Microsoft Defender for Endpoint Reviews

We use Microsoft Defender for Endpoint to secure our customers' networks. One of the main reasons we chose this solution is its seamless integration with other Microsoft products, including Security. This integration enables the efficient exchange of signals and facilitates incident investigation and correlation with other security measures. Therefore, we recommend Microsoft Defender to our customers for robust endpoint security. 

Microsoft has been recognized as a leader in Gartner reports for two consecutive years for their exceptional threat-capturing abilities within their division. In comparison to other solutions, Microsoft Defender Endpoint Security offers a wide range of features, and the benefit of integration with other solutions makes it a more powerful product. This is in contrast to individual products from separate vendors, which lack default integrations and may not offer visibility over other endpoints in our environment.

The solution provides a high level of visibility into threats and is integrated with other solutions such as Microsoft Defender for Identity. This integration enables the solution to receive signals from Microsoft Defender for Identity, which are then relayed to users who attempt to log in to an infected device. If the threat originates from Microsoft Defender or Office 365, users are alerted and advised not to open any suspicious links or attachments. This integration greatly enhances the investigation experience and is extremely useful in the detection and analysis of potential threats.

Microsoft Defender for Endpoint helps prioritize the threats across our organization.

The automatic investigation response is the key feature of Microsoft Defender for Endpoint. It enables us to concentrate on the critical incidents related to the endpoint or machines. This capability enables the security team to focus on the most significant alerts or incidents related to the device's self-analytics. Prioritizing our investigations and responses with Microsoft Defender for Endpoint is crucial.

The integration with Microsoft solutions is smooth, and integrating with other products can be done with just one click.

In most cases, the solutions work natively together to deliver coordinated detection responses across our environment, which is very helpful.

The comprehensiveness of threat protection offered by Microsoft's solutions is extensive. These solutions can thoroughly investigate all resources in an organization when deployed correctly according to best practices. They can detect any threats related to email, endpoints, and identity attacks, whether on-premises or in the cloud.

Microsoft Defender for Endpoint has been instrumental in enhancing our organization's operations. It detects the majority of threats aimed at our devices, aiding us in our efforts to combat threats. Additionally, it expedites the investigation process by running playbooks on incidents. This saves us time and increases efficiency. Furthermore, the integration capabilities of Microsoft Defender for Endpoint allow us to address the source of the threat by partnering it with other solutions. Microsoft Defender for Endpoint can be integrated with Microsoft Intune, allowing us to provide device signals to the latter. This permits us to grant or deny access to specific sources based on device signals.

The solution assists in automating routine tasks and streamlines the identification of high-value alerts. When used in conjunction with Microsoft Sentinel, which is highly effective in detection and comprehensive investigations, the quality of high-value alerts is excellent.

Microsoft Defender for Endpoint has eliminated the need to access multiple dashboards and provided us with a single XDR dashboard. Instead of logging into five different portals to investigate a threat, we only need to access one portal, Microsoft Defender for Endpoint. This portal collects signals from various solutions and integrates them into a single incident, providing a comprehensive view of the detection from different sources in one place. This improves our visibility and simplifies the threat investigation process.

Having a consolidated dashboard saves us a significant amount of time by eliminating the need to log into multiple portals. This single portal can be used for investigation purposes and can relate to various aspects. It simplifies the process of monitoring a multitude of sources or resources in the environment, making it easier to detect and investigate potential issues. A consolidated dashboard improves collections and visibility, streamlining the investigation process.

The threat intelligence provided by the solution helps us prepare for potential threats and take proactive measures before they occur. Many of Microsoft's security solutions now depend on Microsoft's security intelligence. The ISG collects signals from various products worldwide, providing extensive information on recent global threats targeting different products. Integrating with Microsoft Defender for Endpoint, this information is particularly helpful.

The solution has helped us save time. I suggested that we check Microsoft Defender for Endpoint daily to review the latest incidents that occurred during the process. We can quickly examine the incident and then take action based on the recommendations provided by either Microsoft Defender for Endpoint or Microsoft 365 Defender, as it consolidates the signals.

This solution is cost-effective since we would otherwise have to pay for multiple licenses if we were to use various solutions. Additionally, we prefer not to subscribe to multiple vendors for different services. By integrating these features, we save time, and they are already integrated by default, unlike other vendors who may not offer this feature or integration.

Real-time detection and cloud-based delivery of detections are highly efficient. I have deployed the Microsoft Application Control which I found to be very effective, albeit difficult to deploy. I have implemented point guard and attack deduction rules which enable me to identify attack locations effectively. Microsoft Defender for Endpoint has several excellent features, and the correlation of alerts and investigation experiences within the platform helps lead investigations

The application control feature requires improvement. It is currently challenging to detect and fine-tune the application control policies. A better GUI is needed for configuring the policies, beyond the current partial console, such as a third-party or Microsoft tool. Additionally, more documentation is required for the application control section as there is currently none available in Microsoft's resources. This lack of documentation can make the process confusing.

The policy configuration has room for improvement. Currently, we require additional solutions to configure policies for Microsoft Defender for Endpoint. We need either Microsoft Intune or a new policy object. It seems many individuals find this process confusing. It is perplexing to me why we must configure policies using different solutions when ideally, we should have all configurations for Microsoft Defender for Endpoint in a single portal. It would be more practical to configure policies directly within Microsoft Defender for Endpoint, rather than using external solutions.

I have been using the solution for three years.

Microsoft Defender for Endpoint is stable.

Microsoft Defender for Endpoint is scalable.

I previously used Trend Micro Apex One, but I've found that Microsoft Defender for Endpoint has more benefits. Although I haven't worked with the full suite of Trend Micro, I believe that their Suite is also highly effective. However, I have experience using the full suite of Microsoft Defender, and I find it to be a more powerful tool for threat detection. While Trend Micro Apex One is easy to implement, has a seamless implementation experience, and is superior when it comes to policy configuration; For threat detection capabilities, Microsoft Defender for Endpoint is stronger.

