Microsoft Defender XDR Reviews

We have it deployed as part of our security stack for our endpoints.

The technicians working on the issues have a clearer idea of a higher priority issue versus a lower priority. 

I like that Defender is easy to use and the alerts are all in one central location.

Some of our older hardware experienced a slight bump in CPU and memory usage. Although I don't have empirical data to back that up, I would suggest possibly more streamlining in the software.

I have been using Defender XDR for seven months.

We haven't had any issues with it, so I don't have any problems with its stability.

From what I have seen, it's easy to roll out to new onboarded machines and servers.

Microsoft support is not very good. You get stuck in low-level support for way longer than you should, instead of them escalating the issue up the chain. This is kind of the same with all Microsoft support, not just XDR.

We had BitDefender EDR, which is a pretty similar product, but we switched because we were trying to put everything under the Microsoft umbrella. We got good pricing on it and were happy with the results of the testing we did. Defender XDR officers richer insights into Defender XDR. It's a better overall experience. 

I don't personally crunch those numbers, so I don't know. But I know that we're committed to this for the future, so I would assume that we're doing okay.

Defender XDR is priced comparably to other solutions on the market.

I would rate Defender XDR as an eight or a nine. There is always room for improvement.

Extended XDR expands threat protection across endpoints, email, identities, and cloud environments.

Microsoft Defender XDR provides strong identity protection with comprehensive insights into risky user behavior and potential indicators of compromise. It includes capabilities for monitoring Active Directory against attacks and threats, making it a broad and deep solution for identity security.

Improving scalability, especially for very large tenants, could be beneficial for Microsoft Defender XDR. Additionally, enhancing the privilege access management capability would make it a better solution overall.

I have been using Microsoft Defender XDR for about a year and a half.

Microsoft Defender XDR is very stable. I would rate the stability as a 10 out of 10.

I would rate the scalability of the product as a 10 out of 10.

Microsoft's customer support for Defender XDR is generally very good and I would rate it at around an eight out of ten. Larger customers like us, especially those partially owned by Microsoft, tend to receive excellent support. However, smaller organizations may not experience the same level of support.

Positive

Microsoft Defender XDR is typically deployed at the organizational level across multiple locations and departments. Maintenance is required, and the number of people needed depends on the organization's size and complexity. It could range from a large team for a big organization to just a few individuals for smaller ones.

Microsoft Defender XDR is expensive, especially for the full suite functionality. However, when compared to buying multiple-point solutions separately, it may be comparable in price. Overall, it is competitive within the market, but the broad capabilities make direct cost comparisons challenging.

Clients implement this tool to address various security issues efficiently. Microsoft Defender XDR offers a unified solution for a wide range of security needs, including extended detection and response across multiple platforms like Office, endpoints, mobile, and identity.

Microsoft Defender XDR includes some identity and access management features, especially when used alongside Azure Active Directory's privileged access management capabilities.

While primarily focused on Microsoft technologies, Microsoft Defender XDR can integrate with third-party SIEM vendors and covers multiple operating systems, including macOS, iOS, Android, and Windows, through its Defender for Endpoint and Intune capabilities.

Microsoft Defender XDR is designed as an XDR solution, utilizing the Mitre ATT&CK framework to detect and correlate events across various areas of compromise. It can identify and correlate events related to advanced attacks, such as business email compromise and ransomware, affecting security operations by providing insights into the events leading up to such attacks.

When security products like antivirus and vulnerability management software are discontinued in favor of Microsoft Defender XDR and other Microsoft 365 tools, it streamlines operations but may require less manual correlation of security events.

Some organizations might experience a 10-20% cost reduction with Microsoft Defender XDR, but for me, the main goal is to improve detection and response capabilities, not just save money. It is about adapting to the evolving threat landscape rather than focusing solely on cost savings.

Microsoft Defender XDR has saved time for our security team, making our operations more efficient.

For those evaluating Microsoft Defender XDR, my advice is to understand your requirements and map them to the appropriate licensing capabilities. It is not a one-time project but an ongoing process, so plan for continuous improvement of your security posture.

Overall, I would rate Microsoft Defender XDR as an 8 out of 10.

We provide MXDR services. Initially, they are professional services such as setup and deployment, and then after that, we provide Day 2 services, which include working on the incidents and alerts the products generate, determining which one is a true positive and which one is a false positive, taking response actions, and maintaining a steady state.

We are expanding use cases with Defender for IoT integration. Now that the E5 license includes the enterprise IoT sensors, we are getting more of that telemetry to our SOC. Because most SOCs do not have that telemetry, it is something that we have had a couple of clients invest in. 

In terms of our in-house usage of this solution, there is not a lot of in-house infrastructure when it comes to workstations and things like that. As a security company, we are pretty infrastructure-light.

It helps with the well-rounded investigation where it does the automated investigations and does a lot of enrichment for you, so the SOC analyst does not have to play run and go fetch as much. They can go deeper into an investigation in a shorter amount of time.

It does not necessarily provide unified identity and access management. Most of that comes from Entra ID, but it absolutely provides security visibility. For identity protection, the combination of Azure Identity Protection and Defender for Identity in the same place is the most powerful part because it is your on-prem identity world and your cloud identity world. Those two things are connected in most environments. Most of the people who have issues or most Microsoft customers have hybrid environments. That means they have two IMs and a bidirectional trust. One is the old-school one, which is Active Directory, and that lets everybody in with a username and password, whether you are good or bad, and then the newer one is the one that has conditional access, and that is Entra ID. Most corporate environments have both, so you have all of the weaknesses of both systems in one nice little package. From a defensive monitoring standpoint, we get a lot of cases, and most clients have that situation. Most clients that we see for incident response, and who are dealing with whether they are going to have our business online tomorrow, are in that hybrid situation.

In terms of covering more than just Microsoft technologies, most of 365 Defender is focused on its own technologies. There is that extensibility to be able to bring in threat indicators. The Zeek integration in Windows provides a lot of functionality, but most of the time, when we are getting that third-party signal, it is via a SIEM. That is where we go look for that third-party cross-correlation signal. The XDR signal is in that 365 Defender portal, and using things like custom detections is helpful there, so you can do SIEM-like functionality, but not on a third-party data set. This third-party correlation is the logical place for Sentinel. Some of the federated search between the two and being able to see both datasets in both places relieves that pain. The vast majority of our MDR clients are using 365 Defender and Sentinel, but there are definitely people who have E5 licensing but still have QRadar, Splunk, or something like that. Sometimes, we have somebody who starts with just 365 Defender but has a Sentinel adoption plan because they have a year left on their QRadar contract. The cool part about Sentinel is that it is software as a service, so you can start small and then add to it. You can start with what we call Sentinel Light, which is basically just the free data connectors. A lot of times what people do is that they have E5 licensing in their contract, and they start with 365 Defender. They then start with free data sources in Sentinel and incrementally add server logs or Palo Alto logs as their budget allows them.

