Buyer's Guide
EPP (Endpoint Protection for Business)
January 2023
Get our free report covering Sophos, CrowdStrike, Broadcom, and other competitors of Microsoft Defender for Endpoint. Updated: January 2023.
670,400 professionals have used our research since 2012.

Read reviews of Microsoft Defender for Endpoint alternatives and competitors

Sachin Vinay - PeerSpot reviewer
Network Administrator at Amrita
Real User
Top 5Leaderboard
Easily detects advanced attacks based on user behavior
Pros and Cons
  • "The best feature is security monitoring, which detects and investigates suspicious user activities. It can easily detect advanced attacks based on the behavior. The credentials are securely stored, so it reduces the risk of compromise. It will monitor user behavior based on artificial intelligence to protect the identities in your organization. It will even help secure the on-premise Active Directory. It syncs from the cloud to on-premise, and on-premise modifications will be reflected in the cloud."
  • "There is no option to remedy an issue directly from the console. If we see an alert, we can't fix it from the console. Instead, we must depend on other Microsoft products, such as MDE. That is a significant drawback. It simply works as a scanner, which can sometimes put enough load on the sensors. Immediate actions should be possible from the dashboard because. It can prevent issues from spreading further."

What is our primary use case?

I work for a university, and we use Defender for Identity for students, faculty members, researchers, etc. It's around 4,000 end-users. We have a completely Azure-based environment, and all of our users have migrated to the cloud. While we still have some on-premise users, we have synced our user base to the Azure Active Directory in the cloud. 

We require identity protection because most cybersecurity cases today involve identity harvesting. Microsoft Defender for Identity proved to be the best solution for providing support for malicious identity-related issues. Our entire cloud setup is protected. 

How has it helped my organization?

Our enterprise usage entirely depends on identity-based users. Any identity issue or attack could lead to massive data leakage in our environment. Defender for Identity is easy to use and provides precise details on the timeline to facilitate quick transfers.

Microsoft creates a database of critical vulnerabilities that they are constantly updating. Whether it's an old-fashioned or novel attack, it promptly notifies us. It may take some time to identify if it is a brand-new threat. Once it is located, it will tell us what the issue is.

We need to analyze the security features monthly and validate them. Microsoft Defender provides the correct solution for this. It will give you the proper security progressions that happen in Microsoft. We can define levels of security and prioritize security concerns, so we take action on the high-priority problems first. Regarding password resets, etc., there are less-complicated issues that don't pose a risk of data leakage, so we assign a lower priority.

It helps us be proactive because it will notify us about the preventive measures we can take. Once it flags a vulnerability, we can investigate the root cause. So that way, we can mitigate the most critical threats with this set of notifications from Defender.

Defender for Identity has affected our on-premise security because we need less identity management. Everything can be handled on the cloud. We require fewer devices for identity management, so it has reduced our hardware shortage.

It has saved us time by providing prompt notifications. We don't need to spend more time on SIEM solutions. Usually, we would require SIEM solutions or advanced log-based analysis solutions to find all the identity compromises or any identity-hijacking issues. We needed a designated person to check all these aspects with advanced threat-detection programs. We can eliminate all these challenges with the help of Microsoft Defender for Identity. It has cut the time spent on these tasks by 50 percent. 

Defender has also saved us money because we don't require traditional identity-based solutions in the firewall. We needed different identity-based solutions for the cloud, virtual machines, etc. Microsoft has this legacy proprietary feature, so we don't need other solutions. It has considerably reduced our budget by around 30 percent. It has sped up our detection and response time by about 10 percent. 

What is most valuable?

The best feature is security monitoring, which detects and investigates suspicious user activities. It can easily detect advanced attacks based on the behavior. The credentials are securely stored, so it reduces the risk of compromise. It will monitor user behavior based on artificial intelligence to protect the identities in your organization. It will even help secure the on-premise Active Directory. It syncs from the cloud to on-premise, and on-premise modifications will be reflected in the cloud.

Identity harvesting is the most common threat. Legacy Microsoft solutions and Amazon face the same issues in the cloud. Users don't implement other security mechanisms in the cloud. In an on-premise environment, we would have multiple security devices like firewalls and several layers of security. Cloud users are less bothered because cloud features are there and only need to be configured.

Microsoft Defender for Cloud is the best solution because all threats are completely visible, and it has a great dashboard. The dashboard displays each threat and score, so we can identify the threat rating and act efficiently to avoid compromising user identities.

