Microsoft Defender for Endpoint Reviews

We deploy the solution for our customers, typically with Plan 1, as they generally have E3 licenses. We also use Microsoft Purview, the compliance system consolidating every security aspect into its portal. This offers centralized management and tight integration with Azure and Intune, which are identity and device management tools, respectively.

Our customers have a variety of cloud providers; Azure and GCP are the most popular, but we have some AWS users too. 

We use multiple Microsoft security products, including Azure Information Protection and DLP, in addition to the other flavors of Defender, such as Defender for Cloud and Defender for Identity.  

We integrated all of these products and the integration was easy. 

These solutions work natively together to deliver coordinated detection and response across our environment, which is essential. The beauty of Microsoft is the tight integration of their various products.  

The solution helps us prioritize threats across the enterprise, which is essential for every organization. If a malicious actor or another type of threat gets into the network, we need to know exactly what's happening, how it happened, who triggered it, lateral movement, etc.  

Defender for Endpoint is a 360° solution that sees and covers all areas. Microsoft also has a zero-day protection framework, so they are thinking ahead.

The product decreased our time to detect and respond to threats.

Defender for Endpoint provides good visibility into threats and has favorable threat intelligence. 

The product helps us automate routine tasks and the finding of high-value alerts; it discovers all threats and categorizes them as low, medium, or high priority, then begins remediation automatically based on the threat severity. It's also possible to automate the isolation from the production network of a device infected with ransomware. As always, the workflows and configurations should be optimized based on the environment.

The solution's threat intelligence helps us prepare for potential threats and take proactive steps before they hit. Some bots take care of remediation and an automatic ticketing system whereby open items trigger tickets sent to the team concerned.  

The solution has minimal customization options, especially compared to Mandiant, so we want to see more scope for customization. A single portal for customization would also be a welcome addition. 

A high level of expertise is required to maximize visibility into threats as the tool provides the data, but it isn't crystal clear. Other products are more straightforward and user-friendly, so admin and management-level staff can easily understand the root cause of a threat, which isn't the case with Microsoft. The threat detection and response are there, but significant expertise is required if we want the same level of visibility provided by third-party tools.

There are some issues around ingesting data from MS Sentinel. If we configure Purview, then our compliance is configured for our entire Microsoft tenant, but the integration isn't easy, and there are some known challenges.

We can't see all the data in one place, so we have to log into different portals to access various data, and this needs to be more straightforward. We want to see a single portal with one URL, so those with the appropriate credentials can gain access and see the big picture regarding the threat landscape.

We've been using the solution for over five years. 

The product is stable. 

Defender for Endpoint is scalable.

The deployment was relatively straightforward, but one issue is the knowledge base articles are not particularly accessible.

Regarding implementation strategy, we do discovery, make an assessment, and match with business needs; then, we know precisely what we have to do and which license is required. We can then start the implementation and deployment.

For maintenance, two team members are sufficient to manage 5,000 users or devices. 

We're a service provider, so we carry out the deployments ourselves. 

We have seen an ROI. 

I'm not too familiar with costs as I'm an architect, though I know about online pricing, as I help two teams with online purchasing and procurement. Nowadays, everyone has an enterprise agreement, such as an E3 license, which we provide to our customers.

The solution saved us money. 

We evaluated many solutions, including Mandiant, Cortex XDR, McAfee MVISION, and Fortinet FortiClient.

I rate the solution nine out of ten, and I recommend it.

We use Microsoft Sentinel, and it allows us to ingest data from our entire ecosystem.

Sentinel enables us to investigate threats and respond holistically from one place, which is important to us.  

We want to find a solution that fits businesses of every size and type, but we primarily target small and medium-sized enterprises. 

Defender helps us prioritize threats across the organization. When we needed to update the patches on our endpoints, we could look at all the patches and see what still needed to be fixed. We could decide whether it's necessary to address something urgently or deploy it as part of routine monthly maintenance. It's crucial to have the insights and a report that I can show to an executive to demonstrate that we need to act fast. This is less common because most people accept your hotfixes and patches when they come out, especially monthly security updates. However, some older shops might be like, "I'm running Windows 10. No one's touching this." We still need to service and support those machines, too. 

The solution helps us automate routine tasks and alerts. There's a dashboard where I can see the statuses of my machines in the environment. It helps us breathe a little bit easier. We're responding to businesses that had shifting needs during COVID. How can we be more proactive and help them to be more proactive? We shifted from traditional PC antivirus software to stuff that's totally different. I can't say it's "set it and forget it" because that implies a lazy mentality. However, I know I have a level of protection that I can have faith in. 