365 Defender has enabled us to discontinue the use of other security products. There is always realization in terms of whether we still need, for example, Tenable agents with 365 Defender TVM. The answer is probably not. Normally, it is building out that process where we are going to remove Tanium because we now have Intune, so everybody has that adoption roadmap. Typically, you go for the things that create the least amount of friction when you are going through that adoption roadmap and you save the things that are going to be painful, such as DLP, for the end. It is always about dollars. When it comes to security budgets, potentially, you are replacing five to six line items on your security budget with one. I have been getting extra functionality on top of it for Teams and things like that. When you make the business case to the decision-makers and you get all of the information at the table, it is normally a pretty overwhelming case.

The savings depend on what their actual spending is and how many other security vendors they are purchasing. For most information security professionals, half of their day goes into vendor meetings and maintaining those vendor relationships. You have active relationships, contract relationships, etc. You have all these different relationships, and you have to go out to their conferences, their dinners, and things like that, so you end up dealing with vendors all day instead of actually doing the work. There are two types of costs. There is that hard cost, which is pretty easy to define, and there is also that soft cost of what if you had this common security fabric that you could take, customize, and then add to it. That is what the Microsoft security play is. Instead of bolt-on security, it is built-in security, and then you can still add to it. You can still add custom tools like Velociraptor and all the other tools that complement the Microsoft security suite, but what you do not have to do is play with vendors all day and do the bolt-on security play, which is, "Install our agent and everything will be good. There will be 99% ransomware protection." That is not how real life works.

It saves time and brings operational efficiency. As threat hunters, looking for an initial compromised assessment, going into a SIEM, and looking through a SIEM can take a lot of time. With 365 Defender, I can run four or five queries on you, and if they light up, I know you have problems. If they do not light up, you are probably alright. It is about being able to get there relatively quickly and assess the situation. Should we go ahead and send out the notice and call the general counsel, or is this just a little thing we need to run down and keep traps on? The time saved depends on where they are coming from. If it is a relatively old school company that has got an old school SIEM, and then they have a next-gen antivirus and a separate EDR solution, they could be doing 100% manual investigation, so it is saving them 300% because the chances are that they were not even investigating all their alerts. 

The ability to hunt that IM data set or the identity data set at the same time is valuable. As incident response professionals, we are very used to EDRs and having device process registry telemetry, but a lot of times, we do not have that identity data right there with us, so we have to go search for it in some other silo. Being able to cross-correlate via both datasets at the same time is something that we can only do in Defender 365. We do not get it in the other products.

From an integration standpoint, it is always improving overall. With Security Copilot coming out, as partners, we are waiting for the GDAP support so that we can actually see Security Copilot on behalf of customers if they subscribe to it. I assume that will happen in the next couple of months, but there have been smaller improvements like that. I started with the Defender ATP product back in 2019. In terms of where it started versus where it is now, it is very different. A lot of the automated defense capabilities for auto-remediation and the threat and vulnerability management features that are coming out are the most exciting because they answer that CISO question, which is, "How covered am I for ransomware?" Most of the time when people answer that question, it is a very generic answer. They can look at the top twenty methods that most ransomware groups are going to use to see how protected they are, but they are probably not going to do that well, or they are pretty secure, and they are probably going to do pretty well. It gives more of that real-world experience that most people do not have. 

We have been using this solution for about four and a half years.

From a partner standpoint, typically, we do our best not to contact support. We are very sensitive about how we spend our time. The more time we burn on something, the less profitable we are. Normally, playing kick-the-ticket-around in any support organization does not help, so most of the time, our engineers can arrive at some type of solution without engaging anybody else. If we do have a hard blocker that is well-defined and well-documented, we typically escalate that through the product team and not through the support channel because the more time we spend on the phone with support, the less we believe in our overall relationship, so we just avoid that activity, and we feel good about the relationship.

We definitely have had some major instances with large customers where something bad was happening and they needed immediate resolution, but they did not even get a callback for 48 hours. When you are in the middle of that relationship just doing the SOC servers, you wonder why you are getting 300 attack alerts in an hour. You then escalate and call everybody inside of Microsoft. You blow up the horn right on Friday because these things always happen on Fridays. It is a bad situation for everyone. The one thing that I have learned especially with MDE is that most of the time, the people who can fix your issues are in Tel Aviv. A lot of times, if I put an entire well-documented explanation together and drop it in Teams to somebody, I will get a response at 2 AM, so the next day, I will check my messages first thing, and a lot of times, it is like, "That issue is fixed now." I know where I need to go when I need to get things solved, but calling any help desk, including our own internal help desk, does not work. 

In the right context, Microsoft's support can easily be a seven or an eight out of ten adventure. In the wrong context, it can easily be a two or three adventure. It is like rolling the dice. Sometimes they come up with snake eyes, so it is all about expectations.

I also deal with Azure a lot because most of the time, I am responsible for our backend systems. We are rebuilding our entire platform in Azure. We did a greenfield build, so I am teaching a lot of Java developers on Azure. Their default answer when something does not work is that Azure is broken. I know that Azure is not broken. They are doing it wrong. I then show them, but their general thought is, "Why don't we just open a ticket with Azure support?" My response is, "Why do you want to wait three hours for them to tell you the same thing, which is, that you are doing it wrong?" A lot of it is engineers learning. If they have the appropriate exposure and investment in education, it helps with digital transformation, but it also helps with security transformation. A lot of times organizations buy things and then tell their engineers to implement them. Nobody bothered to send them into training first, so they are doing their best with the information they have. They did not send them to Microsoft Ignite. They did not send them to any of the great local resources. We have all these different meetup groups where you can see the difference in people. You get to know who is succeeding with Azure or succeeding with Microsoft Security. When you get stuck, you know whom to call and ask how to do something because you are not able to figure it out even after wasting six hours. You can ask them to at least point you in the right direction. That is a better solution than calling an 1800 number because it is going to be more focused and more prescriptive.

We support a couple of other security vendors as well, which always gives us a great comparison to how they are doing. It is the difference between holistic security and non-holistic security. You get one set of data. It could be a good set of data, but it is not mixed with the other data points. When you got an email alert here, and then you got an identity alert, and then you got an EDR alert, and then you got the domain controller alert, you can go through that entire kill chain versus those separate technologies. With separate technologies, you are going to spend an hour and a half putting that story together, and chances are they are already on ten different servers by now, so you are behind the gun. You know the story, but now, you have a bigger story because it just blossomed over there.

In terms of comparison, there are quite a few other XDR products, and all of the XDR products suffer from the same kind of challenge, which is—they are only as good as the data they have available. For instance, if you are a 365 Defender shop, but you are using Okta, a lot of that identity information is not flowing through 365 Defender. It is flowing through Okta, so it is 60% to 70% blind. Trend Micro has its XDR solution, but if you do not have all the things deployed, and you only have 30% of the things deployed, you are looking at 30% percent of the data. That is one of the key components. When we deal with an IR situation, we have a lot of people who are like, "We have E5. We deployed Defender for Identity. We deployed Defender for Endpoint to some of the endpoints, but not all of these servers yet because that is scheduled for next year." In such scenarios, we have limited visibility. We can see certain things, but those other alerts tell us some other things are going on on some endpoints that we cannot see. That is the situation that you have to solve rather quickly, so halfway-done deployments are the issue. When we see them, we know why they are calling us because it was always bound to happen. It is then that classic situation where they will have to do it all in two days on Saturday and Sunday. They will have to completely redo it and finish off that deployment because this is what they needed to do for threat eradication.

