Microsoft Defender for Endpoint Reviews

Our use cases, and the way we deploy it, depend on the different situations we encounter.

There may be a company that is already using the Endpoint Protection solution and we have to do a migration.

Another scenario is that a company may be migrating away from another endpoint threat protection solution.

And there are some companies that are already using SCCM, and we may have to go through one of two scenarios. One is to co-manage with what they call Microsoft Endpoint Manager and Configuration Manager. If they are already using SCCM, and only SCCM, we will typically have to go through a process where we integrate SCCM into Endpoint Manager and then they'll usually bring some endpoints into Intune and they'll do a PLC. They have to Azure AD-join or register a device into that so it can be managed through Intune. They may even co-manage it for a while until they fully onboard into Intune only. A lot of people are looking to get away from co-management and managing through Endpoint Manager. But there are some prerequisites to accomplish that.

The endgame for most companies is they want to manage things from Intune only. There are different paths to get there, depending on what they already have in place.

Overall, Defender for Endpoint has created a better security posture, particularly in these COVID times where no one is on-premises anymore and they're working remotely.

More than anything, what I find most valuable is the holistic integration with all Defender products and MCAS. You can not deploy this in a vacuum. It's like most Microsoft technology. If you want to do a Zero Trust model and framework, you have to deploy things in a holistic solution.

Among the new features I like is that you can ingest your Defender events directly into your SIEM/SOAR product, particularly Azure Sentinel, although not a lot of people are using that and you don't have to be using it. You can ingest them into any SIEM/SOAR product directly.

There are features that have helped improve a company's security posture, now that remote work has come into play. Microsoft had to come up with a solution because identity is the new security plan. The largest attack surface is going to be your endpoints, so you have to be able to control your endpoints. There is malware that can collect IDs and it doesn't have to be from privileged accounts, it could be from any account. Once they get in, then they can start looking around to see if there are any security holes, move laterally, and get a hold of a privileged account. And if they get a hold of a privileged then they can just turn off all your security controls and get to your data and you've got a ransomware attack. With Defender for Endpoint, it's the combination. Every one of the features in it is equally important, but the most important thing is integrating it with the other Defender products, to create a holistic solution.

The best feature is the fact that for certain mobiles you can control your corporate profiles versus your personal profiles. That is amazingly important. Apple just supported the separation of corporate and personal profiles, whereas Android has been doing that for quite some time. You are better off as an organization, when it comes to BYOD—because Apple just now started supporting separation of corporate and personal profiles—to start with the version that supports that feature. If you go below that level, you don't get that feature, and it makes it very difficult to separate corporate and personal profiles. Because Android supports that, if an Android phone is lost or stolen, I can wipe out all the corporate-related information from that phone and not touch the personal side. I can separate the apps and I can separate the ability to cut and paste between apps. I can cut the ability from sharing files between apps between the personal and corporate profiles. From a data loss prevention standpoint, I can completely segment corporate apps and data from personal apps and data.

Another feature is that it is now supported across multiple platforms, where it was regulated at one time for just Microsoft-supported operating systems. That development is very important.

There are a few caveats, things we have run into. It's not easy to create special allowances for certain groups of users. It can be a little heavy-handed in some areas where Microsoft has decided to lock a feature out, meaning they make it hard to make an exception. I'll give you two examples. One company we work with needed to use about 20 different thumb drives for about 20 users. To make that exception for them was very difficult. In fact, you can't really make an exception. But what you can do is allow them to use it and, while it will still alert, you can actually suppress those alerts. Another example was where a group needed to be able to go in and manipulate their PC ERP settings. To make an exception for them was also a difficult process. A lot of people have suggested that Microsoft should not, by default, make it so difficult by locking your ability to make exceptions.

Another issue is that when you implement this it is not a single solution in and of itself. You have to implement what are called security baselines for each platform. But Microsoft does not have security baselines, other than for its own products. That means that when you want to do a security baseline for say, iOS or Android, you have to depend on other security organizations' recommendations and set the security controls to create those security baselines for other platforms. You would typically use CIS. But when it comes to iOS, it's a real pain. iOS requires you to create a security baseline for every version of iOS. Android does not.

I've been using Microsoft Defender for Endpoint since it first came out. They bundled it into M365 licenses, particularly E5 licenses or the equivalent, around 2019.

Like every other security product out there, the stability of Defender for Endpoint is a work in progress. The solution is trying to address a tough problem and anybody will tell you that cyber security is not a fair fight. It's just incredibly hard to defend against the bad actors. Everybody is scurrying right now to come up with different ways to stop the problem and it's just not there yet.

In terms of scalability, we have run into organizations that are very large and that have said it doesn't scale well. I'm part of MISA, the Microsoft Intelligence Security Association, and we did a review of all their products and they all had scaling problems, including SIEM/SOAR, MCAS, Endpoint Manager, et cetera.

There are two "fronts" for anybody who is using a SIEM/SOAR: one is how fast they can ingest, and the other one is how fast they can make decisions. You want to do this in real-time, or near real-time.

The ingestion problem is that you're ingesting a bunch of stuff from everywhere: from the network, from identity, from all your services, and your apps. It's a crazy amount of data. Some organizations are doing on the order of 5 billion events daily. How do you ingest all that in a timely manner and correlate it? You have to do it in a distributed way. There will be a top-level SIEM/SOAR and several underneath it that are collecting data for a particular location or a set of users. You trim that down and eventually ingest stuff to the top so that you can see things from the holistic viewpoint. Or you decentralize it, where office A and all its users have their own, and office B has its own, and you don't necessarily roll it up into a single, corporate-wide solution.

There are products out there that are addressing this by not storing the events directly onto disk, but into flash drives, so they're super-fast. They never put it on a disk and save it. You can have the option of saving it to disk for long-term retention. But the immediate ingestion of events is happening through flash drives. It sits in fast memory, never gets written to disks, and that's how they're speeding things up. And there are AI/ML engines pulling that stuff in and they can act much faster.

In addition, some AI/ML engines are more mature than others. There is a lot of work being done on that front. When it comes to Endpoint Manager there are a bunch of events coming from a ton of endpoints. It's no different than ingesting events from a thousand database servers. Or they could be from your whole application reference architectures, and your data analytics reference architectures. Everybody sees the problem coming, the problem of big data. That's what we are really talking about. There is a whole lot of stuff coming in and we have to make sense of it, figure out what's relevant, have a scoring system and prioritization system to make decisions fast. For example, the bad guys are able to get into your systems and, within 20 minutes, they've already done an assessment. Usually, if you're lucky, you can respond to that in 30 minutes. And if you're a huge enterprise, you may not even be able to respond that fast.

That's the reason everybody says it's not a fair fight. We don't have the tools right now to react fast enough.

As for how extensively it's being used by our clients, anyone who is going to use it plans to use it as a one-stop solution. They won't be using multiple solutions and they will roll it out to every endpoint. It makes perfect sense to do so because you don't want to have multiple products and require your staff to have knowledge of multiple products.

For big corporations, it takes a little while to get there. It's something that has been evolving for 30 years now. Organizations want to settle on a standard desktop and want to be able to do configuration control that allows them to control the apps and the usability from a security standpoint. It used to be, "Let's make it easily usable." But now the industry is flipping that over to, "It has to be secure." The vendors have finally come to the point where the balance between usability and security is leveling out.

I've used multiple solutions in the past. We switched based on our customers' requests. Some do it for solution architecture reasons and some of them do it for enterprise.

The enterprise customers say, "Oh, we know we need Endpoint Manager, but we need to align a solution with our business requirements first. Before you even select a solution we are going to look at our business requirements, then do a bake-off possibly, and then select a solution." Or they'll just look at industry ratings of the solutions and say, "Oh, this is the best one," not knowing that those ratings don't necessarily look at every new solution out there. There are so many. We are a VAR and we resell hundreds of security and regulatory compliance products. Usually, unless they bring us in at the early stages of the process, our clients have already picked a solution.

The initial setup is very complex. To me, it's one of the more complex solutions because it touches so much. I have to know every platform and every platform version, when I create security baselines. As I mentioned, certain versions of iOS don't support the separation of corporate and personal profiles, and then you run into the scenario where they're already using some other endpoint protection and they want to migrate it to Microsoft Defender for Endpoint.

Or there is the scenario where they are using SCCM and to then use Microsoft Defender for Endpoint you should really require Endpoint Manager, meaning that you have to transition to that. And as I noted, making exceptions is hard. 

And when you integrate it across all the Defender products, and are managing a project like that, you have to get to a point where they're ready to be integrated, which is an issue of timing. So it's one of the more complicated things to roll out, compared to Defender for Identity. Defender for Office 365 is pretty large too, but Endpoint is the hardest of the three.

It even touches identity, because there are Azure Active Directory conditional access policies, and those are connected with Endpoint Manager. You've literally got to look at what policies and what setup within Endpoint Manager can apply to different versions of iOS. You have to dissect so that if you're going to do BYOD, for example, and allow a version of iOS from some early version and up, you have to understand that there may be some options that you can use with one version that you can't with others. It's much easier to do with Android than it is with iOS.

When you start heading down that path, it's a maturation process. You have to roll things out in phases. It's a very complicated product. Like with SIEM/SOAR products, when you start getting events, you could be flooded with them. You have to learn to tune it, so that you can differentiate the trees from the forest. You have to correlate things and automate your responses. That type of tuning process is a long process one to get the clutter out.

A product like Sentinel is pretty cool because it has predetermined workbooks, and predetermined manual and automated responses. It has playlists. They are making it very much easier to trim that clutter and to get to the nitty-gritty, and they have done so with Defender for Endpoint.

The deployment time, with fine-tuning, depends on the size of the organization. If it's a small or medium business, it could take three months to deploy and tune, and it could take longer; up to six months. It depends on many factors that I've mentioned, such as if they're migrating, or if they have an integration between SCCM and Intune. It also depends on the expertise level of the organization, its maturation level, and skill sets. All of that comes into play.

