Microsoft Defender for Cloud Reviews

For example, the customer wants to restrict USB connections or any output device, or they want to verify any link they open before opening it in their real environment. Mostly, they replace the current security tool they are using, such as Kaspersky, with Defender for Cloud because it integrates well with Office 365.

The biggest advantage is it centralizes management. Customers do not have to manage different vendor products. They feel confident using Microsoft because of the long-recognized technology and detailed technical documentation available online.

The valuable features include the ability to manage devices and the fact that Defender can replace other security tools like SCCM. Since they use Office 365, they need tools that work better in their organization, such as M365 Defender for Cloud.

There are challenges with the licensing policies, which are quite complicated. The documentation is difficult to understand and resellers need proper training to support customers effectively. Microsoft should provide better training for resellers.

I have been working with Defender for Cloud for more than five years.

It is quite stable. It doesn’t have significant stability issues. I would rate it an eight for stability.

I am not the one using it directly yet I haven't heard any complaints, so I would rate it a five.

Working with Microsoft technical support can be challenging. The problem-solving process can be delayed, and not all issues get resolved promptly. If there are ten tickets, maybe only five or six get resolved satisfactorily.

Neutral

Customers are replacing security tools like Kaspersky, Symantec, or Broadcom to use Defender for Cloud because it integrates seamlessly with Office 365.

The initial setup is not very easy yet it is manageable. It is not too difficult for those familiar with the product. It is a medium-complexity setup.

The implementation should be handled by the reseller. Resellers need proper training from Microsoft as the documentation is complicated.

In Vietnam, the cost structure makes it expensive. The licensing is priced publicly on the Microsoft website and it adds up based on the number of users.

The cost is expensive for the Vietnamese market. It is publicly available on the Microsoft website, and the pricing depends on the number of users.

Organizations should ensure resellers are well-trained to support the new technologies. Proper documentation and support are crucial.

I'd rate the solution seven out of ten.

Our company policy is to onboard all the resources, which are supported by Microsoft Defender because it gives us a good amount of recommendations regarding security and vulnerability issues. We have a lot of new users that are not familiar with security protocols and the solution helps protect our systems. Some people don't have experience with security measures like enabling HTTPS, and FTPS security, setting up encryption on virtual machines, or they don't know how to set up private endpoints. For someone who is new, or doesn't have a lot of experience in this field, it is difficult to monitor everything. Microsoft Defender provides recommendations based on severity. High-severity recommendations are more important, while low-severity recommendations may not be as critical. Security reviewers can review all recommendations to make sure they are appropriate. Microsoft Defender is important for a whole variety of reasons, one of which is that it can help improve the security posture of our environment. This is important for organizations of all sizes but is particularly critical for businesses that are delivering services to customers.

Before Microsoft Defender our external team would give us updates on which ports are opening and which vulnerabilities are being attacked. Now with the recommendations of Microsoft Defender, we can find these vulnerabilities sooner and fix them. Before onboarding those respected resources into Microsoft Defender, we faced a few issues. Once we onboarded those resources, we received prompt recommendations that helped us make the organization's resources more secure. If resources are not secured, it can impact the reputation of the organization. The solution helped identify a lot of the issues, at a high priority that we could resolve.

Microsoft Defender helps any organization that needs to follow security baseline recommendations in order to improve its environment. Regarding threats, I recommend Microsoft Sentinel for detecting and hunting the threats. I can identify what exactly happened at that particular time or particular resource with the help of Microsoft Sentinel.

The solution has significantly reduced the overall time it takes us to detect issues. Most of the resources are scanned every 30 minutes, so it doesn't take much time for the solution to give us the respected recommendations.

Depending on the issue, Microsoft Defender for Cloud has helped reduce our overall time to respond. There are a few recommendations that we can fix immediately by just clicking using the UI. However, the overall time to respond to issues depends upon that respected recommendation list. There are a few things that we need to consider when it comes to the security settings of our virtual machines which can take a long time to identify and fix. 

