Microsoft Defender for Cloud Reviews

We are primarily using Azure Security Center to bring a level of security into the environment. Before I started to work with this solution, I was a Kubernetes and Azure Cloud architect. I was working for a service provider where I did not get the opportunity to look at how do they secure the resources, but in the last one and a half years, I had to get into those aspects because the organization I was working for wanted to introduce Kubernetes into the ecosystem, and the main concern was regarding all the hacking that was going on. For introducing Kubernetes as a platform, all business managers wanted to know if it was secure or how to make it secure. We started to look at Azure Security Center and its capabilities because Azure was their main solution. We also used AWS and GCP to some extent, but predominantly, we had Azure. So, we first took Azure Security Center and started to leverage its features.

Azure gives access to a lot of policies and allows you to group those policies into initiatives. There were about 170 subscriptions spread across sandbox, dev, test, non-prod, and prod environments, which were spread across India, Canada, and the USA. Each geography had its own data resiliency requirements, so these policies had to be applied stringently. For example, if somebody created a virtual machine, it had to be in a specific region, or if someone was storing the data in a database, it had to be only in that region. It could not cross the border. So, we had to first enforce policies at the level where we had to identify where the storage resources were, which network could talk to which network, and who could do what, and then it went on to all levels. Azure provided very good, robust, and built-in policies for each resource, and we had to set some to audit and some to enforce. 

While setting policies for about 170 subscriptions, we needed to ensure consistency. We needed to apply them consistently across all subscriptions. Azure Security Center helped us in ensuring that we audit certain policies, and we also enforce certain policies. We had set some policies to audit because we wanted to see what's going on, and we had set some policies to enforce because of regulatory purposes or because of the way the entire network and all the systems were designed. We used Azure Security Center as our central place to administer policies. We had to group all the subscriptions into management groups, and there was a hierarchy of groups. We could apply the policies at one specific level, and any subscription that we would create under that group would have the same set of policies. It helped us in getting a bird's-eye view through dashboards. We could see what was happening across the enterprise.

We started using it for Kubernetes, but it expanded into a wider initiative of more stringent policies across the board. In terms of lift and shift, a lot of people get tempted to go to GCP because it is cheaper, but we were primarily using Microsoft products. So, we started adopting Azure, and we did not pay attention to Azure Security Center at the beginning. When we looked at Azure Security Center for the first time, it had already been three years, and we had done almost 100% lift and shift, but we could recover from any aspect of security. Azure Security Center helped us in recovering from our mistake. If we had worked with it at the start of our journey, it would have been easier, and even though we were looking at it halfway through our journey, it still helped us. I consider it halfway because lift and shift is only one part of the process. You are saving a lot of money, but you are still not cloud-based. The real power of the cloud comes when you start using the platform services, and before starting to use them, we were able to get into a secured environment. Kubernetes was the first platform that we were looking at, and when we were able to secure it, everything else was pretty simple. That's because, with Kubernetes, there is a shared responsibility model where the cloud provider takes care of some of the aspects, and you have to take care of a lot of things. Azure Security Center helps in ensuring that you have taken care of and secured everything.

Its recommendations are really good. Most of the time, they are appropriate. Azure comes with a lot of default policies that are set to audit only. As the enterprise grew and we started adopting the cloud, initially, we didn't pay much attention to Azure Security Center. For us, Azure Security Center was like an afterthought; it was not planned from day one. In our enterprise journey, when we started looking at it halfway through, we realized that there were so many violations. We started with auditing. We found policies that nobody was using, and then we started enforcing them. It was really good in terms of built-in policies, recommendations, and then applying them across the board with a minimal set of actions.

It is very intuitive when it comes to policy administration, alerts and notifications, and ease of setting up roles at different hierarchies. It has also been good in terms of the network technology maps. It provides a good overview, but it also depends on the complexity of your network.

