Microsoft Defender for Cloud Reviews

We are working for a major client in the UK. So, we are moving all the products of clients from their on-premises environment to the cloud. One of the biggest challenges we face, “Once the infrastructure is created in the cloud, how can we make sure that the infrastructure is secure enough?” For that purpose, we are using Azure Security Center, which gives us all the security loopholes and vulnerabilities for our infrastructure. That has been helpful for us.

We use the Azure Security Center to scan the entire infrastructure from a security point of view. It gives us all the vulnerabilities, observations, etc. It reports most of the critical issues.

From an organization or security audit point of view, there are few tools available in the market. The output or score of Azure Security Center has really helped the organization from a business point of view by showing that we are secure enough with all our data, networks, or infrastructure in Azure. This helps the organization from a business point of view to promote the score, e.g., we are secure enough because this is our score in Azure Security Center.

We are using it from a security point of view. If there is a threat or vulnerability, the solution will immediately scan, report, or alert us to those issues.

We are using most of the good services in Azure:

• The load balancing options
• Firewall
• Application Gateway
• Azure AD. 

I value Azure Security Center the most from a security point of view. Everybody is concerned about moving data or infrastructure to the cloud. This solution proves that we are secure enough for that infrastructure, which is why I really value the Azure Security Center. We are secure in our infrastructure.

This is a platform as a service provided by Azure. We don't need to install or maintain Azure Security Center. It is a ready-made service available in Azure. This is one of the main things that we like. If you look at similar tools, we have to install, maintain, and update services. Whereas, Azure Security Center manages what we are using. This is a good feature that has helped us a lot.

From a business point of view, the only drawback is that Azure or Microsoft need to come up with flexible pricing/licensing. Then, I would rate it 10 out of 10.

We have been using it in production for the last three years. I have been part of the cloud migration team for Azure Cloud for the last two years.

We started using Azure Cloud from the initial version. Every week or month, there are updates in Azure. For the last three years, we have been using the latest version.

Whenever we increase the number of our resources, Azure Security Center easily copes with it. Since this is a ready-made service, it will automatically scale.

We are working with around 100 to 150 major clients in the UK. Each client has 200 to 500 users.

From an overall infrastructure point of view, we have a five member team.

We are getting adequate support and documentation from Microsoft. We are a Premium customer of Microsoft, so we are getting support in terms of documentation and manual support.

We were using this service from the onset.

This is a PaaS service. It is a ready-made service available in Azure Cloud. It is very easy to use and set up because you are using the platform. We don't want to maintain this service from our end. 

There are different models when it comes to the cloud:

• Infrastructure as a service
• Platform as a service
• Software as a service.

We are using sort of a hybrid, both infrastructure as a service and platform as a service. 

We are using our own team for the deployment.

We consume or subscribe to the service. Azure takes care of the maintenance and deployment, and we don't need to worry about it.

We are securing our customers' infrastructure using Azure Security Center. That internally helps their overall organization meet their goal/score on security.

So far, the feedback from the customer and our team have been really positive. We are very happy and getting return on investment from this product.

Its pricing is a little bit high in terms of Azure Security Center, but the good thing is that we don't need to maintain and deploy it. So, while the pricing is high, it is native to Azure which is why we prefer using this tool.

One of the main challenges that we have been facing with Azure Security Center is the cost. The costs are really a complex calculation, e.g., to calculate the monthly costs. Azure is calculating on an hourly basis for use of the resource. Because of this, we found it really complex to promote what will be our costs for the next couple of months. I think if Azure could reduce the complex calculation and come up with straightforward cost mapping that would be very useful from a product point of view.

Other than Azure Security Center, we did not find a single tool which could analyze all our infrastructure or resources in Azure Cloud.

We were mainly looking for products or tools native to Azure. The other tools that we evaluated were not native to Azure. Azure Security Center is natively attached to Azure. Because other tools were not natively supporting Azure, then we would have to maintain and deploy them separately.

So far, we have received very positive feedback from the team and customers. Because it is a single tool where we list all the problems or vulnerabilities, we are happy as a team. The customer is also happy.

End users are not interacting with Azure Security Center. This is a back-end service that evaluates security.

There are no other good tools in Azure, other than Azure Security Center, which will evaluate and alert you to security vulnerabilities and threats. So, if somebody is really concerned about the security of their infrastructure in Azure, I suggest you use Azure Security Center. The features that it provides from a security point of view are amazing.

I would rate the product as a seven or eight (out of 10) because it is really helping us to improve our security standards.