It also depends on their starting point in terms of some of the prerequisite services. You don't generally roll out Defender for Endpoint until you've got identity governance and protection. That's the first thing you do because everything is dependent upon that. After that, the prerequisite is rolling out Endpoint Manager, and then Defender for Endpoint. If it's a hybrid situation, you may roll out Defender for Identity so you can cover your Active Directory controllers and provide threat protection for them, although you can do all the "Defenders" in parallel; you just have to time them correctly so that when you integrate them together they're ready to go.

For large organizations, it could take a year or two. For example, if there are half a million endpoint devices—and that's possible if you have an organization with 200,000 employees and contractors, and each has a laptop and a mobile—it can take some time.

In terms of an implementation strategy, I have developed work-breakdown structures for just about every Azure service and almost every Azure M365 service. They look at working with them holistically, but they are broken down into each individual service and mention the other services within the work-breakdown schedule, and how you integrate them. The first thing I do is a current-state assessment and that gives me an indication of the readiness for deployment. The next steps are plan, design, deploy, manage, secure. There are strict sets of security controls and I have to gather every single one of those per platform. It's quite a long process. It follows the saying, "If you fail to plan you plan to fail."

As for staff required to maintain Defender for Endpoint, once you get it set up and tuned it's not too bad. It depends on the size of the organization again. If a business has 100 people, one person can do it easily. If there are a few thousand people, you may need two or three people. It often depends on your getting all the features rolled out. In IT it often happens that we roll stuff out and we always intend to get to that other piece but we just never get the time to do it. Many organizations are going to a lean staff and bringing in consultants to help roll things out. For us, as a contractor, it's great. Our business is booming.

Most organizations that we have come to want to replace their current endpoint protection solution for Defender. A reason many of them do that is that they aren't pleased with whatever they have. They may not know what features are relevant and just don't know how to roll them out. They realize, "Oh, I bought M365/E5 licenses, and Defender comes with them already. Why not use it?" 

Most people don't realize M365/E5 licenses are an amazing deal. They think "Oh, it's expensive," and I'll ask, "Compared to what?" If you don't have it you will have to buy licenses for multiple products to fill the same security space that you would have gotten with the Microsoft product. Go figure out how much it costs you per product, per user, and then come back and tell me how things add up financially.

If our client brings us into the process at the right time, we evaluate products for them, since we're evaluating products constantly. That's part of what we do. We have to know, through a deep-dive, the pros and cons of each. We are constantly being updated by our vendors about how they're addressing a particular security area.

Is Defender for Endpoint the best product out there? No, it's not. I can think of several others that are pretty amazing. It's still a product that's evolving, but it does a really good job for the most part. It does the best job when it is integrated with the whole Microsoft holistic solution. If you look at Microsoft's site, you will see what capabilities Microsoft has. They will show you how these products integrate and work together to give you a holistic solution to develop a Zero Trust model framework.

And while it's not the best solution overall, some of the pieces are. There are several areas where Microsoft is good or better than most, and then there are some weaknesses when you do Zero Trust. They don't have a secure web gateway product. Their MCAS or CASB product leaves a little bit to be desired. There are other solutions, in those two components of a Zero Trust model, that do a much better job. Zscaler probably has the bulk of the business but I'm a big fan of Netskope. There is Crowdstrike, and Forcepoint may be making some inroads because they just developed a new anti-malware technology. But none of them are going to be perfect because malware is a hard problem to solve.

There is also a new product I just reviewed for M365 Security that is pretty amazing on paper. Although I haven't actually kicked the tires on it yet, it looks really good and it's from one of the fastest-growing companies out there.

Think of it like this: If you don't buy E5 licenses or the equivalent with M365, you don't get Defender for Office 365. People don't realize that product is a kind of a split product. It's a multi-function product. It has some DLP pieces that work with MIP and it has some pieces that work with the Office 365 outlying suite. It's a little bit of a funky product.

But one of the things it has is a part of your Exchange Online protection. Without it, you don't get the features like anti-spam, anti-virus, safe links, and safe attachments. That combination addresses what is called a combined attack. You get an attachment and the attachment may have a link in it, or you get an email that has a link in it. They all look legitimate. If someone clicks on it, it takes them to a malware site, and bam! You just downloaded it into your computer and now endpoint protection comes into play.

Eighty percent of malware is still spread via email today. That's how they attack you. They're trying to penetrate your apps and they're even trying to penetrate your M365 online apps. This product works inline and they've already proven that, even with Defender for Office 365, there are still malicious messages getting through. The bad actors figure out how. They actually buy the product and figure out where its weaknesses are and they attack it. Because it's such a popular product it's the one they're going to target. It has the biggest attack surface. They've been attacking the weaknesses of M365, particularly the Exchange Online protection and all the weaknesses in Defender for Office 365. They've just been clobbering it. We're having a lot of people say to us, "Do a security assessment on our M365". All I can tell them is that it's not their problem as much as it's the product's problem right now.

Microsoft is trying to address things as fast as it can, but it's going to take months to get there. But here is another product you can add on that can help you fill those flaws. What this other company has done is that they've said, "We'll fix those flaws for you and we'll make it an easy process to do so." Usually, the circumstances in which you need an email security gateway is when you don't have an E5 license. But now they're even attacking that. And when that happens you have to change the MX record. With this new product that I've read about, you don't have to do that. It just supplements the weakness of M365, not only in Exchange Online protection but throughout all the other apps, like Sharepoint, Teams, and OneDrive. That's pretty impressive. And it works with all those products easily, without change in administration or training. It installs in minutes. I was floored when I saw that.

The organizations I have worked with that are using Microsoft Defender for Endpoint are mostly small- and medium-sized businesses. Our larger customers are generally not using it.

There was a service built within our organization, a service that is very much hooked in with CrowdStrike. If you've ever seen the CrowdStrike products, you'll understand why. They are pretty impressive products. They do some things that help them see malicious activity in near real-time. Can they react to it in near real-time? No. But like everybody, they are trying to find a way to be able to react faster. They just bought a company called Humio, which is a SIEM/SOAR product I referred to earlier that does not store events directly to disk, so it can act on things much faster.

Used alone, I would rate Defender for Endpoint a seven out of 10. When integrated with other Microsoft products, I would give it an eight. It really depends on other pieces of the solution for Zero trust to work properly. It won't work well if you deploy it by itself. If you're going to use Defender for Endpoint, you should also use Defender for Identity, Defender for Office 365, and the full gamut, including MCAS and MIP, and then you will need your SIEM/SOAR. It's a long journey. And you had better have done your identity very well. If you haven't, it won't really matter what you throw in place, once they breach your identity plane. That's the most important one. I can put every possible safeguard in place, but if someone gets the keys to the kingdom, I might as well just turn them off.

We use it as an antivirus and EDR solution. We also use it for vulnerability scanning and threat hunting.

It is cloud-based. We have a cloud-first strategy when it comes to our organization.

We are a very small, lightweight start-up organization who has only been around for a couple of years. We have 17 endpoints. 

We have it deployed on our endpoints and virtual servers. We have a few Windows Servers 2019, and we have onboarded those both onto Defender for Endpoint as well. Those servers are not managed by MDM because they are Server 2019, but we have onboarded them so they are being managed by Defender for Endpoint as well.

This solution definitely increases our security posture. When you are reviewing your existing fleet or endpoints and based on the configuration that you put out of your Defender for Endpoint, you then receive a security score from Microsoft. Depending on what rules you have configured, what policies you have deployed, and what attack surface reduction rules that you have set up and deployed, it is almost gamifying information security in the sense that you are always trying to achieve a higher score. The more hardening you perform on your endpoints, the better score you receive. This generally tends to give you a better peace of mind, but also makes you secure at the same time.

I like the fact that it is baked into the Microsoft platform. 

Since we have deployed it, we have been really impressed with the way that everything just stitches together really well. You can access all your security data and telemetry from a single pane of glass on the Microsoft Security admin console. You can access all your endpoints, see how your antivirus is running, and get all your vulnerability scans and reports. In the software inventories, you can review your known vulnerabilities and understand whether those are zero days or if there are active threats out in the wild. Essentially, you don't need to jump into different admin consoles. You have everything built into Windows Defender Security Center, which we find really useful.

If you consider our organization, we are a fairly Mac-heavy organization. At the moment, around 80% of our fleet are Mac OSs. We made a conscious decision to roll out Defender for Endpoint against all our endpoints, whether it is Windows or Mac OS. However, one thing that we have noticed is that there is definitely no parity on the platform between the two operating systems. When you are configuring, deploying, and onboarding machines, you can get very granular with your security configuration when you are deploying it to a Windows's endpoint. For Mac OS, it is a lot more straightforward. You don't have the ability to apply as much configuration as you would on Windows. That is definitely something that has room for improvement. 

I am also not sure how well the EDR functionality works on the Mac OS platform. It just provides an antivirus and the full EDR capability is not there on a Mac OS. 

The web filtering needs a little bit of work. We are actually in the market at the moment for a third-party web filter or cloud secure web gateway to try and plug that hole since it is a bit of a pain point for us. I don't think we will use the baked in version from Defender for Endpoint.

On the Mac OS platform, there is no parity between Windows and Mac OS. The solution is very feature-rich and very well-integrated into Windows, and I guess baked into Windows 10 and Windows 11. Whereas, on the Mac OS platform, there is still some work there to give it a more feature-reach platform.

I have been using it for about a year.

With Windows, we have been very happy. We have had no issues or problems whatsoever. We had one issue on the Mac OS platform when an update to Mac OS was deployed. It wasn't a major update, like Monterey. It was a point update. So I think it might have been 12.2.1 where the Defender icon was starting to display across, which means I found a threat or it's not working properly. We had that across a handful of machines. I did a bunch of Google searches and sort of realized this was happening to a lot of other organizations, so it was probably a false positive.

I contacted Microsoft support who confirmed that it was just a visual glitch. I guess Apple is well-known for this. When they do push out their updates, they attempt to break the occasional third-party system. That was the only issue that we have encountered, which was more a visual glitch than an actual threat.

It is pretty much zero-touch because the definitions sort of update themselves. The application updates itself because it is deployed through Microsoft Intune. Therefore, the maintenance is pretty straightforward.

It is very scalable. Because it is cloud-based, it is elastic in its nature. You can onboard machines en masse. Whether you are onboarding 15 machines or 1500 machines, it is very straightforward.