I have helped clients deploy it. I have helped a little bit with the internal deployment. We do not have that much infrastructure. Most of our infrastructure is containers, and 365 Defender does not come into play. That is mostly the Defender for Cloud Storage.

In terms of the time it normally takes for different users to get fully deployed and functional with the solution depends on the users and the infrastructure. Those are two different things. For humans, typically those enablement sessions can go in a matter of weeks, and then it is also a matter of the client investing some of their own time in their own lab and things like that because you are never going to learn a tool unless you get hands-on with it. Watching me work on it is not going to teach you that much. You have to work on it, and then because Microsoft security is a holistic security and not a bolt-on thing, you are also dealing with some tech debt at the same time. If they have had 2012 servers and they have not updated those servers in eight years and there are no security patches, you will have to resolve some of those dependencies before you can onboard those servers to Defender. It is not Defender's fault. They should have been patching those all the way anyway. That is according to the best practices, but they were not, so now you will have to wait three weeks for the server team to update these and then you onboard them to Defender. Every corporation has different change controls. If it is a small corporation with only four or five thousand endpoints, there are probably three or four guys who can pretty much do whatever they need to do. A big corporation with a hundred thousand endpoints will have to put that through change control and then four people have to sign off in blood. It is a much bigger thing and lots of paperwork has to happen.

Normally, a good accelerator project takes three to four weeks. That includes going through the basics, making a deployment plan, doing a test group, and then validating that all of those policies are going to work in the environment. One of the big advantages that changed just in the last year is the built-in configuration management. When I initially started with 365 Defender about four or five years ago, we had a problem where a lot of people would run the onboarding packages but forget to deploy the policy, so it did not work as well as it could. The difference those other platforms had was that they had built-in policy management, so you make your settings and apply them to your group of endpoints, but now, it is there in Defender. Previously, with Defender, we had nine different ways to do it, such as configuration manager, registry, and PowerShell, and clients struggled with that because none of the options were perfect for all their endpoints. With the built-in configuration management, you have that feature parity now. You can do built-in policy management for Windows, Mac, and Linux endpoints, and that speeds up deployments. As the deployment engineer, you do not have to say, "Here is the list of ten different options. Let us select which one is going to work for which group of devices." Now you can just say, "We have a good solution. It is probably going to work for about 99% percent of your devices. You might have a few offline servers or old Linux servers. We will have to do a slightly different custom solution for them, but we have a 99% solution. Let us go ahead and get started on it," and that is very good because you do not necessarily lose the room when you are explaining it to your security team members who never had to do something like that. You can just say, "We have a solution here, guys. We are good."

When we go through all of the information security training, typically, we are trained on other systems, so there is a learning curve for most information security professionals. If there is executive sponsorship to say, "We are going to invest in learning our Microsoft security tools so that we get maximum bang for our buck out of them," that typically goes very well. Microsoft has programs, such as accelerators and the ESIS programs, that enable partners to guide that mission. 

Our deployment engineers have done the Sentinel and 365 Defender deployments for four or five years. They work on these projects all day and every day. A lot of time, they are just helping other people who are doing their first project and saying, "Oh, you probably do not want to load it on these servers.", or "This is the shortcut for this issue." They are just guiding them on that process and helping them avoid some of the mishaps and things that people normally struggle with. Once you get them fully deployed, the ROI starts showing up daily. It is just a matter of getting them to that steady state versus that halfway-done state because a halfway-prepared defense never performs well in combat.

I would rate 365 Defender a nine out of ten. It is a very powerful tool. My favorite gig is explaining it to other incident response professionals and saying, "Now that the customer has an E5 license, and this is all deployed, let me show you this. You run this query, and you bring all of this stuff back. This is how you create custom detections that will automatically isolate things if anything jumps off on this device." I can explain that in a two-hour crash course. If you can explain it the right way to other professionals, they end up realizing how powerful it is. It works great.

We use the standard Microsoft services and solutions for our entire IT infrastructure, so we leverage most 365 Defender services, including Sentinel, Defender for Identity, Defender for Endpoint, Defender for Cloud, Defender for Cloud Apps, and Defender for O365. We use all those solutions to secure our IT infrastructure and environments.

We deliver Microsoft services to users worldwide, including SharePoint and Exchange Online. Gmail is the one minor exception where we do something slightly different. 365 Defender currently covers 5,000 endpoints and between 10,000 to 15,000 identities. There are more identities than endpoints because we don't give everyone a company laptop. 

A larger organization absorbed my company that moved to Microsoft security products a little while ago, so it was natural to do the same at my company. The biggest benefit of going with Microsoft is that it's a huge company with lots of resources to put into security.

Most devices use the Microsoft's operating system and products these days. They get a lot of data from all those users, which helps them stay ahead of the competition. They process a few billion security-related signals daily, helping them deliver a better solution to us.

Introducing 365 Defender and Sentinel was the best decision we ever made. Many organizations have most of these components in place but aren't effectively leveraging them. 

They might be using a managed services provider that forces them only to use products from their partners. Still, they have an enterprise license with Microsoft that includes Microsoft Defender for Endpoint, which is part of the 365 solution. I think it makes more sense for people to use Microsoft security solutions too.

We can automate security tasks to a degree. There are several automation options, but it depends on the definitions of analytics rules, queries, etc. Microsoft provides many of those in its out-of-the-box catalog with many additional third-party queries that you can use. You can fully automate things as soon as you have your queries defined. Getting there might be a little difficult. 

Microsoft 365 Defender saved me from looking at multiple dashboards. There are still separate dashboards for Sentinel and 365 Defender, but the same alerts and incidents are generated on both consoles. The only difference is that 365 Defender won't show you anything you've customized on Sentinel. 

There is a separate Microsoft-specific intelligence dashboard that Microsoft keeps up to date. As soon as there is a specific threat that may affect our organization, it shows up on the dashboard, and we can see the sources of the attack, the path, and all the other information you need. It's useful, but I don't think our security operations center is using it. They only rely on third-party threat intelligence resources. 

We've saved time using 365 Defender because rolling it out is easy. The hardest thing is pushing it out to all the devices you are managing. Using a third-party device management solution might be slightly more complicated, but it's straightforward within the Microsoft ecosystem. 

I'm not sure how much money we've saved overall, but they previously used McAfee EDR for antivirus, which was costly. Most of our existing solutions are Microsoft, so we were already entitled to use Microsoft Defender for Endpoint. We weren't using Microsoft security solutions because someone decided they preferred McAfee many years ago. 

The McAfee contact was around a few million, and the full Microsoft enterprise license was also a few million. Using the security solutions bundled with the Microsoft license probably cut our costs in half.

It's hard to say how much our detection and response time decreased because we didn't have a comparable solution. Instead of going to a portal for McAfee or making Splunk ingest all kinds of profiles, we could dump all the data into a more analytical tool to get all these alerts.

