them to let me provide a deep dive into the features of Microsoft 365 Defender. I use the documentation and Knowledge Base articles to explain its features, one after the other, and they begin to say, "Oh wow." They didn't know these features actually exist. They'll begin to look at the possibility of utilizing the Microsoft solution since they have paid for it. Why should they pay additional money to a third party to get services that Microsoft provides? They feel very happy about the information I provide.

    So far so good. The Microsoft 365 product hasn't given me a reason to want to check for other products and move to something else.

    What other advice do I have?

    For the best and most seamless user experience, it's best to go with a single vendor because there could be a lot of complications going with a best-of-breed strategy. It's easier to understand things with a single vendor.

    When you don't understand a feature, ask questions and reach out for support. There are some features that are being used wrongly or that are underutilized.

    Also, test the product beforehand. They provide trials so you can test the solution and see if it meets your expectations.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    Support Engineer at a tech services company with 1,001-5,000 employees
    Real User
    Top 20
    Provides good insights, allows us to prioritize threats, and comes with a centralized portal
    Pros and Cons
    • "The EDR features are valuable. By getting the EDR features, we have more control over the device. We have information about events in real-time and more protection against zero-day threats and zero-day vulnerabilities. We can monitor every event or action that a device is going through. We can get an idea if it is something malicious or if we have to take any actions."
    • "The onboarding and offboarding need improvement. I work with other vendors as well, and they have an option to add a device or remove a device from the portal, whereas with Microsoft 365 Defender, we need to do that manually. However, once you do that, everything can be controlled through the portal, but getting the device onboarded and offboarded is currently manual. If we have an option to simply remove a device from the portal or get a device added from the portal, it would be more convenient. The rest of the features are similar. This is the only area where I found it different from others. I would also like to be able to simply filter with a few of the queries that are already there."

    What is our primary use case?

    Microsoft 365 Defender is an extension of Windows Defender. Windows Defender is an AV that is integrated with Windows OS, and with this extension, you also get the EDR functionality for security purposes. Microsoft 365 Defender gets more access to the device and provides more insights and control over that. Apart from the Windows platform, it also includes other OSs, such as Linux and macOS.

    We do have multiple options for deployment. We did deploy it on the cloud. We got the on-cloud license, and we onboarded our devices to the portal. The portal is deployed on the Azure cloud.

    How has it helped my organization?

    It helps us prioritize threats across the enterprise. We also have options to prioritize a specific device and monitor it. We can keep a device on high alert or on the watch out for each and every event. There are different severity levels, such as critical, high, medium, and low. We can set severities on any of the devices. Based on the set severity level, Microsoft 365 Defender can track events, and we can monitor those events from the console.

    We get more insights and more information about the devices that we have. Because most of them are Windows devices, we have integrations with Intune or SCCM. It is easy to transfer all the information and see everything in one single portal. If we want to configure anything or control the devices in the whole organization, it is easy because all of them are in the same environment. It is easy to manage and control them.

    There are fewer compatibility issues and errors and a better ability to track events. With third-party solutions, I used to see more issues related to compatibility and setting the ports. For each and everything, we had to either go through the support documents or through the support to get information. Most of the Microsoft documentation is publicly available. It is not that you only get that when you open a support case. That's an advantage compared to others.

    It helps to automate routine tasks and the finding of high-value alerts. We have KQL or SQL queries that we can set up. We can schedule them so that it automatically queries for a specific device or all the devices and gives us a report that we can simply export.

    Its threat intelligence helps to prepare us for potential threats before they hit and take proactive steps. It has helped us to recover a few devices. Because it is integrated with the OS, we get information about failed logins.

    It saves time and manual labor. Previously, we used to use a deployment portal such as Filezilla or GPOs. We used to manually update the signatures, but now, it is automatic. It saved me pretty much half a day's work.

