Microsoft Defender for Cloud Overview

Microsoft Defender for Cloud is the #1 ranked solution in top Compliance Management tools, #2 ranked solution in Cloud Workload Protection Platforms, #2 ranked solution in top Cloud Security Posture Management (CSPM) tools, #2 ranked solution in top Cloud-Native Application Protection Platforms (CNAPP) tools, #4 ranked solution in XDR Security products, and #5 ranked solution in top Microsoft Security Suite tools. PeerSpot users give Microsoft Defender for Cloud an average rating of 8.2 out of 10. Microsoft Defender for Cloud is most commonly compared to Microsoft 365 Defender: Microsoft Defender for Cloud vs Microsoft 365 Defender. Microsoft Defender for Cloud is popular among the large enterprise segment, accounting for 67% of users researching this solution on PeerSpot. The top industry researching this solution is professionals from a computer software company, accounting for 18% of all views.
Microsoft Defender for Cloud Buyer's Guide

Download the Microsoft Defender for Cloud Buyer's Guide including reviews and more. Updated: May 2023

What is Microsoft Defender for Cloud?

Microsoft Defender for Cloud protects your Azure and hybrid resources. Microsoft uses a wide variety of physical, infrastructure, and operational controls to help secure Azure—but there are additional actions you need to take to help safeguard your workloads. Turn on Azure Security Center to strengthen your cloud security posture. Within Azure Security Center, use Azure Defender to protect your hybrid cloud workloads. With Azure Security Center, you can:

- Assess and visualize the security state of your resources in Azure, on-premises, and in other clouds with Azure Secure Score

- Simplify enterprise compliance and view your compliance against regulatory requirements

- Protect all your hybrid cloud workloads with Azure Defender, which is integrated with Security Center

- Use AI and automation to cut through false alarms, quickly identify threats, and streamline threat investigation

To learn more about our solution, ask questions, and share feedback, join our Microsoft Security, Compliance and Identity Community.

Microsoft Defender for Cloud was previously known as Microsoft Azure Security Center, Azure Security Center, Microsoft ASC, Azure Defender.

Microsoft Defender for Cloud Customers

Microsoft Defender for Cloud is trusted by companies such as ASOS, Vatenfall, SWC Technology Partners, and more.

Microsoft Defender for Cloud Pricing Advice

What users are saying about Microsoft Defender for Cloud pricing:
  • "It is bundled with our enterprise subscription, which makes it easy to go for it. It is available by default, and there is no extra cost for using the standard features."
  • "Pricing depends on your workload size, but it is very cheap. If you're talking about virtual machines, it is $5 or something for each machine, which is minimal. If you go for some agent-based solution for every virtual machine, then you need to pay the same thing or more than that. For an on-premises solution like this, we were paying around $30 to $50 based on size. With Defender, Microsoft doesn't bother about the size. You pay based on the number of machines. So, if you have 10 virtual machines, and 10 virtual machines are being monitored, you are paying based on that rather than the size of the virtual machine. Thus, you are paying for the number of units rather than paying for the size of your units."
  • "The licensing cost per server is $15 per month."
  • "This solution is more cost-effective than some competing products. My understanding is that it is based on the number of integrations that you have, so if you have fewer subscriptions then you pay less for the service."
  • "They have a free version, but the license for this one isn't too high. It's free to start with, and you're charged for using it beyond 30 days. Some other pieces of Defender are charged based on usage, so you will be charged more for a high volume of transactions. I believe Defender for Cloud is a daily charge based on Azure's App Service Pricing."
  • "Although I am outside of the discussion on budget and costing, I can say that the importance of security provided by this solution is of such importance that whatever the cost is, it is not a factor."
Microsoft Defender for Cloud Reviews

    Associate Principal - Cloud Solutions at Apexon
    Real User
    Top 5 Leaderboard
    Provides good recommendations and makes policy administration easy
    Pros and Cons
    • "It is very intuitive when it comes to policy administration, alerts and notifications, and ease of setting up roles at different hierarchies. It has also been good in terms of the network technology maps. It provides a good overview, but it also depends on the complexity of your network."
    • "For Kubernetes, I was using Azure Kubernetes Service (AKS). To see that whatever is getting deployed into AKS goes through the correct checks and balances in terms of affinities and other similar aspects and follows all the policies, we had to use a product called Stackrox. At a granular level, the built-in policies were good for Kubernetes, but to protect our containers from a coding point of view, we had to use a few other products. For example, from a programming point of view, we were using Checkmarx for static code analysis. For CIS compliance, there are no CIS benchmarks for AKS. So, we had to use other plugins to see that the CIS benchmarks are compliant. There are CIS benchmarks for Kubernetes on AWS and GCP, but there are no CIS benchmarks for AKS. So, Azure Security Center fell short from the regulatory compliance point of view, and we had to use one more product. We ended up with two different dashboards. We had Azure Security Center, and we had Stackrox that had its own dashboard. The operations team and the security team had to look at two dashboards, and they couldn't get an integrated piece. That's a drawback of Azure Security Center. Azure Security Center should provide APIs so that we can integrate its dashboard within other enterprise dashboards, such as the PowerBI dashboard. We couldn't get through these aspects, and we ended up giving Reader security permission to too many people, which was okay to some extent, but when we had to administer the users for the Stackrox portal and Azure Security Center, it became painful."

    What is our primary use case?

    We are primarily using Azure Security Center to bring a level of security into the environment. Before I started to work with this solution, I was a Kubernetes and Azure Cloud architect. I was working for a service provider where I did not get the opportunity to look at how they secured the resources, but in the last one and a half years, I had to get into those aspects because the organization I was working for wanted to introduce Kubernetes into the ecosystem, and the main concern was regarding all the hacking that was going on. For introducing Kubernetes as a platform, all business managers wanted to know if it was secure or how to make it secure. We started to look at Azure Security Center and its capabilities because Azure was their main solution. We also used AWS and GCP to some extent, but predominantly, we had Azure. So, we first took Azure Security Center and started to leverage its features.

    How has it helped my organization?

    Azure gives access to a lot of policies and allows you to group those policies into initiatives. There were about 170 subscriptions spread across sandbox, dev, test, non-prod, and prod environments, which were spread across India, Canada, and the USA. Each geography had its own data resiliency requirements, so these policies had to be applied stringently. For example, if somebody created a virtual machine, it had to be in a specific region, or if someone was storing the data in a database, it had to be only in that region. It could not cross the border. So, we had to first enforce policies at the level where we had to identify where the storage resources were, which network could talk to which network, and who could do what, and then it went on to all levels. Azure provided very good, robust, and built-in policies for each resource, and we had to set some to audit and some to enforce. 

    While setting policies for about 170 subscriptions, we needed to ensure consistency. We needed to apply them consistently across all subscriptions. Azure Security Center helped us in ensuring that we audit certain policies, and we also enforce certain policies. We had set some policies to audit because we wanted to see what's going on, and we had set some policies to enforce because of regulatory purposes or because of the way the entire network and all the systems were designed. We used Azure Security Center as our central place to administer policies. We had to group all the subscriptions into management groups, and there was a hierarchy of groups. We could apply the policies at one specific level, and any subscription that we would create under that group would have the same set of policies. It helped us in getting a bird's-eye view through dashboards. We could see what was happening across the enterprise.

    We started using it for Kubernetes, but it expanded into a wider initiative of more stringent policies across the board. In terms of lift and shift, a lot of people get tempted to go to GCP because it is cheaper, but we were primarily using Microsoft products. So, we started adopting Azure, and we did not pay attention to Azure Security Center at the beginning. When we looked at Azure Security Center for the first time, it had already been three years, and we had done almost 100% lift and shift, but we could recover from any aspect of security. Azure Security Center helped us in recovering from our mistake. If we had worked with it at the start of our journey, it would have been easier, and even though we were looking at it halfway through our journey, it still helped us. I consider it halfway because lift and shift is only one part of the process. You are saving a lot of money, but you are still not cloud-based. The real power of the cloud comes when you start using the platform services, and before starting to use them, we were able to get into a secured environment. Kubernetes was the first platform that we were looking at, and when we were able to secure it, everything else was pretty simple. That's because, with Kubernetes, there is a shared responsibility model where the cloud provider takes care of some of the aspects, and you have to take care of a lot of things. Azure Security Center helps in ensuring that you have taken care of and secured everything.

    What is most valuable?

    Its recommendations are really good. Most of the time, they are appropriate. Azure comes with a lot of default policies that are set to audit only. As the enterprise grew and we started adopting the cloud, initially, we didn't pay much attention to Azure Security Center. For us, Azure Security Center was like an afterthought; it was not planned from day one. In our enterprise journey, when we started looking at it halfway through, we realized that there were so many violations. We started with auditing. We found policies that nobody was using, and then we started enforcing them. It was really good in terms of built-in policies, recommendations, and then applying them across the board with a minimal set of actions.

    It is very intuitive when it comes to policy administration, alerts and notifications, and ease of setting up roles at different hierarchies. It has also been good in terms of the network technology maps. It provides a good overview, but it also depends on the complexity of your network.

    What needs improvement?

    For Kubernetes, I was using Azure Kubernetes Service (AKS). To see that whatever is getting deployed into AKS goes through the correct checks and balances in terms of affinities and other similar aspects and follows all the policies, we had to use a product called Stackrox. At a granular level, the built-in policies were good for Kubernetes, but to protect our containers from a coding point of view, we had to use a few other products. For example, from a programming point of view, we were using Checkmarx for static code analysis. For CIS compliance, there are no CIS benchmarks for AKS. So, we had to use other plugins to see that the CIS benchmarks are compliant. There are CIS benchmarks for Kubernetes on AWS and GCP, but there are no CIS benchmarks for AKS. So, Azure Security Center fell short from the regulatory compliance point of view, and we had to use one more product. We ended up with two different dashboards. We had Azure Security Center, and we had Stackrox that had its own dashboard. The operations team and the security team had to look at two dashboards, and they couldn't get an integrated piece. That's a drawback of Azure Security Center. Azure Security Center should provide APIs so that we can integrate its dashboard within other enterprise dashboards, such as the PowerBI dashboard. We couldn't get through these aspects, and we ended up giving Reader security permission to too many people, which was okay to some extent, but when we had to administer the users for the Stackrox portal and Azure Security Center, it became painful.

    We were also using it for just-in-time access for developer VMs. Many a time, developers need certain administrative privileges to perform some actions, and that's where we had to use just-in-time privileges. Administering them out of Azure Security Center is good, but it also means that you have to give those permissions to lots of people, which is very cumbersome. So, I ended up giving permissions to the entire Ops team, which defeats the purpose and is also not acceptable at a lot of places.

    These were the two use cases where I felt that I really had to get into the depth of Azure Security Center to figure out how I can use it much better.

    For how long have I used the solution?

    I have been working with this solution for the last one and a half years. 

    What do I think about the stability of the solution?

    I didn't find any issues with its stability. When you start using Azure Security Center to look at your on-prem application or resources, you might have issues with monitoring these on-prem resources, but it is not related to the stability or reliability of Azure Security Center. It has nothing to do with Azure Security Center; it is related to how you have configured, what kind of resources you have, and what permissions you have given. 

    Sometimes, the network operations team and security operations team are not in tandem with each other. We had done lift and shift for most of the resources, but there were still some resources that were on-prem. For on-prem resources, people are comfortable with Dynatrace and other similar tools, but they are not really security tools; they come under the observation and monitoring tools. It can be very hard to sell Azure Security Center for something that is on-prem, and because of the corporate silos, someone might not give you access to an on-prem resource. For example, your Oracle Database is still on-prem, and you are systematically strangulating the application and moving it to Cosmos DB or SQL Server on the cloud, but you are not allowed to monitor it. In such situations, Azure Security Center can only report one part of the application, which makes it tough to tell business managers why this application is down, what went wrong, why there is latency, what is the problem, etc. So, more than the product, it has to do with ensuring that the SOC team works with the NOC team and ensures that they have the required access so that they can also observe on-prem resources from the security aspect. Otherwise, you won't know what's happening. You won't know if any hacking is going on, or if somebody is doing SQL injections to the on-prem Oracle Database. You wouldn't have a clue.

    How are customer service and support?

    I'm an architect. I don't deal with the regular operations aspects.

    How was the initial setup?

    There is nothing in terms of the setup. It comes by default. It is only about paying attention to the Azure Security Center in terms of giving correct roles to subscription owners, security administrators, etc. It is only about properly setting up those roles.

    It only required going through the documentation in detail and having a couple of brainstorming sessions. We didn't have to hire any special consultants. We could do it ourselves. We spent a week properly going through the documentation. Having a word with the product managers also helped. Many times, such implementations have more to do with the way organizations are structured in terms of departmental silos. So, it helps to get everybody on board and ensure that everybody has the same understanding. It is related to an organization's culture; it has nothing to do with the product. It is more related to outsiders and insiders and different levels of knowledge and backgrounds, but the product itself is pretty simple to start with.

    What about the implementation team?

    We did it ourselves.

    What's my experience with pricing, setup cost, and licensing?

    It is bundled with our enterprise subscription, which makes it easy to go for it. It is available by default, and there is no extra cost for using the standard features.

    Which other solutions did I evaluate?

    I don't know if any other solution was evaluated. Most probably, we didn't because Azure Security Center is available by default, and there is no extra charge for using the standard features.

    What other advice do I have?

    When you're using such platform services, you've got to be a little bit careful because the products are always getting updated. You need to keep an eye on the product roadmap in terms of what's coming up so that you are not duplicating. That's what we had to do with Stackrox. We discussed with Microsoft's technical support team, and we got a confirmation that they're not going to take care of CIS benchmarks in the near future. It was a little bit disheartening, but at least, we knew upfront that Microsoft is not going to look into this area. They were open and candid about what they were going to do and what they were not going to do. So, we started looking at other products. Microsoft keeps on updating its products to keep them relevant. So, you need to know what they are implementing in the next three months or six months so that you can at least tell the security teams that a certain feature is coming up.

    We didn't have to do it for Azure Security Center, but for Azure Firewall, we had to request certain features, and there are a lot of features that are still pending. For example, if I use Azure Firewall, just-in-time permissions do not work. If VMs are behind Azure Firewall, then through Azure Security Center, I can't give permissions, but if I use the Palo Alto firewall, I can do the same. So, we had to set up our VMs by using the Palo Alto firewall. Sometimes, Microsoft does strange things, and they don't talk to the Azure Firewall team. After one and a half years of asking for that feature, it is still a no-go. We want to use Azure Firewall because it is not VM-based. With the Palo Alto firewall, I have to provide one more VM in between and start administering it. So, I have one extra resource that needs to be administered, and it is non-Azure or non-Microsoft.

    When you start enforcing policies across multiple subscriptions, you need to be very careful. You need to pay attention to the notifications that come out. The notification details were where we had to do some customization. We had to prioritize the notifications and then put them into a group mailbox so that instead of one person, a group of teams gets notified. We could write an Azure function around it to integrate with Microsoft Teams. We could push them to the Microsoft Teams channel. It took some amount of effort. It took about a week of tinkering, but we were able to notify the entire development team. As we started auditing and enforcing from our sandbox to the development environment, we started discovering a lot more things. We got formal requests on why we had to disable some policies. We got more specific feedback. When we are able to catch such things early in the life cycle, it becomes easier to protect the higher-level environments properly. It was very good in terms of the dashboard, converting from non-compliance to audit, or enforcing policies across multiple subscriptions. We had to customize the notifications, and it would've been nice if there was a more intuitive way of customizing the notification, but it might also be because of our knowledge level at that time. We could have also integrated it with Slack because it supports integration with Slack, but we predominantly use Microsoft Teams.

    I would advise others to start playing with it. They can start with a sandbox environment. If an enterprise has multiple resources, such as VMs and databases, they should put all of them in different resource groups in a subscription and categorize their resources properly. All resources should be structured properly. Otherwise, it is really difficult to administer policies at the resource level. They have to group them properly so that they are managing resource groups or subscriptions rather than individual resources. So, structuring of the resources is the key to the administration of policies. It took quite some time for us. It was not an easy task. We create Terraform scripts for setting up the entire infrastructure. So, we had to reorganize our Terraform scripts to ensure that the resources were created in appropriate resource groups and communication could happen across resource groups. We had to set up the NSGs properly from the network point of view so that they all were accessible. It took us quite some time, but organizing the resources pays very well when it comes to spinning up the higher-level environments and ensuring that they're compliant or they work.

    I would rate it an eight out of 10.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Global Cloud Security Architect at a consumer goods company with 5,001-10,000 employees
    Real User
    Improves security posture, offers real-time assessments, and has great compliance policy features
    Pros and Cons
    • "One of the features that I like about the solution is it is both a hybrid cloud and also multi-cloud. We never know what company we're going to buy, and therefore we are ready to go. If they have GCP or AWS, we have support for that as well. It offers a single-panel blast across multiple clouds."
    • "Azure is a complex solution. You have so many moving parts."

    What is our primary use case?

    It is our main solution for our Azure cloud infrastructure. We do about 1.1 million dollars in cloud spending every year. It's a quite big infrastructure and pretty much our main system, and we are planning on integrating with Microsoft Sentinel, which is going to be our SIEM solution. Right now we don't use a Microsoft solution, however, Microsoft Sentinel is very complete and we're excited to dive into a POC. Right after I joined the company, that was one of the first things that I advised them to do and a couple of weeks later, we caught at least two big vulnerabilities that could have caused a catastrophic problem for our business. That's a true testament to the power of the tool.

    How has it helped my organization?

    The solution has improved how our organization functions. For example, the security score is the biggest improvement, as it's a compilation of all the results. That's where we have been doing established goals. When I joined the company and when we first implemented the product our secure score was about 35%. We are now sitting at 71%.

    That gives us a clear direction as that's the most difficult issue. Azure is a complex solution. You have so many moving parts. If you say "I want to improve my security posture," it's hard to know where to start. That metric's going to give you an idea. You're going to take a look at your identity and access management strategy. You go there and you fix those issues.

    Once that's done, you can take a look at your malware protection, so you see all the machines. You have the ability with this product. All of these actions compile percentages on a score and they drive up the score. That way, you know how good you're actually doing and how you can continue to progress.

    What is most valuable?

    We do a lot of mergers and acquisitions. One of the features that I like about the solution is it is both a hybrid cloud and also multi-cloud. We never know what company we're going to buy, and therefore we are ready to go. If they have GCP or AWS, we have support for that as well. It offers a single-panel blast across multiple clouds.

    The most valuable aspect of the solution is visibility. You truly have visibility. That’s the first thing that you're going to have in the cloud.

    The solution’s capabilities of assessment and real-time assessment is another big thing for us. In terms of remediation and capabilities, most of the time, I even have a quick fix, a quick button that I click and they're going to fix it for me, where they are going to provide me with everything that I need to do to fix that.

    The main thing that I like about the tool is that Microsoft collects trillions of data points across their cloud and they leverage that threat intelligence to teach the machine learning AI-driven models to assess for security. We can even see across the cloud, and it’s so much better than going with a third-party product, where you don't have that advantage.

    The solution has features that have helped improve our security posture. The security score is one of the biggest pluses. They do have a series of metrics that combine into a security posture score. Netsecure started giving me a good snapshot of where we are when it comes to security posture, and then we can drill down.

    If you click on your secure score, you are going to be able to see why you have that calculated score. They have very good documentation surrounding how, for example, if you have 74%, why you do. You are going to be able to drill down and see where your weaknesses are and then you can address those items directly.

    The compliance policy feature is great. They do offer support, such as PCIS. You have access and they can compare to your security posture and they can give you your score based on that, for example, how compliant you are with those tenders. That's another great aspect of the tool as well. That's all visual and on a dashboard.

    The solution positively affected our end-user experience, however, not in any shape or even form that they can notice. They're getting all the benefits from it in the background. For example, security alerts are one of the main values about the users that I like. You have access to security alerts and those security alerts are giving you a real-time type of reading on how you are doing when it comes to threats. If there's something that can affect a user negatively, you have access to fix it before it becomes an issue. Therefore, while it has affected them positively, they never had to change anything that they're doing.

    What needs improvement?

    In the past, when you wanted to compile a list of resources affected by a vulnerability, it was kind of hard to do that. You had to use the graphic interface and write some queries for you to get that information from the Microsoft Graph API. Right now, with Microsoft Cloud Defender, they actually have that and you have access to that. Therefore, for me, it's pretty much a problem that has been solved. That was pretty much the only thing that I thought we could use. Then, yesterday, I saw that they included it. Therefore, as of now, I don't have any big issues with the product.

    In the beginning, the score was shown using a points system. Now they made it into percentages, which is way better. It's hard to show you your C-level points. It required some explanation. For example, if you show them 2000 points, they're going to ask, "Okay, is this bad or good?" If you show them 75%, on the other hand, that they can understand. That's another thing that they made better as well.

    For how long have I used the solution?

    Within this company, I've used the solution for about 10 months. I was also using the solution with my previous company for around a year and a half.

    What do I think about the stability of the solution?

    The product is pretty stable. The only thing that you've got to remember is that it takes some time. Some of the variabilities, for example, the remediation processes, when you apply them, it takes a bit. The remediation in order to count it has got to run the vulnerability assessment agent. Sometimes it takes a couple of hours for some resources. That said, it's pretty stable. I've never had any problems. It runs very well.

    What do I think about the scalability of the solution?

    The scalability potential is one of the biggest aspects that I like, as it works with Microsoft, as an Azure back lane. As you add more subscriptions, all you have to do is just go and enable Azure Defender - in this case now, Azure Defender for all the consumer subscriptions that I have. That's it. It's free scale. It scales out very, very well. You don't have to do anything and you don't have to install anything on the Azure portal - it's already there. That said, you do have to deploy vulnerability agents, however, Azure does that for you due to the fact that the VMs are already being managed by Azure. You have all the security in place. It will deploy the agents and it's going to be seamless. You don't have any downtime either.

    Right now, we have about 7,000 users. It's quite a good number, however, we are growing. We're adding companies every month. We're adding tons of companies and plan to expand usage as we grow.

    How are customer service and support?

    I've been working with Microsoft technical support for more than 15 years. We have really good support, always. We do have an enterprise agreement with Microsoft, which makes support very easy. If you have Azure, you probably have an enterprise type of support. Every single interaction that I have had with them was pleasant. They were very, very precise and effective. We've had no problems.

    Which solution did I use previously and why did I switch?

    We never had a different cloud solution. For us, choosing this solution right off the bat was a no-brainer.

    How was the initial setup?

    The initial setup is very straightforward. It comes with the free version. It's out-of-the-box and already enabled for users for the most part. It gives you just a little bit of visibility, so you have to go with the paid version and the cost is not that bad. 

    It's pretty much diluted into your Azure bill. It is totally worth the price. You basically go to the portal and choose the option and just enable online subscriptions and give it some time so that it can gain visibility. After that, it's going to deploy the agents. It takes 24 to 48 hours. After that, you're going to have tons of visibility and data coming back. It's pretty straightforward, very simple to set up. For me to roll out was about an hour tops.

    You do not need a big maintenance team. I'm an architect and I'm also a very hands-on type of engineer. In most cases, I would say it's good to have at least two people, especially if you have a global infrastructure. That way, you can have people in different time zones, such as Central European time, for example, and US Eastern time. For most aspects you have auto-remediation and you have automation that you can implement, which is great. I would say that two people would be ideal to manage the solution, especially for the remediation process. With the remediation process, you can engage other people from other teams, as you're going to have to talk to the operations guys to say, "Guys, you've got to fix this, this is a liability." Therefore, two people dedicated to Azure would do it. It doesn't need to be dedicated to security, to Defender in this case.

    What was our ROI?

    I was reading some studies that the ROI is 200%. It's really good, due to the risk prevention and threat remediation processes.

    What's my experience with pricing, setup cost, and licensing?

    I like the licensing due to the fact that it's simple. In terms of pricing, there's a very good ROI. The ROI is pretty great, and everything is diluted into your overall Azure costs. It's not a product that you buy, it's a contract. If you want to stop using it, you can stop. It's an on-demand type of product. I like that as well. 

    It's very cost-effective if you compare it to other products, especially if you want to combine other features from a licensing standpoint. You're going to spend a lot of money if you try to implement various other options.

    Which other solutions did I evaluate?

    We do have some security, other security that is still in place. For example, we work with CrowdStrike. We work with a team solution. We have another team solution, which is not an apples-to-apples comparison. What Azure center does is very specific. It's very large. For us to do the same thing with any other security solutions out there, would mean we're going to spend a lot of money. Azure does not have competition per se. You would have to onboard tons of other products to do the same thing that they do. It's also simpler than the other solutions. The orchestration features that you have access to are great. It doesn't make a lot of sense to combine several other solutions and try to protect all your resources.

    What other advice do I have?

    I am just a customer and an end-user.

    I'm using the latest version of the solution, which is now the Microsoft Cloud Defender. They just changed the name of the product. They combined Azure Security Center and Azure Defender into Microsoft Cloud Defender and that's the version that I'm using.

    For now, we are cloud-only, however, we have plans to enroll our on-prem devices as well, including servers, especially through Azure Arc, and we are also looking at Azure Sentinel. We are going to have a complete ecosystem, similar to a Microsoft XDR, truly for our Cloud environments.

    I was working with Sentinel in the past with my previous company, however, I was not able to fully roll out the product. Here, we're planning on having a Microsoft partner that's going to help us to onboard our Azure infrastructure and Sentinel, however, we are going to be enrolling a POC first.

    I would advise other potential users that they need this, absolutely. If they have Azure, they need this. It's going to give them the visibility and the remediation capabilities that they're looking for and it's going to make them aware of issues that they are not even seeing. 

    If a company has resources exposed to the outside, chances are that people are trying to get in. I'm catching people every single day trying to get in. It's really amazing what you see when you have visibility. Businesses that bring this on really need to involve the team. It's got to be a team project. Everybody's got to be playing on the same team. That way, a company can make sure they have effective implementation.

    I would say, a company has got to watch very carefully the recommendations and the security alerts, especially recommendations, which is pretty much what's going to drive the score up and increase the positive security posture.

    The alerts are going to give them real-time insight, like a temperature reading on security, including what's happening, who's trying to get in, who reports or attacks you and weren't successful, and how many times did they try? What kind of accounts did they use? Recommendations are going to help you look for activity and the security alerts are going to help you with the reactivity. You can react to events that are happening, however, you can't remediate issues that haven't happened yet. 

    Overall, I would rate the solution at a ten out of ten. I'm a big fan. It makes my life way easier and gives me some peace of mind so I can sleep at night better.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
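The reviewer above enables Defender per subscription and then waits for visibility to come back. A practical check before that wait is whether every plan you expect to pay for is actually on the Standard tier. The following is an added example, not code from the review or from Microsoft: it reads the JSON that `az security pricing list -o json` returns (the sample below is constructed and trimmed to the two fields the script uses), lists the plans that are not on the Standard tier, and prints the `az security pricing create` commands that would turn them on. The set of required plans is an assumption for the example; tune it to the workloads in your subscription.

```python
"""Check which Defender for Cloud plans are still on the Free tier.

Added example, not code from the review or from Microsoft. It reads the JSON
that `az security pricing list -o json` returns, lists the plans that are not
on the Standard tier, and prints the `az security pricing create` commands
that would turn them on for the current subscription.
"""
import json

# Constructed sample in the shape of `az security pricing list -o json`
# (only `name` and `pricingTier` are read; the real output carries more fields).
SAMPLE_PRICING_JSON = """
{
  "value": [
    {"name": "VirtualMachines", "pricingTier": "Standard"},
    {"name": "SqlServers",      "pricingTier": "Free"},
    {"name": "AppServices",     "pricingTier": "Free"},
    {"name": "StorageAccounts", "pricingTier": "Standard"},
    {"name": "KeyVaults",       "pricingTier": "Free"},
    {"name": "Containers",      "pricingTier": "Standard"}
  ]
}
"""

# Baseline for the example (an assumption): the plans that should be paid-tier
# for a subscription that runs VMs, SQL, web apps, storage, Key Vault and AKS.
REQUIRED_PLANS = frozenset({
    "VirtualMachines", "SqlServers", "AppServices",
    "StorageAccounts", "KeyVaults", "Containers",
})


def load_plans(pricing_json):
    """Map plan name -> pricing tier from the CLI output."""
    data = json.loads(pricing_json)
    return {p["name"]: p["pricingTier"] for p in data.get("value", [])}


def find_gaps(plans, required=REQUIRED_PLANS):
    """Required plans that are missing from the output or not on Standard, sorted.
    A plan absent from the output is treated as Free (never enabled)."""
    return sorted(name for name in required
                  if plans.get(name, "Free").lower() != "standard")


def remediation_commands(gaps):
    """One `az security pricing create` call per plan to enable."""
    return [f"az security pricing create --name {name} --tier Standard"
            for name in gaps]


if __name__ == "__main__":
    gaps = find_gaps(load_plans(SAMPLE_PRICING_JSON))
    if not gaps:
        print("all required Defender plans are on the Standard tier")
    for cmd in remediation_commands(gaps):
        print(cmd)
```

Against a live tenant, run `az security pricing list -o json` once per subscription (looping over `az account list`) and feed each output to `load_plans`; the printed commands are the remediation, so review the cost of each plan before running them.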
    Senior Cloud Solutions Architect at a tech services company with 11-50 employees
    MSP
    Top 20
    The portal provides you auditing and logging capabilities
    Pros and Cons
    • "When you have commissioned Defender, you have these things visible already on your dashboard. This gives the efficiency to the people to do their actual work rather than bothering about the email, sorting out the email, or looking at it through an ITSM solution, where they have to look at the description and use cases. Efficiency increases with this optimized, ready-made solution since you don't need to invest in something externally. You can start using the dashboard and auditing capability provided from day one. Thus, you have fewer costs with a more optimized, easier-to-use solution, providing operational efficiency for your team."
    • "The solution could extend its capabilities to other cloud providers. Right now, if you want to monitor a virtual machine on another cloud, you can do that. However, this cannot be done with other cloud platform services. I hope once that is available then Defender for Cloud will be a unified solution for all cloud platform services."

    What is our primary use case?

    Defender for Cloud is a unified platform. Within that, you have Defender for virtual machines, Defender for Servers, Defender for App Services, and Defender for Containers. It is a centralized solution, which you can leverage to bring your security practices in place so centralized security auditing can be done. 

    You can use it for approximately 90% to 95% of Azure workloads for infrastructure, platform as a service, or database as a service. You can use it for all these.

    I am working for a service-based company. We provide Azure Cloud Services. We are a Gold-Certified partner from Microsoft in the GCC region. We are the only ones for whom Microsoft hands over their business. 

    We mostly use it for public cloud, but it can also be used with hybrid cloud and on-premises. We also use private clouds with government entities.

    We have had many customers where we deployed this solution. They are secured and guarded by this solution, so they are happy now.

    It can be done as a multi-regional deployment.

    How has it helped my organization?

    It can be used to secure GCP, AWS, and your on-premises infrastructure. You need a security solution like Defender to secure any type of workload. Your workload may consist of infrastructure, platform, database, or anything in between those. Obviously, you want it to be secure from day one. When you start from anything on the cloud, you want it secured right away. If it is not secured, then you are at risk of a data breach. There are many security issues, which is why it is important to secure your application infrastructure from day one. This is 100% important.

    Most customers have an on-premises ITSM solution. If they want P1 or P2 tickets to be initiated, then within Defender for Cloud, it will trigger the ticket or invoke the ITSM solution. Also, they can use SMS- or email-based ticketing. If they don't have anything, then they can utilize the dashboard provided by Defender for Cloud and get everything from one place.

    If you don't have this solution, then you will be analyzing things with some sort of algorithm or writing some code, then your team will be monitoring emails or some kind of logs every day. When you have commissioned Defender, you have these things visible already on your dashboard. This gives the efficiency to the people to do their actual work rather than bothering about the email, sorting out the email, or looking at it through an ITSM solution, where they have to look at the description and use cases. Efficiency increases with this optimized, ready-made solution since you don't need to invest in something externally. You can start using the dashboard and auditing capability provided from day one. Thus, you have fewer costs with a more optimized, easier-to-use solution, providing operational efficiency for your team.

    Within a SOC team, you monitor tickets and emails, but you cannot automate them unless your company bought some solutions. In the case of Defender, a solution is already provided. You just need to extend it per your needs.

    What is most valuable?

    All of the features are valuable. When you are designing a solution, you are designing not only the infrastructure but designing the application solution and database. On top of that, you are designing the connectivity solution. Defender takes care of all kinds of security, starting from infrastructure to platform to database. All of them are useful, depending on the workload of different clients. 

    I work at a service-based company. We use this for almost all our customers. Usually, it will be on your infrastructure, which is a virtual machine and needs an antivirus solution. Then, if you have a platform as a service, you would need OWASP 10 security. All of these are given.

    When you commission Defender for Cloud, it provides a portal. The portal has auditing and tracing capabilities. If you want to secure your virtual machines, then you can enable the RDP port by default, if you don't have a security solution. Now, when you are using Defender for Cloud, you can access the machine on an ad-hoc basis through Defender for Server, where you are securing your application. Then, even if someone gets into your account, they still cannot enable RDP. 

    The portal provides you with auditing and logging capabilities. Along with that, there is a machine learning algorithm. You can even have your own workbook, where you can write in Python, then you can bring it into Defender for Cloud where you can do the injection, verification, and blocking of IPs. 

    It offers a ready-made solution. In addition, you can enable a customized workbook, which will secure your application. Therefore, you are provided a portal, customer facility, and in-built security from day one and can start using it.

    Microsoft works day in, and day out to look for new vulnerabilities happening in the market, which cannot be resolved with human intervention. Every day, they keep searching for vulnerability signatures in the market, then adding those. They automatically get built into Defender for Cloud. For example, there are some vulnerabilities that have been going around. If you are on-premises, then you need to download the signatures out there, then your antivirus software should be capable enough to identify them. With the Microsoft platform, the signature is already provided from Microsoft, i.e., Datastore. This is by default enabled as soon as Microsoft figures it out. This is the first thing that it provides.

    What needs improvement?

    The solution could extend its capabilities to other cloud providers. Right now, if you want to monitor a virtual machine on another cloud, you can do that. However, this cannot be done with other cloud platform services. I hope once that is available then Defender for Cloud will be a unified solution for all cloud platform services.

    For how long have I used the solution?

    I have been using it for more than three years.

    What do I think about the stability of the solution?

    The maintenance part is taken care of by Microsoft. The platform's responsibility lies with Microsoft, not with the customer.

    Stability-wise, it is stable.

    What do I think about the scalability of the solution?

    It can be extended to multiple regions as well as to on-premises.

    How are customer service and support?

    When upgrading the solution, by default, no technical support is required. If it is required, it will then depend on your SLA, i.e., what kind of agreement you have. You may have an eContract, CSP, open agreement, or a normal one by default. Microsoft uses that SLA to deliver the solution at a particular time. 

    I would rate the technical support as 6.5 out of 10. In general, you don't need to reach out to Microsoft's support.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    Before Defender for Cloud, the solution was on-premises or some kind of third-party managed solution that we bought from the Azure portal. This integration had issues because you needed to go through the VPN tunnel, look for your solution, raise a ticket, and then have your teams look at the logs and ticket. If you had some networking issues or a major security issue, your ticket would not be raised.

    There have been a couple of customers who start on their own with their own tenants. Then, at a certain time, they figure out that something wrong has happened, e.g., a hacking issue or a security breach. They then come to us through Microsoft because their security appliances and security practices are not proper, asking us, "Can you please help us to secure them?" 

    The first step is to start securing their virtual machine. So, you enable Defender for Cloud. From the first instance, all their workloads are automatically added and enabled by default. So, if a customer is not secured enough when they go for Defender for Cloud, then it will automatically enable all kinds of security practices for them. Anyone can enable it. You can have Defender as the front face security for your cloud. Because of this, all our clients are secure.

    How was the initial setup?

    This is a cloud service. It is provided as a platform as a service. So, it is not infrastructure or something which you deploy. No configuration is required by default.

    Azure Sentinel is a SIEM solution. Within the SIEM solution, you get logs. On top of that, you receive some kind of tracing. You then have your runbook. So, the integration is very easy. It is just click, click, and click. You can integrate it within five seconds. Azure Sentinel also takes care of Defender. This means that when you go into Azure Sentinel, you say, "I want Azure Sentinel to have whatever logs you have in Defender." Whatever workload is secure, you want to have the auditing part of that in Azure Sentinel, then you want to trigger or invoke something. Therefore, it just takes five to 10 seconds with three clicks, then it is enabled for you.

    The external integration component has been provided. You have a ready-made appliance where you download the appliance and install it onto that particular machine, then it will start monitoring your virtual machine. This is easier on the Azure side to integrate. With on-premises, you need to download something called Agent. You download and execute that, then everything is connected. You just provide the security token already shown on your portal, then you integrate.

    What was our ROI?

    We have seen a 50% reduction in costs.

    What's my experience with pricing, setup cost, and licensing?

    It is a ready-made solution that you just start using from the day one until whenever you want to use it, paying as you go. Or, you can do either a one-year or three-year RI.

    Pricing depends on your workload size, but it is very cheap. If you're talking about virtual machines, it is $5 or something for each machine, which is minimal. If you go for some agent-based solution for every virtual machine, then you need to pay the same thing or more than that. For an on-premises solution like this, we were paying around $30 to $50 based on size. With Defender, Microsoft doesn't bother about the size. You pay based on the number of machines. So, if you have 10 virtual machines, and 10 virtual machines are being monitored, you are paying based on that rather than the size of the virtual machine. Thus, you are paying for the number of units rather than paying for the size of your units.

    In case you want your own signatures built in, you have the workbook, where you can enable it to couple with your Defender solution. It will start analyzing your specific algorithm or signature. If there is data specific to your organization, or your developer knows something that no one else knows and you want to restrict that, you have a free hand to customize it, and a standard way is already provided. Every day, you will get a security update by default. You don't need to bother doing it manually. This has already been given to you free of cost. There are no costs other than the Microsoft workload itself.

    Which other solutions did I evaluate?

    If you have the solution with Microsoft Azure, then you will not need to look at other products. For on-premises, we were also using F5.

    What other advice do I have?

    When you are designing the solution, you should activate the solution from day one.

    I would rate this solution as 8.5 out of 10.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
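The review above describes the first thing Defender flags on a fresh VM: RDP reachable from outside, which Defender for Servers then closes or gates behind just-in-time access. The following is an added example, not code from the review or from Microsoft, that re-implements a simplified form of that check over the `securityRules` of a network security group. It walks the inbound rules in priority order, so a lower-numbered Deny correctly shadows a later Allow, handles port ranges and the `*` protocol, and falls back to the platform's DenyAllInBound default when nothing matches. The NSG below is constructed; the "broad public source" heuristic (wildcards, the Internet tag, or a public network wider than a /24) is an assumption of the example, not Defender's exact logic.

```python
"""Find management ports (SSH/RDP) an NSG leaves reachable from the Internet.

Added example, not code from the review or from Microsoft. It re-implements,
in a simplified form, the check behind Defender's "management ports should be
closed" recommendation: walk the inbound rules in priority order and report
the first rule that decides whether TCP traffic from an arbitrary Internet
address to port 22 or 3389 is allowed.
"""
import ipaddress

# Constructed sample NSG, shaped like the `securityRules` array returned by
# `az network nsg show` (only the fields this check needs are kept).
SAMPLE_NSG_RULES = [
    {"name": "DenyRdpFromInternet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "AllowRdpAny", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowSshFromOffice", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "AllowIcmpAny", "priority": 250, "direction": "Inbound", "access": "Allow",
     "protocol": "Icmp", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "AllowWideRange", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRanges": ["20-4000", "8080"]},
    {"name": "AllowSshOut", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
]

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}


def is_broad_public_source(prefix):
    """Heuristic (an assumption of this example): treat the source as 'the
    Internet' if it is a wildcard or the Internet service tag, or a public
    network wider than a /24. Other service tags are not public sources."""
    if prefix in ("*", "Internet", "0.0.0.0/0"):
        return True
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False  # VirtualNetwork, AzureLoadBalancer and similar tags
    return not net.is_private and net.num_addresses > 256


def rule_sources(rule):
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]


def rule_ports(rule):
    return rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]


def port_matches(port, spec):
    """spec is '*', a single port '22', or a range '20-4000'."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def rule_matches_tcp(rule, port):
    """True if the rule would see a TCP packet from the Internet to `port`."""
    return (rule["direction"] == "Inbound"
            and rule["protocol"].lower() in ("tcp", "*")
            and any(port_matches(port, p) for p in rule_ports(rule))
            and any(is_broad_public_source(s) for s in rule_sources(rule)))


def evaluate_management_ports(rules, ports=MANAGEMENT_PORTS):
    """Return {port: (verdict, deciding_rule)} with verdict 'exposed' or 'blocked'.
    Lower priority numbers win, as in an NSG; with no explicit match the
    platform default DenyAllInBound applies."""
    result = {}
    for port in ports:
        verdict = ("blocked", "DenyAllInBound (default)")
        for rule in sorted(rules, key=lambda r: r["priority"]):
            if rule_matches_tcp(rule, port):
                access = "exposed" if rule["access"] == "Allow" else "blocked"
                verdict = (access, rule["name"])
                break
        result[port] = verdict
    return result


if __name__ == "__main__":
    for port, (verdict, rule) in evaluate_management_ports(SAMPLE_NSG_RULES).items():
        print(f"{MANAGEMENT_PORTS[port]} ({port}): {verdict} by rule {rule}")
```

In the sample, RDP is blocked because the priority-100 Deny wins over the later `AllowRdpAny`, while SSH is exposed not by an obvious port-22 rule but by the wide `20-4000` range with protocol `*`, which is exactly the kind of rule a portal glance misses. To run it on real data, dump the rules with `az network nsg show -g <rg> -n <nsg> --query securityRules -o json` and pass the parsed list to `evaluate_management_ports`.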
    Azure Solution Architect at a tech services company with 10,001+ employees
    Real User
    Top 20
    Good setting recommendations and regulatory compliance with very helpful technical support
    Pros and Cons
    • "The solution is very easy to deploy."
    • "You cannot create custom use cases."

    What is our primary use case?

    We use the solution internally.

    Azure Security Center works with Azure Defender. Azure Defender is used for identifying the vulnerabilities and loopholes inside our system that we can deploy on multiple layers either from the subscription level, the source level, or on the devices. You can connect multiple devices to this. That's not specific to only servers. You can connect with ER80 as well as SQL servers. Most of the services are covered within the Microsoft Defender.

    What is most valuable?

    We find two things inside the Azure Security Center to be quite valuable. One is the recommendations, and the second is the regulatory compliance. Both help to keep everything running smoothly. This will give you the security score as well. You can try to get the highest security score, which is 100%. You can get there just from the recommendations from Microsoft. Not all the recommendations will be applicable on the enrollment side.

    Regulatory compliance is PCI compliance. There are multiple compliance options you can follow.

    Azure Defender helps improve our security posture. You enable it for each and every server. It is a monthly-based subscription and about $15 per month per server. You can see right on there that the vulnerability is automatically run with the help of a Messages scanner. Messages is running behind Azure Defender. It automatically runs and scans, and that will show up on your portal. You do have to take any necessary steps to run recommendations. Either you can see if any energy port is open, for example, if RDP is open, it will realize, “Okay, just close RDP for outside work." These kinds of recommendations are very helpful from the Azure Security Center.

    You have inventory on Azure Security Center, as well as Workbooks. You can create Workbooks. These are automatic playbooks where you can see the entire dashboard. If you prepare a monthly report, or a weekly report, it's better to create it in Azure Security Center instead of Workbooks with the help of JSON, or use drag and drop as an option. That will help you to keep updated more on things.

    Inside Azure Security Center, with Workbooks, you can create your own workbooks according to your users. If you have a system update setting inside Azure, with the help of an automation account, if you click it, inside the system update Workbook, you can see all the systems which are taking updates. If that is updated, you can see whether the system is compliant with updates. All the reports are visible. You can see reports on the basis of subscriptions or on the basis of resources if you want.

    Azure Security Center does not affect the end-user experience in any way. End users don't feel its presence in the organization.

    The solution offers collaborative services. If you enable Azure Defender for servers or any services, basically, you can automatically subscribe for Azure Defender for Endpoints, which is easy.

    You can install the EDR on each and every server. That will give you all of the process logs and what a user is doing. You can tell if a URL is open on your system, for example.

    You can remediate with automation as well if you want to. That's for malware or any malicious files if they are present on the system. It will detect using the intelligence of the Defender Endpoint. You can take hybrid action on an alert, you can take a fully automated action, or you can take 100% manual action.

    With Defender Endpoint, if you find out if one system is compromised, you can actually separate it from the network. If you have to deal with ransomware. If one system is affected by ransomware, you can remove the system from the network.

    There is a security alert inside Defender that's per the recommendations and activities that happen inside your network. You will see security events there. If you do not have any other SIEM solution in your environment, you can leverage this. 

    What needs improvement?

    The team is already working on one of the latest features, which is having migration techniques right on the portal available. It's possible to use it now. That's one good new feature.

    For MIM, they are still improving things on Azure Security Center. There are a few flaws in backend technologies. If you do not have the correct access to the system, you cannot access the files and most of the reported resources.

    For example, a general huge storage account, which is exposed for public access. If there are ten storage accounts available, you can see the names. You can identify, those storage accounts that are supposed to be accessed from the outside, maybe, due to some feature happening behind the scenes on a storage account, and these are supposed to be exempt from the portal. You shouldn't see them again and again and this should not affect your security score overall. However, they are not easily exempted from the portal. There's no way to exempt them properly.

    You cannot create custom use cases. You can use what is already present on the Microsoft side in terms of security alerts. You can, however, customize whitelisting for alerts.

    For how long have I used the solution?

    I've been using the solution for four years now. For one year, I have been working as an architect on Azure Security Center.

    What do I think about the stability of the solution?

    The stability is 99.9%. I never have seen any failure. Sometimes you find the service is slow. However, that could be related to an internet connection or something else. Every service has downtime. There is very, very minimal downtime here. I haven't faced any challenges in four years.

    What do I think about the scalability of the solution?

    The scalability is very good. You don't need to put any extra agent or anything from your side. Everything is automated. It's the easiest security feature, which you can get from Microsoft.

    How are customer service and support?

    For every project, an architect from the Microsoft side is assigned to the team. You can directly connect with them. You can also create a technical ticket. They will respond immediately. If the issue requires a certain level of severity, you will get a call directly. If it's not as serious and they email you, however, you do not respond to their email, they will call you. Otherwise, they will keep communicating via emails.

    I'm in India. When I open a ticket, it may be assigned to the Indian parties and they take time to remediate your problems. If I am routed to the senior team of Microsoft, they won't take much time. They give you new solutions quickly. It's a good thing. 

    Which solution did I use previously and why did I switch?

    We do use Azure Sentinel. I'm also familiar with Google Cloud Platform, GCP. It's a bit complex as the structure is not as good as Microsoft. Microsoft, from top-down, offers a management group, subscriptions, and tenants under one group. Inside that resource group, you will find resources. That is easy. On the other hand, inside GCP, there are folders inside folders. Then you can create multiple folders inside one folder. That makes things very complex. There are not too many security solutions available on GCP. I do not have too much experience with GCP, however, given the experience I have, according to that, GCP isn't as good.

    You can handle many things on Azure with the UI. There's no need to go for the PowerShell if you don't know it. If you know PowerShell best, you can use it if you want to. If you want any report from the GCP, however, you'll have to first understand the shell scripting. It's hard to find projects due to the way GCP is laid out. There's too much complexity.

    How was the initial setup?

    The solution is very easy to deploy. This is automatically installed on the Portal. There is no need to install anything on the Portal. There are just a few buttons inside the settings if you want to enable the Defender, et cetera. That will automatically install on all the servers. The agents are already present.

    The solution takes six seconds to deploy. If you are on the Portal, you can do it in seconds. The first remediation will show within 30 minutes due to the fact that the scan takes time. The message takes a little bit of time to scan the entire infrastructure. That completely depends on how big a company's infrastructure is.

    If there is another service, such as Azure Sentinel, you need to install agents on all the machines. If there is a Linux machine, you have to install the OMS agents. However, that's not the case over here.

    One person can easily handle maintenance. A single person handles both Azure and Sentinel. Ours is a small environment. 

    What was our ROI?

    In terms of ROI for Azure Security Center, the solution offers basic security features, which Microsoft is providing. That's the main thing. There's no need to go and get any technical team to handle anything. If you know a little bit about the security, you just go and toggle the button and you install it on all the servers and services. With this product, you will start getting recommendations and security alerts. 

    In contrast, if you go on any other products, you need a specialized team for security, especially. You need a complete specialized team for different services and for different actions. It's better to use Azure Security Center. There's no need to go and install anything and it's offering good security.

    What's my experience with pricing, setup cost, and licensing?

    The licensing cost per server is $15 per month. This is the same for SQL which is also $15 per server. It covers the Defender licensing as well. According to my experience, it's a good deal.

    What other advice do I have?

    I worked on all the Defenders, ten now, and, right now, we are more focused on Azure Defender, which is a part of the Azure Security Center on the Azure Portal. Defender is actually deployed on servers including other staff services, second path services, servers and community, and SQL databases. On each of these, you can deploy Defender.

    This product is a SaaS solution that is automatically updated from the Microsoft side. Clients will not need to update manually.

    If you have a hybrid cloud network or hybrid environment inside your organization, this solution will still work for you.

    I'd rate the solution at an eight out of ten.

    When it comes to Microsoft, the education surrounding Azure services and training is very easily available online without having to make any calls. If you want to join their webinars, you can join. If you want to get any certification, it is almost free for everyone. For a student they offer the training at 50% or 40% of the cost, or if you work at a good company. I did not pay anything for any certification. I have eight certifications from Microsoft. 

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
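The reviewer above makes two points about secure score: recommendations are what drive it up, and resources that are deliberately exposed should be exempted so they stop dragging it down. The following is an added example, not code from the review or from Microsoft, that recomputes a score from the published per-control formula (current score = max score x healthy / (healthy + unhealthy), with the subscription score being the sum of current scores over the sum of max scores) and shows how removing exempted resources from the counts changes the result. The controls, resource IDs and max scores are constructed; treating a control with no applicable resources as excluded from both sums is an assumption of the example.

```python
"""Recompute a Defender for Cloud secure score and show what an exemption does.

Added example, not code from the review or from Microsoft. It applies the
published per-control formula: current score = max score x healthy /
(healthy + unhealthy), with an exempted resource dropped from both counts, and
the subscription score = sum of current scores / sum of max scores. A control
with no applicable resources is left out of both sums (an assumption here).
"""

# Constructed sample: three security controls with their max score and the
# resource IDs their recommendations found healthy or unhealthy.
SAMPLE_CONTROLS = {
    "Enable MFA": {
        "max": 10, "healthy": {"user/alice", "user/bob"}, "unhealthy": set()},
    "Secure management ports": {
        "max": 8, "healthy": {"vm/web1"}, "unhealthy": {"vm/jump1", "vm/db1"}},
    "Restrict unauthorized network access": {
        "max": 4, "healthy": {"sa/logs"},
        "unhealthy": {"sa/public-www", "sa/cdn-origin", "sa/backup"}},
}

NOT_APPLICABLE = None


def control_score(control, exempted=frozenset()):
    """Points the control currently earns, or NOT_APPLICABLE when every
    resource has been exempted (or the control never had any)."""
    healthy = control["healthy"] - exempted
    unhealthy = control["unhealthy"] - exempted
    total = len(healthy) + len(unhealthy)
    if total == 0:
        return NOT_APPLICABLE
    return control["max"] * len(healthy) / total


def secure_score(controls, exempted=frozenset()):
    """Subscription secure score as a percentage, rounded to one decimal."""
    current = maximum = 0.0
    for control in controls.values():
        score = control_score(control, exempted)
        if score is NOT_APPLICABLE:
            continue
        current += score
        maximum += control["max"]
    return round(100 * current / maximum, 1) if maximum else 0.0


def points_per_fix(controls, exempted=frozenset()):
    """Score points gained by remediating one unhealthy resource in each
    control (max / total). Fixing where this is highest lifts the score fastest."""
    gains = {}
    for name, control in controls.items():
        unhealthy = control["unhealthy"] - exempted
        total = len(control["healthy"] - exempted) + len(unhealthy)
        if unhealthy:
            gains[name] = control["max"] / total
    return gains


if __name__ == "__main__":
    print("score:", secure_score(SAMPLE_CONTROLS))
    # Two storage accounts that are public on purpose (constructed case).
    waived = frozenset({"sa/public-www", "sa/cdn-origin"})
    print("score with two storage accounts exempted:",
          secure_score(SAMPLE_CONTROLS, waived))
    print("points per single fix:", points_per_fix(SAMPLE_CONTROLS))
```

With the sample data the score moves from 62.1% to 66.7% once the two intentionally public storage accounts are exempted, and `points_per_fix` shows that closing one management port (8/3 points) is worth more than fixing any one storage account (1 point), which is the kind of prioritisation the reviewer is describing when he says recommendations drive the score.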
    Senior DevSecOps Engineer at a consumer goods company with 11-50 employees
    Real User
    Top 20
    Provides centralized management and helps with regulatory compliance, but getting the best information requires a lot of work
    Pros and Cons
    • "With respect to improving our security posture, it helps us to understand where we are in terms of compliance. We can easily know when we are below the standard because of the scores it calculates."
    • "The overview provides you with good information, but if you want more details, there is a lot more customization to do, which requires knowledge of the other supporting solutions."

    What is our primary use case?

    I use this solution in two different scenarios. The first is for the security and monitoring of Azure accounts. Another is for SIEM integration and the Azure Gateway WAF. Essentially, it's a one-stop solution where you can integrate all of the other Azure security products. This means that instead of maybe going to Firewall Manager, Azure Defender, or WAF, you can have all of them send statistics or logs to Azure Security Center, and you can do your analysis from there.

    How has it helped my organization?

    This product helps us with regulatory compliance.

    With respect to improving our security posture, it helps us to understand where we are in terms of compliance. We can easily know when we are below the standard because of the scores it calculates.

    It helps us with alerts. You're able to automatically channel these alerts to emails and get the team readily looking into the issue.

    We don't need a distributed team looking at the various security solutions. Instead, they just look into Azure Security Center and then get everything from one place.

    It also supports multiple cloud integration, where you can add other clouds like AWS and GCP. However, we don't use that feature. 

    What is most valuable?

    The most valuable feature is the help with regulatory compliance, as it gives us security scores and the CVE details.

    Centralized management is another feature that is key for me.

    What needs improvement?

    This product has a lot of features but to get the best out of it, it requires a lot of insight into Azure itself. An example of this is customizing Azure Logic Apps to be able to send the right logs to Security Center.

    The overview provides you with good information, but if you want more details, there is a lot more customization to do, which requires knowledge of the other supporting solutions. You can get the best out of it, but then you will also need to do a lot of work.

    Improvements are needed with respect to how it integrates the subscriptions in various Azure accounts. You can have a lot of accounts, but you don't get detailed information. Specifically, it gives you overall score statistics, although it's not very intuitive, especially when you want to see information from individual subscriptions.

    For example, if there are five subscriptions sending traffic to Azure Security Center, it gives you the summary of everything. If you want to narrow it down to one particular subscription and then get deep into the events, you really have to do some work. This is where they could improve.

    In terms of narrowing things down, per account, it is not granular enough. In general, it gives you good summaries of what is happening everywhere, with consolidated views. You're able to get this information on your dashboard. But, if you wanted to narrow down per subscription, you don't want to have to jump into the subscriptions and then look at them one by one. Simply, we should be able to get more insights from within Azure Security Center. It's possible, but this is where it requires a lot more customization.

    For how long have I used the solution?

    I have been using Azure Security Center for approximately two years.

    What do I think about the stability of the solution?

    In terms of stability and availability, Security Center is very good. It doesn't change. Because it's cloud-based, you don't actually have to manage infrastructure to get it up. If you are using the SIEM portion of it, it's what you are sending to it that will determine what you get out of it.

    If you are using a hybrid solution from your own site then you have to make sure that your internet connection to the cloud is reliable. Your VPNs that are pushing data have to be stable, as well. Also, if you are using a third-party solution, you have to manage your keys well. But in terms of it being stable, I would say it's highly available and highly stable.

    What do I think about the scalability of the solution?

    This solution is very scalable. You can integrate as many subscriptions as possible. They could be Azure subscriptions, AWS accounts, GCP, and other resources. Because it's cloud-based, I have not actually encountered any limits.

    I know that with cloud providers when there are limits, you can request an increase, but in terms of how many, I have not seen any limitations so far. As such, I would say it's highly scalable.

    We are using it a lot. For Azure, there are 20-plus subscriptions. We don't really use it for AWS accounts. Instead, we prefer to use AWS Security Hub on AWS, so we don't push AWS account data there. But for Azure, we used it for at least 20 subscriptions.

    We have a distributed team. I have used it for the past two years in the company, and it's a huge organization. In the whole of the organization, Microsoft Azure is used as the main cloud. AWS was also used, but that was mostly for specific projects. In terms of the number of people using it, I estimate it is between 50 and 100.

    How are customer service and technical support?

    Microsoft support is very good, although it may depend on the kind of support you have. We have enterprise-level support, so any time we needed assistance, there was a solution architect to work with us.

    With the highest support level, we had sessions with Microsoft engineers and they were always ready to help. I don't know the other levels of support, but ours was quite good.

    Which solution did I use previously and why did I switch?

    We began with the Security Center because it was for projects on Azure.

    How was the initial setup?

    The initial setup is somewhat straightforward and of medium complexity. Especially when it comes to integrating subscriptions, I would not say that it's complex. At the same time, it is not as simple as just pressing the Next button several times. There are knowledge prerequisites before you can set it up fully and properly.

    Setting this solution up was an ongoing project where we kept integrating subscription after subscription. If you know what you're doing, in a couple of days, or even a few minutes, you can get going.

    If you need to build the knowledge as you go, it's something you could do in one day. You would integrate one subscription, and then start getting feedback. It's plug and play, in that sense.

    What was our ROI?

    The company has seen great returns on investment with this solution. In terms of security, you want to match the spending with how effective it is. Top management generally wants more reports. They want statistics and an analysis of what is happening. For example, reports need to say "We had this number of attempts on our systems."

    As additional functionality, it's also able to support the business in terms of knowing and reporting the relevant statistics.

    What's my experience with pricing, setup cost, and licensing?

    This solution is more cost-effective than some competing products. My understanding is that it is based on the number of integrations that you have, so if you have fewer subscriptions then you pay less for the service.

    Which other solutions did I evaluate?

    We did not evaluate anything else before choosing this product.

    For example, we are now considering different products for SIEM integration. One of them is Palo Alto Prisma Cloud. However, the price is too expensive when compared to Azure. It is also a multi-cloud product, although, in the beginning, it didn't support AWS and GCP. It now has support for those cloud providers, as well as additional features that Azure doesn't have.

    What other advice do I have?

    My advice for anybody who is implementing this product is to start building knowledge about it. Go to the Microsoft documentation and learn about it. As much as they show all of its great functionalities, you really need knowledge of other supporting resources that work with Azure Security Center, because it is just like a hub. It's what you push into it and how you customize it that determines what you get.

    This means that if you don't have knowledge of Firewall Manager and you just want to use Security Center, it becomes a problem for you. This is something that you need to know. So, I advise people to get a holistic knowledge of all of the supporting resources that work with Azure Security Center to be able to maximize its value.

    If you are looking to build on Azure then I would recommend the Security Center, mainly because of the cost and you will immediately get all of the functionality that you need.

    The biggest lesson that I learned from using this product is that you don't get the best value right out of the box. You need further customization and configuration. The capabilities are there but if you don't have a dedicated security team with good technical know-how, such as scripting skills, or being able to work with the Logic App, or maybe the basic functionalities of security, then when you want more in-depth details into your subscriptions, it will become a problem.

    I would rate this solution a seven out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
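    The reviewer above says Security Center gives a good consolidated score but that narrowing down to one subscription takes work. The following is an added example in Python, not code from the review or from Microsoft: it reads each subscription's secure score from the Microsoft.Security/secureScores REST resource and rolls the results up into a single list of subscriptions that fall below a target, so a security team does not have to open each subscription one by one. The response shape, the 2020-01-01 api-version, the placeholder subscription ids, the constructed sample bodies and the 75% target are all assumptions of this example; the live call needs an ARM bearer token and is not exercised offline.

```python
"""Per-subscription secure score roll-up for Defender for Cloud.

Added example, not code from the review or from Microsoft. It assumes the
response shape of GET .../providers/Microsoft.Security/secureScores
(api-version 2020-01-01):
  {"value": [{"properties": {"score": {"max": .., "current": .., "percentage": ..}}}]}
The sample bodies below are constructed and the subscription ids are placeholders.
"""
import json
import urllib.request
from typing import Dict, List, Tuple

SECURE_SCORES_URL = (
    "https://management.azure.com/subscriptions/{sub}"
    "/providers/Microsoft.Security/secureScores?api-version=2020-01-01"
)

# Constructed sample responses keyed by placeholder subscription id.
SAMPLE_RESPONSES: Dict[str, str] = {
    "00000000-0000-0000-0000-000000000001": json.dumps({"value": [
        {"name": "ascScore", "properties": {"displayName": "ASC score",
         "score": {"max": 58, "current": 46.4, "percentage": 0.8}}}]}),
    "00000000-0000-0000-0000-000000000002": json.dumps({"value": [
        {"name": "ascScore", "properties": {"displayName": "ASC score",
         "score": {"max": 58, "current": 29, "percentage": 0.5}}}]}),
    "00000000-0000-0000-0000-000000000003": json.dumps({"value": [
        {"name": "ascScore", "properties": {"displayName": "ASC score",
         "score": {"max": 29, "current": 20.3, "percentage": 0.7}}}]}),
}


def fetch_secure_scores(subscription_id: str, bearer_token: str) -> str:
    """Call the REST endpoint for one subscription. Needs a live ARM token
    (for example from `az account get-access-token`); not run offline."""
    req = urllib.request.Request(
        SECURE_SCORES_URL.format(sub=subscription_id),
        headers={"Authorization": f"Bearer {bearer_token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_secure_score(body: str) -> Tuple[float, float]:
    """Return (current, max) points from a secureScores list response.
    An empty response raises instead of being reported as 0% or 100%,
    so a subscription with no score data is not silently misclassified."""
    entries = json.loads(body).get("value", [])
    if not entries:
        raise ValueError("no secure score entries in response")
    score = entries[0]["properties"]["score"]
    return float(score["current"]), float(score["max"])


def score_ratio(current: float, maximum: float) -> float:
    """Recompute the ratio from the points rather than trusting the
    'percentage' field; rounded to 4 places for stable comparisons."""
    if maximum <= 0:
        return 0.0
    return round(current / maximum, 4)


def subscriptions_below(responses: Dict[str, str],
                        threshold: float) -> List[Tuple[str, float]]:
    """Return (subscription_id, ratio) for every subscription whose secure
    score ratio is below `threshold`, worst first."""
    below = []
    for sub_id, body in responses.items():
        current, maximum = parse_secure_score(body)
        ratio = score_ratio(current, maximum)
        if ratio < threshold:
            below.append((sub_id, ratio))
    below.sort(key=lambda item: item[1])
    return below


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_secure_scores()
    # output per subscription to run it against a real tenant.
    for sub_id, ratio in subscriptions_below(SAMPLE_RESPONSES, 0.75):
        print(f"{sub_id}: {ratio:.0%} secure score, below the 75% target")
```

    The ratio is recomputed from the current and max points instead of being read from the `percentage` field, so the check still holds if that field is missing or rounded differently; the threshold is the organisation's own target, not a Microsoft default.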
    PeerSpot user
    PratikSavla - PeerSpot reviewer
    Principal Product Security Officer at a tech vendor with 201-500 employees
    Real User
    Top 5
    Leaderboard
    It gave us more substantial visibility into our security, helping us increase our overall security posture and manage risks throughout the entire organization
    Pros and Cons
    • "The vulnerability reporting is helpful. When we initially deployed Defender, it reported many more threats than we currently see. It gave us insight into areas we had not previously considered, so we knew where we needed to act."
    • "Microsoft sources most of their threat intelligence internally, but I think they should open themselves up to bodies that provide feel intelligence to build a better engine. There may be threats out there that they don't report because their team is not doing anything on that and they don't have arrangements with another party that is involved in that research."

    What is our primary use case?

    Defender acts as a CSPM solution, a posture management solution for cloud security. We use it to find weak spots in our cloud configuration and strengthen the overall security posture of our cloud environment. With this particular tool, we seek to protect workloads across various environments. We have about 3,000 endpoints and 100 users in the United States alone.

    How has it helped my organization?

    Defender gave us more substantial visibility into our security, helping us increase our overall security posture and manage risks throughout the entire organization. It helps us make decisions about specific kinds of risks. If we see a glaring vulnerability, we can determine whether this is an acceptable risk or something that requires urgent action. The risk level determines our investment and budgeting, and the amount of work needed to remedy that. It provides a lot of valuable information for informing our comprehensive risk management strategy.

    The solution does a pretty good job of finding previously unknown threats. It helps keep us aware of the kinds of threats that are out there and how we could potentially be impacted. Defender gives us a high level of information about unknown or zero-day threats. It's sometimes hard to gauge whether everything is there because the report is customized based on our infrastructure and what might be pertinent to us.

    They've always notified us when there was a zero-day threat. I think there have been a few instances where they alerted us about a new threat before it was publicized, which is a good sign that they value us as a customer. They've warned us about something before releasing it to the wider public.

    Defender improved our SOC efficiency and saved us from having to add more personnel on the SOC side. It definitely improved that whole area, giving us the bandwidth to work on other things. Defender reduced our detection time because they are proactive about notifying us. I haven't seen too much of a time lag. There were a few instances, but it was never something critical where we had to call them out and ask if this was an issue or something. 

    Time-to-response has also gone down. The sooner we get the notification, the quicker we can jump on something. It helped us respond to any potential breach or attack faster. 

    It also saved us money because we don't need to deploy a second product to get some additional coverage. It also saved us from adding more security staff. Overall, it has had a positive financial impact on the company. 

    What is most valuable?

    The vulnerability reporting is helpful. When we initially deployed Defender, it reported many more threats than we currently see. It gave us insight into areas we had not previously considered, so we knew where we needed to act.

    Defender's ability to protect multi-cloud environments is essential for us. Our company's offerings are based on tasks, and these cloud service providers are critical infrastructure for us. If anything bad happens, it compromises our services. We need to understand and improve our posture.

    It also seamlessly integrates with Sentinel. It was fairly easy because we already leveraged Microsoft 365 earlier, so adding the Sentinel piece was pretty quick. It took a day to figure out and go ahead with the actual deployment. This integration with 365 and Sentinel provided timely intelligence over time. It becomes a problem if we don't get a threat notification in time. They are highly proactive about delivering that information in the initial alert and backing it up with more details as the situation develops.

    Microsoft has a relatively sizeable threat-hunting group constantly digging up many things. That helps because it gives us confidence if we face some threats that not many other players are exploring. With this particular product, we're confident they'll let us know where we stand. 

    What needs improvement?

    Microsoft sources most of their threat intelligence internally, but I think they should open themselves up to bodies that provide feel intelligence to build a better engine. There may be threats out there that they don't report because their team is not doing anything on that and they don't have arrangements with another party that is involved in that research. 

    Opening up to more collaboration with different entities in the private or public sector would help them feed more information to the customers and improve their security posture. More partnerships with other players who can feed them intelligence will help them develop the engine powering this product, ultimately benefiting every customer who uses it. 

    For how long have I used the solution?

    I have been using Defender for Cloud for about a year and a half. 

    What do I think about the stability of the solution?

    We've had a positive experience overall with Defender's unified portal. We seldom see any bugs. Sometimes, there is a lag in the reporting and some inconsistencies with our searches, but it's rare. There were some periods when their service was not running properly.

    While there hasn't been a significant outage, we've experienced some performance degradation where Microsoft notified us that they were having a problem. They informed us ahead of time when there are issues, but I've never had a complete outage thus far. 

    What do I think about the scalability of the solution?

    Defender for Cloud is scalable, given the licensing model. The performance doesn't suffer under a heavy workload. Many organizations I know have a massive workload, and they're still leveraging Defender without any issues. I rate Defender an eight out of ten for scalability.

    How are customer service and support?

    I rate Microsoft support an eight out of ten. Their support is great, so we have no complaints. They were responsive when we had issues.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We used SentinelOne only for endpoint threat detection. That's probably the closest competitor. We haven't used any other solutions besides that. 

    How was the initial setup?

    Setting up Defender for Cloud was relatively straightforward. We worked with a person assigned from Microsoft, who gave us a walkthrough of the steps we needed to take.

    Defender doesn't require much maintenance after deployment other than a few pieces of infrastructure we have internally. We need to monitor the solutions to check alerts and security advisories, but we've never had to deal with any maintenance.

    What about the implementation team?

    We ended up using a reseller. They were good. I used them for other vendors, and we've had a productive relationship working on multiple initiatives. This one was nothing new. 

    What's my experience with pricing, setup cost, and licensing?

    They have a free version, but the license for this one isn't too high. It's free to start with, and you're charged for using it beyond 30 days. Some other pieces of Defender are charged based on usage, so you will be charged more for a high volume of transactions. I believe Defender for Cloud is a daily charge based on Azure's App Service Pricing. 

    It's a negligible cost if your usage isn't that high, like a few cents. It's appealing for people to try it. If you don't plan to use it much, you won't have a high bill.

    Which other solutions did I evaluate?

    Other options were considered, but it came down to the level of value we would get from a holistic vulnerability intelligence product like Defender for Cloud. Also, Microsoft products are pervasive, with a much broader customer base. That was a deciding factor. We saw much more potential from Defender compared to the alternatives. Even though the competing solutions may have functioned better in terms of providing more intelligence, other factors weighed in favor of Microsoft Defender.

    What other advice do I have?

    I rate Microsoft Defender for Cloud an eight out of ten. I recommend doing a PoC. You shouldn't implement something after only reviewing the documentation and marketing materials. Put it through a PoC for a month at least to get a feel for how it functions and whether it satisfies your requirements. 

    Which deployment model are you using for this solution?

    Private Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Cloud Architect at a legal firm with 5,001-10,000 employees
    Real User
    Insightful recommendations and alerting, reports a security score metric, and the support is good
    Pros and Cons
    • "Using Security Center, you have a full view, at any given time, of what's deployed, and that is something that is very useful."
    • "Consistency is the area where the most improvement is needed. For example, there are some areas where the UI is not uniform across the board."

    What is our primary use case?

    Security is at the forefront of everything that we have been doing, fundamentally. Both in my previous organization and the current one, Azure Security Center has given us a great overview of the current state of security, through the recommendations given by Microsoft. There are potential situations where risk exists because you're not compliant with a specific recommendation, or to specific regulatory compliance. Such guidance is critical for us.

    We implement a wide range of solutions in our environment. We have solutions that are purely SaaS. We have some things that are just purely IaaS, and, of course, we have PaaS for services as well. So, we really have a wide range of deployments on all services as a service.

    How has it helped my organization?

    Overall, Azure Security Center has greatly improved our company's security posture. At a very quick glance, you can see where you are the most vulnerable. I'm greatly oversimplifying what the tool does, but at the very minimum, at a quick glance, even if you are not an expert, or even if you have just started using it, this tool will give you a basic idea of where the biggest problems are.

    Security Center has not affected our end-user experience in a negative way. To my thinking, security is something that if your users don't experience it then it's great because there are no problems. Since I have been in this company, there have not been any security incidents. The only experience that the end-users have is the fact that there have not been any disruptions due to security issues. We have been monitoring what has been going on.

    What is most valuable?

    The most valuable feature is the recommendations. Azure Security Center is a product that can be useful in various grades and stages, depending on the state of maturity of both your application and your organization.

    The alerts are also valuable, and they go hand-in-hand with the recommendations.

    With respect to our security posture, there are at least two features that have been very useful. The first of these is the inventory section, where you can quickly see everything that you have. Especially in a larger organization where there have been mergers and acquisitions, it can be difficult to readily see everything that has been deployed. Using Security Center, you have a full view, at any given time, of what's deployed, and that is something that is very useful.

    The security score has been very useful. This is another numeric metering system that basically tells you how well you have been doing.

    What needs improvement?

    Consistency is the area where the most improvement is needed. For example, there are some areas where the UI is not uniform across the board. You can create exemptions, but not everywhere are the exemptions the same. In some areas, we can do quick fixes, but that is not true across the board. So in general, consistency is the number one item that needs attention.

    For how long have I used the solution?

    We have been using Azure Security Center for approximately three years.

    What do I think about the stability of the solution?

    With respect to stability, so far I have not encountered any specific issues with the way it behaves. I cannot say that it has performed badly in any way.

    What do I think about the scalability of the solution?

    It's a really scalable product, fundamentally, the way Microsoft designed it. I don't think that scalability is an issue at all.

    We have implemented this solution in environments that differ quite significantly in terms of scope and in range but, given the way that it works, within 24 hours it discovers everything in the environment, no matter what it is. 

    How are customer service and technical support?

    We only used technical support once, and it was for an item that was behaving in a strange way. It ended up being a known issue, and they said that they were going to fix it. Overall, it was a very good interaction.

    Which solution did I use previously and why did I switch?

    In both companies where I have used this solution, there was no other cloud-based tool that was handling security. It was done using traditional security products that basically examined the logs and raised alerts.

    We switched because it gives us an expansive view of everything which is deployed. It is really unparalleled by anything else that you could potentially use. The moment you turn it on for a subscription, it will identify, almost immediately, every component that you have. From there, it will also identify what is at risk in that component.

    How was the initial setup?

    The initial setup was pretty straightforward, although I came to this product from a network and security background. When I started working with Security Center, it was not like a tool that I had never seen before.

    Fundamentally, it takes 24 hours before you start to see everything accurately. From the moment you turn Security Center on for your subscription, within the 24-hour range, you have a full view of what's going on.

    Our implementation strategy includes turning it on for every subscription that we have. Security is critical for us, so the cost, in this case, was not a factor. The benefit was definitely outpacing any potential financial cost. Once we turn the feature on for a subscription, we look at every recommendation that we see in the list. In cases where it is not compliant with our security policy, we fix the issue and have been doing that ever since we started using it.

    What about the implementation team?

    My in-house team was responsible for the deployment, and this was true for both organizations where I have used it.

    On average, three people can deploy it. There should be an architect and principal engineers.

    What's my experience with pricing, setup cost, and licensing?

    Although I am outside of the discussion on budget and costing, I can say that the importance of security provided by this solution is of such importance that whatever the cost is, it is not a factor.

    Microsoft does a good job with respect to the pricing model, so anything comparable will cost almost the same. I don't think that there is really an alternative.

    Which other solutions did I evaluate?

    We are perfectly satisfied with what this product gives us. So, there's really no reason to even look at anything else.

    What other advice do I have?

    The first piece of advice that I would give somebody who's going to try to use Security Center is to try to understand their environment as much as possible, and then try to match their environment with the recommendation section of the tool and start remediating from there.

    There are going to be recommendations in Security Center that will make sense if the team looking at the security infrastructure understands what is going on. If the team does not have a full understanding then it will be very difficult to know what to do, or how to remedy it.

    The fact that I had to deal with many components, which I don't know very much about, has been really great because it forced me to learn about their security. Typically, I don't have to deal with that. My learning has definitely increased, and of course, that's always good.

    I would rate this solution a nine out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Cloud Architect at CloudShapers
    Real User
    Top 20
    From the Azure portal, you can roll it out over all the servers covered by the entire subscription and on-prem, using Azure Arc
    Pros and Cons
    • "Defender lets you orchestrate the roll-out from a single pane. Using the Azure portal, you can roll it out over all the servers covered by the entire subscription."
    • "Another thing is that Defender for Cloud uses more resources than CrowdStrike, which my current company uses. Defender for Cloud has two or three processes running simultaneously that consume memory and processor time. I had the chance to compare that with CrowdStrike a few days ago, which was significantly less. It would be nice if Defender were a little lighter. It's a relatively large installation that consumes more resources than competitors do."

    What is our primary use case?

    My client, a construction company, needed to replace their antivirus solution, including their Azure and on-prem services. They decided they wanted to use Defender for Cloud, so I started to implement it for them. The license for their antivirus software was about to expire, and they didn't want to spend much money. They opted for Defender for Cloud to replace Symantec. System Center (endpoint protection), Security Center and Advanced Threat Protection were all consolidated into one product called Defender for Cloud.

    The company I worked for was divided into several teams. We had an Azure Infrastructure team and workplace teams providing local on-premise services. The client was the biggest construction company in the country, with multiple locations. 

    The strong point of Defender, especially when using Azure Arc to bring in on-premises systems, is that it doesn't matter where these systems are. They're just resources in the portal. If you see them and can install agents on them, it's fine. It doesn't matter how it's distributed or where the locations are. 

    How has it helped my organization?

    I believe that Microsoft Defender for Cloud raised our client's Microsoft Security Score to around 79 percent. That includes other security components. It's not just antivirus. There are all sorts of things that contribute to the score, for instance, the use of public IP addresses on VMs.

    Our clients also saw some financial benefits because they didn't need to renew the Symantec license, but the biggest benefit was the ability to install Defender on Azure and on-premises machines from a single point.

    What is most valuable?

    Defender lets you orchestrate the roll-out from a single pane. Using the Azure portal, you can roll it out over all the servers covered by the entire subscription. Having that unified portal was nice, but it was a challenge. We first implemented Azure Arc, which allowed us to incorporate our on-prem machines like they were actual Azure resources. The single-pane-of-glass management is highly practical. We are accustomed to managing systems across different portals or interfaces, so it's convenient to do it from one place. That's a bonus, although it's in no small part thanks to Azure Arc. Defender then takes all the services it finds in Azure Arc and it rolls them out seamlessly as long as they use Server 2016 version or above.

    What needs improvement?

    It's a severe issue when you need to install Defender for Cloud on Microsoft operating systems older than 2016. Operating systems released after 2016 will seamlessly integrate with Defender with no problems. Older operating systems don't integrate smoothly. The 2012 operating systems will continue to be used for years. The 2008 systems will be phased out, so that won't be a problem for long, but you need some quick fixes to install on a 2012 OS.

    The older the operating system, the more difficult it is to detect if the solution is working. That was a significant problem. It works fine on a newer OS. On the older ones, we had to do some tricks to determine if it was correctly deployed and working since the integration of Defender in the older OS is a lot less. Microsoft couldn't help us with that.

    Another thing is that Defender for Cloud uses more resources than, for instance, CrowdStrike, which my current company uses. Defender for Cloud has two or three processes running simultaneously that consume memory and processor time. I had the chance to compare that with CrowdStrike a few days ago, which was significantly less. It would be nice if Defender were a little lighter. It's a relatively large installation that consumes more resources than competitors do.

    For how long have I used the solution?

    I have been implementing Microsoft Defender for a large construction company. We started the contract about three or four months ago. I was only responsible for the installation. We aren't the team that monitors or maintains the solution. That was not my task. We were just responsible for installing it and ensuring it worked on every machine.

    What do I think about the stability of the solution?

    Defender is relatively stable as far as I can tell. It works great except for the issues with older operating systems. In some cases, you may need to come up with a workaround. 

    What do I think about the scalability of the solution?

    The solution is scalable if you activate the Defender plan for all servers and containers. When you deploy new ones, it automatically picks them up and installs the components. It's perfectly scalable in that sense.

    How are customer service and support?

    I rate Microsoft support five out of ten. You can open up a support ticket and get into Microsoft's general support chain. You need to explain the issue, and they'll get back to you. Nine times out of ten, you will get someone new and need to explain the situation again. That doesn't help much. In the end, we had to fix it all ourselves.

    We had a contact at Microsoft Amsterdam who was helpful. He was more of a sales contact. He told us the best approach and turned out to be correct.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

It wasn't my decision to go with Defender for Cloud. That doesn't mean that I would've chosen anything else per se, but those decisions are made on the managerial level.

    How was the initial setup?

Installing Defender was straightforward as long as you're dealing with a more current operating system. On a post-2016 operating system, it's only a few mouse clicks. That's the beauty of the cloud. It arranges everything for you. The on-premise solution usually works the same. It's seamless. You activate the plan, select the resource types for which you want to enable Defender (including on-prem machines using Azure Arc), then hit "go." All that changes on older operating systems.

    We had to create a design, test it, and get approval from management. We first tried it on a 2019 operating system, which was a piece of cake, but we faced challenges deploying it on 2008 and 2012 systems. That's why it ultimately took us three weeks to complete the deployment. If you don't have any older operating systems, it's quite effortless. 

    We had four people working on the implementation, including three technicians. I was the only one from our Azure team, and there was another person from the workplace team who had access to the on-premise servers. He could log in to run some scripts and see if everything worked. We also had a project manager and a person from the client's team to test as soon as we were ready. 

    What other advice do I have?

    I rate Defender for Cloud eight out of ten. It uses more resources than competing solutions, but that's the only issue. If you plan to implement Defender for Cloud, I recommend considering the operating systems you use. 

    If there are a lot of Server 2008 and 2012 VMs, it might not be the best solution. It is still possible, but it's harder to monitor and manage. It's tricky to check if everything works. These issues don't exist as long as you use the 2016 version or above. 

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Buyer's Guide
    Download our free Microsoft Defender for Cloud Report and get advice and tips from experienced pros sharing their opinions.
    Updated: May 2023