Microsoft Defender for Endpoint Reviews

We use it as an antivirus and EDR solution. We also use it for vulnerability scanning and threat hunting.

It is cloud-based. We have a cloud-first strategy when it comes to our organization.

We are a very small, lightweight start-up organization who has only been around for a couple of years. We have 17 endpoints. 

We have it deployed on our endpoints and virtual servers. We have a few Windows Servers 2019, and we have onboarded those both onto Defender for Endpoint as well. Those servers are not managed by MDM because they are Server 2019, but we have onboarded them so they are being managed by Defender for Endpoint as well.

This solution definitely increases our security posture. When you are reviewing your existing fleet or endpoints and based on the configuration that you put out of your Defender for Endpoint, you then receive a security score from Microsoft. Depending on what rules you have configured, what policies you have deployed, and what attack surface reduction rules that you have set up and deployed, it is almost gamifying information security in the sense that you are always trying to achieve a higher score. The more hardening you perform on your endpoints, the better score you receive. This generally tends to give you a better peace of mind, but also makes you secure at the same time.

I like the fact that it is baked into the Microsoft platform. 

Since we have deployed it, we have been really impressed with the way that everything just stitches together really well. You can access all your security data and telemetry from a single pane of glass on the Microsoft Security admin console. You can access all your endpoints, see how your antivirus is running, and get all your vulnerability scans and reports. In the software inventories, you can review your known vulnerabilities and understand whether those are zero days or if there are active threats out in the wild. Essentially, you don't need to jump into different admin consoles. You have everything built into Windows Defender Security Center, which we find really useful.

If you consider our organization, we are a fairly Mac-heavy organization. At the moment, around 80% of our fleet are Mac OSs. We made a conscious decision to roll out Defender for Endpoint against all our endpoints, whether it is Windows or Mac OS. However, one thing that we have noticed is that there is definitely no parity on the platform between the two operating systems. When you are configuring, deploying, and onboarding machines, you can get very granular with your security configuration when you are deploying it to a Windows's endpoint. For Mac OS, it is a lot more straightforward. You don't have the ability to apply as much configuration as you would on Windows. That is definitely something that has room for improvement. 

I am also not sure how well the EDR functionality works on the Mac OS platform. It just provides an antivirus and the full EDR capability is not there on a Mac OS. 

The web filtering needs a little bit of work. We are actually in the market at the moment for a third-party web filter or cloud secure web gateway to try and plug that hole since it is a bit of a pain point for us. I don't think we will use the baked in version from Defender for Endpoint.

On the Mac OS platform, there is no parity between Windows and Mac OS. The solution is very feature-rich and very well-integrated into Windows, and I guess baked into Windows 10 and Windows 11. Whereas, on the Mac OS platform, there is still some work there to give it a more feature-reach platform.

I have been using it for about a year.

With Windows, we have been very happy. We have had no issues or problems whatsoever. We had one issue on the Mac OS platform when an update to Mac OS was deployed. It wasn't a major update, like Monterey. It was a point update. So I think it might have been 12.2.1 where the Defender icon was starting to display across, which means I found a threat or it's not working properly. We had that across a handful of machines. I did a bunch of Google searches and sort of realized this was happening to a lot of other organizations, so it was probably a false positive.

I contacted Microsoft support who confirmed that it was just a visual glitch. I guess Apple is well-known for this. When they do push out their updates, they attempt to break the occasional third-party system. That was the only issue that we have encountered, which was more a visual glitch than an actual threat.

It is pretty much zero-touch because the definitions sort of update themselves. The application updates itself because it is deployed through Microsoft Intune. Therefore, the maintenance is pretty straightforward.

It is very scalable. Because it is cloud-based, it is elastic in its nature. You can onboard machines en masse. Whether you are onboarding 15 machines or 1500 machines, it is very straightforward.

As we scale up, this is now our AV and EDR of choice. Every new machine will be rolled out or onboarded to Defender for Endpoint. We will be sticking with it in the long-term. We have also the logs and telemetry from Defender for Endpoint being ingested into our MDRC platform.

The technical support is very good. Wherever I have worked with them, we have always been enterprise customers. Whenever I have raised a ticket for support, you generally receive a phone call anywhere from 10 minutes to three hours after raising your ticket. Even if it is not a P1, but a P2 or P3 ticket or just a request for information that you have generated in the form of a ticket, they will respond back to you quickly.

They have good levels of escalation. So, if their first line support is unable to help, they can quickly escalate to the second or third line. I have never really had any problems with Microsoft support. That is across Defender for Endpoint and Microsoft Endpoint Manager as well as for the productivity throughout Office 365 and Azure Active Directory.

I would rate them as eight out of 10.

Positive

We currently have an MSP in place, which is a managed service provider, who manages all our IT support, service desk, and desktop support functions. They had already purchased an antivirus subscription for the organization when I joined the organization, and it was a fairly basic one. Our biggest problem was that it does not have any SIEM integration. 

When we decided to go down the route of having a SOC or MDR service, we couldn't ingest the logs from the antivirus platform into their SIEM. That is when the hunt started for a new AV service.

I wouldn't say the user impact has changed on top of the AV product that we had before.

The initial setup was very straightforward. Microsoft, as an organization, is quite well-incentivized to get you to use their own products. There are hoards of material out there via their social media channel, through their own documentation, or the Microsoft Learn platform. There are reams and reams of user guides for you to go through, all of which are fairly straightforward. They are regularly updated as well.

It is all cloud-delivered so there isn't any on-premise infrastructure that I need to maintain, patch, or configure. It is literally all configured in the cloud. So, it was a very easy setup process for me.

It took days to get a proof of concept together on a handful of machines. Over the next few weeks, once we got the go ahead and thought, "You know what? We are going to go with this." It was just a matter of weeks and that was more down to team availability. We needed to sit down and offboard the existing AV, which we weren't particularly happy with, then onboard Defender for Endpoint. So, we tied that project with our MDM rollout. Therefore, while we were deploying our MDM solution and enrolling the device, we were onboarding the machine to Defender for Endpoint as well.

I actually set it all up myself. I am the only technical person at the organization. I have worked with Microsoft quite extensively in the past, and I have used their fast track consultancy services in other organizations that I have worked with as well. Therefore, I am quite confident and familiar with Microsoft technologies. 

We then signed up with an MDR supplier who does managed detection and response. Essentially, that is a team of cybersecurity experts who connect to our infrastructure and all the data telemetry from our endpoints feed up to their platform. If they see any threats, anomalies, or events, they will then jump in, reviewing and remediating as required.

We had a consultancy session with one of their Microsoft consultants around a month ago, where they reviewed the setup that I configured. They put in two or three recommendations to harden the setup a little bit more, but they were overall pretty happy with it. Thus, if I can do it, then it can't be that difficult.

There is less overhead in terms of having the system administrator or information security manager jumping around different systems and trying to actively keep a handle on our security posture across the organization. Instead, everything is right in front of me.

One of the first things that I did when I came onboard in the organization was scrapping our reseller agreement. I registered us as a not-for-profit with Microsoft, and we now get subsidized licensing at effectively half price. It just sort of makes sense for us. Now, we buy our licenses directly from Microsoft rather than our formal license reseller.

