Director strategic alliances at a computer software company with 11-50 employees
I like that the solution is integrated and doesn't have a third-party payload trying to advertise subscription renewal
Pros and Cons
- "I like that Defender is integrated and doesn't have a third-party payload trying to advertise subscription renewal."
- "The interface isn't necessarily intuitive to a nontechnical person. You can get stuck in the little endpoint security portal. Sometimes, if you uninstall a competitive product, the end user doesn't always know if it's running or if they're protected even though it's silently running. There could be a notification, widget, or something that's resident on the screen for at least a bit, especially if you're doing remote support. You want to talk them through it, but sometimes, we're not allowed to look at the PCs we support."
What is our primary use case?
We use Defender for endpoint security, firewall administration, and antivirus.
How has it helped my organization?
From an administrative perspective, Defender provides a single pane of glass for us to look at compliance throughout the company and for the customers we recommended it to. That's probably the most significant piece. The governance and policy features work together for us because we can easily provide the self-attestation that we need for the federal government.
Automation at this point, as I understand, is a lot of one-offs. It depends on the particular console that you're looking at. I'd love to have them integrated. I understand that there's a larger solution for that, but it's challenging to figure out a cost estimate of what it would take to get it up and running. The automations are often tied to the separate Defender products and not always integrated, but we're still shy about buying the larger product and integrating all the logs.
Defender for Endpoint saves time by making administration more manageable. It's at least four hours per month per administrator. We save money with Defender because it's packaged with other Microsoft solutions. It's $20 to $60 per user annually, depending on the suite you're getting.
What is most valuable?
I like that Defender is integrated and doesn't have a third-party payload trying to advertise subscription renewal. I don't get spam because of it. Regarding visibility, no one has their finger in as many operating systems as Microsoft. No one has the platform or deployment profile that Microsoft has. Microsoft can outshine any third-party vendor when it comes to visibility.
What needs improvement?
The interface isn't necessarily intuitive to a nontechnical person. You can get stuck in the little endpoint security portal. Sometimes, if you uninstall a competitive product, the end user doesn't always know if it's running or if they're protected even though it's silently running. There could be a notification, widget, or something that's resident on the screen for at least a bit, especially if you're doing remote support. You want to talk them through it, but sometimes, we're not allowed to look at the PCs we support.
I'd like them to improve visualizations for people higher up the reporting chain, such as potential purchasers, directors, VPs, and CEOs. They have little time. They want to see red, green, and yellow lights or some other type of visualization. It would be great to have this functionality out of the box without a lot of custom development.
We're learning about the AI Security Co-pilot. I'm unsure how it integrates, but I'd like to see it integrated. I'm an administrator, so I don't look at the logs constantly, but patching is critical. I would love to see the percentage of PCs patched in a given period. Reporting and alerts are crucial issues. When an alert needs to be triggered, we'd love to see some events flush up.
We often have to wait for and do a report until we find what we're looking for. It would be nice to sort of set it and forget it or have a community board of plugins that we could download and say, "Here's the mean time to resolution for x, y, or z policy," or some policies that we could potentially integrate.
Buyer's Guide
Microsoft Defender for Endpoint
October 2025
Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: October 2025.
872,846 professionals have used our research since 2012.
For how long have I used the solution?
I have used Defender for Endpoint for seven years.
What do I think about the stability of the solution?
I can't think of any ongoing issues that we have other than our own internal minor configuration. I don't know if this is in there, but I would love the ability to see how we're deployed and get recommendations.
What do I think about the scalability of the solution?
Defender is scalable. The solution covers multiple locations and departments. We have about 100,000 end users. The departments vary in size.
How are customer service and support?
I rate Microsoft support six out of 10. They're responsive and willing to help. I have no problems with their customer service. However, it's sometimes difficult to find a technician that understands your issue. Sometimes, when you try to do self-service with Microsoft, it refers you to a third-party website for support ideas and stuff. That's absolutely bizarre. Why would I trust a third party linked from the Microsoft community forums and things?
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We were using Norton Antivirus, but we switched because we were familiar with Defender. We had Defender running on our home machines, and we had positive experiences because it didn't noticeably slow our machines. It was fairly intelligent at what it did. Sometimes, you feel a little restricted by a few of the things that it may not have. But in the end, I don't think that we're missing anything that we didn't already have in the product.
What's my experience with pricing, setup cost, and licensing?
Defender is typically bundled with 365 packages that the customers are already buying. We haven't done an in-depth ROI for right. Often, we leave the customer to make those decisions even though we can point to tools like that on the web or allow an analyst tool to do that type of work.
Which other solutions did I evaluate?
We looked at Norton, McAfee, and another one that I can't recall. Ultimately, our decision primarily came down to integration into the system. If it's integrated, it isn't overwritten by the security patch, and it doesn't add to the payload we're already sending down to manage the PC. We wouldn't use it if the quality wasn't there, but all else being equal, it's always easier to use an integrated solution from a single vendor.
What other advice do I have?
I rate Microsoft Defender for Endpoint nine out of 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner and reseller
Senior program lead at a manufacturing company with 10,001+ employees
Works very well with the Microsoft ecosystem and helps to stop threats at the source
Pros and Cons
- "The endpoint detection of threats is valuable. The initial detection of things like ransomware and viruses and being able to shut down machines immediately and stop a threat is valuable. We can stop a threat at a source versus allowing it to propagate across the network."
- "The product itself does not necessarily need improvement, but the support and implementation of the product are the disaster cases."
What is our primary use case?
We use it as an Enterprise Detection and Response (EDR) solution. We use it for compliance purposes, and we are starting to use it for DLP purposes.
How has it helped my organization?
Microsoft Defender for Endpoint allows our threat hunting and threat remediation teams to reduce the footprint of viruses when they come on the network.
We have immediate visibility on all endpoints. It is very good at visibility.
For prioritizing threats across our enterprise, the threat-hunting system in Microsoft Defender for Endpoint is not top-notch. We usually integrate it into things like our SIEM or Sentinel or other things to prioritize or our SOAR system to automate.
We can feed the alerts coming out of it into our XSOAR system to immediately act on events versus waiting until people see them and use the ticketing system.
Microsoft Defender for Endpoint has saved us time. It has saved us at least 40 hours a week. We are able to automate and have the ability to handle threats on an enterprise with 50,000 devices.
Microsoft Defender for Endpoint has not saved us costs. It is a Microsoft product.
Microsoft Defender for Endpoint has reduced our time to detect and respond. By going from a manual process to an automated process, depending on the severity, the time reduced has gone from minutes and days to seconds.
What is most valuable?
The endpoint detection of threats is valuable. The initial detection of things like ransomware and viruses and being able to shut down machines immediately and stop a threat is valuable. We can stop a threat at a source versus allowing it to propagate across the network.
What needs improvement?
The product itself does not necessarily need improvement, but the support and implementation of the product are the disaster cases. Instead of being able to go back to Microsoft and ask how to do something, we have to work with a vendor who does not exactly know how to do that and has to go to Microsoft to say, "How do we do this?" so that they can answer our questions. There are a lot of things in relation to various compliance standards such as CIS. The primary levels of support of Microsoft do not know or cannot implement that. Working through vendors is time-consuming. It is a painful process to get back to them to get the answers.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for three years.
What do I think about the stability of the solution?
We have never seen any downtime in it, so it is incredibly stable.
What do I think about the scalability of the solution?
It is incredibly scalable. However, its ability to bind things into the groups on its dashboard is limited. You can see your 50,000-machine empire, but dividing it into regions, subgroups, and management areas is very limited.
It is deployed across the world. There are 250 sites worldwide with 50,000 devices.
How are customer service and support?
I would rate their support poorly. I would rate them a two out of ten.
How would you rate customer service and support?
Negative
Which solution did I use previously and why did I switch?
The history would be a Symantec product, but I do not remember what it was. Then we went up through Azure ATP to Microsoft EDR.
How was the initial setup?
I was involved in its deployment and initial setup, but I was not a part of PoC at the time. The deployment was very easy. We pushed it out with SCCM.
Our implementation strategy was PoC, small user groups, and then wide or regional deployments.
We have on-premises and cloud deployments. It is an endpoint protection platform. It goes on any endpoint that we have or that we have running. It could be an endpoint that is sitting in the cloud. It could be an endpoint that is sitting on-prem. We use Azure, GCP, and AWS. There is also some limited rack space from IBM.
What about the implementation team?
We used CDW.
What was our ROI?
We have reduced man hours using the product. We have definitely been able to leverage automation with it more than other products that we have used previously and other products that we are using.
What's my experience with pricing, setup cost, and licensing?
I recently switched from education to private business, and all I can say is that private business licensing from Microsoft is not cheap until you hit certain quantities or scale. That does not mean that it is not comparable to other industries. It is similar pricing, but it is still crazy to me how much you pay for a client. I feel it is high, but it is in line with other vendors.
Which other solutions did I evaluate?
We evaluated Cortex XDR, Carbon Black, and QRadar or whatever that solution was from IBM.
The Microsoft ecosystem is the main difference. Everything under the umbrella of the Microsoft security toolkit makes life easier when all the systems talk together nicely.
What other advice do I have?
To those evaluating this solution, I would advise first figuring out what your needs are. Figure out what levels of granularity you need in the system to see if it will support your needs. For example, if you have something like department-level control over devices, you might want to look at another system versus a central security solution that controls all devices. Beyond that, make sure your machines have the resources necessary to support the features you turn on in the environment. A lot of the resources in Microsoft Defender for Endpoint can be shut down for slower machines and older machines.
I would rate Microsoft Defender for Endpoint a solid nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Azure Consultant at a tech services company with 11-50 employees
Eliminates the need to look at multiple dashboards by automatically providing one XDR dashboard to show the security score of each subscription
Pros and Cons
- "File protection is the most valuable feature. Antivirus security on the Level OS, Microsoft Defender, and Microsoft Guard for 2019."
- "The solution should be updated by Microsoft with new features from time to time."
What is our primary use case?
Microsoft Defender for Endpoints supports any changes to file permissions, file access, and modifications to file delivery, as well as anti-virus and anti-malware protection. We enable Microsoft Defender on subscription. We depend on the solution for anti-malware, antivirus, and threat protection.
How has it helped my organization?
Regarding visibility into threats, Automatic integration enables Microsoft Defender on the level of subscription on the virtual machine. On the level of resources, and OS services, the direct integration between Azure Resources and Microsoft Defender is very smooth. The solution is perfect compared to using third-party software such as antivirus, Symantec, or any other option. We may face some issues in some integrations, but Microsoft Defender for Endpoint integration with Azure Resources is much better than trying to integrate with other solutions.
We use additional Microsoft solutions such as Gateway which is automatically integrated with Microsoft Defender by enabling it from the portal.
The integrated Microsoft products we are using work together to provide a coordinated detection response. The logs are all integrated and sent to a Log at network spaces. Level network spaces and Azure Monitor are already integrated with Microsoft Defender, and if an alert appears in the environment from a firewall, the web, or any other security component, it will automatically generate a security alert on Microsoft Defender. Microsoft Defender becomes the interface or supporter that manages all the security alerts in the environment.
All of our subscriptions are on the Cloud. We don't use anything on-prem. Microsoft Defender is a portal that manages all Endpoint Defender resources in an environment. This includes Defender for Endpoint on virtual machines, Defender for Cloud, Defender for App Service, and any other Defender resource.
We integrated Microsoft Sentinel with Defender Endpoint enabling us to ingest data from our entire ecosystem.
We utilize the interface for our Security Environment. We don't install any other third-party products such as Microscan at the outset, but we are a partner of Microsoft, and we only use Microsoft products.
We act according to the automatic alerts triggered by the Microsoft Center.
Microsoft Defender for Endpoint helps us eliminate the need to look at multiple dashboards by automatically providing one XDR dashboard to show the security score of each subscription and the vulnerability that needs to be remediated for each resource.
Having a consolidated dashboard allows us to address the vulnerabilities that automatically appear on the portal sooner using the recommendations provided by the solution.
Microsoft Defender for Endpoint automatically protects our environment once a virus or malware is detected without any action from our end.
Microsoft Defender for Endpoint has saved us time detecting viruses, but we still have to manually manage any viruses related to the Windows updates patching in order to fix vulnerabilities on a monthly basis.
The solution has decreased our time to detect and respond to threats. Microsoft Defender for Endpoint should secure the environment automatically. We just act when any threat is detected on the back end by the SOC team.
What is most valuable?
File protection is the most valuable feature. Antivirus security on the Level OS, Microsoft Defender, and Microsoft Guard for 2019.
Threat protection is a critical part of Azure security and is managed under the umbrella of Microsoft Defender. All threat protection services work directly with the Microsoft Defender agent or the Qualys vulnerability scanner.
Microsoft Defender for Endpoint is enabled on the machines to automatically route tasks and help us automate the findings of high-value alerts. The alerts appear on the security alert under the Microsoft Defender for Cloud.
What needs improvement?
The solution should be updated by Microsoft with new features from time to time. The backend may have been changed to be more stable and secure, but there have been no major changes to the portal itself.
For the next update, I would like a link that connects directly to the resource, instead of having to connect manually. This will make it easier to identify any issues related to App Service.
For how long have I used the solution?
I have been using the solution for four years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution automatically scales to our requirements and we currently have plans to scale up.
How are customer service and support?
The quality of Microsoft's technical support depends on the service type. Some services are okay, and some are not. Sometimes we open a case and get the result the first time, and sometimes it takes more than one session.
How would you rate customer service and support?
Neutral
How was the initial setup?
The initial setup is straightforward and takes about an hour.
We enable all subscriptions, which come with free basic services, and we can upgrade to premium services by selecting the required resources. If we have Azure SQL, or infrastructure, such as virtual machines, we enable it at the virtual machine level. We enable services according to the current resource.
What about the implementation team?
The implementation was completed in-house by a team of two people.
What's my experience with pricing, setup cost, and licensing?
Bundling our Microsoft products is more effective and cost-efficient.
The license cost is around $35 per machine, which is not expensive compared to other products. In addition to the solution's license fee, Azure DevOps Standard costs around $30,000. I believe this is too expensive and hope that the cost can be lowered in the future.
What other advice do I have?
I give the solution a nine out of ten.
The solution is used for a website and is deployed in one location. We have 1,000 users.
Maintenance is completed once a month for patching the products in the environment for SQL, SharePoint, and Microsoft products. Two people are required for the maintenance.
Microsoft Defender for Endpoint is a very good solution. I recommend the solution to others and suggest using only Microsoft products in order to receive all the support from one place.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Senior Consultant - Cloud & Infrastructure Security at a tech vendor with 10,001+ employees
Assists our organization in prioritizing threats across our enterprise by providing security recommendations based on the weaknesses in our organization
Pros and Cons
- "The most valuable aspect is information, specifically the automatic investigation of packages."
- "The profiling method currently in use is not very user-friendly and has ample scope for improvement."
What is our primary use case?
We use Microsoft Defender for Endpoint as an enterprise security solution.
How has it helped my organization?
The visibility is great. For example, Microsoft Defender for Endpoint's portal has a section called threat analytics. There's a threat intelligence box. So all new threats and trending threats are visible. If any of our devices in our organization are susceptible to this threat, the solution will let us know because it searches for that specific particular vulnerability, which can be exploited. The Microsoft threat analytics tool gives us that type of visibility into the threats that might affect our organization. For example, the threat analysis updates every half hour to one hour with the top ten latest threats. The scan tries to ensure that these threats don't belong to our organization and if they do, it identifies the infected device. Microsoft Defender for Endpoint makes a lot of security recommendations when we onboard it to quarantine a lot of security recommendations that help to improve the security posture of our environment.
Microsoft Defender for Endpoint assists our organization in prioritizing threats across our enterprise by providing security recommendations based on the weaknesses in our organization. It includes a department that provides management licenses and uses analytics to identify high-priority threats in our environment. This is connected to a common protocol that assigns a priority level of five to devices with vulnerabilities, indicating what actions should be taken. Thus, we have all the necessary information in one place.
Prioritization is crucial because there is a possibility of a high-priority threat entering our environment. This is how the solution determines the priority of threats. For instance, if one of our high-impact business devices is vulnerable to a top-priority security five threat, we need to address it first. Alternatively, we may choose to address the sixty computers with a level two or three security threat, which are mostly associated with lower impacts. Therefore, prioritization aids in determining which critical business infrastructure requires immediate attention.
There are several lines with multiple solutions, but Microsoft offers a comprehensive solution with its E5 license. This license includes a wide range of features such as Purview Information Protection, data protection, and other business-related tools. In my previous experience, I have noticed that some organizations utilize multiple Microsoft products, such as Defender for Endpoint, Identity Management, Defender for Cloud Applications, and Defender for IoT. This combination of different products can be quite useful.
Microsoft Defender for Cloud on Azure can be easily integrated with Defender for Endpoint, including on-premise solutions that can be onboarded to Azure with different subscription values. The integration will already onboard it to the device with Defender for Endpoint, along with additional features such as Just-in-Time Access, Defender for Vulnerability Management, and Control Sign-in Monitoring. These features provide robust cloud security monitoring and can be added to Defender for Endpoint. Moreover, Defender for Cloud is integrated with Defender for Endpoint portals, enabling a one-stop shop for onboarding devices with all the cloud posture management required for a single computer or software. This integration is highly beneficial, and other applications can be similarly integrated.
It is easy to integrate Microsoft Defender for Endpoint with other solutions.
These solutions seamlessly integrate to create a zero-trust platform, as offered by Microsoft. This platform ensures protection from various threats such as networks, applications, and infrastructure, with the added benefit of Microsoft Sentinel. The Sentinel tool combines threat analytics from multiple sources into a user-friendly workspace, providing optimal productivity. Additionally, sending logs from any of these products, including Sentinel, to the cloud connector is a simple process.
The integrated Microsoft security products offer comprehensive threat protection, such as Microsoft Defender for Office. With these products, our office is now able to identify and address email threats in a single platform, instead of checking each platform individually for application, identity, vulnerability management, and endpoint security. Moreover, these products can be easily integrated into a single workspace solution. With the help of pre-existing methods in Sentinel, we can efficiently handle a large number of alerts that we receive. Rather than going through each alert individually, we can activate a playbook that provides solutions for common alerts and takes actions in parallel to resolving them. This integration simplifies the process of achieving a complete security solution.
When we transition from on-premise servers to Azure ARC resources and activate Defender for Cloud Applications, it becomes easier to manage our servers from different networks, especially when it comes to security features. For example, we can check the compliance of our devices and organization with PCI DSS or other security protocols. Running compliance checks during the transition while syncing data with a different SL Cloud provides us with a significant amount of data and valuable information, including recommendations for improving compliance. This process involves bi-directional communication between devices, the cloud, Azure, and different network clouds.
Microsoft Sentinel allows us to easily ingest data from our entire ecosystem.
Microsoft Sentinel allows us to investigate threats and respond holistically from a single platform. Sentinel is both a SOAR and SIEM solution, meaning we can perform responses, but we must create a separate playbook for them. The default method may include some pre-built responses. The most important aspect is that if our company uses SentinelOne instead of Defender, we can still easily send logs through our Sentinel Workspace using API calls. This can be accomplished with a few connections, and we can create our own playbooks for different types of alerts. For example, if SentinelOne is not sending data, we can generate alerts of this type and respond accordingly. This significantly reduces user effort.
The security protection offered by Sentinel is extensive. It can be integrated with any Microsoft solutions, including information protection, and can be connected directly to Microsoft's threat intelligence sources and other resources. This allows for comprehensive protection.
Our clients have reported that Sentinel's cost and ease of use, in comparison to other stand-alone SIEM and SOAR solutions, are favorable. They find the user-friendliness of Sentinel to be worth the cost.
Microsoft Defender for Endpoint assists in automating routine tasks and identifying high-value alerts. We can automate actions based on the alert's sensitivity, and in case we are uncertain of how to handle those alerts, we have the option to seek assistance from a Defender expert. This feature is particularly valuable, as it can provide guidance in identifying and investigating such alerts.
Microsoft Defender for Endpoint helps eliminate multiple dashboards by giving us one XDR dashboard.
The solution's threat intelligence helps us detect and respond to threats proactively by identifying suspicious behavior.
Microsoft Defender for Endpoint has been instrumental in saving us time by alerting us about potential threats and automatically guiding us through the necessary steps to eliminate them. The solution logs all the actions taken, saving us from having to spend valuable time retracing the steps.
By detecting threats in advance before they can propagate, Microsoft Defender for Endpoint helps our organization save money. The tool helps to identify potential security risks early, preventing their escalation and the associated costs of mitigation.
Our detection and response time has improved. This is thanks to Microsoft Defender, which has Endpoint Detection and Response capabilities. Before, we used to manually create policies to address security incidents, but now the system can automatically remediate issues without us having to intervene.
What is most valuable?
The most valuable aspect is the information, specifically the automatic investigation of packages. For instance, during an automated investigation, data and information are collected. Additionally, there is an encapsulated view that shows the origin of the package, how it was propagated, and any blockages or attacks that may have occurred. The most critical factor is the information gathered regarding various types of incidents, including how they are mapped and propagated, and what actions should be taken in response.
What needs improvement?
Creating antivirus profiles for Linux is a more challenging task compared to other operating systems. The profiling method currently in use is not very user-friendly and has ample scope for improvement.
For how long have I used the solution?
I have been using the solution for over four years.
What do I think about the stability of the solution?
Microsoft Defender for Endpoint is stable.
What do I think about the scalability of the solution?
Microsoft Defender for Endpoint can scale effectively to meet the needs of our environment, regardless of its size.
How are customer service and support?
The technical support team is highly knowledgeable, and in cases where they are unable to provide a solution, they escalate the issue to the second level of support. Their services are available around the clock, and if the assigned representative is unavailable, they promptly transfer the ticket to another capable person to ensure a seamless resolution of the issue.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I previously utilized SentinelOne, Kaspersky Endpoint Detection and Response, Symantec Endpoint Detection and Response, and Carbon Black CB Defense. However, I find Microsoft Defender for Endpoint to be more user-friendly than the other solutions. The information provided by Defender is valuable, and the deployment process is easy. Additionally, it offers several valuable features.
How was the initial setup?
The complexity of deployment depends on the client's environment. The number of people required for the deployment depends on the number of servers the organization has. For example, in a deployment of 700 workstations and 500 servers, one full-time and two part-time consultants are required.
What about the implementation team?
We implement the solution for our clients in-house.
What was our ROI?
We experienced a positive return on investment by using Microsoft Defender for Endpoint. This solution allows us to streamline our operations by consolidating all necessary components under a single umbrella and eliminating the need for additional vendors and extra costs.
What's my experience with pricing, setup cost, and licensing?
Microsoft Defender for Endpoint is included with a Microsoft E5 license.
What other advice do I have?
I give the solution an eight out of ten.
The most cost-effective and user-friendly option for security is a single-vendor security suite. This approach also eliminates the need for multiple integrations.
I recommend that organizations avail themselves of Microsoft's trials and demos, and compare Defender with other solutions in their environment to determine the best fit. With a Microsoft E5 license, organizations can access all of Microsoft's solutions and use whatever they need.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Information Security Engineering Lead at an energy/utilities company with 10,001+ employees
Provides detailed visibility into threats but the ability to add exceptions needs improvement
Pros and Cons
- "One feature I like the most is vulnerability management, which shows any vulnerable software or OS present in my environment. Microsoft Defender for Endpoint provides a complete overview and also recommends the steps to mitigate the vulnerabilities or threats. Most of the other antivirus or EDR solutions generally don't provide vulnerability management. It is an add-on that Microsoft Defender for Endpoint provides."
- "The second major area for improvement involves enhanced capabilities for different operating systems or platforms. That is, even though we have coverage for different operating systems or platforms such as Linux, we don't get all of the controls and enhanced capabilities that are available with Windows devices."
What is our primary use case?
We use Defender for Endpoint to secure our Windows 10 endpoints and Windows servers. We use Microsoft Defender as an antivirus, and we also leverage the EDR capability. If any malware or threat is present, Defender can take action on those threats and remediate if there are any malicious actors present in our environment.
It is deployed on-premises, on the cloud, and on multi-cloud solutions like AWS on Azure. We have a diverse, global environment with devices or servers in Europe, the US, and the Asia-Pacific region, except for China.
What is most valuable?
One feature I like the most is vulnerability management, which shows any vulnerable software or OS present in my environment. Microsoft Defender for Endpoint provides a complete overview and also recommends the steps to mitigate the vulnerabilities or threats. Most of the other antivirus or EDR solutions generally don't provide vulnerability management. It is an add-on that Microsoft Defender for Endpoint provides.
Also, because of this solution's EDR capabilities, we can determine what we want Microsoft Defender to do and then automate the entire process. We have already enabled these automated response capabilities and are leveraging them.
The visibility into threats that Microsoft Defender provides is very detailed. If we want to investigate how a threat was initially integrated into our environment, we can do that with a detailed activity timeline. It will be across the servers or Windows Endpoint, so we will be able to see the correlation and gain a complete picture of any threat within that timeline.
It helps us prioritize threats across our enterprise to a certain extent. Whenever there is a threat, we'll get a risk score along with the level of severity. We will then be able to see whether the threats are of high, medium, or low severity and can prioritize them accordingly.
Prioritization is really important to our organization because with 100,000 people working, we see an immense number of threat alerts including phishing, identity, and other kinds of threats. We have a limited number of people working in security operations centers, and we may see 30,000 alerts come through. Therefore, it's very important for us to prioritize those alerts so that we don't end up working on threats that are not important and miss critical alerts.
Along with Microsoft Defender, we also use Microsoft Defender for Cloud Apps, Microsoft Defender for Cloud, and Microsoft Defender for Identity. Integrating these products is quite simple. You just toggle the button, and the integration will be turned on. Once you have turned on integration, you will see feeds from the other portals. That is, if I get something in Defender for Identity, then I will be able to see relevant items in the Defender for Endpoint portal as well. It's out-of-the-box integration, and no additional measures are required.
These solutions work natively together to deliver coordinated detection and response across our environment. They work in the background and share common intelligence with each other and provide correlated feeds within these portals. They provide comprehensive threat protection.
When the integration is in place, it eliminates the need to look at multiple dashboards. Initially, we used to have different portals for incidents, but now, we have one central console. We can see alerts and incidents from Defender for Cloud, Defender for Identity, etc. It saves us a lot of time because our analysts don't have to spend time looking at different dashboards or consoles.
In terms of preparing for potential threats before they hit and taking proactive steps, the feeds in Microsoft Defender for Endpoint help us detect zero-day vulnerabilities or any ransomware. The threat analytics show us what the current and upcoming threats are. I can get the indicators of compromise from that particular list and can prepare my team on how to act on those particular threats. It has helped us to become more efficient.
Overall, this solution has helped us save 30% to 40% of our time.
Also, our time to detect and respond has decreased by around 40% to 50%.
What needs improvement?
One major item for improvement is the ability to add exceptions. We can add some exceptions, but not at the level we need to.
The second major area for improvement involves enhanced capabilities for different operating systems or platforms. That is, even though we have coverage for different operating systems or platforms such as Linux, we don't get all of the controls and enhanced capabilities that are available with Windows devices.
Reporting could also be improved because, at present, we get limited results at times. For example, in an environment with more than 100,000 devices, you may just get 10,000 results when you run a report.
For how long have I used the solution?
I've been using it for close to four years.
What do I think about the stability of the solution?
It's not very stable because Microsoft keeps making a lot of improvements as it's a new product. For example, today I might see something on one page; on another day, it might be located on some other page or portal. However, I have seen stability to some extent over the last couple of months.
What do I think about the scalability of the solution?
It's definitely a scalable solution. Almost all of the users in my organization, close to 70,000, use this solution.
How are customer service and support?
Technical support is an area that needs a lot of improvement. Microsoft does not have the right people who can help with any challenges or problems, and ultimately, we end up finding the solutions on our own rather than relying on them. They take a lot of time to work on a support case, and we can't find the right level of support either. Therefore, on a scale from one to ten, with one being the worst and ten being the best, I would give technical support a rating of four.
How would you rate customer service and support?
Neutral
What was our ROI?
We have seen a return on investment in the last few years in terms of our organization being protected against threats.
What's my experience with pricing, setup cost, and licensing?
Microsoft Defender for Endpoint is cost-effective because there's one unified license, and with this unified license, you get the capabilities for your cloud applications, servers, and endpoints as well. Therefore, it saves us a lot of money because the cost with other solutions is for just one piece of OS or maybe an urban environment. The licensing process is not complex either.
What other advice do I have?
Your use cases, how your organization is configured, and what your infrastructure is like will determine whether you go with a best-of-breed strategy rather than a single vendor's security suite. From a cost perspective, I think it's better to just go with one technology because when you have two technologies in place, there may be conflicts with policies that may result in additional time spent investigating.
However, if an organization has a high number of macOS devices and a lot of Linux servers, it may choose to go with two technologies if Microsoft Defender doesn't provide a complete set of security capabilities.
Before you implement the solution, first see what your use cases are and what you're actually looking for. Then, define your environment and what you're going to protect first, whether they be application servers or just endpoints. Then, you can have a detailed discussion with the implementer or vendor.
On a scale from one to ten, I would give Microsoft Defender for Endpoint an overall rating of seven.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
WPS Security Engineer at a tech services company with 201-500 employees
Provides stable content filtering, and good visibility, but the support needs improvement
Pros and Cons
- "Microsoft Defender for Endpoint's WCS function, a content filtering solution, has proven to be the most useful, stable, and reliable option for our current needs."
- "The product development team makes frequent changes that affect the stability of the solution."
What is our primary use case?
We use Microsoft Defender for Endpoint as our EDR solution on all of our user endpoints.
How has it helped my organization?
Microsoft Defender for Endpoint provides comprehensive visibility into endpoint security. I've been impressed with its ability to detect and monitor threats without any noticeable gaps in coverage.
We use the entire suite of Microsoft products, which are all integrated. Integrating them is very easy. However, getting them to function as expected after integration was a little more difficult.
The integrated solutions work together to deliver detection and response. However, their behavior may not always align with our expectations.
The implementation of Microsoft Defender for Endpoint has enhanced our organization's security posture by augmenting our visibility, particularly through the integration of MDE, Sentinel, and Defender for Cloud Apps. Additionally, Intune, when utilized in conjunction with these products, provides comprehensive insights into identity and device risks. The deployment began about three years ago before I joined the company. In terms of EDR or just basic visibility, that was achieved within the first year or so. However, we are still working towards a holistic vision of visibility, especially with Defender for Cloud Apps.
Microsoft Defender for Endpoint consolidates multiple dashboards, as all of our security products are Microsoft-based, simplifying our security management.
Microsoft Defender for Endpoint has saved us time compared to our previous solution, which was an on-premises Trellix EDR solution. This is especially evident in the areas of maintenance and operations.
What is most valuable?
Microsoft Defender for Endpoint's WCS function, a content filtering solution, has proven to be the most useful, stable, and reliable option for our current needs.
What needs improvement?
Defender for Cloud Apps is one of the most significant products that Microsoft could improve. We've encountered several limitations with Defender for Cloud Apps, such as the inability to create custom cloud applications and add URLs. These features would be valuable for the scoping feature in Defender for Cloud Apps, as each application can currently only have one scope. It cannot have multiple scopes, meaning that an application cannot be blocked for some device groups and allowed for others. This is another limitation we've encountered frequently.
The technical support is slow to respond.
The product development team makes frequent changes that affect the stability of the solution.
For how long have I used the solution?
I am currently using Microsoft Defender for Endpoint.
What do I think about the stability of the solution?
Microsoft Defender for Endpoint is generally stable, but the frequent product changes made by the development team have caused several instances of unusability this year. These changes often introduce bugs that disrupt web functionality, bringing it to a standstill. While the product itself is stable when not affected by these bugs, the recurring issue has occurred three or four times in the past year.
What do I think about the scalability of the solution?
Microsoft Defender for Endpoint is as scalable as any other cloud-based EDR solution. I would give the scalability a nine out of ten.
How are customer service and support?
The technical support is slow to respond and very log-focused.
How would you rate customer service and support?
Neutral
How was the initial setup?
The deployment process is straightforward. We can utilize a script for Intune that can be deployed through SCCM.
What's my experience with pricing, setup cost, and licensing?
The base price for an E5 license, which includes Enterprise Mobility + Security E5, is $57 per user per month. However, there are additional costs for certain security features, such as Premium Threat and Vulnerability Management and Insider Risk Management.
What other advice do I have?
I would rate Microsoft Defender for Endpoint six out of ten. The support and product development team need to improve.
We have deployed Microsoft Defender for Endpoint across the globe on all of our endpoints.
Microsoft Defender for Endpoint updates itself so there is no need for maintenance.
It is advisable to always exercise patience with technical support and occasionally guide them in the right direction. Otherwise, they may become overly focused on irrelevant logs. Additionally, it is crucial to always have a contingency plan in place in case Microsoft Defender for Endpoint encounters unforeseen challenges.
The effectiveness of both best-of-breed and single-vendor security suite methodologies hinges on seamless integration. When products integrate effectively, they provide a unified view of the security landscape, enabling comprehensive monitoring and threat detection. A SIEM, XDR, or similar tool can serve as this centralized dashboard, providing a single pane of glass for security operations. By centralizing visibility and streamlining response times, organizations can effectively achieve their information security analysis and response objectives.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Infrastructure Engineer at SBITSC
Provides excellent virus scanning and web activity tracking in an integrated security suite
Pros and Cons
- "The virus scanning capability is excellent, and it feeds all the logs into the Microsoft 365 Defender portal, making them easy to search for."
- "The integration and effectiveness of email security could be better. It's already built into the solution and checks emails, scans the links they contain, etc."
What is our primary use case?
Our primary use case is for protecting Windows 10 endpoints. We use it for email scanning and application control, we can run analytics through it, and the product enables web content filtering. The Defender 365 package is all-encompassing now; it's a good product.
The solution is deployed across our whole business with 3,000 endpoints, including phones, laptops, tablets, and desktops, with 1,700 end users.
We use multiple Microsoft security products, including Defender, Defender for Cloud Apps, Identity Manager, and Intune. We have the whole security package.
I was the infrastructure engineer who integrated the products, which was elementary; we rolled out via Intune and used SCCM to build the endpoints.
The solutions work natively together to deliver coordinated detection and response across our environment, and it's better than using Symantec, for example. Defender is the best product out there; it's built into Windows, and it makes sense to use built-in products. This coordination is strategically important to us, as it makes passing knowledge on to the team easier because it's all in one place.
How has it helped my organization?
The solution offers better management of endpoints when it comes to antivirus and malware. It allows us to separate the functionality of managing that security area rather than putting it with the infrastructure team. The infrastructure team handles the monitoring services. At the same time, virus and threat detection can go to the core security team, which takes a load off the infrastructure team and allows the security team to concentrate fully on security.
Defender for Endpoint helps automate routine tasks and the finding of high-value alerts. Once we set our rules, including attack surface reduction (ASR) rules, there's a lot of automation capability. We can apply definitions for all endpoints across our organization.
The solution helped eliminate having to look at multiple dashboards and gave us one XDR dashboard, which positively affected our security operations. There are four staff in the department, so they appreciate this kind of management. They can see everything from one place, and our security picture is more integrated. They can even carry out basic auditing from the dashboard.
Defender for Endpoint saves us time because we can quickly go in and search for issues raised by the security department and eliminate the threat. We have 3,000 assets, so it saves the network around half an hour and the infrastructure staff a couple of hours.
What is most valuable?
The virus scanning capability is excellent, and it feeds all the logs into the Microsoft 365 Defender portal, making them easy to search for.
We can track web activity and see what users are logged into. The solution picks up a lot of information from machines and pushes it into the Defender 365 portal and Cloud App Security portal.
The product provides good visibility into threats. We can also log in anywhere, which is handy for the security teams.
Defender for Endpoint helps us prioritize threats across our enterprise; we can configure specific rules concerning viruses, malware, and threat detection.
In terms of the comprehensiveness of the threat protection provided by Microsoft security products, it's the best in the marketplace. The top three are Defender, Sophos, and Symantec; the others don't come close to these.
The solution's threat intelligence helps us take proactive steps to prepare for potential threats before they hit because it tracks definitions and threat footprints from the cloud. These can then be identified and stopped at the front door, which is the whole idea of antivirus products these days.
What needs improvement?
The integration and effectiveness of email security could be better. It's already built into the solution and checks emails, scans the links they contain, etc.
For how long have I used the solution?
I've been using the solution since its first iteration came out in 2005, so about 17 years.
What do I think about the scalability of the solution?
The solution is scalable; we have it deployed across our entire organization to 3,000 endpoints, and 1,700 end users.
How are customer service and support?
The support is good; I don't have an issue with them. It's straightforward to go into Azure and raise a ticket, although you must know how to ask the right question.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
As far as I know, my organization used Defender for Cloud Apps for a long time and Symantec for service. Symantec is configurable, but it isn't always quick enough to deal with threats, as it has different quarantining methods.
I installed Darktrace for a data center and prefer to work with MS security products.
How was the initial setup?
I wasn't involved in the initial setup; I was a global admin.
In terms of maintenance, the product is lightweight; any patches are downloaded automatically, and we can configure when they're installed in our patch definitions.
What's my experience with pricing, setup cost, and licensing?
We have the E5 security license, and the solution comes with that.
What other advice do I have?
I rate the solution ten out of ten.
We use Defender for Cloud and make use of its bi-directional sync capabilities, or use Intune, so all our computer objects are synced via Azure ID and pushed into Intune. This capability is there, and it functions, though there are more important features.
It isn't easy to say if the product saves us money and the business is not overly concerned about the cost of Endpoint. You get what you pay for, it's an integrated solution, and there isn't a better one on the market. It does the job, is configurable, and has limitations like all products.
Once Defender for Endpoint becomes more mature in a couple of years, it'll be the Holy Grail like Windows 7 was.
To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor's security suite, I'd say Microsoft is the best of breed for those who want a unified approach or integrated solution. I wouldn't use other security products because it's not necessary. I'd integrate the Microsoft security suite anywhere I go.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
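The reviewer above mentions that once attack surface reduction (ASR) rules are set, definitions can be applied across all endpoints. As an added illustration (not the reviewer's or Microsoft's own code), the PowerShell below stages a single ASR rule in audit mode on a local machine, reads back the effective setting, and only then promotes it to block. The rule GUID is the documented identifier for "Block all Office applications from creating child processes"; confirm it against Microsoft's ASR rule reference before using it, and note that `Set-MpPreference` replaces the whole rule list while `Add-MpPreference` updates one entry, which matters when several rules are already deployed.

```powershell
# Added example, not from the review. Requires an elevated PowerShell session
# with the Defender module (Set-MpPreference / Get-MpPreference / Add-MpPreference).
# GUID assumed from Microsoft's ASR reference: "Block all Office applications
# from creating child processes". Verify before deploying at scale.
$RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Step 1: audit only. Matching activity is logged (Event ID 1122 in the
# Microsoft-Windows-Windows Defender/Operational log) but not blocked, so
# line-of-business tools that would trip the rule surface before enforcement.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Step 2: read back the effective state rather than trusting the call succeeded.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $RuleId) {
        # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
        '{0} -> action {1}' -f $RuleId, $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}

# Step 3: after reviewing the audit events and adding any needed exclusions,
# enforce the rule. Add-MpPreference changes only this entry; Set-MpPreference
# with a single GUID would silently drop every other rule already configured.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions Enabled
```

In a fleet managed through Intune or Group Policy, the same audit-then-block sequence is applied from the policy side instead of per machine; the local read-back in step 2 is still the quickest way to confirm that the policy actually landed on a given endpoint.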
Cybersecurity Trainer and SOC Analyst at Beekom
Advanced hunting and alert management made efficient
Pros and Cons
- "You can query and access useful information from logs and events, which is powerful and efficient."
- "Sometimes, there are difficulties in downloading a file considered as malicious."
What is our primary use case?
I use Defender for Endpoint every day, for example, when a user downloads an unwanted application, we get an alert. Sometimes we have suspicious processes in an endpoint, and we receive an alert for those activities.
How has it helped my organization?
Microsoft Defender for Endpoint helps in detecting different alerts and potential threats by providing alerts and timelines with detailed explanations, which is useful to understand and close or address the issues.
What is most valuable?
In Microsoft Defender, there is a security portal that allows advanced hunting. You can query and access useful information from logs and events, which is powerful and efficient. Additionally, the timeline feature helps in understanding which process launched what and identifying errors.
What needs improvement?
Sometimes, there are difficulties in downloading a file considered malicious. We encounter a bug that requires several attempts to download, which is a bit of a challenge.
For how long have I used the solution?
I have been working with Microsoft Defender for Endpoint since February, which is approximately eight months.
What do I think about the stability of the solution?
The stability of the solution is rated an eight out of ten. It is quite stable.
What do I think about the scalability of the solution?
The scalability of the solution is rated as eight, suggesting it is reasonably scalable.
How are customer service and support?
I contacted Microsoft support for personal use of Defender, and they were very nice, providing solutions quickly. This was a positive experience.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Before using Defender for Endpoint, I used SentinelOne. Defender is easier to use than SentinelOne.
How was the initial setup?
For the initial setup, I’d give it an eight out of ten, suggesting it’s quite straightforward.
What's my experience with pricing, setup cost, and licensing?
The price for Microsoft Defender for Endpoint is about three euros, which is considered reasonably priced. I'd rate it seven out of ten for cost.
Which other solutions did I evaluate?
I have previously evaluated SentinelOne before using Microsoft Defender for Endpoint.
What other advice do I have?
I'd advise others to use Microsoft Defender for Endpoint because it's a good solution with many experts behind it. Additionally, it's compatible and easy to use with Windows environments.
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Updated: October 2025