Typically, when we have a scenario where a client wants to migrate their resources to Azure, they might migrate their IaaS platforms, such as virtual machines; they might migrate their applications or their databases; they could also migrate into Kubernetes services. There are a variety of projects. I work for many types of customers where all these different scenarios are involved, including applications, app services, database as a service, IaaS by default, and Kubernetes.

With a project that I recently completed for one of our customers, the requirement was around their bidding application on-prem, utilizing different cognitive services and AI modules on Azure. They wanted to containerize this entire application with AKS, Azure Kubernetes Services. They did so, and Security Center was integrated with this entire AKS system. What Security Center provided us with was a solution for how we could better secure this entire environment. It provided some recommendations on pod security and how the pods do not need to communicate with each other. It recommended isolating these pods for better security, so that even if a certain user got access to a pod, or a certain threat was detected for one of the pods, we wouldn't have to worry about the entire system being compromised. By implementing the recommendation, if a pod is compromised, only that pod is affected and can be destroyed anytime by the AKS system.

Another recommendation was for enabling some edge layer WAF services, by leveraging a Microsoft out-of-the-box solution like Front Door. Security Center said, "Okay, now that the application is being accessed over the public internet, it is not as secure as it could be." An edge solution, like an application delivery controller such as a WAF or a CDN service was another option. It could be anything that sits at the edge and manages the traffic so that only authorized access is allowed within the network. Security Center recommended Front Door, or we could leverage other solutions like Cloudflare, or a vendor-specific solution like F5. We could then make sure that any Layer 7 security is handled at the edge and doesn't affect the application inside. SSL offloading is taken care of at the edge. Any region-specific blocking is also taken care of at the edge. If an application is only accessed in the U.S., we can block locations at scale with this solution. That is how Security Center provided us with some recommendations for better securing the environment.

Another way that Security Center can help is that it can benchmark the infrastructure in terms of compliance. Compliance-based infrastructure is one of the norms nowadays. If an application is health-based or it's a Fintech-based application, certain standards like HIPAA, NIST, or PCI need to be followed by default. Auditors or compliance teams used to run through a manual checklist to make sure that the environment was secure. But with Security Center, we can do it via an automated layer, introducing regulatory compliance policies. Security Center performs scanning of the entire environment, in regard to the policies, in real time. Using the example of the bidding system, it's a Fintech environment and, while having NIST is not mandatory, we could enable a benchmark run-through, to make sure the infrastructure is NIST-compliant.

With Security Center, we applied policies that align with these types of compliance. Security Center takes these policies and runs through the infrastructure to see what the gaps are and provides us with a report on what is compliant on the infrastructure and what is non-compliant. We can fix those non-compliant parts.

For any type of service, I would recommend the go-to solution for security on Azure is Security Center. The advantage is, firstly, is that it has seamless integration with any of the services I mentioned, on Azure, such as IaaS platforms, virtual machines, applications, or databases, because it's an in-house product from Microsoft within the Azure ecosystem. It has seamless integration with their Log Analytics workspaces, and it also provides some insights into what can be a better solution when it comes to securing their environment.

When it comes to improving the security posture, whenever we have a small project for a customer where they want to migrate their resources into Azure, once the resources are migrated, such as the ones I noted above, we go ahead and integrate Security Center in various ways. One of those ways is to use an agent that can be installed on virtual machines so that we can extensively monitor security alerts or threats that happen on the device. 

But for platforms as a service, we can't have an agent installed, so it integrates with the Log Analytics workspace. For any PaaS services, or a database as a service, or data lakes, we take their Log Analytics workspace and integrate it with Security Center. Once we have integrated it, Security Center discovers the resources, determines what the different configurations are, and provides us with some recommendations for the best practices that Microsoft suggests.

For example, if the Security Center agent is installed on a virtual machine and it scans the environment and identifies that the access to this VM is public and also doesn't have any MFA, it will recommend that blocking public access is one of the best practices to make sure that only safe access is allowed. Along with that, it can also provide us with some insights about enabling MFA solutions that can provide an additional security layer. Those are examples of things that Security Center can recommend for providing a more secure infrastructure

There is a slight gap between the real-time monitoring and real-time alerts. While Security Center has the ability to detect sophisticated attacks or understand potential threats, I feel that if the response time could be improved, that would be a good sign.

In addition, when it provides recommendations, those recommendations have a standard structure. But not all the recommendations work for a given environment. For example, if a customer is already using a third-party MFA solution, Microsoft doesn't understand that, because Microsoft looks into its own MFA and, if not, it will provide a recommendation like, "MFA is suggested as a way to improve." But there are already some great solutions out there like Okta or Duo, multi-factor authentication services. If a customer is already using Okta as an SSO in its entire environment, they will want to continue with it. But Security Center doesn't understand that and keeps making recommendations. It would help if it let us resolve a recommendation, even if it is not implemented.

