Microsoft Defender for Cloud Reviews

We use Azure Security Center in our own company, and we have also deployed it for one of our clients. Our biggest use case is the enforcement of regulatory compliance on our cloud.

Security Center has helped us really well in terms of regulatory compliance enforcement on our cloud. We were able to deploy the inbuilt policies, and we were also able to build our own initiatives and policies. There were certain things that we wanted to check to see if our VMs were compliant. We also wanted to ensure that our storage and databases are compliant, and Security Center helped us in doing that.

This product has features that have helped us improve our security posture because we have a large estate of servers or VMs in Azure, and with Security Center, we were able to find out that a lot of our VMs were not compliant. This would have caused us a lot of trouble if there was an audit in the near future. The issues that it flagged for us gave us the opportunity to fix the problems, which was really helpful. Essentially, it was a preventative measure that allowed us to identify and rectify issues before they got out of hand.

One way that this solution has helped to improve our organization is that we have a better view of the entire security status, including how compliant our systems are and whether there are any open issues that need our attention. There are also reports that we generate periodically, so everyone is aware of the overall status of the environment.

When we started out, our secure score was pretty low. We adopted some of the recommendations that Security Center set out and we were able to make good progress on improving it. It had been in the low thirties and is now in the upper eighties.

Our overall security posture has been enhanced. A lot of the time, our cloud is accessed by people in the organization and they keep spinning up virtual machines, creating resources. Often, there are ports that open or there are certain security issues that are not handled. Because there are so many people and so many new resources coming up, it is difficult to track all of them. With the help from Security Center, we are able to see exactly what has come up.

If there are new issues that arise, which could happen if someone has not followed the proper protocol before bringing up a VM or another network resource, we can see this because we have a better local view of exactly what is there in the environment. So in that regard, we can say that it has helped us improve our security posture.

Using this product does not affect the end-user in any major way. Its usage is mostly relevant to the backend, and of interest to administrators.

The most valuable features are regulatory compliance and security alerts. The security score is very helpful, as well. Together, these let us know the state of each subscription and whether there are any actions that we need to take. This functionality is pretty helpful in audits.

We would like to have better transparency as to how the security score is calculated because as it is now, it is difficult to understand. We showed it to a couple of our clients, and they had trouble understanding it and an explanation or breakdown is not readily available. The score includes different weightage for certain controls. For example, if there is a "Control A" and it has a weight of 10 then it would affect the score more than "Control B", which has a weight of five. Being able to see the weights that are assigned to each control would be an improvement.

We have been using Azure Security Center for between eight and nine months.

This is a pretty stable solution and we haven't run into any issues as of yet.

I don't think there should be problems with scalability. It supports more than a hundred subscriptions, with multiple thousands of resources. I expect that we will be fine in that regard.

There are between 10 to 15 users that are currently using the security center. We have only two to three administrators and the rest of them have a highly localized role. Some of them are working on the policies, whereas others take care of compliance issues. They try to remedy issues and also try to improve our security score.

Our client has data centers that are divided into various regions and various business units. They are onboarding new business owners every couple of months, so it is in the process of expansion. They want all of their business units to be onboarded.

I have not had the chance to speak with technical support from Microsoft but from what I have heard from my colleagues, they are pretty responsive and give you good information with respect to fixing issues.

We had another tool, Morpheus, which was a multi-cloud manager. We did some work on it but because it wasn't native to Azure, we didn't go any further with it.

The initial setup is pretty straightforward. We just had to enable it for our subscriptions.

Deployment does not take a long time. The maximum is 24 hours if you have a lot of subscriptions but otherwise, it's pretty quick.

We have several subscriptions so we initially started by deploying some for testing. When we were sure that we knew how to go about it, we deployed the remaining ones.

We completed the deployment in-house and two people were required.

There are two other people in charge of maintenance.

The cost of the license is based on the subscriptions that you have.