We have a  single sign-on feature on the cloud. If we lose a single set of identities, it can compromise the entire organization, including cloud and on-premise. The same identities are being used everywhere. The user activity has to be completely visible on the dashboard, and it has to generate a pattern. It will notify us if there is any security breach.

It is a complete monitoring set. Minor changes in the user identity can lead to data leakage. If a password is changed in the cloud, it will be reflected automatically in the on-premise. This minor change will trigger an alert in Microsoft Defender for Identity. It ensures that each cloud identity is well protected from spoofing. It has a comprehensive database of well-known spoofing techniques, enabling us to provide cloud identity protection completely. 

It has a vast scope because it is completely single sign-on. In the emerging industry, we use single sign-on because users need to authenticate, but it's challenging to remember multiple passwords. Once your user signs in, you can access all the data. An identity compromise would lead to various issues and affect the data on-premises. Defender maintains a constantly updated database with the latest signatures, attack models, and threats. If it detects one threat, it will monitor the suspicious event and give us frequent alerts.

Identity protection is vital because we use an identity mechanism for everything, including firewall-related activities. The exact identity used in the cloud is used in the most complex firewalls. We require an excellent migration technique to regain this user credential if something gets compromised. Blocking this requires a massive set of procedures. Microsoft Defender comprehensively monitors identity and provides frequent alerts regarding any issue, so we don't need to think of anything else.

Defender's bidirectional sync capabilities are helpful because we need to sync data from multiple directions, including tenant-to-tenant, on-premise-to-cloud, and cloud-to-cloud syncing. As a university, we have multiple tenants, so we need to sync or access data across platforms. That way, everything is more secure, and Microsoft Defender for Cloud also provides ample security for cloud transfers.

The bidirectional sync capabilities are flawless—10 out of 10. Our on-premise Active Directory is perfectly synced with the Azure AD. Everything is synced with on-premise, and changes are reflected in minutes. If a problem with identity is addressed on the cloud, the fix will be mirrored on-premise and vice versa.

Microsoft Defender for Cloud and Identity are bundled. If we have these two solutions, we don't need to worry about anything else or third-party antivirus. Microsoft Defender for Identity acts as a link to all the Microsoft security features that require identity-based validation. Microsoft Defender instantly provides identity security for all our applications, and users need not worry about typing their passwords. Even in situations with less complex encryption mechanisms, users don't need to worry about typing in their passwords. Defender will check and monitor if there are any flaws in that, and it will let us know if there are any issues.

We're a Microsoft shop, so everything works together. If one feature isn't working, everything will be affected. If Defender isn't working, half of our Microsoft security features will be dead. Without identity security, user data can easily be compromised, and data can fall into the hands of intruders or other hackers. The solutions have to complement each other. If anything got wrong, the entire setup would have flaws.

Microsoft security has a legacy security mechanism. A while back, we might have gone with Defender for Endpoint, but Microsoft has also grown into the face of the cloud. The same Defender solution is completely maintaining cloud security. We can imagine Microsoft's vast scale and how Defender can protect the cloud environment from vulnerabilities and attacks. We are definitely delighted with Microsoft products.

The dashboard features are fantastic because it provides a comprehensive overview. It has a great alert mechanism and log inspector that tracks when users access various servers. With this kind of identity validation, we can control which servers the users can access. We have total visibility from the dashboard. We can track identity usage even if there are no issues. That is an essential advantage.

What needs improvement?

There is no option to remedy an issue directly from the console. If we see an alert, we can't fix it from the console. Instead, we must depend on other Microsoft products, such as MDE. That is a significant drawback. It simply works as a scanner, which can sometimes put enough load on the sensors. Immediate actions should be possible from the dashboard because. It can prevent issues from spreading further.

For how long have I used the solution?

I have used Defender for Identity for six years.

What do I think about the stability of the solution?

Defender for Identity is extremely stable. We don't experience any bugs because Microsoft has a three-tier system for checking everything. 

What do I think about the scalability of the solution?

Defender for Identity is completely scalable.

How are customer service and support?

I rate Microsoft support 10 out of 10. The technical support is good, but we don't need it for Defender because everything is pretty straightforward.

How would you rate customer service and support?

Positive

How was the initial setup?

Setting up Defender is straightforward and took two days. We require system admins to check for data mismatches. Once we implement the security, the cloud and on-premise data have to be perfectly synced. We need to ensure the on-premise data can be secured from Defender. It doesn't need maintenance after deployment. Everything happens automatically.

What was our ROI?

