Try our new research platform with insights from 80,000+ expert users
SimonThornton - PeerSpot reviewer
Cyber Security Services Operations Manager at a aerospace/defense firm with 201-500 employees
Real User
Provides good visibility and is fairly easy to set up within one tenant, but doesn't support multitenancy and is not as capable as other solutions
Pros and Cons
  • "I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible."
  • "A challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy."

What is our primary use case?

Microsoft Defender that you get by default on Windows is an unmanaged solution. It detects, but it is conventional EDR in the sense that it can detect malicious code on the machine, but it is not good from an enterprise point of view because you can't see what is being detected. The difference between Defender and Defender ATP is that you get what's called the execution chain, which is its classic use case. 

When I try to open an attachment to an email, Defender tells me that this is malicious, but when you are in an enterprise and you do receive an alert that the file is malicious, the problem usually for the analyst is that they don't know what the person clicked on. They know there was a malicious file but was it an attachment? Was it something on the USB stick? Did they download it from the internet? That's not clear. Defender ATP gives you the execution chain. In this particular example, you can see that it was outlook.exe that launched the suspicious file which then launched or tried to download various components. You can see the whole execution tree because very often, the initial thing you get is a dropper, which then downloads subsequent components, and very often, the subsequent components get missed.

It essentially gives you visibility into the execution chain. So, you are better able to do a risk assessment. For instance, if something came from Outlook, then you know that you need to go and look in exchange or look in the mail system. If the trigger came from winword.exe, then you know that it was a document, and the person had opened a document from the email. You might see Internet Explorer, when it was still there, spawn PowerShell or a command shell, which is unusual, or you might see calc.exe open a command shell. All of this detection is invaluable for identifying whether something is suspicious or not. Your EDR might not detect any of this, but ATP would see this suspicious sequence of opening and flag it. So, essentially it is the visibility and the ability to detect unusual behavior that conventional EDR would not necessarily do for you.

Its version is usually up to date. It is a cloud solution. 

How has it helped my organization?

Its visibility is the most useful part of it, and it also increases the effectiveness of your response. You spend less time asking the users the standard question of what did they click on. To which, they usually say that they didn't click on anything. You can go in ATP, and you can see that they opened an email and then clicked on a link, and the link is this. There is no hiding this. Users do lie.

You can detect threats that are not necessarily known because of a behavior. If you have Internet Explorer opening a command shell, that is not normal. That does not happen unless there is some kind of malicious activity. It is also very good for visibility into what PowerShell scripts do. PowerShell is a double-edged sword. It is very powerful, but in a lot of cases, there is no visibility on what it is doing. With ATP, we generally have that ability.

What is most valuable?

I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible.

The other feature that I like in Defender is that because it is up in the cloud, when you're trying to do any kind of managed service, it is fairly easy to set up if you're just within one tenant, but there are a lot of things wrong with the way Microsoft does it as compared to other products like Palo Alto Cortex, SentinelOne, or CrowdStrike.

What needs improvement?

The catch with ATP is you have to have the right Microsoft license. The licensing of ATP is linked to the licensing of Office 365. You have to have an E3 or an E5 license. If you have a small office license, it is not possible for you.

Another challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy. So, the licensing and the privacy aspect makes it problematic in some situations.

It is also very complicated. If you decide to outsource your monitoring through an MSSP, the model for allowing the MSSP to connect to your Defender cloud is very complicated. In Office 365, it is relatively simple, but because of the way it has been done in Defender—because Defender is not part of the same cloud—it is a mess. It is possible, and it is workable, but it is probably one of the most complicated integrations we do.

It is still clunky as compared to products like Cisco AMP, SentinelOne, and CrowdStrike. Microsoft took the Defender product, and they bolted on the extra features, but you can see that there are different development teams working on it. Some features are well integrated, and some features are not. They keep on improving it, and it is better than it was. It is better than an unmanaged solution, but it is far from perfect.

Buyer's Guide
Microsoft Defender for Endpoint
October 2024
Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,325 professionals have used our research since 2012.

For how long have I used the solution?

I have been using it for about two years. I've got a couple of customers today with it.

What do I think about the stability of the solution?

Its stability is lesser than some of the competition. I've seen machines having a blue screen. I've seen machines block, but it is usually a problem related to the lack of resources. I wouldn't deploy it on a machine with less than 16 gigs of memory. All the issues that we had on the laptops were essentially related to memory because it does all the analysis in memory, and it eats a lot of memory to do that. So, stability is more a function of making sure that your endpoint farm has what's available. If you've got less than 16 gigs, I would not recommend it. You need to either change your endpoints or consider using another solution because although it'll work, it can be very slow.

What do I think about the scalability of the solution?

It is like Microsoft Office. Its scalability is good, but I don't know how manageable it would be on a big scale. The biggest deployment I've worked on was about 5,000 endpoints, and it seemed to be okay.

How are customer service and support?

It is Microsoft support. It can be very good, and it can be very bad. It depends on who you get on the phone. I would rate them a five out of ten.

How would you rate customer service and support?