The initial setup is straightforward because we just need to onboard devices, through a script, employment, onboarding package, or any other MDM Solution like Intune. The deployment takes between four and eight hours and requires a maximum of two people.

We implement the solution for our customers.

Microsoft Defender for Endpoint can be costly as a standalone solution. However, when included in a bundled license with other Microsoft solutions, it becomes a cost-effective option. Microsoft Defender for Endpoint provides excellent value for our organization.

There is an additional cost for Microsoft Premier support.

I give the solution an eight out of ten.

Microsoft Defender for Endpoint is deployed across multiple locations and departments. The solution can be used for enterprise, medium, and small businesses but can be expensive for SMBs.

To achieve success with Microsoft Defender for Endpoint, it is crucial to establish best practices and ensure full deployment without causing any disruptions to business productivity. Simply enabling all features without understanding their impact could lead to interruptions in productivity. By adhering to best practices and carefully assessing the impact of each policy, we can ensure a smooth and effective implementation.

The solution can be used on everything. It can be used on the cloud. You can also use it for on-premises devices, from servers to laptops. It's a pretty good solution to manage devices and servers.

Usually, our clients have an on-premises infrastructure and they want to start working in the cloud, especially in Azure. We use Microsoft Defender to manage on-premises devices from Azure. Especially over the last two years, a lot of companies have wanted to focus more on their own business and that's why they have us manage their IT security.

The main goal of using Defender for our clients is to do vulnerability scanning and to be aware of any possible security breaches in their infrastructure.

Microsoft Defender is totally integrated with Microsoft 365 Azure. For example, years ago a software company that was working on-premises with Microsoft products came to us. They asked us to help them connect to Azure because with Azure, they could, of course, run their core business, but it would also help them create more value in the market. Microsoft Defender is the best way to manage on-premises devices, but also devices on the cloud.

It also helps us to prioritize threats.

In addition, the solution gives us a single dashboard that we can customize. When our security operators start their day, they look at the dashboard information. If there is a big issue, they automatically get the information. They can send an email to the team involved. The dashboard helps the security team, day-to-day, to ensure everything is secure for the client. The dashboard is really important.

And overall, the solution has saved us 50 percent of our time. It also saves us money because it prevents ransomware and web application attacks every day. Currently, with the war in Ukraine, because I work in Europe, hackers are trying to hack into enterprises, and that's another reason it's really important to have this kind of solution.

It may be saving us 30 percent, in terms of money, because once you have the system in place, you can avoid a lot of attacks and keep secret information away from hackers. When we talk about security, we're also talking about the reputation of the company. Using this kind of solution helps our clients not to lose money through a loss of reputation.

In terms of time to respond, someone who is working every day on the security operation team, can respond correctly within five minutes, to be conservative, to a problem they receive from the scanning done by Defender. It has decreased that time by about 20 percent, although keep in mind that I am a security architect and not part of the operations team.

The scanning part is one of the most valuable features with the automation of vulnerability scanning. That's why we use Defender. It gives us a lot of information on how to improve security.

There are some competitive products on the market, but the best is Microsoft Defender because it's very easy to integrate. That's one reason a lot of clients want Microsoft Defender.

It's also very easy to implement compared to other solutions.

Regarding other Microsoft solutions, about half of our clients take Sentinel, while 90 percent take Defender. They are very easy to integrate. That's one of the reasons, for me, that Microsoft is the best on the market. And in reviews about the best tools on the market, everybody agrees that Sentinel is the best on the market in the security area. When you work with Sentinel, it's easy to work with the Microsoft suite of products. It's easy to integrate every product from Microsoft.

We also use Microsoft Defender for Cloud's bidirectional sync capabilities. For security, they allow us to get all the information we need on time.

After scanning, there are false positives so sometimes you need to manage the results.

Also, we would like to see more tools for managing on-premises security. A lot of companies have their own on-premises infrastructure and want to move to the cloud. Sometimes, we have the tools, like Defender, to manage security in the cloud, but because we are so focused on the cloud, we forget the fact that we need to be sure about the security of the on-premises environment, specifically Active Directory. I know it's tricky, but I'd like to see them add some tools for a really good dashboard to introduce the fact that we also need to be careful about on-premises.

A lot of companies have their Active Directory on an on-premises physical server. When they start the journey of moving to the cloud, especially to Azure, they use Microsoft Defender to do device management, especially servers and computers. But to improve security monitoring it would help if we could monitor on-premises, especially identity. Usually, when hackers hack into an environment, they use tools to get the identity of a person. If we had tools to integrate with Defender, it would help improve security.

I have been working with Microsoft Defender for two years.

It's a stable solution.

It's also a scalable solution.

About 90 percent of our clients have deployments in multiple locations because they are usually multi-national, and that's why it sometimes takes more time to do the implementation.

The technical support of Microsoft is good.

Positive

I have always used Microsoft solutions.

The deployment is straightforward. The amount of time it takes depends on the configuration the client wants, but it's easy enough to deploy. 

If we need to implement it for a client with 2,000 devices, it takes more time. Just the implementation, for me, takes 20 minutes, but after that we have to implement configuration on the cloud, and that is totally different.

If it's a big company, it could take three months, because we have to do discovery. We have a lot of clients that use customized containers and customized Linux servers, and that's where we have to be sure we do the implementation the right way.

Usually, when working with clients and proposing different solutions, they prefer to work with Microsoft Defender because it is integrated. And when you talk about the price, it's really perfect, compared to other advanced threat-scanning products on the market. Overall, 90 percent choose Microsoft Defender because it's great and very easy to put in place. You don't need to install an extra service or do a big design. You pay for the licenses and that's it.