    It has decreased our time to detect and our time to respond. It has saved half a day's work. The sensor constantly connects to the console. In case of an issue, we get an email immediately. We also get a notification in the console. Previously, we used to manually scan the device or query something and then get the results. Because it is automated, we don't need to manually do that. Previously, we used to manually isolate or block a device, or we used to work with different teams to get the device offline, but now, we can simply search the device name in the console and isolate a device from there, which is convenient for us.

    What is most valuable?

    The EDR features are valuable. By getting the EDR features, we have more control over the device. We have information about events in real-time and more protection against zero-day threats and zero-day vulnerabilities. We can monitor every event or action that a device is going through. We can get an idea if it is something malicious or if we have to take any actions.

    Because Microsoft 365 Defender is integrated with the OS, we get more insight into the events or threat activities. With a third-party solution, we could have some limitations or compatibility issues with the OS, whereas with Microsoft 365 Defender, there are no compatibility issues for Windows, and we get more insights and more information on the threats simply by logging into the console.

    What needs improvement?

    The onboarding and offboarding need improvement. I work with other vendors as well, and they have an option to add a device or remove a device from the portal, whereas with Microsoft 365 Defender, we need to do that manually. However, once you do that, everything can be controlled through the portal, but getting the device onboarded and offboarded is currently manual. If we have an option to simply remove a device from the portal or get a device added from the portal, it would be more convenient. The rest of the features are similar. This is the only area where I found it different from others. I would also like to be able to simply filter with a few of the queries that are already there. 

    For how long have I used the solution?

    It has been almost three months.

    What do I think about the stability of the solution?

    I would rate it a seven out of ten in terms of stability. It is quite stable but it can be improved for a few scenarios. It is still new for macOS and Linux, and for these OSs, I would rate it a six out of ten in terms of stability.

    What do I think about the scalability of the solution?

    It is scalable. We are using it pretty extensively. It is for multiple departments, and there are multiple teams handling it. In the tenant I have, there are 2,000 devices that are currently onboarded. We also get information about which devices are not onboarded. I can see that a few hundred devices are not onboarded. We also have a few other clients or partners who are using it but on a small scale. 

    How are customer service and support?

    It is good. We do get constant responses and inputs from them whenever we raise a case. They are quite helpful. I would rate them an eight out of ten.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I started working with this solution because I changed my organization. That was the major reason. 

    Being able to get the information simply from a single portal and the integration with other portals have been some of the benefits. Previously, we used to get data manually, and then we used a SIEM or event collector to send that data to other portals. Now, we can integrate with other Microsoft portals, such as Intune, and get the same information there as well. That's one convenience I have found.

    How was the initial setup?

    I am not involved with tenant deployment. I am involved with the onboarding of the devices. If you have the right knowledge, it is completely fine. They do have an admin console. You can deploy multiple tenants and also control through that console, but I don't have access to that. I only have access to my own tenant. I only have control over that. We can also include a tenant for a specific organization from the admin console. That admin console is deployed on Azure.

    Most of the maintenance is automatic. Because we allow Windows updates, most of the Defender updates are also included in Windows updates. We don't have to specifically go and check. If we see any alert or we find any suspicious events or something on the console while we are investigating, then it might need manual checks. We do get some recommendations through the console itself for what we can do to improve the device security score. So, it requires some maintenance, but that's only when we detect something or we are investigating something. For maintenance, we have different teams in each section. We have around 15 to 20 people.

    What was our ROI?

    I don't have the metrics, but we started to see its benefits within a couple of weeks from the time of deployment.

    What's my experience with pricing, setup cost, and licensing?

    Its licensing and pricing are handled by someone else. My role is limited to incidents or issues with the portal, but you get what you pay for. It is worth the cost.

    Which other solutions did I evaluate?

    We did compare it with VMware Carbon Black and McAfee. We did check Symantec as well, but Symantec didn't have EDR capabilities. So, we dropped it. The final call was Microsoft because we found the integrations and other things easy. It saves time for us because we don't need to go through another team or get a separate team involved just for data transfers.

    What other advice do I have?

