Harris Koko - PeerSpot reviewer
Security Consultant at a consultancy with 10,001+ employees
Real User
Top 20
Helps prevent attacks, and integrating with other Microsoft products is very easy
Pros and Cons
  • "There are some competitive products on the market, but the best is Microsoft Defender because it's very easy to integrate. That's one reason a lot of clients want Microsoft Defender. It's also very easy to implement compared to other solutions."
  • "We would like to see more tools for managing on-premises security... Sometimes, we have the tools, like Defender, to manage security in the cloud, but because we are so focused on the cloud, we forget the fact that we need to be sure about the security of the on-premises environment, specifically Active Directory."

What is our primary use case?

The solution can be used on everything. It can be used on the cloud. You can also use it for on-premises devices, from servers to laptops. It's a pretty good solution to manage devices and servers.

Usually, our clients have an on-premises infrastructure and they want to start working in the cloud, especially in Azure. We use Microsoft Defender to manage on-premises devices from Azure. Especially over the last two years, a lot of companies have wanted to focus more on their own business and that's why they have us manage their IT security.

The main goal of using Defender for our clients is to do vulnerability scanning and to be aware of any possible security breaches in their infrastructure.

How has it helped my organization?

Microsoft Defender is totally integrated with Microsoft 365 Azure. For example, years ago a software company that was working on-premises with Microsoft products came to us. They asked us to help them connect to Azure because with Azure, they could, of course, run their core business, but it would also help them create more value in the market. Microsoft Defender is the best way to manage on-premises devices, but also devices on the cloud.

It also helps us to prioritize threats.

In addition, the solution gives us a single dashboard that we can customize. When our security operators start their day, they look at the dashboard information. If there is a big issue, they automatically get the information. They can send an email to the team involved. The dashboard helps the security team, day-to-day, to ensure everything is secure for the client. The dashboard is really important.

And overall, the solution has saved us 50 percent of our time. It also saves us money because it prevents ransomware and web application attacks every day. Currently, with the war in Ukraine, because I work in Europe, hackers are trying to hack into enterprises, and that's another reason it's really important to have this kind of solution.

It may be saving us 30 percent, in terms of money, because once you have the system in place, you can avoid a lot of attacks and keep secret information away from hackers. When we talk about security, we're also talking about the reputation of the company. Using this kind of solution helps our clients not to lose money through a loss of reputation.

In terms of time to respond, someone who is working every day on the security operation team, can respond correctly within five minutes, to be conservative, to a problem they receive from the scanning done by Defender. It has decreased that time by about 20 percent, although keep in mind that I am a security architect and not part of the operations team.

What is most valuable?

The scanning part is one of the most valuable features with the automation of vulnerability scanning. That's why we use Defender. It gives us a lot of information on how to improve security.

There are some competitive products on the market, but the best is Microsoft Defender because it's very easy to integrate. That's one reason a lot of clients want Microsoft Defender.

It's also very easy to implement compared to other solutions.

Regarding other Microsoft solutions, about half of our clients take Sentinel, while 90 percent take Defender. They are very easy to integrate. That's one of the reasons, for me, that Microsoft is the best on the market. And in reviews about the best tools on the market, everybody agrees that Sentinel is the best on the market in the security area. When you work with Sentinel, it's easy to work with the Microsoft suite of products. It's easy to integrate every product from Microsoft.

We also use Microsoft Defender for Cloud's bidirectional sync capabilities. For security, they allow us to get all the information we need on time.

What needs improvement?

After scanning, there are false positives so sometimes you need to manage the results.

Also, we would like to see more tools for managing on-premises security. A lot of companies have their own on-premises infrastructure and want to move to the cloud. Sometimes, we have the tools, like Defender, to manage security in the cloud, but because we are so focused on the cloud, we forget the fact that we need to be sure about the security of the on-premises environment, specifically Active Directory. I know it's tricky, but I'd like to see them add some tools for a really good dashboard to introduce the fact that we also need to be careful about on-premises.

A lot of companies have their Active Directory on an on-premises physical server. When they start the journey of moving to the cloud, especially to Azure, they use Microsoft Defender to do device management, especially servers and computers. But to improve security monitoring it would help if we could monitor on-premises, especially identity. Usually, when hackers hack into an environment, they use tools to get the identity of a person. If we had tools to integrate with Defender, it would help improve security.

Buyer's Guide
Microsoft Defender for Endpoint
September 2023
Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: September 2023.
734,156 professionals have used our research since 2012.

For how long have I used the solution?

I have been working with Microsoft Defender for two years.

What do I think about the stability of the solution?

It's a stable solution.

What do I think about the scalability of the solution?

It's also a scalable solution.

About 90 percent of our clients have deployments in multiple locations because they are usually multi-national, and that's why it sometimes takes more time to do the implementation.

How are customer service and support?

The technical support of Microsoft is good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have always used Microsoft solutions.

How was the initial setup?

The deployment is straightforward. The amount of time it takes depends on the configuration the client wants, but it's easy enough to deploy. 

If we need to implement it for a client with 2,000 devices, it takes more time. Just the implementation, for me, takes 20 minutes, but after that we have to implement configuration on the cloud, and that is totally different.

If it's a big company, it could take three months, because we have to do discovery. We have a lot of clients that use customized containers and customized Linux servers, and that's where we have to be sure we do the implementation the right way.

Which other solutions did I evaluate?

Usually, when working with clients and proposing different solutions, they prefer to work with Microsoft Defender because it is integrated. And when you talk about the price, it's really perfect, compared to other advanced threat-scanning products on the market. Overall, 90 percent choose Microsoft Defender because it's great and very easy to put in place. You don't need to install an extra service or do a big design. You pay for the licenses and that's it.

What other advice do I have?

If you're considering working with Microsoft Defender, the first thing you need to do is an inventory of the infrastructure. We need to know what the client has: how many Windows Servers, how many Linux servers, and how much content. And then you need to know what you want to do with the devices. Some devices are not supported anymore. We need to know which devices the client wants to be covered by Defender.

A lot of times, we want to work with Sentinel because it's the best on the market. But Sentinel is more tricky to put that in place. But when you advise a client on security, of course, you propose a lot of solutions, including Defender and Sentinel. You propose the best on the market to improve their security.

Usually, they go for Microsoft Defender, but for Sentinel, sometimes it takes time. They say to us, "We don't have the money right now, let's wait two years." On many of my projects, my clients have already worked in the cloud and they want to start working with Azure. That's why Microsoft Defender is a good tool to implement. There are times we advise the client about Sentinel but they already have a SIEM solution like Splunk.

Defender for Endpoint does not help us automate routine tasks right now because it's extra work. I know we could put that in place, but often, when we start working with a client in the cloud, we spend a lot of money on that. I know, in the day-to-day operations of the security teams of our clients, they have so much to do and it would be really good to implement automation. We propose it to our clients, but it's up to them to decide if they want to do it.

The threat intelligence can help prepare for potential threats before they hit, but this is also something we need to talk to the client about. Sometimes, it's not in our hands. We can propose things to the client, but they have to choose. So far, after proposing these kinds of things to clients, I haven't received their agreement. This part of the solution is really interesting, but it can also be expensive for some clients. It depends on their budget.