Security Center provides what it calls secure score. This secure score is dependent on the recommendations. It tells you that if you resolve this recommendation, your secure score will be improved. In the case where a client is already using MFA, but the particular recommendation is not resolved, there is no improvement in the secure score. There is a huge mismatch in terms of recommendations and the alignment of secure score. MFA is just one small example, but there are many recommendations that depend on the client environment. There is room for improvement here and it would help a lot.

I'm a network and security architect for a Microsoft Gold partner. I have been extensively using Azure for five years and have been involved in multiple security and network projects. I have been using Security Center, specifically, for more than three years on Azure, applying recommendations and working on integrations with other services, etc.

The performance is pretty crisp. Because it is a platform service, we don't have to worry about the availability or response time. It's all managed via Microsoft. The performance is good for now, but it can be improved. It could be more real-time. There are many things that Security Center does in the background, so that may make the response time a bit slow. If we apply certain policies, it will run through the entire environment and give us a report after about 30 to 45 minutes. That layer could be improved.

This is a platform service and Microsoft has scalability under its control. It can scale to all of Azure.

As a Microsoft Gold partner, most of the time we work directly with the engineering team or with the Microsoft sales team. Because we are working day-in and day-out with Security Center, we are well aware of its issues, capabilities, features, and the depth of its tools. The basic, level-one or level-two support team just follow a standard. 

But there has been a huge improvement in terms of Microsoft support and they provide some really good support for Security Center.

The initial setup is very straightforward. There's nothing complex about it.

Implementation generally doesn't take a huge amount of time. Because Security Center is a service, the agents need to be installed on a virtual machine or servers. If it's an IaaS application or platform services, the log analytics need to be integrated. In an environment with about 30 or 50 servers, we could run the script and complete the onboarding of the servers into Security Center within a day, and the same is true for platform services.

But it's not just about onboarding it because Security Center also provides some recommendations, and we work on those.

I lead a team of four people who work specifically on Security Center. There are other sections of Azure Security that they work on, such as Azure Sentinel, Azure ADP, Microsoft 365 security and compliance for our portals. But for these four people, about 25 to 30 percent of their roles involves managing Security Center.

The return on investment is pretty great in terms of the feature set that Security Center provides. There are so many solutions out there that can do similar things, but at the same time, they do not have such seamless integration with other services on Azure. The return of investment is in the ease of management and the great visibility.

Pricing and licensing is a standard process. It's not as complicated as other Microsoft licensing solutions. Security Center charges $15 per resource for any workload that you onboard into it. They charge per VM or per data-base server or per application. It's not like Microsoft 365 licensing, where there are levels like E3 and E5. Security Center is pretty straightforward. With Security Center, there are no other fees in addition to the standard licensing fees.

We have other, third-party vendor solutions, but Security Center provides that seamless integration, along with some insights that other platform services do not. There aren't a lot of other vendors out there that can integrate with Azure platform services. It's the only solution that we recommend.

Other solutions include Qualys, Rapid7, Tenable, and Nessus. As system integrators, we generally recommend Security Center. But if a client has already made a huge investment in Tenable or Qualys, they will want to continue with that. If a client does switch, they will see the advantages of all the integrations and services that can all work together. They will have a single plane of control.

The seamless integration is one of the key benefits. It integrates well with the whole Azure ecosystem. A second advantage is not having to worry if Security Center will be able to scale. A third advantage is that it is an all-in-one service. You don't have to have multiple services for threat protection, for endpoint protection, for recommendations, and for compliance. This is one tool that can do a lot.

In terms of the cons of Security Center, there are a lot of things. Vulnerability management is available, but vulnerability assessment is not available within Security Center. That is a huge gap. As of now, Security Center relies on third-party tools in this area and we have to integrate it with them. There is also the lack of custom recommendations for the environment. That is a feature that would be helpful.

When it comes to endpoint solutions, Microsoft ATP is available, but some of our clients already have a solution such as CrowdStrike.

My advice is to go with Security Center. It's a really good tool and provides some good recommendations for the environment. Other tools can provide recommendations, but then we have to do them manually. Security Center does them automatically. That's one of the advantages that stands out compared to other tools. For anyone who asks, "Why Security Center?" I would tell them that if all their resources are being deployed, or all their applications are being hosted on Azure, this is the only solution, the best solution, out there.