Even if you are not registered as a not-for-profit, the offering that they have is definitely worth consideration. This is in the sense that the E5 stack just gives you so many benefits. You get your entire productivity suite through Microsoft 365 apps. You get all your security and identity protection. You get the Defender for Endpoint and Defender for Identity. You get the cloud access security broker as well. You get Azure Active Directory Premium P2, which gives you so many good things that you can configure and deploy. You don't have to configure them on day one, but you have access to so many different tools that will protect your data, security, endpoints, and identities that you could build out a security strategy 18 months long, and slowly work your way through it, based on what you have available to you through your license.

You can purchase some add-ons, like Microsoft Threat Expert team. I have not read too much into that, but my understanding is that comes at an additional cost. Since we have a dedicated MDR and SOC sitting on top of our Defender for Endpoint, it is not something that applies to us anyway.

We are E5 customers. Essentially, we have the flagship license. We looked at a lot of different organizations and vendors for our antivirus needs. We spoke to the usual suspects: CrowdStrike, Sophos, and Darktrace. 

Because we also have a Gartner subscription, we reached out to our Gartner analyst, and said to them, "Look, we have the E5 license and know that Microsoft doesn't have the greatest reputation when it comes to their antivirus products, but we understand they have come on a lot over the last few years. This is the direction that we proceed. We want to deploy Microsoft Defender for Endpoint. We then want to layer an external managed detection response service on top of it that will essentially provide 24/7/365 monitoring for alerts and anomalies." Gartner advised us that it has improved to the point where they are now considered one of the leaders on their magic quadrant, so we should be absolutely fine with it. 

Originally, Microsoft wasn't in mind for us at all. We sort of had our heart set on CrowdStrike because we were really impressed with them. We got quite deep into advanced discussions with them and Darktrace as well.

The deciding factor for going with Microsoft was the budget. We were already paying for the E5 licensing. So, we were allowed to use Defender without any extra costs. We could just enable and configure it. We thought that we would use the budget left over to purchase a dedicated MDR service who would maintain an overall ability for all the endpoints to connect with it. We could also expand that to our Google Cloud Platform as well as our AWS and Azure Cloud environments. We could also extend that service onto our physical appliances, e.g., the logs from our on-premise firewalls, security appliances, and routers.

We felt that in terms of scaling up to get to the security posture that we needed, this might be a better solution for us. Whereas, CrowdStrike and Darktrace, at the time, were more focused on the endpoints. For example, if there was some suspicious behavior happening on our Azure Active Directory and our CEO's user account was under a brute-force attack, then CrowdStrike wouldn't necessarily pick up on such an attack because they are more focused on the endpoint rather than the cloud instances. Thus, we thought Microsoft gave us better coverage overall as well as the fact that we were already licensed for it.

It just made sense for us to go down that direction. We just felt we would have a more well-rounded approach if we went with Defender for Endpoint supported by the MDR service, who would then provide monitoring over all our cloud instances, endpoints, and on-premise infrastructure and appliances.

One of the main benefits is cost. Being an E5 subscriber, we are essentially already paying for Defender for Endpoint. However, it wasn't on our initial list of antivirus solutions when we were going out to market. We really felt that we were going to go for a managed service, such as CrowdStrike or Darktrace. When we decided to go for Defender for Endpoint, we created a cost savings. So, it was easier for us to prove the business case to our senior management.

A good antivirus is something that sort of happily sits in the background and just pretty much does its job until it is needed. It is just sitting there constantly watching and monitoring. Then, if it does need to intervene or remediate against the threat, that is when you know, "My antivirus is happily working." We haven't had many incidents to deal with. To be honest, we have had a couple of false positives. 

Definitely shortlist them in your list when you are out looking for a new vendor. What tends to happen with a lot of IT professionals is that they overlook the Microsoft offering because of the reputation that Microsoft Defender has had in the past, when it came to its consumer version. However, they have spent the last few years completely revamping their security stack. I think it offers a really well-rounded, holistic approach to cybersecurity now. They are definitely worth considering next to CrowdStrike, Sophos, and Darktrace.

A lot of organizations are probably like, "Oh, no, we don't want to get Microsoft. We don't want to get Defender. We want to get an established name," but I think Microsoft has put a lot of effort, budget, and development time into their security stack. It is a great suite. 

As their Azure platform grows, they leverage that to power and drive their Defender for Endpoint. A lot of the protections that they deploy are cloud-delivered platforms. So, they are picking up telemetry from millions of different signals and endpoints. They have so much data and can see trends really quickly.

I would rate them as eight out of 10.

Microsoft Defender that you get by default on Windows is an unmanaged solution. It detects, but it is conventional EDR in the sense that it can detect malicious code on the machine, but it is not good from an enterprise point of view because you can't see what is being detected. The difference between Defender and Defender ATP is that you get what's called the execution chain, which is its classic use case. 

When I try to open an attachment to an email, Defender tells me that this is malicious, but when you are in an enterprise and you do receive an alert that the file is malicious, the problem usually for the analyst is that they don't know what the person clicked on. They know there was a malicious file but was it an attachment? Was it something on the USB stick? Did they download it from the internet? That's not clear. Defender ATP gives you the execution chain. In this particular example, you can see that it was outlook.exe that launched the suspicious file which then launched or tried to download various components. You can see the whole execution tree because very often, the initial thing you get is a dropper, which then downloads subsequent components, and very often, the subsequent components get missed.

It essentially gives you visibility into the execution chain. So, you are better able to do a risk assessment. For instance, if something came from Outlook, then you know that you need to go and look in exchange or look in the mail system. If the trigger came from winword.exe, then you know that it was a document, and the person had opened a document from the email. You might see Internet Explorer, when it was still there, spawn PowerShell or a command shell, which is unusual, or you might see calc.exe open a command shell. All of this detection is invaluable for identifying whether something is suspicious or not. Your EDR might not detect any of this, but ATP would see this suspicious sequence of opening and flag it. So, essentially it is the visibility and the ability to detect unusual behavior that conventional EDR would not necessarily do for you.

Its version is usually up to date. It is a cloud solution. 

Its visibility is the most useful part of it, and it also increases the effectiveness of your response. You spend less time asking the users the standard question of what did they click on. To which, they usually say that they didn't click on anything. You can go in ATP, and you can see that they opened an email and then clicked on a link, and the link is this. There is no hiding this. Users do lie.

You can detect threats that are not necessarily known because of a behavior. If you have Internet Explorer opening a command shell, that is not normal. That does not happen unless there is some kind of malicious activity. It is also very good for visibility into what PowerShell scripts do. PowerShell is a double-edged sword. It is very powerful, but in a lot of cases, there is no visibility on what it is doing. With ATP, we generally have that ability.

I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible.

The other feature that I like in Defender is that because it is up in the cloud, when you're trying to do any kind of managed service, it is fairly easy to set up if you're just within one tenant, but there are a lot of things wrong with the way Microsoft does it as compared to other products like Palo Alto Cortex, SentinelOne, or CrowdStrike.

The catch with ATP is you have to have the right Microsoft license. The licensing of ATP is linked to the licensing of Office 365. You have to have an E3 or an E5 license. If you have a small office license, it is not possible for you.

Another challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy. So, the licensing and the privacy aspect makes it problematic in some situations.

It is also very complicated. If you decide to outsource your monitoring through an MSSP, the model for allowing the MSSP to connect to your Defender cloud is very complicated. In Office 365, it is relatively simple, but because of the way it has been done in Defender—because Defender is not part of the same cloud—it is a mess. It is possible, and it is workable, but it is probably one of the most complicated integrations we do.