If you're considering working with Microsoft Defender, the first thing you need to do is an inventory of the infrastructure. We need to know what the client has: how many Windows Servers, how many Linux servers, and how much content. And then you need to know what you want to do with the devices. Some devices are not supported anymore. We need to know which devices the client wants to be covered by Defender.

A lot of times, we want to work with Sentinel because it's the best on the market. But Sentinel is more tricky to put that in place. But when you advise a client on security, of course, you propose a lot of solutions, including Defender and Sentinel. You propose the best on the market to improve their security.

Usually, they go for Microsoft Defender, but for Sentinel, sometimes it takes time. They say to us, "We don't have the money right now, let's wait two years." On many of my projects, my clients have already worked in the cloud and they want to start working with Azure. That's why Microsoft Defender is a good tool to implement. There are times we advise the client about Sentinel but they already have a SIEM solution like Splunk.

Defender for Endpoint does not help us automate routine tasks right now because it's extra work. I know we could put that in place, but often, when we start working with a client in the cloud, we spend a lot of money on that. I know, in the day-to-day operations of the security teams of our clients, they have so much to do and it would be really good to implement automation. We propose it to our clients, but it's up to them to decide if they want to do it.

The threat intelligence can help prepare for potential threats before they hit, but this is also something we need to talk to the client about. Sometimes, it's not in our hands. We can propose things to the client, but they have to choose. So far, after proposing these kinds of things to clients, I haven't received their agreement. This part of the solution is really interesting, but it can also be expensive for some clients. It depends on their budget.

And in terms of using multiple vendors for security or a single-vendor security suite, in my current company, we generally advise our clients to have different vendors, but it depends on the client. I, myself, am not a risky guy. But a lot of our clients have Microsoft products, and we'll advise them to use Microsoft products. You don't want to go to war with your client.

Sometimes, they want to work with a lot of different products, but when you try to do that it can be really expensive because you need to work on the connections between them. I usually advise Microsoft because it's very easy and a lot of clients already have Windows Servers, et cetera. It really depends on each case. It depends on who is paying, who is asking, and what they want.

We use Microsoft Defender for Endpoint for our antivirus protection.

The visibility into threats that Defender for Endpoint provides is good because we are using all Microsoft products. 

Microsoft Defender for Endpoint assists us in prioritizing threats throughout our enterprise. This prioritization of threats is crucial for safeguarding end-user devices.

Sentinel allows us to gather data from our entire ecosystem, and the interface is highly impressive. Data ingestion is of utmost importance for our organization, especially concerning the security of our environment.

It allows us to comprehensively investigate threats and respond from a unified platform. This is of great significance to us, as Sentinel plays a pivotal role in our Security Operations Center.

Microsoft Defender for Endpoint assists us in automating the prioritization of critical alerts. I am certified in cybersecurity. Recently, I have begun the process of renewing my certification as it is set to expire next year. I have been reading numerous articles regarding Sentinel, Defender for Cloud, Identity, and Endpoint applications, and there is a multitude of information available. Automation is now fully integrated, which holds significant importance for enterprise-level customers.

The solution assists in eliminating the necessity of using multiple dashboards, providing us with a single XDR dashboard integrated across various Microsoft products.

The threat intelligence assists us in preparing for potential threats before they occur, allowing us to take proactive measures to prevent them. The assessment mechanism analyzes and identifies threats, providing clear instructions before we proceed to the security parameters.

It has saved our clients time, mainly with their SOC operations. 

The antivirus is the most valuable feature.

There are alternative solutions that offer a greater range of dashboard insights when compared to Microsoft Defender for Endpoint. The solution needs better integration with third-party vendors.

The analysis that identifies the threats and remedies them can be enhanced in a future release.

I have been using Microsoft Defender for Endpoint for almost four years.

Microsoft Defender for Endpoint is stable.

Microsoft Defender for Endpoint is scalable.

The quality of technical support is determined by the customer's priority levels: P1, P2, and P3. Overall, they are known to provide good support.

Sometimes, the support takes a while to respond, and their shifts change, so we have to begin again with the new person on the shift.

Positive

The initial setup is straightforward for me. All Microsoft products are easy to configure and integrate data also. To properly utilize all the features the person integrating must understand the architecture code concept as well.

Before deployment, I consistently conduct a rapid assessment to comprehend the customer's infrastructure. Subsequently, I formulate a plan grounded in this information. Typically, we aim for minimal personnel involvement due to the centralized nature of cloud operations. Additionally, we can advocate for either GPO or CCM deployment software. Our approach entails utilizing a singular architect, one resource, and one SME for implementing and overseeing the infrastructure, aligning with the security prerequisites of the customer's locale. Continuous monitoring of the infrastructure is imperative, maintaining a 24/7 vigilance.

The implementation takes around three months to install and configure.

The pricing is competitive. The pay model is pay as we use.

For organizations that make use of all Microsoft solutions, the cost is lower, and the visibility is increased.

I rate Microsoft Defender for Endpoint nine out of ten.

Microsoft Defender for Endpoint is indeed a commendable product. However, despite its implementation, we should consider the integration of other security products. This is due to the escalating variety of cyberattacks prevalent today. While Windows consistently issues patches to update its existing products, I propose the adoption of a dual-product approach within our infrastructure. This approach aims to preempt eleventh-hour security breaches. By juxtaposing and scrutinizing the attributes of different solutions, we can better comprehend their nuances, specifically at the feature level. The pivotal factor lies in how adeptly a solution identifies and mitigates potential threats. Therefore, I advocate for the incorporation of two distinct solutions within our infrastructure. This strategy is poised to yield heightened efficiency, effectively mitigating the risks of both security breaches and data breaches.

We use the solution for antivirus and firewall protection.