Microsoft Defender has a lot of features including regulatory compliance and attaching workbooks but the most valuable is the recommendations it provides for each and every resource when we open Microsoft Defender.

The solution provides a security posture score, which indicates how well our environment is protected and what our rating is. It also displays the current percentage of our work that is protected. 

When there is a recommendation by Microsoft Defender that suggests using the Azure Logic App, the remediation step when a user takes action should be created automatically.

Microsoft can improve the pricing by offering a plan that is more cost-effective for small and medium organizations.

I have been using the solution for almost two years.

I give the stability of Microsoft Defender for Cloud an eight out of ten.

Microsoft Defender for Cloud is a tool that is designed to scan our resources regardless of the volume every 30 minutes.

We have the standard support plan. If we need any help, we just raise a support ticket.

Neutral

The initial setup is easy. To enable the solution, we simply need to access Microsoft Defender and enable the on button.

Currently, Microsoft offers only one plan at the enterprise level which is $15 per machine. This plan can be very costly for small and medium businesses and in some parts of the world, it is cheaper for an organization to hire a full-time security engineer instead.

I give the solution a seven out of ten.

Compared to Microsoft Defender, Microsoft Sentinel is a more mature solution. We can connect to Active Directory from Sentinel to identify risky users which is information that we can't get from Defender. If we could establish the connections to Azure Active Directory and Azure Active Threat Production plan, we could define our flow, which would be connected with the workspace. Microsoft Sentinel is more flexible and is ideal for more complex security scenarios.

The solution is applied for resources in the subscription. It does not differentiate the environment. If we select the app services, it will secure all the app services in all the environments. If it's not segregated as per the environment, it can create security issues. We have three different environments: production, QA, and dev and we can only deploy the resources in two regions, which are supported by the geo in India.

We have virtual machines that need to be patched. But the patching analysis isn't done by Defender. Our solutions provide patching recommendations that have to be completed manually.

Mostly, it's related to the vulnerability management.

Earlier, we used to do the vulnerability assessment manually, scheduling it based on our timeline, maybe every six months or once a year. Now, it helps us a lot because we can get the vulnerabilities updated and get recommendations.

The MDVM part is very good. While we were doing the POC, Microsoft Defender was using Qualys for the vulnerability. Now, they have switched to their own MDVM, which is Microsoft Defender Vulnerability Management.

The vulnerabilities are duplicated many times. If it reports that the findings are around 30 or 40, or let's say, 100, it is not the exact number as it is possible that there are multiple findings which are duplicated in nature, and actually, the number is only 62 or 67. 

Another issue after Microsoft Defender upgraded and left Qualys is that whenever the load for the report data is too high, we cannot export the report in one go, so we have to do it in batches.

I have been using the solution for two years.

The quality of the MDVM feature, one of the keys which we are getting, is many times duplicated with the same IDs.

I have contacted Microsoft for the quality issue, and they are working with us.

Positive

I did work with something similar, however, not in the same organization. In my earlier organization, I was working with Check Point and Tenable.

The pricing is good. It is license-based, and we are not utilizing all of the features, like API and other functionalities, so the cost is not that high.

I would definitely recommend Microsoft Defender for Cloud, provided they make some improvements in the MDVM part.

I'd rate the solution eight out of ten. 

My role is more on the FinOps side. My customers use it.

In specific contexts like finance or healthcare area, there are regulations requiring compliance. At this stage, we need to be able to prove we have state-of-the-art endpoint protection and the ability to show that all these tools are up-to-date with the latest updates and identified threats. This is very useful for my customers to be able to prove compliance.

Mainly, the ability to identify threats using signatures, analyze threat behavior, and integrate with other cloud services, specifically Azure Log Analytics and other logging projects. These are the features I like. 

Customers generally find it satisfactory for their needs. Most organizations struggle with the ability to handle this type of product. Sometimes, it's a lack of knowledge or expertise on Microsoft Defender, which leads to issues with certain tasks. That can be a bit difficult to figure out.

