What is our primary use case?
I am closely dealing with alerts related to cloud workloads. We are integrating the alerts that pop up for different services to analyze the gaps in our Azure landscape. We then assess what we need to close and what makes sense for our environment because not everything is applicable. It depends on our company's requirements as well. We plan the strategy for how to close those gaps. There are different mechanisms for how you deal with those security alerts.
How has it helped my organization?
We are using the Microsoft Azure Security Benchmark along with the CIS Benchmark. We rely quite heavily on these benchmarks, and I would rate the CSPM functionality a nine out of ten. Most recommendations are focused on generic security gaps, but overall, those recommendations are very good from the security aspect, irrespective of the industry.
It is pretty good in terms of the range of workloads covered. It covers most of the IaaS infrastructure that Azure offers and most of the PaaS services that we are using. I cannot recall any service that we are using for which Microsoft Defender for Cloud does not have recommendations.
We have integrated the alerts that we are getting from Microsoft Defender for Cloud with our on-premises Splunk solution. We capture those alerts. They are integrated via Azure Event Hubs. It acts like a queue and pulls those alerts from Microsoft Defender for Cloud and then sends them to Splunk. This integration helps our global security team to figure out which alerts are critical. They can then reach out to the owner of an asset.
Microsoft Defender for Cloud helps in improving our overall security posture. We have a nice overview of what is missing where and what can be improved.
Without Microsoft Defender for Cloud, we would not have any visibility into our security posture. The way on-premises things work in our company is complex. We have ten different tools for ten different categories. We have one tool for vulnerability assessment and one for patch fixing. Microsoft Defender for Cloud is a single integrated tool. It gives me a holistic overview of my whole security posture.
What is most valuable?
The most valuable features are the different plans it offers and the visibility within them. For example, the Defender for Servers plan includes capabilities for vulnerability findings on machines and configurations at the OS level. They have different plans for different things. We are utilizing all of them, and they are equally good.
What needs improvement?
Currently, issues are structured in Microsoft Defender for Cloud at severity levels of high, critical, or warning, but these severity levels are not always right. For example, Microsoft might consider a port being open as critical, but that might not be the case for our company. Similarly, it might suggest closing some management ports, but you might need them to be able to log in, so the severity levels for certain things can be improved. Even though Microsoft Defender for Cloud provides a way to temporarily disable certain alerts or notifications without affecting our security score, it would be better to have more granular control over these recommendations. Currently, we cannot even disable certain alerts or notifications.
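The Event Hubs to Splunk hand-off described under "How has it helped my organization?" and the company-specific severity point above, as an added example that is neither the reviewer's nor Microsoft's code: it parses one exported alert, re-rates it from a local table, looks up the asset owner by resource group, and shapes the result as a Splunk HTTP Event Collector payload. The alert field names, the placeholder alert type, the override table and the owner map are assumptions.

```python
import json
import re

# Constructed sample alert: field names follow the Defender for Cloud SecurityAlert
# resource as delivered by continuous export to Event Hubs (an assumption here).
SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
SAMPLE_ALERT = json.dumps({
    "id": f"/subscriptions/{SUB}/resourceGroups/rg-web/providers/Microsoft.Security/"
          "locations/westeurope/alerts/alert-001",
    "properties": {
        "severity": "High",
        "alertType": "EXAMPLE_MANAGEMENT_PORT_EXPOSED",  # placeholder alert type
        "alertDisplayName": "Management port open on virtual machine",
        "resourceIdentifiers": [{
            "type": "AzureResource",
            "azureResourceId": f"/subscriptions/{SUB}/resourceGroups/rg-web/providers/"
                               "Microsoft.Compute/virtualMachines/vm-jump01",
        }],
    },
})

# Company-specific re-rating keyed by alertType (constructed): the vendor severity
# stays on the event, but the security team sorts its queue by the local one.
LOCAL_SEVERITY = {"EXAMPLE_MANAGEMENT_PORT_EXPOSED": "Medium"}

# Resource group -> asset owner, as a CMDB or resource tags would supply it (constructed).
OWNERS = {"rg-web": "web-team@example.com"}

RESOURCE_ID_RE = re.compile(r"^/subscriptions/([^/]+)/resourceGroups/([^/]+)/", re.I)


def triage(raw_event: str) -> dict:
    """Parse one exported alert into a Splunk HEC payload with owner and local severity."""
    alert = json.loads(raw_event)
    props = alert["properties"]
    # Prefer the affected Azure resource; fall back to the alert's own ID.
    rid = next((r["azureResourceId"] for r in props.get("resourceIdentifiers", [])
                if r.get("type") == "AzureResource"), alert["id"])
    m = RESOURCE_ID_RE.match(rid)
    sub, rg = (m.group(1), m.group(2)) if m else ("unknown", "unknown")
    vendor = props.get("severity", "Informational")
    return {"index": "azure_security", "sourcetype": "azure:security:alert",
            "event": {"subscription": sub, "resource_group": rg, "resource_id": rid,
                      "display_name": props.get("alertDisplayName", ""),
                      "vendor_severity": vendor,
                      "local_severity": LOCAL_SEVERITY.get(props.get("alertType", ""), vendor),
                      "owner": OWNERS.get(rg.lower(), "unassigned")}}
```

In a real consumer, each Event Hubs message body would be passed to `triage` and the returned dict posted to the HEC endpoint; keeping both severities on the event lets the team audit where its local rating diverges from Microsoft's.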
There should be an automated mechanism to design Azure policies based on the recommendations, possibly with AI integration. Instead of an engineer having to write a policy to fix security gaps, which is very time-consuming, there should be an inbuilt capability to auto-remediate everything and have proper control in place.
Additionally, enabling Defender for Cloud at the resource group level, rather than only at the subscription level, would be beneficial.
For how long have I used the solution?
I have been using Microsoft Defender for Cloud for five years.
What do I think about the stability of the solution?
Overall, stability is good. However, Microsoft sometimes changes settings or configurations without transparency. These changes, detected as drift by our infrastructure as code tool, require unnecessary work. I suggest Microsoft maintain default settings as per the existing configurations during updates to save us from having to do unnecessary work.
What do I think about the scalability of the solution?
Scalability is generally good, but it also depends on the customer's implementation. We are using infrastructure as code, so we do not have any scalability issues with the Microsoft Defender for Cloud implementation because our cloud automatically does it.
If a new subscription is created manually, the configuration is manual too. An automatic toggle for new subscriptions would ease scalable deployment.
From a scalable perspective, if your company has hundreds or thousands of subscriptions, there should be some toggle to automatically scan your new subscription and turn different plans on. This is something they can take into consideration.
How are customer service and support?
Customer service and support from Microsoft are very poor. Even for high-severity cases, response or resolution time can extend to three or four weeks. Often, cases are transferred between teams with no resolution, resulting in a negative experience. We end up closing the case or resolving it on our own. I cannot recall any instance where they managed to quickly resolve any issue.
I even suggested to my top management to give me one percent of what they are paying for Microsoft's enterprise-level support because I end up resolving the issues on my own anyway. Our case just gets transferred from one engineer to another. We have to explain the same thing from scratch. Nobody is checking case details. Nobody is handing over properly on Microsoft's side. The support experience is very bad.
Which solution did I use previously and why did I switch?
I did not use any other solutions. Because we use Azure, we prefer to use Microsoft's native, built-in capabilities. That is why we have been using Microsoft Defender for Cloud from the beginning.
How was the initial setup?
The initial setup was simple and straightforward. From a configuration perspective, it is not so complicated. It involves enabling the service at the subscription level, which requires turning on basic toggles.
What about the implementation team?
My team implements these solutions. All new requirements pass through our team.
What's my experience with pricing, setup cost, and licensing?
The pricing model for most plans is generally good, but the cost of the new Defender for Storage plan is high and should be revisited, as it could lead to disabling desirable security features due to cost.
They have introduced a new Defender for Storage plan which they are going to mandate for new workloads. They might already have done that, but it is very costly for users needing additional capabilities. The licensing cost is per storage account irrespective of whether it is enabled or not. Previously, the model for the same service was based on transactions. If you had one million transactions, you were charged according to that. If you had only 10,000, you were charged according to that. Making the new storage plan mandatory is not a good idea from a customer perspective. We did our analysis and compared the new storage plan with the old one. We found that the cost with the new plan is 3.5 times higher. Why would I opt for that as a customer? If it becomes mandatory, we might even disable the plan altogether. We will end up losing certain security alerts that we want to have because of the cost aspect. This new plan should not be enforced, and the customers should have the flexibility to decide.
Another thing is that Microsoft Defender for Cloud is always enabled at the subscription level. When it is enabled at the subscription level, everybody is charged for it. In the future, there should be more granularity so that under the same subscription, different teams can put their resources. Whoever wants to utilize these capabilities can enable them in their resource group. This will help save costs. Teams will be happy because they will be able to utilize these tools as per their requirements.
What other advice do I have?
I would rate Microsoft Defender for Cloud an eight out of ten. The solution is quite good and addresses many security gaps. It is the starting point to improve the security of your Azure platform. You can introduce other solutions such as Microsoft Sentinel later. If you start with just Microsoft Defender for Cloud, about 75% of your security gaps will be addressed. After that, you can think of some advanced solutions.
In my experience of working with Azure, teams are not utilizing this solution to its fullest capability. It has so many plans and recommendations to offer, but most of the people do not understand it.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
*Disclosure: My company does not have a business relationship with this vendor other than being a customer.