Microsoft Defender for Endpoint's visibility into threats is good. The solution helps us prioritize threats across our enterprise.

Microsoft Defender for Endpoint has helped our organization by providing continuous protection across our organization without overloading our CPUs by running in the background. We realized the benefits of Microsoft Defender for Endpoint while we were comparing it with other solutions.

Microsoft security solutions help automate routine tasks and identify high-value alerts. I used to work as a System Administrator or Network Administrator, so I understand how useful it is for admins to have their routines automated. I am aware that the solution supports policies and ensures that it is very beneficial.

Automation has enabled the process to be automated, such as protecting certain roles or allowing digital transactions, etc.

Microsoft Defender for Endpoint's threat intelligence helps us prepare for potential threats before they hit and to take proactive steps.

Microsoft Defender for Endpoint saves us time and money.

The solution has helped reduce our time for detection and response.

Microsoft Defender for Endpoint is easy to load and it runs quietly in the background, unlike other solutions.

The solution is reliable.

Microsoft Defender for Endpoint can use more advertising to promote their features.

I have been using the solution for five years.

The stability of Microsoft Defender for Endpoint is good.

The solution is easily scalable. We have ten people using the solution currently.

I previously used, Symantec Endpoint Detection and Response, ESET Endpoint Security, and McAfee MVISION Endpoint Detection and Response before switching to Microsoft Defender for Endpoint.

I give the solution a ten out of ten.

The solution is deployed across our local network. 

I recommend the solution and it should not be removed from a person's computer.

The type of endpoint security solution that is used in an organization should be based on the environment.

In the past, I needed two, three, or four apps to do my job. With Microsoft Defender for Endpoint, I have all the resources on one site. I can check what the threats are and if the computers need to be updated or if they reboot with various apps. It's very helpful for us. For example, I have colleagues who use different versions of a certain programming software. With this tool, I can check whether they need to update the app because an older version might have a lot of bugs. I can check which applications need to be updated or uninstalled.

I have a lot of alerts set up as well. For example, all our users are here in Mexico. If we get someone connecting in the UK or Venezuela or Colombia, we get an alert. I then know I need to change the password and use two-step authentication.

And I get a message when a new threat comes up or I need to do updates to different tools. This is helpful because threats are always working in innovative ways. These are very important messages for us.

Defender for Endpoint saves me a lot of time because I have all the alerts and information in one application. It also saves money because when you lose information due to an attack, you lose a lot of money on the reconfiguration of the sites or the information or on the recovery of a backup or a server. It's very important to have a tool like this. It saves a lot of money. The cost-benefit is very good.

It's a very complete application. I have all the controls in one site. I can track emails, attacks, and threats, and I can research information. I really like this configuration because I have all the information in place. It was very easy for me to configure it to show me all the things that I need in one dashboard for monitoring.

The visibility into threats is very good. I can track the threats very easily in this application. I have also used Trend Micro and it's more difficult to do with that solution. With Defender, I have all the information and I can follow all of the steps and do my job. It's really easy and very impressive.

I also use Microsoft Endpoint Manager to control all our laptops and cell phones. I take care of all those policies in that solution. In addition, I use Microsoft Azure and Microsoft Exchange, as well as Teams and SharePoint. I have integrated them all into one environment. All the solutions are integrated into one solution and that makes my job easier. Integrating them is really easy because you have one platform to configure all of them. In the role of the global manager, I can make all the changes in these solutions. And the process for connecting all these apps is very easy.

I have two different environments, two different types of accounts. I have accounts for administrators and corporate employees, but I also have accounts for students. I can't split these types of accounts. I need a separate configuration for both. I don't have access to the laptops or computers of the students, so I can't deactivate the alerts from the students' machines. I get a lot of alerts from their machines. I need to research how I can get alerts for only the administrative machines.

I have been using Microsoft Defender for Endpoint for three years.

The stability of Defender for Endpoint is very good. I haven't had trouble with it.

The scalability is pretty good. It's easy to scale it.

I have different locations here in Mexico, with about 300 users here and two or three in the UK, depending on the travel schedule.

I have contact with a Microsoft partner here in Mexico as well as directly with Microsoft. If the partner doesn't have a solution, I can contact Microsoft support.

The support is very quick in communicating. Usually, with one mail or one call, the problem is resolved.

Positive

I used Trend Micro and Symantec in the past to research threats, like viruses and malware, but for me, Defender for Endpoint is the better solution. It's very easy to integrate all the tools and gives me a lot of information in one place. It's very easy to detect an attack or email threat.

I also get all the alerts on my cell phone. Because I have all the alerts, if one of my colleagues in the IT area makes a change, I have all the information. That makes it very easy to maintain.

For me, the pricing is very good, but for management it's very expensive. Other solutions are less expensive. But when I present all the information and all the reports they say, "Well, it's expensive, but the cost-benefit is very good."

If you have all the information, and you are clear about what solutions your business needs, and Microsoft has all that information, the change is very easy. It's a very good solution.

It is our endpoint protection solution as a part of the full Defender Suite that we use. We use it for every one of our devices, including Macs and Windows.

Each endpoint is with Intune, and then the management is done out of Azure.

It takes automated actions. If a device is found to have a virus, it will automatically remove it, isolate the device, and then notify us to follow up. That way, things are less critical when we get to them. It will stop the spread. We're a worldwide company with very few people on the security staff. It allows us to remove the risk in an immediate fashion without the staff having to jump on it, which just takes time.

It helps us prioritize threats across our enterprise. We have limited resources to deal with the threats. So, this prioritization is critical to us.

We use more than just Defender for Endpoint. We use Defender for Identity, Defender for Office 365, and Cloud App security. We use the whole 365 Defender suite. It is easy to integrate these products. The challenge is having all the features in your environment and obviously making it work within your environment because of your different applications and business processes, but all these solutions work natively together to deliver coordinated detection and response across our environment. This is critical for us because we have limited resources. So, allowing the machines to talk to each other and not having to jump from place to place just makes life a lot easier.