Neutral

How was the initial setup?

It is very simple. You can deploy it through the normal tools that you use, such as SCCM. The deployment for it is linked back to your tenant. 

We use it as a headless install. It is pushed out onto all the machines. Our normal rollout process rolls out about 50 to 100 machines in no time. They can pull the agents from the internet, or they can pull the agents internally, deploy them, and turn them on. For an antivirus, it is quite quick.

In terms of maintenance, it is pretty much like other Microsoft solutions. If you are able to do the auto-update functions, that's good. The downside to it is that it is fairly heavy on network traffic. On one of the large deployments, we found we had problems with the internet gateway because the console and all the telemetry and everything else is in the cloud. It was problematic.

It runs in the background. It is like any other antivirus solution. Sometimes, it needs tuning. An example would be that we have developers who do a lot of source code compiling. They might have tens of thousands of files that get touched or accessed when they do a compile. We have to make sure that those particular file types and certain directories are not scanned on read when they're opened. Otherwise, what normally might take an hour to compile can take more than 12 hours. That's not a problem specific to Defender. It is a problem in general, but it is fairly easy to create profiles to say that for those particular groups of machines or those particular groups of users, these file directories are exceptions to the scanning.

What's my experience with pricing, setup cost, and licensing?

The licensing fee is a function of your Office 365 license. The feature set you get is a function of the license as well. There is probably an E2 version, an E3 version, and an E5 version. There are several versions, and not all features are the same. So, you might want to check what features you're expecting because you might get shocked. If you only have an E3 license, the capability isn't the same.

You have to look at the total cost of ownership (TCO) because the license component is only one aspect of the block. So, if your internal IT teams know well about IBM cloud solutions, then Defender is very easy because there is nothing new. What hurts the projects is integration. It is a hidden cost because it is beyond licensing. It can be problematic if you don't have some of the other integration tools from Microsoft. So, if you don't have the package deployment platforms and all the cloud equivalents, then there is a lot of manual work involved.

The other aspect that comes into the cost is that there is an option to store. You can make the agents report a lot more information, but if you increase the storage, then you increase your Azure storage costs, which can be painfully expensive. You typically have about 7 to 30 days of basic detection data included, but if you want to keep a more detailed log so that your IT guys can go back and figure out what was going on, it would increase your storage requirements, and that can get expensive. I know customers who turned on some of the features to increase the detection rate, and they got a huge bill from Microsoft.

What other advice do I have?

A weakness, as well as an advantage, of Defender is that it is always on the cloud. There is no on-prem. You deploy additional agents into the customer infrastructure, but the console and the feedback are through the cloud.

Customers often say that Microsoft has included it in their license. So, it is license-cost neutral, but just because it is included in the license and appears to be cheap, it isn't necessarily a good reason for doing it. It isn't equivalent to other EDR or XDR solutions, but to an extent, you get what you pay for. ATP is a work in progress. To me, it is not a complete product.

Customers also go for it because it gives them visibility, and it means it is one less system to manage. They have the license for it, and they just want everything in the same ecosystem. There isn't much that we can do about that. As an MSSP, we're agnostic from a technology point of view. If the customer says, "This is what we want to do," we'll take it over.

I would advise asking yourself:

  • What do your endpoints consist of?
  • Which operating systems, such as Windows, Linux, iOS, or Android, will you have to support? The functionality that you get depends on your license.
  • What is it that you're trying to achieve by taking Defender? 
  • Are there more capable XDR-type solutions out there? 

If I was comparing them, from most effective to least effective or least integrated, I would put SentinelOne, Palo Alto Cortex, Cybereason, Microsoft Defender, and Cisco AMP.

If you want to get into the advantages of XDR solutions, which is about the detection capability coupled with artificial intelligence (AI) and data leaking, then it may not be the solution that you want. If you also want to be able to do threat intelligence, it is not the solution for you. That's because essentially the threat intelligence features are not there. You can get some threat intelligence from Azure, Microsoft Sentinel, etc, but it is not in the product like with Palo Alto Cortex, SentinelOne, or Cybereason.

I'd give it a cautious six out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSSP
PeerSpot user
Infrastructure and Security Manager at a sports company with 11-50 employees
Real User
You can access all your security data and telemetry from a single pane of glass
Pros and Cons
  • "This solution definitely increases our security posture. When you are reviewing your existing fleet or endpoints and based on the configuration that you put out of your Defender for Endpoint, you then receive a security score from Microsoft. Depending on what rules you have configured, what policies you have deployed, and what attack surface reduction rules that you have set up and deployed, it is almost gamifying information security in the sense that you are always trying to achieve a higher score. The more hardening you perform on your endpoints, the better score you receive. This generally tends to give you a better peace of mind, but also makes you secure at the same time."
  • "On the Mac OS platform, there is no parity between Windows and Mac OS. The solution is very feature-rich and very well-integrated into Windows, and I guess baked into Windows 10 and Windows 11. Whereas, on the Mac OS platform, there is still some work there to give it a more feature-reach platform."

What is our primary use case?