It is still clunky as compared to products like Cisco AMP, SentinelOne, and CrowdStrike. Microsoft took the Defender product, and they bolted on the extra features, but you can see that there are different development teams working on it. Some features are well integrated, and some features are not. They keep on improving it, and it is better than it was. It is better than an unmanaged solution, but it is far from perfect.

I have been using it for about two years. I've got a couple of customers today with it.

Its stability is lesser than some of the competition. I've seen machines having a blue screen. I've seen machines block, but it is usually a problem related to the lack of resources. I wouldn't deploy it on a machine with less than 16 gigs of memory. All the issues that we had on the laptops were essentially related to memory because it does all the analysis in memory, and it eats a lot of memory to do that. So, stability is more a function of making sure that your endpoint farm has what's available. If you've got less than 16 gigs, I would not recommend it. You need to either change your endpoints or consider using another solution because although it'll work, it can be very slow.

It is like Microsoft Office. Its scalability is good, but I don't know how manageable it would be on a big scale. The biggest deployment I've worked on was about 5,000 endpoints, and it seemed to be okay.

It is Microsoft support. It can be very good, and it can be very bad. It depends on who you get on the phone. I would rate them a five out of ten.

Neutral

It is very simple. You can deploy it through the normal tools that you use, such as SCCM. The deployment for it is linked back to your tenant. 

We use it as a headless install. It is pushed out onto all the machines. Our normal rollout process rolls out about 50 to 100 machines in no time. They can pull the agents from the internet, or they can pull the agents internally, deploy them, and turn them on. For an antivirus, it is quite quick.

In terms of maintenance, it is pretty much like other Microsoft solutions. If you are able to do the auto-update functions, that's good. The downside to it is that it is fairly heavy on network traffic. On one of the large deployments, we found we had problems with the internet gateway because the console and all the telemetry and everything else is in the cloud. It was problematic.

It runs in the background. It is like any other antivirus solution. Sometimes, it needs tuning. An example would be that we have developers who do a lot of source code compiling. They might have tens of thousands of files that get touched or accessed when they do a compile. We have to make sure that those particular file types and certain directories are not scanned on read when they're opened. Otherwise, what normally might take an hour to compile can take more than 12 hours. That's not a problem specific to Defender. It is a problem in general, but it is fairly easy to create profiles to say that for those particular groups of machines or those particular groups of users, these file directories are exceptions to the scanning.

The licensing fee is a function of your Office 365 license. The feature set you get is a function of the license as well. There is probably an E2 version, an E3 version, and an E5 version. There are several versions, and not all features are the same. So, you might want to check what features you're expecting because you might get shocked. If you only have an E3 license, the capability isn't the same.

You have to look at the total cost of ownership (TCO) because the license component is only one aspect of the block. So, if your internal IT teams know well about IBM cloud solutions, then Defender is very easy because there is nothing new. What hurts the projects is integration. It is a hidden cost because it is beyond licensing. It can be problematic if you don't have some of the other integration tools from Microsoft. So, if you don't have the package deployment platforms and all the cloud equivalents, then there is a lot of manual work involved.

The other aspect that comes into the cost is that there is an option to store. You can make the agents report a lot more information, but if you increase the storage, then you increase your Azure storage costs, which can be painfully expensive. You typically have about 7 to 30 days of basic detection data included, but if you want to keep a more detailed log so that your IT guys can go back and figure out what was going on, it would increase your storage requirements, and that can get expensive. I know customers who turned on some of the features to increase the detection rate, and they got a huge bill from Microsoft.

A weakness, as well as an advantage, of Defender is that it is always on the cloud. There is no on-prem. You deploy additional agents into the customer infrastructure, but the console and the feedback are through the cloud.

Customers often say that Microsoft has included it in their license. So, it is license-cost neutral, but just because it is included in the license and appears to be cheap, it isn't necessarily a good reason for doing it. It isn't equivalent to other EDR or XDR solutions, but to an extent, you get what you pay for. ATP is a work in progress. To me, it is not a complete product.

Customers also go for it because it gives them visibility, and it means it is one less system to manage. They have the license for it, and they just want everything in the same ecosystem. There isn't much that we can do about that. As an MSSP, we're agnostic from a technology point of view. If the customer says, "This is what we want to do," we'll take it over.

I would advise asking yourself:

• What do your endpoints consist of?
• Which operating systems, such as Windows, Linux, iOS, or Android, will you have to support? The functionality that you get depends on your license.
• What is it that you're trying to achieve by taking Defender? 
• Are there more capable XDR-type solutions out there? 

If I was comparing them, from most effective to least effective or least integrated, I would put SentinelOne, Palo Alto Cortex, Cybereason, Microsoft Defender, and Cisco AMP.

If you want to get into the advantages of XDR solutions, which is about the detection capability coupled with artificial intelligence (AI) and data leaking, then it may not be the solution that you want. If you also want to be able to do threat intelligence, it is not the solution for you. That's because essentially the threat intelligence features are not there. You can get some threat intelligence from Azure, Microsoft Sentinel, etc, but it is not in the product like with Palo Alto Cortex, SentinelOne, or Cybereason.

I'd give it a cautious six out of ten.

I am a SOC analyst and I use Microsoft Defender for Endpoint to investigate endpoints in our environment and malicious activity.

The visibility into threats that Defender provides is excellent. The logs I receive are quite comprehensive, allowing me to see what is happening on each endpoint, including the running processes and generated alerts. It does a pretty good job of detecting when certain events occur, which helps me stay attentive to potential issues. Overall, it offers significant visibility.

Defender does a good job in helping to prioritize threats across our entire enterprise because it provides me with context by distinguishing between high and medium threats.

We also utilize Azure Sentinel, Defender for Cloud Apps, Defender for Identity, and Office 365. These solutions are integrated together, and whenever one of them receives an alert, it is sent to the main alert queue. I would give the integration an eight out of ten.

Sentinel allows us to collect data from our entire ecosystem. We primarily use it for the network firewall logs, but it can also handle other types of logs.

Sentinel does an excellent job of providing us with comprehensive security protection and visibility into security alerts and incidents. It informs us about policy violations, such as foreign user sign-ins and sign-ins from multiple or different devices, among other things. Therefore, it offers greater visibility beyond just phishing alerts.

Microsoft Defender for Endpoint has significantly improved our organization by identifying the activities of individual users and effectively hunting for any threatening activities they might engage in. For instance, if a user downloads a malicious file or clicks on a malware-infected link, the software can promptly detect and mitigate the issue on the server.

Defender helps to automate routine tasks and the identification of high-value alerts. Sentinel aids in the automation process by allowing me to address the issue of numerous false positives. Specifically, I automated the handling of certain false positives that originated from a particular IP range. This IP range was generating false positives due to a flagged server, even though the server itself was not actually malicious. In such cases, Sentinel proved to be beneficial as it facilitated the automation and removal of unnecessary noise.

Microsoft Defender for Endpoint has helped save us the trouble of looking at multiple dashboards by providing a single XDR dashboard.

Microsoft Defender for Endpoint has been instrumental in saving us time, especially by identifying true positives instead of wasting time on false positives.

I enjoy using the live response feature, which allows me to remotely access different endpoints and investigate malicious files, such as malware that people may have downloaded, and other related issues.