Having a single pane of glass for all Microsoft security services makes everything much easier. A security analyst can go to a single portal and see everything in one view. The integration of everything into one portal is a huge benefit. 

Defender provides a lot of detailed information about your environment. It may be challenging for people without much experience to get the data they need because it can also be overwhelming. At the end of the day, Defender gives you almost all the information you need for anything you want to do, and Microsoft is working to extend that further. Some areas may not be fully integrated into 365 Defender yet.

There's also a vulnerability management feature. It installs an agent on all your devices to check where you're vulnerable, so you can resolve the issue. Once you get hit by an attack, you can disrupt the attack using an advanced AI.  

We use all of the Microsoft security solutions. They do an excellent job of making it simple to integrate the security features. It's easy if you have a little experience, and there is a lot of documentation if you are entirely new. 

The various Microsoft solutions work seamlessly together, especially the Sentinel part. Attack disruption is almost fully automated.

Sentinel can ingest data from our entire ecosystem with some additional work. Technically, you could ingest anything. It would be easier if there were an out-of-the-box way to integrate it, which already exists for many components. However, several third-party products do not have out-of-the-box connectivity, so you may need to do some fairly complex work. On the other hand, it is relatively simple to ingest data from most big-name products.

Sentinel enables us to investigate and respond to threats from one place, which is essential because IT environments are increasingly complex. There are so many servers, cloud services, applications, etc. Using multiple portals to view security incidents doesn't work anymore. 

You still need to configure Sentinel to ingest data from other third-party solutions, but much of the data is readily available if you primarily use Microsoft products. There's a lot of overlap between Defender and Sentinel, but as soon as you go outside the Microsoft domain, you must start using Sentinel. 

Sentinel is comprehensive. It stacks up well against some of the other big names in the SIEM space. Microsoft plans to add even more advanced features like behavioral analytics. AI is a huge topic right now, and Microsoft is ahead of the curve compared to other solutions in the security quadrant.

It already integrates natively with the Microsoft ecosystem, but there is still room for a minor improvement in third-party integration. Another issue is that the portal is sometimes less intuitive than you would like. That's probably because they're consolidating various security products, and there are a few legacy things left over that complicate matters in some cases. 

Still, if you gave someone who works in security access for the first time, that person would be impressed and wouldn't have any specific complaints. You only start to notice a few small things once you used them for a while, but nothing is significant. 

Microsoft 365 Defender combines several Microsoft solutions, and I used the component solutions of 365 before they were consolidated into one solution. For example, I started using Defender ATP four years ago, but I've only used 365 Defender for around three years.

Overall, the stability is top-notch.

I haven't seen any limits to 365 Defender's scalability. I don't know if you would have issues once you start adding 200,000 endpoints. There might be some glitches here or there. Scalability seems to be an area where Microsoft's cloud solutions excel. 

I rate Microsoft's support a four out of ten. Support is hit or miss. Microsoft wants you to buy premium support contracts. Though they call themselves professional support, it's almost like throwing questions into a black hole. You get an answer, but it's never helpful. 

If you invest in what they call "Unified Support," it's slightly better. You get good answers quite often, but it sometimes takes a long time. They should be going to the public group to discuss technical features, and they don't do that.

In some cases, their answers make no sense. I recently caught a support person making a statement I knew was incorrect, so I had to go back to somebody in the product group at Microsoft to get them to confirm. In my opinion, it's better to invest in a support partner. These companies specialize in this. They might know a fix or shortcuts to get high-level support. Their IT department may have contacts with people in Microsoft's public group, so they can get answers faster. 

Neutral

Before my company was acquired, we used a few solutions, but they also started drifting toward Microsoft in the last year. They were also shifting from third-party solutions to Microsoft solutions. They used McAfee for endpoint protection and eventually switched to Carbon Black. 

If you asked me five years ago if I would recommend a Microsoft security solution, I probably would have said "No," but they've come a long way in a short time and made a lot of investments in that area. Seven years ago, I would also have chosen something like McAfee or Carbon Black.

365 Defender is a cloud-based solution, so you don't plan and deploy the individual components like a traditional endpoint solution. You have components installed on-prem, like the firmware for endpoints, and you run Lambda for Cloud on your servers, which may be in the cloud. We also have servers hosted in a Microsoft. Our environment combines multiple things. 

I was primarily responsible for the deployment. I found it mostly straightforward, but I also have experience and a Microsoft expert certification on many of these topics. If you've never done this before, the good news is that Microsoft documentation is excellent. It gives you all the steps that you need to take. But then it will take you a bit longer to follow the instructions. I can almost do this with my eyes closed, but it will take a lot longer for someone new to this. 

If you have some experience, you could theoretically set this up in a few days. It wouldn't be completely deployed because you may need to write several analytics rules in Sentinel, depending on your environment. The integration with Microsoft apps is one click.

I did the planning, but our IT partner did the hands-on work. The design stage took a little longer here. We discussed which features to enable and which might cause our users too many problems. That process took about two or three months. The actual deployment was finished in a few weeks. The only limiting factor was that we needed to ensure all the endpoint software was installed, which took some time. 

After the deployment, there is a little maintenance, but it's pretty automated. We need to be extra careful in some areas. Microsoft often releases new features that replace and disable existing features. Administrators may need to go into the various services and change settings. You also need to push updates to the endpoints. 

Microsoft does this automatically, but you can use a device management solution. How often do you want to do this, and how quickly? Do you want to delay specific updates to the antivirus engine for testing purposes? 

For example, Microsoft messed up about four months ago when they pushed out an update automatically to all the global endpoints. Depending on our settings, it causes certain file types to be seen as malicious and deleted from user devices. 

For example, it was deleting shortcuts. You can imagine if you came into the office on a Monday morning, and all the shortcuts have been deleted. It might make sense to test the updates to ensure they're working. You have many options to manage this, so it's flexible in that sense. It's just a matter of your organization's cybersecurity priorities. 

Microsoft customers can opt into server health notifications. You get a lot of notifications, but they may not affect your organization, and not all of them are serious. 

365 Defender can get expensive because you pay per gigabyte of data ingested. On the other hand, much of the data available in the other Microsoft security solutions are made available relatively cheaply—sometimes at cost or for free. Integrating only a limited set of third-party solutions with Sentinel would be cost-effective. It's much more affordable if companies only have Microsoft solutions. 

Data ingestion and log storage costs are relatively expensive, and you also need to consider the labor investments in fine-tuning all the analytics rules, etc. However, those costs will be similar to any product.

Microsoft licensing is highly complex, so you must carefully pick the license you need. People tend to choose the cheapest license or take a more expensive one to ensure that all possible features they need are covered. The price difference between those two options is vast. 

Some of these services are there without a license. That's problematic because the Microsoft agreements state you must license them. You might assume that you can use it. There are no restrictions in some cases, so some companies may have a problem. If Microsoft finds out, they'll get stuck with a bill because they were using something without a license. 