We use Microsoft Defender for Cloud for the hybrid cloud environment. We are not multi-cloud at this point. We use it to identify weaknesses within our environment, both prem and off-prem so that we can prioritize. We do not use Sentinel at this time.

For the most part, it gives me what I need in one spot. I do have to drill down into other dashboards for more defined reports. We go into the Intune dashboard for compliance and things like that.

Its threat intelligence helps prepare us for potential threats before they hit and take proactive steps. We use the secure score to help identify what we need to do to protect against things as they come up. It lets us know about any ransomware out there so we can jump right on those and do protections. We also use it for the compliance piece against NIST, PCI, and things of that nature.

It saves time. If I didn't have the integrated pieces of Microsoft Defender, to do the same amount and be on top of things, I would probably need two FTEs.

It has absolutely decreased our time to detect and time to respond.

The best thing I like about it is its interaction with the other Defender products. It provides the ability to push telemetry up. It gives me endpoint visibility and allows me to take automated actions. 

It is excellent in terms of visibility into threats. It is very comprehensive in terms of threat detection, and it keeps on getting better. They are consistently adding new features.

They're in the process of pulling more things together. They can continue with the integrations and provide a better way of seeing the impact of security changes, especially on the endpoint side. Before we actually flip the switch, we should be able to see the impact of security changes on the business or business applications. It would prevent breaking any business applications.

In its current rendition, I have been using it for two years.

Its stability is very good.

Its scalability is very good. It definitely scales easily.

Their support is okay. We get support through Insight, which is also our CSP. They're better. I would rate them a five out of ten.

Neutral

On the endpoint side, I've used Sophos and Symantec. We switched because of the integration between all different securities.

The deployment was relatively easy, but when you get into turning on the switches, things can get complicated because it has a lot of different features. Overall, it was easy.

We did it in-house. We had two security systems engineers doing it. 

We have seen a return on investment, but it is hard to give metrics. It has definitely allowed us to maintain a small team and increase our security posture. 

If you're on Microsoft products, and you've bought into what they're doing with Teams Voice and Office, then adding in the security piece is just a slight bump. You go with the E5 licensing, which saves you a lot of money.

With the bundling that Microsoft does, we have saved money. Buying individual point products would've cost us a lot more money than one integrated solution that also capitalizes on Teams Voice and things of that nature. Given our size, buying individual products would have easily cost us a million dollars.

We've looked at other solutions. We've looked at CrowdStrike. We've looked at Symantec. We went for Microsoft because of the full integration. The breadth of the products and the pricing were the main reasons.

I would advise following those secure scores and watching out as you start to communicate with your user base because you're going to impact applications.

To a security colleague who says that it is better to go with a best-of-breed strategy rather than a single vendor’s security suite, my response would be that you got to measure trying to do the integration because with security, to me, bringing that integration together is the key thing. You need to know how quickly you are going to be able to move from your detection to your mitigation. Are you going to turn on things on the firewalls or can you go right to the devices and isolation? The best of the breed is great, but trying to get them all to work together becomes very complex.

I would rate it an eight out of ten.

We use it as an antivirus and EDR solution. We also use it for vulnerability scanning and threat hunting.

It is cloud-based. We have a cloud-first strategy when it comes to our organization.

We are a very small, lightweight start-up organization who has only been around for a couple of years. We have 17 endpoints. 

We have it deployed on our endpoints and virtual servers. We have a few Windows Servers 2019, and we have onboarded those both onto Defender for Endpoint as well. Those servers are not managed by MDM because they are Server 2019, but we have onboarded them so they are being managed by Defender for Endpoint as well.

This solution definitely increases our security posture. When you are reviewing your existing fleet or endpoints and based on the configuration that you put out of your Defender for Endpoint, you then receive a security score from Microsoft. Depending on what rules you have configured, what policies you have deployed, and what attack surface reduction rules that you have set up and deployed, it is almost gamifying information security in the sense that you are always trying to achieve a higher score. The more hardening you perform on your endpoints, the better score you receive. This generally tends to give you a better peace of mind, but also makes you secure at the same time.

I like the fact that it is baked into the Microsoft platform. 

Since we have deployed it, we have been really impressed with the way that everything just stitches together really well. You can access all your security data and telemetry from a single pane of glass on the Microsoft Security admin console. You can access all your endpoints, see how your antivirus is running, and get all your vulnerability scans and reports. In the software inventories, you can review your known vulnerabilities and understand whether those are zero days or if there are active threats out in the wild. Essentially, you don't need to jump into different admin consoles. You have everything built into Windows Defender Security Center, which we find really useful.

If you consider our organization, we are a fairly Mac-heavy organization. At the moment, around 80% of our fleet are Mac OSs. We made a conscious decision to roll out Defender for Endpoint against all our endpoints, whether it is Windows or Mac OS. However, one thing that we have noticed is that there is definitely no parity on the platform between the two operating systems. When you are configuring, deploying, and onboarding machines, you can get very granular with your security configuration when you are deploying it to a Windows's endpoint. For Mac OS, it is a lot more straightforward. You don't have the ability to apply as much configuration as you would on Windows. That is definitely something that has room for improvement. 

I am also not sure how well the EDR functionality works on the Mac OS platform. It just provides an antivirus and the full EDR capability is not there on a Mac OS. 

The web filtering needs a little bit of work. We are actually in the market at the moment for a third-party web filter or cloud secure web gateway to try and plug that hole since it is a bit of a pain point for us. I don't think we will use the baked in version from Defender for Endpoint.

On the Mac OS platform, there is no parity between Windows and Mac OS. The solution is very feature-rich and very well-integrated into Windows, and I guess baked into Windows 10 and Windows 11. Whereas, on the Mac OS platform, there is still some work there to give it a more feature-reach platform.