For Kubernetes, I was using Azure Kubernetes Service (AKS). To see that whatever is getting deployed into AKS goes through the correct checks and balances in terms of affinities and other similar aspects and follows all the policies, we had to use a product called Stackrox. At a granular level, the built-in policies were good for Kubernetes, but to protect our containers from a coding point of view, we had to use a few other products. For example, from a programming point of view, we were using Checkmarx for static code analysis. For CIS compliance, there are no CIS benchmarks for AKS. So, we had to use other plugins to see that the CIS benchmarks are compliant. There are CIS benchmarks for Kubernetes on AWS and GCP, but there are no CIS benchmarks for AKS. So, Azure Security Center fell short from the regulatory compliance point of view, and we had to use one more product. We ended up with two different dashboards. We had Azure Security Center, and we had Stackrox that had its own dashboard. The operations team and the security team had to look at two dashboards, and they couldn't get an integrated piece. That's a drawback of Azure Security Center. Azure Security Center should provide APIs so that we can integrate its dashboard within other enterprise dashboards, such as the PowerBI dashboard. We couldn't get through these aspects, and we ended up giving Reader security permission to too many people, which was okay to some extent, but when we had to administer the users for the Stackrox portal and Azure Security Center, it became painful.

We were also using it for just-in-time access for developer VMs. Many a time, developers need certain administrative privileges to perform some actions, and that's where we had to use just-in-time privileges. Administering them out of Azure Security Center is good, but it also means that you have to give those permissions to lots of people, which is very cumbersome. So, I ended up giving permissions to the entire Ops team, which defeats the purpose and is also not acceptable at a lot of places.

These were the two use cases where I felt that I really had to get into the depth of Azure Security Center to figure out how I can use it much better.

I have been working with this solution for the last one and a half years. 

I didn't find any issues with its stability. When you start using Azure Security Center to look at your on-prem application or resources, you might have issues with monitoring these on-prem resources, but it is not related to the stability or reliability of Azure Security Center. It has nothing to do with Azure Security Center; it is related to how you have configured, what kind of resources you have, and what permissions you have given. 

Sometimes, the network operations team and security operations team are not in tandem with each other. We had done lift and shift for most of the resources, but there were still some resources that were on-prem. For on-prem resources, people are comfortable with Dynatrace and other similar tools, but they are not really security tools; they come under the observation and monitoring tools. It can be very hard to sell Azure Security Center for something that is on-prem, and because of the corporate silos, someone might not give you access to an on-prem resource. For example, your Oracle Database is still on-prem, and you are systematically strangulating the application and moving it to Cosmos DB or SQL Server on the cloud, but you are not allowed to monitor it. In such situations, Azure Security Center can only report one part of the application, which makes it tough to tell business managers

why this application is down, what went wrong, why there is latency, what is the problem, etc. So, more than the product, it has to do with ensuring that the SOC team works with the NOC team and ensures that they have the required access so that they can also observe on-prem resources from the security aspect. Otherwise, you won't know what's happening. You won't know if any hacking is going on, or if somebody is doing SQL injections to the on-prem Oracle Database. You wouldn't have a clue.

I'm an architect. I don't deal with the regular operations aspects.

There is nothing in terms of the setup. It comes by default. It is only about paying attention to the Azure Security Center in terms of giving correct roles to subscription owners, security administrators, etc. It is only about properly setting up those roles.

It only required going through the documentation in detail and having a couple of brainstorming sessions. We didn't have to hire any special consultants. We could do it ourselves. We spent a week properly going through the documentation. Having a word with the product managers also helped. Many times, such implementations have more to do with the way organizations are structured in terms of departmental silos. So, it helps to get everybody on board and ensure that everybody has the same understanding. It is related to an organization's culture; it has nothing to do with the product. It is more related to outsiders and insiders and different levels of knowledge and backgrounds, but the product itself is pretty simple to start with.

We did it ourselves.

It is bundled with our enterprise subscription, which makes it easy to go for it. It is available by default, and there is no extra cost for using the standard features.

I don't know if any other solution was evaluated. Most probably, we didn't because Azure Security Center is available by default, and there is no extra charge for using the standard features.

When you're using such platform services, you've got to be a little bit careful because the products are always getting updated. You need to keep an eye on the product roadmap in terms of what's coming up so that you are not duplicating. That's what we had to do with Stackrox. We discussed with Microsoft's technical support team, and we got a confirmation that they're not going to take care of CIS benchmarks in the near future. It was a little bit disheartening, but at least, we knew upfront that Microsoft is not going to look into this area. They were open and candid about what they were going to do and what they were not going to do. So, we started looking at other products. Microsoft keeps on updating its products to keep them relevant. So, you need to know what they are implementing in the next three months or six months so that you can at least tell the security teams that a certain feature is coming up.