The return on investment is there because we don't need to add complicated security managers in the cloud where we need security-based virtual machines running Azure or other cloud platforms. It considerably reduces the time system admins spend on management. The subscription cost is cheaper than deploying a complete hardware setup. It is budget-friendly.

What's my experience with pricing, setup cost, and licensing?

Defender for Identity is a little more expensive than other Microsoft products. Identity and Microsoft Defender for Cloud are both a bit costly.

What other advice do I have?

I rate Defender for Identity nine out of 10. I would give it a perfect 10, except for the inability to remedy issues directly from the console. Defender for Identity is a popular product because most endpoint users already use Defender, so they will be familiar.

When dealing with single sign-on, an identity-based cloud solution is essential for all enterprises because most security concerns are related to identity. It's easy for hackers to hack into servers with compromised identities. We need a legacy enterprise product like Microsoft Defender or a close competitor like Kaspersky. If user identities are compromised, your entire infrastructure will be in danger. Even if the cost is high, you need an enterprise product like Microsoft Defender for Identity.

It's challenging to integrate solutions from multiple vendors. If we used several vendors, we would need to spend a lot of time checking to ensure they integrate correctly. We must also establish an adequate surveillance solution to monitor these different products. It's a headache for the system admins. System administrators have fewer security concerns with an all-Microsoft setup because the elements work in sync. It's easy to monitor the data from any instance, so the data is more secure and accessible. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Owner at a security firm with 1-10 employees
Reseller
Top 10
Very customizable but slow in the cloud environment
Pros and Cons
  • "The features that I have found most valuable are the ability to customize it and to reduce its size. It lets you run in a very small window in terms of memory and resources on legacy cash registers."
  • "Everything with Fortinet having to do with their cloud services. They need to invest more in their internal infrastructure that they are running in the cloud. One of the things I find with their cloud environment compared to others' is that they go cheap on the equipment. So it causes some performance degradation."

What is our primary use case?

Our primary use cases for Fortinet FortiEDR are cash registers and endpoint, and point of sales.

The reason we originally started with FortiClient with one of our clients in the first place was that they were able to have legacy cash registers, a really old technology, which we had to get to run in a small resource space, and FortiClient, which was the predecessor, allowed us to literally pick and choose what features we wanted in the client and reduce its size, which you couldn't do with any other types of clients that were out there. That's how we started with that.

It is mostly on premise and any cloud services that we use are directly from Fortinet themselves. I would call that public cloud. We do run some of the customer's environment in private cloud, basically co-location. This has provided the services back to their dataset. I am talking about Fortinet's cloud for the public. For the private stuff it was basically out at Q9, which is the co-location provider.

How has it helped my organization?

Fortinet FortiEDR has the ability to customize the footprint of the client or the agents on the device and on the endpoint.

What is most valuable?

The features that I have found most valuable are the ability to customize it and to reduce its size. It lets you run in a very small window in terms of memory and resources on legacy cash registers. The customer has literally about 800 cash registers. That was the use case for Fortinet FortiEDR - to get that down into a tiny space. The only way to do that was to use this product because it had that ability to unbundle services that were a surplus.

What needs improvement?

In terms of what could be improved, I would say everything with Fortinet having to do with their cloud services. They need to invest more in their internal infrastructure that they are running in the cloud. One of the things I find with their cloud environment compared to others' is that they go cheap on the equipment. So it causes some performance degradation.

A classic example of that would be products like FortiMail where you're basically acting as a mail relay. So say you're on a support call and I'm sending you a mail with document that you expect to come to you immediately, or within 30 - 60 seconds, could take up to 45 minutes because of the load on the cloud services. This can result in trouble tickets and other customer side issue.

In the next release I would like to see more investment in their cloud services. Additionally, they definitely need better integration into their FortiSIEM and FortiSOAR solutions.

They should continue to improve that and possibly include a managed threat hunting feature, an MDR solution.

For how long have I used the solution?

I'm a Fortinet Gold Reseller but primarily we're a consulting company, not a product company. We tend to be agnostic with the one caveat being Fortinet, and only because I was the first guy in Canada to get certified in that, and also the first guy to sell it. There is a personal preference there. But I'm looking deeper into more enterprise security solutions that are SASE and endpoints and EDR, XDR, MDR, all that kind of stuff.

We've done work primarily with FortiGate deployments, but we've also done multiple SD-WAN projects and we've worked with FortiEDR, which is similar to their version of EDR. We've worked with FortiClient before that. As far as FortiCloud goes, we've worked with FortiMail in the cloud, we've worked with FortiManager in the cloud, but we haven't gone into CASB stuff yet.