Threat intelligence has the potential for improvement, particularly by integrating more sources. This will enable us to accurately identify when a domain or an IP is malicious. If we could obtain information from external sources, it would reduce the need to use different open source tools to verify whether a domain or IP is malicious or not.

I have been using Microsoft Defender for Endpoint for a year and a half.

Microsoft Defender for Endpoint is stable. I have only experienced one crash.

Microsoft Defender for Endpoint proved to be scalable in our environment, supporting over 500 endpoints.

I have also used Splunk. Splunk is more modular and portable, allowing us to integrate it with a wide range of different tools. In contrast, features of Defender and Sentinel, such as those provided by Microsoft, do not integrate well with as many other options.

I would rate Microsoft Defender for Endpoint a nine out of ten. It provides me with greater certainty regarding malicious activity compared to Splunk, which demands much more analysis. Defender for Endpoint performs a significant amount of work in terms of identifying and validating malicious elements. This saves us from having to read and interpret a large number of logs. It takes care of the interpretation and conducts about half of the log analysis on our behalf.

I still have to conduct threat intelligence on my own, such as open-source intelligence. I don't automatically search VirusTotal for things, but I still end up doing my own source searching.

It's an AV and EDR. The AV is integrated with the OS and, once you onboard the devices through a portal, it also functions as an EDR.

The main reason it has improved our organization is that it is integrated with the entire Microsoft 365 suite. We get a lot of functionality and a centralized way of operating or controlling all the devices in the environment.

The solution automates routine tasks and the finding of high-value alerts. That helps a lot. I worked with a different product before and, if we wanted to check if a specific application was affecting our organization, we had to get the application details and then search in the EDR console or on the devices for those application details. But with Defender for Endpoint, you can simply put the application details in a query and run it, and that becomes a customized detection. I don't need to check for the same application again and again. I can get an alert whenever it pops up again.

There is integration with all the products, whether Defender for Cloud or Microsoft Purview or Office 365, so we have a centralized console. There is a sync so that you can get all the alerts in different portals on a single portal. That consolidation makes things easier because we don't have to navigate to multiple portals to check for all the information. Before, we used to only get basic details, like the title or the category of a particular alert. But now, since it is also syncing with Sentinel, we don't need to go to the Defender portal. We can view the entire alert story and related devices, or potentially affected devices, and which devices could be the next targets.

Another advantage is that the threat intelligence helps us proactively prepare for potential issues before they strike. There is an option to check for vulnerabilities and that is not only limited to our organization or the license we bought. We have one filter that will show all the potential threats in the market or that other customers might have reported. We can view them and the steps they have followed. There are all the CVD details that are not affecting our organization, things that are still new in the market, and it will give the remediation steps for them as well.

In terms of deployment, management, and manual efforts, it has saved me a lot of time. Previously, I would review each alert. That meant, during a given week, that I would be on alerts for three or four days, and only then would I go on to other things. It has saved me a couple of days a week because of the automation and auto-suppress rules, which are configured to automatically resolve an alert and trigger an email to me that the alert has come up and the action has been taken.

Because it has been integrated with the OS, we get the entire software inventories, and we even get access to the registries. Those are the primary features. We also have something called advanced hunting, which uses SQL tables to list out all the details of the device and that is also used for threat hunting.

Defender for Endpoint also helps prioritize threats across our enterprise, and we have an option for customized detections, which is an additional feature that differentiates it from other products. The customized detection helps us identify threats.

I would like to see improvement from a management perspective. We have had to depend on Intune for certain tasks.

I would also like to see additional features related to device control. For now, it has all the common features that other EDR and AV products offer, but device control is missing. Device control means automatically syncing the devices without any dependency on other products, like Intune, SCCM, or even Azure. If it could sync between products after only adding it to one product, that would be great.

I've been working with Microsoft Defender for Endpoint for close to one year.

It is stable.

It is also scalable. 

Since it's an AV and EDR, you can use it at any location and on all the platforms, including Android and iOS.

Support depends on the support contract you have. The Premier support contract is comparatively efficient.

I would rate their support at eight out of 10. Sometimes, because they have multiple teams, there could be a delay with a ticket going to a wrong team. But once it is routed to the correct team, we get good support.

Positive

I worked with one similar solution, which was VMware Carbon Black Cloud. Defender for Endpoint has the advantage because Carbon Black is a third party to the OS. That is going to create a lot of additional work to manually deploy things, check the installation, see if it's parsing. There could also be compatibility issues. Because Defender is integrated with the OS, you don't need to do those manual tasks to install the product or work through the compatibility issues.

It is pretty straightforward to deploy. There isn't any manual effort, even if you are a new customer and migrating from a different product to Defender. All you need to do is get a license and the credentials to log in.

In the back-end, if we were to deploy the new tenant, it would be on Azure, and there are a series of steps to follow, nothing complex. It's just a GUI. You just need to give the device count and the geographical location. It takes four to five people for the deployment. 

Once the deployment is done, you don't need to constantly monitor it, but four people would be good for operations: two people to manage the devices and configuration, and the other two to review the alerts that are coming and analyze the vulnerabilities. Once a month you should review and update the software. Other than that, there is only maintenance when there is an issue. The signatures are updated automatically.

You can manage the devices on-prem, but if you want the EDR solution, it's completely cloud. You still have the option to control the devices on-prem through SCCM or any other integration, but ideally, it's cloud-based. The back-end portal is on Azure, but the console or tenant for users or management is a different portal. It's not on the Azure portal, it's a different URL.

The time it takes to see benefits depends on the end-users' requirements or which products they want to integrate it with. In my case, after two or three months I felt like I had found the good things to integrate it with and had a centralized way to manage them.

The solution has saved us money compared to the other products we use, but it depends on the situation. If there are multiple integrations, you have to get the licenses for those as well. But in our case, comparatively, we have saved money.

We did consider other options, CyberArc and Trellix (which is the new name for McAfee products). But the ease of using Defender for Endpoint and the reduction in manual efforts are why we went with it. Also, collecting and reporting on the data was easier.

The visibility into threats that the solution gives us is the same as other EDR products. But one advantage I have noticed, because I have experience working with a couple of other EDR products, is getting the complete device registry information. If we want to query anything or look into the complete alert or vulnerability details, we can get to the core. We don't need to depend on getting access to the device. We can do it from a centralized console.

I've seen a lot of people saying that they are looking for feature X but it's not there in the product. Most EDR products function in the same way, but they call features by different names. My advice would be to consult with Microsoft's Fast Track support engineers. They can guide you and explain every feature. Go for that first and then implement it.

I would definitely recommend Defender for Endpoint because going with a third party would require a lot of maintenance. For smaller companies, Defender for Endpoint would be more cost-efficient than requiring more headcount to do more maintenance.

I have tried so many antiviruses personally, but this one is integrated with the operating system. That's one of the main reasons for considering this.

The main benefits are compliance and protection from threats.

It helps us to avoid disruption in the business. It helps us see if other solutions are causing any slowness to our end-user machines. We can see if there are any service availability issues. Operations-wise, it helps us a lot to maintain the uptime of our business.

It helps us prioritize threats across our enterprise, which is very important and one of our priorities.

We have the Defender for cloud applications. It's very easy to integrate. It's straightforward. These solutions work natively together to deliver coordinated detection and response across our environment, which is very important for us.

We did extensive testing of its functionality, and it's very effective. It covers almost all the new, unknown, and known threats. 