    I would definitely recommend this solution. Getting the product is easy. You simply get the license, but after getting the product, you need to go through the deployment and configuration of the product to match your environment. You can just try out the product and experiment in your own way and learn each and every feature. The documentation is completely public. 

    I would rate it an eight out of ten because there are a few areas where it can be improved.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    Florian Stamer - PeerSpot reviewer
    Regional Director, Cloud Lead Architect at Cloudeteer GmbH
    Real User
    Top 10
    Provides extended security features, easy integration with other tools, and gives us a clear view of our customers' security environments
    Pros and Cons
    • "I like the easy integration and advanced possibilities. We can implement it at customer sites in a few clicks, but we can also dive deep and drill down to extended features. There's a very good starting point to get into this product and all the features from Defender."
    • "I would like more of the features in Defender for 365 to be included in the smaller licenses. Even if I buy a small license and don't need everything, security shouldn't be a question. Security is one of the main aspects of all projects from our side, so it would be nice to have more features in the smaller licenses."

    What is our primary use case?

    We mainly use this solution for security reasons. We use it for the complete stack of email security so we don't have to use a third-party tool, and we use the extended security features that are included in M365, like sandboxing.

    The solution is deployed on the Azure cloud. We're a cloud-only company, so we only deploy cloud workloads, but we also have customers with legacy systems. If we're not able to migrate them to Azure, Defender for the server can be deployed on-premise.

    The solution is deployed across Germany in four regions: Munich, Cologne, Bremen, and Hamburg. However, most people work from home.

    There are about 50 endpoint users, but we have customers with thousands of users. We focus on customers with a thousand seats or more.

    We use the entire M365 E5 license for everything that's going on in the M365 world. We try to accomplish everything we need with Microsoft products.

    It was very easy to integrate the solutions. We integrated them so we could have an overall good view of our assets. The installation was fully automated via Intune.

    How has it helped my organization?

    Overall, the solution has decreased our time to detect and respond. If there is any issue, it's not complicated to get the information we need and respond quickly. We offer managed services to some customers, and we have a very clear view of what's going on in their security environments.

    One of our main focuses is IT security. This solution has a huge impact on how we use tools and what we do in IT.

    One of the biggest points is that Defender is included in the license. It's integrated fully into the M365 world. There's no need to have a third party, which is more complex and includes additional costs. Especially because we're partners, it's very good to have 100 free licenses. We're able to distribute all the information to our customers and integrate it into our projects in a very streamlined way.

    We saw all of these benefits instantly. It's different with customers because they are often heterogeneous in the software they use. There's a little bit of explaining and promoting, but it's a huge benefit for most of our customers when they understand that they can have a centralized view of all these security topics. If we are able to deploy the solution to new customers, the benefits are realized in about six months because we have to train them and implement all of the security.

    The solution helps with finding high alerts. I wouldn't say it helps with automation because we are piping the problem into the Jira automation, so our managed service kicks in. I would say that it's half-automated.

    It helps save time when it comes to the operation and receiving information because we don't have to skip around with different products and customer situations.

    This solution enabled our security operations. The legacy approach, in which the tools are in place and someone occasionally checks them, is not secure as it's meant to be today. 

    It eliminates the need to look at multiple dashboards and gives us one XDR dashboard. The consolidated dashboard helps our customers get a faster view, which wasn't possible with the former solution.

    The solution's threat intelligence helps us prepare for potential threats before they hit and to take proactive steps. Our security team is able to work well with it, and a lot of information is getting to our internal users. We distribute everything we learn to our customers.

    Sentinel enables us to ingest data from our entire ecosystem because we're cloud-only, so there is no other architecture to monitor.

    I would say the logging and analyzers are about 80% of our security operations. The ability to have a clear view of the security information is a big win. For legacy implementations, it's normal to have the security installed but not be able to monitor, detect anything, or get the information to the right people.

    For the most part, Sentinel enables us to investigate threats and respond holistically from one place. Today, there are different views, different websites, and different portals to use in order to drill down and get to the real problem. It's a good starting point.