Defender helps us be more proactive. I find value in the zero-day threats that get fixed from Microsoft bug fixes or security updates. I can read and research about those zero-day threats from Microsoft's public site without digging too deeply into the Defender side of things. 

We've saved some time with Defender for Endpoint because we were doing a lot of unnecessary remediation with the other products. We had a series of servers that our previous product was installed on. It would blue-screen the server at random, and you can't have that. I'm not worried about Defender impacting my system stability. We put a lot of high-performance systems out there, including PCs and backend compute. I want to ensure we won't be overburdened by unnecessary security software that may not be giving me the protection I want.

Defender's reporting saves us four hours to eight hours each month. It has many of the standard reports we need built in, so it's effortless to generate and pull from. The time we save in other areas isn't as easy to quantify. I don't have to worry about the stability of a box or a computer cluster. 

It has decreased my detection time. On Wednesday, I got emails notifying me that new vulnerabilities were detected. They weren't new, but they were newly disclosed because patches came out for them. It has enabled us to react much quicker. 

I like Defender's reporting and logging features. The email alerts are also helpful. It's hard sometimes to sift through the email, especially if you're an IT firm managing hundreds if not thousands of endpoints, but we find email reporting useful. For example, last Tuesday, we learned of new vulnerabilities that were discovered as a result of the previous patches. The endpoints without those patches triggered alerts in Defender.

Defender ties into the Microsoft 365 portal where many shops spend a lot of their time doing password resets or other tasks. There is much more in the Azure portal too, but the 365 portal has a list of open issues, bugs, and necessary remediation steps. If I'm working on my security score, I have all of those on an active list, which is nice.

Defender should be more accessible for small and medium-sized businesses. You have some organizations that maybe have a hundred employees, and they're focused on making their widgets. That's their nine-to-five every day. They're not thinking about that security side, but maybe they're already invested in 365 or the Azure ecosystem and having Defender as an add-on makes sense from a price perspective. It's easy to deploy, but it could be easier for some of those smaller businesses to onboard endpoints.

The onboarding and deployment could be more user-friendly, and there is room to grow in some of the reports. I don't want them to be oversimplified or overly complex, but there is room for improvement in the reporting it can do. It's relatively minor.

We have used Defender for Endpoint for the last 18 months or so. 

Defender's stability is one of the things I love most about the solution. 

There are no limitations on Defender's scalability. I get the impression that it's designed to cater to massive enterprises with 20,000 or more endpoints, but I think there's a market for a simpler deployment, like 100 PCs, 10 servers, etc. Give me a deployment option that's simple. 

I rate Microsoft support eight out of 10. It's good overall, but it can be hit or miss depending on your issue, and sometimes you don't get the right level or technician. All of my 2023 support experiences have been stellar, but 2022 was a little inconsistent. 

Positive

The company evaluated other solutions in parallel and in tandem with it. Our trajectory shifted slightly during COVID-19, so we explored that more. We tried ESET and SentinelOne for a while. But those are apples-to-oranges comparisons. Defender for Endpoint is geared toward common reporting,  notifications, and backend stuff, whereas SentinelOne is designed to lock machines down. It has many more tendrils deep within, so they're not great comparisons. 

We decided to go with Defender because we're pretty heavily invested in the rest of the Microsoft Stack, so it made sense. However, we wanted to do our due diligence because we're already using other products. We wanted to ensure we were picking the best of breed for our customers fair enough.

We were having issues with other products like ESET, SentinelOne, and Symantec. SentinelOne is just too deep and heavy. It's like trying to shoot a fence post with a missile. It was too much. We rely on the product and trust it. It takes a little while to get there, but once you trust a product, you can move on to the next thing and know you're protected.

The onboarding process could be more straightforward. I wish the onboarding were simpler. It seems a little more ethereal than, "Hey, here's your executable, put this on every machine." That would be easier for a small shop. We're still deploying into a lot of our sites. It didn't take long at all, but it takes a while to get fully ready to deploy, 

Defender's pricing is competitive. There are ways to negotiate a better price with Microsoft or your reseller as your business grows. You can say, "Hey, I bought 365 Business, then E3, and E5. Now, I'm buying Defender, so give me bulk pricing."  There are opportunities to save as you grow that wouldn't exist if you picked a different vendor.