And in terms of using multiple vendors for security or a single-vendor security suite, in my current company, we generally advise our clients to have different vendors, but it depends on the client. I, myself, am not a risky guy. But a lot of our clients have Microsoft products, and we'll advise them to use Microsoft products. You don't want to go to war with your client.

Sometimes, they want to work with a lot of different products, but when you try to do that it can be really expensive because you need to work on the connections between them. I usually advise Microsoft because it's very easy and a lot of clients already have Windows Servers, et cetera. It really depends on each case. It depends on who is paying, who is asking, and what they want.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
PeerSpot user
Associate Director-Technology Consultancy at a consultancy with 1,001-5,000 employees
MSP
Top 20
Proactive, doesn't slow down the systems, and integrates well with Microsoft products
Pros and Cons
  • "The most important feature is the way it monitors the threats and blocks them. About 10 days ago, we were implementing SOC for a particular client. The SOC was not yet implemented, but they had Microsoft Defender. That organization was hit by some ransomware, but the hacker could not succeed. Because of the EDR, the hacker could not install the hacking tools. They were trying to do that, but Microsoft Defender completely blocked that. The hacker could log into the system, but they could not install anything."
  • "It should support non-Windows products better. Microsoft is now one of the leading vendors in the security area. So, they should be product-independent."

What is our primary use case?

We provide solutions to our customers based on their requirements. We started working with Microsoft products because we saw people getting more inclined toward Microsoft security products. For example, previously, for SOC, we saw more organizations working with Splunk or QRadar. However, over the last six months, we have seen a lot of customers migrating to Microsoft Sentinel because they already have Microsoft products in their environment, and it works better with other Microsoft products.

How has it helped my organization?

The main purpose of EDR is threat protection, and Microsoft Defender is most impressive when you are factoring in the E3 and E5 security enhancements. It gives all monitoring alerts on a proactive basis. It generates an alert if it finds suspicious traffic, and it also helps to understand where the risks are.

It helps us to prioritize threats across our enterprise. That's one of the key features.

It helps automate routine tasks and the finding of high-value alerts. Because of the automation, you don't need to do anything. You are not required to do anything manually. It automatically detects threats and blocks them. It reduces a lot of manual effort.

It makes the organization much more secure. Microsoft Defender is one of the leading products. It works perfectly. When you are monitoring daily alerts, you can understand what kind of threats your organization is facing or how it is blocking. Based on this analysis, you can secure your organization more. Based on their automation, they are protecting you, and from that analysis, you can understand what threats your organization is facing. So, you can focus more on that area. It helps you to identify and secure those areas so that the same threats don't come in the future.

It has saved us about 20% of the time from an endpoint perspective. It has reduced our time to detect and respond by 50%.

Our customers also use M365 and Microsoft Sentinel. We have integrated all of these products. The base product is Microsoft Sentinel because that is the SIEM. All M365 logs get ingested for the phishing attack checks, and Microsoft Defender logs get integrated with Microsoft Sentinel to check all the endpoint-related activities. These endpoints include Windows servers, laptops, and desktops. On Windows Server also, we have installed Microsoft Defender EDR. From there, the logs go to Microsoft Sentinel, and from there, a centralized monitoring console works. These solutions work natively together to deliver coordinated detection and response across an environment.

What is most valuable?

The most important feature is the way it monitors the threats and blocks them. About 10 days ago, we were implementing SOC for a particular client. The SOC was not yet implemented, but they had Microsoft Defender. That organization was hit by some ransomware, but the hacker could not succeed. Because of the EDR, the hacker could not install the hacking tools. They were trying to do that, but Microsoft Defender completely blocked that. The hacker could log into the system, but they could not install anything. 

Microsoft Defender is a lot proactive, and it can also analyze the threats on the latest technologies. In the case of the attack that happened just 10 days ago, we immediately logged in and saw various challenges because we didn't have any other logs. SOC was not ready, and we only had EDR logs. From there, we could identify that the hacker couldn't succeed because Microsoft Defender was proactively working. It prevented the complete attack.

It is proficient and proactive in monitoring threats. It can seamlessly monitor all the individual assets in real time. Another thing is that after installing the Microsoft Defender agent, your computer doesn't slow down even though real-time scanning is going on in the background.

What needs improvement?

It should support non-Windows products better. Microsoft is now one of the leading vendors in the security area. So, they should be product-independent.

For how long have I used the solution?

I have been using it for the last year.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

It is scalable.

How are customer service and support?

I have not faced any issues with their technical support. Our client has a tie-up with Microsoft, and the Microsoft team has provided them with good support, but I'm not sure how they will be in the case of small customers. 

Which solution did I use previously and why did I switch?

We are working with multiple vendors for our clients. We are using CrowdStrike for some of the other organizations. Microsoft Defender has grown in a very big way in a very short period, but CrowdStrike Falcon is ahead of it in terms of protection.

Microsoft doesn't give everything in a single dashboard, whereas with Mandiant or Secureworks, from a single dashboard, you can manage everything, such as your EDR threats, vulnerability detection and response, and network detection and response. Microsoft has not grown up in that way.

How was the initial setup?

It is much easier to deploy for the Windows platform. One of the customers had 3,000 or 4,000 endpoints, and we could do the deployment in two months.

There was a team of 10 members. They were working on multiple things. They were not fully dedicated to it. We had SCCM, and we had to push everything through SCCM. That helped a lot to automatically push to multiple endpoints at the same time.

If it is on the cloud, you don't require any separate maintenance, but when their patch is coming, you have to do the patch upgrade. You can make that automated. It is easy.

What was our ROI?

It is hard to measure the amount of money saved from using this solution because it depends on if you had any attack, and if an attack happens, how much your organization would lose based on the threat. It was published that in the last year, companies have lost millions of dollars because of ransomware and multiple attacks.

What's my experience with pricing, setup cost, and licensing?

They are now doing it on an endpoint basis. It is based on the number of endpoints, which is good.

Which other solutions did I evaluate?

We made multiple comparisons between tools. We had not only Microsoft Defender but also CrowdStrike and Tanium. I was working on some of the requirements for one of our clients, and based on that, we started evaluating these three products. We started working with Microsoft Defender based on the endpoints or hosts available on the Windows platform. We saw that most of the organizations are still on the Windows platform. They have Windows laptops as well as Windows servers. 

One of the reasons why the client agreed to go with Microsoft Defender was that it was easy to deploy. We didn't need to spend a lot of time implementing it. It is much simpler compared to other competitive products.

During the PoC, we found Microsoft Defender to be easy to implement. It was able to detect a lot of things, but in a few areas, we found CrowdStrike much ahead of Microsoft Defender. Another difference is that CrowdStrike is product-independent, whereas Microsoft Defender is limited to Microsoft products. Also, if you have any other EDR running on your system and if you implement Microsoft Defender, it'll immediately disable others. In this tenure, if something happens, there is always a risk.

What other advice do I have?

To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would agree. I prefer multiple vendors. I am not in favor of implementing Microsoft products in all areas because, in every domain, there are some specialty products. You should focus on that and see how to make your organization much safer. Every organization claims that it has all the products, but all the products are not good. That's why you have to find out the best one and put it there.

I would recommend comparing it with other products and defining what are the most important needs for your organization. You may not require all the features. Microsoft Defender includes a lot of things. Microsoft Defender has its own MCAS solution. It also supports DLP, which is not yet mature. You should see what is required for your organization and then do a testing or PoC on that.