We use it as an antivirus and EDR solution. We also use it for vulnerability scanning and threat hunting.

It is cloud-based. We have a cloud-first strategy when it comes to our organization.

We are a very small, lightweight start-up organization who has only been around for a couple of years. We have 17 endpoints. 

We have it deployed on our endpoints and virtual servers. We have a few Windows Servers 2019, and we have onboarded those both onto Defender for Endpoint as well. Those servers are not managed by MDM because they are Server 2019, but we have onboarded them so they are being managed by Defender for Endpoint as well.

How has it helped my organization?

This solution definitely increases our security posture. When you are reviewing your existing fleet or endpoints and based on the configuration that you put out of your Defender for Endpoint, you then receive a security score from Microsoft. Depending on what rules you have configured, what policies you have deployed, and what attack surface reduction rules that you have set up and deployed, it is almost gamifying information security in the sense that you are always trying to achieve a higher score. The more hardening you perform on your endpoints, the better score you receive. This generally tends to give you a better peace of mind, but also makes you secure at the same time.

What is most valuable?

I like the fact that it is baked into the Microsoft platform. 

Since we have deployed it, we have been really impressed with the way that everything just stitches together really well. You can access all your security data and telemetry from a single pane of glass on the Microsoft Security admin console. You can access all your endpoints, see how your antivirus is running, and get all your vulnerability scans and reports. In the software inventories, you can review your known vulnerabilities and understand whether those are zero days or if there are active threats out in the wild. Essentially, you don't need to jump into different admin consoles. You have everything built into Windows Defender Security Center, which we find really useful.

What needs improvement?

If you consider our organization, we are a fairly Mac-heavy organization. At the moment, around 80% of our fleet are Mac OSs. We made a conscious decision to roll out Defender for Endpoint against all our endpoints, whether it is Windows or Mac OS. However, one thing that we have noticed is that there is definitely no parity on the platform between the two operating systems. When you are configuring, deploying, and onboarding machines, you can get very granular with your security configuration when you are deploying it to a Windows's endpoint. For Mac OS, it is a lot more straightforward. You don't have the ability to apply as much configuration as you would on Windows. That is definitely something that has room for improvement. 

I am also not sure how well the EDR functionality works on the Mac OS platform. It just provides an antivirus and the full EDR capability is not there on a Mac OS. 

The web filtering needs a little bit of work. We are actually in the market at the moment for a third-party web filter or cloud secure web gateway to try and plug that hole since it is a bit of a pain point for us. I don't think we will use the baked in version from Defender for Endpoint.

On the Mac OS platform, there is no parity between Windows and Mac OS. The solution is very feature-rich and very well-integrated into Windows, and I guess baked into Windows 10 and Windows 11. Whereas, on the Mac OS platform, there is still some work there to give it a more feature-reach platform.

For how long have I used the solution?

I have been using it for about a year.

What do I think about the stability of the solution?

With Windows, we have been very happy. We have had no issues or problems whatsoever. We had one issue on the Mac OS platform when an update to Mac OS was deployed. It wasn't a major update, like Monterey. It was a point update. So I think it might have been 12.2.1 where the Defender icon was starting to display across, which means I found a threat or it's not working properly. We had that across a handful of machines. I did a bunch of Google searches and sort of realized this was happening to a lot of other organizations, so it was probably a false positive.

I contacted Microsoft support who confirmed that it was just a visual glitch. I guess Apple is well-known for this. When they do push out their updates, they attempt to break the occasional third-party system. That was the only issue that we have encountered, which was more a visual glitch than an actual threat.

It is pretty much zero-touch because the definitions sort of update themselves. The application updates itself because it is deployed through Microsoft Intune. Therefore, the maintenance is pretty straightforward.

What do I think about the scalability of the solution?

It is very scalable. Because it is cloud-based, it is elastic in its nature. You can onboard machines en masse. Whether you are onboarding 15 machines or 1500 machines, it is very straightforward.

As we scale up, this is now our AV and EDR of choice. Every new machine will be rolled out or onboarded to Defender for Endpoint. We will be sticking with it in the long-term. We have also the logs and telemetry from Defender for Endpoint being ingested into our MDRC platform.

How are customer service and support?

The technical support is very good. Wherever I have worked with them, we have always been enterprise customers. Whenever I have raised a ticket for support, you generally receive a phone call anywhere from 10 minutes to three hours after raising your ticket. Even if it is not a P1, but a P2 or P3 ticket or just a request for information that you have generated in the form of a ticket, they will respond back to you quickly.

They have good levels of escalation. So, if their first line support is unable to help, they can quickly escalate to the second or third line. I have never really had any problems with Microsoft support. That is across Defender for Endpoint and Microsoft Endpoint Manager as well as for the productivity throughout Office 365 and Azure Active Directory.

I would rate them as eight out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We currently have an MSP in place, which is a managed service provider, who manages all our IT support, service desk, and desktop support functions. They had already purchased an antivirus subscription for the organization when I joined the organization, and it was a fairly basic one. Our biggest problem was that it does not have any SIEM integration. 