I rate Microsoft Defender for Endpoint eight out of 10. 

We are a Microsoft-heavy organization, so we use Microsoft Defender for Endpoint because of its compatibility with our environment and its reports, which provide good visibility into our environment and send telemetry logs to the server.

Microsoft Defender for Endpoint collects all system logs, activity logs, and threats. It then sends this data to the Office 365 security portal, where we can view all logs and use various analytics tools to forecast average bandwidth usage, identify programs used by users, and view which apps are running in our environment, including unauthorized apps. All of these insights are easily accessible if we have a complete Microsoft solution.

Microsoft Defender for Endpoint helps us prioritize threats across our enterprise. We have configured the standard settings and are using many Microsoft solutions, so we receive direct support from Microsoft. We have created many policies, including a standard policy for all apps and programs used in our organization. We have a list of these programs, and any that are in the Defender for Endpoint exclusion list, such as DLP software or trusted software, are excluded so that they do not slow down the process. We then prioritize the apps according to standard cybersecurity priorities. For example, if an application is vulnerable and not from a renowned vendor, it should be blocked.

We have integrated Sentinel with Defender for Endpoint. The integration was a few simple clicks.

Our integrated solutions work together seamlessly to provide coordinated detection and response across our environment. We like Microsoft's Advanced Threat Protection solution, which uses EDR and AI to protect endpoints. Recently, a user downloaded an unknown file, and ATP immediately flagged it. ATP then ran an automatic investigation and provided us with the results in the portal. We can then decide whether to quarantine, delete, or report the file to Microsoft Defender for Endpoint.

Microsoft provides comprehensive security products that have fulfilled all of our security needs and assured us that we have enterprise-grade security and do not need any other solutions. We have received positive results.

We use the cloud's bidirectional synchronization capabilities to synchronize our on-premises Sentinel agents with the Azure Monitor agents.

It is our requirement to have bi-directional synchronization between the cloud and on-premises environments because we now have users in both locations. This means that if a user changes their password in the cloud, it will also be updated in the local Active Directory. Additionally, we have some on-premises servers that require our SQL databases in Azure, so they communicate with the cloud bi-directionally.

Microsoft Sentinel enables us to ingest data from our entire ecosystem. The whole point of Sentinel is to collect logs and notify us, showing us our cybersecurity posture and where we stand. It also advises us on the policies we define for our system and whether the system in our environment matches those policies, identifying any applications that are not fulfilling those policies.

Sentinel provides visibility into our environment and we can investigate and respond to threats through Defender.

In the context of user and entity behavior analytics, Sentinel is very effective. It can identify high- and low-risk users by analyzing their daily usage activities, such as the applications they access, the websites they visit, and how they handle data. Sentinel then segregates users into high-risk and low-risk groups based on this analysis. This gives us good visibility into user behavior, which is essential for protecting our organization. While Sentinel has other capabilities, we are currently using it for UEBA.

Microsoft security has helped us save about 30 hours per month, reducing our workload.

Microsoft security has helped us save costs. In our company, we have different Office 365 licenses, including E5, E3, and F5. Some of the security add-ins are free with these subscriptions. For example, the E5 license includes SIEM, Office 365, Defender for Endpoint, and an Active Directory P1 subscription. This means that we do not have to purchase these add-ins separately, as they are included in our licensing.

Defender for Endpoint has reduced our time to detect and respond. Once an incident has occurred the AI automatically takes action and provides us with a detailed report of the investigation. It takes five to ten minutes to resolve an incident.

To have full visibility, we must access multiple dashboards, which is a problem because they change frequently, with daily updates to naming conventions. A single dashboard would be a significant improvement.

I have been using Microsoft Defender for Endpoint for seven months.

Microsoft Defender for Endpoint is extremely stable.

Microsoft Defender for Endpoint is easily scalable because it is compatible with a variety of Windows and Linux machines.

Technical support is good. We usually receive a response with a solution within 24 hours.

Neutral

We are currently evaluating CrowdStrike and a few other solutions.

I would rate Microsoft Defender for Endpoint eight out of ten.

Microsoft-heavy organizations should avoid using third-party SIEM solutions, as the compatibility issues would require significant effort from the IT department to configure them with Microsoft applications.

Microsoft Defender for Endpoint is a detection system, not a prevention system. We receive alerts after a threat has occurred.

It is better to choose a single company security solution because it will free up time to focus on the environment and identify loopholes. Rather than using three or four third-party software programs, which would require us to spend more time learning about them and resolving compatibility issues, a single solution would provide a better view of the environment.