I have been using it for about a year.

With Windows, we have been very happy. We have had no issues or problems whatsoever. We had one issue on the Mac OS platform when an update to Mac OS was deployed. It wasn't a major update, like Monterey. It was a point update. So I think it might have been 12.2.1 where the Defender icon was starting to display across, which means I found a threat or it's not working properly. We had that across a handful of machines. I did a bunch of Google searches and sort of realized this was happening to a lot of other organizations, so it was probably a false positive.

I contacted Microsoft support who confirmed that it was just a visual glitch. I guess Apple is well-known for this. When they do push out their updates, they attempt to break the occasional third-party system. That was the only issue that we have encountered, which was more a visual glitch than an actual threat.

It is pretty much zero-touch because the definitions sort of update themselves. The application updates itself because it is deployed through Microsoft Intune. Therefore, the maintenance is pretty straightforward.

It is very scalable. Because it is cloud-based, it is elastic in its nature. You can onboard machines en masse. Whether you are onboarding 15 machines or 1500 machines, it is very straightforward.

As we scale up, this is now our AV and EDR of choice. Every new machine will be rolled out or onboarded to Defender for Endpoint. We will be sticking with it in the long-term. We have also the logs and telemetry from Defender for Endpoint being ingested into our MDRC platform.

The technical support is very good. Wherever I have worked with them, we have always been enterprise customers. Whenever I have raised a ticket for support, you generally receive a phone call anywhere from 10 minutes to three hours after raising your ticket. Even if it is not a P1, but a P2 or P3 ticket or just a request for information that you have generated in the form of a ticket, they will respond back to you quickly.

They have good levels of escalation. So, if their first line support is unable to help, they can quickly escalate to the second or third line. I have never really had any problems with Microsoft support. That is across Defender for Endpoint and Microsoft Endpoint Manager as well as for the productivity throughout Office 365 and Azure Active Directory.

I would rate them as eight out of 10.

Positive

We currently have an MSP in place, which is a managed service provider, who manages all our IT support, service desk, and desktop support functions. They had already purchased an antivirus subscription for the organization when I joined the organization, and it was a fairly basic one. Our biggest problem was that it does not have any SIEM integration. 

When we decided to go down the route of having a SOC or MDR service, we couldn't ingest the logs from the antivirus platform into their SIEM. That is when the hunt started for a new AV service.

I wouldn't say the user impact has changed on top of the AV product that we had before.

The initial setup was very straightforward. Microsoft, as an organization, is quite well-incentivized to get you to use their own products. There are hoards of material out there via their social media channel, through their own documentation, or the Microsoft Learn platform. There are reams and reams of user guides for you to go through, all of which are fairly straightforward. They are regularly updated as well.

It is all cloud-delivered so there isn't any on-premise infrastructure that I need to maintain, patch, or configure. It is literally all configured in the cloud. So, it was a very easy setup process for me.

It took days to get a proof of concept together on a handful of machines. Over the next few weeks, once we got the go ahead and thought, "You know what? We are going to go with this." It was just a matter of weeks and that was more down to team availability. We needed to sit down and offboard the existing AV, which we weren't particularly happy with, then onboard Defender for Endpoint. So, we tied that project with our MDM rollout. Therefore, while we were deploying our MDM solution and enrolling the device, we were onboarding the machine to Defender for Endpoint as well.

I actually set it all up myself. I am the only technical person at the organization. I have worked with Microsoft quite extensively in the past, and I have used their fast track consultancy services in other organizations that I have worked with as well. Therefore, I am quite confident and familiar with Microsoft technologies. 

We then signed up with an MDR supplier who does managed detection and response. Essentially, that is a team of cybersecurity experts who connect to our infrastructure and all the data telemetry from our endpoints feed up to their platform. If they see any threats, anomalies, or events, they will then jump in, reviewing and remediating as required.

We had a consultancy session with one of their Microsoft consultants around a month ago, where they reviewed the setup that I configured. They put in two or three recommendations to harden the setup a little bit more, but they were overall pretty happy with it. Thus, if I can do it, then it can't be that difficult.

There is less overhead in terms of having the system administrator or information security manager jumping around different systems and trying to actively keep a handle on our security posture across the organization. Instead, everything is right in front of me.

One of the first things that I did when I came onboard in the organization was scrapping our reseller agreement. I registered us as a not-for-profit with Microsoft, and we now get subsidized licensing at effectively half price. It just sort of makes sense for us. Now, we buy our licenses directly from Microsoft rather than our formal license reseller.

Even if you are not registered as a not-for-profit, the offering that they have is definitely worth consideration. This is in the sense that the E5 stack just gives you so many benefits. You get your entire productivity suite through Microsoft 365 apps. You get all your security and identity protection. You get the Defender for Endpoint and Defender for Identity. You get the cloud access security broker as well. You get Azure Active Directory Premium P2, which gives you so many good things that you can configure and deploy. You don't have to configure them on day one, but you have access to so many different tools that will protect your data, security, endpoints, and identities that you could build out a security strategy 18 months long, and slowly work your way through it, based on what you have available to you through your license.

You can purchase some add-ons, like Microsoft Threat Expert team. I have not read too much into that, but my understanding is that comes at an additional cost. Since we have a dedicated MDR and SOC sitting on top of our Defender for Endpoint, it is not something that applies to us anyway.

We are E5 customers. Essentially, we have the flagship license. We looked at a lot of different organizations and vendors for our antivirus needs. We spoke to the usual suspects: CrowdStrike, Sophos, and Darktrace. 