When we decided to go down the route of having a SOC or MDR service, we couldn't ingest the logs from the antivirus platform into their SIEM. That is when the hunt started for a new AV service.

I wouldn't say the user impact has changed on top of the AV product that we had before.

How was the initial setup?

The initial setup was very straightforward. Microsoft, as an organization, is quite well-incentivized to get you to use their own products. There are hoards of material out there via their social media channel, through their own documentation, or the Microsoft Learn platform. There are reams and reams of user guides for you to go through, all of which are fairly straightforward. They are regularly updated as well.

It is all cloud-delivered so there isn't any on-premise infrastructure that I need to maintain, patch, or configure. It is literally all configured in the cloud. So, it was a very easy setup process for me.

It took days to get a proof of concept together on a handful of machines. Over the next few weeks, once we got the go ahead and thought, "You know what? We are going to go with this." It was just a matter of weeks and that was more down to team availability. We needed to sit down and offboard the existing AV, which we weren't particularly happy with, then onboard Defender for Endpoint. So, we tied that project with our MDM rollout. Therefore, while we were deploying our MDM solution and enrolling the device, we were onboarding the machine to Defender for Endpoint as well.

What about the implementation team?

I actually set it all up myself. I am the only technical person at the organization. I have worked with Microsoft quite extensively in the past, and I have used their fast track consultancy services in other organizations that I have worked with as well. Therefore, I am quite confident and familiar with Microsoft technologies. 

We then signed up with an MDR supplier who does managed detection and response. Essentially, that is a team of cybersecurity experts who connect to our infrastructure and all the data telemetry from our endpoints feed up to their platform. If they see any threats, anomalies, or events, they will then jump in, reviewing and remediating as required.

We had a consultancy session with one of their Microsoft consultants around a month ago, where they reviewed the setup that I configured. They put in two or three recommendations to harden the setup a little bit more, but they were overall pretty happy with it. Thus, if I can do it, then it can't be that difficult.

What was our ROI?

There is less overhead in terms of having the system administrator or information security manager jumping around different systems and trying to actively keep a handle on our security posture across the organization. Instead, everything is right in front of me.

What's my experience with pricing, setup cost, and licensing?

One of the first things that I did when I came onboard in the organization was scrapping our reseller agreement. I registered us as a not-for-profit with Microsoft, and we now get subsidized licensing at effectively half price. It just sort of makes sense for us. Now, we buy our licenses directly from Microsoft rather than our formal license reseller.

Even if you are not registered as a not-for-profit, the offering that they have is definitely worth consideration. This is in the sense that the E5 stack just gives you so many benefits. You get your entire productivity suite through Microsoft 365 apps. You get all your security and identity protection. You get the Defender for Endpoint and Defender for Identity. You get the cloud access security broker as well. You get Azure Active Directory Premium P2, which gives you so many good things that you can configure and deploy. You don't have to configure them on day one, but you have access to so many different tools that will protect your data, security, endpoints, and identities that you could build out a security strategy 18 months long, and slowly work your way through it, based on what you have available to you through your license.

You can purchase some add-ons, like Microsoft Threat Expert team. I have not read too much into that, but my understanding is that comes at an additional cost. Since we have a dedicated MDR and SOC sitting on top of our Defender for Endpoint, it is not something that applies to us anyway.

Which other solutions did I evaluate?

We are E5 customers. Essentially, we have the flagship license. We looked at a lot of different organizations and vendors for our antivirus needs. We spoke to the usual suspects: CrowdStrike, Sophos, and Darktrace

Because we also have a Gartner subscription, we reached out to our Gartner analyst, and said to them, "Look, we have the E5 license and know that Microsoft doesn't have the greatest reputation when it comes to their antivirus products, but we understand they have come on a lot over the last few years. This is the direction that we proceed. We want to deploy Microsoft Defender for Endpoint. We then want to layer an external managed detection response service on top of it that will essentially provide 24/7/365 monitoring for alerts and anomalies." Gartner advised us that it has improved to the point where they are now considered one of the leaders on their magic quadrant, so we should be absolutely fine with it. 

Originally, Microsoft wasn't in mind for us at all. We sort of had our heart set on CrowdStrike because we were really impressed with them. We got quite deep into advanced discussions with them and Darktrace as well.

The deciding factor for going with Microsoft was the budget. We were already paying for the E5 licensing. So, we were allowed to use Defender without any extra costs. We could just enable and configure it. We thought that we would use the budget left over to purchase a dedicated MDR service who would maintain an overall ability for all the endpoints to connect with it. We could also expand that to our Google Cloud Platform as well as our AWS and Azure Cloud environments. We could also extend that service onto our physical appliances, e.g., the logs from our on-premise firewalls, security appliances, and routers.

We felt that in terms of scaling up to get to the security posture that we needed, this might be a better solution for us. Whereas, CrowdStrike and Darktrace, at the time, were more focused on the endpoints. For example, if there was some suspicious behavior happening on our Azure Active Directory and our CEO's user account was under a brute-force attack, then CrowdStrike wouldn't necessarily pick up on such an attack because they are more focused on the endpoint rather than the cloud instances. Thus, we thought Microsoft gave us better coverage overall as well as the fact that we were already licensed for it.