I don't think there is much effect on end-user experience here, because whenever you talk about Security Center, the agents or tools are applicable to the underlying infrastructure rather than the end-user. For example, an application is hosted on a server or, for platform services, it's being integrated with these services. While a user is accessing these applications, Security Center just scans the data to understand what the incoming traffic is like. It provides intelligence reports such as where the traffic is coming from and what kind of data is being accessed for the end-user. Apart from that, it doesn't affect anything for the end-user.

Our primary use case is for cloud endpoint IoT security and overall cybersecurity implementations. We handle aspects from presales, installation, post-sales, and ongoing consulting to optimize customer security.

Implementing Microsoft Defender for Cloud has helped our organization in terms of providing robust cloud workload protection with minimal false positives. It also allows us to integrate with other tools like Splunk for observability and Qualys for vulnerability assessments, ensuring comprehensive security for our clients.

Some of the most valuable features of Microsoft Defender for Cloud include its effectiveness in threat detection through unsupervised machine learning, CTI, and advanced sandboxing. These features have consistently minimized false positives. The rich history of signature-based technology from Microsoft also adds to its reliability.

Integration into other third-party products, particularly those from tier three vendors like ManageEngine and Hexcode, has proven difficult. While there is ample documentation from Microsoft, the company needs to improve on making their integrations less challenging.

I have been working with Microsoft products for six to seven years.

We used to resell CyberX before it was acquired. The switch was made to enhance our security offerings with more comprehensive solutions.

The initial setup of Microsoft Defender for Cloud is manageable. Our team handles the presales, installation, and post-sales, ensuring the customer achieves a level of compliance with their security and regulatory needs.

We perform the presales, installation, and post-sales for clients. For compliance and consultancy, a dedicated consulting team works with the customers.

The pricing of Microsoft Defender for Cloud is very expensive. Although it is overpriced, many of our enterprise customers have a Microsoft ELA, making it the solution of choice.

Our customers also use products like CrowdStrike, Cyber Reason, TrendMicro, and AllGuard. Many are on Microsoft Azure, while some also use OCI and AWS.

The primary piece of advice would be to improve third-party integrations, especially with products from tier-three vendors. This would make the overall solution more versatile and easier to manage for diverse customer needs.

I'd rate the solution nine out of ten.

We use it to keep our Azure infrastructure up to date with the security best practices that Microsoft suggests. We also use it to have better visibility into changes in our databases.

It helps me know if a new virtual machine or an app gateway or a functional service has come online that doesn't have the best security practices enforced on them. The impact we've had is a better security posture being enforced throughout our Azure environment.

The solution has also simplified management of endpoints and servers and gives us visibility in a single pane of glass. And it's easy to identify security corrections in the environment.

It has helped save us SOC time and increased their efficiency. While we haven't measured by how much, we see it in their day-to-day activities. And it has likely improved our time to detection, but we just haven't had anything to detect.

The most valuable features of the solution are the insights, meaning the remediation suggestions, as well as the incident alerts.

We have also integrated Microsoft 365 and Microsoft Defender for Cloud with Microsoft Sentinel and the integration was easy.

In addition, it's good at helping us proactively discover unknowns and defend against threats.

I would like to see better automation when it comes to pushing out security features to the recommendations, and better documentation on the step-by-step procedures for enabling certain features.

I have been using Microsoft Defender for Cloud on a day-to-day basis for about a year.

It's quite stable. We don't have many problems.

The scalability is very good.

We have 100 internal users and we are deployed across multiple sites. It's 100 percent cloud and our infrastructure handles API responses for our clients.

For the cloud infrastructure, their technical support is good.

Positive

In my previous company, I used the native portal, which is pretty much what Defender does, on AWS.

The intelligent threat hunting provided by Microsoft 365 and Microsoft Sentinel based on the alerts, incidents, and logs passed along by Microsoft Defender for Cloud is moderate.

The ability of Microsoft solutions to work natively together to deliver integrated protection as well as coordinated detection and responses across the environment is improving a lot, but it still has a ways to go.

Overall, if you are worried about security, you should have Microsoft Defender for Cloud. It's the minimum you should have.

The log analysis and threat prevention analysis are good.

Technical support is helpful.

We haven't really received any customer feedback yet. Once we have some, we'll be able to better discuss areas of improvement.

The solution needs to keep improving its log analysis and threat mechanisms.

The product was a bit complex to set up earlier, however, it is a bit streamlined now.

Basically, we are looking at unique specimens. Linux works best with ONELAB. With Linux, we have a lot of Metasploit, however, it is undetectable sometimes. We want to improve that particular aspect of the Defender.