We use Microsoft Defender for Endpoint to protect our work environment.

The endpoint provides good visibility into threats. However, working with Microsoft Defender for Endpoint and its control panel can be challenging, especially when dealing with features such as compliance and cloud app security details. Nevertheless, with enough experience, it becomes a useful tool for threat detection. Although it may be difficult to work with initially, it is an essential instrument for information security.

Microsoft Defender for Endpoint helps us prioritize threats across our enterprise.

The integration of Microsoft Defender for Endpoint with other Microsoft solutions is easy. The integrated Microsoft solutions work natively with each other.

The level of comprehensiveness provided by all of the integrated solutions is satisfactory.

Microsoft Sentinel allows us to investigate and respond to threats from one place.

Microsoft Defender for Endpoint helps automate routine tasks and find high-value alerts. The solution has a powerful advanced query that we can schedule to run automatically.

Microsoft Defender for Endpoint simplifies the use of multiple dashboards by providing a single XDR feature. This is a beneficial feature, but my reliance is on the 50 automated rules that run on a schedule to keep me informed of any incidents.

The automatic rules and policies that we apply using Microsoft Defender for Endpoint save us around four hours per day.

Microsoft Defender for Endpoint has saved our organization money by protecting the environment from threats.

Microsoft Defender for Endpoint has reduced our time to detect and respond to security threats by consolidating all relevant information in a single panel within a web portal. This enables us to quickly review and respond to potential threats, thus improving our ability to mitigate risks effectively.

Microsoft Defender for Endpoint has helped our organization by working to identify threats quickly before they become a problem. 

The integration with all variations of Microsoft Defender, for Endpoint, 365, and Cloud is valuable.

The time it takes to implement policies has room for improvement. When we create policies or configure file profiles and assign them to specific groups, Microsoft Defender for Endpoint will apply these rules accordingly. If we need to make changes to the policy, it can take up to thirty minutes or even two to three hours for the changes to take effect on Microsoft Defender for Endpoint. This waiting period can be a significant amount of time to implement changes. It is at times quicker to create new policies than to make changes to existing policies.

We are experiencing problems with certain Samsung Android mobile devices that have Microsoft Defender for Endpoint installed. Specifically, when attempting to log into the corporate profile, users are prompted multiple times to enter their credentials.

I have been using Microsoft Defender for Endpoint for two years.

Microsoft Defender for Endpoint is extremely stable.

Microsoft Defender for Endpoint is scalable.

The technical support team is professional.

Positive

We previously used a separate antivirus and endpoint solution called Cynet but it was not very useful. Our organization moved into the Cloud so we decided to use Microsoft Defender for Endpoint.

We deployed Microsoft Defender for Endpoint across multiple locations in our organization.

We evaluated Splunk and Microsoft 365 before the head of our company chose Microsoft Defender for Endpoint.

I give Microsoft Defender for Endpoint an eight out of ten.

No maintenance is required on our end for Microsoft Defender for Endpoint.

Microsoft Defender for Endpoint is a powerful tool and I recommend it.

Using a single vendor security suite carries inherent risks, but with a well-established company like Microsoft, those risks are significantly reduced, and it's more cost-effective than using multiple best-of-breed solutions to achieve the same level of security.

We use Microsoft Defender for Endpoint to manage the firewall and provide endpoint security, such as antivirus protection, on the endpoint.

The visibility of threats is excellent. The most difficult aspect of Microsoft Defender for Endpoint, especially for a small MSP, is the amount of information that needs to be filtered through. There is a lot that can be done in the portal, so it requires someone to spend a lot of time going through all the settings and making sure any issues are resolved. This is why we added Huntress to it, as it helps with the identification of other issues.

Microsoft Defender for Endpoint helps prioritize threats across the enterprise. The great thing about the Defender portal is that if there is a new issue, it highlights the issue for us in the portal, enabling us to easily check the CVE report to see which devices are affected, and make the necessary changes.

The major advantage of Microsoft Defender for Endpoint for us is that we receive a great deal of information. Initially, when we encountered the solution, the most difficult thing was that there was a lot more detail to go through, a lot more logs, and settings that we had to configure. However, once we had everything in place, as we are covering so many devices using the same solution, we were able to make a significant impact on our security.

The solution helps automate the high-value alerts to identify the devices that are at high risk of attack, but we still have to remediate ourselves.