As we scale up, this is now our AV and EDR of choice. Every new machine will be rolled out or onboarded to Defender for Endpoint. We will be sticking with it in the long-term. We have also the logs and telemetry from Defender for Endpoint being ingested into our MDRC platform.

The technical support is very good. Wherever I have worked with them, we have always been enterprise customers. Whenever I have raised a ticket for support, you generally receive a phone call anywhere from 10 minutes to three hours after raising your ticket. Even if it is not a P1, but a P2 or P3 ticket or just a request for information that you have generated in the form of a ticket, they will respond back to you quickly.

They have good levels of escalation. So, if their first line support is unable to help, they can quickly escalate to the second or third line. I have never really had any problems with Microsoft support. That is across Defender for Endpoint and Microsoft Endpoint Manager as well as for the productivity throughout Office 365 and Azure Active Directory.

I would rate them as eight out of 10.

Positive

We currently have an MSP in place, which is a managed service provider, who manages all our IT support, service desk, and desktop support functions. They had already purchased an antivirus subscription for the organization when I joined the organization, and it was a fairly basic one. Our biggest problem was that it does not have any SIEM integration. 

When we decided to go down the route of having a SOC or MDR service, we couldn't ingest the logs from the antivirus platform into their SIEM. That is when the hunt started for a new AV service.

I wouldn't say the user impact has changed on top of the AV product that we had before.

The initial setup was very straightforward. Microsoft, as an organization, is quite well-incentivized to get you to use their own products. There are hoards of material out there via their social media channel, through their own documentation, or the Microsoft Learn platform. There are reams and reams of user guides for you to go through, all of which are fairly straightforward. They are regularly updated as well.

It is all cloud-delivered so there isn't any on-premise infrastructure that I need to maintain, patch, or configure. It is literally all configured in the cloud. So, it was a very easy setup process for me.

It took days to get a proof of concept together on a handful of machines. Over the next few weeks, once we got the go ahead and thought, "You know what? We are going to go with this." It was just a matter of weeks and that was more down to team availability. We needed to sit down and offboard the existing AV, which we weren't particularly happy with, then onboard Defender for Endpoint. So, we tied that project with our MDM rollout. Therefore, while we were deploying our MDM solution and enrolling the device, we were onboarding the machine to Defender for Endpoint as well.

I actually set it all up myself. I am the only technical person at the organization. I have worked with Microsoft quite extensively in the past, and I have used their fast track consultancy services in other organizations that I have worked with as well. Therefore, I am quite confident and familiar with Microsoft technologies. 

We then signed up with an MDR supplier who does managed detection and response. Essentially, that is a team of cybersecurity experts who connect to our infrastructure and all the data telemetry from our endpoints feed up to their platform. If they see any threats, anomalies, or events, they will then jump in, reviewing and remediating as required.

We had a consultancy session with one of their Microsoft consultants around a month ago, where they reviewed the setup that I configured. They put in two or three recommendations to harden the setup a little bit more, but they were overall pretty happy with it. Thus, if I can do it, then it can't be that difficult.

There is less overhead in terms of having the system administrator or information security manager jumping around different systems and trying to actively keep a handle on our security posture across the organization. Instead, everything is right in front of me.

One of the first things that I did when I came onboard in the organization was scrapping our reseller agreement. I registered us as a not-for-profit with Microsoft, and we now get subsidized licensing at effectively half price. It just sort of makes sense for us. Now, we buy our licenses directly from Microsoft rather than our formal license reseller.

Even if you are not registered as a not-for-profit, the offering that they have is definitely worth consideration. This is in the sense that the E5 stack just gives you so many benefits. You get your entire productivity suite through Microsoft 365 apps. You get all your security and identity protection. You get the Defender for Endpoint and Defender for Identity. You get the cloud access security broker as well. You get Azure Active Directory Premium P2, which gives you so many good things that you can configure and deploy. You don't have to configure them on day one, but you have access to so many different tools that will protect your data, security, endpoints, and identities that you could build out a security strategy 18 months long, and slowly work your way through it, based on what you have available to you through your license.

You can purchase some add-ons, like Microsoft Threat Expert team. I have not read too much into that, but my understanding is that comes at an additional cost. Since we have a dedicated MDR and SOC sitting on top of our Defender for Endpoint, it is not something that applies to us anyway.

We are E5 customers. Essentially, we have the flagship license. We looked at a lot of different organizations and vendors for our antivirus needs. We spoke to the usual suspects: CrowdStrike, Sophos, and Darktrace. 

Because we also have a Gartner subscription, we reached out to our Gartner analyst, and said to them, "Look, we have the E5 license and know that Microsoft doesn't have the greatest reputation when it comes to their antivirus products, but we understand they have come on a lot over the last few years. This is the direction that we proceed. We want to deploy Microsoft Defender for Endpoint. We then want to layer an external managed detection response service on top of it that will essentially provide 24/7/365 monitoring for alerts and anomalies." Gartner advised us that it has improved to the point where they are now considered one of the leaders on their magic quadrant, so we should be absolutely fine with it. 

Originally, Microsoft wasn't in mind for us at all. We sort of had our heart set on CrowdStrike because we were really impressed with them. We got quite deep into advanced discussions with them and Darktrace as well.

The deciding factor for going with Microsoft was the budget. We were already paying for the E5 licensing. So, we were allowed to use Defender without any extra costs. We could just enable and configure it. We thought that we would use the budget left over to purchase a dedicated MDR service who would maintain an overall ability for all the endpoints to connect with it. We could also expand that to our Google Cloud Platform as well as our AWS and Azure Cloud environments. We could also extend that service onto our physical appliances, e.g., the logs from our on-premise firewalls, security appliances, and routers.

We felt that in terms of scaling up to get to the security posture that we needed, this might be a better solution for us. Whereas, CrowdStrike and Darktrace, at the time, were more focused on the endpoints. For example, if there was some suspicious behavior happening on our Azure Active Directory and our CEO's user account was under a brute-force attack, then CrowdStrike wouldn't necessarily pick up on such an attack because they are more focused on the endpoint rather than the cloud instances. Thus, we thought Microsoft gave us better coverage overall as well as the fact that we were already licensed for it.

It just made sense for us to go down that direction. We just felt we would have a more well-rounded approach if we went with Defender for Endpoint supported by the MDR service, who would then provide monitoring over all our cloud instances, endpoints, and on-premise infrastructure and appliances.

One of the main benefits is cost. Being an E5 subscriber, we are essentially already paying for Defender for Endpoint. However, it wasn't on our initial list of antivirus solutions when we were going out to market. We really felt that we were going to go for a managed service, such as CrowdStrike or Darktrace. When we decided to go for Defender for Endpoint, we created a cost savings. So, it was easier for us to prove the business case to our senior management.

A good antivirus is something that sort of happily sits in the background and just pretty much does its job until it is needed. It is just sitting there constantly watching and monitoring. Then, if it does need to intervene or remediate against the threat, that is when you know, "My antivirus is happily working." We haven't had many incidents to deal with. To be honest, we have had a couple of false positives. 

Definitely shortlist them in your list when you are out looking for a new vendor. What tends to happen with a lot of IT professionals is that they overlook the Microsoft offering because of the reputation that Microsoft Defender has had in the past, when it came to its consumer version. However, they have spent the last few years completely revamping their security stack. I think it offers a really well-rounded, holistic approach to cybersecurity now. They are definitely worth considering next to CrowdStrike, Sophos, and Darktrace.

A lot of organizations are probably like, "Oh, no, we don't want to get Microsoft. We don't want to get Defender. We want to get an established name," but I think Microsoft has put a lot of effort, budget, and development time into their security stack. It is a great suite. 

As their Azure platform grows, they leverage that to power and drive their Defender for Endpoint. A lot of the protections that they deploy are cloud-delivered platforms. So, they are picking up telemetry from millions of different signals and endpoints. They have so much data and can see trends really quickly.

I would rate them as eight out of 10.

It comes inbuilt with Windows Server and Windows 10, so we are using its latest version. It is deployed centrally on all the platforms, whether it is a virtual environment, a BYOD device, or an office device. It is deployed everywhere. 

All of our users are on Office 365. By default, every user is getting Office 365, and we are also incorporating this into data leak prevention. We have also enabled Azure Active Directory, so policies are deployed directly from our active directory. 

It has reduced admin overhead. Because it comes inbuilt with Windows, we don't have to deal with the complication of using a third-party solution. We stopped using Symantec Antivirus three years ago. Previously, we had to find a person who knew how to manage Symantec Antivirus. Now, we don't have that overhead. It is also less taxing on the admins because they don't need to license an extra software every year and then deploy and manage those licenses. Everything is seamlessly managed from a central application.

Our full backup is on OneDrive. We had deployed separate storage area networks to back up important data for off-site users, not on-site users. In the current scenario of work from home, users need to establish a VPN connection to run our backup system. When they are at home, we cannot back up their systems if they don't have good connectivity. We also can't tax their broadband connections. Incorporating OneDrive as a backup solution with Windows Defender and Windows 10 has helped us immensely. We were not prepared for having people working from home because we always worked from the office, and 100% office attendance was required, but due to the pandemic, people moved to their hometowns, and we could no longer manage those systems. It became a headache for us when people used to report that their Windows got corrupted. Because they were working from home and there is a big problem of electricity in India, if electricity is not there, the systems suddenly shut down, and the registry gets corrupted. All these things are difficult to handle when you're at a remote location and you don't have your eyes and hands on that particular location. In such times, Windows Defender became a very big helping hand in managing the recoveries of such systems. The backups managed from OneDrive were very helpful. It has saved hundreds of hours of restoring the system in case something goes wrong. There was an instance where a user opened a spam message, and a ransomware attack was done on that system. Because the backup is managed by OneDrive, within 17 hours, this user's whole laptop was recovered without physically working on that laptop. Because of slow connectivity, it took time, but we were able to recover. This is the best feature of having OneDrive backup on the fly and recovery on the fly. These 17 hours were peanuts as compared to the data that we were able to save. This is the best selling point of having OneDrive as a backup with Windows Defender and Office 365.