We've been using the solution for the last four and a half years. 

While, right now, the solution, in terms of size, is fine, one year or two years down the line, we will need to scale up and we will need to check that particular scale-up process then. As of now, we haven't done so.

Technical support has been good.

Neutral

The initial setup was hard at first. It's gotten easier. It gets simpler with time. 

In terms of maintenance, we are in a hybrid culture. There are data center staff, as well as cloud-centric staff which defaults as per the client requirement. We as a service company, need to rigorously go through cloud solutions, even with the clients and their compliance. We have to honor that compliance.

We have a channel partner with Microsoft. They have consulted with some other third-party people from their end.

The solution has a license renewal on a yearly basis.

The licensing part is not my area of interest. It is a different team that looks after that.

We are channel partners for Microsoft. We are a gold partner and a channel partner.

We earlier were using the on-premises deployment. Then we moved to the cloud for the last two-and-a-half years. It's a hybrid cloud.

I'd advise new users that they can implement it, however, it is complex in nature. No doubt it is useful as per the log analysis and threat protection analysis. 

I would rate the solution a seven out of ten.

I primarily use the solution just for the networking of virtual machines.

It is very scalable.

The product has been very easy to use and simple set up. 

The maintenance and updating are part of the service, so that brings great value.

It's a stable product.

Technical support is helpful.

It's got a lot of great features. 

I can't speak to any features that are missing. I need time to get a little bit more into it before making any kinds of suggestions. 

They could always work to make the pricing a bit lower.

I've been using the solution for a few months. 

The stability is great. There are no bugs or glitches. It doesn't crash or freeze. It's reliable and the performance has been quite good in general.

Its ability to scale is impressive. It's one of the main selling points. If a company needs to expand it, it can do so. It's not a problem.

We have about 25 or so people using the solution. Some of them are new.

From my experience, technical support is good. They're quick to respond and knowledgeable. I haven't seen a need for improvement in any aspect of their support services. We are quite satisfied with them.

We did use other solutions, however, they were more for training or educational purposes. 

The setup is extremely straightforward and simple. It's not a complex or difficult process. You can get as involved as you want in it, or you can keep it simple.

The maintenance is also part of their service, which means we don't have to worry about it at all. They take care of everything. It doesn't require personnel watching over it. 

The pricing is mid to high. It's not the cheapest or least expensive option.

It's a good solution for, I'd say, small to medium business startups. It's also viable for enterprise solutions.

I'd rate the solution at a ten out of ten. We have been very happy with its capabilities. 

We are primarily using Azure Security Center to bring a level of security into the environment. Before I started to work with this solution, I was a Kubernetes and Azure Cloud architect. I was working for a service provider where I did not get the opportunity to look at how do they secure the resources, but in the last one and a half years, I had to get into those aspects because the organization I was working for wanted to introduce Kubernetes into the ecosystem, and the main concern was regarding all the hacking that was going on. For introducing Kubernetes as a platform, all business managers wanted to know if it was secure or how to make it secure. We started to look at Azure Security Center and its capabilities because Azure was their main solution. We also used AWS and GCP to some extent, but predominantly, we had Azure. So, we first took Azure Security Center and started to leverage its features.

Azure gives access to a lot of policies and allows you to group those policies into initiatives. There were about 170 subscriptions spread across sandbox, dev, test, non-prod, and prod environments, which were spread across India, Canada, and the USA. Each geography had its own data resiliency requirements, so these policies had to be applied stringently. For example, if somebody created a virtual machine, it had to be in a specific region, or if someone was storing the data in a database, it had to be only in that region. It could not cross the border. So, we had to first enforce policies at the level where we had to identify where the storage resources were, which network could talk to which network, and who could do what, and then it went on to all levels. Azure provided very good, robust, and built-in policies for each resource, and we had to set some to audit and some to enforce. 

While setting policies for about 170 subscriptions, we needed to ensure consistency. We needed to apply them consistently across all subscriptions. Azure Security Center helped us in ensuring that we audit certain policies, and we also enforce certain policies. We had set some policies to audit because we wanted to see what's going on, and we had set some policies to enforce because of regulatory purposes or because of the way the entire network and all the systems were designed. We used Azure Security Center as our central place to administer policies. We had to group all the subscriptions into management groups, and there was a hierarchy of groups. We could apply the policies at one specific level, and any subscription that we would create under that group would have the same set of policies. It helped us in getting a bird's-eye view through dashboards. We could see what was happening across the enterprise.