It helps automate routine tasks and the finding of high-value alerts, which is helpful for incident response and SLAs. It has saved us 50% of the time to respond to the incident.

It helps us to be proactive. It can detect unknown threats and alerts us. We're able to identify any malicious sign-ins or logins. 

It has decreased our time to detect and respond. Previously, we were doing it manually. It took one hour to two hours to detect and respond. Now, it takes us minutes.

It has very good detection and protection capabilities. They have a new feature for ransomware protection. 

It doesn't cause the slowness of the system, which is one of the reasons why I like it.

There is complexity in accessing the dashboard. Microsoft security suite has a different URL per service or per application. If there was one single place of information, that would help.

They should bring back the feature of a dedicated proxy device for communication to the cloud. As of now, all the agents are required to send the logs directly to the cloud. There should be a solution where you can put a proxy and all the logs are consolidated, like a forwarder.

I've been using it for about five years.

It's very stable.

It's very scalable. We have deployed it only to 250 endpoints for now. It's not enterprise-wide. We have plans to increase its usage.

I haven't encountered many issues so far. Their support is good. I would rate them an 8 out of 10.

Positive

We used another solution. The switch over to this solution was a management decision.

We have a hybrid deployment with the Microsoft Azure cloud. The initial setup was complex. There were some issues because a lot of prerequisites needed to be accomplished. It took us about three months.

We had a staged approach. We first onboarded non-critical assets and then moved to critical assets.

It takes time to realize the benefits from the time of deployment. It took us about two years.

We had around five people for deployment. Some of them were testers, and some of them were admins for the configuration and deployment of agents.

It requires maintenance. We have cloud administrators and desktop support for endpoints.

We did look into other solutions. We have criteria for evaluation. The features that stood out were their reputation and innovation.

I would recommend Microsoft Defender. They are a leader, and they have many deployment use cases. However, it also depends on the requirements of a company. There is no one-size-fits-all. Each company has its own unique requirements.

I would rate it an 8 out of 10.

I worked for an enterprise client in the public sector with half a million endpoints. I'm in Canada, and that's bigger than most US companies. Defender is an endpoint agent, but it's tied into what I would call a SOC outsourcing stack. It's part of a security operations center that is getting threat intelligence, comparing that to endpoint detection and response, and feeding it all back into a SIEM.

I use either E3 or will upgrade to the E5 full suite, or will go a la carte. You can pick one or two off there, but it usually makes more sense to go all E5. Sentinel and Defender are the two things I like in E5 that I work together.

We use Defender's bidirectional sync capabilities at a high level. I'm more of a high-end security architect, so I do the conceptual designs but not the implementation. Even though I like it, I don't know if it gets implemented and used or not. As a capability, as an architect, that's a good thing to have.

Our deployment is still a work in progress, but it will enable us to mature and automate our cyber incident response and threat security posture. Defender helps us automate routine tasks and the findings of high-value alerts. That's the SOAR part we hope to achieve with the project reaches maturity.  

Defender simplifies things if you are managing a multi-cloud environment or a hybrid deployment. Instead of having 10 dashboards, you're now down to three. It creates a fabric. Do I have a single pane of glass? No. However, I have three panes instead of ten.

It can give early warning signs. I'd stop short of saying Defender protects, detects, responds, and remediates. It still doesn't do the remediate part. Defender will ultimately save time and money when we've fully implemented it. I'll find more problems, but I think the integration will save me a lot more time on the operations,  incident response, etc. It's all speculative until you're fully deployed and got key metrics to prove it.

The biggest reason I looked at Defender is that the world seems to have shifted to Office 365 and Azure in the last couple of years because COVID is forcing many people to work from home. Defender has better out-the-box integration with Office 365 and Microsoft security solutions like Sentinel, and its SIEM. CrowdStrike or other top products are excellent, but I'd still need to integrate them.

Defender is great at identifying threats on Windows and Azure products. If the threats aren't related to Microsoft, I will use something else. My view of Microsoft Defender changed significantly over the past five years. I used to think it couldn't compete with best-in-class solutions like CrowdStrike. It was like a Microsoft version of CrowdStrike. Today, I think it's on par pound-for-pound with CrowdStrike on the EDR Gartner MQ capability list. 

If you have multi-cloud like Google and AWS, the native solutions are better for those particular cases. But if you want Azure covered and you use Sentinel and Defender, you can also integrate Defender well with Zscaler. 

Zscaler is more of a multi-CSP fabric with zero trust capabilities that integrate with CrowdStrike and other third-party tools. I use Defender and Sentinel for Microsoft, but I also like that Microsoft integrates very well with Zscaler and vice versa.

The comprehensiveness of Microsoft threat-protection products is great. Five years ago, I would've said don't use it because other products are better. Today, Microsoft Sentinel by itself is a leading Gartner SIEM tool. It has advantages over competitors because of the ability to integrate with Microsoft solutions and automate continuous monitoring of Microsoft AD and Office 365 data.

Sentinel aggregates logs from everything. It's pretty good at that. If you were on Google Cloud or AWS, you would use the native products, but Sentinel is useful if you already have it and you want to use it as the central log aggregator.

Defender offers SOAR plus UEBA, and you can integrate it easily with the endpoint, making it a compelling security fabric as a SOC technology stack. I would put it in the top four along with IBM, Splunk, and maybe Fortinet as one of the better-integrated UEBA types of technology suites.

Microsoft Defender improved a lot. They weren't even on the Gartner Magic Quadrant, and now they've equaled or surpassed the leading solutions. I would suggest they continue doing what they're doing on their product roadmap and develop more SOAR. The last thing for them to tackle is multi-tenant and multi-cloud handling.

I have been using Defender for about five years.

Defender is robust.

I'm still in the early stage, but the scalability seems impressive based on my research and the size of reference clients.

I've mostly seen the pre-sales part, like doing demos and licensing. As far as doing demos and licensing. My experience with the sales organization has been awesome, but I'm not dealing with maintenance, rollover, or contract.

Five years ago, I looked at Micro Focus, ArcSight, and maybe some best-of-breed UEBA and EDR solutions, like CrowdStrike and Intercept. Business considerations led me to choose Defender. 

Security people will go for the top security solution, but executives are worried about enterprise and return on investment. They push for Microsoft security products because they've got Azure and Windows. I now agree that it also makes sense from a security point of view,

As an architect, my experience with the deployment is limited to evaluations and PoCs, and the full roll-out is ongoing. Ultimately, it's a low-maintenance solution. The payoff on automation and maturity is getting ongoing maintenance and support, training, patches, and new product upgrades. That's part and parcel of why it's a good idea.

The price was a problem for me three years ago, but they improved their E3, E5, and a la carte licensing. In other words, you have to get all of E5. That used to be a problem because you had E3, Defender, and guardrails, but you needed an E5 license to get the management suite and the analytics. 

It's more flexible now. You can switch from a la carte to the entire suite when it starts to make sense. It's becoming more economically competitive to go that route.

Defender is good enough if I compare it to the leading EDR solutions on Gartner. I would place it in the top quartile based on cyber threat intel. Cisco Talos and CrowdStrike are better, but Defender isn't that far behind. The payoff for me is the native Microsoft integration. 