The best part is that it is built into Windows, whether it is a server base or a desktop base, which gives more control over the operating system. Because Defender, the operating system, and the Office solution are by Microsoft, everything is working like hand-in-glove. Its administrative overhead is less because a desktop user has already got some experience of how to handle a Microsoft Defender notification or administer it. While working on Windows 10, every now and then, users might have seen it popping up, and they know how to do certain things. So, it is not too taxing from an administration point of view where we have to tell users what to do. 

Centralizing policies and rolling everything out is done only from one console. We are able to provide restrictions based on what we want to filter, such as certain apps should not run and certain things should run. Because we are also into website development and code development, sometimes, users need to run certain software or their own build application, which is not possible to specify with an antivirus solution. With Defender, we can centrally deploy a policy where certain parts are excluded, and they can run their code in those particular parts. This is a very nice feature where we don't have to micromanage developers' PCs or exceptions.

Data leak prevention is something that our company requires, and it is incorporated in this solution. Because we are using Microsoft OneDrive, and it is easy to take the backup to OneDrive via Microsoft Defender.

It has helped in improving our security posture.

Its user interface (UI) can be improved. Currently, in the console, you have to dig down for certain things. They've got many different layers to get to things instead of having it all on the surface. You have to go three folds lower to get to specific functionality or click a particular option. It would be good if we can manage the console through menus and instead of three clicks, we can do things in one click. They need to change the UI and work on it in terms of a better user experience. For example, user management should be in one menu, license management should be in one menu, and backup management should be in one menu. Currently, if you click on a user, you will get some devices there, and some devices will be on the other menu. Its UI is complicated. In terms of functionality, everything is okay. We don't want anything to be changed in it.

We have been using this solution for three years.

It is highly stable. We don't even have to look into it to see if it has stopped working, or whether it is doing its job well or not. We have around 500 devices in our organization, and all devices do the regular login with the logs. It is immensely stable.

Its scalability is immense. There is no device, user, or policy limit. You install a device, and it is automatically configured because the policy is deployed from the centralized policy server or active directory.

We have around 500 devices in our organization, and all devices are using it. We have all kinds of devices such as laptops, desktops, notebooks, surface devices, etc. We also have in-house virtual servers on the AWS cloud and in-house physical servers. We also recommend enabling it for our client servers, and we configure policies for them.

Every person in our organization is using this solution. We have approximately 380 users. Its users include everyone from a new joiner to our management president. Last year, our strength was 260, and this year we have 380 users. We are growing, and by 2022, we should have more than 600 users. We are growing in a very good manner, and a group target is there. We are definitely going to grow.

We have been using Microsoft products since the commencement of Windows 95. We have rarely used their support because they make their products in a way that makes them easy to use. Sometimes, there are flaws and issues, and because we are also a Microsoft Partner, we get support on priority. They take a case at the level where they think it will be resolved, and if someone is not able to resolve it, it automatically gets escalated. 

We mostly use our in-house support. In the past 20 years, we have used their support twice. When I used their support last time around four to five years ago, they were really very helpful. They were good and very professional. I cannot comment on how their support is now with the current pandemic and people not working from the office. 

We were using Symantec Antivirus three years ago. When we were using Symantec Antivirus, users used to report that certain popups are there, and what should they do with them. They used to ask, "Is my system infected?" They used to panic on seeing those pop-ups. Most of them were unnecessary and would say that they need to have admin access or a particular software is trying to open a port. Because we are into development, it is a requirement of a developer to open certain ports and to make that application listen on certain ports. Such requirements were very difficult to configure in Symantec. It was difficult to make it understand that these ports are going to be used by developers, and they are going to be opened, and it is not a virus activity. Sometimes, the temporary folder of users used to get infected, and it used to give hundreds and hundreds of pop-ups. We didn't know how to close all those pop-ups in one go because they were not in a group. Imagine sitting and closing a hundred pop-ups. We had to click the Close button on each and every pop-up.

With Microsoft Defender, we can control notifications. We can tell which notifications should go to the users and which shouldn't go to the users and should be forwarded to the admin central console. In terms of user experience, users are happier with less annoyance of pop-ups that they used to get with Symantec Antivirus. They do not need to know each and everything that is going at the backend. Only the admins need to know certain things, and they should know them. With Microsoft Defender, users don't even get to know that they have an antivirus solution on their system because they never get any irritating pop-ups or notifications or slowness of the system. We configure everything from the backend, and we are managing their systems from one console, which is the biggest plus point of Microsoft Defender.

Its initial setup is very easy. It took us just a couple of hours to deploy it on remote devices.

Our implementation strategy was to deploy group policies and manage the DLP policies from the central console.

We did our own research, and because it was a lockdown, we had resources on our hands. We asked one of our system admins to look into the options and the policies that we need to deploy and what we need to do. He went over it for a month and trained the rest of the team. Within one and a half months, it was fully operational on each device, and my whole team was trained on it.

The whole job of its deployment was done by one person, and for maintenance, we have got a five-person team because we have 380 users across the clock and across the globe.

We have very much seen an ROI.

Licenses depend upon what you are looking for and what kind of security do you want to implement. There are costs in addition to the standard licensing fees.

When we used to buy Symantec, we used to spend on 100 licenses. We used to spend approximately $2,700 for those many licenses, and they came in packs. To add one more license, I had to buy a pack with a minimum of 10 licenses. I had to spend on nine extra licenses because I can't get a single license, whereas when we go for Microsoft, we can get as many licenses as we want.

If I have 100 users today, and tomorrow, I have 90 users, I can release my 10 licenses next month. With any other software vendor, you buy licenses for one year, and you have to stick with that. If today you have 100 licenses, and tomorrow, you have 50, you have already paid for one year's license. You can't go back and tell them that I don't require these 50 licenses because I have lost my 50 users, but with Microsoft Defender, licensing is on a monthly basis. It gives you both options. You can go yearly and save on it, or you can go monthly. You will, again, save on it. It is very fair everywhere.

My advice is, "Try it, and you will love it." If you go for any other product, you will have to manage everything separately, which becomes an overhead. You will have a separate console, separate licensing, and a separate vendor. You will also get a piece of software that is going to have a layer in between the operating system and your applications, whereas Defender incorporates itself onto the layer where the operating system is sitting. So, you don't tax your resources to manage a product that is already incorporated into all systems. Everybody knows how to use Windows and Defender, so the learning curve is also not there. It is very easy, and it offloads a lot of things such as tech requirements, separate licensing requirements, and separate vendor management. 

I am not advising you to go ahead and discard whatever you are using. You should implement it in a test environment and see what your requirements are because the requirements will definitely impact the licensing. If your requirements are met, and then compare the time required to manage Defender versus the current solution that you are using. You should compare how many hours are you putting in managing both solutions with a different skill set. Only after such evaluation, you should deploy it. 

The biggest lesson that I have learned from using this solution is to always keep it simple. Don't complicate.

I would rate Microsoft Defender Antivirus a nine out of 10. If they can make the UI more systematic, I can give it a 10 out of 10.

I'm a security coach with multiple clients. I provide security implementation, planning, and maintenance through Microsoft Defender. I use all the Defender products, including Defender for Identity, Defender for Office 365, and Defender for Cloud. 

It's easy to integrate the solutions. You only need to go into the settings and switch on the connectivity to all the Defender for Endpoint connectivity telemetry. Microsoft documentation is thorough, and it walks you through all the necessary steps.

We're multi-client and multi-cloud. We're working with multiple organizations and departments, so it's complex. We have domains and sub-domains that we must account for on the deployment side. We also use Defender for ATP, which is the Defender for domain controllers.

Defender for Endpoint helped to bridge the gap with remote workforce solutions because it protects managed and unmanaged devices. It's also easier to use because Defender for Endpoint is cloud-managed, so it stays maintained and updated. It has a leg up on competing solutions that require more system resources and maintenance. 

The tight integration with Microsoft operating systems is another advantage because it's easier to manage. It also goes beyond Windows OS. Defender for Endpoint supports other platforms and operating systems, such as Linux, iOS, and Android. I like that Microsoft is expanding the product's scope beyond Microsoft operating systems. Microsoft is developing a holistic approach, so you don't need a third-party product to protect these other non-Microsoft platforms.

Defender helps us to prioritize threats across the enterprise. The weighted priorities are based on all the MITRE security standards. Defender products work together to provide comprehensive protection. I agree with the placement of Defender Products on Gartner's Magic Quadrant. Defender is a leader in that area of threat protection. I'm pleased with the outcome of a lot of the investigations. I can protect and harden areas that didn't usually didn't have that level of visibility and granularity. 

Defender integrates with Sentinel, enabling me to ingest data from my entire ecosystem. Sentinel also covers non-Microsoft products with the third-party connectors that are provided. I enjoy that part of the Sentinel functionality and feature set. It has several features for aggregating the log data and analytics for the on-premises environment. Having that visibility is crucial.

Sentinel provides the SIEM and the SOAR capabilities, offering a single pane of glass for all of the security operations centers and providing on-site reliability for many of my clients. Sentinel is Microsoft's answer to competing tools such as Splunk and other log application tools. Sentinel seems to provide more added value from the ease of use and visibility. The licensing is also competitive.

You can set up Sentinel to forward alerts if you want to create a managed Cloud environment solution for Sentinel for a client. There's a way to set that up through Azure Front Door. You're seeing the data reporting and single pane of glass for other tenants and customers. It enables you to offer security as a service to maintain visibility for clients.

I like that it considers the status of a device (whether the device is online or offline, VPN or not, etc.) and provides several options for telemetry, depending on where and how the device is being used. It gives a lot of flexibility with the installations, maintenance, and management of the Endpoint solution. In addition to Defender for Endpoint's feature set, other parts of device management reduce the attack surface and protect those devices.

Defender's automation features have been a significant advantage with many of my clients because the remediation has been automated. Most of the time, it doesn't require any human intervention unless there's something that hasn't been set up. I must demonstrate the automated investigation and remediation to my clients to ensure their environment is automatically protected on weekends and after business hours.