We didn't have to do it for Azure Security Center, but for Azure Firewall, we had to request certain features, and there are a lot of features that are still pending. For example, if I use Azure Firewall, just-in-time permissions do not work. If VMs are behind Azure Firewall, then through Azure Security Center, I can't give permissions, but if I use the Palo Alto firewall, I can do the same. So, we had to set up our VMs by using the Palo Alto firewall. Sometimes, Microsoft does strange things, and they don't talk to the Azure Firewall team. After one and a half years of asking for that feature, it is still a no-go. We want to use Azure Firewall because it is not VM-based. With the Palo Alto firewall, I have to provide one more VM in between and start administering it. So, I have one extra resource that needs to be administered, and it is non-Azure or non-Microsoft.

When you start enforcing policies across multiple subscriptions, you need to be very careful. You need to pay attention to the notifications that come out. The notification details were where we had to do some customization. We had to prioritize the notifications and then put them into a group mailbox so that instead of one person, a group of teams gets notified. We could write an Azure function around it to integrate with Microsoft Teams. We could push them to the Microsoft Teams channel. It took some amount of effort. It took about a week of tinkering, but we were able to notify the entire development team. As we started auditing and enforcing from our sandbox to the development environment, we started discovering a lot more things. We got formal requests on why we had to disable some policies. We got more specific feedback. When we are able to catch such things early in the life cycle, it becomes easier to protect the higher-level environments properly. It was very good in terms of the dashboard, converting from non-compliance to audit, or enforcing policies across multiple subscriptions. We had to customize the notifications, and it would've been nice if there was a more intuitive way of customizing the notification, but it might also be because of our knowledge level at that time. We could have also integrated it with Slack because it supports integration with Slack, but we predominantly use Microsoft Teams.

I would advise others to start playing with it. They can start with a sandbox environment. If an enterprise has multiple resources, such as VMs, databases, they should put all of them in different resource groups in a subscription and categorize their resources properly. All resources should be structured properly. Otherwise, it is really difficult to administer policies at the resource level. They have to group them properly so that they are managing resource groups or subscriptions rather than individual resources. So, structuring of the resources is the key to the administration of policies. It took quite some time for us. It was not an easy task. We create Terraform scripts for setting the entire infrastructure. So, we had to reorganize our Terraform scripts to ensure that the resources were created in appropriate resource groups and communication can happen across resource groups. We had to set up the NSGs properly from the network point of view so that they all were accessible. It took us quite some time, but organizing the resources pays very well when it comes to spinning the higher-level environments and ensuring that they're compliant or they work.

I would rate it an eight out of 10.

I use this solution in two different scenarios. The first is for the security and monitoring of Azure accounts. Another is for SIEM integration and the Azure Gateway WAF. Essentially, it's a one-stop solution where you can integrate all of the other Azure security products. This means that instead of maybe going to Firewall Manager, Azure Defender, or WAF, you can have all of them send statistics or logs to Azure Security Center, and you can do your analysis from there.

This product helps us with regulatory compliance.

With respect to improving our security posture, it helps us to understand where we are in terms of compliance. We can easily know when we are below the standard because of the scores it calculates.

It helps us with alerts. You're able to automatically channel these alerts to emails and get the team readily looking into the issue.

We don't need a distributed team looking at the various security solutions. Instead, they just look into Azure Security Center and then get everything from one place.

It also supports multiple cloud integration, where you can add other clouds like AWS and GCP. However, we don't use that feature. 

The most valuable feature is the help with regulatory compliance, as it gives us security scores and the CVE details.

Centralized management is another feature that is key for me.

This product has a lot of features but to get the best out of it, it requires a lot of insight into Azure itself. An example of this is customizing Azure Logic Apps to be able to send the right logs to Security Center.

The overview provides you with good information, but if you want more details, there is a lot more customization to do, which requires knowledge of the other supporting solutions. You can get the best out of it, but then you will also need to do a lot of work.

Improvements are needed with respect to how it integrates the subscriptions in various Azure accounts. You can have a lot of accounts, but you don't get detailed information. Specifically, it gives you overall score statistics, although it's not very intuitive, especially when you want to see information from individual subscriptions.

For example, if there are five subscriptions sending traffic to Azure Security Center, it gives you the summary of everything. If you want to narrow it down to one particular subscription and then get deep into the events, you really have to do some work. This is where they could improve.