It just made sense for us to go down that direction. We just felt we would have a more well-rounded approach if we went with Defender for Endpoint supported by the MDR service, who would then provide monitoring over all our cloud instances, endpoints, and on-premise infrastructure and appliances.

One of the main benefits is cost. Being an E5 subscriber, we are essentially already paying for Defender for Endpoint. However, it wasn't on our initial list of antivirus solutions when we were going out to market. We really felt that we were going to go for a managed service, such as CrowdStrike or Darktrace. When we decided to go for Defender for Endpoint, we created a cost savings. So, it was easier for us to prove the business case to our senior management.

What other advice do I have?

A good antivirus is something that sort of happily sits in the background and just pretty much does its job until it is needed. It is just sitting there constantly watching and monitoring. Then, if it does need to intervene or remediate against the threat, that is when you know, "My antivirus is happily working." We haven't had many incidents to deal with. To be honest, we have had a couple of false positives. 

Definitely shortlist them in your list when you are out looking for a new vendor. What tends to happen with a lot of IT professionals is that they overlook the Microsoft offering because of the reputation that Microsoft Defender has had in the past, when it came to its consumer version. However, they have spent the last few years completely revamping their security stack. I think it offers a really well-rounded, holistic approach to cybersecurity now. They are definitely worth considering next to CrowdStrike, Sophos, and Darktrace.

A lot of organizations are probably like, "Oh, no, we don't want to get Microsoft. We don't want to get Defender. We want to get an established name," but I think Microsoft has put a lot of effort, budget, and development time into their security stack. It is a great suite. 

As their Azure platform grows, they leverage that to power and drive their Defender for Endpoint. A lot of the protections that they deploy are cloud-delivered platforms. So, they are picking up telemetry from millions of different signals and endpoints. They have so much data and can see trends really quickly.

I would rate them as eight out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Microsoft Defender for Endpoint
October 2024
Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,325 professionals have used our research since 2012.
Head of Security at Mannai Microsoft Solutions
Real User
Top 20
We can block suspicious URLs, quarantine malicious files, and conduct a forensic investigation
Pros and Cons
  • "We can run the virus scan across our entire environment."
  • "Some of the integrations that Defender should include involve the use of the web app."

What is our primary use case?

We utilize Microsoft Defender for Endpoint as our EDR solution, which stands for endpoint detection and response. Through this solution, devices are integrated. If new vulnerabilities or novel attacks emerge, Defender for Endpoint promptly identifies them. It serves as our primary EDR solution amidst the variety available in the market.

The current surge in Defender for Endpoint's popularity is attributed to its real-time detection capabilities. Additionally, we can execute SOAR actions, namely security orchestration response. For instance, if we need to isolate a device from the network or run an antivirus scan on a machine, Defender for Endpoint facilitates these tasks.

Consider a scenario where one of the devices becomes compromised. During the investigation, if a malicious IP address is identified, it can be blocked using Defender for Endpoint.

How has it helped my organization?

Microsoft Defender for Endpoint offers excellent visibility. We can observe all the details regarding the attack process, such as the type of activity that occurred, including the entire MITRE ATT&CK framework. This enables us to view the initial actions, the device involved, the IP address used, and the extent of the impact on users and devices all through a single interface.

Microsoft Defender for Endpoint definitely assists us in prioritizing threats throughout our enterprise. Based on the signatures, the alert categories are related to high severity, medium severity, and low severity. Therefore, we can determine which alerts require our focus and prioritize them accordingly.

I am currently the Subject Matter Expert for Microsoft within my organization. This encompasses the entire Microsoft security suite. I specialized in working with Microsoft Sentinel. In the past, I was a part of the Microsoft Sentinel team itself, back in 2017 when Sentinel was in its pilot version, known as Azure Security Insights. 

It's very easy to integrate the Microsoft solutions. We have data connectors and APIs readily available. There are no difficulties. If we teach an unfamiliar person for a week how to use Defender for Endpoint and Microsoft Sentinel, they can likely gain insight into the basics of integrating Defender for Endpoint, Microsoft Sentinel, Defender for Identity, or Defender for Cloud Apps.

These solutions work natively together to deliver coordinated detection responses across our environment. When an incident is detected in Microsoft Defender for Endpoint, the same incident will be captured in Microsoft Sentinel within a few minutes. The integration capabilities with both Microsoft and third-party solutions are valuable.

The comprehensiveness of threat protection provided by these Microsoft security solutions is combined into a single interface. We can access all necessary features from one place. The combined solutions offer us User and Entity Behavior Analytics, Endpoint Detection and Response, on-premises, and cloud application security. While no single product can handle everything independently, by implementing basic security practices across all Microsoft products, we achieve a comprehensive threat detection system.

The bi-directional sync capability is a feature that allows us to enable safe devices in both Defender for Cloud and Defender for Endpoint.