I rate Microsoft 365 Defender a nine out of ten. Microsoft is doing extremely well, and they plan to add a lot of new features, which is going to be exciting for many people in the security area. 

I always recommend a proof of concept, but I believe you'll be fine if most of your environment is Microsoft. These solutions also support Apple hardware, so that shouldn't be a problem either. If you're entirely using Microsoft products, I would say it's a no-brainer, especially if you are already invested in a Microsoft 365 license.

At the same time, Microsoft's licensing is extremely complicated, and there are several different licenses that go up in price quickly. You might need a licensing consultant because they know the details. You could also go in the opposite direction there. Somebody might try to sell you the most expensive Microsoft plan because they believe you need it, but you lose money if you're not using it.

Security 101 tells you, "Don't bet on a single vendor." I agree with that on a certain level because what happens if Microsoft gets compromised? But on the other hand, the native integration you get from using Microsoft security solutions is worthwhile. 

I've had this conversation with my CEO at some point. They raised the question of what would happen if Microsoft were compromised. I told them that Microsoft is one organization, but each of these product groups acts like its own startup in the sense that there is a subset of infrastructure devoted to each. If one part of Microsoft is compromised, it does not mean the whole of Microsoft is compromised. I always tell people to let go of that principle, but I understand the desire to introduce additional tooling. 

We're a small business. Defender XDR gives us a centralized security solution for monitoring our servers and some user PCs. We have around 30 machines, 10 of which are servers. 

Defender XDR saves the security team time by telling us what patches to apply. We also get preemptive notes about things that need to be done.

I like Defender XDR's reports and alerts. They give you updates about the latest hotfixes and zero-day vulnerabilities, which gives me all the information I need to maintain my servers. 

Defender's AI for identifying suspicious activity could be improved. Also, I do a lot of home updates. Maybe there is a way to set it up faster. For example, let's say that I want to automatically update seven computers, servers, etc. I wouldn't do it to a user, but maybe the server. I don't mind if the server restarts automatically.

I have used Defender XDR for a year.

Defender XDR is stable.

Defender is scalable. I haven't had any issues with that part.  

Microsoft support is good. I usually don't contact them directly. We have a support partner. If there's an issue, they can resolve it with Microsoft quickly.

We previously used Symantec antivirus. We're a small company, so switching wasn't a big deal. We switched because Symantec discontinued the solution we were using. They actually don't sell it anymore.

I wasn't involved in the decision to purchase Defender XDR. We are a small company, so we needed a vendor to support SMEs, and Microsoft caters to businesses of all sizes. We checked some other solutions but went with Defender because we're already on Azure, so the solutions complement each other.

Deploying Defender XDR was easy. Our external security guy handled most of the settings and onboarding, and our IT guy handled a few of the problematic cases. Most of the maintenance was automatic.

I don't know the exact pricing, but I believe Defender offered the best small business solution for the price.

I rate Microsoft Defender XDR nine out of 10. I don't have experience with other XDRs that I can compare it to, but I think Defender is an excellent solution. It's fairly easy to understand and navigate, and it's a good value.

We use Defender XDR to assign roles and monitor based on the analytics report from Microsoft. 

Defender XDR has improved the organization's confidentiality. If there's a DLP violation, such as someone sharing documents inappropriately, a notification will automatically trigger. Defender stops the movement of advanced attacks. We first need to set up some independent indicators of compromise. The IOCs are connected to some attack surface reduction rules.

We get alerts if someone tries installing something on the system or adding an external hard drive. We get security recommendations from Microsoft, but our security implements them on their own. We don't use the AI feature. We see significant time savings from the alerts based on the indicators of compromise. It saves us about 10 to 15 percent.

The best feature is probably the alert generation. When I do a security reset, the other session triggers instantly from the Defender console, and I can work on it. The policies are three times, but they are also ready to install it.

The identity management feature is something we need for our use case. It wraps up the access management and XDR components, so it's not just Defender. It works well with Azure AD for access management. I didn't think I needed identity and access management in the past, but it's nice to have if you're performing a significant migration on a tight schedule. 

Defender XDR's coverage extends beyond Microsoft technologies. It covers all the endpoints of users in the organization. I can manage access to any application and system within the organization. 

Defender XDR could provide recommendations for threat-hunting queries. Some people do not know how to write an advanced threat query, so we need to spend time training them. 

We have used Defender XDR for about 15 months.

I rate Defender XDR 10 out of 10 for stability. It's a stable solution. We've had no outages. 

The scalability depends on the number of licenses you can purchase. If I want to add more endpoints or solutions from Microsoft XDR, I have to pay more. The scale depends on the pricing. 

I rate Microsoft support eight out of 10. Some cases are easy fixes, so they don't take much time, whereas some of our more complex tickets take some time.

Positive

I've also worked with Trellix. Microsoft provides better recommendations for protecting our tools, devices, and files. Trellix has XDR capabilities, too, but Microsoft's recommendations are more robust. 

Defender XDR is a SaaS solution. The deployment is ongoing because we're constantly onboarding and retiring endpoints. Microsoft handles most of the maintenance for it. It rarely requires maintenance from our end. 

Defender XDR is fairly priced and cost-effective. 

I rate Microsoft Defender XDR eight out of 10. If you want to implement this product, you should have a team who understands the product well. It's SaaS-based, so the Microsoft team is delivering everything to you. However, you still need to know the product.

We are using Microsoft Defender for Office 365 for identity and email security, safe links, etc.

It works as an antivirus, and it also works for any behavioral issues in a particular machine. It protects all the applications from any vulnerability. It works in both ways. It works for vulnerability management and also for the EDR part. Earlier, we had Qualys for vulnerability management, but Microsoft Defender takes care of both. It provides information about how vulnerable a machine is, and it also takes care of the antivirus and behavioral issues in a particular machine due to some threats or any unwanted applications installed.

It helps us manage vulnerabilities. If there are any vulnerabilities in a machine due to a lack of patches or end-of-life software installed on the machine, it gives us the report. After seeing the report, we can fix those vulnerabilities by uninstalling the vulnerable applications or by patching them.

It takes care of the antivirus part. The signatures are constantly getting updated related to new viruses. It covers any identity-related issues or device-specific issues. It covers the MITRE framework. If any threat or risk is present in our environment, it takes care of that and then tells us that these are the issues that we need to work on. After we get the alerts, we do the investigation and remediation.

It provides unified identity and access management. You can create role-based access. You can create policies based on different risk levels. You can also trigger password resets. There are a lot of capabilities that are built in. You can also create conditional access (CA) policies. If any vulnerable application is installed on a device, you do not want that device to be connected to your network, you can create conditional access policies. It will first check whether the integrity of the device is as per your organization's requirements. If it is compliant, then only that device will be allowed to connect to your network. The same goes for identity. If MFA is enabled in your environment, the users will be allowed to connect only if their accounts have MFA enabled. Otherwise, the access is blocked. You can automate such things.