Suppose most of my applications and data were still on-premise and I didn't need to work from home because of COVID. In that case, I'd be looking at IBM, Q1 Radar, Resilient, FortiSIEM, or ArcSight because the legacy SIEM products do on-premise security well. However, most of my cloud data is Office 365 in Azure, so that's what prompted me to start looking at Sentinel and Defender. 90 percent of my criteria shifted to the cloud, specifically Microsoft Azure.

I rate Microsoft Defender for Endpoint nine out of ten. If you're planning to use Defender, you need to understand the options around E3, E5, and a la carte licensing. This is also true if you do a bake-off between IBM, ArcSight, or other best-of-breed products, understand what capabilities you really need. If you're a small or medium-sized enterprise, you won't have the same needs as a corporation with half a million endpoints. 

It is mainly utilized for telemetry collection and correlating specific behaviors or reactions to TTPs, IOCs, or indications of compromise. It is used for getting that level of detail. 

It is good for attack surface reduction, which is how you harden your endpoint so that they're less likely to be infiltrated or compromised if you have an operative in your environment. So, it's mainly used for reducing the opportunity for someone to compromise the system but also for rapid detection when that occurs.

Coming from an organization where the EDR wasn't strong, it has always been a case of basically searching through the information you already have and looking for something. It was basically trying to find the needle in a haystack. What the Defender platform does is that it reduces the size of the haystack, and it'll say that the needle is over here. Minutes matter, and it certainly zeros you in on the events that are concerning. It also simplifies the effort of trying to get some kind of correlation of behaviors or actions you see in the environment and confirming if something is benign or a threat.

Something that is unique to Microsoft is its licensing model. When you go out and you buy McAfee or Symantec, you know what you're getting out of the box, but with Microsoft, often, when you're looking to achieve a certain set of capabilities, those capabilities are spread across different products. You might try to do something you could do with CrowdStrike, but then find out that you also need to purchase Microsoft Defender for Identity or Microsoft Defender for Azure. You realize that when they talk about what they can offer within the Microsoft platform, it's really the suite of investments. So, sometimes, you may find yourself buying Defender for Endpoint thinking that it matches CrowdStrike, but then you find that Microsoft really needs to sell you something else. One plus one will equal three, but when you have a very concise platform, such as CrowdStrike, you know what you're going to get.

The other consideration is that because it's Windows native capability, your capabilities are largely influenced by what version of OS you're running. For a small-medium business, it is not a big deal, but at an enterprise scale, there are always Server 2000, Server 2003, Server 2008, Server 2012, Server 2016, Server 2019, and so on. So, you're talking about having six or seven different versions where your capabilities are not consistent between 2003 and 2019. It's like asking how robust was security in Windows 2000 versus Windows 2010. You'd say that they're not even the same OS from a security perspective, and that's crazy. When you buy CrowdStrike, you're deploying an agent, and so you get a fairly consistent set of capabilities that are agnostic to the OS version, whereas, with Microsoft, the capabilities are largely influenced by the OS version. For an enterprise, being up to date is a very big consideration to be successful with the platform. So, it forces your platform to not lag behind. You can't have the old server versions and expect that you've got a robust EDR. Defender shines on Server 2016 and higher, but if you were to do some type of penetration or red teaming exercise on a 2003 server, you'd be better off with CrowdStrike or pretty much anything else.

We've been piloting it for the last six months, and this is what we have selected to implement.

There are no scalability constraints because it's all in the cloud. It's a SaaS. So, they can take on more PCs than any Fortune 500 would even have. The only constraint is that in terms of scaling, the strength of the platform is highly influenced by the OS version. If you were largely using Windows XP and Server 2003, you would not want to choose Microsoft Defender as your suite.

It is fantastic, but sometimes, it could be challenging to navigate. If you buy something like a Carbon Black or a CrowdStrike, you normally have one sales rep and one sales engineer, and depending on the level of support you pay for, you may get premium or platinum support, which means you have a very concise escalation path. With Microsoft, there are 20 different account reps. There is a productivity suite guy. There is a security guy. There are so many different places, which can create some confusion at times, but there is no lack of resources. If you have an issue, there are so many Microsoft employees and reps who are engaged at the enterprise level that once you figure out who to speak to, you get traction pretty quick. So, in summary, because there are a lot more people, their support is really great, but sometimes, having a lot more people can also create confusion in terms of where to go.

It is easy. It is native. They're literally like checkboxes. There is really nothing to package and deploy. If you're at a current version, it is a policy. You just turn on the policy. You go through the setup of installing McAfee on your home computer with next, next, next, and finish, or Microsoft will say, "Hey, we noticed you don't have an AV. Do you want to enable Microsoft or Windows Defender?" You say yes, and you slide the box from off to on, and you're now protected. It is like that. It couldn't be easier. There are things like firewall rules and network considerations that have to happen, but from an enablement perspective, because it is native, it really reduces the burden of onboarding the platform.

We didn't go through a real comprehensive analysis when we made the selection. We did some light touching, but we really did not do some comprehensive analysis between Microsoft and CrowdStrike. 

At an enterprise level, a lot of the stuff is based on relationships. It's not like you're starting from a green field. You look at who is your strategic vendor and who is not. With Microsoft specifically, you always get bundle deals towards your renewals. It's always like if you buy more Office 365, we can give you a discount on Defender and things like that. If you don't have a relationship with CrowdStrike or someone else, it is hard for their rep to speak to your CEO or your CSO, but Microsoft does. They've already got standing monthly meetings with them. So, we've made a determination to go with Microsoft because:

1. The technology is compelling.
2. It is a strategic fit for us. 

I would rate it a nine out of 10.

Our use cases, and the way we deploy it, depend on the different situations we encounter.

There may be a company that is already using the Endpoint Protection solution and we have to do a migration.

Another scenario is that a company may be migrating away from another endpoint threat protection solution.

And there are some companies that are already using SCCM, and we may have to go through one of two scenarios. One is to co-manage with what they call Microsoft Endpoint Manager and Configuration Manager. If they are already using SCCM, and only SCCM, we will typically have to go through a process where we integrate SCCM into Endpoint Manager and then they'll usually bring some endpoints into Intune and they'll do a PLC. They have to Azure AD-join or register a device into that so it can be managed through Intune. They may even co-manage it for a while until they fully onboard into Intune only. A lot of people are looking to get away from co-management and managing through Endpoint Manager. But there are some prerequisites to accomplish that.

The endgame for most companies is they want to manage things from Intune only. There are different paths to get there, depending on what they already have in place.

Overall, Defender for Endpoint has created a better security posture, particularly in these COVID times where no one is on-premises anymore and they're working remotely.

More than anything, what I find most valuable is the holistic integration with all Defender products and MCAS. You can not deploy this in a vacuum. It's like most Microsoft technology. If you want to do a Zero Trust model and framework, you have to deploy things in a holistic solution.

Among the new features I like is that you can ingest your Defender events directly into your SIEM/SOAR product, particularly Azure Sentinel, although not a lot of people are using that and you don't have to be using it. You can ingest them into any SIEM/SOAR product directly.

There are features that have helped improve a company's security posture, now that remote work has come into play. Microsoft had to come up with a solution because identity is the new security plan. The largest attack surface is going to be your endpoints, so you have to be able to control your endpoints. There is malware that can collect IDs and it doesn't have to be from privileged accounts, it could be from any account. Once they get in, then they can start looking around to see if there are any security holes, move laterally, and get a hold of a privileged account. And if they get a hold of a privileged then they can just turn off all your security controls and get to your data and you've got a ransomware attack. With Defender for Endpoint, it's the combination. Every one of the features in it is equally important, but the most important thing is integrating it with the other Defender products, to create a holistic solution.