We also do some Fortinet managed services in our customer base. So I have worked with Fortinet since 2004, 2005.

Fortinet FortiEDR has only been out for a couple of years. We've been working with it for a couple of months, primarily migrating a customer from FortiClient to FortiEDR.

We haven't done full scale deployments of FortiEDR yet, it's still fairly new.

What do I think about the stability of the solution?

In terms of stability, EDR is a pretty decent solution, but it's not best of breed. One of the challenges with Fortinet, and all of these vendors, is that they are doing acquisitions and doing things to retrofit into their environment, but there's a dependency on legacy or other features that Fortinet has, and Prisma from Palo Alto has. They have their own products, which are how their system is designed. It's really a suite of products. Fortinet is now FortiFabric, with Palo Alto it's Prisma, Prisma Cloud and XSOAR and all that stuff.

All these types of companies are not as flexible. I think in the future, people are not going to be interested in having these huge complex suites of products in order to take advantage of integration.

If you look at a true SASE solution, for example Zscaler, it's a product on its own. And it typically integrates with industry best of breed products first. So Zscaler would work with CrowdStrike or Microsoft Defender before it's going to work with an integrated solution like Palo Alto or Fortinet.

I'm finding more and more that these companies, Palo Alto, Fortinet, Check Point, Juniper, are all doing well right now. But I think in the next year to two, you're going to see a transition away from that type of technology.

It is actually one of Fortinet's big selling points that they're not maintenance heavy and they've got their gang leveraging all the other components. It actually updates itself automatically if you choose. And it has the ability, using FortiManager and other products, where you can push out policies very easily across multiple appliances, although that requires proper design and architecture from the beginning to make sure that you've got cookie cutter configurations across your enterprise.

What do I think about the scalability of the solution?

Scalability is Fortinet's sweet spot, even though they're heavily focused trying to sell into enterprise, their sweet spot is still mid-size, SMB, customers.

Those products work well in an environment which is below 3000 users. It also works well in in terms of large enterprises, like a bank.

I don't see EDR really expanding. Fortinet Firewalls is another story. Firewalls can scale up to very large enterprises, including Telcos, but I don't see the EDR product deployed in those environments.

How are customer service and support?

Their support is getting better.

Right now it is not that good. Fortinet was never big on technical support. I think they went by the theory that if it was hard to write, it should be hard to understand. Their technical support is getting better, but if you compare it to Cisco, it's not as good and it never was. It is one of their weak points. Its response time is not bad, but the attitude of the people on the phone is. It's the amount of information they ask for to do an RMA, for example. They can be very challenging to work for. That's an opportunity for managed security providers, because if you confront them, and take it away from the customer, it makes the customer's experience much better. So a bad support center is good for an MSSP.

How was the initial setup?

The initial setup is complex compared to stuff like CrowdStrike or other products where you can just sign up and download and it, and it works.

It's a little bit more complex with FortiEDR because you're dealing with the setup and management of it, whereas in products like CrowdStrike, it's pretty automatic and it's just a question of a radio button to turn on or turn off additional features that you may want.

For example, going EDR to XDR or going EDR to MDR in CrowdStrike, you can do that in Fortinet but you have to implement FortiSOAR and all this other stuff.

Initially the setup took us a while, simply because we had to mess around with the client. We are talking weeks because we had to test and make sure that there were no performance issues and no interruptions in the flow of data, etc...

That took us probably five, six weeks to get up in a POC type environment. Once we got that, it's cookie cutter. You have an image that you deploy that already has that compiled in it, and it works pretty easily.

What's my experience with pricing, setup cost, and licensing?

Fortinet FortiEDR is priced pretty competitively if you compare it to other companies that are in the same boat, like Palo Alto, who have similar product suites. It is reasonable. In the industry, they call Fortinet the Chevy of Perimeter Security and Palo Alto the Cadillac. I think that's undeserved. I think Fortinet is actually, in the long run, a better product, but it has that reputation because of their pricing. Palo Alto, right off the bat, charged a much higher premium, which created the illusion that you're getting a better product. Palo Alto products are brutally expensive.

But that's the way Palo Alto works and it works for them. Although, I've heard rumors that they're changing their channel model where they're going after enterprise customers directly, rather than forcing it through the channel. Fortinet is a 100% channel, Palo Alto is not. And that's affecting them. If you look at stock prices and earnings, Fortinet is actually doing better.

What other advice do I have?