We still enjoy jumping between Defender and Huntress' portals. Microsoft has removed the need for a large number of solutions as the Defender portal itself encompasses a great deal. This is both good and bad as they continue to add to the Defender portal. For a small team, it can be quite overwhelming to have to go through the one Defender portal. However, if the team was larger and we had more dedicated staff, it would be great as everything would be in one place.

Microsoft Defender for Endpoint's threat intelligence helps us prepare for potential threats before they occur and take proactive steps based on the CVE reports, which advise us which devices have higher threat issues.

Being aware of the issues is a good thing, and with solutions like Webroot Business Endpoint Protection, we may think everything is fine as long as the antivirus is installed. However, with Microsoft Defender for Endpoint, we are given a lot of information and become more aware of the issues. This helps us strive to reach the 100 mark on the security score.

Microsoft Defender for Endpoint has saved time by preventing attacks from occurring, and I have been able to rely on it. In contrast, when we used Webroot Business Endpoint Protection, we installed it and then largely forgot about it, assuming it would take care of itself. Webroot rarely gave us any warnings, which may have been due to the product not knowing what to do or not having anything to alert us about. On the other hand, Defender is constantly active and provides us with updates about the endpoints. This may take up more time, as it is making us aware of a lot of other things.

Microsoft Defender for Endpoint is more expensive than Webroot Business Endpoint Protection. However, the value is there in terms of the product we are getting. The cost savings with Microsoft Defender for Endpoint come from being aware of the issues and taking steps to prevent them from occurring. The savings come from avoiding the issues.

Microsoft Defender for Endpoints has a quick response time when it detects a threat. From what I've seen, the system is quite fast. It's not instantaneous when changes are made in the portal and sent to the endpoint, but it is still quick.

The most valuable feature of Microsoft Defender for Endpoint is its ability to bring together all the data, providing more information than just antivirus hits. Additionally, it has a useful security score that is tied into the Defender platform, giving us a better understanding of what is happening at the endpoint.

Microsoft often changes the names of its products, the design of its portals, and what is included in them. This can be confusing for people who are not using them regularly. There is a lot of information to take in, and the portals tend to change quickly due to the fast-paced nature of the industry. This can be frustrating when something that was there one day is gone the next.

I would like to see when NDR solutions become more widespread in other regions. It would be amazing to observe how that progresses. It is something that we are considering, having Microsoft do part of the work using the dependent portal instead of having engineers from our own company do it. Therefore, I am eager to see where that goes.

The stability has room for improvement.

I have been using the solution for over one year.

When testing to see if the antivirus solution is working properly with a lot of different events occurring on the device, we found that the Defender interface can become cluttered. The solution does not always give us a real-time view of what is happening, making it difficult to navigate the user interface. Therefore, there is potential for improvement in terms of stability.

We've deployed the solution in small environments and larger ones. So we haven't had any issues going between the two. Microsoft Defender for Endpoint is scalable.

We have encountered two technical issues in the past. The support team was very competent, and when I contacted Microsoft support, they were extremely helpful.

Positive

We had previously used Webroot Business Endpoint Protection, Bitdefender GravityZone, CrowdStrike Falcon, and Cortex XDR by Palo Alto Networks. Microsoft Defender for Endpoint is now included in our licenses, making it an easy addition for many of our clients since some of them already had the licenses that included the solution. Moreover, since many of us already use Microsoft products and portals daily, we were comfortable with Microsoft and the solution did not require a lot of retraining. Additionally, the price was another factor that made the solution attractive; CrowdStrike and the requirements associated with it are too costly for some of our clients.

The initial setup is not complex. It is more cumbersome than Huntress because it is not just an installer. We have a package that needs to be deployed to a few machines. We can run a script, or use a GPO package to distribute it. Although it is not as easy as some of the other smaller solutions, it is still quite simple. We can roll out a group policy. The deployment didn't take long at all. We had already set people up with licenses to access a Hive with Microsoft, so the deployment solution was straightforward. Most of our clients also have directories managed through Azure, which made the rollout easy.

The deployment process requiring engineering numbers or similar is very minimal as it can be done through a single group policy.

The implementations are completed in-house for our clients.

The licensing costs for Microsoft Defender for Endpoint are reasonable.

I give the solution an eight out of ten. When discussing Microsoft Defender with other engineers, we agree that it can be challenging to become accustomed to and comprehend the UI at first. Once we have a grasp on the UI, it is excellent; however, initially, it is difficult to learn.