    What is most valuable?

    I like the easy integration and advanced possibilities. We can implement it at customer sites in a few clicks, but we can also dive deep and drill down to extended features. There's a very good starting point to get into this product and all the features from Defender. We use Plan 1 for email security because it's a common vector for phishing and attacks. The Plan 2 version goes more into advanced features and logging, which we also use for our internal security operations center.

    The solutions work natively together to deliver coordinated detection and response across our environment by about 80%. There should be something to get a consolidated view, which doesn't exist at the moment. We have a known tool in place to consolidate all the information into one view for us. That would be a perfect function to have in the future.

    I have more than 15 years of experience in IT security, so I have a very good understanding of the tools we need for a use case. I think the documentation helps us and all of our customers comprehend the product. For cloud products, it's normal that something new today is almost outdated tomorrow. Company-wide, we have a very good view of all these products, and we're very firm in deploying them.

    What needs improvement?

    I would like more of the features in Defender for 365 to be included in the smaller licenses. Even if I buy a small license and don't need everything, security shouldn't be a question. Security is one of the main aspects of all projects from our side, so it would be nice to have more features in the smaller licenses.

    I would also like a more aesthetically pleasing dashboard. For German customers, it's important that the solution is in German. Multi-language support should be in all the features if possible. In many projects, we want to use digital signatures on emails. It would be perfect to have better integration of digital signing in a standard way.

    In the last few months, the dashboard changed very often. When they restructure it, it's a little bit painful. Otherwise, the technology is very helpful.

    The visibility into threats could be better. For the last six months, getting information from the access points has been difficult. However, the newest version fits very well. It's easy if you've found the right spot to view what's happening.

    For legacy organizations or legacy customers, I would say it's possible to save time, but time-saving isn't always the best with security because it needs to be deployed and managed.

    It can be installed quickly, but it takes time to check out false positives, have everything in place, and train each end user.

    For how long have I used the solution?

    We have been using this solution for five years since our company started. The solution had a different name, but we have been using it since it's been available. We use company-wide E5 licenses.

    What do I think about the stability of the solution?

    The solution is stable.

    What do I think about the scalability of the solution?

    We haven't had any scalability problems.

    How are customer service and support?

    I haven't had a lot of contact with technical support.

    Which solution did I use previously and why did I switch?

    For my personal project, I used many other legacy projects, but not at my company. We aren't selling anything other than the new Microsoft solution at the moment.

    How was the initial setup?

    The solution doesn't require any maintenance.

    What was our ROI?

    We have seen ROI in project situations because we removed legacy email gateways and legacy antivirus on-premise solutions.

    What's my experience with pricing, setup cost, and licensing?

    I would like to have more security features in the lower licenses because not every customer is able to buy E5 licenses. The bundling isn't always easy for our customers to understand. Compared to other tools, it's a good price.

    What other advice do I have?

    I would rate this solution as eight out of ten. 

    My advice to those who are looking to implement this solution is to get help from the right company so you can use the solution properly.

    Defender helps us prioritize threats, but I would say it's a combination of all the information that we're getting from the internet and from other resources.

    To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor security suite, I would say that it depends on the customer. If someone has their own VSOCK implemented and many security guys on board, then maybe best-of-breed is what they need. 

    If someone is a classic customer who doesn't know a lot about security, then they should stick to a one-vendor strategy.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    SysAdmin Engineer at FileVine, LLC
    Real User
    Features a straightforward and user-friendly interface, excellent visibility into threats, and integration with other Microsoft security products
    Pros and Cons
    • "The Endpoint Manager is incredible; it has a very straightforward interface and is exceedingly easy to use. Pulling out and deploying different tags or resources is a simple task across various departments with different levels of security. The notifications are also simple and satisfying; it's great to see the bubble informing us which devices are compliant and which are waiting to update."
    • "Correctly updated records are the most significant area for improvement. There have been times when we were notified of a required fix; we would carry out the fix and confirm it but still get the same notification a week later. This seems to be a delay in records being updated and leads to false reporting, which is something that needs to be fixed."

