Modern Work and Security Lead at Cloud Productivity Solutions
Real User
Helps us focus on specific vulnerabilities and security gaps that have to be fixed quickly
Pros and Cons
  • "The main feature is the security posture assessment through the security score. I find that to be very helpful because it gives us guidance on what needs to be secured and recommendations on how to secure the workloads that have been onboarded."
  • "The solution's portal is very easy to use, but there's one key component that is missing when it comes to managing policies. For example, if I've onboarded my server and I need to specify antivirus policies, there's no option to do that on the portal. I will have to go to Intune to deploy them. That is one main aspect that is missing and it's worrisome."

What is our primary use case?

I use it for managing our customers' server vulnerability assessments for regular and SQL servers. I also use it to get a security score for the resources of our customers that are on Azure, as well as security posture management. 

We also have regulatory benchmarks to audit our customers' resources that are on Azure to check whether they're meeting regulatory standards like ISO 27000.

How has it helped my organization?

It has enabled our organization to have an organized approach to, and quick visibility, or a bird's-eye view, of the current security portion. The way the portal organizes things has allowed us to focus on the specific vulnerabilities and security gaps that have to be fixed quickly. It gives us flexibility on what we should be checking on.

Defender for Cloud has helped us reduce or close some of the key security gaps of our main assets on the cloud. It has also helped us comply with some of the regulatory compliance standards, like CIS and ISO 27000 because of its main features. And it has also helped us in terms of threat detection and vulnerability management.

Another benefit is that it has really helped detect some of the Zero-day-model threats. We've also been able to utilize the automation features to investigate and remediate some of the threats that have been discovered. It has improved the time it takes to remediate threats, mainly because of automation. The logic apps that we've been able to set in either Sentinel or Defender for Cloud are the main components that have really improved that efficiency, and the time needed for remediating threats.

The time to respond is near real time, if the logic apps are in use, because it's just a matter of putting the playbooks into action. This is something that we've tested and found is quite effective for remediation.

The solution has also saved us money over going with a standalone solution where you purchase licenses for servers for a whole year. Now, we pay only for the servers in use. With the subscription-based model for servers, you're only paying per hour and only when the server is being utilized.

What is most valuable?

The main feature is the security posture assessment through the security score. I find that to be very helpful because it gives us guidance on what needs to be secured and recommendations on how to secure the workloads that have been onboarded.

Another component, although I can't say it's specific to Defender for Cloud, is that the onboarding process is easy. I find that helpful compared with the competitors' solutions. Onboarding the resources into Defender for Cloud is quite easy.

Also, we have integrated Microsoft 365 and Microsoft Defender for Cloud with Microsoft Sentinel and the integration is actually just a click of a button. It's very easy. You just click to connect the data sources and Microsoft Sentinel. Having them work together is an advantage. I like the fact that the main threat notification console has moved to Security Center so that we don't have to go into each of these solutions. It's beneficial having the three solutions working together in terms of the investigations that we have been doing with them.

The threat intelligence is quite good at detecting multi-level threats. If, for example, you integrate Defender for Endpoint and 365 and Defender for Identity, the threat intelligence is able to grab these two signals and provide good insights into, and a good, positive view of the threats.

What needs improvement?

The solution's portal is very easy to use, but there's one key component that is missing when it comes to managing policies. For example, if I've onboarded my server and I need to specify antivirus policies, there's no option to do that on the portal. I will have to go to Intune to deploy them. That is one main aspect that is missing and it's worrisome.

Defender for Cloud, as a solution, allows you to manage and protect servers from vulnerabilities without using Defender for Servers. I find it a bit weird, if you are to manage the antivirus for servers on the portal, that you can't deploy the antivirus policies on the same portal. For instance, if you want to exclude a particular folder from an antivirus scan or if you want to disable the antivirus from the portal, you'll not ideally do it on the portal. That's a huge part that is currently missing.

Also, some thought has to be put into the issue of false positives. We've been seeing false positives that are related to Sentinel through the integration. We have been giving them this feedback, but I don't know if that is something that Microsoft is working on.

The time for detection is one of the things that we were also supposed to raise with the Microsoft team. There is a slight delay in terms of detection. That "immediate" factor isn't there. There's a need to improve the time to detection. When malware has been detected by Defender for Endpoint, we find that it takes approximately one to two minutes before the signal reaches Defender for Cloud. If that could be reduced to near-real-time, that would be helpful. That's one of the key areas that should be improved because we've done some simulations on that.

Buyer's Guide
Microsoft Defender for Cloud
May 2025
Learn what your peers think about Microsoft Defender for Cloud. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
856,873 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Microsoft Defender for Cloud for three years.

What do I think about the stability of the solution?

It's quite stable. In my experience, there have been no issues with the stability.

How are customer service and support?

Because we have Premium Support, the support is quite okay. We are able to get answers to most of the queries that we raise.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is quite easy, especially if it's for non-servers. It's just a matter of enabling and disabling servers, using the Azure app.

And the solution doesn't require any maintenance on our side.

What's my experience with pricing, setup cost, and licensing?

There are improvements that have to be made to the licensing. Currently, for servers, it has to be done by grouping the servers on a single subscription and that means that each server is subject to the same planning. We don't have an option whereby, if all those resources are in one subscription, we can have each of the individual servers subject to different planning.

There's no option for specifying that "Server A should be in Plan 1 and server B should be in Plan 2," because the servers are in the same subscription. That's something that can be fixed. 

Also, there needs to be a clear description by Microsoft for those customers who have Defender for Endpoint for Servers and Defender for Servers because now they don't know which subscription they should purchase.

Which other solutions did I evaluate?

I've used many solutions, but Defender for Cloud is in its own class. You can't compare it with third-party solutions because those solutions either have a third-party antivirus or they're not integrated in the same way as Defender for Cloud is. Because Defender for Cloud integrates multiple solutions within it, like Defender for Endpoint, other workloads, and the firewall manager, it stands on its own as a single solution that contains all these solutions. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
reviewer2306103 - PeerSpot reviewer
IT Advisor / Principal Architect at a tech services company with 1-10 employees
Real User
Top 20
Integrates well with other Microsoft solutions, is flexible, and stable
Pros and Cons
  • "The entire Defender Suite is tightly coupled, integrated, and collaborative."
  • "The documentation could be much clearer."

What is our primary use case?

We use Microsoft Defender for Cloud for our cloud security.

How has it helped my organization?

I like Defender's bidirectional sync. It's a behind-the-scenes feature, but it's very important. I like how it's integrated with and collaborates with other products by design. This is especially true between Sentinel, Security Center, and Defender.

What is most valuable?

The entire Defender Suite is tightly coupled, integrated, and collaborative. This allows me to have more flexibility in the roles and responsibilities of my teams, the access to their tooling, and the ability to report accurately on the current threat posture. For example, if I have Sentinel and CloudApp, and someone closes an incident in CloudApp, it will also close in Sentinel. However, if I had CloudApp in Splunk, this would not be the case. This integration is what I like.

What needs improvement?

The documentation could be much clearer. I also think that Microsoft should stop rebranding everything constantly. I'm tired of every name changing every 90 days. It's ridiculous. I understand that they're coupling tools together but look at AIP. It has had over 14 names in the last five years. That's absurd. Microsoft needs to stop rebranding everything and stick with one brand. They can build them out from there.

I like the fact that the dashboards are integrated, but I don't like that the CloudApp is now mapped to the Security dashboard. I hate that. I should be able to map dashboards myself. Having one dashboard is great for some people, but I have people who do Endpoint Management and they don't do Incident Management. They're two different groups. I should be able to send them to different portals if I want to. They're not all working out of the same portal. I do like that the dashboards have the option to be put into one portal, the Security portal, but I don't like that now I have to figure out where Microsoft moved everything. I liked it better when they were separate, so I could isolate and assign groups to each tool. Now that they're putting all the portals together, it's more complicated. I like the idea of a single pane of glass, but I think they're adding too much change too quickly without explaining the main purpose or mission of each product. And they're not making a clear distinction between them. When we put them all in one portal, it just adds more confusion. For example, in CloudApps, I see incidents in the "Incidents" section, but in the new Security portal, incidents are not in the CloudApp section. People don't need to search for stuff. They knew how to do it before. Microsoft needs to stop changing things so often. I believe in change, but not every other month.

Defender's threat intelligence is useless, I think, because it didn't see SolarWinds coming. After SolarWinds, if we even mention their analytics and threat intelligence, it's just evidence that it doesn't exist. It didn't even see SolarWinds coming. The only value I see in their threat intelligence, from a marketing perspective, is that it allows me to leave logs in their native location and tell clients to leave them longer. So if they find something like SolarWinds later on, they can go back and look through older logs and find it again. After SolarWinds, I'm not impressed at all by anything Microsoft says about their multi-billion dollar login.

For how long have I used the solution?

I have been using Microsoft Defender for Cloud for over ten years since it was part of the Defender Suite.

What do I think about the stability of the solution?

We have not had any complaints from our clients about the stability of Microsoft Defender for Cloud.

What do I think about the scalability of the solution?

I've questioned Microsoft's claims about the scalability of Defender for Cloud. I don't think their claims are accurate. I don't think we could scale Defender for Cloud to the level that Microsoft claims. Microsoft tells me that I could let my Log Analytics scale, but I think there must be a limit.

How are customer service and support?

We have always had good experiences with the technical support through the portal.

How would you rate customer service and support?

Positive

How was the initial setup?

The deployment is easy as long as we understand the licensing and what we are doing. The deployment was completed as a team.

What's my experience with pricing, setup cost, and licensing?

Our clients complain about the cost of Microsoft Defender for Cloud. Microsoft needs to bring the cost down. What we're doing to their detriment is simply lowering the amount of log retention we're keeping, which is not what I want to do. Storage is so cheap in every other aspect of Azure except for Log Analytics, which makes it even more difficult to explain to clients why we're charging them so much for terabytes of storage. In comparison, data lakes and storage accounts store terabytes of data for much less cost.

What other advice do I have?

I would rate Microsoft Defender for Cloud eight out of ten, mostly because of documentation and availability of information. The difference between the Azure Active Directory Premium P1 and P2 licenses lies not only in their capabilities but also in the amount of logging that is performed for each user. I need to know what is and is not being logged, and which security events are not being logged. I can't find a list of these events anywhere. What is the difference between a one-year retention license and a 180-day license? What additional logging is performed with the one-year license? Microsoft has mentioned that advanced auditing is occurring, but I don't know which events they are getting. I would like to see a list of all the events that are logged, from least to most. This list would probably look like a triangle, with a few items at the top and more and more items as we go down. I would like to see this list for both the AAD Premium P1 and P2 licenses. I can't get this list. My client has asked me what events we are not capturing, and my answer is that I don't know because I can't find it. Microsoft won't give me a list of the events that are logged, either. They can only reference the services that the events map to. I want to know the events. The uncertainty and doubt around this is a security feature. Microsoft is trying to make me buy the product because they know that if I get hacked, I could be liable for malpractice. But I'm not going to buy it without more details. I'm very upset that they didn't provide more information.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
RonBrouwer - PeerSpot reviewer
Architect Information Security at an agriculture company with 1,001-5,000 employees
Real User
Integrated solution that provides extra security and comprehensive threat protection in our environment
Pros and Cons
  • "Threat protection is comprehensive and simple."
  • "Sometimes it's very difficult to determine when I need Microsoft Defender for Cloud for a special resource group or a special kind of product."

What is our primary use case?

We use Microsoft Defender for Cloud as one of the sources for our Azure environment. We have a managed detection response solution, and we add data sources to it, like SOC, SIEM, and SOAR solutions. We also want to have data in our Azure cloud environment.

We deploy this solution in multiple regions like Europe and Oceania.

We have multiple solutions like our data analytics platform and our system development platform. Our web shops use it. Almost everything is in the cloud.

We have approximately 2,000 end users.

The solution is deployed on the Microsoft Azure cloud.

How has it helped my organization?

The solution helps our teams to be more aware of security and protects our environment.

Most importantly, it's an integrated solution. We also use Defender for Endpoint. For Office 365, we use Defender for Identity. 

We have integrated some of these products into our MDR solution. It's not a Microsoft Sentinel SOC, but we have a SOC/SIEM from a third party.

It's really easy to integrate because it's just an interface, a Microsoft Graph security API. We can collect all the data and forward it to our solution.

This solution is for detection and response, so it helps us prepare for potential threats. We have special teams for threat hunting the data.

What is most valuable?

We use this solution for extra security in our environment. We secured our Azure cloud environment with firewalls and application gateways, but we also want to have trust in our resource groups. That's an extra line of defense for our security.

We don't use the interface a lot because we use it as a data source for our MDR solution. The MDR solution is our main interface.

These solutions work natively together because we don't just use Microsoft products as a data source. We use all kinds of security products as data sources, like our firewalls, gateways, and event collections from Windows and Unix.

Threat protection is comprehensive and simple. We have an enterprise agreement with Microsoft itself, but we also have CSP contracts with several parties, so we can easily get the licenses we need. It's very easy to install.

What needs improvement?

Sometimes it's very difficult to determine when I need Microsoft Defender for Cloud for a special resource group or a special kind of product.

In Defender for Endpoint, the software is capable of acting immediately if something occurs. If an attacker wants to encrypt the disk, for instance, we're able to react immediately. I don't know if Defender for Cloud has the same capabilities.

For how long have I used the solution?

I have used this solution for about a year and a half.

What do I think about the stability of the solution?

At the moment, I think it's a very stable solution. We haven't had any problems with it.

What do I think about the scalability of the solution?

It's scalable.

How are customer service and support?

From Microsoft's perspective, it's fine. We don't have any issues at the moment.

I would rate technical support an eight out of ten. 

How was the initial setup?

The initial setup is straightforward. It took 10 seconds.

We have a Cloud Security Provider, so I don't know how much time they spent on deployment.

The solution hasn't required any maintenance yet. We are trying to innovate each solution. It's an ongoing business process to innovate.

What was our ROI?

We haven't seen ROI yet, but we plan to. The first sign is safety first. Safety will cost money, so it shouldn't be too much.

What's my experience with pricing, setup cost, and licensing?

Pricing is difficult because each license has its own metrics and cost.

Which other solutions did I evaluate?

We evaluated other options. We have a lot of other products like McAfee, but we are changing everything to Microsoft Defender.

We decided to switch because we want to have an overall standard that's enterprise-wide so that everything is easier to manage and the data it delivers is all the same. We wanted to have one view of everything.

What other advice do I have?

I would rate this solution an eight out of ten because we don't use all of the capabilities yet. At the moment, we still only use the data sources. I'm happy with it so far.

Instead of a single vendor security suite, I like having at least two so that they can challenge each other.

Microsoft Defender helps us prioritize threats across our enterprise, but we only prioritize our high-risk resources with Defender products.

It's difficult to say if the solution saved us time because we use it for our Azure cloud environment, so we're working in the cloud.

At the moment, we're not saving money. The solution costs our company money. It's like having insurance: It doesn't save costs, but it might save us costs if something happens. It's about risk.

It hasn't decreased our time to detect and respond yet, but it should be because we have our data source on Endpoint and in the cloud. It's an integrated solution. When we find something anywhere, we can act everywhere. We have more possibilities.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
OkhanBABUCCU - PeerSpot reviewer
Microsoft Solutions Manager at CloudCan
Real User
Top 20
Provides latest threat detection capabilities and good technical support services
Pros and Cons
  • "The most valuable features offer the latest threat detection and response capabilities."
  • "The product's advanced analytics and reporting features could be improved."

What is our primary use case?

Our use case for the solution is focused on cost management and security in a multi-cloud environment. We use it alongside solutions like SIEM tools and deploy it as part of a broader security strategy.

How has it helped my organization?

The platform has improved our security posture by providing comprehensive threat detection and response capabilities. It helps in managing security across various environments effectively. However, we occasionally encounter issues when on-site products conflict with this solution.

What is most valuable?

The product's most valuable features offer the latest threat detection and response capabilities. These features are crucial for our SMB customers, especially given the high inflation in Turkey, which impacts cost considerations.

What needs improvement?

The product's advanced analytics and reporting features could be improved.

For how long have I used the solution?

I have been using Microsoft Defender for Cloud for about three to four years.

What do I think about the stability of the solution?

The product performs reliably across various environments.

What do I think about the scalability of the solution?

The platform's scalability is excellent. It is well-suited for both small and large organizations.

How are customer service and support?

The support team is responsive and offers valuable assistance.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup can vary in complexity depending on the existing environment and the number of users. It's relatively straightforward for smaller setups, but larger deployments can be more complex.

What about the implementation team?

We handle the deployment and integration ourselves.

What was our ROI?

The solution's ROI is positive, given its comprehensive security features and integration capabilities, which justify the investment.

What's my experience with pricing, setup cost, and licensing?

The product's pricing policy is generally favorable.

Which other solutions did I evaluate?

We evaluated other options, but Microsoft Defender for Cloud was chosen for its strong integration with other Microsoft products and comprehensive feature set.

What other advice do I have?

The solution is robust, but staying updated with the latest features and best practices is crucial to maximize its benefits.

Overall, I rate it a nine out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer:
reviewer2000310 - PeerSpot reviewer
Information Security Specialist-Associate Consultant at a tech services company with 5,001-10,000 employees
Reseller
Scans for vulnerabilities in a cloud environment, gives recommendations according to the framework, and improves our Secure Score
Pros and Cons
  • "The security policy is the most valuable feature for us. We can go into the environment settings and attach any globally recognized framework like ISO or any benchmark."
  • "After getting a recommendation, it takes time for the solution to refresh properly to show that the problem has been eliminated."

What is our primary use case?

We use Microsoft Defender to scan for vulnerabilities related to any container or server in the cloud environment in Azure. Microsoft Defender suggests recommendations and security alerts according to the default framework. We can also use other frameworks like ISO benchmarks to assess our infrastructure and get recommendations on what can be fixed.

The solution is deployed on a public cloud, and Azure is the cloud provider.

We use Microsoft Defender for Cloud to natively support Azure.

We are resellers. We customize the solution and sell it to clients.

How has it helped my organization?

The solution has improved our organization in terms of benchmarking. Our Secure Score has improved a lot, and we're compliant with particular benchmarks.

The single-pane-of-glass view gives us the Secure Score in a single dashboard. It shows us all of the collective resources we have, including what is on-premises and on the cloud. It's a single graphical representation and a unified view that we can customize according to the client. We can adjust the Secure Score dashboard to show whatever the client wants to see. It can show the Secure Score, security alerts, and compliance score. The compliance score shows how compliant the environment is.

Our current security posture is a combination of the benchmark plus Zero Trust. We have a set of policies in Zero Trust that covers all six layers of the cloud, like identity, network, infrastructure, applications, endpoint, and end data. It's structured to cover every aspect of the cloud using the customized policy in Microsoft Defender.

The solution has improved our Microsoft Security Score a lot. 

Microsoft Defender is set to scan the virtual machines, SQL databases, and private endpoints every 30 minutes. For some of them, we just clicked "quick fix" and it created a private endpoint instantly and showed that it was rectified. Those quick fixes were instantaneous.

For our response time, critical findings take approximately two days while medium findings take three to seven days.

The solution has increased our efficiency.

What is most valuable?

The security policy is the most valuable feature for us. We can go into the environment settings and attach any globally recognized framework like ISO or any benchmark. We can also use our customized benchmark, like Zero Trust, if we want to implement it.

We can deploy different net agents on the on-premises assets, and Defender will scan those on-premises resources and give us recommendations to fix them.

The solution gives us recommendations to enable a DDoS protection plan on our virtual network. Right now, the DDoS, enforcing MFA, and conditional access policies make our organization more secure.

It's a good tool for keeping multi-cloud infrastructure and cloud resources secure. It's a market leader right now.

What needs improvement?

Right now, the solution covers a limited set of resources. If taken into scope, it will improve more.

After getting a recommendation, it takes time for the solution to refresh properly to show that the problem has been eliminated. 

Sometimes we'll receive a recommendation, but the problem still won't be fixed. This could be due to end-of-life machines. If the solution isn't properly refreshed, we need to wait for two or three days to remove those recommendations. Sometimes we have to reach out to Microsoft to check why the problem hasn't been fixed after following the recommendations.

For example, after a recommendation about AML files, it didn't show that the fix had been applied even though it was. It took more than four days to show that the fix had been applied. 

There are some policies that we're not able to use due to some business justifications. For instance, the storage account should be private, but it's public because a third party is interacting with that storage account and we can't limit the public access because there is no whitelisting available in terms of IPs.

For how long have I used the solution?

I have used this solution for three years.

What do I think about the scalability of the solution?

It's scalable, but it's an additional cost to increase the scalability.

How are customer service and support?

I would rate the technical support a seven out of ten. They respond quickly and give us detailed information.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We have also used CSPMs and other tools, but there were some limitations there. Defender gives us more customization in terms of frameworks, which is why we chose it.

How was the initial setup?

The initial setup was straightforward. It took one day. We used two full-time team members for deployment. 

What about the implementation team?

We deployed the solution in-house and designed the architecture.

What was our ROI?

This solution saved us money.

What's my experience with pricing, setup cost, and licensing?

There are two different plans. We're using the secure basic plan, but we have used the end security plan as well. There are additional costs, but it gives us more functionalities compared to the basic plan. It provides threat detection and integration capabilities. We have not enabled that due to the cost, but it's a possibility.

What other advice do I have?

I would rate this solution an eight out of ten. Using this solution gave us confidence.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer1881378 - PeerSpot reviewer
Student with 1,001-5,000 employees
Real User
Seamlessly integrated and improves security but should be more tailored to micro-segmentation
Pros and Cons
  • "It works seamlessly on the Azure platform because it's a Microsoft app. Its setup is similar, so if you already have a Microsoft account, it just flows into it."
  • "From my own perspective, they just need a product that is tailored to micro-segmentation so I can configure rules for multiple systems at once and manage it."

What is our primary use case?

I work on micro-segmentation for my master's thesis, and I was looking for ways to implement micro-segmentation using Defender. I work on the assumption that small businesses can't implement expensive virtualization solutions, so I'm looking for alternatives to implement micro-segmentation for their network security.

I use the latest version of the solution.

It's a test deployment. I created the entire network. It's more like a laboratory setup.

How has it helped my organization?

The solution does what I want it to do. If you're already on Microsoft, this solution comes bundled with it. It's seamlessly integrated, and it improves security because I can determine who can access what applications and who or what my applications communicate with. It improves the transparency and visibility of the traffic in and out of the network of each workload on my system.

The benefits were realized almost immediately.

Compared to other products, it hasn't helped save SOC time or increase efficiency. I'm focused on micro-segmentation, so compared to other products, it wasn't built for that, but it can be adapted to it.

I'm not sure that the effect on my overall time for detection can be measured, but for non-threats, it's almost effective. The notification system is effective too. It lets me know as soon as there's a problem.

What is most valuable?

I use this solution to natively support Azure. It works seamlessly on the Azure platform because it's a Microsoft app. Its setup is similar, so if you already have a Microsoft account, it just flows into it.

It's very important to me that the solution has the ability to protect hybrid and multi-cloud environments. 

I'm looking to implement the solution in SMEs that might use different environments. Most SMEs don't have the resources to own their infrastructure entirely, so I can't really predict what environment they will be used in. Therefore, I need a solution that is flexible enough to work in multiple environments, both online and offline. The only limiting factor is that I cannot use this solution on platforms that aren't Microsoft.

The single pane of glass view is very important for me. It's great to be able to see everything at once and go where I need to very quickly. It's also easy to use if you've used any Microsoft product before. It allows me to see everything I want at a glance. I didn't think it was important until I started to use it, and then I realized how convenient it was.

For micro-segmentation, the unified portal has had an effect on my cloud security posture, but it's a lot of work because I have to configure the rules individually. It's difficult to compare this solution to a product like NSX or any other specialized micro-segmentation product, because I'm trying to get a solution for small businesses that have about 10 PCs or 10 systems at the most.

It effectively defends against known threats. It also updates regularly, so the threat signatures are updated regularly, but I don't know how often the database is updated on Microsoft, so I can't really quantify its effectiveness against either zero-day threats or new threats.

I've only tried it on Azure cloud and it's effective. I've only used it on a single-cloud structure.

Right now, I'm setting rules for incoming and outgoing traffic for different applications.

What needs improvement?

From my own perspective, they just need a product that is tailored to micro-segmentation so I can configure rules for multiple systems at once and manage it. Instead of having to set up individual rules for individual applications, there should be a system that can allow me to set up multiple rules at once and can automatically update the rules as the infrastructure changes.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

In general, the scalability is good. It wasn't built for my use case, which is micro-segmentation. If I had 100 systems, it would be a lot of work for me.

How are customer service and support?

I have not had to call or get in touch with them, but there's a lot of documentation online. I've found a lot of what I need without having to contact anyone.

The documentation is excellent. There's a lot from Microsoft and other providers. I think it's a fairly popular system.

How was the initial setup?

It was straightforward. I was the only person that deployed and tested the solution.

Initial deployment took a day, but the initial configuration rule setting took a while because it was my first time using the system.

The first step was to set up the cloud, install some test applications that I needed to protect, and then configure rules for traffic between the applications, and then between the application and external networks.

The solution doesn't really require any maintenance. It's fairly automatic. Once it's up and running, it pretty much works.

What's my experience with pricing, setup cost, and licensing?

The cost is fair. There aren't any costs in addition to the standard licensing fee.

Which other solutions did I evaluate?

I didn't evaluate other options because I use this solution for thesis research. I researched which solution was the most used cloud and picked Azure.

What other advice do I have?

I would rate this solution six out of ten. 

As a perimeter defense system, I would rate the solution a seven. As a micro-segmentation system or application, I would rate it a four.

As a perimeter defense solution, it's excellent. As a micro-segmentation product, it's not so great, especially if you have a lot of systems. It's not the product's fault because I don't think that's what it was built for.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user1583334 - PeerSpot reviewer
Network & Security Manager at SNP Technologies, Inc.
Real User
Provides us with recommendations for improving security and enables benchmarking of infrastructure for compliance
Pros and Cons
  • "It has seamless integration with any of the services I mentioned, on Azure, such as IaaS platforms, virtual machines, applications, or databases, because it's an in-house product from Microsoft within the Azure ecosystem."
  • "If a customer is already using Okta as an SSO in its entire environment, they will want to continue with it. But Security Center doesn't understand that and keeps making recommendations. It would help if it let us resolve a recommendation, even if it is not implemented."

What is our primary use case?

Typically, when we have a scenario where a client wants to migrate their resources to Azure, they might migrate their IaaS platforms, such as virtual machines; they might migrate their applications or their databases; they could also migrate into Kubernetes services. There are a variety of projects. I work for many types of customers where all these different scenarios are involved, including applications, app services, database as a service, IaaS by default, and Kubernetes.

How has it helped my organization?

With a project that I recently completed for one of our customers, the requirement was around their bidding application on-prem, utilizing different cognitive services and AI modules on Azure. They wanted to containerize this entire application with AKS, Azure Kubernetes Services. They did so, and Security Center was integrated with this entire AKS system. What Security Center provided us with was a solution for how we could better secure this entire environment. It provided some recommendations on pod security and how the pods do not need to communicate with each other. It recommended isolating these pods for better security, so that even if a certain user got access to a pod, or a certain threat was detected for one of the pods, we wouldn't have to worry about the entire system being compromised. By implementing the recommendation, if a pod is compromised, only that pod is affected and can be destroyed anytime by the AKS system.

Another recommendation was for enabling some edge layer WAF services, by leveraging a Microsoft out-of-the-box solution like Front Door. Security Center said, "Okay, now that the application is being accessed over the public internet, it is not as secure as it could be." An edge solution, like an application delivery controller such as a WAF or a CDN service, was another option. It could be anything that sits at the edge and manages the traffic so that only authorized access is allowed within the network. Security Center recommended Front Door, or we could leverage other solutions like Cloudflare, or a vendor-specific solution like F5. We could then make sure that any Layer 7 security is handled at the edge and doesn't affect the application inside. SSL offloading is taken care of at the edge. Any region-specific blocking is also taken care of at the edge. If an application is only accessed in the U.S., we can block locations at scale with this solution. That is how Security Center provided us with some recommendations for better securing the environment.

Another way that Security Center can help is that it can benchmark the infrastructure in terms of compliance. Compliance-based infrastructure is one of the norms nowadays. If an application is health-based or it's a Fintech-based application, certain standards like HIPAA, NIST, or PCI need to be followed by default. Auditors or compliance teams used to run through a manual checklist to make sure that the environment was secure. But with Security Center, we can do it via an automated layer, introducing regulatory compliance policies. Security Center performs scanning of the entire environment, in regard to the policies, in real time. Using the example of the bidding system, it's a Fintech environment and, while having NIST is not mandatory, we could enable a benchmark run-through, to make sure the infrastructure is NIST-compliant.

With Security Center, we applied policies that align with these types of compliance. Security Center takes these policies and runs through the infrastructure to see what the gaps are and provides us with a report on what is compliant on the infrastructure and what is non-compliant. We can fix those non-compliant parts.

What is most valuable?

For any type of service, I would recommend the go-to solution for security on Azure is Security Center. The first advantage is that it has seamless integration with any of the services I mentioned, on Azure, such as IaaS platforms, virtual machines, applications, or databases, because it's an in-house product from Microsoft within the Azure ecosystem. It has seamless integration with their Log Analytics workspaces, and it also provides some insights into what can be a better solution when it comes to securing their environment.

When it comes to improving the security posture, whenever we have a small project for a customer where they want to migrate their resources into Azure, once the resources are migrated, such as the ones I noted above, we go ahead and integrate Security Center in various ways. One of those ways is to use an agent that can be installed on virtual machines so that we can extensively monitor security alerts or threats that happen on the device. 

But for platforms as a service, we can't have an agent installed, so it integrates with the Log Analytics workspace. For any PaaS services, or a database as a service, or data lakes, we take their Log Analytics workspace and integrate it with Security Center. Once we have integrated it, Security Center discovers the resources, determines what the different configurations are, and provides us with some recommendations for the best practices that Microsoft suggests.

For example, if the Security Center agent is installed on a virtual machine and it scans the environment and identifies that the access to this VM is public and also doesn't have any MFA, it will recommend that blocking public access is one of the best practices to make sure that only safe access is allowed. Along with that, it can also provide us with some insights about enabling MFA solutions that can provide an additional security layer. Those are examples of things that Security Center can recommend for providing a more secure infrastructure.

What needs improvement?

There is a slight gap between the real-time monitoring and real-time alerts. While Security Center has the ability to detect sophisticated attacks or understand potential threats, I feel that if the response time could be improved, that would be a good sign.

In addition, when it provides recommendations, those recommendations have a standard structure. But not all the recommendations work for a given environment. For example, if a customer is already using a third-party MFA solution, Microsoft doesn't understand that, because Microsoft looks into its own MFA and, if not, it will provide a recommendation like, "MFA is suggested as a way to improve." But there are already some great solutions out there like Okta or Duo, multi-factor authentication services. If a customer is already using Okta as an SSO in its entire environment, they will want to continue with it. But Security Center doesn't understand that and keeps making recommendations. It would help if it let us resolve a recommendation, even if it is not implemented.

Security Center provides what it calls secure score. This secure score is dependent on the recommendations. It tells you that if you resolve this recommendation, your secure score will be improved. In the case where a client is already using MFA, but the particular recommendation is not resolved, there is no improvement in the secure score. There is a huge mismatch in terms of recommendations and the alignment of secure score. MFA is just one small example, but there are many recommendations that depend on the client environment. There is room for improvement here and it would help a lot.

For how long have I used the solution?

I'm a network and security architect for a Microsoft Gold partner. I have been extensively using Azure for five years and have been involved in multiple security and network projects. I have been using Security Center, specifically, for more than three years on Azure, applying recommendations and working on integrations with other services, etc.

What do I think about the stability of the solution?

The performance is pretty crisp. Because it is a platform service, we don't have to worry about the availability or response time. It's all managed via Microsoft. The performance is good for now, but it can be improved. It could be more real-time. There are many things that Security Center does in the background, so that may make the response time a bit slow. If we apply certain policies, it will run through the entire environment and give us a report after about 30 to 45 minutes. That layer could be improved.

What do I think about the scalability of the solution?

This is a platform service and Microsoft has scalability under its control. It can scale to all of Azure.

How are customer service and technical support?

As a Microsoft Gold partner, most of the time we work directly with the engineering team or with the Microsoft sales team. Because we are working day-in and day-out with Security Center, we are well aware of its issues, capabilities, features, and the depth of its tools. The basic, level-one or level-two support team just follows a standard.

But there has been a huge improvement in terms of Microsoft support and they provide some really good support for Security Center.

How was the initial setup?

The initial setup is very straightforward. There's nothing complex about it.

Implementation generally doesn't take a huge amount of time. Because Security Center is a service, the agents need to be installed on a virtual machine or servers. If it's an IaaS application or platform services, the log analytics need to be integrated. In an environment with about 30 or 50 servers, we could run the script and complete the onboarding of the servers into Security Center within a day, and the same is true for platform services.

But it's not just about onboarding it because Security Center also provides some recommendations, and we work on those.

I lead a team of four people who work specifically on Security Center. There are other sections of Azure Security that they work on, such as Azure Sentinel, Azure ADP, Microsoft 365 security and compliance for our portals. But for these four people, about 25 to 30 percent of their roles involve managing Security Center.

What was our ROI?

The return on investment is pretty great in terms of the feature set that Security Center provides. There are so many solutions out there that can do similar things, but at the same time, they do not have such seamless integration with other services on Azure. The return on investment is in the ease of management and the great visibility.

What's my experience with pricing, setup cost, and licensing?

Pricing and licensing is a standard process. It's not as complicated as other Microsoft licensing solutions. Security Center charges $15 per resource for any workload that you onboard into it. They charge per VM or per database server or per application. It's not like Microsoft 365 licensing, where there are levels like E3 and E5. Security Center is pretty straightforward. With Security Center, there are no other fees in addition to the standard licensing fees.

Which other solutions did I evaluate?

We have other, third-party vendor solutions, but Security Center provides that seamless integration, along with some insights that other platform services do not. There aren't a lot of other vendors out there that can integrate with Azure platform services. It's the only solution that we recommend.

Other solutions include Qualys, Rapid7, Tenable, and Nessus. As system integrators, we generally recommend Security Center. But if a client has already made a huge investment in Tenable or Qualys, they will want to continue with that. If a client does switch, they will see the advantages of all the integrations and services that can all work together. They will have a single pane of control.

The seamless integration is one of the key benefits. It integrates well with the whole Azure ecosystem. A second advantage is not having to worry if Security Center will be able to scale. A third advantage is that it is an all-in-one service. You don't have to have multiple services for threat protection, for endpoint protection, for recommendations, and for compliance. This is one tool that can do a lot.

In terms of the cons of Security Center, there are a lot of things. Vulnerability management is available, but vulnerability assessment is not available within Security Center. That is a huge gap. As of now, Security Center relies on third-party tools in this area and we have to integrate it with them. There is also the lack of custom recommendations for the environment. That is a feature that would be helpful.

When it comes to endpoint solutions, Microsoft ATP is available, but some of our clients already have a solution such as CrowdStrike.

What other advice do I have?

My advice is to go with Security Center. It's a really good tool and provides some good recommendations for the environment. Other tools can provide recommendations, but then we have to do them manually. Security Center does them automatically. That's one of the advantages that stands out compared to other tools. For anyone who asks, "Why Security Center?" I would tell them that if all their resources are being deployed, or all their applications are being hosted on Azure, this is the only solution, the best solution, out there.

I don't think there is much effect on end-user experience here, because whenever you talk about Security Center, the agents or tools are applicable to the underlying infrastructure rather than the end-user. For example, an application is hosted on a server or, for platform services, it's being integrated with these services. While a user is accessing these applications, Security Center just scans the data to understand what the incoming traffic is like. It provides intelligence reports such as where the traffic is coming from and what kind of data is being accessed for the end-user. Apart from that, it doesn't affect anything for the end-user.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
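The review above describes how Security Center derives recommendations and a secure score from a scan of the inventory (a public VM without MFA gets a "block public access" and an "enable MFA" recommendation), and the gap it sees when a control is satisfied by a third-party product such as Okta. The following is an added illustration and is not Security Center's code or anything the reviewer wrote: a small, constructed posture evaluator with two hypothetical controls, a constructed three-resource inventory, and an exemption mechanism that lets a finding be marked as covered by a compensating control so that the score reflects the real posture. Control names, weights and resource names are all assumptions.

```python
"""Toy cloud-posture evaluator (constructed example; not Defender for Cloud code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Resource:
    name: str
    kind: str                    # hypothetical kinds: "vm", "sql", "appservice"
    public_access: bool = False  # reachable from the internet
    mfa_enforced: bool = False   # administrative sign-in requires MFA


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    weight: int                          # secure-score points at stake
    applies_to: Tuple[str, ...]          # resource kinds the control covers
    compliant: Callable[[Resource], bool]


@dataclass
class Recommendation:
    control_id: str
    resource: str
    title: str
    weight: int


# Hypothetical controls modelled on the two recommendations the review mentions.
CONTROLS = (
    Control("restrict-public-access", "Block public network access", 10,
            ("vm", "sql"), lambda r: not r.public_access),
    Control("enforce-mfa", "Require MFA for administrative access", 10,
            ("vm", "sql", "appservice"), lambda r: r.mfa_enforced),
)


def evaluate(resources: List[Resource],
             exemptions: Optional[Dict[Tuple[str, str], str]] = None
             ) -> Tuple[List[Recommendation], int, int]:
    """Scan the inventory and return (recommendations, earned, max_points).

    exemptions maps (control_id, resource_name) -> justification, e.g. an
    external MFA provider in front of the resource. An exempted finding is
    counted as satisfied instead of being re-raised on every scan.
    """
    exemptions = exemptions or {}
    recs: List[Recommendation] = []
    earned = max_points = 0
    for ctl in CONTROLS:
        for res in resources:
            if res.kind not in ctl.applies_to:
                continue
            max_points += ctl.weight
            if ctl.compliant(res) or (ctl.control_id, res.name) in exemptions:
                earned += ctl.weight
            else:
                recs.append(Recommendation(ctl.control_id, res.name,
                                           ctl.title, ctl.weight))
    return recs, earned, max_points


def secure_score_percent(earned: int, max_points: int) -> int:
    """Secure score as a whole-number percentage of available points."""
    return round(100 * earned / max_points) if max_points else 100


# Constructed inventory for the demonstration.
INVENTORY = [
    Resource("web-vm-01", "vm", public_access=True, mfa_enforced=False),
    Resource("orders-sql", "sql", public_access=False, mfa_enforced=False),
    Resource("portal-app", "appservice", public_access=True, mfa_enforced=True),
]

# Constructed exemptions: MFA is provided by a third-party identity provider.
THIRD_PARTY_MFA = {
    ("enforce-mfa", "web-vm-01"): "external MFA provider enforced at the bastion",
    ("enforce-mfa", "orders-sql"): "external MFA provider enforced on admin access",
}


if __name__ == "__main__":
    for label, ex in (("no exemptions", None), ("third-party MFA", THIRD_PARTY_MFA)):
        recs, earned, mx = evaluate(INVENTORY, ex)
        print(f"[{label}] score {secure_score_percent(earned, mx)}%")
        for r in recs:
            print(f"  {r.resource}: {r.title} (+{r.weight})")
```

Without exemptions the public VM and the SQL server each raise the MFA recommendation and the score stays low even though a third-party MFA product is in place; with the exemptions recorded, only the genuinely open finding (the VM's public exposure) remains and the score moves accordingly. The justification string is kept with the exemption so an auditor can see why a finding was closed without the vendor's native control.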
PeerSpot user
Daniella Duran - PeerSpot reviewer
Business Analyst at an agriculture company with 10,001+ employees
Real User
Helped detect dangerous scenarios right away and reduced risk for our users
Pros and Cons
  • "The first valuable feature was the fact that it gave us a list of everything that users were surfing on the web. Having the list, we could make decisions about those sites."
  • "Another thing that could be improved was that they could recommend processes on how to react to alerts, or recommend best practices based on how other organizations do things if they receive an alert about XYZ."

What is our primary use case?

There were many use cases. We were monitoring auto IT applications and creating internal processes to understand which ones were going to be allowed and which were going to be blocked. We created the policies internally. 

It's an IT tool to monitor employees' usage on the internet and of web apps. We created policies so that, for example, when employees reached certain websites, like games, they would be blocked. We created a message for the email that they would receive, and there were links for whom to contact if they needed to override it. We created all the processes behind it.

How has it helped my organization?

From a security perspective, it reduced the amount of risk for employees, contractors, and users who might try to go to dangerous sites, as we blocked them. It helped us to identify dangerous sites so that we could make decisions on blocking them or not.

The effect on time to detection using Microsoft Defender for Cloud was very positive. The policies we created were providing information as threats arrived. When someone clicked on a website or on a link that was dangerous, it detected that and our team was able to control the situation right away. It was very highly effective because they got a live notification as soon as it happened. It improved things very positively.

It also had a positive effect on time to respond. As soon as an alert was received or something potentially dangerous happened, a process behind the scenes that we created helped them to react immediately.

What is most valuable?

The first valuable feature was the fact that it gave us a list of everything that users were surfing on the web. Having the list, we could make decisions about those sites. 

Second, it tried to categorize the apps, from riskier to less risky, with a behind-the-scenes algorithm. Even though we didn't use that, it was a starting point for our first review of the applications. We started with the riskiest ones and decided whether each one should be blocked or not. The fact that it provided a risk rating was very valuable. 

And it's very easy to use. Those are the top three.

What needs improvement?

Six months to a year ago, which was the last time I used the solution, the algorithm that was designed to define whether or not a site is dangerous or not needed to be improved. It didn't have enough variables to make the decision. 

Another thing that could be improved was that they could recommend processes on how to react to alerts, or recommend best practices based on how other organizations do things if they receive an alert about XYZ. 

Also, the complexity in the amount of information for this process could be reduced to facilitate those of us who are implementing and using the system, and guide us as to exactly what is needed.

For how long have I used the solution?

I used Microsoft Defender for Cloud for a year and a half.

What do I think about the stability of the solution?

The stability was very high. We never had any issues with it.

What do I think about the scalability of the solution?

With Microsoft products, you can keep adding more information if needed. For the purposes of the tool, it covers everything.

How are customer service and support?

We never used their technical support.

Which solution did I use previously and why did I switch?

We didn't replace anything with this solution. It was something we added to what was already in place. Our threat department continued to use all the products that it had been using. This one was additional and brought more alerts.

How was the initial setup?

The initial setup was straightforward because the platform was already in place. It comes with the system and you just activate it.

The first phase was creating all of the policies. Then we did a total review of the more than 10,000 apps and we started categorizing them in a different way than the tool does. It was a challenge because what the tool recommended was different from what we wanted to implement. We created our own policies.

What about the implementation team?

We used a security consultant to help us, but that was for the processes we put in place, not for the tool, per se. It was along the lines of, "Okay, when we receive this, what do we do?" They helped us create policies and told us what the best practices are; everything that the tool doesn't give you.

What other advice do I have?

It's very expensive in terms of the need to maintain it actively. You need a group of people in the organization to do the job because if the tool is sending information, a bunch of alerts on policies that we created, and nobody is reviewing it, it is doing nothing. Once you create policies, you have to have a very established group that, based on the design of all of the policies, will follow a process to take action on each of them. Some of them were very complex and some of them were very simple. Some of them were automated and others were escalated, depending on the danger. So it can be very complex, depending on how you implement it in your organization.

The tool doesn't solve the problem, it just gives you the information so that you can solve the problem. Solving the problem takes a lot of resources, a lot of time and, it turns out, money. So it's expensive.

I don't think it saves time because it discovers things that would never have been discovered in any other way.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Download our free Microsoft Defender for Cloud Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2025