Microsoft Defender for Endpoint is deployed in systems located in data centers and on-premises, providing a wide range of devices. Approximately two thousand endpoint devices are in use.

Since the solution is a Windows subsystem, it is not difficult to maintain. We utilize a management solution to run many of those updates regularly, ensuring that they are completed regularly.

No single solution or vendor has all the answers, and it can be risky to rely on just one source. If an attack occurs and we are only using one form of security, if it is breached, the attackers will have unfettered access. Therefore, I believe it is beneficial to have a multi-layered approach, utilizing multiple solutions and vendors with different technologies that can work together.

I suggest people do some Microsoft training regarding the Defender platform to become comfortable with it before deploying it to understand exactly what is necessary to make it work.

We primarily use the solution for security. For most clients, we deploy the solution for security purposes. Some clients just deploy it as part of Microsoft. Some haven't fully set it up even though they've paid for it. Some may be deployed and set it up and then have it disabled. 

They've grown the solution into an XDR EDR type of solution. It's nice. Everyone is going in the same direction. There are good process flows and features that make permissions and setup easier if clients are all under Microsoft.

If you get it set up correctly, it just works. 

It does help us prioritize issues. It depends on how the user has it set up, however. You can make a very nice pane of glass. It depends on who it's set up for and what they are doing with it. Some people throw the Windows Defender EDR solution out there and walk away. It does you no good if you're not sitting there watching it, monitoring and setting it up to get the feeds and the alerts and everything else.

It integrates really well with other security tools. That's something they've done very well. Integration between Microsoft products is very easy. It also works well with API plugins, etc. It works natively with detection and response across the whole environment. There may be pieces that may be tuned or integrated correctly. However, it's all pretty seamless.

The threat protection is pretty comprehensive.  

Defender helps automate routine tasks and find high-value alerts. It's a one-stop shop. You can do integration, for example, with Microsoft Teams. It depends on the business you want to run. A mom-and-pop shop may not need so many tasks sent to very specific people. For larger enterprises, having the same tool across the board makes it very easy.

Defender Endpoint does help prepare for potential threats before they hit. When you're looking at signature-based AV, Defender, just like everyone else, will pick up something known. However, when it comes to user behavior analysis, that's a bit more complicated. 

We've saved five hours or less per month in terms of saving time.

I might help clients save money, depending on the size of the organization. With Defender, you are just paying for licensing. It's all moved to the cloud. 

If a threat actor comes in, and creates a global administrative account, they can gain access to everything and whitelist then block everything else. Having everything, including Defender, under one brand is like having all of your eggs in one basket.

Since they are linked to the operating system, they should have good visibility on what is malicious and what is not. They should be at the forefront in that area. However, they are doing what everyone is doing - especially in threat sharing. Pretty much any EDR solution has the same intelligence. Microsoft should go further since they do develop so much underlying infrastructure since they've "built the house" they should know everything about it. They should be more intuitive.

I haven't been using the solution for too long. I've started using it recently. However, Defender has been around for years.

Technical support is always good. There are different levels you can pay for. I personally have never had to use support for the Defender product. Getting really good technical support depends on what partner level you are. 

I'm also familiar with Sentinel and CrowdStrike. I do move my clients towards third parties and don't necessarily try to set them up under just Microsoft.

Inherently, everyone is using the trend intel. They share and ingest threat information. The intel is there. Some organizations may do it a bit better if you were ranking them. However, Microsoft's job isn't necessarily security. They have cloud infrastructure, et cetera. Unlike CrowdStrike, where security is their bread and butter. For Microsoft, Defender has always been the last on their list in terms of priorities.

Calculating ROI would depend on what your overall security posture is for your entire organization. If you are just trying to do PCI compliance, you may be opening yourself up to threats down the line. Also, if you are never updating, et cetera, you might be a target for ransomware. However, if you take the time to diversify and watch your systems regularly, you will see more ROI.

The solution is cost-effective as it is on-cloud. You don't need to accrue costs related to hosting. 

The pricing is fair. However, it depends on what you are trying to buy and what size your organization is. 

I'm a Microsoft partner. 

This solution does not make my top five.

As far as relatively decent, I'd say they are okay. I'd rate it seven out of ten. However, it's always the number one thing threat actors are targeting. 

The solution is used as an endpoint solution to provide a 360-degree portfolio around an endpoint. It acts as a next-gen antivirus. 

It’s included with the Microsoft licensing, so we don't need multiple licenses.