    What is our primary use case?

    At FileVine, we provide case management software for attorneys, so we have considerable SOC 2 compliance requirements. We need more than a firewall; we also need a solution that helps us upkeep and manage devices, laptops, etc. 365 Defender fulfills these requirements, and SOC 2 compliance is our primary use case.

    We're a hybrid company using both Macs and Dells, deployed across multiple regions.

    How has it helped my organization?

    The solution helps us improve compliance regarding end users installing updates. It clarifies which users need to update and how they can go into Terminal or PowerShell to perform that process. We don't have to waste time looking for what needs to be done, which is a useful functionality. The product automatically informs us of high and low priorities, which is great; it allows us to deal with the most significant priorities first.

    365 Defender helps us automate routine tasks, and we get updated daily. We can integrate Splunk to see what's going on and what needs to be updated. Automation significantly impacts our security operations; it feels like we have a vault around us that nobody can breach.  

    What is most valuable?

    The Endpoint Manager is incredible; it has a very straightforward interface and is exceedingly easy to use. Pulling out and deploying different tags or resources is a simple task across various departments with different levels of security. The notifications are also simple and satisfying; it's great to see the bubble informing us which devices are compliant and which are waiting to update.

    The visibility into threats provided by the solution is excellent. When a threat triggers a response based on our set rules, it's stopped, and we are notified via email. We can then analyze the threat and make a decision; this entire process is straightforward and user-friendly. 

    The product helps us prioritize threats across the enterprise, especially in the legal domain. It is very valuable, and one of the reasons we have been so successful at Filevine is the security measures we have in place. We use many tools, one of them being Microsoft 365 Defender, which significantly contributes to our IT team and company's success.   

    Our integration of multiple solutions helps to deliver a coordinated detection and response in our environment. We integrate with Zscalar, which is very easy and manageable. We thought it might be difficult, but it works very well. Much like a car, our security system is composed of many moving parts working together, which helps us move forwards as a company and thrive in a relatively challenging economic time. 

    The comprehensiveness of the threat protection provided by using multiple Microsoft security products is excellent. It's a simple system; we have incoming and outgoing traffic rules. When a rule is triggered, we are notified by email to look over the situation. For example, we can see viruses and malicious actors attempting to breach our security and respond by blacklisting the IP address. Sometimes, we gather information and pass it on to the FBI, as we have many SOC 2 clients.

    365 Defender helped eliminate multiple dashboards, which is great because I like to be as minimalistic as possible regarding dashboards. Now, I only have to look at one or two at most, simplifying the security landscape, and I love that about the tool.  

    The solution's threat intelligence helps us prepare for potential threats before they hit; most recently, we were protected from the August 2022 Apple hack. We had measures in place, so none of our devices were affected. We were spared any data compromise, and it's an excellent example of why we invest in security solutions. It builds our confidence and strengthens our case with the higher-ups for increasing and maintaining our cybersecurity budget. 

    The product certainly saves us time. We trust in the protection and can focus on different projects, including automation, so we don't have to spend time dealing with issues and security breaches. I'd say we save four or five hours a week.  

    365 Defender saves us a lot of money because we don't have to recover data or hire outside lawyers to help us with legal trouble. We don't need to invest in physical products or external security teams and solutions. We can keep our security operation within the company, so all our money is invested in people who care about our product and business.  

    The solution quickly notifies us when a threat is detected, increasing our response speed. Other products I used in the past sometimes had significant delays with notifications, which is far from ideal when dealing with potential security threats. 

    What needs improvement?

    Correctly updated records are the most significant area for improvement. There have been times when we were notified of a required fix; we would carry out the fix and confirm it but still get the same notification a week later. This seems to be a delay in records being updated and leads to false reporting, which is something that needs to be fixed.

    For how long have I used the solution?