Most customer teams need more training on this type of product.

Due to the lack of expertise or hands-on experience with the product, it's sometimes difficult to determine whether the issue lies with Microsoft Defender or another related project. In the cloud, everything is tightly connected, making it challenging to pinpoint which part is failing. So, the lack of a deep understanding of the product leads to some difficulties.

In future releases, I would like to see integration of artificial intelligence to ease the administrative burden would help a lot, especially when it comes to deploying the product to fit specific contexts, architectures, or infrastructures. That would fill the gap caused by the lack of expertise or knowledge.

There are some promises that Microsoft has made, but I'm not aware if they've been fully implemented.

I have been using it for three years. 

I worked with Cybereason and other standard antivirus programs, but nothing as full-fledged as Microsoft Defender.

Overall, I would rate the solution as eight out of ten.

My recommendation heavily depends on the context, the customer's IT landscape, the maturity of the team working there, and many other factors that need to be taken into account when selecting a product. 

Microsoft Defender by itself is a good choice, but ultimately, the best option depends on the specific context.

We use the solution as a VPN and for endpoint security. 

I've seen benefits since implementing Microsoft Defender for Cloud. It's easy to manage for our large organization as an endpoint security solution. It integrates well with Office 365 and Windows 11, which is better than before. Patching, updates, and threat protection are all handled together now. Its AI features help predict threats. 

We've automated some processes, like batch updating and vulnerability detection, using AI. Our dashboard tracks every machine's IP and identifies vulnerable software. Using AI, we can gather this information and provide it to users. We also use chatbots to provide solution steps.

Microsoft Defender for Cloud is not compatible with Linux machines. 

I have been working with the product for three to four years. 

I rate the tool's stability a ten out of ten.

I rate Microsoft Defender for Cloud's scalability as nine out of ten. My company has more than 300 users. In our environment, we're using it on over 130,000 machines.

The solution's deployment process is not complex and is completed in 20 minutes. 

The solution helps to reduce costs by 20 percent. 

The solution is expensive, and I rate it a five to six out of ten. 

I would recommend the solution to others and rate it a nine out of ten. 

I use the solution for threat hunting. We've installed it on a lot of devices. I look for specific version numbers or threats within the environment.

The product has given us more insight into potential avenues for attack paths.

I like that the solution shows me recent log-ins for certain servers and devices. It's pretty helpful to track down activities and identify or tie them to specific users.

The product must improve its UI. Looking at multiple devices for the same issue or vulnerability is very cumbersome.

The solution should provide built-in features related to trending and graphing over time. If it’s already present, we haven’t found it. It doesn't seem intuitive to find it quite as easily as some other tools with ready-to-go dashboards.

I have been using the solution for two years.

The tool’s stability seems to be pretty good. I'm sure Microsoft takes care of its backend structure since it is a cloud solution.

Scalability, in general, is fine. We can deploy it on as many devices as we want. However, getting meaningful results and data out of that is not easy, especially when some of the things you're looking for might be across your entire enterprise. For example, if we want to know whether a DLL version is installed on any device, trying to get that information by going one by one through the devices is ridiculously cumbersome.

We used LogRhythm for a little bit. We switched to Microsoft Defender for Cloud because we wanted to do a cloud homogenization. We wanted to bring things away from on-premise and into the cloud because we had cloud assets. It just made more sense to have a cloud solution to manage the tools instead of pulling back into our network and opening the tunnel paths to our on-premise LogRhythm server.

The solution is deployed on-premise as well as on the public cloud. Our cloud providers are Azure and AWS. We also have some GCP assets. We have around 20,000 total devices. They don’t always correspond to an end user. Of those, maybe 12,000 to 13,000 are enrolled in Microsoft Defender for Cloud.

Other devices we have are either outdated Linux or outdated Windows. We’re trying to migrate all the ones we can, and then some of them will be those narrow use-case devices where it wouldn't really make sense or be feasible for them to have a definitive cloud. They're limited processing power devices, like iPads and tablets.