The single pane of glass is vital to us as security consultants and our clients, who need a high level of visibility. You can go into the high-level executive dashboard view and drill into each telemetry graphic to provide you with more granular data. I see how easy it is to see the big picture and effortlessly drill into the details using the side navigation menus and more.

Consolidating things into one dashboard streamlined them significantly. When working with multiple tools and vendors, you typically have to stitch the reporting together to get an overarching view of everything. It's time-consuming. By the time some of these tasks are accomplished, the data starts to get stale, so you need to refresh and create an all-new view again. Having real-time capability in a single pane of glass is essential.

Defender Threat Intelligence helps us develop a forward-looking approach to threats and plans. That's one aspect of the product I find incredibly helpful. It will highlight things that may require intervention, such as turning on conditional access rules or setting up some geofencing for anything that looks like it could be a password spray attack from a known location that we can block. 

There are opportunities to turn off any legacy protocols that may be in use. That's been a common thread with some of my clients who still use legacy protocols for sign-in and authorizations. The ability to do that has been a considerable help proactively.

You don't know what you don't know until you know. The continual flow of real-time data and analytics from Defender products helps create a security roadmap and harden many areas. With improved visibility, we can build a better roadmap to harden those areas by prioritizing and doing things methodically. Previously, we were guessing what to do next or what would be most important based on an educated guess. Now, we have data to guide our security decisions.

Microsoft Defender has saved us hours and hours. It has probably paid for itself many times over. I would agree that it has saved a lot of time and money. I estimate it probably saved us the equivalent of two people working full-time. You typically have at least one person overseeing on-premise resources and another dedicated to cloud resources.

In my opinion, the most valuable aspects are the reporting analytics and integration with Sentinel. Defender does an excellent job of correlating the different entities that comprise threat analysis, analytics data, and log analytics. It helps to piece together investigations into any exploit or malicious activity within a specific tenant. AI and analytics tools are probably the most valuable components.

The bidirectional sync capabilities and off-app sanctioning of the SaaS applications are helpful. The identity security posture feature set provides investigation recommendations for risky users. The heat map for locations is also handy. Defender integrates with the AIP DLP for data governance and protection. I use all of that.

There's a need to have augmented workforce capability. You need to see the data streams for client work augmentation for the security operation center and act on the information. Having data in near real-time is essential to my organization and the work we do for our clients. The built-in SOAR, UEBA, and threat detection features are comprehensive.

It always helps to have onboarding wizards. Microsoft has done a lot of work in that area. I would like to see some more refinement in the wizards to allow more diverse use cases and scenarios that help us deploy Defender globally. In particular, I would like to see more deployments considering localization barriers and networks or devices common in various regions. 

Localization is always a challenge, especially with new products you typically want. Solutions are designed to be deployed where the most licenses are being consumed, such as in the United States. They focus on US products, devices, and networks. Specialized deployments for other countries would allow for a smoother experience in transition.

I have been using Microsoft Defender for about two and a half years.

It's pretty stable. I haven't had any reliability concerns with Defender, and there have not been too many complaints from users that have to have extensive reboots or any kind of performance impact. So I would say it's pretty stable.

Scalability is built into the product. It's a cloud-managed solution, so it's capable of scaling pretty quickly as needed. You don't have to unlock another key or do something else to scale the product. It's scalable by design.

I rate Microsoft support a seven out of ten. We've opened a few Microsoft tickets. For example, we've seen some discrepancies between Defender for Exchange Online and the reporting from Sentinel. We raised tickets to determine why Sentinel's logging data doesn't match what we see in Exchange Online.

It can be slow and tedious sometimes. Microsoft has different support level agreements. If you want prompter and higher-quality support, you typically need to pay for an Ultimate Support contract. If we compare that with other companies or organizations, Microsoft is probably on par with everyone else. You don't get a higher level of support unless you pay for it.

Neutral

I've worked with all the major antivirus and endpoint protection vendors, including Splunk, CrowdStrike, Sophos, Norton, and McAfee. Microsoft's advantage is its integration with the operating system, ease of deployment, and support for the 365 Cloud experience. It makes everything easier to deploy, maintain and manage. It comes down to cost and integration. We realize cost savings because it's integrated into the E5 licensing product.

The setup is straightforward and mostly automated. You only have to intervene when you experience errors. Those typically happen on non-US systems or in other countries. For the most part, it's effortless to deploy.

We try to use the auto-onboarding capabilities that come with Autopilot. If you have new systems deployed with Windows Autopilot onboarding capability, that's going to turn Defender on with the proper policies and security parameters. 

One person is enough to deploy Defender if you have a plan and proper communication. You notify everyone that the deployment is happening and push the button. You need to let everyone know if reboots are required and the like. Other than that, it's pretty much a one-person deployment job.

In terms of maintenance, Defender is probably somewhere in the middle. Microsoft maintains a lot of automated updates. There are feature sets that come into play with things that are put in preview and you may want to see if it's something you want to turn on and try out while it's in preview. Those are the only areas that require some discussion and intervention. Most of the maintenance is automated. At the same time, you also need to be trained and aware of the updates and feature sets as they mature. You must stay on top of changes to the UI, reporting, etc.  

If you look at what we pay on average and all the potential ransomware and malware threats we've averted, we've definitely saved tens of thousands of dollars, depending on the client. Some of the bigger clients have saved millions of dollars of potential ransomware payouts because Defender products helped protect those areas of attack. 

The cost is competitive and reasonable because most of the expense is log analytics, storage, and data consumption and ingestion. They can be throttled and controlled, so they are highly flexible. Defender has a lot of advantages over competing products.

From a licensing aspect, you're not just getting a security product. You're getting a lot of other capabilities that go beyond the Defender products. You get an E5 or E3 license and some form of Defender for Endpoint included with all the other security features of the other Defender products. 

It didn't take too long to decide on Microsoft because of the integration and simplicity. CrowdStrike is probably the closest competitor.

I rate Microsoft Defender for Endpoint a nine out of ten. Defender is one of the best I've seen, and I'm not saying that as a Microsoft reseller. We use Defender and have gotten our Microsoft certifications to provide a high level of service for our clients. It's crucial to have a product we stand behind and believe in wholeheartedly. We're not getting kickbacks from Microsoft for saying or doing any of that. We use it because it works. 

I would say there's a trade-off. Once you start adding complexity to security, you're going against best practices that say simpler is better. Adding another vendor or a level of complexity is usually unnecessary. Unless there's something Microsoft completely missed, I would question the value of going to another vendor. 

Communication and planning are most important. Any time you change products or deploy something for the first time, you should test it first in a smaller use-case scenario. That will help you identify any issues with your network, firewall, or legacy applications that may be falsely identified as a threat. It's always best to test your use case scenarios in a proof of concept before you deploy it.

Microsoft Defender that you get by default on Windows is an unmanaged solution. It detects, but it is conventional EDR in the sense that it can detect malicious code on the machine, but it is not good from an enterprise point of view because you can't see what is being detected. The difference between Defender and Defender ATP is that you get what's called the execution chain, which is its classic use case. 

When I try to open an attachment to an email, Defender tells me that this is malicious, but when you are in an enterprise and you do receive an alert that the file is malicious, the problem usually for the analyst is that they don't know what the person clicked on. They know there was a malicious file but was it an attachment? Was it something on the USB stick? Did they download it from the internet? That's not clear. Defender ATP gives you the execution chain. In this particular example, you can see that it was outlook.exe that launched the suspicious file which then launched or tried to download various components. You can see the whole execution tree because very often, the initial thing you get is a dropper, which then downloads subsequent components, and very often, the subsequent components get missed.

It essentially gives you visibility into the execution chain. So, you are better able to do a risk assessment. For instance, if something came from Outlook, then you know that you need to go and look in exchange or look in the mail system. If the trigger came from winword.exe, then you know that it was a document, and the person had opened a document from the email. You might see Internet Explorer, when it was still there, spawn PowerShell or a command shell, which is unusual, or you might see calc.exe open a command shell. All of this detection is invaluable for identifying whether something is suspicious or not. Your EDR might not detect any of this, but ATP would see this suspicious sequence of opening and flag it. So, essentially it is the visibility and the ability to detect unusual behavior that conventional EDR would not necessarily do for you.

Its version is usually up to date. It is a cloud solution. 

Its visibility is the most useful part of it, and it also increases the effectiveness of your response. You spend less time asking the users the standard question of what did they click on. To which, they usually say that they didn't click on anything. You can go in ATP, and you can see that they opened an email and then clicked on a link, and the link is this. There is no hiding this. Users do lie.

You can detect threats that are not necessarily known because of a behavior. If you have Internet Explorer opening a command shell, that is not normal. That does not happen unless there is some kind of malicious activity. It is also very good for visibility into what PowerShell scripts do. PowerShell is a double-edged sword. It is very powerful, but in a lot of cases, there is no visibility on what it is doing. With ATP, we generally have that ability.

I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible.

The other feature that I like in Defender is that because it is up in the cloud, when you're trying to do any kind of managed service, it is fairly easy to set up if you're just within one tenant, but there are a lot of things wrong with the way Microsoft does it as compared to other products like Palo Alto Cortex, SentinelOne, or CrowdStrike.

The catch with ATP is you have to have the right Microsoft license. The licensing of ATP is linked to the licensing of Office 365. You have to have an E3 or an E5 license. If you have a small office license, it is not possible for you.

Another challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy. So, the licensing and the privacy aspect makes it problematic in some situations.

It is also very complicated. If you decide to outsource your monitoring through an MSSP, the model for allowing the MSSP to connect to your Defender cloud is very complicated. In Office 365, it is relatively simple, but because of the way it has been done in Defender—because Defender is not part of the same cloud—it is a mess. It is possible, and it is workable, but it is probably one of the most complicated integrations we do.

It is still clunky as compared to products like Cisco AMP, SentinelOne, and CrowdStrike. Microsoft took the Defender product, and they bolted on the extra features, but you can see that there are different development teams working on it. Some features are well integrated, and some features are not. They keep on improving it, and it is better than it was. It is better than an unmanaged solution, but it is far from perfect.

I have been using it for about two years. I've got a couple of customers today with it.