Microsoft Defender works well with Microsoft products. You can implement or install it on the Windows platform, but you will have to find another way to track non-Windows platforms, such as Linux platforms or Unix platforms.

Similarly, Microsoft Sentinel does the analysis for Microsoft products in a better way, but they are yet to catch up when it comes to non-Windows products. It lacks when it comes to analyzing non-Windows products. It isn't able to identify all the threats properly. The number of false positives is much more compared to other products, but still, Microsoft Sentinel is one of the leading products in the market. It has developed a lot as compared to what we saw one year ago. It enables you to ingest data from your Microsoft environment, but I am not sure about the non-Microsoft environment. This data ingestion is very important. Without ingesting all the logs to your SIEM, you can't monitor the threats. When it comes to security products, they need to be product-independent. In terms of cost, it is almost similar to other products, but it is a little bit cheaper than Splunk. In terms of ease of use, on the Windows platform, it is very easy to use, but it is not so easy for non-Windows platforms.

Overall, I would rate Microsoft Defender an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: MSP
Flag as inappropriate
PeerSpot user
Buyer's Guide
Microsoft Defender for Endpoint
September 2023
Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: September 2023.
734,156 professionals have used our research since 2012.
Network Engineer at a real estate/law firm with 51-200 employees
Real User
Top 20
Covers everything that we want from our security platform, integrates with all enterprise services, and is infinitely scalable
Pros and Cons
  • "It is a very advanced system based on AI. It has a very large database of places or sites on the internet where you should not go. It is continuously online."
  • "It makes your Surface devices hot. It is resource-intensive. It strains your CPU, not more than other file scanners around, but it also does a lot more. When you are transmitting files or data, it is continuously scanning the traffic and analyzing it bit by bit to see what's going on, and that, of course, is costly in terms of CPU. It is CPU intensive, and if you are on battery, it drains your battery fast. That's the only drawback that it has."

What is our primary use case?

We are a property investment company, and people here use Microsoft Surface devices for their daily job. We are a Microsoft-oriented company, and we use it for our basic endpoint security implementation. 

Our entire security is based on this endpoint solution. Sometimes you have centralized security where you scan all traffic going through a central firewall and you also check through several types of solutions. You also check HTTPS connections. Basically, for all the traffic going inside and outside the company, you use a security firewall, and this endpoint solution is actually a firewall solution or security solution that is distributed. So, all the traffic coming from and going into the end-user device is basically submitted for scanning. If you download an ISO on a website or an email, everything is scanned for security to check whether it contains any malicious data. 

We are using Microsoft Defender for Endpoint Plan 2, which is the enterprise version of Microsoft Defender for Endpoint. We are using the most recent version of it.

We deploy it via Intune. The feature is called Microsoft Intune Autopilot. We have a hardware hash. A colleague of mine prepares the configuration and then based on the hardware hash and Autopilot, the devices are completely installed and joined to Azure AD and then to our enterprise. Intune is a Microsoft device management platform that comes with Microsoft solutions. When you buy a new device, based on the hardware hash, it can automatically find that device through Autopilot and do the specific deployment for your company. So, the users can use any type of device, start it, and then it will automatically be joined to our environment.

How has it helped my organization?

It is a completely integrated platform with advanced threat analysis, SIEM features, updated inventory, and so on. It is an all-in-one solution. Microsoft is taking over lots of companies to provide more and better services to its clients. This is one of the best solutions around at the moment.

It protects our organization from all kinds of attacks, such as ransomware attacks and any malware downloads. It is like an oracle who knows everything about:

  • What is around at the moment?
  • From where the attacks are coming?
  • What is currently going on security-wise?

It knows about all the software that you have installed on the laptop, and whether they are not patched or have security issues. It covers everything you want from your security platform.

What is most valuable?

It is a very advanced system based on AI. It has a very large database of places or sites on the internet where you should not go. It is continuously online. 

It is completely self-sufficient. You don't have to install anything. It is completely integrated into the operating system, and it also has a centralized information dashboard where you can immediately see:

  • Are all your devices up to date?
  • Are there any threats?
  • Are the devices having problems with updates?
  • Are they infected with anything?
  • Was something blocked?

You can immediately see what is going on in your enterprise, in different networks, and also in people's homes in terms of endpoint security.

It is a zero-trust platform, and it integrates with all types of enterprise services that we run. It also integrates with the Office 365 environment where you can securely connect from anywhere.

What needs improvement?

It makes your Surface devices hot. It is resource-intensive. It strains your CPU, not more than other file scanners around, but it also does a lot more. When you are transmitting files or data, it is continuously scanning the traffic and analyzing it bit by bit to see what's going on, and that, of course, is costly in terms of CPU. It is CPU intensive, and if you are on battery, it drains your battery fast. That's the only drawback that it has.

They're continuously improving it. You can compare it with Teams. About a year ago, the codex and the presentation of the Teams application were not very well optimized, and if you were using the Teams application, it used to drain your battery. It still drains your battery, but they have improved it a lot, and it is a lot less CPU intensive after one year. They're working on Defender for Endpoint to make it less CPU intensive.

For how long have I used the solution?

We have been using Microsoft Defender for Endpoint for more than six months.

What do I think about the stability of the solution?

Its stability is quite good, especially with Windows 11, which is a very stable operating system. Of course, you can run into some issues. We have some issues with docking stations for Surface and screens, but generally, the operating system together with the endpoint security solution is very stable.

What do I think about the scalability of the solution?

It is the most scalable solution around. You can create an Azure tenant, and with a script, you can deploy 1,000 user accounts. There is no actual limit to it, so the scalability is infinite.

How are customer service and support?

Their support has improved. They're quite good. I would rate them an eight out of ten.

How would you rate customer service and support?

Positive

How was the initial setup?

It has the easiest setup that I've ever seen. It's completely integrated with Microsoft. When you deploy your machine through Autopilot and Intune and assign the license, everything is done automatically. Of course, you have a lot of possibilities and a lot of freedom for detailed configuration, but out of the box, it comes completely self-sustained. You don't have to do anything. This is one of the easiest solutions that I've seen.

You just apply for the plan in Office 365, and you set up your very basic Autopilot template where you would specify the types of software that have to be installed. For instance, you want Office or other types of software. The very basic template is enough to roll it out fully automatically.

It takes a couple of hours. If you apply for a tenant on Azure, you pay for the licenses, and you can roll out with a click on 200 to 1,000 endpoint devices within the hour. This cloud is really amazing.

What about the implementation team?

We are a small company with a few technical engineers, and we provide services for our clients. We provide all kinds of services such as maintaining endpoints and Azure cloud solutions with virtualized services and SaaS services.

Its implementation is more or less handled by my colleague. I do a little bit of configuration but not so much. My colleague knows about all the technical details. He does the complete installation and the complete central management of policies and templates. However, a basic part with basic software is very quickly implemented. You just create a tenant on microsoft.com, and then you can very easily roll out to as many workstations as you would like the necessary configuration for Defender for Endpoint.

What's my experience with pricing, setup cost, and licensing?

Its price at the moment is very good because you get a lot of value for your money, especially with the subscriptions. If you have the E1, E3, or E5 enterprise subscription, you pay per month per user, and you get almost an infinite number of solutions. If you compare the price to the number of solutions that you get, it is a very good deal. 

