What is our primary use case?
We use it as an Enterprise Detection and Response (EDR) solution. We use it for compliance purposes, and we are starting to use it for DLP purposes.
How has it helped my organization?
Microsoft Defender for Endpoint allows our threat hunting and threat remediation teams to reduce the footprint of viruses when they come on the network.
We have immediate visibility on all endpoints. It is very good at visibility.
For prioritizing threats across our enterprise, the threat-hunting system in Microsoft Defender for Endpoint is not top-notch. We usually integrate it with things like our SIEM or Sentinel to prioritize, or with our SOAR system to automate.
We can feed the alerts coming out of it into our XSOAR system to immediately act on events versus waiting until people see them and use the ticketing system.
Microsoft Defender for Endpoint has saved us time. It has saved us at least 40 hours a week. We are able to automate and have the ability to handle threats on an enterprise with 50,000 devices.
Microsoft Defender for Endpoint has not saved us costs. It is a Microsoft product.
Microsoft Defender for Endpoint has reduced our time to detect and respond. By going from a manual process to an automated process, depending on the severity, the time reduced has gone from minutes and days to seconds.
What is most valuable?
The endpoint detection of threats is valuable. The initial detection of things like ransomware and viruses and being able to shut down machines immediately and stop a threat is valuable. We can stop a threat at its source versus allowing it to propagate across the network.
What needs improvement?
The product itself does not necessarily need improvement, but the support and implementation of the product are the disaster cases. Instead of being able to go back to Microsoft and ask how to do something, we have to work with a vendor who does not exactly know how to do that and has to go to Microsoft to say, "How do we do this?" so that they can answer our questions. There are a lot of things in relation to various compliance standards such as CIS. The primary levels of support of Microsoft do not know or cannot implement that. Working through vendors is time-consuming. It is a painful process to get back to them to get the answers.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for three years.
What do I think about the stability of the solution?
We have never seen any downtime in it, so it is incredibly stable.
What do I think about the scalability of the solution?
It is incredibly scalable. However, its ability to bind things into groups on its dashboard is limited. You can see your empire of 50,000 machines, but dividing it into regions, subgroups, and management areas is very limited.
It is deployed across the world. There are 250 sites worldwide with 50,000 devices.
How are customer service and support?
I would rate their support poorly. I would rate them a two out of ten.
Which solution did I use previously and why did I switch?
The history would be a Symantec product, but I do not remember what it was. Then we went up through Azure ATP to Microsoft EDR.
How was the initial setup?
I was involved in its deployment and initial setup, but I was not part of the PoC at the time. The deployment was very easy. We pushed it out with SCCM.
Our implementation strategy was PoC, small user groups, and then wide or regional deployments.
We have on-premises and cloud deployments. It is an endpoint protection platform. It goes on any endpoint that we have or that we have running. It could be an endpoint that is sitting in the cloud. It could be an endpoint that is sitting on-prem. We use Azure, GCP, and AWS. There is also some limited rack space from IBM.
What was our ROI?
We have reduced man-hours using the product. We have definitely been able to leverage automation with it more than with other products that we have used previously and other products that we are using.
What's my experience with pricing, setup cost, and licensing?
I recently switched from education to private business, and all I can say is that private business licensing from Microsoft is not cheap until you hit certain quantities or scale. That does not mean that it is not comparable to other industries. It is similar pricing, but it is still crazy to me how much you pay for a client. I feel it is high, but it is in line with other vendors.
Which other solutions did I evaluate?
We evaluated Cortex XDR, Carbon Black, and QRadar or whatever that solution was from IBM.
The Microsoft ecosystem is the main difference. Everything under the umbrella of the Microsoft security toolkit makes life easier when all the systems talk together nicely.
What other advice do I have?
To those evaluating this solution, I would advise first figuring out what your needs are. Figure out what levels of granularity you need in the system to see if it will support your needs. For example, if you have something like department-level control over devices, you might want to look at another system versus a central security solution that controls all devices. Beyond that, make sure your machines have the resources necessary to support the features you turn on in the environment. A lot of the resources in Microsoft Defender for Endpoint can be shut down for slower machines and older machines.
I would rate Microsoft Defender for Endpoint a solid nine out of ten.
*Disclosure: I am a real user, and this review is based on my own experience and opinions.