In terms of narrowing things down, per account, it is not granular enough. In general, it gives you good summaries of what is happening everywhere, with consolidated views. You're able to get this information on your dashboard. But, if you wanted to narrow down per subscription, you don't want to have to jump into the subscriptions and then look at them one by one. Simply, we should be able to get more insights from within Azure Security Center. It's possible, but this is where it requires a lot more customization.

I have been using Azure Security Center for approximately two years.

In terms of stability and availability, Security Center is very good. It doesn't change. Because it's cloud-based, you don't actually have to manage infrastructure to get it up. If you are using the SIEM portion of it, it's what you are sending to it that will determine what you get out of it.

If you are using a hybrid solution from your own site then you have to make sure that your internet connection to the cloud is reliable. Your VPNs that are pushing data have to be stable, as well. Also, if you are using a third-party solution, you have to manage your keys well. But in terms of it being stable, I would say it's highly available and highly stable.

This solution is very scalable. You can integrate as many subscriptions as possible. They could be Azure subscriptions, AWS accounts, GCP, and other resources. Because it's cloud-based, I have not actually encountered any limits.

I know that with cloud providers when there are limits, you can request an increase, but in terms of how many, I have not seen any limitations so far. As such, I would say it's highly scalable.

We are using it a lot. For Azure, there are 20-plus subscriptions. We don't really use it for AWS accounts. Instead, we prefer to use AWS Security Hub on AWS, so we don't push AWS account data there. But for Azure, we used it for at least 20 subscriptions.

We have a distributed team. I have used it for the past two years in the company, and it's a huge organization. In the whole of the organization, Microsoft Azure is used as the main cloud. AWS was also used, but that was mostly for specific projects. In terms of the number of people using it, I estimate it is between 50 and 100.

Microsoft support is very good, although it may depend on the kind of support you have. We have enterprise-level support, so any time we needed assistance, there was a solution architect to work with us.

With the highest support level, we had sessions with Microsoft engineers and they were always ready to help. I don't know the other levels of support, but ours was quite good.

We began with the Security Center because it was for projects on Azure.

The initial setup is somewhat straightforward and of medium complexity. Especially when it comes to integrating subscriptions, I would not say that it's complex. At the same time, it is not as simple as just pressing the Next button several times. There are knowledge prerequisites before you can set it up fully and properly.

Setting this solution up was an ongoing project where we kept integrating subscription after subscription. If you know what you're doing, in a couple of days, or even a few minutes, you can get going.

If you need to build the knowledge as you go, it's something you could do in one day. You would integrate one subscription, and then start getting feedback. It's plug and play, in that sense.

The company has seen great returns on investment with this solution. In terms of security, you want to match the spending with how effective it is. Top management generally wants more reports. They want statistics and an analysis of what is happening. For example, reports need to say "We had this number of attempts on our systems."

As additional functionality, it's also able to support the business in terms of knowing and reporting the relevant statistics.

This solution is more cost-effective than some competing products. My understanding is that it is based on the number of integrations that you have, so if you have fewer subscriptions then you pay less for the service.

We did not evaluate anything else before choosing this product.

For example, we are now considering different products for SEIM integration. One of them is Palo Alto Prisma Cloud. However, the price is too expensive when compared to Azure. It is also a multi-cloud product, although, in the beginning, it didn't support AWS and GCP. It now has support for those cloud providers, as well as additional features that Azure doesn't have.

My advice for anybody who is implementing this product is to start building knowledge about it. Go to the Microsoft documentation and learn about it. As much as they show all of its great functionalities, you really need knowledge of other supporting resources that work with Azure Security Center, because it is just like a hub. It's what you push into it and how you customize it that determines what you get.

This means that if you don't have knowledge of Firewall Manager and you just want to use Security Center, it becomes a problem for you. This is something that you need to know. So, I advise people to get a holistic knowledge of all of the supporting resources that work with Azure Security Center to be able to maximize its value.

If you are looking to build on Azure then I would recommend the Security Center, mainly because of the cost and you will immediately get all of the functionality that you need.

The biggest lesson that I learned from using this product is that you don't get the best value right out of the box. You need further customization and configuration. The capabilities are there but if you don't have a dedicated security team with good technical know-how, such as scripting skills, or being able to work with the Logic App, or maybe the basic functionalities of security, then when you want more in-depth details into your subscriptions, it will become a problem.

I would rate this solution a seven out of ten.