I'm only concerned about the future because Microsoft is taking over one company after another. In the end, there will be no alternative and then they can do whatever they like, but for now, in terms of price, Microsoft is one of the best performers.

What other advice do I have?

At the moment, it is one of the best security platforms for endpoint security in the market. It is comparable to SentinelOne in terms of features and functions.

It is part of Microsoft's ecosystem. If you need a reliable and secure work environment, and you are bound by GDPR and other standards where you have to take care of your data and prevent breaches and unauthorized access, it is a great solution. 

The E1, E3, or E5 license contains Defender for Endpoint along with many other solutions. Having just the scanner is not enough these days. You need an overview of your whole environment. You need to make sure that your endpoints are encrypted, they are up to date, and they are correctly using zero-trust relationships for your central services. All these things that you need these days are perfectly implemented in the solutions that Microsoft provides. This is the only way for a company that takes data seriously and has to give a guarantee to customers that data is protected.

It is resource-intensive, but you have to take into account that it is not only a file scanner. It is continuously scanning every connection you make on the internet. It is deeply investigating the data that you transport and the connections that you make. It is scanning your files, and it is scanning your software against all kinds of knowledge bases to identify whether there are vulnerabilities in the software that you use. It is a solution that integrates almost everything. It is doing what a central firewall did before, but it is doing that in a distributed way on your device. So, it does so much more than you expect. If you are providing it to your users, you have to take its CPU consumption into account, and you need to provide sufficient CPU power for this.

I would rate it an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Cyber Security Senior Analyst at a security firm with 51-200 employees
Real User
Top 20
Has EPP and EDR capabilities, helps with compliance, and provides visibility at one place
Pros and Cons
  • "We had certain compliance and usage issues. For example, our company wanted to go with CIS, but we didn't have a proper way of measuring whether the endpoints have the right standards in place or whether they were compliant with CIS. Microsoft Defender was like a one-stop for most things because it gave us the vulnerability and patching scores so that our vulnerability management teams can focus on covering up the vulnerabilities and the patching team can check the vulnerable versions and deploy the right versions."
  • "I'm not too sure of its current capabilities, but I'm pretty sure they are doing a good job on Windows and Mac. However, I'm not sure whether they covered Linux. If I remember correctly, Microsoft Defender didn't have anything proper on Linux back then, but if they have improved it from that aspect, it would already be ticking all the boxes."

What is our primary use case?

We used it as an EPP and EDR solution. 

How has it helped my organization?

Microsoft Defender made the work quite easy because we didn't have to rely on multiple tools, and we could look at one thing. It had a specific endpoint-level reporting standard as well where you can see the vulnerable threats and the outdated versions. It was very convenient.

We had certain compliance and usage issues. For example, our company wanted to go with CIS, but we didn't have a proper way of measuring whether the endpoints have the right standards in place or whether they were compliant with CIS. Microsoft Defender was like a one-stop for most things because it gave us the vulnerability and patching scores so that our vulnerability management teams can focus on covering up the vulnerabilities and the patching team can check the vulnerable versions and deploy the right versions. It had multiple advantages for us in terms of patching, vulnerability management, adhering to security standards, and EDR and AV capabilities. 

Microsoft Defender was pretty interesting in terms of visibility. When we compare the solution that we had before with Microsoft Defender, there is almost a night and day difference. Microsoft Defender is pretty advanced with the threats. We used to run, simulate, and see whether we were prone to the latest vulnerabilities. It was a pretty good solution in our experience.

It definitely saved us a lot of time. I don't have the metrics, but because it was a one-stop place, we didn't have to navigate through all the controls and go from one place to another to look for different reports for each section. We had one tool that could do everything in one place. It would have definitely saved us nearly one-fifth or 20% of the time. It would have also saved money because you rely on one single tool for multiple things. When you go with the premium suite, you get other tools as well. There is definitely a cost-saving aspect.

What is most valuable?

It came in a suite. There were multiple other products that were included with it as well in the premium suite. Another factor was that you don't have to invest in two products, and you can get both components, the EPP and the EDR, in one. You can also do simple vulnerability management, CIS hardening, and things like that from Microsoft Defender. Those were the main reasons for considering it back then.

What needs improvement?

I haven't used the product in nearly eight months. I use it on my device, but I haven't used it at an administrative level. Previously, with Microsoft Defender, we used to have certain problems with the Mac machines, but later on, they came up with various ways so that we could use the MDM solution to do the job. They provided pretty good support. Their engineers came and tried to figure out the solution.

I'm not too sure of its current capabilities, but I'm pretty sure they are doing a good job on Windows and Mac. However, I'm not sure whether they covered Linux. If I remember correctly, Microsoft Defender didn't have anything proper on Linux back then, but if they have improved it from that aspect, it would already be ticking all the boxes.

For how long have I used the solution?

I have used Microsoft Defender for eight months to one year in my previous organization.

What do I think about the stability of the solution?

In comparison to the other solutions that I've had experience with, Microsoft Defender was very good.

What do I think about the scalability of the solution?

It was definitely scalable. In my previous organization, we enrolled more than 20,000 endpoints.

How are customer service and support?

It was pretty good. At that time, Microsoft Defender was very new. When they released it for Mac, that's when we got hold of them. There was a time when their support engineers learned certain things from me about it, and I also did learn something from them. It was a win-win situation for both of us.

I would rate their support a seven out of them. The level of support depends on the complexity of the issue. If an issue is small, anyone can solve it, and it wouldn't take much time, but when you run into a complex problem, you need proper people coming in quickly and giving you some support after looking into the issue. Ideally, if they are very well-trained at all levels, that would be good.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We had other products for antivirus and EDR. We removed those two products and replaced them with Microsoft Defender. They both were pretty good solutions in the market back then. One of them is a pretty good solution even now.

We found Microsoft Defender pretty good when we did the PoC as compared to the rest of the tools. Some of the solutions were only antivirus, and some of them were only EDR, whereas this particular tool had a lot of features built into it. So, one agent could do many things. Another reason for going for this solution was that the company I used to work with was a bit biased toward Microsoft. They were a Microsoft customer, and they were comfortable with Microsoft. 

The reliability of support was one of the reasons why we chose Microsoft. When it comes to tools, there are always requirements related to budget, level of support, and other things. When you go for a PoC and look at the demo, you might think a product is stable, but when you run into a problem, the support could be weak. In such instances, what's the use of the product if you don't have good support or if they take at least two to three days to solve a small issue?

How was the initial setup?

I handled the Mac machine part of it. Initially, setting up policies and getting all the configuration profiles in place was a bit of a challenge because they didn't have proper documentation at first. During the PoC, there were not many documents or support articles, but when we were in the deployment phase, they had everything, even specific to particular MDMs, which made it very smooth. We ran into a couple of small problems, but that's pretty common in every deployment. Other than that, it was pretty smooth. 

From Microsoft's side, there is a pretty good deployment strategy in place, but different companies have different objectives and different ways of working. There are situations where certain users and groups might need something specific but other users or groups don't. There could be multiple groups of users with different expectations. So, it is pretty straightforward, but like with any security tool, there could be internal user-level challenges. However, for a company that does not have a very complex environment, it should be a piece of cake. It should be pretty easy.