As we were on Azure, we didn't look to other vendors for similar solutions.

We use between 80% and 90% of the functionality within the solution. We don't use workbooks as of now but otherwise, we use pretty much everything.

There are a few options that are included but not enabled out of the box. One example of this is Azure Defender.

Maintenance-wise, one thing that we do is keep up to date on policies and compliance. Microsoft provides a lot of out-of-the-box compliance initiatives, and sometimes they can go out of date and are replaced. We have to make sure that the new ones are correctly enabled and that the older ones are no longer active. Essentially, we want to disregard the old policies and ensure that the new ones are enforced.

The biggest lesson that I have learned is to keep an eye on your resource usage in Azure, because if it's a large environment with a lot of users then you might not know who opens the door to the outside. Using Security Center lets you keep track of what's going on in your environment.

I would rate this solution an eight out of ten.

I am working in a security domain where Azure Security Center is playing a key role. We are primarily using Azure Security Center to secure our infrastructure. We are also able to use Azure Security Center for many other purposes.

In terms of deployment, we have a hybrid cloud. It is a combination of both on-prem and cloud. Azure Security Center is deployed on-prem, and then there are OMS agents that are provided by Microsoft that can be installed at any location, such as on-prem or on the cloud. These agents collect Windows and Linux logs from the machines on various clouds for Azure Security Center, which is something interesting for me.

It has improved our security posture a lot. The Azure Security Center provides a score that shows where is your organization at the moment in terms of security. After some time, you can see how much you have improved and where you can improve your score. We are getting this kind of advice from Azure Security Center.

It has definitely affected our end-user experience. With the help of this tool, we can investigate more security incidents in a very good manner. It has also enriched my career and improved me as a professional in terms of understanding various features and security incidents. 

Before implementing Azure Security Center, we had so many issues with our infrastructure in terms of security monitoring. With the implementation of Azure Security Center, we have resolved many issues. One of the issues that we have resolved is that we are now able to do security monitoring of the complete infrastructure. It not only supports cloud security monitoring; it also supports on-prem security monitoring. It has an OMS agent that can be installed on on-prem Windows servers, Linux, or other platforms for collecting logs. These agents can also be used on other cloud platforms, such as AWS, GCP, or Google Cloud. 

The security alerts and correlated alerts are most valuable. It correlates the logs and gives us correlated alerts, which can be fed into any security information and event management (SIEM) tool. It is an analyzed correlation tool for monitoring security. It gives us alerts when there is any kind of unauthorized access, or when there is any malfunctioning in multifactor authentication (MFA). If our Azure is connected with Azure Security Center, we get to know what types of authentication are happening in our infra. 

It has so many security monitoring features, such as compromised accounts. For example, if I'm working for abc.com company, and I'm using the same company email address for registering to another hotel or some other place where it gets hacked or something goes wrong, they will alert us. If my credentials are dumped somewhere on the dark web, they trigger an alert stating that you should go and reset your credentials. There are many more interesting alerts, and such features are pretty awesome in terms of security monitoring. In terms of security, it gives a very good overview of our estate. It also has many features from the cloud administration side.

Agent features need to be improved. They support agents through Azure Arc or Workbench. Sometimes, we are not able to get correct signals from the machines on which we have installed these agents. We are not able to see how many are currently reporting to Azure Security Center, and how many are currently not reporting. For example, we have 1,000 machines, and we have enrolled 1,000 OMS agents on these machines to collect the log. When I look at the status, even though at some places, it shows that it is connected, but when I actually go and check, I'm not getting any alerts from those. There are some discrepancies on the agent, and the agent features are not up to the mark.

Sometimes, we are getting backdated logs, and there could be more correlation.

So far, its stability is good. I don't see any issues with the stability part.

In terms of new features, we are able to scale up to our requirements. New features get added immediately. So far, I don't see any issues in our environment.