The best feature is the fact that for certain mobiles you can control your corporate profiles versus your personal profiles. That is amazingly important. Apple just supported the separation of corporate and personal profiles, whereas Android has been doing that for quite some time. You are better off as an organization, when it comes to BYOD—because Apple just now started supporting separation of corporate and personal profiles—to start with the version that supports that feature. If you go below that level, you don't get that feature, and it makes it very difficult to separate corporate and personal profiles. Because Android supports that, if an Android phone is lost or stolen, I can wipe out all the corporate-related information from that phone and not touch the personal side. I can separate the apps and I can separate the ability to cut and paste between apps. I can cut the ability from sharing files between apps between the personal and corporate profiles. From a data loss prevention standpoint, I can completely segment corporate apps and data from personal apps and data.

Another feature is that it is now supported across multiple platforms, where it was regulated at one time for just Microsoft-supported operating systems. That development is very important.

There are a few caveats, things we have run into. It's not easy to create special allowances for certain groups of users. It can be a little heavy-handed in some areas where Microsoft has decided to lock a feature out, meaning they make it hard to make an exception. I'll give you two examples. One company we work with needed to use about 20 different thumb drives for about 20 users. To make that exception for them was very difficult. In fact, you can't really make an exception. But what you can do is allow them to use it and, while it will still alert, you can actually suppress those alerts. Another example was where a group needed to be able to go in and manipulate their PC ERP settings. To make an exception for them was also a difficult process. A lot of people have suggested that Microsoft should not, by default, make it so difficult by locking your ability to make exceptions.

Another issue is that when you implement this it is not a single solution in and of itself. You have to implement what are called security baselines for each platform. But Microsoft does not have security baselines, other than for its own products. That means that when you want to do a security baseline for say, iOS or Android, you have to depend on other security organizations' recommendations and set the security controls to create those security baselines for other platforms. You would typically use CIS. But when it comes to iOS, it's a real pain. iOS requires you to create a security baseline for every version of iOS. Android does not.

I've been using Microsoft Defender for Endpoint since it first came out. They bundled it into M365 licenses, particularly E5 licenses or the equivalent, around 2019.

Like every other security product out there, the stability of Defender for Endpoint is a work in progress. The solution is trying to address a tough problem and anybody will tell you that cyber security is not a fair fight. It's just incredibly hard to defend against the bad actors. Everybody is scurrying right now to come up with different ways to stop the problem and it's just not there yet.

In terms of scalability, we have run into organizations that are very large and that have said it doesn't scale well. I'm part of MISA, the Microsoft Intelligence Security Association, and we did a review of all their products and they all had scaling problems, including SIEM/SOAR, MCAS, Endpoint Manager, et cetera.

There are two "fronts" for anybody who is using a SIEM/SOAR: one is how fast they can ingest, and the other one is how fast they can make decisions. You want to do this in real-time, or near real-time.

The ingestion problem is that you're ingesting a bunch of stuff from everywhere: from the network, from identity, from all your services, and your apps. It's a crazy amount of data. Some organizations are doing on the order of 5 billion events daily. How do you ingest all that in a timely manner and correlate it? You have to do it in a distributed way. There will be a top-level SIEM/SOAR and several underneath it that are collecting data for a particular location or a set of users. You trim that down and eventually ingest stuff to the top so that you can see things from the holistic viewpoint. Or you decentralize it, where office A and all its users have their own, and office B has its own, and you don't necessarily roll it up into a single, corporate-wide solution.

There are products out there that are addressing this by not storing the events directly onto disk, but into flash drives, so they're super-fast. They never put it on a disk and save it. You can have the option of saving it to disk for long-term retention. But the immediate ingestion of events is happening through flash drives. It sits in fast memory, never gets written to disks, and that's how they're speeding things up. And there are AI/ML engines pulling that stuff in and they can act much faster.

In addition, some AI/ML engines are more mature than others. There is a lot of work being done on that front. When it comes to Endpoint Manager there are a bunch of events coming from a ton of endpoints. It's no different than ingesting events from a thousand database servers. Or they could be from your whole application reference architectures, and your data analytics reference architectures. Everybody sees the problem coming, the problem of big data. That's what we are really talking about. There is a whole lot of stuff coming in and we have to make sense of it, figure out what's relevant, have a scoring system and prioritization system to make decisions fast. For example, the bad guys are able to get into your systems and, within 20 minutes, they've already done an assessment. Usually, if you're lucky, you can respond to that in 30 minutes. And if you're a huge enterprise, you may not even be able to respond that fast.

That's the reason everybody says it's not a fair fight. We don't have the tools right now to react fast enough.

As for how extensively it's being used by our clients, anyone who is going to use it plans to use it as a one-stop solution. They won't be using multiple solutions and they will roll it out to every endpoint. It makes perfect sense to do so because you don't want to have multiple products and require your staff to have knowledge of multiple products.

For big corporations, it takes a little while to get there. It's something that has been evolving for 30 years now. Organizations want to settle on a standard desktop and want to be able to do configuration control that allows them to control the apps and the usability from a security standpoint. It used to be, "Let's make it easily usable." But now the industry is flipping that over to, "It has to be secure." The vendors have finally come to the point where the balance between usability and security is leveling out.

I've used multiple solutions in the past. We switched based on our customers' requests. Some do it for solution architecture reasons and some of them do it for enterprise.

The enterprise customers say, "Oh, we know we need Endpoint Manager, but we need to align a solution with our business requirements first. Before you even select a solution we are going to look at our business requirements, then do a bake-off possibly, and then select a solution." Or they'll just look at industry ratings of the solutions and say, "Oh, this is the best one," not knowing that those ratings don't necessarily look at every new solution out there. There are so many. We are a VAR and we resell hundreds of security and regulatory compliance products. Usually, unless they bring us in at the early stages of the process, our clients have already picked a solution.

The initial setup is very complex. To me, it's one of the more complex solutions because it touches so much. I have to know every platform and every platform version, when I create security baselines. As I mentioned, certain versions of iOS don't support the separation of corporate and personal profiles, and then you run into the scenario where they're already using some other endpoint protection and they want to migrate it to Microsoft Defender for Endpoint.

Or there is the scenario where they are using SCCM and to then use Microsoft Defender for Endpoint you should really require Endpoint Manager, meaning that you have to transition to that. And as I noted, making exceptions is hard. 

And when you integrate it across all the Defender products, and are managing a project like that, you have to get to a point where they're ready to be integrated, which is an issue of timing. So it's one of the more complicated things to roll out, compared to Defender for Identity. Defender for Office 365 is pretty large too, but Endpoint is the hardest of the three.

It even touches identity, because there are Azure Active Directory conditional access policies, and those are connected with Endpoint Manager. You've literally got to look at what policies and what setup within Endpoint Manager can apply to different versions of iOS. You have to dissect so that if you're going to do BYOD, for example, and allow a version of iOS from some early version and up, you have to understand that there may be some options that you can use with one version that you can't with others. It's much easier to do with Android than it is with iOS.

When you start heading down that path, it's a maturation process. You have to roll things out in phases. It's a very complicated product. Like with SIEM/SOAR products, when you start getting events, you could be flooded with them. You have to learn to tune it, so that you can differentiate the trees from the forest. You have to correlate things and automate your responses. That type of tuning process is a long process one to get the clutter out.