Because we also have a Gartner subscription, we reached out to our Gartner analyst, and said to them, "Look, we have the E5 license and know that Microsoft doesn't have the greatest reputation when it comes to their antivirus products, but we understand they have come on a lot over the last few years. This is the direction that we proceed. We want to deploy Microsoft Defender for Endpoint. We then want to layer an external managed detection response service on top of it that will essentially provide 24/7/365 monitoring for alerts and anomalies." Gartner advised us that it has improved to the point where they are now considered one of the leaders on their magic quadrant, so we should be absolutely fine with it. 

Originally, Microsoft wasn't in mind for us at all. We sort of had our heart set on CrowdStrike because we were really impressed with them. We got quite deep into advanced discussions with them and Darktrace as well.

The deciding factor for going with Microsoft was the budget. We were already paying for the E5 licensing. So, we were allowed to use Defender without any extra costs. We could just enable and configure it. We thought that we would use the budget left over to purchase a dedicated MDR service who would maintain an overall ability for all the endpoints to connect with it. We could also expand that to our Google Cloud Platform as well as our AWS and Azure Cloud environments. We could also extend that service onto our physical appliances, e.g., the logs from our on-premise firewalls, security appliances, and routers.

We felt that in terms of scaling up to get to the security posture that we needed, this might be a better solution for us. Whereas, CrowdStrike and Darktrace, at the time, were more focused on the endpoints. For example, if there was some suspicious behavior happening on our Azure Active Directory and our CEO's user account was under a brute-force attack, then CrowdStrike wouldn't necessarily pick up on such an attack because they are more focused on the endpoint rather than the cloud instances. Thus, we thought Microsoft gave us better coverage overall as well as the fact that we were already licensed for it.

It just made sense for us to go down that direction. We just felt we would have a more well-rounded approach if we went with Defender for Endpoint supported by the MDR service, who would then provide monitoring over all our cloud instances, endpoints, and on-premise infrastructure and appliances.

One of the main benefits is cost. Being an E5 subscriber, we are essentially already paying for Defender for Endpoint. However, it wasn't on our initial list of antivirus solutions when we were going out to market. We really felt that we were going to go for a managed service, such as CrowdStrike or Darktrace. When we decided to go for Defender for Endpoint, we created a cost savings. So, it was easier for us to prove the business case to our senior management.

A good antivirus is something that sort of happily sits in the background and just pretty much does its job until it is needed. It is just sitting there constantly watching and monitoring. Then, if it does need to intervene or remediate against the threat, that is when you know, "My antivirus is happily working." We haven't had many incidents to deal with. To be honest, we have had a couple of false positives. 

Definitely shortlist them in your list when you are out looking for a new vendor. What tends to happen with a lot of IT professionals is that they overlook the Microsoft offering because of the reputation that Microsoft Defender has had in the past, when it came to its consumer version. However, they have spent the last few years completely revamping their security stack. I think it offers a really well-rounded, holistic approach to cybersecurity now. They are definitely worth considering next to CrowdStrike, Sophos, and Darktrace.

A lot of organizations are probably like, "Oh, no, we don't want to get Microsoft. We don't want to get Defender. We want to get an established name," but I think Microsoft has put a lot of effort, budget, and development time into their security stack. It is a great suite. 

As their Azure platform grows, they leverage that to power and drive their Defender for Endpoint. A lot of the protections that they deploy are cloud-delivered platforms. So, they are picking up telemetry from millions of different signals and endpoints. They have so much data and can see trends really quickly.

I would rate them as eight out of 10.

Microsoft Defender that you get by default on Windows is an unmanaged solution. It detects, but it is conventional EDR in the sense that it can detect malicious code on the machine, but it is not good from an enterprise point of view because you can't see what is being detected. The difference between Defender and Defender ATP is that you get what's called the execution chain, which is its classic use case. 

When I try to open an attachment to an email, Defender tells me that this is malicious, but when you are in an enterprise and you do receive an alert that the file is malicious, the problem usually for the analyst is that they don't know what the person clicked on. They know there was a malicious file but was it an attachment? Was it something on the USB stick? Did they download it from the internet? That's not clear. Defender ATP gives you the execution chain. In this particular example, you can see that it was outlook.exe that launched the suspicious file which then launched or tried to download various components. You can see the whole execution tree because very often, the initial thing you get is a dropper, which then downloads subsequent components, and very often, the subsequent components get missed.

It essentially gives you visibility into the execution chain. So, you are better able to do a risk assessment. For instance, if something came from Outlook, then you know that you need to go and look in exchange or look in the mail system. If the trigger came from winword.exe, then you know that it was a document, and the person had opened a document from the email. You might see Internet Explorer, when it was still there, spawn PowerShell or a command shell, which is unusual, or you might see calc.exe open a command shell. All of this detection is invaluable for identifying whether something is suspicious or not. Your EDR might not detect any of this, but ATP would see this suspicious sequence of opening and flag it. So, essentially it is the visibility and the ability to detect unusual behavior that conventional EDR would not necessarily do for you.

Its version is usually up to date. It is a cloud solution. 

Its visibility is the most useful part of it, and it also increases the effectiveness of your response. You spend less time asking the users the standard question of what did they click on. To which, they usually say that they didn't click on anything. You can go in ATP, and you can see that they opened an email and then clicked on a link, and the link is this. There is no hiding this. Users do lie.

You can detect threats that are not necessarily known because of a behavior. If you have Internet Explorer opening a command shell, that is not normal. That does not happen unless there is some kind of malicious activity. It is also very good for visibility into what PowerShell scripts do. PowerShell is a double-edged sword. It is very powerful, but in a lot of cases, there is no visibility on what it is doing. With ATP, we generally have that ability.

I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible.

The other feature that I like in Defender is that because it is up in the cloud, when you're trying to do any kind of managed service, it is fairly easy to set up if you're just within one tenant, but there are a lot of things wrong with the way Microsoft does it as compared to other products like Palo Alto Cortex, SentinelOne, or CrowdStrike.