Microsoft is very effective in device control. If there is malware that is coming in, It is very quick to remove it. It doesn't let it gain a footprint on your drive, so that prevents further damage from happening to the endpoint.

This solution helps us prioritize threats across our enterprise. When we are looking at our current scenario, post-COVID, most of the employees of the clients that we are dealing with are remote. When it comes to remote, you can make sure that they're logging in to VPN, however, most of their time is online and we need a product that is actively protecting them even if a user is not on a VPN or a company network. This product integrates very well with Windows due to the fact that it's a Microsoft product. It's giving users the protection that they need while ensuring businesses don’t have to spend extra on licenses.

We are using other Microsoft products. Including CASB integrated with our endpoint. We’re also using Azure, for example, and Microsoft Defender for Cloud as well as Sentinel (although a different team manages it). We have seen a very hybrid kind of environment with one of our clients where they were using an on-prem solution throughout, and they were aiming to move to the cloud. It becomes very easy to integrate everything and move most of their infrastructure to the cloud. It does take time and effort, however, with everything integrated, you can get it done. Microsoft solutions also work natively together. That’s a big strength. Everything communicates seamlessly.

We have very good visibility on our endpoints. The level of information it throws back is helpful.

How long it takes to see the level of benefits will depend on the deployment. Our deployment took two months for one client. Within a month’s time, they started seeing the benefits. We had a substantial number of endpoints to roll out, however, we began to note benefits pretty fast.

Microsoft Defender for Endpoint helps automate the finding of high-value alerts. It still needs to mature a little bit. Overall, we are seeing very security-intensive products and Microsoft still has a lot to learn.

It helped eliminate having to worry about multiple dashboards. Now, we have one single dashboard where our team takes care of everything. That has been very helpful. It makes the team focus on one single product. That helps prepare us for potential threats before they hit. We get fairly decent visibility into what's happening. Since we have one single dashboard that is giving us all the information, it becomes very easy for the team to react to incidents as well.

Overall, the solution has saved time. Previously, while we were doing deployment, most of our time was spent figuring out how to handle the products that are not natively from Microsoft. We had to figure out how we could integrate to get the most out of our products. Now, with Microsoft, we have all the integrations present in one place.

On average, we’ve likely saved nine to 12 hours weekly just by having one single Microsoft dashboard.

We’ve saved money, too. Considering it comes under one existing license, we don’t have to spend money separately or buy another license to get all the features we need.

The solution decreased our time to detection and time to respond. Our turnaround is better. From the moment we receive an alert to the moment we close the case, we’ve seen a reduction of 18% to 20% overall.

The visibility of threats needs to improve a bit. It still has to learn a lot. Where we stand right now, compared to other products that are there in the market, they still have to work on their threat intelligence and the overall maturity of detecting the malware. Sometimes we have seen instances where they have wrongly identified the malware. That is something that we would really hope that Microsoft works on.

Microsoft has to improve the efficacy of the product further. When we are talking about a security product, there are minor frameworks and there are close to 145 different techniques that we are talking about. It broadly categorizes into types yet it doesn't drill it down to techniques, which gives us a very specific idea of what they are aiming for. 

I've been using the solution for the past one and a half years as a solution architect to design and deliver EDR solutions. 

The product is fairly stable. 

The solution can scale. We scaled up initially from 500 to 32,00 endpoints and it was fine. 

We've had to contact support in the past and found them to be very effective. They are knowledgeable in their approach. However, the tasks can be a bit time-consuming.

Positive

We are using CrowdStrike, Palo Alto XDR, and a lot of different products. The client using CrowdStrike may have moved to Defender based on the cost.

The initial setup was simple. 

There is a bit of maintenance required around data retention. It has a data retention period of 80 or 90 days depending on the configuration. We make it a habit of filing data for compliance purposes. Two to three people are normally involved with the maintenance aspect. It's not resource-intensive. 

We are the third party. We help clients implement the solution. 

We have witnessed an ROI. 

The product is very cheap compared to other options. It's very affordable, which is why Microsoft is gaining a foothold in terms of client acquisition.

We're a Microsoft partner. 

I'd rate the product seven out of ten. 

You can spend a lot of money to get a very specific security tool, however, if you don't have the money, Defender does a pretty good job for you.

We use Microsoft Defender for Endpoint for anti-malware purposes.

Microsoft Defender for Endpoint has good visibility into threats, capturing 95 percent of them.

Microsoft Defender for Endpoint helps us prioritize threats across our organization, which is important.