A product like Sentinel is pretty cool because it has predetermined workbooks, and predetermined manual and automated responses. It has playlists. They are making it very much easier to trim that clutter and to get to the nitty-gritty, and they have done so with Defender for Endpoint.

The deployment time, with fine-tuning, depends on the size of the organization. If it's a small or medium business, it could take three months to deploy and tune, and it could take longer; up to six months. It depends on many factors that I've mentioned, such as if they're migrating, or if they have an integration between SCCM and Intune. It also depends on the expertise level of the organization, its maturation level, and skill sets. All of that comes into play.

It also depends on their starting point in terms of some of the prerequisite services. You don't generally roll out Defender for Endpoint until you've got identity governance and protection. That's the first thing you do because everything is dependent upon that. After that, the prerequisite is rolling out Endpoint Manager, and then Defender for Endpoint. If it's a hybrid situation, you may roll out Defender for Identity so you can cover your Active Directory controllers and provide threat protection for them, although you can do all the "Defenders" in parallel; you just have to time them correctly so that when you integrate them together they're ready to go.

For large organizations, it could take a year or two. For example, if there are half a million endpoint devices—and that's possible if you have an organization with 200,000 employees and contractors, and each has a laptop and a mobile—it can take some time.

In terms of an implementation strategy, I have developed work-breakdown structures for just about every Azure service and almost every Azure M365 service. They look at working with them holistically, but they are broken down into each individual service and mention the other services within the work-breakdown schedule, and how you integrate them. The first thing I do is a current-state assessment and that gives me an indication of the readiness for deployment. The next steps are plan, design, deploy, manage, secure. There are strict sets of security controls and I have to gather every single one of those per platform. It's quite a long process. It follows the saying, "If you fail to plan you plan to fail."

As for staff required to maintain Defender for Endpoint, once you get it set up and tuned it's not too bad. It depends on the size of the organization again. If a business has 100 people, one person can do it easily. If there are a few thousand people, you may need two or three people. It often depends on your getting all the features rolled out. In IT it often happens that we roll stuff out and we always intend to get to that other piece but we just never get the time to do it. Many organizations are going to a lean staff and bringing in consultants to help roll things out. For us, as a contractor, it's great. Our business is booming.

Most organizations that we have come to want to replace their current endpoint protection solution for Defender. A reason many of them do that is that they aren't pleased with whatever they have. They may not know what features are relevant and just don't know how to roll them out. They realize, "Oh, I bought M365/E5 licenses, and Defender comes with them already. Why not use it?" 

Most people don't realize M365/E5 licenses are an amazing deal. They think "Oh, it's expensive," and I'll ask, "Compared to what?" If you don't have it you will have to buy licenses for multiple products to fill the same security space that you would have gotten with the Microsoft product. Go figure out how much it costs you per product, per user, and then come back and tell me how things add up financially.

If our client brings us into the process at the right time, we evaluate products for them, since we're evaluating products constantly. That's part of what we do. We have to know, through a deep-dive, the pros and cons of each. We are constantly being updated by our vendors about how they're addressing a particular security area.

Is Defender for Endpoint the best product out there? No, it's not. I can think of several others that are pretty amazing. It's still a product that's evolving, but it does a really good job for the most part. It does the best job when it is integrated with the whole Microsoft holistic solution. If you look at Microsoft's site, you will see what capabilities Microsoft has. They will show you how these products integrate and work together to give you a holistic solution to develop a Zero Trust model framework.

And while it's not the best solution overall, some of the pieces are. There are several areas where Microsoft is good or better than most, and then there are some weaknesses when you do Zero Trust. They don't have a secure web gateway product. Their MCAS or CASB product leaves a little bit to be desired. There are other solutions, in those two components of a Zero Trust model, that do a much better job. Zscaler probably has the bulk of the business but I'm a big fan of Netskope. There is Crowdstrike, and Forcepoint may be making some inroads because they just developed a new anti-malware technology. But none of them are going to be perfect because malware is a hard problem to solve.

There is also a new product I just reviewed for M365 Security that is pretty amazing on paper. Although I haven't actually kicked the tires on it yet, it looks really good and it's from one of the fastest-growing companies out there.

Think of it like this: If you don't buy E5 licenses or the equivalent with M365, you don't get Defender for Office 365. People don't realize that product is a kind of a split product. It's a multi-function product. It has some DLP pieces that work with MIP and it has some pieces that work with the Office 365 outlying suite. It's a little bit of a funky product.

But one of the things it has is a part of your Exchange Online protection. Without it, you don't get the features like anti-spam, anti-virus, safe links, and safe attachments. That combination addresses what is called a combined attack. You get an attachment and the attachment may have a link in it, or you get an email that has a link in it. They all look legitimate. If someone clicks on it, it takes them to a malware site, and bam! You just downloaded it into your computer and now endpoint protection comes into play.

Eighty percent of malware is still spread via email today. That's how they attack you. They're trying to penetrate your apps and they're even trying to penetrate your M365 online apps. This product works inline and they've already proven that, even with Defender for Office 365, there are still malicious messages getting through. The bad actors figure out how. They actually buy the product and figure out where its weaknesses are and they attack it. Because it's such a popular product it's the one they're going to target. It has the biggest attack surface. They've been attacking the weaknesses of M365, particularly the Exchange Online protection and all the weaknesses in Defender for Office 365. They've just been clobbering it. We're having a lot of people say to us, "Do a security assessment on our M365". All I can tell them is that it's not their problem as much as it's the product's problem right now.

Microsoft is trying to address things as fast as it can, but it's going to take months to get there. But here is another product you can add on that can help you fill those flaws. What this other company has done is that they've said, "We'll fix those flaws for you and we'll make it an easy process to do so." Usually, the circumstances in which you need an email security gateway is when you don't have an E5 license. But now they're even attacking that. And when that happens you have to change the MX record. With this new product that I've read about, you don't have to do that. It just supplements the weakness of M365, not only in Exchange Online protection but throughout all the other apps, like Sharepoint, Teams, and OneDrive. That's pretty impressive. And it works with all those products easily, without change in administration or training. It installs in minutes. I was floored when I saw that.

The organizations I have worked with that are using Microsoft Defender for Endpoint are mostly small- and medium-sized businesses. Our larger customers are generally not using it.

There was a service built within our organization, a service that is very much hooked in with CrowdStrike. If you've ever seen the CrowdStrike products, you'll understand why. They are pretty impressive products. They do some things that help them see malicious activity in near real-time. Can they react to it in near real-time? No. But like everybody, they are trying to find a way to be able to react faster. They just bought a company called Humio, which is a SIEM/SOAR product I referred to earlier that does not store events directly to disk, so it can act on things much faster.

Used alone, I would rate Defender for Endpoint a seven out of 10. When integrated with other Microsoft products, I would give it an eight. It really depends on other pieces of the solution for Zero trust to work properly. It won't work well if you deploy it by itself. If you're going to use Defender for Endpoint, you should also use Defender for Identity, Defender for Office 365, and the full gamut, including MCAS and MIP, and then you will need your SIEM/SOAR. It's a long journey. And you had better have done your identity very well. If you haven't, it won't really matter what you throw in place, once they breach your identity plane. That's the most important one. I can put every possible safeguard in place, but if someone gets the keys to the kingdom, I might as well just turn them off.