With any of these products, you need to step back and look at where the wave of technology is going in the security posture. I think that you need to step back and say, "Here's my current situation, what's the best solution two to three years from now?" If you look at that, I don't see Fortinet or Palo Alto or any of those traditional product vendors being the future state.

These companies are like system integrators. A lot of system integrators went out of business mostly because they couldn't make the paradigm shift from a product led business to a service led business. I see the same type of thing happening in the traditional Perimeter Security companies, that are not designed from the ground up. They make an acquisition of a product and they try to integrate it into their business model, and to leverage all their other products in a suite. That's not the way the industry is going.

On a scale of one to ten, I would rate Fortinet FortiEDR somewhere around a six.

It goes back to what I said that I don't think it's got a huge future. If you compare it to CrowdStrike or those type of products, it is very similar to Palo Alto's Cortex, they didn't even come out with an an EDR solution, they went directly to an XDR solution. What is XDR penetration? About 2% of the market right now. It's just not a fit to the future. That's why I give it a six.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer:
Sr. Security Lead at a healthcare company with 10,001+ employees
Real User
Enables us to see at a glance whether users have device control and disk encryption enabled properly
Pros and Cons
  • "The fact that Morphisec uses deterministic attack prevention that does not require human intervention has affected our security team's operations by making things much simpler. We don't have to really track down various alerts anymore, they've just stopped. At that point, we can go in and we can clean up whatever needs to be cleaned up. There are some things that Morphisec detects that we can't really remove, it's parts of Internet Explorer, but it's being blocked anyway. So we're happy with that."
  • "Some of the filters for the console need improvement. There are alerts that show up and just being able to acknowledge that we've seen those and not turn them off, but dismiss them, would be a huge benefit."

What is our primary use case?

We purchased Morphisec primarily to help mitigate and protect us against Ryuk ransomware back in December when that was running really rampant. The antivirus that we were using at that point was outdated. We were looking to move to a new vendor, and we needed something as a stopgap to supplement our current antivirus. Morphisec fit that bill perfectly. It had features that our antivirus did not. It had an immediate deployment and immediate return on investment that we just would not be able to get if we were to turn around and try to deploy a full-blown antivirus across the entire environment. Morphisec was quick, simple, and did not conflict with anything that we already had. It also did not cause any additional delays in our virtualized environment, which was a huge concern for our infrastructure team. It just fit perfectly.

We've detected things that our antivirus was not picking up. We had no visibility or control over anything that was running in process memory. Morphisec immediately started blocking things that should not have been running in process memory. It also gave us visibility into the Windows Defender antivirus that we did not have without increasing our Microsoft licensing and gave us some basic control over Defender as well. We previously used McAfee.

How has it helped my organization?

The fact that Morphisec uses deterministic attack prevention that does not require human intervention has affected our security team's operations by making things much simpler. We don't have to really track down various alerts anymore, they've just stopped. At that point, we can go in and we can clean up whatever needs to be cleaned up. There are some things that Morphisec detects that we can't really remove, it's parts of Internet Explorer, but it's being blocked anyway. So we're happy with that.

It's very important to us that it offers visibility into and control over Windows 10, native device control, disc encryption, and personal firewall. We're actually in the process now of deploying the control over the firewall so that we can consolidate to a single pane of glass for our antivirus and controls. It will help us through leveraging group policy, which can fail, especially if the machine drops off of the domain, we have a significantly larger remote than we did a year ago. We have machines that don't necessarily get the policies they need to get when they need to get them. Morphisec fixed that.

The level of control from Morphisec Guard compared to Windows 10 Native Security tools is a bit more basic than the Windows 10 Native Controls. You basically enable the firewall or you disable it, based on the various profiles. I have not yet seen a way to create exceptions in the firewall or rules and things like that but those can be pushed through group policy, regardless. As long as the firewall is enabled, it's functioning and it's doing better than if there was no policy applied at all.

Morphisec Guard enabled us to see at a glance whether our users have device control and disk encryption enabled properly. It is especially important with our remote workforce. Disc encryption is an absolute must. And the device control, USB devices, is also an absolute must.

It has reduced the amount of time we spend investigating false positives. It reduced our amount of chasing antivirus alerts by about 80% a week.

Our team's overall workload has also been reduced by about 30% on a weekly basis of our workload, we would spend a lot of time tracking alerts.

It has enabled us to take Morphisec and leverage one product where we would have had to have had at least two previously. I don't really have numbers for what that would look like. We didn't really investigate too many other vendors in that space, but it's probably at least 50% savings over what we would have needed. So it has helped us to save money on our security stack.