The product certainly requires maintenance.

Just based on costs, I do not see an ROI. However, evaluating a return on investment for something that provides insight into risks and vulnerabilities is not my area of expertise. In my opinion, a lot of it can't be quantified.

We have the full E5 license. The tool is pretty expensive.

We evaluated Splunk. Splunk's really expensive. It would also have been an on-premise solution. We needed a cloud solution.

We use Microsoft Defender for Cloud to support Azure natively. The solution’s ability to protect hybrid and multi-cloud environments is pretty important for us. Just as much as anyone else.

The unified portal for managing and providing visibility across hybrid and multi-cloud environments could be better with some of the ways things are displayed. Overall, it’s all right.

We have had the solution since we started cloud. I cannot provide a comparison for it. I don't pay too much attention to Microsoft Secure Score. However, I’m sure the product has affected it. We use the product to track down vulnerabilities and missing patches. When those get passed, I'm sure that it changes the score.

We have integrated Microsoft 365 and Microsoft Defender for Cloud with Microsoft Sentinel. However, I don't deal with it specifically. The tool’s UI could be better. As it is right now, we can only view information from one device at a time. It is extremely limiting.

The solution is pretty good at keeping our multi-cloud infrastructure and cloud resources secure. We use AWS, and we also have some Windows devices in AWS. We have Microsoft Defender on those.

Microsoft Defender for Cloud has helped save some of our SOC time. The reporting features, being able to search multiple devices for a specific vulnerability or incident and tying it back, are very difficult to do in the UI. There's some scripting that can be done, but that doesn't make it easier for a lot of people.

We have set up alerts in the tool. That, combined with other industry scanners like Tenable Nessus, Invicti, and a couple of others that we utilize in our environment, sends updates and alerts to us so that we can quickly respond to issues. We were not measuring TTR. So, the effect on the overall TTR is negligible.

It is hard to quantify whether the product has saved us money. We haven't seen any attacks from ransomware gangs. Possibly, those are being prevented, and we don't get alerts for some of these attacks. It has not saved us money. It's expensive. However, it is not expensive compared to all our computers being locked up, and someone demanded two million dollars.

People evaluating the product must look at other options to determine what works best for their environment and organization. It may not necessarily be the best option, but it might be. It certainly works well in a wholly Microsoft Windows environment, especially with other Microsoft software as a primary. If they’re using OfficeSuite, like Microsoft Word and Microsoft Excel, it works well. If they have other things within their environment, they must do their homework and research to see if it works.

Overall, I rate the tool a seven out of ten.

The solution provides a security score based on the environment and gives recommendations for improving that score. For example, a manual server may require patches to strengthen security, and MS Defender for Cloud informs us. We can also run a vulnerability assessment in the background of work processes to detect server vulnerabilities. We primarily operate a hybrid cloud environment with some specific on-prem integrations.

One of our clients, operating in the electronics industry, has around 1,300 endpoints, 700 users on the Windows server, and 300 other devices. There are also 100-150 users on Unix servers.

We use multiple Microsoft security products, including Defender for Cloud, Sentinel, and Defender for Endpoint. The products are integrated, and there is nothing complicated about integrating them; we provide the APIs or the credentials, and they are automatically integrated.

The product helps us prioritize threats across the enterprise, which is essential when interacting with clients, as we can show them their high-risk vulnerabilities and tackle them first.

The solution helps automate routine tasks and the finding of high-value alerts. Additionally, following the resolution of an issue, we can set up a logic app to trigger an automatic system response if it happens again.

The integrated security suite saves us time, as multiple security solutions work together seamlessly in the cloud, allowing us to take actions that could take 24-48 hours to replicate using third-party products. 

Defender for Cloud reduced our time to detect and respond; if we are faced with an issue known to the threat intelligence database or that occurred before, we don't need to invest any time at all. The solution reduced our time to detect and respond by around 50%. 