The catch with ATP is you have to have the right Microsoft license. The licensing of ATP is linked to the licensing of Office 365. You have to have an E3 or an E5 license. If you have a small office license, it is not possible for you.

Another challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy. So, the licensing and the privacy aspect makes it problematic in some situations.

It is also very complicated. If you decide to outsource your monitoring through an MSSP, the model for allowing the MSSP to connect to your Defender cloud is very complicated. In Office 365, it is relatively simple, but because of the way it has been done in Defender—because Defender is not part of the same cloud—it is a mess. It is possible, and it is workable, but it is probably one of the most complicated integrations we do.

It is still clunky as compared to products like Cisco AMP, SentinelOne, and CrowdStrike. Microsoft took the Defender product, and they bolted on the extra features, but you can see that there are different development teams working on it. Some features are well integrated, and some features are not. They keep on improving it, and it is better than it was. It is better than an unmanaged solution, but it is far from perfect.

I have been using it for about two years. I've got a couple of customers today with it.

Its stability is lesser than some of the competition. I've seen machines having a blue screen. I've seen machines block, but it is usually a problem related to the lack of resources. I wouldn't deploy it on a machine with less than 16 gigs of memory. All the issues that we had on the laptops were essentially related to memory because it does all the analysis in memory, and it eats a lot of memory to do that. So, stability is more a function of making sure that your endpoint farm has what's available. If you've got less than 16 gigs, I would not recommend it. You need to either change your endpoints or consider using another solution because although it'll work, it can be very slow.

It is like Microsoft Office. Its scalability is good, but I don't know how manageable it would be on a big scale. The biggest deployment I've worked on was about 5,000 endpoints, and it seemed to be okay.

It is Microsoft support. It can be very good, and it can be very bad. It depends on who you get on the phone. I would rate them a five out of ten.

Neutral

It is very simple. You can deploy it through the normal tools that you use, such as SCCM. The deployment for it is linked back to your tenant. 

We use it as a headless install. It is pushed out onto all the machines. Our normal rollout process rolls out about 50 to 100 machines in no time. They can pull the agents from the internet, or they can pull the agents internally, deploy them, and turn them on. For an antivirus, it is quite quick.

In terms of maintenance, it is pretty much like other Microsoft solutions. If you are able to do the auto-update functions, that's good. The downside to it is that it is fairly heavy on network traffic. On one of the large deployments, we found we had problems with the internet gateway because the console and all the telemetry and everything else is in the cloud. It was problematic.

It runs in the background. It is like any other antivirus solution. Sometimes, it needs tuning. An example would be that we have developers who do a lot of source code compiling. They might have tens of thousands of files that get touched or accessed when they do a compile. We have to make sure that those particular file types and certain directories are not scanned on read when they're opened. Otherwise, what normally might take an hour to compile can take more than 12 hours. That's not a problem specific to Defender. It is a problem in general, but it is fairly easy to create profiles to say that for those particular groups of machines or those particular groups of users, these file directories are exceptions to the scanning.

The licensing fee is a function of your Office 365 license. The feature set you get is a function of the license as well. There is probably an E2 version, an E3 version, and an E5 version. There are several versions, and not all features are the same. So, you might want to check what features you're expecting because you might get shocked. If you only have an E3 license, the capability isn't the same.

You have to look at the total cost of ownership (TCO) because the license component is only one aspect of the block. So, if your internal IT teams know well about IBM cloud solutions, then Defender is very easy because there is nothing new. What hurts the projects is integration. It is a hidden cost because it is beyond licensing. It can be problematic if you don't have some of the other integration tools from Microsoft. So, if you don't have the package deployment platforms and all the cloud equivalents, then there is a lot of manual work involved.

The other aspect that comes into the cost is that there is an option to store. You can make the agents report a lot more information, but if you increase the storage, then you increase your Azure storage costs, which can be painfully expensive. You typically have about 7 to 30 days of basic detection data included, but if you want to keep a more detailed log so that your IT guys can go back and figure out what was going on, it would increase your storage requirements, and that can get expensive. I know customers who turned on some of the features to increase the detection rate, and they got a huge bill from Microsoft.

A weakness, as well as an advantage, of Defender is that it is always on the cloud. There is no on-prem. You deploy additional agents into the customer infrastructure, but the console and the feedback are through the cloud.

Customers often say that Microsoft has included it in their license. So, it is license-cost neutral, but just because it is included in the license and appears to be cheap, it isn't necessarily a good reason for doing it. It isn't equivalent to other EDR or XDR solutions, but to an extent, you get what you pay for. ATP is a work in progress. To me, it is not a complete product.

Customers also go for it because it gives them visibility, and it means it is one less system to manage. They have the license for it, and they just want everything in the same ecosystem. There isn't much that we can do about that. As an MSSP, we're agnostic from a technology point of view. If the customer says, "This is what we want to do," we'll take it over.

I would advise asking yourself:

• What do your endpoints consist of?
• Which operating systems, such as Windows, Linux, iOS, or Android, will you have to support? The functionality that you get depends on your license.
• What is it that you're trying to achieve by taking Defender? 
• Are there more capable XDR-type solutions out there? 

If I was comparing them, from most effective to least effective or least integrated, I would put SentinelOne, Palo Alto Cortex, Cybereason, Microsoft Defender, and Cisco AMP.

If you want to get into the advantages of XDR solutions, which is about the detection capability coupled with artificial intelligence (AI) and data leaking, then it may not be the solution that you want. If you also want to be able to do threat intelligence, it is not the solution for you. That's because essentially the threat intelligence features are not there. You can get some threat intelligence from Azure, Microsoft Sentinel, etc, but it is not in the product like with Palo Alto Cortex, SentinelOne, or Cybereason.

I'd give it a cautious six out of ten.