Our company is an MNC, and there are around 180,000 endpoints that we are protecting or monitoring with this solution. Currently, its adoption is around 70%. We cannot achieve 100% coverage because of some of the legacy products. There are legacy servers, and then there are some people who are working in customer environments where they are not utilizing our laptops. We still need to cover 20% more.

Their support during the implementation was awesome. They provided very good support. After the implementation, they scheduled weekly calls to check with us if everything is going well. They helped us with troubleshooting and more understanding. If there are any product improvements, they have been announcing them over the course.

I was not involved in its implementation, but it was a pretty straightforward process. 

There is a separate cloud team for implementation. We just review whatever they have implemented from the security perspective. We review whether they have implemented it correctly or whether we are getting correct alerts. 

Our admin team had one week of training, and they implemented it with the help of Microsoft. Our environment is a bit complex, but we did it.

We have absolutely got a return on the investment. Our company is a managed security service provider (MSSP). When we get more projects, we mention the products that we are currently using to secure our environment. We also do a proof of concept (PoC) or a demo about how we installed such products in our environment and how secure we are. There are so many security scoring systems, and they give the score. Our score is on the highest side, which is useful for providing a security service to our client or customer. We have implemented Azure Security Center at many places for our customers.

I am not involved in this area. However, I believe its price is okay because even small customers are using Azure Security Center. I don't think it is very expensive.

For cloud security posture, Azure Security Center is a good product. It is different from a Security Information and Event Management (SIEM) tool. We are also using a SIEM tool. Microsoft has a SIEM tool called Sentinel, and there are many SIEM tools out there in the market such as Splunk, QRadar, and ArcSight. Azure Security Center is not a replacement for Sentinel. It gives the complete posture of your cloud. It was started with the purpose of finding any anomalies and malfunctioning for Azure AD, which is related to login and logout of employees, but then they elaborated it a bit more.

I would rate Azure Security Center a nine out of 10.

I am from a Citrix background and in our organization, we implement solutions and provide them to end-users. In our past couple of deployments, we have been using hybrid cloud scenarios where the complete workload is on the Azure platform and the management is done on the Citrix cloud.

The workloads include tasks for Windows 7, Windows 8, and Windows 10 devices, and they are all running on Azure. We have to make sure that they are compliant with our organization's security standards, which is why we are using the Azure Security Center.

We integrate each workload with the Azure Security Center, where we can use things like Azure Defender and use the Azure Log Analytics Workspace.

Our environment is completely virtual. We have a virtual desktop infrastructure, like a Desktop as a Service.

Azure Security Center has helped to improve our security posture. Before we implemented it, we used to have to install the agent manually for each and every workload. For example, if I have 40 machines in my environment, I have to go to all of them and install the agent. This manual process not only required a lot of human effort but created more opportunities for error. By using the Azure Security Center, I can integrate it just by selecting the subscription. It will take care of everything.

This solution has improved our end-user experience in cases, for example, where Microsoft Defender is not implemented, Azure Defender can be integrated. When an end-user runs an EXE file or any malicious activities are running on the device, Azure Security Center will capture them and send an alert to the administrator.

The most valuable features related to my involvement are Azure Defender and enabling log analytics on the workloads. This helps to integrate the workload suite with the analytics repository. For example, if I want to capture any logs from a Windows 10 workload, then this allows me to do so.

The Log Analytics Workspace acts as a repository where it captures all of the data from Windows 10 and Windows 8 workloads. In order to implement it, an agent needs to be installed. With Azure Security Center, we can configure a policy that accounts for different subscription levels. It automatically installs the agent and begins capturing data.

This product provides us with many features including auto-provisioning of dependency agents for Azure Log Analytics, as well as for Azure Defender.

We can create alerts that trigger if there is any malicious activity happening in the workflow and these alerts can be retrieved using the query language.

Azure Security Center takes a long time to update, compared to the on-premises version of Microsoft Defender. It has most of the features for monitoring end-user machines for security updates or malicious activity but, for example, the latest DAT files are slow to arrive compared to Microsoft Defender.