Sentinel allows us to ingest data from across our entire ecosystem. If we are utilizing third-party firewalls or other products, we can employ APIs to integrate those solutions with Sentinel.

Sentinel allows us to examine threats and respond comprehensively from a single location. Within this location, we can utilize SOAR playbooks to accomplish different tasks, such as blocking all compromised email sign-in sessions with just one click.

Sentinel is a comprehensive security product, owing to its integrated SOAR, UEBA, and threat intelligence capabilities. UEBA employs built-in machine learning to identify users with high, medium, and low-risk profiles. The user interface also includes a feature that enables us to log out of the user. Threat intelligence has the ability to assimilate all access information from third-party solutions and identify threats originating from the internet. Sentinel consistently operates proactively to prevent compromises. 

I used to utilize Splunk back in 2015, but I have recently transitioned into being a Microsoft security advocate due to the cost optimization benefits. Microsoft Sentinel's pricing is based on the data we ingest. We have the flexibility to choose different models, such as the pay-as-you-go model or the bandwidth model. For instance, if we ingest 500 GB of EPS, we will incur charges for that usage; however, a 20 percent discount is applicable in this scenario. The pricing is directly linked to the amount of data we ingest, which is advantageous. I prefer not to ingest certain security events that are intended for operational purposes. By excluding these events, I can effectively reduce the overall cost of using Microsoft Sentinel. Additionally, being a cloud-native tool eliminates the need for any physical hardware. With just one click, the entire installation process is completed.

There are three ways Microsoft Defender for Endpoint has benefited our organization. The primary advantage is the optimization of our organization's scanning process. We have established a bi-weekly scanning process that runs at midnight, encompassing all machines. This stands as the foremost enhancement. The second advantage revolves around obtaining visibility into vulnerabilities within our environment. Considering our role as an MSSP, responsible for managing over 25 clients, this visibility holds paramount importance. Within Defender, a particularly noteworthy feature is the enabled management. This provides us with the latest information regarding vulnerabilities within Microsoft products as well as third-party software. The third and final advantage pertains to responding to emerging threats. For instance, in the case of a new attack, such as the recent CVE 3688, which targets a Microsoft Office vulnerability, including a zero-day exploit lacking an available solution, our Microsoft-oriented threat intelligence block comes into play. Through custom query languages deployed within Defender, we have the capability to identify anomalous activities. Additionally, this third point ties in with the Application Guard rules. These rules have proven instrumental in proactively preventing ransomware attacks. They operate by automatically obstructing any suspicious processes occurring within the Office environment.

Defender for Endpoint assists in automating routine tasks and identifying high-value alerts. We have APIs established, allowing us to develop our own dashboards using the Defender for Endpoint APIs. For instance, we can utilize Power BI to generate a security report, providing a comprehensive overview of the organization's internal activities.

It has eliminated the necessity for multiple dashboards. This pertains to the MXDR dashboard, which stands for Microsoft Extended Detection Dashboard, as well as the Detection Response Dashboard. Essentially, we have consolidated these into a single comprehensive dashboard, developed entirely by Microsoft. This unified dashboard streamlines the process of accessing organizational insights. As a result, there's no longer a need to access different security products to view their respective dashboards. Within Defender for Endpoint itself, we offer an array of security reports, all conveniently accessible with just one click. For those who may not find the reports relevant, we also provide the option to utilize our in-house developers for Power BI integration. This entails having a centralized dashboard where data from all products is collected and displayed in one location, facilitating a holistic view of security reports.

The integration into a single dashboard has simplified our security operations. Previously, our team had to perform numerous manual tasks for all customers. Therefore, with automation, when we present the report to the customers, they are quite impressed with having everything in one place. 

Microsoft Defender for Endpoints' threat intelligence assists us in preparing for potential threats before they materialize, enabling us to take proactive measures. We identify these proactive threats due to the presence of a threat entry system. If any IOCs are obtained, they are undoubtedly identified by Microsoft Sentinel. Moreover, we have set up indicators ingestion for Defender for Endpoint. This process involves creating steps to acquire data from third-party sources and directly inputting it into Defender for Endpoint. Since Defender for Endpoint has a capacity limit of 15,000 indicators of compromise, we can only ingest data up to this extent. Any surplus data will be automatically removed, provided their IOC scores fall below 60 within a month. Consequently, new IOCs will replace the removed ones.

It has saved our organization around 30 percent of our time in terms of not having to worry about malware. When any malware does get in, it is automatically remediated. Now, the main portion of our time is dedicated to conducting in-depth investigations and identifying other occurrences.

We have cut our organization's costs in half compared to our previous solutions. This is mainly due to the automation of most tasks, which means we now only need ten people to manage 20 customers, a significant reduction from the 30 engineers we needed before.

Microsoft Defender for Endpoint has significantly reduced our time for detection and response. Our Service Level Agreement entails detecting issues within 15 minutes and responding within 30 minutes. Defender for Endpoint has greatly contributed to these time savings. The incidents that we used to address using Splunk required extensive coordination within our team and with our customers, leading to substantial time consumption. Previously, resolving a single incident took around 40 minutes. Presently, this process takes approximately 15 minutes.