What needs improvement?

Some of the filters for the console need improvement. There are alerts that show up and just being able to acknowledge that we've seen those and not turn them off, but dismiss them, would be a huge benefit.

For how long have I used the solution?

We've been using Morphisec for about six months now. It is installed on our endpoints and servers. We have a SaaS version of the console.

What do I think about the stability of the solution?

I've had 100% availability anytime I've needed to go look. I have not had any issues in any of our environments with the agents.

What do I think about the scalability of the solution?

Scalability is very easy. We can just call and say that we need more licenses and they give us more licenses and we can push that agent out. It's the same executable file we have on our file shares. We just expand however many we need, to as large as we want to go.

We have about 8,000 endpoints, 2,500 servers, and 4,000 virtualized desktops.

Our next step would be to purchase the Linux agent and get that on the few Linux servers and appliances that we have.

How are customer service and technical support?

The technical support has been fantastic. Any feature requests I've had, any issues I've run into, which have been very minimal, they've had an immediate response. Turnaround for feature requests is really, really fast. I've seen it within the next update which they do monthly. They provide great technical support. 

Which solution did I use previously and why did I switch?

We looked at Bitdefender, Trend Micro, and Microsoft Defender. We are still using Microsoft Defender in conjunction with Morphisec in a small pilot group. We're still evaluating where we want to go for a true antivirus solution. So, we still have a small deployment of Defender.

Deployment was the biggest difference between Morphisec and the other solutions. It was far simpler to deploy Morphisec without having to remove another antivirus, without having to make a large-scale project, or look for compatibility. It works on all supported operating systems. It works in conjunction with other antiviruses. We didn't have to create exceptions and there were no conflicts with the antivirus we were running and Morphisec. So that really helped us make that decision, purchase this, roll it out, and have it supplement our existing technologies. And it gave us an almost immediate return on investment.

How was the initial setup?

The initial setup was very straightforward. We deployed it via group policy. We had it deployed across the entire environment in about three days.

What's my experience with pricing, setup cost, and licensing?

There are no additional costs to standard licensing. We've had full support. I get biweekly calls with my technical account manager and we purchased the licenses for everything we needed for a single cost.

What other advice do I have?

If you have the ability to get Morphisec into their environment, it's going to be a hundred percent return on investment. I would recommend it every time.

If you can, get it and run with it, because it's great. It's been eye-opening, the things that other antiviruses were missing, and we've seen it protect against zero days. We've seen it protect against ransomware that other antiviruses have not even seen.

I would rate Morphisec a ten out of ten. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
SimonThornton - PeerSpot reviewer
Cyber Security Services Operations Manager at a aerospace/defense firm with 201-500 employees
Real User
Top 10
Has good process visualization and automated response capabilities, and comes with excellent support and flexible licensing
Pros and Cons
  • "The process visualization, automated response, and snapshotting are valuable. The integration and automation possibilities are also valuable."
  • "The update process can be better. It is very easy to deploy, but over a long period, the updating process can be a little messy. In some EDR solutions, you end up with a very good mechanism to push new versions. It could do with a little work in that area. It is not particularly difficult, but it could do with a little work."

What is our primary use case?

We're a partner of SentinelOne, but we're also a partner of many other companies. We're not a vendor per se. We sell SOC as a service, and as a part of that service, we provide protection solutions. My area is around antivirus. So, we are not a reseller in that sense.

I am using its latest version. It can be deployed on-prem as well as on the cloud. I have customers with a requirement for both. SentinelOne provides their own cloud because that's where they do their artificial intelligence (AI).

How has it helped my organization?

SentinelOne is what they call extended detection and response (XDR). So, it is the next generation of endpoint detection. The main difference between Endpoint Detection and Response (EDR) and XDR is that in XDR you have visibility on how something is executing. An EDR solution detects a suspicious or malicious package based on its signature or its behavior and sends an alert, but the problem is that you only see the file that it alerts on. For example, if it is an attachment to an email, you'll see the trigger on the attachment when you try to open it, but what you don't always know is from where that came. With an XDR solution like SentinelOne, you can see the whole process execution. You can say that it was executed from inside Word, Outlook, or something else. For example, when you opened an attachment in Outlook, it triggered Word and got opened in Word. This whole process execution is visible with XDR. It also offers the possibility to suspend or respond intelligently. So, you can use it not only to detect that the package is suspicious, but you could also suspend it so that when the person comes to investigate, the suspended process is still there.

What is most valuable?