It is important that identity and access management are included in Microsoft Defender rather than needing an additional solution. Nowadays, you see a lot of phishing emails and unsecure links being forwarded to user accounts. In Microsoft Defender, we have secure links and safe links. Once enabled, if any malicious link is sent to a user account, when the user clicks on a link, it immediately checks whether it is safe to access. If it is found to be malicious, it is immediately blocked. If a user mistakenly clicks on a link, the risk state is changed automatically in the web portal. If you have a conditional policy in place, the access is blocked for that user. Even if the attackers have access, they will not be able to do anything. In today's scenario, it is pretty important to have these in place.

As of now, the integration part is pretty limited to Microsoft products. However, by using Sentinel, which is a SIEM solution, you can integrate other products.

It stops the lateral movement of advanced attacks like ransomware or business email compromise. You can create lateral movement policies, and you also can create high-risk users or high-risk devices. You can have customized policies for them. You can create different policies, and the alerts triggered from those devices or users are put into high severity so that you can take immediate action.

You get the telemetry of any attack observed by Microsoft Defender. You can see everything from the starting point till the remediation steps automatically taken by Microsoft Defender. The investigations can be found easily. They are pretty detailed. Everything is there in the portal.

It has the ability to adapt to evolving threats. Threat intelligence is embedded in the portal itself for new threats, technologies, ransomware, or malware. All the latest threats are automatically handled by Microsoft Defender. Remediation is also automatically available.

It saves time. There is automatic remediation, and there are playbooks that you can configure. You can automate the remediation steps that you have already tried on a particular machine. If you want to suppress some of the alerts, you can create suppression rules so that your team does not spend time investigating them. Playbooks, automatic remediation, and suppression of similar alerts save a lot of time.

Vulnerability management is valuable. We had a different product for vulnerability management. We were using Qualys for that, but after we got Microsoft Defender, we also got the vulnerability management part. It is embedded in the portal itself. We do not have to look into another solution or tool. We did not have to install any additional sensor which reduces the overhead and does not affect the machine's capability. With the same sensor, we get the vulnerability report and threat report. We also get to know any risks and issues related to malware and other things.

The portal is quite user-friendly. There is integration with Office, Intune, and other products from the same portal. From there, we can see which policies are installed on a particular machine. We also can manage devices, groups, and tagging. For a different set of teams or departments, we can create different device groups. Based on the teams and their work portfolio, we can create different policies. It is quite handy, whereas with the Qualys solution, the portal was quite cluttered. To find a particular option, we had to look at many options, whereas Microsoft Defender is quite user-friendly.

We are also getting all the reports by using the same sensor. It is light on the machines as well. It consumes less resources than other solutions available in the market.

It is evolving. We are seeing new advancements and integrations. They have integrated Copilot, so going forward, we can take the AI advantage. It will be quite easy for us to run any queries. These are the advantages that I see in Microsoft Defender in comparison to others.

The patching capability should be there. Patching is something that you cannot do even though you see the vulnerabilities present in your environment. For patching, you have to depend on another solution.

Other than that, there are still limitations in creating device groups. You can create tags, but these tags are based on limited options. There are only a few categories based on which you can create a tag or device group. If there are other conditions that you want to put, such as creating a group based on the application installed on a particular machine, you cannot do that. There are some shortcomings. Also, if you want to whitelist a particular application for a set of groups, you cannot do that. We had an incident where we wanted to whitelist a particular application that was getting blocked by Microsoft Defender, but we were not able to create those groups. We were not able to whitelist the application for some of the devices. We had to whitelist it for the whole environment, which we did not want to do.

It only has pre-built dashboards. You cannot create customized dashboards. They have a set of dashboards, but they are not customizable.

We can create reports using KQL, but it is hard to create customized reports using KQL. You get a CSV, but you need to use Power BI or another reporting product to create the report. The other products available in the market give you customized dashboards, customized reporting, and customized workflows. This is pending in Microsoft Defender.

I have been working with this solution for 1.5 years.

It is a Microsoft product. It is similar to any other Microsoft product in terms of stability. They do change the name and other functionalities, but it is pretty much similar to any other Microsoft product.

It is pretty scalable. It does not stop you anywhere.

I am working in an MNC. We have more than 6,000 people.

It depends upon the license that you have. They have a different set of licenses based on which you get support. It depends on the support packages you have purchased.

It is very easy to raise a request. They have a portal. From there, you can create a ticket by email or by chat. The response is based on the support package that you have. If you have premium support, you can get a response in minutes. 

In my previous organization, I worked with Palo Alto XDR. In this organization, we had McAfee, which is a signature-based solution. Microsoft Defender is more advanced than McAfee. It is EDR-based, whereas McAfree was signature-based. It was based on the signatures related to a particular threat or virus. It was handling threat prevention, but behavioral analysis and other functionalities that you see in EDRs were not there. We wanted to move to a behavioral-based antivirus solution. That is why we opted for Microsoft Defender.

Microsoft Defender also enabled us to discontinue the Qualys solution. It has many capabilities related to vulnerability management. They are available out of the box, but patching is something that is missing. For patching, you need to use Intune, whereas, in Qualys, you can also do patching, so patching is something that is missing in Microsoft Defender. However, Microsoft Defender is very good for the assessment of vulnerabilities.

You also get visibility of the devices that are still not onboarded to Microsoft Defender. You have something called Device Discovery in Microsoft Defender. Once enabled, you can get details of all the machines that still do not have Defender, whereas, in Qualys, you have to create customized or scheduled scans of your network. They then run on a periodic basis, but that is not the case with Microsoft Defender. It is on a real-time basis. The Microsoft Defender client continuously does the scanning, and you get visibility into all the machines on your network that still do not have Microsoft Defender onboarded. However, you cannot do patching with Microsoft Defender.

Microsoft Defender can save costs. Qualys is pretty expensive. Microsoft Defender does vulnerability management out of the box, so if you do not want to do patching and you have another solution for patching, you can save costs. It also has out-of-the-box functionality for identity protection.

It is deployed on a public cloud. If you do not have people in your team who know about this product, Microsoft can give you a vendor to help with deployment, creating the policies, etc.

Overall, it is pretty straightforward because Microsoft Defender is enabled on all Windows machines. All you need to do is to activate the sensor that is already installed. The installation process is not much, but if you want somebody to help you, Microsoft can help you with a list of vendors at a particular location. The vendor can help you with configuring the policies and activating different licenses.

Documentation is available on the Microsoft portal to help you create policies and go forward as per your environment.

We took help from somebody for implementation.

It does not require a lot of people because it is a cloud solution and the sensor is already available in the machine itself. It does not require a lot of manpower to get started with Microsoft Defender and do a migration. However, it also depends on how big your organization is. If it is an MNC with a presence in multiple countries, you might need at least one person per region. If any hands-on support is required on a client machine, you can do troubleshooting remotely or provide on-site support. If you have only one site, you do not need much manpower. A single person can do it.

Its maintenance is similar to any other solution. If you are changing any policy, you have to test them before putting them into production. Apart from that, it does not require anything. The Defender updates are automatically available. You can push them through your patching solution. Its maintenance is not hard.