    I have been using the solution for a few years. 

    What do I think about the stability of the solution?

    The solution is very stable with low latency. 

    What do I think about the scalability of the solution?

    The product is highly scalable, which is fantastic because we have been expanding significantly. It's up and running and good to go very quickly, which has been excellent for our expansion in Florida, New York, Maine, and Canada.

    How are customer service and support?

    I have yet to contact support. One thing that helps in this regard is that I have an AZ-900 handbook with Microsoft fundamentals. 

    Which solution did I use previously and why did I switch?

    365 Defender was already in place when I was brought into the company, but they previously used Jamf Protect. They switched because it cost too much and wasn't fulfilling the requirements. It didn't perform as well as 365.

    How was the initial setup?

    I can't speak to the setup as the solution was in place when I arrived at the company. However, 365 Defender is one of the most lightweight tools we use in terms of maintenance. We keep it up to date, and it works very well.

    What was our ROI?

    I would say the solution gives us a significant ROI, especially considering the issues in the industry recently. Russia and China hacked many companies, but we never had that problem, and that's a lot of money saved for us. That's not entirely because of 365 Defender, but also thanks to our excellent security team and the robust toolset at our disposal to protect our operation.

    What's my experience with pricing, setup cost, and licensing?

    The solution is affordable, and we haven't been hit with any hidden costs. The subscription model is straightforward, and it's easy to understand how much additional features cost. If we need to cancel a license or feature, we do that well in advance to avoid being charged for it, but overall, the pricing and licensing are simple and easy.

    What other advice do I have?

    I would rate the solution an eight out of ten. 

    We use multiple Microsoft security products, including Defender for Endpoint, MFA as a standard on all work laptops and computers, and Endpoint Manager. We use additional tools to protect the Mac side of our operation. We use Microsoft Intune, some other MDMs, and some other assets from Defender for Cloud, and for cloud security, we use GCP, Azure, and AWS. 

    Many of these products are integrated, and the integration was relatively straightforward. It was somewhat time-consuming as we previously used Jamf Protect for a long time, so switching our entire infrastructure over to the new products took some time.   

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Deputy Director of Infrastructures and IT Services at a government with 10,001+ employees
    Real User
    Integration with other Microsoft products has eliminated the need for multiple dashboards
    Pros and Cons
    • "The most valuable feature of all is the full integration with the rest of the software in the operating system and Office 365, as well as Microsoft SCCM. It is quite easy for us to work with the whole instance of Microsoft products. This integration improves the benefits of the whole suite of products."
    • "I'd like to see a wider solution that includes not only desktop devices but also other devices, such as servers, storage cabinets, switching equipment, et cetera."

    What is our primary use case?

    I am the head of IT of the police force in the Madrid municipality. I have deployed the product to all 6,000 policemen and police women here and we are trying to protect all our devices with it.

    How has it helped my organization?

    It has helped eliminate having to look at multiple dashboards. This is a part of the benefit of the integration. It's quite helpful to receive information and data that is correlated with other information, in the form of a graph or chart. It's a good added value. We are provided with consolidated information, which is very valuable for making decisions and moving forward in improving our devices and our security.

    It's very well known by all our technicians and it has helped to decrease the time to detection and response.

    And while I can't demonstrate it with metrics, my intuition is that we have saved money. Because we are a very large organization, we have very large needs in IT systems. Perhaps the best thing we did, years before, was to have everything, all applications and the operating system, come from Microsoft. Perhaps that means potential money savings.

    What is most valuable?

    The most valuable feature of all is the full integration with the rest of the software in the operating system and Office 365, as well as Microsoft SCCM. It is quite easy for us to work with the whole instance of Microsoft products. This integration improves the benefits of the whole suite of products. Even the desktop devices seem more productive by having all these products integrated. That's the best advantage.

    What needs improvement?

    I'd like to see a wider solution that includes not only desktop devices but also other devices, such as servers, storage cabinets, switching equipment, et cetera. That is where they should put in more effort. I don't have a global risk solution coming from Microsoft, one that could help me in all these different IT areas.