Our primary use case is for cloud endpoint IoT security and overall cybersecurity implementations. We handle aspects from presales, installation, post-sales, and ongoing consulting to optimize customer security.

Implementing Microsoft Defender for Cloud has helped our organization in terms of providing robust cloud workload protection with minimal false positives. It also allows us to integrate with other tools like Splunk for observability and Qualys for vulnerability assessments, ensuring comprehensive security for our clients.

Some of the most valuable features of Microsoft Defender for Cloud include its effectiveness in threat detection through unsupervised machine learning, CTI, and advanced sandboxing. These features have consistently minimized false positives. The rich history of signature-based technology from Microsoft also adds to its reliability.

Integration into other third-party products, particularly those from tier three vendors like ManageEngine and Hexcode, has proven difficult. While there is ample documentation from Microsoft, the company needs to improve on making their integrations less challenging.

I have been working with Microsoft products for six to seven years.

We used to resell CyberX before it was acquired. The switch was made to enhance our security offerings with more comprehensive solutions.

The initial setup of Microsoft Defender for Cloud is manageable. Our team handles the presales, installation, and post-sales, ensuring the customer achieves a level of compliance with their security and regulatory needs.

We perform the presales, installation, and post-sales for clients. For compliance and consultancy, a dedicated consulting team works with the customers.

The pricing of Microsoft Defender for Cloud is very expensive. Although it is overpriced, many of our enterprise customers have a Microsoft ELA, making it the solution of choice.

Our customers also use products like CrowdStrike, Cyber Reason, TrendMicro, and AllGuard. Many are on Microsoft Azure, while some also use OCI and AWS.

The primary piece of advice would be to improve third-party integrations, especially with products from tier-three vendors. This would make the overall solution more versatile and easier to manage for diverse customer needs.

I'd rate the solution nine out of ten.

I work on micro-segmentation for my master's thesis, and I was looking for ways to implement micro-segmentation using Defender. I work on the assumption that small businesses can't implement expensive virtualization solutions, so I'm looking for alternatives to implement micro-segmentation for their network security.

I use the latest version of the solution.

It's a test deployment. I created the entire network. It's more like a laboratory setup.

The solution does what I want it to do. If you're already on Microsoft, this solution comes bundled with it. It's seamlessly integrated, and it improves security because I can determine who can access what applications and who or what my applications communicate with. It improves the transparency and visibility of the traffic in and out of the network of each workload on my system.

The benefits were realized almost immediately.

Compared to other products, it hasn't helped save SOC time or increase efficiency. I'm focused on micro-segmentation, so compared to other products, it wasn't built for that, but it can be adapted to it.

I'm not sure that the effect on my overall time for detection can be measured, but for non-threats, it's almost effective. The notification system is effective too. It lets me know as soon as there's a problem.

I use this solution to natively support Azure. It works seamlessly on the Azure platform because it's a Microsoft app. Its setup is similar, so if you already have a Microsoft account, it just flows into it.

It's very important to me that the solution has the ability to protect hybrid and multi-cloud environments. 

I'm looking to implement the solution in SMEs that might use different environments. Most SMEs don't have the resources to own their infrastructure entirely, so I can't really predict what environment they will be used in, therefore, I need a solution that is flexible enough to work in multiple environments, both online and offline. The only limiting factor is that I can not this solution use on platforms that aren't Microsoft.

The single pane of glass view is very important for me. It's great to be able to see everything at once and go where I need to very quickly. It's also easy to use if you've used any Microsoft product before. It allows me to see everything I want at a glance. I didn't think it was important until I started to use it, and then I realized how convenient it was.

For micro-segmentation, the unified portal has had an effect on my cloud security posture, but it's a lot of work because I have to configure the rules individually. It's difficult to compare this solution to a product like NSX or any other specialized micro-segmentation product, but because I'm trying to get a solution for small businesses that have about 10 PCs or 10 systems at the most.

It effectively defends against known threats. It also updates regularly, so the threat signatures are updated regularly, but I don't know how often the database is updated on Microsoft, so I can't really quantify its effectiveness against either zero-day threats or new threats.

I've only tried it on Azure cloud and it's effective. I've only used it on a single-cloud structure.

Right now, I'm setting rules for incoming and outgoing traffic for different applications.