What is most valuable?

The most valuable feature is the timeline, which allows us to view the details of an event 30 minutes before and after.

Forensic investigation is a valuable feature of Defender for Endpoint.

We can run the virus scan across our entire environment.

We can block suspicious URLs and quarantine malicious files within the Defender for Endpoint portal.

What needs improvement?

Some of the integrations that Defender should include involve the use of the web app. Utilizing the web app implies that the Defender API should be accessible through mobile devices as well. For instance, if there exists a mobile application, it would be beneficial. Let's imagine a scenario where I'm traveling and I receive a new alert. With a Defender mobile application, I could easily isolate the threat, conduct an investigation on my mobile device, or even automatically escalate or assign the alert to my engineers.

There are certain third-party apps that haven't been integrated with Defender. I would be delighted to witness the integration of those apps with Defender for Endpoint. 

The deployment of Defender for Endpoint should be made smoother via Intune.

For how long have I used the solution?

I have been using Microsoft Defender for Endpoint for five years.

What do I think about the stability of the solution?

Microsoft Defender for Endpoint is stable.

What do I think about the scalability of the solution?

Microsoft Defender for Endpoint is scalable.

How are customer service and support?

The technical support is fine but it takes time to reach them.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We previously used Splunk but switched to Microsoft Defender for Endpoint because of the cost and smoother operation.

How was the initial setup?

With the proper training, the initial setup is straightforward.

When conducting customer onboarding, the deployment will require a minimum of three days. Therefore, we must ensure everything is executed flawlessly and follow security best practices. Emphasizing precise deployment is crucial. Hence, deploying without careful planning is not an option, aiming to prevent any issues in a larger environment. In contrast, a smaller environment can be deployed within two days.

For a large organization with over 5,000 employees, a team of up to six people is required for the deployment.

What was our ROI?

We are achieving a 15 percent return on investment, which is contributing to the growth and impact of our company.

What's my experience with pricing, setup cost, and licensing?

If we are acquiring everything in a single place, the front end becomes cost-effective. We won't need to purchase five separate products for various tasks. Instead, it's one product designed for five tasks, which is certainly a cost-effective approach.

What other advice do I have?

I rate Microsoft Defender for Endpoint an eight out of ten.

We also utilize Defender for Cloud. Defender for Cloud is employed specifically for the Azure product. If we have servers deployed within Azure, the system handles alerting, traceability, and security. Therefore, we certainly use it.

We have three locations where Microsoft Defender for Endpoint is deployed. One is in Australia, another is in Qatar, and the third is in India. Consequently, we employ approximately two hundred personnel.

No maintenance is required for Defender for Endpoint on the customer's end.

A single-vendor security solution approach is better than a best-of-breed strategy. We all are using Microsoft laptops and OS.

I recommend completing a POC before adapting Microsoft Defender for Endpoint.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Sr. Lead Consultant at catapult
MSP
The single pane of glass is vital to us as security consultants and to our clients, who need a high level of visibility
Pros and Cons
  • "In my opinion, the most valuable aspects are the reporting analytics and integration with Sentinel. Defender does an excellent job of correlating the different entities that comprise threat analysis, analytics data, and log analytics. It helps to piece together investigations into any exploit or malicious activity within a specific tenant. AI and analytics tools are probably the most valuable components."
  • "Localization is always a challenge, especially with new products you typically want. Solutions are designed to be deployed where the most licenses are being consumed, such as in the United States. They focus on US products, devices, and networks. Specialized deployments for other countries would allow for a smoother experience in transition."

What is our primary use case?

I'm a security coach with multiple clients. I provide security implementation, planning, and maintenance through Microsoft Defender. I use all the Defender products, including Defender for Identity, Defender for Office 365, and Defender for Cloud. 

It's easy to integrate the solutions. You only need to go into the settings and switch on the connectivity to all the Defender for Endpoint connectivity telemetry. Microsoft documentation is thorough, and it walks you through all the necessary steps.

We're multi-client and multi-cloud. We're working with multiple organizations and departments, so it's complex. We have domains and sub-domains that we must account for on the deployment side. We also use Defender for ATP, which is the Defender for domain controllers.

How has it helped my organization?

Defender for Endpoint helped to bridge the gap with remote workforce solutions because it protects managed and unmanaged devices. It's also easier to use because Defender for Endpoint is cloud-managed, so it stays maintained and updated. It has a leg up on competing solutions that require more system resources and maintenance. 

The tight integration with Microsoft operating systems is another advantage because it's easier to manage. It also goes beyond Windows OS. Defender for Endpoint supports other platforms and operating systems, such as Linux, iOS, and Android. I like that Microsoft is expanding the product's scope beyond Microsoft operating systems. Microsoft is developing a holistic approach, so you don't need a third-party product to protect these other non-Microsoft platforms.

Defender helps us to prioritize threats across the enterprise. The weighted priorities are based on all the MITRE security standards. Defender products work together to provide comprehensive protection. I agree with the placement of Defender Products on Gartner's Magic Quadrant. Defender is a leader in that area of threat protection. I'm pleased with the outcome of a lot of the investigations. I can protect and harden areas that didn't usually didn't have that level of visibility and granularity. 