Its stability is lesser than some of the competition. I've seen machines having a blue screen. I've seen machines block, but it is usually a problem related to the lack of resources. I wouldn't deploy it on a machine with less than 16 gigs of memory. All the issues that we had on the laptops were essentially related to memory because it does all the analysis in memory, and it eats a lot of memory to do that. So, stability is more a function of making sure that your endpoint farm has what's available. If you've got less than 16 gigs, I would not recommend it. You need to either change your endpoints or consider using another solution because although it'll work, it can be very slow.

It is like Microsoft Office. Its scalability is good, but I don't know how manageable it would be on a big scale. The biggest deployment I've worked on was about 5,000 endpoints, and it seemed to be okay.

It is Microsoft support. It can be very good, and it can be very bad. It depends on who you get on the phone. I would rate them a five out of ten.

Neutral

It is very simple. You can deploy it through the normal tools that you use, such as SCCM. The deployment for it is linked back to your tenant. 

We use it as a headless install. It is pushed out onto all the machines. Our normal rollout process rolls out about 50 to 100 machines in no time. They can pull the agents from the internet, or they can pull the agents internally, deploy them, and turn them on. For an antivirus, it is quite quick.

In terms of maintenance, it is pretty much like other Microsoft solutions. If you are able to do the auto-update functions, that's good. The downside to it is that it is fairly heavy on network traffic. On one of the large deployments, we found we had problems with the internet gateway because the console and all the telemetry and everything else is in the cloud. It was problematic.

It runs in the background. It is like any other antivirus solution. Sometimes, it needs tuning. An example would be that we have developers who do a lot of source code compiling. They might have tens of thousands of files that get touched or accessed when they do a compile. We have to make sure that those particular file types and certain directories are not scanned on read when they're opened. Otherwise, what normally might take an hour to compile can take more than 12 hours. That's not a problem specific to Defender. It is a problem in general, but it is fairly easy to create profiles to say that for those particular groups of machines or those particular groups of users, these file directories are exceptions to the scanning.

The licensing fee is a function of your Office 365 license. The feature set you get is a function of the license as well. There is probably an E2 version, an E3 version, and an E5 version. There are several versions, and not all features are the same. So, you might want to check what features you're expecting because you might get shocked. If you only have an E3 license, the capability isn't the same.

You have to look at the total cost of ownership (TCO) because the license component is only one aspect of the block. So, if your internal IT teams know well about IBM cloud solutions, then Defender is very easy because there is nothing new. What hurts the projects is integration. It is a hidden cost because it is beyond licensing. It can be problematic if you don't have some of the other integration tools from Microsoft. So, if you don't have the package deployment platforms and all the cloud equivalents, then there is a lot of manual work involved.

The other aspect that comes into the cost is that there is an option to store. You can make the agents report a lot more information, but if you increase the storage, then you increase your Azure storage costs, which can be painfully expensive. You typically have about 7 to 30 days of basic detection data included, but if you want to keep a more detailed log so that your IT guys can go back and figure out what was going on, it would increase your storage requirements, and that can get expensive. I know customers who turned on some of the features to increase the detection rate, and they got a huge bill from Microsoft.

A weakness, as well as an advantage, of Defender is that it is always on the cloud. There is no on-prem. You deploy additional agents into the customer infrastructure, but the console and the feedback are through the cloud.

Customers often say that Microsoft has included it in their license. So, it is license-cost neutral, but just because it is included in the license and appears to be cheap, it isn't necessarily a good reason for doing it. It isn't equivalent to other EDR or XDR solutions, but to an extent, you get what you pay for. ATP is a work in progress. To me, it is not a complete product.

Customers also go for it because it gives them visibility, and it means it is one less system to manage. They have the license for it, and they just want everything in the same ecosystem. There isn't much that we can do about that. As an MSSP, we're agnostic from a technology point of view. If the customer says, "This is what we want to do," we'll take it over.

I would advise asking yourself:

• What do your endpoints consist of?
• Which operating systems, such as Windows, Linux, iOS, or Android, will you have to support? The functionality that you get depends on your license.
• What is it that you're trying to achieve by taking Defender? 
• Are there more capable XDR-type solutions out there? 

If I was comparing them, from most effective to least effective or least integrated, I would put SentinelOne, Palo Alto Cortex, Cybereason, Microsoft Defender, and Cisco AMP.

If you want to get into the advantages of XDR solutions, which is about the detection capability coupled with artificial intelligence (AI) and data leaking, then it may not be the solution that you want. If you also want to be able to do threat intelligence, it is not the solution for you. That's because essentially the threat intelligence features are not there. You can get some threat intelligence from Azure, Microsoft Sentinel, etc, but it is not in the product like with Palo Alto Cortex, SentinelOne, or Cybereason.

I'd give it a cautious six out of ten.

Initially, I was running a different endpoint security program but it did not have a dashboard that met my needs. It would only do on-premises. If laptops, desktops, or VDIs were remote, such as people working from home or in a different office, my VDIs—which are really just on-premises but they're in a separate subnet in VMware, Windows 10, Windows 7, Windows 11, 2008, all the way up to 2022—I could only get the servers that were on-prem. That solution had a management console but there was no integrated console within Microsoft so that I could cover all bases. I deployed Defender for Endpoint and now I'm able to see them in there. For some, I've still got the old AMP on them, but Defender will run in passive mode and let AMP run and report to its own console.

The reason I don't want to run AMP, primarily, is that it's a resource hog. Defender for Endpoint integrates it and automatically comes with the Windows operating system or Windows Server Desktop. Plus I can use Defender for IoT and see, on my network—which is a home lab company—my routers, my switches, and, believe it or not, my televisions and refrigerators; the IoT devices that I might have on my network. And that integrates into Defender for Endpoint.

And with Sentinel, I'm hoping to pull that into logs that I have for my cloud-based and on-premises-based servers so I have one pane of glass that will alert me if something is going on. It will correlate those logs from Defender on every endpoint and put them into one incident if there are alerts to be had.

It probably could help me prepare for potential threats before they hit. The nice thing about it is that it has filtering. I can filter on different logs and say, "I'm looking for this user and every place he ever logged into. I can filter on his name and the scope of the machines I'm looking at. If there's a bad actor, a different version of software, I can pull that up. It has simple filtering and advanced filters, which really help out a lot. It does speed things up.

I rely a lot on Defender for Endpoint to find a lot of stuff for me. With Microsoft knowing about a threat in the wild, something that hasn't hit me yet but it's out there and I'm vulnerable to it, it will detect those vulnerable systems for me. I rely on that to patch or update that operating system.

When you install an OS, it could be a year old, it could be brand-new, or it could be five years old and it's not patched and updated. Sometimes there are apps on it, from Google or Adobe for example. This will tell me that my Adobe Acrobat has so many vulnerabilities and that I need to bring it up to this date because I've got 13 vulnerabilities that could be hacked. I rely on it quite a bit to pull those notices together and alert me on what needs to be updated. I don't have to actually hunt for a lot of it. It does the hunting for me automatically.

The features I found to be most valuable in Defender for Endpoint are its alerting, policies, and threat-hunting.

For threat-hunting, I'll put some threats in a test scenario. I've downloaded known viruses that are out in the public for testing. They're not really a virus but they've got a signature. Defender for Endpoint will automatically find those, quarantine them for me, and alert me to what it did. It gives me "automated eyes."

A lot of it is hands-off. It just deploys and it updates by itself. With other applications, like McAfee or AMP, I'll have to download a new version and make sure that the signatures were applied. With Defender, one of the things I like is that it has automatic updates.

And Defender has other integrations with Microsoft that are of benefit. It will tell me that certificates are out of date for my certificate server; I've deployed certificates to my laptops or VDIs or servers or switches. There's an automation routine that I can kick in using KQL—Kustom Query Language—so that it automatically remediates the issues that it finds.

And the visibility into threats that Defender for Endpoint provides is fantastic. Since it is a Microsoft product, and they have it deployed worldwide, they pull over a couple of trillion data points a day from other companies and countries. They've got teams of security analysts or researchers who are constantly updating these and they feed me that information. I'll know about a threat that might be down the road or I might be susceptible to, something that I could patch. It tells me if there is a known fix or if there isn't, in which case I might have to go in a different direction. It's the might behind Microsoft. It pulls in all that information so everybody else can see it.

In addition, with the data connectors for Azure or containers or even M365, threats are automatically classified as high, medium, low, or informational. If they're not classified, I can classify them myself or set a priority on them as to whether they need to be looked at right away, whether they're active or in process or resolved.

Microsoft security products provide a little more comprehensive protection than some of the other offerings. One great thing about it is that it's part of the operating system and it's already turned on when you deploy the OS.

But if you do have a third party, like AMP or McAfee for example, Defender will run in passive mode. That means it's not constantly doing a scan, virus check, or malware check. Still, if you open an email, write a document, or load a USB key to copy files, it would scan in all those situations. But in passive mode, it scans once a day, I believe. It does a device discovery and it will tell you, "We found this software, we found these documents, you did have malware or a virus and it has been quarantined." And that's in passive mode.

If you put it in active mode, without the third-party virus and malware checkers, Defender for Endpoint will give you a software inventory and a timeline of every key that was clicked in case you had a bad actor that infiltrated your network or your machine. If an employee went to a rogue support site and downloaded some software, and let somebody in, it would alert me through UEBA: "There is unique behavior that we don't normally see from this person. They don't normally access this site. The alert would tell me which site had been accessed and that software had been downloaded. It would tell me the time it was installed and what it did—every keystroke. That's with Defender for Endpoint being active.

In active mode, it's great that it gives you so much information, but it does record every keystroke so you have a lot of logs. For my home business, I had to turn off quite a bit because the data that it does gather is every event and activity that happens on a server or laptop. For my little testing scenario, it was overwhelming.

I know what I have on my machines so that amount of data logging started to add up in the cost. That's the only downside to Sentinel and Defender that I can see so far: You have to log and store that data somewhere, and it normally stores it in the cloud, unless you have an on-premises SIEM that you can download those logs into directly and store things on your own hard drives.

I had a $200 credit with Microsoft Azure and I didn't pay attention to it and it ate up $179 of that credit in the first two days because I had Defender for Endpoint check DNS to make sure that I wasn't getting spoofed or targeted.