We started using it for Kubernetes, but it expanded into a wider initiative of more stringent policies across the board. In terms of lift and shift, a lot of people get tempted to go to GCP because it is cheaper, but we were primarily using Microsoft products. So, we started adopting Azure, and we did not pay attention to Azure Security Center at the beginning. When we looked at Azure Security Center for the first time, it had already been three years, and we had done almost 100% lift and shift, but we could recover from any aspect of security. Azure Security Center helped us in recovering from our mistake. If we had worked with it at the start of our journey, it would have been easier, and even though we were looking at it halfway through our journey, it still helped us. I consider it halfway because lift and shift is only one part of the process. You are saving a lot of money, but you are still not cloud-based. The real power of the cloud comes when you start using the platform services, and before starting to use them, we were able to get into a secured environment. Kubernetes was the first platform that we were looking at, and when we were able to secure it, everything else was pretty simple. That's because, with Kubernetes, there is a shared responsibility model where the cloud provider takes care of some of the aspects, and you have to take care of a lot of things. Azure Security Center helps in ensuring that you have taken care of and secured everything.

Its recommendations are really good. Most of the time, they are appropriate. Azure comes with a lot of default policies that are set to audit only. As the enterprise grew and we started adopting the cloud, initially, we didn't pay much attention to Azure Security Center. For us, Azure Security Center was like an afterthought; it was not planned from day one. In our enterprise journey, when we started looking at it halfway through, we realized that there were so many violations. We started with auditing. We found policies that nobody was using, and then we started enforcing them. It was really good in terms of built-in policies, recommendations, and then applying them across the board with a minimal set of actions.

It is very intuitive when it comes to policy administration, alerts and notifications, and ease of setting up roles at different hierarchies. It has also been good in terms of the network technology maps. It provides a good overview, but it also depends on the complexity of your network.

For Kubernetes, I was using Azure Kubernetes Service (AKS). To see that whatever is getting deployed into AKS goes through the correct checks and balances in terms of affinities and other similar aspects and follows all the policies, we had to use a product called Stackrox. At a granular level, the built-in policies were good for Kubernetes, but to protect our containers from a coding point of view, we had to use a few other products. For example, from a programming point of view, we were using Checkmarx for static code analysis. For CIS compliance, there are no CIS benchmarks for AKS. So, we had to use other plugins to see that the CIS benchmarks are compliant. There are CIS benchmarks for Kubernetes on AWS and GCP, but there are no CIS benchmarks for AKS. So, Azure Security Center fell short from the regulatory compliance point of view, and we had to use one more product. We ended up with two different dashboards. We had Azure Security Center, and we had Stackrox that had its own dashboard. The operations team and the security team had to look at two dashboards, and they couldn't get an integrated piece. That's a drawback of Azure Security Center. Azure Security Center should provide APIs so that we can integrate its dashboard within other enterprise dashboards, such as the PowerBI dashboard. We couldn't get through these aspects, and we ended up giving Reader security permission to too many people, which was okay to some extent, but when we had to administer the users for the Stackrox portal and Azure Security Center, it became painful.

We were also using it for just-in-time access for developer VMs. Many a time, developers need certain administrative privileges to perform some actions, and that's where we had to use just-in-time privileges. Administering them out of Azure Security Center is good, but it also means that you have to give those permissions to lots of people, which is very cumbersome. So, I ended up giving permissions to the entire Ops team, which defeats the purpose and is also not acceptable at a lot of places.

These were the two use cases where I felt that I really had to get into the depth of Azure Security Center to figure out how I can use it much better.

I have been working with this solution for the last one and a half years. 

I didn't find any issues with its stability. When you start using Azure Security Center to look at your on-prem application or resources, you might have issues with monitoring these on-prem resources, but it is not related to the stability or reliability of Azure Security Center. It has nothing to do with Azure Security Center; it is related to how you have configured, what kind of resources you have, and what permissions you have given. 

Sometimes, the network operations team and security operations team are not in tandem with each other. We had done lift and shift for most of the resources, but there were still some resources that were on-prem. For on-prem resources, people are comfortable with Dynatrace and other similar tools, but they are not really security tools; they come under the observation and monitoring tools. It can be very hard to sell Azure Security Center for something that is on-prem, and because of the corporate silos, someone might not give you access to an on-prem resource. For example, your Oracle Database is still on-prem, and you are systematically strangulating the application and moving it to Cosmos DB or SQL Server on the cloud, but you are not allowed to monitor it. In such situations, Azure Security Center can only report one part of the application, which makes it tough to tell business managers

why this application is down, what went wrong, why there is latency, what is the problem, etc. So, more than the product, it has to do with ensuring that the SOC team works with the NOC team and ensures that they have the required access so that they can also observe on-prem resources from the security aspect. Otherwise, you won't know what's happening. You won't know if any hacking is going on, or if somebody is doing SQL injections to the on-prem Oracle Database. You wouldn't have a clue.