The process visualization, automated response, and snapshotting are valuable. The integration and automation possibilities are also valuable.

What needs improvement?

The update process can be better. It is very easy to deploy, but over a long period, the updating process can be a little messy. In some EDR solutions, you end up with a very good mechanism to push new versions. It could do with a little work in that area. It is not particularly difficult, but it could do with a little work.

For how long have I used the solution?

I have been using it for about a year and a half.

What do I think about the stability of the solution?

It gives good stability. It can have an impact on the performance of the workstation, but that is usually a question of tuning. From a stability point of view, I've never had a machine with a blue screen.

What do I think about the scalability of the solution?

It scales very well.

How are customer service and support?

They're excellent. I would rate them a five out of five.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We are technology agnostic in the sense that if a customer doesn't have a solution, we'll make a recommendation. If they don't have a solution, then our recommendation goes along the lines of SentinelOne, Palo Alto Cortex, Microsoft Defender ATP, or ESET. These are the ones that I typically would recommend, but Microsoft Defender ATP is problematic because you have to have the Azure and Office licenses to get it. For the other ones, you can buy the licenses separately. We also take over other solutions. I have some customers on Kaspersky and other solutions.

How was the initial setup?

It is straightforward. If we deploy it from a URL where it downloads, it can be done in 10 minutes. If it is coming from an internal deployment server, it can be a few minutes. It is essentially headless. There are no prompts.

What about the implementation team?

I have six people, but they normally work with the customers. As an MSSP, we normally work with the customer IT teams to deploy the agents in large companies. In small companies, it could be our people who do it. 

The number of people required depends on the number of endpoints, but generally, the number is low because it is a very simple installation. In fact, we even have end users running this.

What was our ROI?

It has the best ROI that I've seen. If I compare it to Microsoft Defender ATP or Defender for Endpoint, which a lot of people compare it against because it's included with the E3 or E5 Office licenses, Defender is three to five years behind SentinelOne. You're also tied to Microsoft's licensing scheme, whereas SentinelOne is independent of all of them. The ROI is very good. For me, its closest direct competitor is either Cybereason or Palo Alto's Cortex.

What's my experience with pricing, setup cost, and licensing?

Its price is per endpoint per year. One of the features of its licensing is that it is a multi-tenanted solution. From an MSSP point of view, if I want to have several different virtual clouds of customers, it is supported natively, which is not the case with, for example, Microsoft Defender.

Another nice thing about it is that you can buy one license if you want to. Some vendors insist that you buy 50 or 100, whereas here, you can just buy one.

The Singularity product has three versions: Singularity Core, Singularity Control, and Singularity Complete. The Singularity Complete one is really what I consider an enterprise rate solution. The middle one, Control, is more than adequate. In terms of price, it works out very similar to what you would pay for Kaspersky or for any other solution. The licensing per endpoint, per year, and per version is progressively more expensive for the Core, Control, and Complete versions. 

The interesting thing is that it is possible to upgrade across the versions without a major change. If a customer buys the most basic installation and would like some of the features out of the middle, it is possible.

What other advice do I have?

You have a choice between an on-premise console and the cloud. My advice would be to use the cloud, but it is a consideration of whether your endpoints can connect to the cloud or not. One of my customers is in the military defense area, and they have no connection to the internet. So, we had to deploy on-prem. What you don't get with the on-prem is all the AI. So, if you're deploying on-prem, you get the core features of SentinelOne, but you don't get all of the bells and whistles that you get from the cloud environment. The same is true for Cisco AMP and other solutions that are deployed on-prem. So, you need to consider how you're going to consume it if you have a disconnected network. If you're in the financial world, a lot of the production networks are not connected to the internet. So, solutions like Microsoft Defender are not an option because they're cloud-based, whereas SentinelOne is an option in those environments.

I would rate it an eight out of ten. It is a very good solution, but you have to compare it to understand it better.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
Director, IT & Systems Security at Tilson
Real User
Top 20
Good visibility helps us make educated decisions, easy to scale, helpful threat-response support
Pros and Cons
  • "The Protect functionality on the laptops provides great visibility into what's occurring, and the cloud management of the platform is what we needed."
  • "The console is a little cluttered and at times, finding what you're looking for is not intuitive."

What is our primary use case?

We implemented CrowdStrike because we needed to identify a new solution to address a 100% remote workforce, both because of COVID, but in general, our workforce is very distributed around the country.

How has it helped my organization?

The primary way that CrowdStrike has improved the way our organization functions is visibility. When we do have an issue, the ability to see what was happening before, during, and after the issue on the target laptop or server is far better than what we were used to.