In terms of our implementation strategy, we first targeted the least impacted devices because we didn't want high-end or critical users complaining about having issues. So, we selected the low-priority users and implemented it for them, and then we tested it out. After that, we implemented it for users with higher priorities. We gradually moved based on the severity.

In terms of maintenance, agent updates are required, which we scheduled automatically. It didn't seem to need much attention. If the product is in a non-complex environment, it won't have many issues, but in a complex environment, there will be some because of VLAN restrictions, network connectivity limitations, etc. We also had issues where agents were not communicating, but it was not because of an issue with the tool. It was mainly because of the complexity of the environment in terms of networking and architecture.

What other advice do I have?

Microsoft Defender decreased our time to detect and time to respond. However, we didn't completely rely on one solution. We had other means as well. We used to have another EDR solution as well, and we used to run both together.

I would definitely agree with a security colleague who says that it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite. For example, if you are a one-vendor customer, the day the vendor gets hit with zero-day or any huge attack, none of your tools or software would work. Your data and other things are also at risk. So, having multiple vendors is good because you'll be covered by different products. 

Microsoft Defender's threat intelligence helps to prepare for potential threats before they hit and take practice steps, but there was another team that was using the threat intelligence and reporting capabilities to see whether the organization was ready. In my previous organization, we had overall IT support, which was then divided into nearly 20 different teams. We had one team specifically to do one specific job. 

For prioritization of threats, if I'm not wrong, Microsoft Defender gives you a severity value. I haven't been in the admin part for long, but it gives you a severity value. Based on that, you can prioritize your threats.

I would rate Microsoft Defender an eight out of ten. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
FrancMlinarek - PeerSpot reviewer
IT Engineer at a tech services company with 1-10 employees
Real User
Top 5
Provides more information than just antivirus hits
Pros and Cons
  • "The most valuable feature of Microsoft Defender for Endpoint is its ability to bring together all the data, providing more information than just antivirus hits."
  • "There is a lot of information to take in, and the portals tend to change quickly due to the fast-paced nature of the industry."

What is our primary use case?

We use Microsoft Defender for Endpoint to manage the firewall and provide endpoint security, such as antivirus protection, on the endpoint.

How has it helped my organization?

The visibility of threats is excellent. The most difficult aspect of Microsoft Defender for Endpoint, especially for a small MSP, is the amount of information that needs to be filtered through. There is a lot that can be done in the portal, so it requires someone to spend a lot of time going through all the settings and making sure any issues are resolved. This is why we added Huntress to it, as it helps with the identification of other issues.

Microsoft Defender for Endpoint helps prioritize threats across the enterprise. The great thing about the Defender portal is that if there is a new issue, it highlights the issue for us in the portal, enabling us to easily check the CVE report to see which devices are affected, and make the necessary changes.

The major advantage of Microsoft Defender for Endpoint for us is that we receive a great deal of information. Initially, when we encountered the solution, the most difficult thing was that there was a lot more detail to go through, a lot more logs, and settings that we had to configure. However, once we had everything in place, as we are covering so many devices using the same solution, we were able to make a significant impact on our security.

The solution helps automate the high-value alerts to identify the devices that are at high risk of attack, but we still have to remediate ourselves.

We still enjoy jumping between Defender and Huntress' portals. Microsoft has removed the need for a large number of solutions as the Defender portal itself encompasses a great deal. This is both good and bad as they continue to add to the Defender portal. For a small team, it can be quite overwhelming to have to go through the one Defender portal. However, if the team was larger and we had more dedicated staff, it would be great as everything would be in one place.

Microsoft Defender for Endpoint's threat intelligence helps us prepare for potential threats before they occur and take proactive steps based on the CVE reports, which advise us which devices have higher threat issues.

Being aware of the issues is a good thing, and with solutions like Webroot Business Endpoint Protection, we may think everything is fine as long as the antivirus is installed. However, with Microsoft Defender for Endpoint, we are given a lot of information and become more aware of the issues. This helps us strive to reach the 100 mark on the security score.

Microsoft Defender for Endpoint has saved time by preventing attacks from occurring, and I have been able to rely on it. In contrast, when we used Webroot Business Endpoint Protection, we installed it and then largely forgot about it, assuming it would take care of itself. Webroot rarely gave us any warnings, which may have been due to the product not knowing what to do or not having anything to alert us about. On the other hand, Defender is constantly active and provides us with updates about the endpoints. This may take up more time, as it is making us aware of a lot of other things.

Microsoft Defender for Endpoint is more expensive than Webroot Business Endpoint Protection. However, the value is there in terms of the product we are getting. The cost savings with Microsoft Defender for Endpoint come from being aware of the issues and taking steps to prevent them from occurring. The savings come from avoiding the issues.

Microsoft Defender for Endpoints has a quick response time when it detects a threat. From what I've seen, the system is quite fast. It's not instantaneous when changes are made in the portal and sent to the endpoint, but it is still quick.

What is most valuable?

The most valuable feature of Microsoft Defender for Endpoint is its ability to bring together all the data, providing more information than just antivirus hits. Additionally, it has a useful security score that is tied into the Defender platform, giving us a better understanding of what is happening at the endpoint.

What needs improvement?

Microsoft often changes the names of its products, the design of its portals, and what is included in them. This can be confusing for people who are not using them regularly. There is a lot of information to take in, and the portals tend to change quickly due to the fast-paced nature of the industry. This can be frustrating when something that was there one day is gone the next.

I would like to see when NDR solutions become more widespread in other regions. It would be amazing to observe how that progresses. It is something that we are considering, having Microsoft do part of the work using the dependent portal instead of having engineers from our own company do it. Therefore, I am eager to see where that goes.

The stability has room for improvement.

For how long have I used the solution?

I have been using the solution for over one year.

What do I think about the stability of the solution?

When testing to see if the antivirus solution is working properly with a lot of different events occurring on the device, we found that the Defender interface can become cluttered. The solution does not always give us a real-time view of what is happening, making it difficult to navigate the user interface. Therefore, there is potential for improvement in terms of stability.

What do I think about the scalability of the solution?

We've deployed the solution in small environments and larger ones. So we haven't had any issues going between the two. Microsoft Defender for Endpoint is scalable.

How are customer service and support?

We have encountered two technical issues in the past. The support team was very competent, and when I contacted Microsoft support, they were extremely helpful.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We had previously used Webroot Business Endpoint Protection, Bitdefender GravityZone, CrowdStrike Falcon, and Cortex XDR by Palo Alto Networks. Microsoft Defender for Endpoint is now included in our licenses, making it an easy addition for many of our clients since some of them already had the licenses that included the solution. Moreover, since many of us already use Microsoft products and portals daily, we were comfortable with Microsoft and the solution did not require a lot of retraining. Additionally, the price was another factor that made the solution attractive; CrowdStrike and the requirements associated with it are too costly for some of our clients.

How was the initial setup?

The initial setup is not complex. It is more cumbersome than Huntress because it is not just an installer. We have a package that needs to be deployed to a few machines. We can run a script, or use a GPO package to distribute it. Although it is not as easy as some of the other smaller solutions, it is still quite simple. We can roll out a group policy. The deployment didn't take long at all. We had already set people up with licenses to access a Hive with Microsoft, so the deployment solution was straightforward. Most of our clients also have directories managed through Azure, which made the rollout easy.