I'm an architect. I don't deal with the regular operations aspects.

There is nothing in terms of the setup. It comes by default. It is only about paying attention to the Azure Security Center in terms of giving correct roles to subscription owners, security administrators, etc. It is only about properly setting up those roles.

It only required going through the documentation in detail and having a couple of brainstorming sessions. We didn't have to hire any special consultants. We could do it ourselves. We spent a week properly going through the documentation. Having a word with the product managers also helped. Many times, such implementations have more to do with the way organizations are structured in terms of departmental silos. So, it helps to get everybody on board and ensure that everybody has the same understanding. It is related to an organization's culture; it has nothing to do with the product. It is more related to outsiders and insiders and different levels of knowledge and backgrounds, but the product itself is pretty simple to start with.

We did it ourselves.

It is bundled with our enterprise subscription, which makes it easy to go for it. It is available by default, and there is no extra cost for using the standard features.

I don't know if any other solution was evaluated. Most probably, we didn't because Azure Security Center is available by default, and there is no extra charge for using the standard features.

When you're using such platform services, you've got to be a little bit careful because the products are always getting updated. You need to keep an eye on the product roadmap in terms of what's coming up so that you are not duplicating. That's what we had to do with Stackrox. We discussed with Microsoft's technical support team, and we got a confirmation that they're not going to take care of CIS benchmarks in the near future. It was a little bit disheartening, but at least, we knew upfront that Microsoft is not going to look into this area. They were open and candid about what they were going to do and what they were not going to do. So, we started looking at other products. Microsoft keeps on updating its products to keep them relevant. So, you need to know what they are implementing in the next three months or six months so that you can at least tell the security teams that a certain feature is coming up.

We didn't have to do it for Azure Security Center, but for Azure Firewall, we had to request certain features, and there are a lot of features that are still pending. For example, if I use Azure Firewall, just-in-time permissions do not work. If VMs are behind Azure Firewall, then through Azure Security Center, I can't give permissions, but if I use the Palo Alto firewall, I can do the same. So, we had to set up our VMs by using the Palo Alto firewall. Sometimes, Microsoft does strange things, and they don't talk to the Azure Firewall team. After one and a half years of asking for that feature, it is still a no-go. We want to use Azure Firewall because it is not VM-based. With the Palo Alto firewall, I have to provide one more VM in between and start administering it. So, I have one extra resource that needs to be administered, and it is non-Azure or non-Microsoft.

When you start enforcing policies across multiple subscriptions, you need to be very careful. You need to pay attention to the notifications that come out. The notification details were where we had to do some customization. We had to prioritize the notifications and then put them into a group mailbox so that instead of one person, a group of teams gets notified. We could write an Azure function around it to integrate with Microsoft Teams. We could push them to the Microsoft Teams channel. It took some amount of effort. It took about a week of tinkering, but we were able to notify the entire development team. As we started auditing and enforcing from our sandbox to the development environment, we started discovering a lot more things. We got formal requests on why we had to disable some policies. We got more specific feedback. When we are able to catch such things early in the life cycle, it becomes easier to protect the higher-level environments properly. It was very good in terms of the dashboard, converting from non-compliance to audit, or enforcing policies across multiple subscriptions. We had to customize the notifications, and it would've been nice if there was a more intuitive way of customizing the notification, but it might also be because of our knowledge level at that time. We could have also integrated it with Slack because it supports integration with Slack, but we predominantly use Microsoft Teams.

I would advise others to start playing with it. They can start with a sandbox environment. If an enterprise has multiple resources, such as VMs, databases, they should put all of them in different resource groups in a subscription and categorize their resources properly. All resources should be structured properly. Otherwise, it is really difficult to administer policies at the resource level. They have to group them properly so that they are managing resource groups or subscriptions rather than individual resources. So, structuring of the resources is the key to the administration of policies. It took quite some time for us. It was not an easy task. We create Terraform scripts for setting the entire infrastructure. So, we had to reorganize our Terraform scripts to ensure that the resources were created in appropriate resource groups and communication can happen across resource groups. We had to set up the NSGs properly from the network point of view so that they all were accessible. It took us quite some time, but organizing the resources pays very well when it comes to spinning the higher-level environments and ensuring that they're compliant or they work.

I would rate it an eight out of 10.