From my own perspective, they just need a product that is tailored to micro-segmentation so I can configure rules for multiple systems at once and manage it. Instead of having to set up individual rules for individual applications, there should be a system that can allow me to set up multiple rules at once and can automatically update the rules as the infrastructure changes.

The solution is stable.

In general, the scalability is good. It wasn't built for my use case, which is micro-segmentation. If I had 100 systems, it would be a lot of work for me.

I have not had to call or get in touch with them, but there's a lot of documentation online. I've found a lot of what I need without having to contact anyone.

The documentation is excellent. There's a lot from Microsoft and other providers. I think it's a fairly popular system.

It was straightforward. I was the only person that deployed and tested the solution.

Initial deployment took a day, but the initial configuration rule setting took a while because it was my first time using the system.

The first step was to set up the cloud, install some test applications that I needed to protect, and then configure rules for traffic between the applications, and then between the application and external networks.

The solution doesn't really require any maintenance. It's fairly automatic. Once it's up and running, it pretty much works.

The cost is fair. There aren't any costs in addition to the standard licensing fee.

I didn't evaluate other options because I use this solution for thesis research. I researched which solution was the most used cloud and picked Azure.

I would rate this solution six out of ten. 

As a perimeter defense system, I would rate the solution a seven. As a micro-segmentation system or application, I would rate it a four.

As a perimeter defense solution, it's excellent. As a micro-segmentation product, it's not so great, especially if you have a lot of systems. It's not the product's fault because I don't think that's what it was built for.

We have a managed detection and response solution, a type of SOC/SIEM/SOAR product, and we are adding data sources to our solution. We want to have data for our Azure cloud environment as well, so we use Microsoft Defender for Cloud as one of the sources for our Azure environment.

We use it as an extra way to gain trust for our environment. We have purposely secured the total Azure cloud environment with firewalls, application gateways, et cetera, but we also want to have trust in our resource groups. That's an extra line of defense we have for our security.

It helps our teams to have more security awareness because, first of all, they have to think about setting up Defender for Cloud, and the cost of Defender for Cloud is borne by those teams. So they are more aware of protecting their own environments.

It also helps automate routine tasks and the finding of high-value alerts because the alerts sit in the data source itself. It's easier to prioritize alerts.

The main advantage is the detection and response. Threat intelligence helps you prepare for potential threats before they hit. If something is there, we will detect it. And there are special teams threat-hunting through the data.

We have our data sources everywhere, on endpoints and in the cloud. When we find something anywhere, we can act everywhere, because it's an integrated solution. It gives us more possibilities to take action automatically.

We like the security aspect. Most importantly, it's an integrated solution. We not only have Defender for Cloud, but we also have Defender for Endpoint, Defender for Office 365, and Defender for Identity. It's an integrated, holistic solution. In our MDR solution, it's not a Microsoft Sentinel SOC, rather we have a third-party SOC/SIEM and they also do threat hunting for us.

It's really easy to integrate these products. It's just an interface, the Microsoft Graph Security API. We can collect all the data and forward it to our solution. We don't only use Microsoft products as a data source, but all kinds of security products. We have data about our firewalls, our gateways, and our event collections from Windows, but also from Unix.

Sometimes, it's very difficult to determine when I need Microsoft Defender for Cloud for a special resource group or certain kinds of products. That's not an issue directly with the product, though.

I have been using Microsoft Defender for Cloud for less than a year.

It's a very stable solution. I haven't heard of any problems.

It is a scalable solution.

We use it across multiple regions including Europe and Oceania. We have multiple solutions for our data analysis and system development platforms. Our web shops are using it. It's used for almost everything in the cloud. We have about 2,000 endpoints.

Microsoft's technical support is fine. We don't have any issues with it.

Positive

We have a lot of other products, like McAfee, but we are changing everything to Microsoft Defender. We are switching because, enterprise-wide, we want to have one standard for everything to make everything easier to manage. And we want all the data it delivers to be the same. We want one view of the truth for everything.

It's very easy to deploy. That is the least of any problems. It's just a simple yes or no in the cloud. It took 10 seconds.

We have an Enterprise Agreement with Microsoft but we also have a Cloud Service Provider contract with several parties so we can easily get the licenses we need. It's very easy to install. It's almost by default.

The solution itself doesn't require maintenance in the traditional way, but everything we're doing with it is about innovation. We are trying to innovate each platform, and each solution. Innovation is an ongoing business process.