The deployment process requiring engineering numbers or similar is very minimal as it can be done through a single group policy.

What about the implementation team?

The implementations are completed in-house for our clients.

What's my experience with pricing, setup cost, and licensing?

The licensing costs for Microsoft Defender for Endpoint are reasonable.

What other advice do I have?

I give the solution an eight out of ten. When discussing Microsoft Defender with other engineers, we agree that it can be challenging to become accustomed to and comprehend the UI at first. Once we have a grasp on the UI, it is excellent; however, initially, it is difficult to learn.

Microsoft Defender for Endpoint is deployed in systems located in data centers and on-premises, providing a wide range of devices. Approximately two thousand endpoint devices are in use.

Since the solution is a Windows subsystem, it is not difficult to maintain. We utilize a management solution to run many of those updates regularly, ensuring that they are completed regularly.

No single solution or vendor has all the answers, and it can be risky to rely on just one source. If an attack occurs and we are only using one form of security, if it is breached, the attackers will have unfettered access. Therefore, I believe it is beneficial to have a multi-layered approach, utilizing multiple solutions and vendors with different technologies that can work together.

I suggest people do some Microsoft training regarding the Defender platform to become comfortable with it before deploying it to understand exactly what is necessary to make it work.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
PeerSpot user
ICT&CyberSecurity Services Team Lead at a comms service provider with 501-1,000 employees
Real User
Top 20
Scalable, has XDR capabilities, and integrates well with Microsoft products
Pros and Cons
  • "I've started to test it from the security point of view. There are plenty of features that are interesting, but at this time, the XDR functionality is most valuable. It is endpoint security on steroids."
  • "I miss having an executive dashboard or a simple view for viewing things. Everything is extensive in this solution. Everything is configurable and manageable, but the environment of Microsoft 365 has about 13 administrative dashboards, and in each of the dashboards, there are a gazillion things to set up. It is good for a large enterprise, but for a 200-seat client, you need to see 5% of that."

What is our primary use case?

We have been using it in our test environment. On the customer side, we are using the small business variant of the tool. So, we are using Microsoft Defender for Endpoint and Microsoft Defender for SMBs. They're pretty similar, but the one for SMBs is a little lighter.

In our test environment, we have access to 50-seat licenses for everything. So, we are making sure that we are technically in a good place before we begin to offer this kind of solution to our clients. In addition to our solutions, we are delivering services to our clients. So, when we sell an SMB or enterprise Microsoft license, we are able to do the migration, management, and other things for a client.

How has it helped my organization?

It works well with different solutions from Microsoft. If a company is using Microsoft 365 package, this security addition is easier to implement and manage because it is from the same vendor. You have greater visibility because they are from the same vendor. Microsoft probably also has larger visibility on the endpoint itself because of its own operating system.

It provides good visibility into threats. I would rate it a seven out of ten in terms of visibility.

Its threat intelligence is helpful for preparing for potential threats before they hit and taking proactive steps. We can manage our own images, and we can also inform the client to patch certain things.

What is most valuable?

I've started to test it from the security point of view. There are plenty of features that are interesting, but at this time, the XDR functionality is most valuable. It is endpoint security on steroids.

It allows you to prioritize threats across the enterprise, which is very important because the SLAs are different for different cases. If the error is critical, you must act now. If something is just informal, it can be done in weeks. 

What needs improvement?

I miss having an executive dashboard or a simple view for viewing things. Everything is extensive in this solution. Everything is configurable and manageable, but the environment of Microsoft 365 has about 13 administrative dashboards, and in each of the dashboards, there are a gazillion things to set up. It is good for a large enterprise, but for a 200-seat client, you need to see 5% of that.

A simplified SIEM would work so that we don't have to use everything on the Sentinel, which is great by the way, but Sentinel is too expensive for our kind of market. It is an enterprise product. It is not an SMB product.

For how long have I used the solution?

We have been using it for half a year in our test environment.

What do I think about the stability of the solution?

It is good. It is stable. Once you set it up, it works, but we haven't tested it on a large time scale. The solution itself is pretty young. We'll see how stable it will be in the next few years.

What do I think about the scalability of the solution?

It is very scalable. We hope to increase the usage of the product. It is being used only by our team for now at multiple locations. It is for laptops in the office and other networks and also for mobile devices. A few tech guys in our department are testing everything that could happen on the client side, and that's it.

How are customer service and support?

I didn't use their support for this solution, but the knowledge base, training, and documentation are pretty good. I would rate it a nine out of ten.

How would you rate customer service and support?

Positive

How was the initial setup?

It is complex. You need to first have a list of computers. Then, you need to set up the plan for these computers, and then, you need to deploy it and apply it. There are too many steps to deploy this kind of solution because it is a Microsoft native solution.

In terms of the implementation strategy, first, you need to have a view of the inventory. You have to have knowledge of what is already installed on an endpoint. You don't want to cause any clashes with some other endpoint security vendor. So, you need to know your devices. The next one is to prepare the package and then decide to deploy it via Intune or via MSI, through group policy.

In terms of duration, you can deploy it on one computer in minutes. If you are deploying it on a thousand computers and everything is set up correctly, it can be done in a few hours, but if everything is not set up correctly, it can take up to a day or a week. 

It took a month for us to realize its benefits from the time of deployment. It takes some time to understand the settings, portal, etc. 

It has not yet saved any time. It has only consumed my time for now because I need to learn and do the training and PoCs, but it is an investment for the future.

What about the implementation team?

The number of people required for deployment depends on the size of the client or the company. I can do it by myself if I have a client with 100 seats, but if there is a corporation or enterprise in several locations, we need to involve the local IT people to confirm everything is okay, etc.

It doesn't require any maintenance, but it requires somebody to take care of the consequences. You can implement endpoint security and just have it there. You don't have to maintain the solution itself, but you need to take care of the alerts. You need to take care of the patches and other things. The number of people required depends on the size of the client.

What was our ROI?

It hasn't saved us any money yet. It might save in the future, but it depends on the pricing of Microsoft because there are several different parts of the Microsoft solution. 

What's my experience with pricing, setup cost, and licensing?

Everybody would like to see a lower price on everything. The Slovenian market is basically an SME market with clients having up to 100 seat licenses, comprising 90% of the company. They're very price sensitive. So, the price could be cheaper. 

Any additional costs depend on the basic license of the client. There could be additional costs. If somebody needs Plan 2 of Defender for Endpoint, if I'm not mistaken, it is only available as an add-on. It is not included in any license, not even in the E5 license. So, there are some things at an additional cost.

Which other solutions did I evaluate?

We are always open to suggestions and newer and better things. We are constantly looking around for similar solutions and testing them. Microsoft is the biggest player. Everybody uses something from Microsoft. So, it is a logical next step. For an MSP, by having everything from one vendor or everything under one umbrella, managing clients is easier. This is the main reason for exploring this solution.

At the moment, we are using the Cynet XDR solution, and we also tried SentinelOne. We are going to put it in our portfolio in the following months, but mostly, we are comparing everything to Cynet because we have more clients on Cynet.

In comparison to other solutions that we are using, Microsoft Defender for Endpoint has not decreased our time to detect and time to respond much.

What other advice do I have?