Integration with Defender for Endpoint allows us to see the health of our endpoints in terms of workload protection, which is one of the benefits of these integrations.

Microsoft solutions working natively together to provide integrated protection and coordinated detection and response is essential from a business point of view. We don't have to manage multiple tools and services from different dashboards; we can monitor and manage everything from a single point. All the generated alerts from numerous services are ingested into one solution that a single team can monitor. That's one of the best parts of using the integrated Microsoft security suite.

The solution's robust security posture is the most valuable feature.

We have a lot of firewalls, and we can manage them in the solution through the firewall manager. We can set up an Azure firewall and centralize the management policy.

The solution provides excellent visibility into threats, and it's a cloud-based integrated solution, so we don't have to worry about any third-party products or services. Microsoft provides so many options, and that's great.

Defender for Cloud generates reports we can use as an assessment, as it allows us to see the services in our environment and our points of highest risk.

The solution's threat intelligence helps us prepare for threats before they hit and take proactive steps, which is very useful for analysis. 

The most significant areas for improvement are in the security of our identity and endpoints and the posture of the cloud environment. Better protection for our cloud users and cloud apps is always welcome.

Several features are already in the pipeline, including one called External Attack Surface Management, which will be welcome additions.

The solution's stability is impressive; it's very stable.

The scalability is excellent; if we grow or shrink in the future, the scalability is there to accommodate us. I rate the solution ten out of ten in this regard.

When we have a critical issue, customer service is very prompt, and we often get support rapidly. We also get good help in our production environment.

Positive

I previously used Symantec Endpoint Detection and Response and switched because of the benefits of having a cloud-native solution. Additionally, the market is moving towards Microsoft, including many of our customers, so it makes sense for us to go with this trend.

The initial setup consists of three steps for us; first, we conduct an assessment or discovery with a client to determine their requirements and develop an understanding of their environment. Second, we design and plan the deployment to fulfill the client's requirements. Third, we implement and conduct a POC, and if successful, we roll out the entire deployment. The complexity of the setup and the number of staff required depends on the size of the business.

An example of an organization with 500-1,000 staff is that the initial information gathering takes four weeks, the design and planning stage takes two weeks, and the implementation and POC take another two weeks. Therefore, the deployment can take between eight and 15 weeks for a two-person team.

In terms of maintenance, the solution requires monitoring and routine inspection of the details across the services.

I rate the solution nine out of ten. 

DevOps security features are in the preview phase, so we may utilize the solution for that in the future.

We use Microsoft Sentinel, enabling us to ingest data from our entire ecosystem. This data ingestion is important to our security operations because information on our critical applications and services provides us with activity, audit, and application logs. This logging capability means Sentinel allows us to investigate threats and respond holistically from one place. 

To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor's security suite, I'd say there are benefits in going with a single vendor.

I use it for managing our customers' server vulnerability assessments for regular and SQL servers. I also use it to get a security score for the resources of our customers that are on Azure, as well as security posture management. 

We also have regulatory benchmarks to audit our customers' resources that are on Azure to check whether they're meeting regulatory standards like ISO 27000.

It has enabled our organization to have an organized approach to, and quick visibility, or a bird's-eye view, of the current security portion. The way the portal organizes things has allowed us to focus on the specific vulnerabilities and security gaps that have to be fixed quickly. It gives us flexibility on what we should be checking on.

Defender for Cloud has helped us reduce or close some of the key security gaps of our main assets on the cloud. It has also helped us comply with some of the regulatory compliance standards, like CIS and ISO 27000 because of its main features. And it has also helped us in terms of threat detection and vulnerability management.

Another benefit is that it has really helped detect some of the Zero-day-model threats. We've also been able to utilize the automation features to investigate and remediate some of the threats that have been discovered. It has improved the time it takes to remediate threats, mainly because of automation. The logic apps that we've been able to set in either Sentinel or Defender for Cloud are the main components that have really improved that efficiency, and the time needed for remediating threats.