We have integrated Microsoft Defender and Sentinel. The process of integrating Microsoft Defender for Endpoint and Sentinel was easy.

They work natively together to deliver coordinated detection and response across our environment which is important. Microsoft Defender for Endpoint and Sentinel work together comprehensively to detect and protect against threats. If one solution misses a threat, the other one will pick it up.

Sentinel allows us to gather data from our entire ecosystem, which is crucial for us.

It enables us to investigate threats and respond holistically from one place.

Microsoft Defender for Endpoint is an effective anti-malware solution. Additionally, it offers the capability to isolate a device in case of more significant issues with a workstation or server. Moreover, we can directly connect with the machine through Microsoft Defender itself to access and check files using live response, allowing us to assess the situation accurately.

Microsoft Defender for Endpoint offers a unified XDR dashboard that eliminates the need to view multiple dashboards. However, we are only focusing on incidents and log queries.

The threat intelligence helps us prepare for potential threats before they occur, allowing us to take proactive steps, as long as there are alerts and we have properly configured them.

We were previously using IBM QRadar, but it was not quite effective for generating alerts or for data analytics. Additionally, it created numerous alerts, which only sent us notifications for issues like behavioral concerns. This had a significant impact on the workload for InfoSec Operations. Microsoft Defender for Endpoint has helped to reduce our SecOps team's investigation time.

Once we invest the initial time to create alerts and queries, Microsoft Defender for Endpoint saves us time by sending alerts and logs directly. This eliminates the need to repeatedly create queries to search for specific alerts, incidents, or events.

Microsoft Defender for Endpoint has decreased our time to detection and time to respond.

There are a couple of features, such as isolating the devices or connecting the device and connecting live response. These are very good features of Microsoft Defender for Endpoint because we can directly connect to the machine, access the system, and check if any malicious files that our Defender or Sentinel is detecting are present or not. This allows us to investigate those files further.

Microsoft Defender for Endpoint sometimes fails to detect malware incidents, and when it does manage to stop them, we only receive a notification stating that the issue has been resolved. Unfortunately, we are not provided with any information on how the solution resolved the incident.

Microsoft Defender for Endpoint does not offer default templates for alerts, requiring us to configure everything ourselves to avoid numerous false positives.

The pricing needs to be improved.

I have been using Microsoft Defender for Endpoint for a little over one year.

I give the stability a nine out of ten.

I give the scalability an eight out of ten.

We rarely need technical support, but when we encounter issues with log ingestion, we contact them. Unfortunately, the support isn't very helpful as they suggest trying things we've already attempted, which haven't worked. Consequently, we often find ourselves searching online to resolve the problem on our own.

Neutral

I also use FireEye, which is now called Trellix, along with McAfee. Each tool has its own advantages and disadvantages. FireEye was solely an EDR solution. Microsoft Defender for Endpoint is superior to McAfee due to the higher number of alerts and the ability to isolate and connect to the machine in real-time.

Microsoft Defender for Endpoint is the default solution for Microsoft, but it can be challenging to integrate with Linux environments. Additionally, if we are using any other EDR or anti-malware solutions, Microsoft Defender for Endpoint will only work passively, not actively, and we cannot convert it to function as an active anti-malware solution.

The initial setup of Microsoft Defender for Endpoint may be more complex compared to other solutions that only require pushing agents to workstations or servers. Each device must be compliant and onboarded to Azure in order to be active, and any non-compliant workstations cannot be uploaded to Azure. On the other hand, with McAfee and similar solutions, we only need to push the agent and it starts reporting to the console. Our deployment process lasted six months and involved a group of three to four people and their respective teams. We had one team for field agents, another for SCCM purposes, and an Operations team as well.

Microsoft assisted with the implementation, and they were efficient.

We are required to pay for the data we ingest, and increasing the data amount incurs additional expenses.

I give Microsoft Defender for Endpoint an eight out of ten.

We currently have around 6,000 Microsoft Defender for Endpoint users in our organization.

We have a team called InfoSec Operations that handles maintenance and consists of approximately five people.

I recommend Microsoft Defender for Endpoint for larger organizations, and they should undergo training if they intend to use it in conjunction with Microsoft Sentinel, as it is a complex tool compared to others like QRadar. For smaller organizations, I suggest using Splunk, which is a reliable solution.

Microsoft Defender for Endpoint is a viable solution, but it does have limitations when it comes to other operating systems. I would not recommend this solution for an organization that operates in a Linux-based environment.