In my opinion, from the management and maintenance point of view, it is better to go with a single vendor, but from the security point of view, multiple vendors on multiple layers could work better than one vendor. If one vendor is breached, then everything goes, but if you have several layers with several vendors, and only one is breached, you have other vendors.

My advice to those evaluating Microsoft Defender for Endpoint is to stick with it and train themselves. They should know the solution and try it as much as they can. Microsoft is on the right path here.

It helps to automate routine tasks and the finding of high-value alerts, but we haven't yet implemented automation. We are planning to implement it, but at this time, because of a small number of clients, it is easier to do it manually. We just look into the alerts and resolve them one by one. We don't have a few thousand alerts per day, per week, or per month. So, it is manageable to handle them manually.

It would help us to eliminate looking at multiple dashboards and have one XDR dashboard, but we haven't yet managed to do that.

I would rate it an eight out of ten. I would have rated it a ten, but it is a pretty pricey solution.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Consultant at a tech services company with 1,001-5,000 employees
Real User
Top 10
Enables us to run queries on application details for customized detection
Pros and Cons
  • "Because it has been integrated with the OS, we get the entire software inventories, and we even get access to the registries. Those are the primary features."
  • "I would like to see improvement from a management perspective. We have had to depend on Intune for certain tasks."

What is our primary use case?

It's an AV and EDR. The AV is integrated with the OS and, once you onboard the devices through a portal, it also functions as an EDR.

How has it helped my organization?

The main reason it has improved our organization is that it is integrated with the entire Microsoft 365 suite. We get a lot of functionality and a centralized way of operating or controlling all the devices in the environment.

The solution automates routine tasks and the finding of high-value alerts. That helps a lot. I worked with a different product before and, if we wanted to check if a specific application was affecting our organization, we had to get the application details and then search in the EDR console or on the devices for those application details. But with Defender for Endpoint, you can simply put the application details in a query and run it, and that becomes a customized detection. I don't need to check for the same application again and again. I can get an alert whenever it pops up again.

There is integration with all the products, whether Defender for Cloud or Microsoft Purview or Office 365, so we have a centralized console. There is a sync so that you can get all the alerts in different portals on a single portal. That consolidation makes things easier because we don't have to navigate to multiple portals to check for all the information. Before, we used to only get basic details, like the title or the category of a particular alert. But now, since it is also syncing with Sentinel, we don't need to go to the Defender portal. We can view the entire alert story and related devices, or potentially affected devices, and which devices could be the next targets.

Another advantage is that the threat intelligence helps us proactively prepare for potential issues before they strike. There is an option to check for vulnerabilities and that is not only limited to our organization or the license we bought. We have one filter that will show all the potential threats in the market or that other customers might have reported. We can view them and the steps they have followed. There are all the CVD details that are not affecting our organization, things that are still new in the market, and it will give the remediation steps for them as well.

In terms of deployment, management, and manual efforts, it has saved me a lot of time. Previously, I would review each alert. That meant, during a given week, that I would be on alerts for three or four days, and only then would I go on to other things. It has saved me a couple of days a week because of the automation and auto-suppress rules, which are configured to automatically resolve an alert and trigger an email to me that the alert has come up and the action has been taken.

What is most valuable?

Because it has been integrated with the OS, we get the entire software inventories, and we even get access to the registries. Those are the primary features. We also have something called advanced hunting, which uses SQL tables to list out all the details of the device and that is also used for threat hunting.

Defender for Endpoint also helps prioritize threats across our enterprise, and we have an option for customized detections, which is an additional feature that differentiates it from other products. The customized detection helps us identify threats.

What needs improvement?

I would like to see improvement from a management perspective. We have had to depend on Intune for certain tasks.

I would also like to see additional features related to device control. For now, it has all the common features that other EDR and AV products offer, but device control is missing. Device control means automatically syncing the devices without any dependency on other products, like Intune, SCCM, or even Azure. If it could sync between products after only adding it to one product, that would be great.

For how long have I used the solution?

I've been working with Microsoft Defender for Endpoint for close to one year.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

It is also scalable. 

Since it's an AV and EDR, you can use it at any location and on all the platforms, including Android and iOS.

How are customer service and support?

Support depends on the support contract you have. The Premier support contract is comparatively efficient.

I would rate their support at eight out of 10. Sometimes, because they have multiple teams, there could be a delay with a ticket going to a wrong team. But once it is routed to the correct team, we get good support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I worked with one similar solution, which was VMware Carbon Black Cloud. Defender for Endpoint has the advantage because Carbon Black is a third party to the OS. That is going to create a lot of additional work to manually deploy things, check the installation, see if it's parsing. There could also be compatibility issues. Because Defender is integrated with the OS, you don't need to do those manual tasks to install the product or work through the compatibility issues.

How was the initial setup?

It is pretty straightforward to deploy. There isn't any manual effort, even if you are a new customer and migrating from a different product to Defender. All you need to do is get a license and the credentials to log in.

In the back-end, if we were to deploy the new tenant, it would be on Azure, and there are a series of steps to follow, nothing complex. It's just a GUI. You just need to give the device count and the geographical location. It takes four to five people for the deployment. 

Once the deployment is done, you don't need to constantly monitor it, but four people would be good for operations: two people to manage the devices and configuration, and the other two to review the alerts that are coming and analyze the vulnerabilities. Once a month you should review and update the software. Other than that, there is only maintenance when there is an issue. The signatures are updated automatically.

You can manage the devices on-prem, but if you want the EDR solution, it's completely cloud. You still have the option to control the devices on-prem through SCCM or any other integration, but ideally, it's cloud-based. The back-end portal is on Azure, but the console or tenant for users or management is a different portal. It's not on the Azure portal, it's a different URL.

The time it takes to see benefits depends on the end-users' requirements or which products they want to integrate it with. In my case, after two or three months I felt like I had found the good things to integrate it with and had a centralized way to manage them.

What's my experience with pricing, setup cost, and licensing?

The solution has saved us money compared to the other products we use, but it depends on the situation. If there are multiple integrations, you have to get the licenses for those as well. But in our case, comparatively, we have saved money.

Which other solutions did I evaluate?

We did consider other options, CyberArc and Trellix (which is the new name for McAfee products). But the ease of using Defender for Endpoint and the reduction in manual efforts are why we went with it. Also, collecting and reporting on the data was easier.

The visibility into threats that the solution gives us is the same as other EDR products. But one advantage I have noticed, because I have experience working with a couple of other EDR products, is getting the complete device registry information. If we want to query anything or look into the complete alert or vulnerability details, we can get to the core. We don't need to depend on getting access to the device. We can do it from a centralized console.

What other advice do I have?

I've seen a lot of people saying that they are looking for feature X but it's not there in the product. Most EDR products function in the same way, but they call features by different names. My advice would be to consult with Microsoft's Fast Track support engineers. They can guide you and explain every feature. Go for that first and then implement it.

I would definitely recommend Defender for Endpoint because going with a third party would require a lot of maintenance. For smaller companies, Defender for Endpoint would be more cost-efficient than requiring more headcount to do more maintenance.

Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
Flag as inappropriate
PeerSpot user
Mahmoud Eldeep - PeerSpot reviewer
Security Team Lead at Global Brands Group
Real User
Real-time detection, easy to deploy, and scalable
Pros and Cons
  • "Real-time detection and cloud-based delivery of detections are highly efficient."
  • "The application control feature requires improvement."