It hasn't saved us money, as it's a cost to our company, but we're safe. It's the same as insurance: If there are no burglars then you don't need it. So it doesn't save costs but it might save you costs if something happens. Safety will cost money, but it shouldn't be too much.

The pricing is very difficult because every type of Defender for Cloud has its own metrics and pricing. If you have a Cloud for Key Vault, the pricing is different than it is for storage. Every type has its own pricing list and rules.

We don't use the full capabilities of Defender for Cloud so I don't know if it is the same as Defender for Endpoint. That solution is autonomous and acts on incidents immediately, based on playbooks for a type of incident behavior. Defender for Endpoint is capable of acting immediately when an attacker wants to encrypt a disk, for instance. I don't know if Defender for Cloud has the same capabilities, but it should.

In the discussion about going with a best-of-breed strategy or a single vendor's security suite, we have a mix. My thought is that I would like to have at least two big vendors, rather than one for everything. That way they can challenge each other.

Overall, I'm happy with Defender for Cloud. We're just at the beginning of using it but we want to extend our own solutions with Defender for Cloud as much as possible.

We use Microsoft Defender for Cloud for our cloud security.

I like Defender's bidirectional sync. It's a behind-the-scenes feature, but it's very important. I like how it's integrated with and collaborates with other products by design. This is especially true between Sentinel, Security Center, and Defender.

The entire Defender Suite is tightly coupled, integrated, and collaborative. This allows me to have more flexibility in the roles and responsibilities of my teams, the access to their tooling, and the ability to report accurately on the current threat posture. For example, if I have Sentinel and CloudApp, and someone closes an incident in CloudApp, it will also close in Sentinel. However, if I had CloudApp in Splunk, this would not be the case. This integration is what I like.

The documentation could be much clearer. I also think that Microsoft should stop rebranding everything constantly. I'm tired of every name changing every 90 days. It's ridiculous. I understand that they're coupling tools together but look at AIP. It has had over 14 names in the last five years. That's absurd. Microsoft needs to stop rebranding everything and stick with one brand. They can build them out from there.

I like the fact that the dashboards are integrated, but I don't like that the CloudApp is now mapped to the Security dashboard. I hate that. I should be able to map dashboards myself. Having one dashboard is great for some people, but I have people who do Endpoint Management and they don't do Incident Management. They're two different groups. I should be able to send them to different portals if I want to. They're not all working out of the same portal. I do like that the dashboards have the option to be put into one portal, the Security portal, but I don't like that now I have to figure out where Microsoft moved everything. I liked it better when they were separate, so I could isolate and assign groups to each tool. Now that they're putting all the portals together, it's more complicated. I like the idea of a single pane of glass, but I think they're adding too much change too quickly without explaining the main purpose or mission of each product. And they're not making a clear distinction between them. When we put them all in one portal, it just adds more confusion. For example, in CloudApps, I see incidents in the "Incidents" section, but in the new Security portal, incidents are not in the CloudApp section. People don't need to search for stuff. They knew how to do it before. Microsoft needs to stop changing things so often. I believe in change, but not every other month.

Defenders threat intelligence is useless, I think, because it didn't see SolarWinds coming. After SolarWinds, if we even mention their analytics and threat intelligence, it's just evidence that it doesn't exist. It didn't even see SolarWinds coming. The only value I see in their threat intelligence, from a marketing perspective, is that it allows me to leave logs in their native location and tell clients to leave them longer. So if they find something like SolarWinds later on, they can go back and look through older logs and find it again. After SolarWinds, I'm not impressed at all by anything Microsoft says about their multi-billion dollar login.

I have been using Microsoft Defender for Cloud for over ten years since it was part of the Defender Suite.

We have not had any complaints from our clients about the stability of Microsoft Defender for Cloud.

I've questioned Microsoft's claims about the scalability of Defender for Cloud. I don't think their claims are accurate. I don't think we could scale Defender for Cloud to the level that Microsoft claims. Microsoft tells me that I could let my Log Analytics scale, but I think there must be a limit.

We have always had good experiences with the technical support through the portal.

Positive

The deployment is easy as long as we understand the licensing and what we are doing. The deployment was completed as a team.