Security is at the forefront of everything that we have been doing, fundamentally. Both in my previous organization and the current one, Azure Security Center has given us a great overview of the current state of security, through the recommendations given by Microsoft. There are potential situations where risk exists because you're not compliant with a specific recommendation, or to specific regulatory compliance. Such guidance is critical for us.

We implement a wide range of solutions in our environment. We have solutions that are purely SaaS. We have some things that are just purely IaaS, and, of course, we have PaaS for services as well. So, we really have a wide range of deployments on all services as a service.

Overall, Azure Security Center has greatly improved our company's security posture. At a very quick glance, you can see where you are the most vulnerable. I'm greatly oversimplifying what the tool does, but at the very minimum, at a quick glance, even if you are not an expert, or even if you have just started using it, this tool will give you a basic idea of where the biggest problems are.

Security Center has not affected our end-user experience in a negative way. To my thinking, security is something that if your users don't experience it then it's great because there are no problems. Since I have been in this company, there have not been any security incidents. The only experience that the end-users have is the fact that there have not been any disruptions due to security issues. We have been monitoring what has been going on.

The most valuable feature is the recommendations. Azure Security Center is a product that can be useful in various grades and stages, depending on the state of maturity of both your application and your organization.

The alerts are also valuable, and they go hand-in-hand with the recommendations.

With respect to our security posture, there are at least two features that have been very useful. The first of these is the inventory section, where you can quickly see everything that you have. Especially in a larger organization where there have been mergers and acquisitions, it can be difficult to readily see everything that has been deployed. Using Security Center, you have a full view, at any given time, of what's deployed, and that is something that is very useful.

The security score has been very useful. This is another numeric metering system that basically tells you how well you have been doing.

Consistency is the area where the most improvement is needed. For example, there are some areas where the UI is not uniform across the board. You can create exemptions, but not everywhere are the exemptions the same. In some areas, we can do quick fixes, but that is not true across the board. So in general, consistency is the number one item that needs attention.

We have been using Azure Security Center for approximately three years.

With respect to stability, so far I have not encountered any specific issues with the way it behaves. I cannot say that it has performed badly in any way.

It's a really scalable product, fundamentally, the way Microsoft designed it. I don't think that scalability is an issue at all.

We have implemented this solution in environments that differ quite significantly in terms of scope and in range but, given the way that it works, within 24 hours it discovers everything in the environment, no matter what it is. 

We only used technical support once, and it was for an item that was behaving in a strange way. It ended up being a known issue, and they said that they were going to fix it. Overall, it was a very good interaction.

In both companies where I have used this solution, there was no other cloud-based tool that was handling security. It was done using traditional security products that basically examined the logs and raised alerts.

We switched because it gives us an expansive view of everything which is deployed. It is really unparalleled by anything else that you could potentially use. The moment you turn it on for a subscription, it will identify, almost immediately, every component that you have. From there, it will also identify what is at risk in that component.

The initial setup was pretty straightforward, although I came to this product from a network and security background. When I started working with a Security Center, it was not like a tool that I had never seen before.

Fundamentally, it takes 24 hours before you start to see everything accurately. From the moment you turn Security Center on for your subscription, within the 24-hour range, you have a full view of what's going on.

Our implementation strategy includes turning it on for every subscription that we have. Security is critical for us, so the cost, in this case, was not a factor. The benefit was definitely outpacing any potential financial cost. Once we turn the feature on for a subscription, we look at every recommendation that we see in the list. In cases where it is not compliant with our security policy, we fix the issue and have been doing that ever since we started using it.

My in-house team was responsible for the deployment, and this was true for both organizations where I have used it.

On average, three people can deploy it. There should be an architect and principal engineers.

Although I am outside of the discussion on budget and costing, I can say that the importance of security provided by this solution is of such importance that whatever the cost is, it is not a factor.

Microsoft does a good job with respect to the pricing model, so anything comparable will cost almost the same. I don't think that there is really an alternative.

We are perfectly satisfied with what this product gives us. So, there's really no reason to even look at anything else.

The first piece of advice that I would give somebody who's going to try to use Security Center is to try to understand their environment as much as possible, and then try to match their environment with the recommendation section of the tool and start remediating from there.

There are going to be recommendations in Security Center that will make sense if the team looking at the security infrastructure understands what is going on. If the team does not have a full understanding then it will be very difficult to know what to do, or how to remedy it.

The fact that I had to deal with many components, of which I don't know very much about, has been really great because it forced me to learn about their security. Typically, I don't have to deal with that. My learning has definitely increased, and of course, that's always good.

I would rate this solution a nine out of ten.