I would rate the stability a four out of five. Once we enable it, the Azure Security Center will push security updates to all of the end-user machines and start capturing the logs. It helps in many ways.

There is no limitation to the scalability. For example, if I have 10 subscriptions in my Azure environment, it is my choice if I have to use five in production and five for non-production. If I require more, I can upgrade it as needed. It's very flexible.

The people who work with this product hands-on are our administrators. Apart from them, nobody has the access required to make changes.

If we face any issue with Azure Security Center, where we are unable to solve it ourselves, we raise a support ticket with Microsoft directly. We describe the issue and they will come back to us with support.

Usually, we are happy with the support that we receive.

Prior to this product, we worked on a solution from McAfee. However, it was a legacy application and when it came time to upgrade, we opted to use one from Azure because we were using Azure already.

In the case of an on-premises workload, we instead use a SQUAM solution by Microsoft.

The initial setup is a straightforward process. We just need to go into the security center and select the substrates. The deployment takes less than one hour to complete.

In terms of an implementation strategy, we simply follow the Microsoft documentation.

There is a helpful cost-reducing option that allows you to integrate production subscriptions with non-production subscriptions. 

My advice for anyone who is considering Azure Security Center is that it has similar features to the on-premises Microsoft Defender, as well as other software security tools. If you are already using an Azure environment then I recommend implementing Azure Security Center versus having security solutions from different vendors.

I would rate this solution a seven out of ten.

Our primary use case is for cloud endpoint IoT security and overall cybersecurity implementations. We handle aspects from presales, installation, post-sales, and ongoing consulting to optimize customer security.

Implementing Microsoft Defender for Cloud has helped our organization in terms of providing robust cloud workload protection with minimal false positives. It also allows us to integrate with other tools like Splunk for observability and Qualys for vulnerability assessments, ensuring comprehensive security for our clients.

Some of the most valuable features of Microsoft Defender for Cloud include its effectiveness in threat detection through unsupervised machine learning, CTI, and advanced sandboxing. These features have consistently minimized false positives. The rich history of signature-based technology from Microsoft also adds to its reliability.

Integration into other third-party products, particularly those from tier three vendors like ManageEngine and Hexcode, has proven difficult. While there is ample documentation from Microsoft, the company needs to improve on making their integrations less challenging.

I have been working with Microsoft products for six to seven years.

We used to resell CyberX before it was acquired. The switch was made to enhance our security offerings with more comprehensive solutions.

The initial setup of Microsoft Defender for Cloud is manageable. Our team handles the presales, installation, and post-sales, ensuring the customer achieves a level of compliance with their security and regulatory needs.

We perform the presales, installation, and post-sales for clients. For compliance and consultancy, a dedicated consulting team works with the customers.

The pricing of Microsoft Defender for Cloud is very expensive. Although it is overpriced, many of our enterprise customers have a Microsoft ELA, making it the solution of choice.

Our customers also use products like CrowdStrike, Cyber Reason, TrendMicro, and AllGuard. Many are on Microsoft Azure, while some also use OCI and AWS.

The primary piece of advice would be to improve third-party integrations, especially with products from tier-three vendors. This would make the overall solution more versatile and easier to manage for diverse customer needs.

I'd rate the solution nine out of ten.

The log analysis and threat prevention analysis are good.

Technical support is helpful.

We haven't really received any customer feedback yet. Once we have some, we'll be able to better discuss areas of improvement.

The solution needs to keep improving its log analysis and threat mechanisms.

The product was a bit complex to set up earlier, however, it is a bit streamlined now.

Basically, we are looking at unique specimens. Linux works best with ONELAB. With Linux, we have a lot of Metasploit, however, it is undetectable sometimes. We want to improve that particular aspect of the Defender.

We've been using the solution for the last four and a half years. 