What is our primary use case?

We use Microsoft Defender for Endpoint to secure our customers' networks. One of the main reasons we chose this solution is its seamless integration with other Microsoft products, including Security. This integration enables the efficient exchange of signals and facilitates incident investigation and correlation with other security measures. Therefore, we recommend Microsoft Defender to our customers for robust endpoint security. 

Microsoft has been recognized as a leader in Gartner reports for two consecutive years for their exceptional threat-capturing abilities within their division. In comparison to other solutions, Microsoft Defender Endpoint Security offers a wide range of features, and the benefit of integration with other solutions makes it a more powerful product. This is in contrast to individual products from separate vendors, which lack default integrations and may not offer visibility over other endpoints in our environment.

How has it helped my organization?

The solution provides a high level of visibility into threats and is integrated with other solutions such as Microsoft Defender for Identity. This integration enables the solution to receive signals from Microsoft Defender for Identity, which are then relayed to users who attempt to log in to an infected device. If the threat originates from Microsoft Defender or Office 365, users are alerted and advised not to open any suspicious links or attachments. This integration greatly enhances the investigation experience and is extremely useful in the detection and analysis of potential threats.

Microsoft Defender for Endpoint helps prioritize the threats across our organization.

The automatic investigation response is the key feature of Microsoft Defender for Endpoint. It enables us to concentrate on the critical incidents related to the endpoint or machines. This capability enables the security team to focus on the most significant alerts or incidents related to the device's self-analytics. Prioritizing our investigations and responses with Microsoft Defender for Endpoint is crucial.

The integration with Microsoft solutions is smooth, and integrating with other products can be done with just one click.

In most cases, the solutions work natively together to deliver coordinated detection responses across our environment, which is very helpful.

The comprehensiveness of threat protection offered by Microsoft's solutions is extensive. These solutions can thoroughly investigate all resources in an organization when deployed correctly according to best practices. They can detect any threats related to email, endpoints, and identity attacks, whether on-premises or in the cloud.

Microsoft Defender for Endpoint has been instrumental in enhancing our organization's operations. It detects the majority of threats aimed at our devices, aiding us in our efforts to combat threats. Additionally, it expedites the investigation process by running playbooks on incidents. This saves us time and increases efficiency. Furthermore, the integration capabilities of Microsoft Defender for Endpoint allow us to address the source of the threat by partnering it with other solutions. Microsoft Defender for Endpoint can be integrated with Microsoft Intune, allowing us to provide device signals to the latter. This permits us to grant or deny access to specific sources based on device signals.

The solution assists in automating routine tasks and streamlines the identification of high-value alerts. When used in conjunction with Microsoft Sentinel, which is highly effective in detection and comprehensive investigations, the quality of high-value alerts is excellent.

Microsoft Defender for Endpoint has eliminated the need to access multiple dashboards and provided us with a single XDR dashboard. Instead of logging into five different portals to investigate a threat, we only need to access one portal, Microsoft Defender for Endpoint. This portal collects signals from various solutions and integrates them into a single incident, providing a comprehensive view of the detection from different sources in one place. This improves our visibility and simplifies the threat investigation process.

Having a consolidated dashboard saves us a significant amount of time by eliminating the need to log into multiple portals. This single portal can be used for investigation purposes and can relate to various aspects. It simplifies the process of monitoring a multitude of sources or resources in the environment, making it easier to detect and investigate potential issues. A consolidated dashboard improves collections and visibility, streamlining the investigation process.

The threat intelligence provided by the solution helps us prepare for potential threats and take proactive measures before they occur. Many of Microsoft's security solutions now depend on Microsoft's security intelligence. The ISG collects signals from various products worldwide, providing extensive information on recent global threats targeting different products. Integrating with Microsoft Defender for Endpoint, this information is particularly helpful.

The solution has helped us save time. I suggested that we check Microsoft Defender for Endpoint daily to review the latest incidents that occurred during the process. We can quickly examine the incident and then take action based on the recommendations provided by either Microsoft Defender for Endpoint or Microsoft 365 Defender, as it consolidates the signals.

This solution is cost-effective since we would otherwise have to pay for multiple licenses if we were to use various solutions. Additionally, we prefer not to subscribe to multiple vendors for different services. By integrating these features, we save time, and they are already integrated by default, unlike other vendors who may not offer this feature or integration.

What is most valuable?

Real-time detection and cloud-based delivery of detections are highly efficient. I have deployed the Microsoft Application Control which I found to be very effective, albeit difficult to deploy. I have implemented point guard and attack deduction rules which enable me to identify attack locations effectively. Microsoft Defender for Endpoint has several excellent features, and the correlation of alerts and investigation experiences within the platform helps lead investigations

What needs improvement?

The application control feature requires improvement. It is currently challenging to detect and fine-tune the application control policies. A better GUI is needed for configuring the policies, beyond the current partial console, such as a third-party or Microsoft tool. Additionally, more documentation is required for the application control section as there is currently none available in Microsoft's resources. This lack of documentation can make the process confusing.

The policy configuration has room for improvement. Currently, we require additional solutions to configure policies for Microsoft Defender for Endpoint. We need either Microsoft Intune or a new policy object. It seems many individuals find this process confusing. It is perplexing to me why we must configure policies using different solutions when ideally, we should have all configurations for Microsoft Defender for Endpoint in a single portal. It would be more practical to configure policies directly within Microsoft Defender for Endpoint, rather than using external solutions.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

Microsoft Defender for Endpoint is stable.

What do I think about the scalability of the solution?

Microsoft Defender for Endpoint is scalable.

Which solution did I use previously and why did I switch?

I previously used Trend Micro Apex One, but I've found that Microsoft Defender for Endpoint has more benefits. Although I haven't worked with the full suite of Trend Micro, I believe that their Suite is also highly effective. However, I have experience using the full suite of Microsoft Defender, and I find it to be a more powerful tool for threat detection. While Trend Micro Apex One is easy to implement, has a seamless implementation experience, and is superior when it comes to policy configuration; For threat detection capabilities, Microsoft Defender for Endpoint is stronger.

How was the initial setup?

The initial setup is straightforward because we just need to onboard devices, through a script, employment, onboarding package, or any other MDM Solution like Intune. The deployment takes between four and eight hours and requires a maximum of two people.

What about the implementation team?

We implement the solution for our customers.

What's my experience with pricing, setup cost, and licensing?

Microsoft Defender for Endpoint can be costly as a standalone solution. However, when included in a bundled license with other Microsoft solutions, it becomes a cost-effective option. Microsoft Defender for Endpoint provides excellent value for our organization.

There is an additional cost for Microsoft Premier support.

What other advice do I have?

I give the solution an eight out of ten.

Microsoft Defender for Endpoint is deployed across multiple locations and departments. The solution can be used for enterprise, medium, and small businesses but can be expensive for SMBs.

To achieve success with Microsoft Defender for Endpoint, it is crucial to establish best practices and ensure full deployment without causing any disruptions to business productivity. Simply enabling all features without understanding their impact could lead to interruptions in productivity. By adhering to best practices and carefully assessing the impact of each policy, we can ensure a smooth and effective implementation.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
PeerSpot user
Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions.
Updated: September 2023
Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions.