Anurag Awasthi - PeerSpot reviewer
Senior Consultant at HCLSoftware
Consultant
Offers excellent firewall management and visibility into threats in a stable, integrated security suite
Pros and Cons
  • "The solution's robust security posture is the most valuable feature."
  • "The most significant areas for improvement are in the security of our identity and endpoints and the posture of the cloud environment. Better protection for our cloud users and cloud apps is always welcome."

What is our primary use case?

The solution provides a security score based on the environment and gives recommendations for improving that score. For example, a manual server may require patches to strengthen security, and MS Defender for Cloud informs us. We can also run a vulnerability assessment in the background of work processes to detect server vulnerabilities. We primarily operate a hybrid cloud environment with some specific on-prem integrations.

One of our clients, operating in the electronics industry, has around 1,300 endpoints, 700 users on the Windows server, and 300 other devices. There are also 100-150 users on Unix servers.

We use multiple Microsoft security products, including Defender for Cloud, Sentinel, and Defender for Endpoint. The products are integrated, and there is nothing complicated about integrating them; we provide the APIs or the credentials, and they are automatically integrated.

How has it helped my organization?

The product helps us prioritize threats across the enterprise, which is essential when interacting with clients, as we can show them their high-risk vulnerabilities and tackle them first.

The solution helps automate routine tasks and the finding of high-value alerts. Additionally, following the resolution of an issue, we can set up a logic app to trigger an automatic system response if it happens again.

The integrated security suite saves us time, as multiple security solutions work together seamlessly in the cloud, allowing us to take actions that could take 24-48 hours to replicate using third-party products. 

Defender for Cloud reduced our time to detect and respond; if we are faced with an issue known to the threat intelligence database or that occurred before, we don't need to invest any time at all. The solution reduced our time to detect and respond by around 50%. 

Integration with Defender for Endpoint allows us to see the health of our endpoints in terms of workload protection, which is one of the benefits of these integrations.

Microsoft solutions working natively together to provide integrated protection and coordinated detection and response is essential from a business point of view. We don't have to manage multiple tools and services from different dashboards; we can monitor and manage everything from a single point. All the generated alerts from numerous services are ingested into one solution that a single team can monitor. That's one of the best parts of using the integrated Microsoft security suite.

What is most valuable?

The solution's robust security posture is the most valuable feature.

We have a lot of firewalls, and we can manage them in the solution through the firewall manager. We can set up an Azure firewall and centralize the management policy.

The solution provides excellent visibility into threats, and it's a cloud-based integrated solution, so we don't have to worry about any third-party products or services. Microsoft provides so many options, and that's great.

Defender for Cloud generates reports we can use as an assessment, as it allows us to see the services in our environment and our points of highest risk.

The solution's threat intelligence helps us prepare for threats before they hit and take proactive steps, which is very useful for analysis. 

What needs improvement?

The most significant areas for improvement are in the security of our identity and endpoints and the posture of the cloud environment. Better protection for our cloud users and cloud apps is always welcome.

Several features, including one called External Attack Surface Management, are already in the pipeline and will be welcome additions.

Buyer's Guide
Microsoft Defender for Cloud
December 2024
Learn what your peers think about Microsoft Defender for Cloud. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,053 professionals have used our research since 2012.

What do I think about the stability of the solution?

The solution's stability is impressive; it's very stable.

What do I think about the scalability of the solution?

The scalability is excellent; if we grow or shrink in the future, the scalability is there to accommodate us. I rate the solution ten out of ten in this regard.

How are customer service and support?

When we have a critical issue, customer service is very prompt, and we often get support rapidly. We also get good help in our production environment.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously used Symantec Endpoint Detection and Response and switched because of the benefits of having a cloud-native solution. Additionally, the market is moving towards Microsoft, including many of our customers, so it makes sense for us to go with this trend.

How was the initial setup?

The initial setup consists of three steps for us; first, we conduct an assessment or discovery with a client to determine their requirements and develop an understanding of their environment. Second, we design and plan the deployment to fulfill the client's requirements. Third, we implement and conduct a POC, and if successful, we roll out the entire deployment. The complexity of the setup and the number of staff required depends on the size of the business.

For an organization with 500-1,000 staff, for example, the initial information gathering takes four weeks, the design and planning stage takes two weeks, and the implementation and POC take another two weeks. Therefore, the deployment can take between eight and 15 weeks for a two-person team.

In terms of maintenance, the solution requires monitoring and routine inspection of the details across the services.

What other advice do I have?

I rate the solution nine out of ten. 

DevOps security features are in the preview phase, so we may utilize the solution for that in the future.

We use Microsoft Sentinel, enabling us to ingest data from our entire ecosystem. This data ingestion is important to our security operations because information on our critical applications and services provides us with activity, audit, and application logs. This logging capability means Sentinel allows us to investigate threats and respond holistically from one place. 

To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor's security suite, I'd say there are benefits in going with a single vendor.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Sales Manager at Voit Digital
Reseller
Comprehensive and centralized device management with room for licensing clarity
Pros and Cons
  • "The valuable features include the ability to manage devices and the fact that Defender can replace other security tools like SCCM."
  • "There are challenges with the licensing policies, which are quite complicated."

What is our primary use case?

For example, the customer wants to restrict USB connections or any output device, or they want to verify any link they open before opening it in their real environment. Mostly, they replace the current security tool they are using, such as Kaspersky, with Defender for Cloud because it integrates well with Office 365.

How has it helped my organization?

The biggest advantage is it centralizes management. Customers do not have to manage different vendor products. They feel confident using Microsoft because of the long-recognized technology and detailed technical documentation available online.

What is most valuable?

The valuable features include the ability to manage devices and the fact that Defender can replace other security tools like SCCM. Since they use Office 365, they need tools that work better in their organization, such as M365 Defender for Cloud.

What needs improvement?

There are challenges with the licensing policies, which are quite complicated. The documentation is difficult to understand and resellers need proper training to support customers effectively. Microsoft should provide better training for resellers.

For how long have I used the solution?

I have been working with Defender for Cloud for more than five years.

What do I think about the stability of the solution?

It is quite stable. It doesn’t have significant stability issues. I would rate it an eight for stability.

What do I think about the scalability of the solution?

I am not the one using it directly, yet I haven't heard any complaints, so I would rate it a five.

How are customer service and support?

Working with Microsoft technical support can be challenging. The problem-solving process can be delayed, and not all issues get resolved promptly. If there are ten tickets, maybe only five or six get resolved satisfactorily.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Customers are replacing security tools like Kaspersky, Symantec, or Broadcom to use Defender for Cloud because it integrates seamlessly with Office 365.

How was the initial setup?

The initial setup is not very easy, yet it is manageable. It is not too difficult for those familiar with the product. It is a medium-complexity setup.

What about the implementation team?

The implementation should be handled by the reseller. Resellers need proper training from Microsoft as the documentation is complicated.

What was our ROI?

In Vietnam, the cost structure makes it expensive. The licensing is priced publicly on the Microsoft website and it adds up based on the number of users.

What's my experience with pricing, setup cost, and licensing?

The cost is expensive for the Vietnamese market. It is publicly available on the Microsoft website, and the pricing depends on the number of users.

What other advice do I have?

Organizations should ensure resellers are well-trained to support the new technologies. Proper documentation and support are crucial.

I'd rate the solution seven out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer:
Christian Belisle - PeerSpot reviewer
Core Infrastructure Cloud Operations Team Lead, Information Technology at Saputo
Real User
Provides a prioritized list of remediations for security issues, reducing risk and improving security operations
Pros and Cons
  • "Defender for Cloud provides a prioritized list of remediations for security issues, reducing risk and improving security operations."
  • "Scalability is great, and I would rate it a ten out of ten."
  • "It's hard to reach someone who understands my problems. I haven't had many issues, so I haven't called them."

What is our primary use case?

We use Defender for Cloud for workloads that involve large amounts of data.

How has it helped my organization?

It's cost-effective to create custom logs in Defender for Cloud. 

What is most valuable?

Defender for Cloud provides a prioritized list of remediations for security issues, reducing risk and improving security operations.

What needs improvement?

There is room for improvement in terms of cost-effectiveness when enabling every single log, including custom logs.

For how long have I used the solution?

I've been using Defender for Cloud for a year and a half.

What do I think about the stability of the solution?

I have no issues with the stability of Microsoft Defender for Cloud.

What do I think about the scalability of the solution?

Scalability is great, and I would rate it a ten out of ten.

How are customer service and support?

It's hard to reach someone who understands my problems. I haven't had many issues, so I haven't called them.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used an unspecified different solution before adopting Microsoft Defender for Cloud.

How was the initial setup?

The solution is really easy to enable.

What about the implementation team?

I interacted with a Microsoft representative for implementation, and the process was straightforward.

What's my experience with pricing, setup cost, and licensing?

The setup costs are low because it's easy to enable. However, I'm not clear on other pricing details.

Which other solutions did I evaluate?

I didn't evaluate other solutions extensively before choosing this.

What other advice do I have?

I rate Defender for Cloud 10 out of 10.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
MICHEL RACT-MUGNEROT - PeerSpot reviewer
Personal business manager at La Mairic
Real User
Top 5 Leaderboard
Has the ability to identify threats using signatures, analyze threat behavior, and good integration
Pros and Cons
  • "The solution is up-to-date with the latest updates and identified threats."
  • "Most customer teams need more training on this type of product."

What is our primary use case?

My role is more on the FinOps side. My customers use it.

How has it helped my organization?

In specific contexts like the finance or healthcare areas, there are regulations requiring compliance. At this stage, we need to be able to prove we have state-of-the-art endpoint protection and the ability to show that all these tools are up-to-date with the latest updates and identified threats. This is very useful for my customers to be able to prove compliance.

What is most valuable?

Mainly, the ability to identify threats using signatures, analyze threat behavior, and integrate with other cloud services, specifically Azure Log Analytics and other logging projects. These are the features I like. 

What needs improvement?

Customers generally find it satisfactory for their needs. Most organizations struggle with the ability to handle this type of product. Sometimes, it's a lack of knowledge or expertise on Microsoft Defender, which leads to issues with certain tasks. That can be a bit difficult to figure out.

Most customer teams need more training on this type of product.

Due to the lack of expertise or hands-on experience with the product, it's sometimes difficult to determine whether the issue lies with Microsoft Defender or another related project. In the cloud, everything is tightly connected, making it challenging to pinpoint which part is failing. So, the lack of a deep understanding of the product leads to some difficulties.

In future releases, I would like to see the integration of artificial intelligence to ease the administrative burden; that would help a lot, especially when it comes to deploying the product to fit specific contexts, architectures, or infrastructures. That would fill the gap caused by the lack of expertise or knowledge.

There are some promises that Microsoft has made, but I'm not aware if they've been fully implemented.

For how long have I used the solution?

I have been using it for three years. 

Which solution did I use previously and why did I switch?

I worked with Cybereason and other standard antivirus programs, but nothing as full-fledged as Microsoft Defender.

What other advice do I have?

Overall, I would rate the solution as eight out of ten.

My recommendation heavily depends on the context, the customer's IT landscape, the maturity of the team working there, and many other factors that need to be taken into account when selecting a product. 

Microsoft Defender by itself is a good choice, but ultimately, the best option depends on the specific context.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
CEO at Wood IT Security
Real User
Top 20
Gives insight into potential avenues for attack paths, but it is expensive, and the user interface must be improved
Pros and Cons
  • "The product has given us more insight into potential avenues for attack paths."
  • "The product must improve its UI."

What is our primary use case?

I use the solution for threat hunting. We've installed it on a lot of devices. I look for specific version numbers or threats within the environment.

How has it helped my organization?

The product has given us more insight into potential avenues for attack paths.

What is most valuable?

I like that the solution shows me recent log-ins for certain servers and devices. It's pretty helpful to track down activities and identify or tie them to specific users.

What needs improvement?

The product must improve its UI. Looking at multiple devices for the same issue or vulnerability is very cumbersome.

The solution should provide built-in features related to trending and graphing over time. If it’s already present, we haven’t found it. It doesn't seem intuitive to find it quite as easily as some other tools with ready-to-go dashboards.

For how long have I used the solution?

I have been using the solution for two years.

What do I think about the stability of the solution?

The tool’s stability seems to be pretty good. I'm sure Microsoft takes care of its backend structure since it is a cloud solution.

What do I think about the scalability of the solution?

Scalability, in general, is fine. We can deploy it on as many devices as we want. However, getting meaningful results and data out of that is not easy, especially when some of the things you're looking for might be across your entire enterprise. For example, if we want to know whether a DLL version is installed on any device, trying to get that information by going one by one through the devices is ridiculously cumbersome.

Which solution did I use previously and why did I switch?

We used LogRhythm for a little bit. We switched to Microsoft Defender for Cloud because we wanted to do a cloud homogenization. We wanted to bring things away from on-premise and into the cloud because we had cloud assets. It just made more sense to have a cloud solution to manage the tools instead of pulling back into our network and opening the tunnel paths to our on-premise LogRhythm server.

How was the initial setup?

The solution is deployed on-premise as well as on the public cloud. Our cloud providers are Azure and AWS. We also have some GCP assets. We have around 20,000 total devices. They don’t always correspond to an end user. Of those, maybe 12,000 to 13,000 are enrolled in Microsoft Defender for Cloud.

Other devices we have are either outdated Linux or outdated Windows. We’re trying to migrate all the ones we can, and then some of them will be those narrow use-case devices where it wouldn't really make sense or be feasible for them to have a definitive cloud. They're limited processing power devices, like iPads and tablets.

What about the implementation team?

The product certainly requires maintenance.

What was our ROI?

Just based on costs, I do not see an ROI. However, evaluating a return on investment for something that provides insight into risks and vulnerabilities is not my area of expertise. In my opinion, a lot of it can't be quantified.

What's my experience with pricing, setup cost, and licensing?

We have the full E5 license. The tool is pretty expensive.

Which other solutions did I evaluate?

We evaluated Splunk. Splunk's really expensive. It would also have been an on-premise solution. We needed a cloud solution.

What other advice do I have?

We use Microsoft Defender for Cloud to support Azure natively. The solution's ability to protect hybrid and multi-cloud environments is pretty important for us, just as much as for anyone else.

The unified portal for managing and providing visibility across hybrid and multi-cloud environments could be better with some of the ways things are displayed. Overall, it’s all right.

We have had the solution since we started cloud. I cannot provide a comparison for it. I don't pay too much attention to Microsoft Secure Score. However, I’m sure the product has affected it. We use the product to track down vulnerabilities and missing patches. When those get passed, I'm sure that it changes the score.

We have integrated Microsoft 365 and Microsoft Defender for Cloud with Microsoft Sentinel. However, I don't deal with it specifically. The tool’s UI could be better. As it is right now, we can only view information from one device at a time. It is extremely limiting.

The solution is pretty good at keeping our multi-cloud infrastructure and cloud resources secure. We use AWS, and we also have some Windows devices in AWS. We have Microsoft Defender on those.

Microsoft Defender for Cloud has helped save some of our SOC time. The reporting features, being able to search multiple devices for a specific vulnerability or incident and tying it back, are very difficult to do in the UI. There's some scripting that can be done, but that doesn't make it easier for a lot of people.

We have set up alerts in the tool. That, combined with other industry scanners like Tenable Nessus, Invicti, and a couple of others that we utilize in our environment, sends updates and alerts to us so that we can quickly respond to issues. We were not measuring TTR. So, the effect on the overall TTR is negligible.

It is hard to quantify whether the product has saved us money. We haven't seen any attacks from ransomware gangs. Possibly, those are being prevented, and we don't get alerts for some of these attacks. It has not saved us money. It's expensive. However, it is not expensive compared to all our computers being locked up and someone demanding two million dollars.

People evaluating the product must look at other options to determine what works best for their environment and organization. It may not necessarily be the best option, but it might be. It certainly works well in a wholly Microsoft Windows environment, especially with other Microsoft software as a primary. If they’re using OfficeSuite, like Microsoft Word and Microsoft Excel, it works well. If they have other things within their environment, they must do their homework and research to see if it works.

Overall, I rate the tool a seven out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Modern Work and Security Lead at Cloud Productivity Solutions
Real User
Helps us focus on specific vulnerabilities and security gaps that have to be fixed quickly
Pros and Cons
  • "The main feature is the security posture assessment through the security score. I find that to be very helpful because it gives us guidance on what needs to be secured and recommendations on how to secure the workloads that have been onboarded."
  • "The solution's portal is very easy to use, but there's one key component that is missing when it comes to managing policies. For example, if I've onboarded my server and I need to specify antivirus policies, there's no option to do that on the portal. I will have to go to Intune to deploy them. That is one main aspect that is missing and it's worrisome."

What is our primary use case?

I use it for managing our customers' server vulnerability assessments for regular and SQL servers. I also use it to get a security score for the resources of our customers that are on Azure, as well as security posture management. 

We also have regulatory benchmarks to audit our customers' resources that are on Azure to check whether they're meeting regulatory standards like ISO 27000.

How has it helped my organization?

It has enabled our organization to have an organized approach to, and quick visibility, or a bird's-eye view, of the current security portion. The way the portal organizes things has allowed us to focus on the specific vulnerabilities and security gaps that have to be fixed quickly. It gives us flexibility on what we should be checking on.

Defender for Cloud has helped us reduce or close some of the key security gaps of our main assets on the cloud. It has also helped us comply with some of the regulatory compliance standards, like CIS and ISO 27000 because of its main features. And it has also helped us in terms of threat detection and vulnerability management.

Another benefit is that it has really helped detect some of the Zero-day-model threats. We've also been able to utilize the automation features to investigate and remediate some of the threats that have been discovered. It has improved the time it takes to remediate threats, mainly because of automation. The logic apps that we've been able to set in either Sentinel or Defender for Cloud are the main components that have really improved that efficiency, and the time needed for remediating threats.

The time to respond is near real time, if the logic apps are in use, because it's just a matter of putting the playbooks into action. This is something that we've tested and found is quite effective for remediation.

The solution has also saved us money over going with a standalone solution where you purchase licenses for servers for a whole year. Now, we pay only for the servers in use. With the subscription-based model for servers, you're only paying per hour and only when the server is being utilized.

What is most valuable?

The main feature is the security posture assessment through the security score. I find that to be very helpful because it gives us guidance on what needs to be secured and recommendations on how to secure the workloads that have been onboarded.

Another component, although I can't say it's specific to Defender for Cloud, is that the onboarding process is easy. I find that helpful compared with the competitors' solutions. Onboarding the resources into Defender for Cloud is quite easy.

Also, we have integrated Microsoft 365 and Microsoft Defender for Cloud with Microsoft Sentinel and the integration is actually just a click of a button. It's very easy. You just click to connect the data sources and Microsoft Sentinel. Having them work together is an advantage. I like the fact that the main threat notification console has moved to Security Center so that we don't have to go into each of these solutions. It's beneficial having the three solutions working together in terms of the investigations that we have been doing with them.

The threat intelligence is quite good at detecting multi-level threats. If, for example, you integrate Defender for Endpoint and 365 and Defender for Identity, the threat intelligence is able to grab these two signals and provide good insights into, and a good, positive view of the threats.

What needs improvement?

The solution's portal is very easy to use, but there's one key component that is missing when it comes to managing policies. For example, if I've onboarded my server and I need to specify antivirus policies, there's no option to do that on the portal. I will have to go to Intune to deploy them. That is one main aspect that is missing and it's worrisome.

Defender for Cloud, as a solution, allows you to manage and protect servers from vulnerabilities without using Defender for Servers. I find it a bit weird, if you are to manage the antivirus for servers on the portal, that you can't deploy the antivirus policies on the same portal. For instance, if you want to exclude a particular folder from an antivirus scan or if you want to disable the antivirus from the portal, you'll not ideally do it on the portal. That's a huge part that is currently missing.

Also, some thought has to be put into the issue of false positives. We've been seeing false positives that are related to Sentinel through the integration. We have been giving them this feedback, but I don't know if that is something that Microsoft is working on.

The time for detection is one of the things that we were also supposed to raise with the Microsoft team. There is a slight delay in terms of detection. That "immediate" factor isn't there. There's a need to improve the time to detection. When malware has been detected by Defender for Endpoint, we find that it takes approximately one to two minutes before the signal reaches Defender for Cloud. If that could be reduced to near-real-time, that would be helpful. That's one of the key areas that should be improved because we've done some simulations on that.

For how long have I used the solution?

I have been using Microsoft Defender for Cloud for three years.

What do I think about the stability of the solution?

It's quite stable. In my experience, there have been no issues with the stability.

How are customer service and support?

Because we have Premium Support, the support is quite okay. We are able to get answers to most of the queries that we raise.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is quite easy, especially if it's for non-servers. It's just a matter of enabling and disabling servers, using the Azure app.

And the solution doesn't require any maintenance on our side.

What's my experience with pricing, setup cost, and licensing?

There are improvements that have to be made to the licensing. Currently, for servers, it has to be done by grouping the servers on a single subscription and that means that each server is subject to the same planning. We don't have an option whereby, if all those resources are in one subscription, we can have each of the individual servers subject to different planning.

There's no option for specifying that "Server A should be in Plan 1 and server B should be in Plan 2," because the servers are in the same subscription. That's something that can be fixed. 

Also, there needs to be a clear description by Microsoft for those customers who have Defender for Endpoint for Servers and Defender for Servers because now they don't know which subscription they should purchase.

Which other solutions did I evaluate?

I've used many solutions, but Defender for Cloud is in its own class. You can't compare it with third-party solutions because those solutions either have a third-party antivirus or they're not integrated in the same way as Defender for Cloud is. Because Defender for Cloud integrates multiple solutions within it, like Defender for Endpoint, other workloads, and the firewall manager, it stands on its own as a single solution that contains all these solutions. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Junior Pierre-Toussaint - PeerSpot reviewer
Senior Information Technology Security Officer at CLEAR (clearme.com)
Real User
It helps us secure our environment by providing a wider overview of our endpoint security and anti-malware technology
Pros and Cons
  • "It isn't a highly complex solution. It's something that a lot of analysts can use. Defender gives you a broad overview of what's happening in your environment, and it's a great solution if you're a Microsoft shop."
  • "Defender is occasionally unreliable. It isn't 100% efficient in terms of antivirus detection, but it isn't an issue most of the time. It's also somewhat difficult to train new security analysts to use Defender."

What is our primary use case?

Defender for Cloud is used for scenarios including internal threats, threat hunting, in-depth analysis, and scanning the environment. We don't use Microsoft Defender for ATP or Sentinel for our security score; we have a third-party solution.

How has it helped my organization?

Defender helps us evaluate our security posture and make it more secure by providing a wider overview of endpoint security and anti-malware technology. We have greater visibility into all the activity happening within the infrastructure and better oversight.

It helps us catch threats that we wouldn't have noticed and also enables us to be more proactive. For example, we can run a script within the environment and provide better insights. Defender increased the efficiency of our SOC by around 65 to 80 percent.

What is most valuable?

At my previous company, the environment was 100% cloud, so having a cloud-native solution was critical. Also, in a cloud environment, you are exposed to many users with different user behavior patterns, so it's good to have UEBA features that look at patterns in user behavior.

The unified portal provides a gap analysis of what's going on across the environment with users, and what they do across the environment every day. Having that single pane of glass is essential.

What needs improvement?

Defender is occasionally unreliable. It isn't 100% efficient in terms of antivirus detection, but it isn't an issue most of the time. It's also somewhat difficult to train new security analysts to use Defender.

For how long have I used the solution?

I used Microsoft Defender for two years at my previous company.

What do I think about the stability of the solution?

Defender for Cloud is stable.

What do I think about the scalability of the solution?

Defender for Cloud is scalable. It's easy to use and manage for large environments.

Which solution did I use previously and why did I switch?

When I joined my last company, they were already using Defender. However, I've worked at several companies that use other solutions such as ESET, CrowdStrike, etc. I've previously worked with EDR and XDR solutions. 

How was the initial setup?

I've done a couple of POCs for Microsoft Defender with the company, and the process is always the same. We don't deploy everything into live environments. It is deployed to a testing environment. After we test a couple of times, we undergo a complete training process. Finally, we organize and deploy it to a section of the company. We usually deploy one segment at a time, like finance, marketing, etc. 

If you have ATP Defender, you must set up a data lake. After deployment, there isn't much maintenance on our end besides managing the logs. You must create scripts for your use cases to inject into the solution. The deployment team typically consists of two people from security, two from infrastructure, and the service desk manager. 

What's my experience with pricing, setup cost, and licensing?

I don't typically handle the licensing. I do POCs and product evaluations. However, I know that Defender for Cloud is packaged with other Microsoft solutions. Most people with Defender ATP also have the E5 or F5 license. It comes with the package, so you only need to activate and configure the solution.

What other advice do I have?

I rate Microsoft Defender for Cloud a seven out of ten. Most of the time, it isn't the most advanced antivirus software on the market. It isn't a highly complex solution. It's something that a lot of analysts can use. Defender gives you a broad overview of what's happening in your environment, and it's a great solution if you're a Microsoft shop. 

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer2595279 - PeerSpot reviewer
Project Cloud Center of Excellence Leader at a manufacturing company with 10,001+ employees
Real User
Enhances security operations by providing a prioritized list of remediation for security issues that are identified
Pros and Cons
  • "Microsoft Defender for Cloud is a valuable tool that integrates seamlessly with Azure Policy and our Security SIEM, simplifying implementation and enhancing security posture."
  • "Microsoft Defender for Cloud could be improved by adding capabilities for NetApp files and more PaaS resources from other vendors, not just Microsoft."
  • "Microsoft Defender for Cloud is pricey, especially for Kubernetes clusters. It could be cheaper."

What is our primary use case?

We use Microsoft Defender for Cloud to fill a gap temporarily by providing a platform solution for PaaS scanning, as there wasn't an enterprise-wide product available.

How has it helped my organization?

Microsoft Defender for Cloud offers a good range of workload coverage that effectively meets our current needs.

Microsoft Defender for Cloud enhances security operations by providing a prioritized list of remediation for security issues identified through Azure Policy and Sentinel. This integration offers unprecedented visibility into PaaS resources, which we did not have before.

It enhanced our security posture by enabling us to scan PaaS resources.

Microsoft Defender for Cloud has worked well coordinating detection and response across our devices, identities, apps, emails, data, and cloud workloads.

What is most valuable?

Microsoft Defender for Cloud is a valuable tool that integrates seamlessly with Azure Policy and our Security SIEM, simplifying implementation and enhancing security posture. Furthermore, its integration with Sentinel provides prioritized remediation steps for security issues identified through both Azure Policy and Sentinel, increasing visibility into PaaS resources and streamlining our security operations.

What needs improvement?

Microsoft Defender for Cloud could be improved by adding capabilities for NetApp files and more PaaS resources from other vendors, not just Microsoft.

For how long have I used the solution?

I have been using Microsoft Defender for Cloud for a year and a half.

What do I think about the stability of the solution?

Microsoft Defender for Cloud is stable.

What do I think about the scalability of the solution?

Microsoft Defender for Cloud is scalable.

How are customer service and support?

Microsoft customer support has been great so far.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?


How was the initial setup?

Microsoft Defender for Cloud is easily deployed using Azure Policy and a workspace.

What was our ROI?

So far, Microsoft Defender for Cloud essentially plugs the security gap we were looking to fill, so it has shown a return on investment.

What's my experience with pricing, setup cost, and licensing?

Microsoft Defender for Cloud is pricey, especially for Kubernetes clusters. It could be cheaper. Wiz is a little better from a reporting perspective.

Which other solutions did I evaluate?

We did not evaluate other solutions because Microsoft Defender for Cloud was the easiest to implement under the circumstances and the most readily available. Otherwise, the application would have been subject to the standard intake and other corporate processes.

What other advice do I have?

I would rate Microsoft Defender for Cloud an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Microsoft Defender for Cloud Report and get advice and tips from experienced pros sharing their opinions.
Updated: December 2024