While, right now, the solution, in terms of size, is fine, one year or two years down the line, we will need to scale up and we will need to check that particular scale-up process then. As of now, we haven't done so.

Technical support has been good.

Neutral

The initial setup was hard at first. It's gotten easier. It gets simpler with time. 

In terms of maintenance, we are in a hybrid culture. There are data center staff, as well as cloud-centric staff which defaults as per the client requirement. We as a service company, need to rigorously go through cloud solutions, even with the clients and their compliance. We have to honor that compliance.

We have a channel partner with Microsoft. They have consulted with some other third-party people from their end.

The solution has a license renewal on a yearly basis.

The licensing part is not my area of interest. It is a different team that looks after that.

We are channel partners for Microsoft. We are a gold partner and a channel partner.

We earlier were using the on-premises deployment. Then we moved to the cloud for the last two-and-a-half years. It's a hybrid cloud.

I'd advise new users that they can implement it, however, it is complex in nature. No doubt it is useful as per the log analysis and threat protection analysis. 

I would rate the solution a seven out of ten.

Primary use case of this solution has changed depending on the company I've been working in. In my previous job they were using it as a CWPP, cloud workload protection. In my current job it's used for the same purpose but we also use it for monitoring security policies, to enforce new policies and audit them. We also use it to meet some of the compliance requirements as well. We're partners with Azure and I'm the cloud security design lead. 

I personally like the features of the daily recommendations because that's a major deal, and it hosts Microsoft products so it has visibility. If you are bringing in a third party to get a high level of visibility, then a lot of work is required to get that level of capability. This product gives a very good view of the entire security setup of your organization which can be used by the security and operation teams. It provides alerts to the security team on the one hand, and all the AI and ML based detections on the other. It's very beneficial for our security and assault teams. In addition, it provides recommendations for the operations teams who need to sustain a high level of security. It's an important capability. 

I'm quite active on the Azure product blogs. We're able to provide recommendations to Microsoft and they work together with Azure towards achieving them. One of the issues with the product is that it's not possible to write or edit any capability. For example, if there is a false positive detection on the security center, the only option I have is to flag it off. I can dismiss the alert, but there is no option to provide comments or reviews, so that somebody else looking into the portal can brief them. 

I'd like to see some additional features that would include an option for the security team to provide comments on the alerts and also to improve the recommendations. I would like to see them fine tuned. We're also getting a lot of false positive alerts and Azure can reduce that using the Microsoft AI and ML feature.

I've been using this solution for two and a half years. 

This is a very stable solution. 

We've never had issues with scalability. We have over 50 engineers using the solution.

Our company has subscribed to premium support from Microsoft so we can open premium tickets. The support team are always available and we haven't come across any issues in the past.

The initial setup is very straightforward. 

We don't have a say in pricing, it's up to the product vendor. When you compare with other CWPP or server cloud protection products, I believe the Center is well priced. The customer has flexibility to choose which modules they want to use. There is a free version and a paid version and the customer makes a choice based on the organization's security strategy. If you're going to use add-ons or anything more feature rich, then you'd have to pay extra, but the standard product is a fixed price.

If you're in the world of cloud and your company is using Azure as their primary cloud, I think Azure Security Center is a must-have feature, because it provides a bird's eye view of the entire security position of the organization. The solution is integrated and there is service from Microsoft. New features are being added regularly and I think it's a great solution. 

I would rate this solution an eight out of 10. 

This solution replaces, in many ways, the on-premises operations manager that used to be part of the System Center.

The most valuable feature of this solution is the support for a multi-cloud environment.

The policy-related features are good. For example, there is a compliance policy that is related to PCI and another related to NIST.

The support for dynamic networking is good.

Alerting and incident management are valuable features.

The integration with Logic Apps allows for automated responses to incidents. It is also integrated with Microsoft Defender.

They added new functionality into the pretty long list of features and it is constantly being updated. 