You have to keep an eye on the Sentinel and Defender for Endpoint storage.

I have been using Defender for Endpoint since about November, so about three months.

It's pretty stable.

With a browser or web-based system, it might confuse things, saying, "You don't have access," because you should have logged in with your admin credentials but you logged in with your standard user credentials because you are on the same desktop.

For my home business I just have basic support. I submit a ticket and they get back to me in a couple of days.

Positive

My company isn't off the ground yet, it's basically going to be a family medical practice run by my wife and me. I'm an IT guy and she's a nurse practitioner and, eventually, she wants to work for herself. I'm doing the background and since I do use it for my regular job, I'm doing this on my own labs as well with trial software or things I've bought subscriptions for. I've bought Microsoft E5 so a lot of it is out-of-pocket and on a shoestring budget.

The nice thing about Defender and Sentinel is that the cost is based on the data logs that you ingest from the Defender endpoints and data connectors. I don't have to buy a 25- or 50- or 1,000-user or enterprise license. I can buy one license at a time. For small mom-and-pop shops, that's very important. A lot of startups don't have that kind of budget for enterprise-wide scalability, especially when they don't have many devices in the first place.

Defender for IoT is an add-on to Defender for Endpoint. It's there, but you have to onboard it. I don't really have enough devices, other than my home base, but in a regular business it would find all the switches, routers, security cameras, monitors, printers, modems, and anything else you have attached. With Defender for Endpoint, you need to have an operating system—Linux, Windows, et cetera—to deploy it.

A refrigerator or a camera or a security device doesn't really have a Windows-based operating system on which to deploy the agent. So IoT, within Defender, will scan those devices, find them, and let you know that it found them. It does that out-of-the-box with Defender for Endpoint. If you want to see the actual operating system of IoT devices and get alerts that something is out of date or has vulnerabilities, you have to get a subscription to IoT, which I hope to do.

There's a lot to learn when it comes to using Defender for Endpoint to automate routine tasks and find high-value alerts. KQL is a structured query language for hunting. If I have data ingestion from M365 logs, Defender for Containers, Defender for Storage, and AWS, Defender for Endpoint or Sentinel will allow me to hook up connectors to pull all of those logs into a "master database" with different tables that contain those logs. There are routines that are already written that say, "If you're looking for this type of an event that started with this application that went to a SQL server that was stored on this server that was accessed from a laptop where the guy went through a browser and went to this particular rogue network," and they access all those tables in that master database.

KQL allows me to tap into each of those different tables and correlate like events or like data, and pull it all into an alert or a threat hunt. It's something to master. It's sort of like regular SQL, but there are a lot of tables and schemas and you have to know what the tables and headers and columns and fields are, and then the syntax. It does threat-hunting really well with the canned queries that it has. But if you're looking for something in particular, you need to learn KQL. A SQL Server database admin would know SQL and how to pull data out of tables and do joins, commits, and transaction rollbacks. KQL is on that same level where you have to be an expert in KQL to actually pull all that stuff together. It's quite the learning curve, but there are courses out there that teach you.

I've been doing systems administration and engineering server admin things for quite some time, a couple of decades since Windows came out, and a little bit before that. But jumping over into the security space for my home business, and putting all these things together with Defender and Sentinel, has been a learning curve. It has slowed me down a little bit. A while back, security was always an issue for security teams. Now that I'm working on my own company, I'm a one-man show. But at the same time, I know there are a lot of bad actors out there.

I offer a Security Operation Center (SOC), which is like a person standing and going through the metal detector at the airport. We're like the staff standing there and watching people and then having them send stuff through the conveyor. It is real-time detection and response.

I don't use Microsoft Defender that much. If I come across a client who doesn't want to spend on a different endpoint solution, I just have them use Microsoft Defender that is built into their devices.

The ransomware and some of the other features that are built into it give you more telemetry now. From the security side, I don't look at what an endpoint solution does. I look at what it gives me. I need data. I don't want something to just say, "Oh, I stopped it." That's good, but I need to be able to figure out what did it stop. Was it a good thing or a bad thing that it stopped, and what is it doing. I need to be able to break that down and go deeper into that analysis to figure out what is being stopped. Microsoft Defender is doing that now and is giving more telemetry. It doesn't give nearly as much as Bitdefender does, but it is pretty good.

It is built into Windows 10. So, I don't really have to go out and get an extra or a separate endpoint security solution. It stands on its own. I have some clients who are using Microsoft Defender, and it is perfectly fine because my SOC can actually get the telemetry from Microsoft Defender and use that as well. Microsoft Defender does have the telemetry information, and I can get some of that out of it for my SOC. I can use what's built into it to stop and do more of a response layer. I can use Microsoft Defender to stop something right there.

I like the fact that it has the ransomware solution in there. I'm glad that the ransomware solution is built into it. That's probably the biggest thing that I see in Microsoft Defender.

It is useful when a client does not want to spend extra on getting a new endpoint solution or does not want to get something else installed on their devices.

The biggest thing that I would emphasize to Microsoft is that if they are confident in their solution, they should brag more about it. In other words, they should put more stuff out there to prove that they're just as good as the others. The biggest thing is that people still don't believe in it. When it comes to the IT world, they still don't believe in Microsoft Defender. It has been there for a while, and I know that I used to not trust it because it was free and I didn't know what it was doing and if I could trust it. If you go to comparison sites, you would hardly see it being compared to solutions like Norton, Bitdefender, Webroot, etc. Microsoft can do a better job of promoting it.

They should offer more telemetry or more information coming out of there for Syslog type of scenario so that a SOC could use the data that they have built into it. This would be useful.

It is not very scalable from the eyes of an MSP because there is no dashboard that you can use to see all of your devices that have Windows Defender unless you have your own dashboard or an RMM tool to actually look at it. So, you might not get to know that a particular computer of a client is doing something, and it might have got a virus. That person might know that, but unless you set it up to actually send you the information, you won't get to know that. That's one of the things that is hard with Microsoft Defender. It is not made for the MSP world where you have one pane of glass to see all of your clients with Microsoft Defender on it unless your RMM tool already has that built-in and it can see the telemetry from Microsoft Defender. 

I have been using it off and on for some time.

Its stability is fine. It is a built-in and legacy solution. It can stand up to any other endpoint security solution. 

It is not very scalable from the eyes of an MSP. There is no dashboard that you can use to see all of your devices that have Windows Defender unless you have your own dashboard or an RMM tool to actually look at it. Because it doesn't give you one pane of glass to look at everything, you have to have an RMM tool that can actually see the data coming from Microsoft Defender. If you don't have an RMM tool, you would need one, and that would be an extra cost.

I don't really use an RMM tool. We have a SOC, and I don't really deal with individual computers themselves. In the past, I have used RMM tools, and some of them do well with looking at Microsoft Defender, but my SOC has a really good dashboard that I can use to see what's going on with Microsoft Defender. I can actually control stuff on Microsoft Defender from my SOC.

I have not used their support for Microsoft Defender. Generally, their support is fine. They've definitely improved and gotten better.

I don't use Microsoft Defender that much. It is built into Windows 10, and if you put the antivirus or endpoint security on, it kind of turns itself off automatically. I've been using Bitdefender lately. I used to use Panda Security, but now I use Bitdefender.

I recommend it for clients who don't want to spend on a different endpoint solution, but I don't put all my eggs in one basket. I don't say that a particular antivirus or endpoint security solution is 10 times better than the other one. I just don't look at things that way because I know the process and what hackers actually go through to get past all of them. So, none of them are that much better. The only thing I tell others is to not use the free ones, but to that defense, they all have a level of reachability.

When it comes to performance, Microsoft Defender is much faster because it really doesn't look at all of the things that are Microsoft-focused. It has a better understanding of what Microsoft has made, whereas other solutions are going to look at anything as a potential threat. It is definitely a better option because it knows Windows. You install another antivirus on Windows, it has to try to figure out the software. Microsoft already knows how Word, OneNote, or their other solutions work. So, Microsoft Defender doesn't need to scan specific things, whereas Bitdefender or another solution doesn't know that, and it is going to scan everything, which can slow your system down. 

I offer a SOC, and we do real-time detection and response. I don't put all my eggs in one basket when it comes to endpoint security. I believe endpoint security needs to be there because it is a layer of security, but it is not everything. The reason I use Bitdefender is that it has more telemetry and more information coming out of it to put into my SOC than Microsoft Defender, which doesn't have as much telemetry coming out of it.

For telemetry or forensics, Microsoft Defender doesn't give you reports. It just does what it does. Microsoft Defender will give you information, but you got to go to the individual device. I can't pull much telemetry information into a SOC. So, if you want to see from where the hacker or the hacking software came in, how it got there, and how it moved unilaterally across the system or network, you may not get all of that with Microsoft Defender, but with the telemetry data that comes out of Bitdefender, you will get more of such information and you can follow its path.

It just comes on a device when you buy it. When you buy a laptop, it is built into Windows 10. They have Windows Security, and there are separate pieces of it. When you look into some of it, it is called Defender. They also have a standalone Windows Defender.

It is a full endpoint security solution, and they have a firewall in there. You can go in there and set different things up for your firewall. When it comes to security, not everything is turned on. You actually have to go in and turn the ransomware part on. There are things about ransomware that you got to turn on, and they really depend on what you need in your practice or business. You have to make sure you go in there and look at it. You can't just set it and forget it. It does come automatically, but you got to go in there and set things up because they know that some things can stop certain aspects of your business from running. So, they don't want to turn everything on. They leave it up to you.

The configuration of those extra parts can get complex, but I do believe it is pretty straightforward. It involves more yes or no type of questions. It is just flipping a switch on each individual part that you want to use. It is just like everything else. You have to test and see if it is going to work in your environment.

In terms of maintenance, all the updates come with Microsoft. Every time they update Windows 10, they also update Microsoft Defender. It is pretty simple.

It doesn't really affect my business because the cost goes out to my client either way. If they have 200 devices and they are charged $2 per endpoint for each one of them, that's an extra $400 a month. If they are just using Microsoft Defender built into their systems, that cost goes away for them. My clients are definitely saving money with Microsoft Defender.