Our clients complain about the cost of Microsoft Defender for Cloud. Microsoft needs to bring the cost down. What we're doing to their detriment is simply lowering the amount of log retention we're keeping, which is not what I want to do. Storage is so cheap in every other aspect of Azure except for Log Analytics, which makes it even more difficult to explain to clients why we're charging them so much for terabytes of storage. In comparison, data lakes and storage accounts store terabytes of data for much less cost.

I would rate Microsoft Defender for Cloud eight out of ten, mostly because of documentation and availability of information. The difference between the Azure Active Directory Premium P1 and P2 licenses lies not only in their capabilities but also in the amount of logging that is performed for each user. I need to know what is and is not being logged, and which security events are not being logged. I can't find a list of these events anywhere. What is the difference between a one-year retention license and a 180-day license? What additional logging is performed with the one-year license? Microsoft has mentioned that advanced auditing is occurring, but I don't know which events they are getting. I would like to see a list of all the events that are logged, from least to most. This list would probably look like a triangle, with a few items at the top and more and more items as we go down. I would like to see this list for both the AAD Premium P1 and P2 licenses. I can't get this list. My client has asked me what events we are not capturing, and my answer is that I don't know because I can't find it. Microsoft won't give me a list of the events that are logged, either. They can only reference the services that the events map to. I want to know the events. The uncertainty and doubt around this is a security feature. Microsoft is trying to make me buy the product because they know that if I get hacked, I could be liable for malpractice. But I'm not going to buy it without more details. I'm very upset that they didn't provide more information.

I primarily use the solution just for the networking of virtual machines.

It is very scalable.

The product has been very easy to use and simple set up. 

The maintenance and updating are part of the service, so that brings great value.

It's a stable product.

Technical support is helpful.

It's got a lot of great features. 

I can't speak to any features that are missing. I need time to get a little bit more into it before making any kinds of suggestions. 

They could always work to make the pricing a bit lower.

I've been using the solution for a few months. 

The stability is great. There are no bugs or glitches. It doesn't crash or freeze. It's reliable and the performance has been quite good in general.

Its ability to scale is impressive. It's one of the main selling points. If a company needs to expand it, it can do so. It's not a problem.

We have about 25 or so people using the solution. Some of them are new.

From my experience, technical support is good. They're quick to respond and knowledgeable. I haven't seen a need for improvement in any aspect of their support services. We are quite satisfied with them.

We did use other solutions, however, they were more for training or educational purposes. 

The setup is extremely straightforward and simple. It's not a complex or difficult process. You can get as involved as you want in it, or you can keep it simple.

The maintenance is also part of their service, which means we don't have to worry about it at all. They take care of everything. It doesn't require personnel watching over it. 

The pricing is mid to high. It's not the cheapest or least expensive option.

It's a good solution for, I'd say, small to medium business startups. It's also viable for enterprise solutions.

I'd rate the solution at a ten out of ten. We have been very happy with its capabilities. 

The log analysis and threat prevention analysis are good.

Technical support is helpful.

We haven't really received any customer feedback yet. Once we have some, we'll be able to better discuss areas of improvement.

The solution needs to keep improving its log analysis and threat mechanisms.

The product was a bit complex to set up earlier, however, it is a bit streamlined now.

Basically, we are looking at unique specimens. Linux works best with ONELAB. With Linux, we have a lot of Metasploit, however, it is undetectable sometimes. We want to improve that particular aspect of the Defender.

We've been using the solution for the last four and a half years. 

While, right now, the solution, in terms of size, is fine, one year or two years down the line, we will need to scale up and we will need to check that particular scale-up process then. As of now, we haven't done so.

Technical support has been good.

Neutral

The initial setup was hard at first. It's gotten easier. It gets simpler with time. 

In terms of maintenance, we are in a hybrid culture. There are data center staff, as well as cloud-centric staff which defaults as per the client requirement. We as a service company, need to rigorously go through cloud solutions, even with the clients and their compliance. We have to honor that compliance.

We have a channel partner with Microsoft. They have consulted with some other third-party people from their end.

The solution has a license renewal on a yearly basis.

The licensing part is not my area of interest. It is a different team that looks after that.

We are channel partners for Microsoft. We are a gold partner and a channel partner.

We earlier were using the on-premises deployment. Then we moved to the cloud for the last two-and-a-half years. It's a hybrid cloud.

I'd advise new users that they can implement it, however, it is complex in nature. No doubt it is useful as per the log analysis and threat protection analysis. 

I would rate the solution a seven out of ten.