There is no perfect product in the world and there are always features that can be added. Innovation is something that is always on the table.

I have been working with Azure Security Center for more than four years.

This product is much more stable than anything else. The SLA has four nines of stability and it is impossible to compare it with anything that is on-premises. Cloud systems are much more stable.

Scalability is not something that we talk about because this product only exists in the cloud. We talk about it in terms of regions. There are approximately 50 zones across the globe, where for example, Canada has three zones that are split into Central, East, and West.

This is an example of Software as a Service, so scalability is out of the question.

If you need tech support, you need to go to the support site, find the proper program, and subscribe to it. Only basic support is included. If you need premium support or if you need a developer, the support is available, you just need to go to the site and find it.

It is extremely easy to subscribe, and extremely easy to understand. It depends on your requirements and on exactly what you need but a description of every program is readily available.

If you have questions, go to the FAQ, and on the same page, you will have access to the documentation. The documentation is crystal clear. It's very practical and actionable. It explains in simple phrases, or words, what the action is, what the purpose is, and what the benefit or value of it is. 

There is no need to find anything else. You start from the price calculator, and then click and get more information, and from the same page, you find what you need. 

You don't need to do anything else.

With respect to implementation, you just switch it on.

If you need to deploy something else then there are step-by-step instructions available. Setup and deployment will be easy for those who have experience working with this type of solution.

For those not used to this type of operation or not working in this area, it is absolutely possible to talk to their partners, such as the one that I work for, and they will help you.

If you hire the consulting service from a partner then they will help you to plan and design, including performing a capacity review to see what is required and what services need to be integrated. You will identify needs such as an on-premises data center versus using a third-party cloud.

This is a worldwide service and depending on the country, there will be different prices. 

There is a price calculator for Azure Services. You select the service that you are interested in, and the basic or the standard is there immediately, which has support options. Different levels of support are available for different prices. A subscription is part of the Azure Service. You will need to find what type of service you need.

If you need to negotiate the price, based on the enterprise agreement or per commitment, the price schema is available. You just need to speak with a partner.

You can also pay with your credit card, but you will need to read the documentation online.

In summary, if you would like to work with a product that addresses security in the cloud, or in a multi-cloud environment then this is exactly the product. There is no need to implement anything else.

There are multiple things that are absolutely nice about this product. That said, there is no such thing as a perfect product.

I would rate Azure Security Center a nine out of ten.

The most valuable feature is that it's intuitive. It's very intuitive. The only problem that we're struggling with is that we have 21 different subscriptions we're trying to apply security to. It's impossible to keep everything organized.

We built our hierarchy incorrectly and we're struggling now with some of the features that are up there. Once we straighten our hierarchy out, we are going to applied policies, whether it's through Security Center or any other thing. It's going to be a lot easier once our hierarchy is fixed.

We need to apply things in a certain place and then we realize that we need to apply them to the subscription as well. And next thing we know we also need to apply it to another subscription, it's unmanageable. We're applying different policies across all our different subscriptions, which is fine, but at 21 subscriptions you can have over a dozen policies. We're trying to skinny that down to four or five policies. It's not a defect in a Security Center. It's a defect in how we built it.

We have been using Azure Security Center for two years. It's been a part of the service since we moved up to Azure.

The stability is great. 

I find documentation or any configuration in Azure, in their specific servers, very straightforward, and very intuitive. If you do not set it up correctly, it's difficult, it's like herding cats to get everything that you want.

I would say the biggest advice I'd give to anyone is to make sure that your hierarchy for your subscriptions is done correctly, single management. You can't have 10 different groups managing it. It's got to have a single structure of management and then the hierarchy needs to be set up correctly.

I would give it an eight out of ten. I think it's one of the best in breeds. I'm comparing it to AWS and some of the smaller ones out there, but I find it very intuitive. That's one thing I do like about their products, they're very intuitive. 

Not a perfect ten because we're not using it to its full capacity.