Every organization has different requirements. In my previous organization, we opted for Palo Alto even though we had Defender and CrowdStrike. CrowdStrike is also a best-in-class solution, but we opted for Palo Alto because it was giving something that was a requirement. In that organization, we also wanted to do some management. We wanted to run some scripts through our XDR solution. CrowdStrike had some limitations. We also wanted to do a console login for a particular machine. CrowdStrike gave that functionality, but it was pretty limited, whereas, in Palo Alto, it was limitless. We could straightaway see the files present on a machine by using the console view. We could run a different set of queries. It did not matter whether we were running a PowerShell script, a Python script, or any other language script because the compiler was embedded in the sensor. Palo Alto met the needs of that company. For the use cases, it was the best fit.

In my current organization, the use cases are different. We only wanted an EDR solution. Also, because most of the products in our environment are from Microsoft, the integration with them was pretty easy. That is why we opted for Microsoft Defender. An organization should look at its use cases and then decide on an EDR/XDR solution.

Comparing Microsoft Defender's EDR capabilities with other solutions, I would recommend going for another solution available in the market. I would rate it a 6 out of 10 because there are a lot of things that are available in other solutions, such as doing a remote of a particular machine and running other language scripts. Other solutions are also better in terms of the isolation of a particular device, removal from the isolation, and granularity of security control. I am not comparing it with others for vulnerability management because Palo Alto or CrowdStrike do not do that. If there are any vulnerabilities and you want to fix them, you have to do all the work.

I've mainly used the EDR component within 365 Defender, which is Microsoft Defender for Endpoint. It does a good job of bringing the whole attack story together, so you can see email activity, endpoint activity, cloud app activity, and some sort of sign-in activity as well relating to Azure AD, but I've mainly dealt with it from the EDR aspect.

It definitely improved visibility when I dealt with this solution, but the main benefit is the advanced hunting because it allows you to uncover threats that you didn't realize were there, or they weren't alerted because you were looking for specific behavior. The custom detection and linking to that is something quite cool because if you know there's a behavior, you want to keep an eye out for it. For example, it might be linked to a recent threat, so you can set up that detection query, and as soon as it finds a result, it will flag an alert. That has definitely helped to be more proactive and a bit more ahead of the curve with attacks. So, it improves visibility and also helps with being proactive.

It helps to prioritize threats across the enterprise. It does assign severity to a threat, but it also gives you an overview at a glance. If you know that your organization is susceptible to certain major threats, those are the ones you probably want to pick up on. With the severity and alerts, it gives you an idea of which is the most pressing incident. If you've got one with just one alert, that's a medium, but if you've got one with five highs. You're probably going to focus on the high one. That helps to prioritize.

It helps automate routine tasks and the finding of high-value alerts to a degree. You can have certain actions where if an event starts on the endpoint, it automatically isolates that. If it occurs, for example, on the email, then you can automatically purge it. It helps with the routine tasks that people would have to manually do in the portal. With automation, it takes care of it automatically if an alert fires. It improves efficiency because, after hours, there might be no one there available to isolate a machine. This way, as soon as the alert fires, that machine is isolated, and the next morning or the next working day, an analyst can go in and see that this alert fired and the endpoint has been isolated. That definitely helps from a coverage perspective when people are unavailable because those actions occur without anyone being present.

It has absolutely helped eliminate having to look at multiple dashboards and have one XDR dashboard. I've got three years of experience. At the start, we had all the individual portals for cloud app security, endpoints, Office, etc. The whole point of 365 is to unify, and they've done a good job. The different components are broken out into sections on the left-hand side, and you can very easily click through them and navigate them. It eliminates the need for multiple tabs and dashboards. It has definitely helped with what they were aiming for, which is to have a single pane of glass view.

It has saved us time by not having multiple dashboards. We don't need to open multiple portals and sign in to them. It definitely saves time there and also in understanding the true story of an attack. It has definitely helped in terms of efficiency. It's hard to quantify the time savings because I'm not using it now, but from what I remember, it saved at least 20% to 25% time just because it does a good job of giving you the information. You can glance at the key information that you need, and then it gives some details, and then you go to other places externally to investigate further.

The threat analytics give you a report on what Microsoft has seen in the world. What I like about those is that they will show you if that's actively impacting your environment at the moment or likely to. For example, if there are vulnerabilities that are being exposed, it tells you whether you're vulnerable or not, so you can protect against them before they are here. One thing I do like is that they also give you advanced hunting queries, so you can look for the behavior associated with those threats and make sure that you've got your coverage in place. I wouldn't necessarily call it threat intelligence. It's more of threat analytics and reporting that they provide.

I'm not aware of whether it saved any money in any of my previous roles, but a lot of organizations have the E5 security license, and they don't realize it. They have third-party vendors doing their email security, endpoint security, and so on, but holistically, Microsoft's E5 license gives you all of those capabilities, and it would also be cheaper than paying multiple vendors.

It decreases your time to detect and time to respond. It does a good job. It has the auto investigation ability so it can automatically detect threats. When you build custom detections, you can have automated response actions. Those two together help you with the mean time to remediate and the mean time to resolve. The information at a glance easily lets you see if it's a false positive or something that you know in your environment, and it's gonna be non-malicious. You can glance over and dismiss those alerts, and you could potentially be setting up suppression so that you don't get notified about them in the future. All in all, it helps you to improve your remediation. The time reduction depends on the scenario. Sometimes, you can instantly see false positives that would decrease your time by 85%. On the whole, there is about 35% to 40% time savings because of the way it correlates with the signals and gives you quick ways to remediate them.

For me, the advanced hunting capabilities have been really great. It allowed querying the dataset with their own language, which is KQL or Kusto Query Language. That has allowed me to get much more insight into the events that have occurred. The whole power of 365 Defender is that you can get the whole story. It allows you to query an email-based activity and then correlate it with an endpoint-based activity. The advanced hunting capabilities have definitely been one of my favorite features.

The way the incidents are put together is also good. It can intelligently correlate activities from email to endpoint, and then you can visually see it in the timeline view or graph view. It does a good job of presenting that incident to you, and it's easy to navigate between it and then pivot to some actions as well.

For some scenarios, it provides good visibility into threats, and for some scenarios, it doesn't. For example, sometimes the URLs within the emails have destinations, and you do get a screenshot and all further details, but it's not always the case. It would be good if they did a better job of enabling that for all the emails that they identified as malicious. When you get an email threat, you can go into the email and see more details, but the URL destination feature doesn't always show you a screenshot of the URL in that email. It also doesn't always give you the characteristics relating to that URL. It would be quite good if the information is complete where it says that we identified this URL, and this is what it looks like. There should be some threat intel about it. It should give you more details.

One other limitation is with cloud-based events. Sometimes, you don't get enough details in the alert. You have to go to other portals to then complete the story or do your own research, ask the user, etc. 

The other one is that with Defender for Endpoint, the attack story is quite good in terms of queries and things like that, but sometimes, multiple events for the same thing are captured, and it's not summarized in a good way. You have to open each entry to see what that partial syntax is. It'll be good if it said that this specific partial syntax was seen fifteen times, and maybe it's something to pay attention to. They could also do some sort of pattern matching. There could be some sort of pattern matching where it says that this is the attack trying to do some enumeration or reconnaissance activities. 