The time to respond is near real time, if the logic apps are in use, because it's just a matter of putting the playbooks into action. This is something that we've tested and found is quite effective for remediation.

The solution has also saved us money over going with a standalone solution where you purchase licenses for servers for a whole year. Now, we pay only for the servers in use. With the subscription-based model for servers, you're only paying per hour and only when the server is being utilized.

The main feature is the security posture assessment through the security score. I find that to be very helpful because it gives us guidance on what needs to be secured and recommendations on how to secure the workloads that have been onboarded.

Another component, although I can't say it's specific to Defender for Cloud, is that the onboarding process is easy. I find that helpful compared with the competitors' solutions. Onboarding the resources into Defender for Cloud is quite easy.

Also, we have integrated Microsoft 365 and Microsoft Defender for Cloud with Microsoft Sentinel and the integration is actually just a click of a button. It's very easy. You just click to connect the data sources and Microsoft Sentinel. Having them work together is an advantage. I like the fact that the main threat notification console has moved to Security Center so that we don't have to go into each of these solutions. It's beneficial having the three solutions working together in terms of the investigations that we have been doing with them.

The threat intelligence is quite good at detecting multi-level threats. If, for example, you integrate Defender for Endpoint and 365 and Defender for Identity, the threat intelligence is able to grab these two signals and provide good insights into, and a good, positive view of the threats.

The solution's portal is very easy to use, but there's one key component that is missing when it comes to managing policies. For example, if I've onboarded my server and I need to specify antivirus policies, there's no option to do that on the portal. I will have to go to Intune to deploy them. That is one main aspect that is missing and it's worrisome.

Defender for Cloud, as a solution, allows you to manage and protect servers from vulnerabilities without using Defender for Servers. I find it a bit weird, if you are to manage the antivirus for servers on the portal, that you can't deploy the antivirus policies on the same portal. For instance, if you want to exclude a particular folder from an antivirus scan or if you want to disable the antivirus from the portal, you'll not ideally do it on the portal. That's a huge part that is currently missing.

Also, some thought has to be put into the issue of false positives. We've been seeing false positives that are related to Sentinel through the integration. We have been giving them this feedback, but I don't know if that is something that Microsoft is working on.

The time for detection is one of the things that we were also supposed to raise with the Microsoft team. There is a slight delay in terms of detection. That "immediate" factor isn't there. There's a need to improve the time to detection. When malware has been detected by Defender for Endpoint, we find that it takes approximately one to two minutes before the signal reaches Defender for Cloud. If that could be reduced to near-real-time, that would be helpful. That's one of the key areas that should be improved because we've done some simulations on that.

I have been using Microsoft Defender for Cloud for three years.

It's quite stable. In my experience, there have been no issues with the stability.

Because we have Premium Support, the support is quite okay. We are able to get answers to most of the queries that we raise.

Positive

The initial setup is quite easy, especially if it's for non-servers. It's just a matter of enabling and disabling servers, using the Azure app.

And the solution doesn't require any maintenance on our side.

There are improvements that have to be made to the licensing. Currently, for servers, it has to be done by grouping the servers on a single subscription and that means that each server is subject to the same planning. We don't have an option whereby, if all those resources are in one subscription, we can have each of the individual servers subject to different planning.

There's no option for specifying that "Server A should be in Plan 1 and server B should be in Plan 2," because the servers are in the same subscription. That's something that can be fixed. 

Also, there needs to be a clear description by Microsoft for those customers who have Defender for Endpoint for Servers and Defender for Servers because now they don't know which subscription they should purchase.

I've used many solutions, but Defender for Cloud is in its own class. You can't compare it with third-party solutions because those solutions either have a third-party antivirus or they're not integrated in the same way as Defender for Cloud is. Because Defender for Cloud integrates multiple solutions within it, like Defender for Endpoint, other workloads, and the firewall manager, it stands on its own as a single solution that contains all these solutions.