    For how long have I used the solution?

    I have been using Microsoft 365 Defender for about two years.

    What do I think about the stability of the solution?

    I would rate its stability at seven or eight out of 10. It's quite good. Up until today, we haven't had any big problems with the solution. I'm quite comfortable with it.

    What do I think about the scalability of the solution?

    The solution is deployed to more than 25,000 in the municipality, but my responsibility is only over 6,000 people in the police corps.

    How are customer service and support?

    Microsoft provides quite good support across their different areas of activity. The people attending to your requests are quite professional. They take care of your requests and respond to your needs. They try to help you. The documentation is not the best in the world, but it's quite sufficient for our needs.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    Years ago we had solutions from other companies, such as Trend Micro for the desktop devices, and Trend Micro and Sophos for servers.

    We used to work in different ways. Some people were in the office with desktop devices, but most of our people work outside with mobile devices. The latter group is at much more risk and we wanted to protect all these devices from potential damage and risks.

    The switch was a company decision made by higher management within the municipality. We started to work with Microsoft Office 365 years ago, and then a decision came down imposing the use of Microsoft 365. I feel comfortable with the decision, but I know inside our organization that we've had plenty of problems deploying all facilities given by M365.

    How was the initial setup?

    I'm not aware of having more or fewer problems with this product than the ones we had before, when it comes to deployment or interfaces. It's quite standard and the deployment was quite easy, but it was equally easy to deploy all the products years ago.

    It has been easy to integrate with the rest of our devices and software. In addition, there was no impact on the user experience. The solution is transparent. The users may not even know of the existence of this product. There was no problem deploying and starting to use Microsoft 365 Defender. We have some other products, beyond the desktop level, that work in a coordinated way Defender.

    The deployment took a few months, but we needed at least a year to stabilize our organization. The first days were awful because people couldn't understand the change in mentality required to work with this paradigm of software. During the first year, we had to cope with plenty of incidents and problems. Having passed the one-year mark since we deployed, we have started to see some of the benefits.

    I generally use an "onion" deployment methodology. I start deploying new solutions in desktops that are quite close to my area of activity in the IT department. We implement, let's say, 50 to 100 desktops per day and we wait for a week to see if everything is okay and whether there are incidents. Once we are assured everything is fine, we implement by regional police units in different locations.

    We had 10 to 12 operations technicians involved in the deployment.

    Every software solution requires maintenance. In this case, there isn't a lot of maintenance. We have to keep an eye on the status of the solution every day. That process involves two or three people.

    What's my experience with pricing, setup cost, and licensing?

    As most software companies have done during the last few years, they have moved from a licensing model to pay-per-use. It was difficult to understand and accept this change. When we had to accept that model, it had a great risk for companies like ours that always have to cope with annual budgets. The question is: What happens if, for any reason, there's not enough budget to accept this model? That could be a great problem.

    Which other solutions did I evaluate?

    There was a possibility of continuing with the solutions we had been working with.

    But we cannot compare them because the other solutions were built eight years ago. Technology has changed so much.

    What other advice do I have?

    Fortunately, we haven't had the chance to see if the solution's threat intelligence helps prepare us for potential threats before they hit. But I'm quite sure that it's working together with other tools to help us to stop potential breaches and risks.

    Give this product a chance. Is it the best in the market? I don't know. Is it the worst? I don't know. But what is quite good is the integration with the rest of Microsoft's software products. That's the added value.

    Try it, prove it, and see how it integrates. It depends on the situation. If a colleague is using Linux in their data center and desktops, of course, I wouldn't recommend this solution. But here in Spain, most companies have Microsoft products.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Download our free Microsoft 365 Defender Report and get advice and tips from experienced pros sharing their opinions.
    Updated: March 2023
    Buyer's Guide
    Download our free Microsoft 365 Defender Report and get advice and tips from experienced pros sharing their opinions.