It doesn't affect my business because I'm looking at telemetry regardless of the solution. So, it doesn't matter if it is coming from Microsoft Defender or Bitdefender.

It is built into Windows 10. If our clients are using Microsoft Defender, the cost goes away for them.

It is just like anything. You should definitely do your homework and see if it is going to give you the information that you need. You should focus on forensics and the kind of information you are going to get out of Microsoft Defender. Will you get the reporting that you need? Will you get the telemetry and all the data that you need to be able to follow the path of an attack? You need to be able to see that. You need to know this information for your clients because they may need it for the FBI or something else. So, you need as much information as you can. You need to make sure that that you're going to get the information out of there and you have the right setup to be able to see everything with all of your clients. You should have an RMM tool or whatever you're using to be able to see all of your clients, and you need to make sure that you have the setup for that.

Microsoft Defender has been around for many years, and since Windows 10, they've really ramped it up, and it has gotten a lot better. I've seen some of the statistics on it, and it stands up against some of the other solutions out there, such as Norton. They've added things that make it more of an EDR, which is the endpoint detection and response layer. The ransomware was one of the big add-ons, and it is good that they've put that in there. It can stand on its own now.

It has not affected our organization's security posture a lot, but it has given me more options to lower costs for my clients. It has helped my clients and in turn, my business. It has not affected our end-user experience in a negative or a positive way. It is just a tool. I do the monitoring, stopping, blocking, and everything else for clients. 

It can be a good solution, and I hope that they grow with it and do more with it. They can make it simpler for the security and MSP world. If their solution just gets better for the MSP world, it would help everyone.

I would rate Microsoft Defender a seven out of 10 because of its lack of usability for an MSP and its lack of telemetry information, but it is useful, and it does stop ransomware.

In an enterprise setting, I use the product to protect workstations, and more recently servers, from all sorts of threats, including malware, viruses, trojans, etc.

Defender for Endpoint gives us greater visibility. Cybersecurity professionals always need that because what we don't see can get us into a lot of trouble. We also need visibility to be easily applied across platforms and with an improving ability to gather information from Linux or Mac-based end platforms. AWS and Google Cloud give better visibility, which we need from a security standpoint.

The other Microsoft security products we use are Defender for Cloud Apps, Defender for IoT, and Defender for Cloud.

The integration is pretty straightforward. It depends on a company's licensing and deployment team, and Microsoft makes it simple to integrate multiple solutions. It is easy to integrate into a test environment, though it depends on the infrastructure and networking team because they have to carry it out. Each company has different solutions; whether they are entirely cloud-based, on-prem, or hybrid, there's a lot of flexibility. Depending on the package, Microsoft is usually very helpful and available to assist with implementation and integration.

Coordinated detection and response between the solutions are essential. Depending on the company and its capabilities, it can sometimes be challenging to bring different tool sets to bear. For example, integrating endpoint protection, XDR, theme tools, CASB apps, and security from different companies can be very tricky. What Microsoft is doing in terms of easy integration makes their product an easy sell because it's critical to spend time doing the work of security rather than worrying about and dealing with integration. 

Threat protection is extensive; it covers most of the concerns we face as a company. I have limited experience with the IoT side, although I'll be working with that soon. Microsoft is thinking ahead and looking toward the future of protection, and I think they're on the right path. The comprehensive threat protection is there, and that results in a steep learning curve because an organization may have a whole bag of tools, some of which they may not use or need depending on the size of the enterprise. The extensiveness is impressive, and Microsoft is doing the right thing in attempting to cover all threat avenues. The necessary side effect of trying to cover every threat is not being the best in class at dealing with any one threat; more of a jack of all trades, master of none. It also increases the learning curve for analysts.  

The threat-hunting service is very useful for a security professional.

The ability to fine-tune specific policies to protect our enterprise is also advantageous.

The increasing deployment availability on different platforms and OSs is a good functionality.

Seamless integration with the Microsoft SIEM tool and other tools such as Splunk and Sentinel is excellent.

Defender for Endpoint provides good visibility into threats, and there is always room for improvement.  

The tool allows us to prioritize risk factors and fine-tune those based on our requirements as a company. That's extremely important because different companies face different threats from an enterprise point of view. Everyone is concerned about phishing, but only certain companies deal with personal health information, for example, and those dictate the security priority landscape. This functionality is one of the essential elements in an endpoint solution.

In Defender for Endpoint, we can create a certain alert logic to alert us on either high-value assets or individuals. With Sentinel integration, we can develop playbooks for the tool, which helps us gather the information for an investigation or automate a lot of threat intelligence searching. Endpoint has its standalone functionality in this respect; Microsoft does a good job providing sufficient threat hunting in each tool in case a customer only has one. Overall, the solution's threat-hunting and investigation resources are extensive.  

Eliminating multiple dashboards saves time. It may save between five and 30 seconds, but at the end of the day, if I've done eight investigations, that's minutes saved each month. That adds to hours of work saved by not having to deal with multiple dashboards.   

Our time to detect and respond decreased; even a few minutes saved by not searching through multiple dashboards helps. Threat intelligence also informs the end user if a website or link has a bad reputation. These features help reduce the time we spend investigating an incident or alert.  

My main issue with the tool is that there are too many menus. This causes a steep learning curve for those without training or unfamiliar with Defender for Endpoint. From an end-user perspective, the solution is there on the machine and does its job; it works seamlessly. However, as a security professional dealing with it behind the scenes, the learning curve can be steep, but not too steep. Still, it has taken some of my analysts up to a month to get familiar with the product.

Microsoft is slow to act on improving the threat intelligence elimination of false positives. They have a feed of indicators of compromise, which they are constantly updating, but some of the category intelligence is sometimes off base. Microsoft is working to improve that, but threat intelligence is vital; it's there, usable, and requires some fine-tuning and adjustment. That's good, although automated threat intelligence has room for improvement.

Threat intelligence is an area Microsoft needs to improve on; if a company only has Defender for Endpoint, that's their single point of truth regarding threats. Therefore, the tool must provide as much threat intelligence and automation as possible. Defender and Sentinel offer more options, but companies with only Defender need it to be improved.

A significant area for improvement is better integration with other tool sets in the industry. The solution integrates well with other Microsoft products, but only some environments have those products or the flexibility to adopt them. Microsoft Defender for Endpoint needs to integrate with different systems, for example, Cisco or other firewalls. Better integration with more cloud vendors would also be excellent, as not everyone will have Azure.

I've been using the solution for over 15 years. 

The solution is very stable, and that has improved with time. It used to be hard on the workstations, but we experienced those issues eight years ago. Microsoft always came out with a patch within a week or two, which would fix the problem. Nowadays, the tool is very stable; the only potential issue is if something happens on the cloud end, as the dashboards are cloud-based. That's something I've yet to personally experience, though.

The scalability is there, and there's always room for improvement. I need to incorporate more outliers, but the solution is easy enough to deploy that I can quickly onboard many workstations or servers. The product is an eight out of ten in terms of scalability.

Customer support responds rather quickly; it depends on the service level agreement, but they are pretty good about getting back to us and following up on any issues we may have. 

Positive

Most of the companies I've worked for used Defender for Endpoint. I have used different SIEM tools like Splunk and briefly used QRadar a long time ago.

I was involved in the deployment planning, but different teams did the actual deployment. I understand the deployment to be easy. 

In terms of maintenance, the solution requires updates from time to time, which are handled by the infrastructure team.

I would rate the solution eight out of ten. 

The infrastructure team has bi-directional sync capabilities set up and running well. It's essential when it comes to having hybrid cloud solutions and cloud solutions from different vendors. Various systems need to have seamless communication and shared issue reporting.  

Microsoft is increasing its data connectors, which is very helpful for ingesting data from different feeds, though some elements aren't fully fleshed out yet. How much data needs to be digested depends on the enterprise; every SIEM tool has a price to pay for how much data is ingested. The simple answer is that Sentinel allows us to ingest a ton of data, and that's vital. If we can't see a threat, we can't detect it and protect against it.  

Sentinel enables us to investigate and respond to threats from one place, which is very important for us. This is an area Microsoft has improved because we used to have to go to three different portals for our security picture. Now, everything we need to find can be seen in one pane of glass in Sentinel, whether we are looking at alerts or incidents.  

The comprehensiveness of Sentinel's protection depends on an organization's security program's maturity and capacity to leverage the solution. There's room for growth, but Microsoft is making good strides in the machine learning and AI portion of its product. The setup and fine-tuning of the tool play a significant role in how smoothly SOAR operates and whether it fulfills an organization's specific requirements. The default playbook may not fit with needs precisely, and staff with knowledge of Kusto Query Language are necessary for fine-tuning. A certain level of expertise is required to leverage Sentinel's sort and machine learning capabilities fully. 

I don't know how much Sentinel costs as I don't see the bills, but the biggest standalone SIEM and SOAR competitor is Splunk. Splunk does a better job but is also much more expensive; people often complain about the cost. I can't compare the value and pricing of the two as I need to know precisely how much they cost. Splunk is supposed to have changed its pricing model to become more affordable recently, and I wonder if Microsoft did the same with Sentinel. However, because Sentinel integrates with other solutions an organization may already use if they're a Microsoft shop, it makes it worth the price.

When it comes to a best-of-breed versus a single vendor security suite, it depends on the people higher up in the organization and usually comes down to cost. Everyone wants the best of the best, but only some companies are capable or willing to pay for that because it can be costly. Microsoft is trying to provide a pricing model that encourages customers to use a suite that seamlessly integrates with Windows and server OSs and increases integration with Linux and Mac OSs. That can provide a better ROI than getting the best of the best but having limited visibility and integration with other tools and the network. Microsoft leverages the security suite model as its selling point, and it's working for them. 

I advise potential customers to read up on the community boards and look into their specific needs. Defender for Endpoint is a good competitor for those looking for an EDR solution, and for those looking for a complete security suite, it's one of the better choices. The tool is competitive, but there are other choices if a company wants the best. Microsoft Defender for Endpoint is in the top three, only considering EDR, but for those looking for a line of products to protect their company and thereby make some savings, it's one of the premier choices.