I've been using it for over three years.

There are some times when it does have downtime or service outages. They do a good job of updating the service status page to let you know about that, but there have also been misclassifications, for example, for Chrome updates, generating malicious alerts and things like that. On the whole, it's quite stable.

There are sometimes when it can freeze up or not present the data that you want. It gives you data unavailable or other errors, but, usually, these are quite quickly resolved. Sometimes, it's just to do with a particular instance, but sometimes, there can be wider outages. You just have to pay attention to the service status page or raise a support case and then be notified when that's resolved. On the whole, it's fairly stable.

Because it's built on the cloud and for the cloud, it does scale quite well. However, one area where it can be a challenge is when you use the Kusto Query Language for event hunting. Sometimes, if you do quite a generic search across, for example, thirty days of data, it gives you processing errors and limitations. I guess Microsoft does that for two reasons. One, to keep the cost down on their side, and two, from a performance standpoint. That is a bit of a limitation of scaling because if you want to do generic sessions across thirty days, you're not able to, but the idea is that you should be able to filter and granularly restrict conditions to get exactly the events you want. However, it would be nice if you were able to search more widely and if the solution could scale to support that, whereas, currently, it doesn't seem to, but that's not the use case they might have had in mind.

It depends. With some clients, we've had the fast-track option, whereas, with some clients, we just had to raise support cases. Usually, when you raise support cases, you're not going through an SME, so there is a bit of basic troubleshooting and things like that. With the fast-track option, you directly get through to someone who understands security, and you can explain the issue. They understand the issue, and you can get a much quicker response. So, the fast-track option is the one where I've had better success. The normal support can sometimes be a bit drawn. There could be a lot of back and forth about not relevant things just because they're not security trained, so they're trying to understand and then help you. 

It has been a mixed experience. Overall, I would rate them a seven out of ten because there have been some gaps, and there have been some successes, especially through the fast-track program.

Neutral

We didn't have anything that was overarching and correlated all the different signals. We had different products. We had a different product for email security or a different product for the endpoint. I might be wrong here, but I don't think there's another tool that brings those aspects together as well as 365 Defender does.

From what I went through in various roles, it was mostly in the cloud. Defender for Endpoint is a cloud-based solution. In fact, most Defender solutions are now based on the cloud. The only exception is if you've got Defender for Identity. For one of our engagements, I did deal with that, so it was a mixture. Apart from Defender for Identity, all the other solutions have been on the cloud.

In one of my roles prior to my current one, I was doing onboarding for a client with Defender for Endpoint. I was getting them onto it and migrating from McAfee. I was involved in the setup, coordinating the groups and the roles, and things like that. In all the other roles, the tool was already in place. It was just about maturing it and getting hands-on.

The setup was quite complex. Microsoft Docs guide you, but there were a few gaps that I had to fill in. One example is onboarding with group policy. Microsoft does lay all the steps on the docs page, but it doesn't give you screenshots. It doesn't give you things to look out for. It doesn't give you logs that would correlate to those events and things like that. I had to put things together using external sources, such as YouTube or just Google search. On the whole, it was very okay to follow, but it just didn't have that depth. What I produced for that client was a step-by-step coding guide with screenshots that they could give to the infrastructure team to get them on board. We had a good success rate that way, whereas if I had just sent them the Microsoft Docs link, I'm sure they would have had a few more questions.

That was the only use case I had experienced initial-setup-wise. The onboarding for group policy took maybe a month or two just because we had quite a big setup. We had different groups to roll it out to. We rolled it out to pilot devices, then 10 or 20 devices, then 100, and so on. It took about a month or two.

In terms of maintenance, from the service side, you rely on Microsoft to make sure it's available, secure, and things like that. Sometimes, you get downtime, and sometimes, you get bugs. For example, last year, a Chrome update was misclassified as malicious, which caused all the alerts. You then have to raise support cases to find out what happened. Eventually, Microsoft releases a fix, so in terms of maintenance, it's more on them. The only thing from your side is making sure, for example, the roles are still relevant. If someone who has access leaves, you need to make sure that their role is revoked. You need to make sure that you've got your role set up for the least privilege and things like that on an ongoing basis because there may be certain new features in the portal that have a corresponding role assignment. If you don't have that enabled or configured, then you're not going to get that benefit. That's the only thing needed from the maintenance perspective. You just need to make sure your roles are regularly reviewed and optimized when needed.

All I can say again is the E5 gives you all the capabilities that it offers. It also gives Office 365 and one terabyte of storage. All in all, the E5 license model makes sense. There are some people who say it's quite costly, but rather than paying different vendors, it makes sense to go all in with Microsoft if you've got that licensing. From that perspective, it's cost-effective, but I can't comment much on that.

To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that I'm slightly biased because I'm such a fan of the Microsoft suite. Some people do say that you shouldn't put eggs into one basket, and you're giving a lot of control to Microsoft and things like that. I would advise evaluating based on your needs. For example, for your endpoints, you might see much better value in CrowdStrike, Tanium, or something like that as compared to Defender for Endpoint.

You can do PoCs. Microsoft makes it quite easy. You can have the trials and things like that. You can play around and see which one supports your environment. I wouldn't say Microsoft is necessarily the option for all organizations, but I do think it's a very compelling offer. They're constantly evolving the product. They pay a lot of attention to consumer feedback. They've enterprise feedback as well to improve the product. I wouldn't completely rule out either option. If you've got one that's tried and tested for your enterprise, and that's a third party, you can see what Microsoft can offer. If it just doesn't match up, then stick to what you have even if it costs more because all in all, you may have tried and tested processes. You may have an investment in that product, and it may just have capabilities that the Microsoft one doesn't have. I would also encourage you to add a feature request for the Microsoft one, and then they'll be more on the equal side.

I would advise doing a PoC. If you are using Carbon Black, CrowdStrike, or Titanium, evaluate it. Have a sample host or spin up some VMs or onboard them to Defender. Do some simulations and do some attacks that you think are likely going to be. See how the logs look, see the investigation processes, and do a gap analysis with your current solution. If it brings you any value, then potentially look to deploy it further. Don't just go all in without understanding what it does. If you don't have any security solution right now, and you are a small business or a local business, it's worth doing the trial and seeing what value you get from the trial because, in that situation, you don't have anything to compare to. You are an easy customer to onboard from Microsoft's perspective because you wouldn't be that complex. So, do a trial and then go from there.

I would rate it an eight out of ten overall. I do really like the product. I do like the fact that it combines all the alerts into one. I remember when I was a security analyst back in 2019, I had to open multiple tabs and close alerts in one portal and then the other portal. They've done a good job of bi-directional syncing of alerts. If you're closing in 365 Defender, it'll close in the MCAS portal or cloud apps. Overall, the biggest thing for me was just advanced hunting capability because previously, it wasn't possible to get those cloud app events or Defender for Office events to do hunting. Endpoint was the first one to have that hunting capability, and I'm glad that they've extended that to the other stacks. So, overall, I would give it an eight, and I'm really impressed.