Having the updates happening automatically, with a third-party defining those updates and pushing those in, also providing us visibility into the current status of all of our endpoints, is critical.

We use Falcon's endpoint and cloud workload protection, which is deployed on our Azure cloud servers. It is definitely one of the top options available to any organization. We had reviewed 10 different applications in the EDR space and Falcon was one of the top three that we had identified.

In terms of preventing breaches, so far, it's doing great. Definitely, in our testing that we do every month, it is identifying issues that arise with more certainty. Simply, the team has more confidence in what they're utilizing as a tool and it has freed them up to work on things that are a more efficient use of their time.

What is most valuable?

The Protect functionality on the laptops provides great visibility into what's occurring, and the cloud management of the platform is what we needed.

It is important to us that this cloud-native solution provides us with flexibility and always-on protection because we have a 100% distributed workforce, in place even before COVID. To manage 600 remotely-deployed laptops requires a cloud-managed solution.

What needs improvement?

The console is a little cluttered and at times, finding what you're looking for is not intuitive. Once you find it, it's great, but it's not always very intuitive as to how to find exactly what you're looking for sometimes.

For how long have I used the solution?

I have been using CrowdStrike Falcon for six months.

What do I think about the stability of the solution?

We have had no issues at all with stability, and no conflicts on any of our endpoints or servers.

What do I think about the scalability of the solution?

It seems to be limitless from a scalability standpoint. Definitely, there would be no impact on our end, and we haven't noticed or run into any issues as we scaled from our initial 10 systems to 600. There was no difference in speed or reporting, et cetera.

So, scalability does not seem to be an issue.

How are customer service and technical support?

Technical support is an area for improvement. If you have an actual issue, such as an identified threat, then they are very good. However, if you're struggling to figure out what might have occurred, we're still trying to figure out how to get our best support from CrowdStrike in those situations.

Which solution did I use previously and why did I switch?

Prior to Falcon, we were using Webroot.

The primary improvement that we have seen is visibility. We had no visibility into what happened before, during, and after a situation with Webroot, but with CrowdStrike, we have that visibility, which allows our team to make educated decisions. In terms of detection and prevention, I believe it's all experiential so far. Falcon has been very good at both detection and remediation for any issue that has come up.

How was the initial setup?

The sensor setup and deployment were extremely easy. We were able to deploy a hundred percent of our endpoints within 60 days. We found it to be very smooth.

It was a very simple deployment strategy to get the agent out to the end-users. It was so smooth that we didn't even have to notify the end-users that it was being done. It just happened automatically. 

There was no conflict between CrowdStrike and our existing EDR that we were going to get rid of. After the installation, we were able to have the old EDR totally removed within 30 days.

What about the implementation team?

We had two people for deployment and we have one for maintenance. Their roles are in information security.

What was our ROI?

We have seen ROI in that our team is freed up to work on things that are more important.

What's my experience with pricing, setup cost, and licensing?

We took advantage of Falcon's free trial before purchasing it, and it was very easy to get it. We were on the phone with a representative discussing our next steps and they offered the free trial, and we were set up and functional with it the next morning. Having a free trial period is something that is expected. If anybody wants our business in this space then it's necessary because we aren't going to purchase something without trying it first.

The pricing is not bad. It's on the higher end of the market, but you get what you pay for. It's a little on the confusing side because the name of the item they're selling doesn't match what you see when you log into the product.

If you buy "Protect" and you log into the product, you don't see "Protect". You see something else, like "Identify" or whatever. So, they need to do a better job of aligning product names from the sale to within the product.

There are add-on fees for different packages that you can buy, and we are looking at adding on some feature functionality as we go forward.

Which other solutions did I evaluate?

We evaluated 10 different solutions in the EDR space. The top three included CrowdStrike Falcon, Carbon Black, and Microsoft's ATP.

CrowdStrike was a little better, cost-wise, than the other two. Also, I felt that the console for managing the platform was easier for my team.

What other advice do I have?

My advice for anybody who is looking into implementing this product is that every organization is slightly different in its needs, and CrowdStrike may or may not be the right solution. Once you can do a trial and a bake-off of multiple options, you'll find if CrowdStrike is the right solution or not.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
EPP (Endpoint Protection for Business)
January 2023
Get our free report covering Sophos, CrowdStrike, Broadcom, and other competitors of Microsoft Defender for Endpoint. Updated: January 2023.
670,400 professionals have used our research since 2012.