Defender integrates with Sentinel, enabling me to ingest data from my entire ecosystem. Sentinel also covers non-Microsoft products with the third-party connectors that are provided. I enjoy that part of the Sentinel functionality and feature set. It has several features for aggregating the log data and analytics for the on-premises environment. Having that visibility is crucial.

Sentinel provides the SIEM and the SOAR capabilities, offering a single pane of glass for all of the security operations centers and providing on-site reliability for many of my clients. Sentinel is Microsoft's answer to competing tools such as Splunk and other log application tools. Sentinel seems to provide more added value from the ease of use and visibility. The licensing is also competitive.

You can set up Sentinel to forward alerts if you want to create a managed Cloud environment solution for Sentinel for a client. There's a way to set that up through Azure Front Door. You're seeing the data reporting and single pane of glass for other tenants and customers. It enables you to offer security as a service to maintain visibility for clients.

I like that it considers the status of a device (whether the device is online or offline, VPN or not, etc.) and provides several options for telemetry, depending on where and how the device is being used. It gives a lot of flexibility with the installations, maintenance, and management of the Endpoint solution. In addition to Defender for Endpoint's feature set, other parts of device management reduce the attack surface and protect those devices.

Defender's automation features have been a significant advantage with many of my clients because the remediation has been automated. Most of the time, it doesn't require any human intervention unless there's something that hasn't been set up. I must demonstrate the automated investigation and remediation to my clients to ensure their environment is automatically protected on weekends and after business hours.

The single pane of glass is vital to us as security consultants and our clients, who need a high level of visibility. You can go into the high-level executive dashboard view and drill into each telemetry graphic to provide you with more granular data. I see how easy it is to see the big picture and effortlessly drill into the details using the side navigation menus and more.

Consolidating things into one dashboard streamlined them significantly. When working with multiple tools and vendors, you typically have to stitch the reporting together to get an overarching view of everything. It's time-consuming. By the time some of these tasks are accomplished, the data starts to get stale, so you need to refresh and create an all-new view again. Having real-time capability in a single pane of glass is essential.

Defender Threat Intelligence helps us develop a forward-looking approach to threats and plans. That's one aspect of the product I find incredibly helpful. It will highlight things that may require intervention, such as turning on conditional access rules or setting up some geofencing for anything that looks like it could be a password spray attack from a known location that we can block. 

There are opportunities to turn off any legacy protocols that may be in use. That's been a common thread with some of my clients who still use legacy protocols for sign-in and authorizations. The ability to do that has been a considerable help proactively.

You don't know what you don't know until you know. The continual flow of real-time data and analytics from Defender products helps create a security roadmap and harden many areas. With improved visibility, we can build a better roadmap to harden those areas by prioritizing and doing things methodically. Previously, we were guessing what to do next or what would be most important based on an educated guess. Now, we have data to guide our security decisions.

Microsoft Defender has saved us hours and hours. It has probably paid for itself many times over. I would agree that it has saved a lot of time and money. I estimate it probably saved us the equivalent of two people working full-time. You typically have at least one person overseeing on-premise resources and another dedicated to cloud resources.

What is most valuable?

In my opinion, the most valuable aspects are the reporting analytics and integration with Sentinel. Defender does an excellent job of correlating the different entities that comprise threat analysis, analytics data, and log analytics. It helps to piece together investigations into any exploit or malicious activity within a specific tenant. AI and analytics tools are probably the most valuable components.

The bidirectional sync capabilities and off-app sanctioning of the SaaS applications are helpful. The identity security posture feature set provides investigation recommendations for risky users. The heat map for locations is also handy. Defender integrates with the AIP DLP for data governance and protection. I use all of that.

There's a need to have augmented workforce capability. You need to see the data streams for client work augmentation for the security operation center and act on the information. Having data in near real-time is essential to my organization and the work we do for our clients. The built-in SOAR, UEBA, and threat detection features are comprehensive.

What needs improvement?

It always helps to have onboarding wizards. Microsoft has done a lot of work in that area. I would like to see some more refinement in the wizards to allow more diverse use cases and scenarios that help us deploy Defender globally. In particular, I would like to see more deployments considering localization barriers and networks or devices common in various regions. 

Localization is always a challenge, especially with new products you typically want. Solutions are designed to be deployed where the most licenses are being consumed, such as in the United States. They focus on US products, devices, and networks. Specialized deployments for other countries would allow for a smoother experience in transition.

For how long have I used the solution?

I have been using Microsoft Defender for about two and a half years.

What do I think about the stability of the solution?

It's pretty stable. I haven't had any reliability concerns with Defender, and there have not been too many complaints from users that have to have extensive reboots or any kind of performance impact. So I would say it's pretty stable.

What do I think about the scalability of the solution?

Scalability is built into the product. It's a cloud-managed solution, so it's capable of scaling pretty quickly as needed. You don't have to unlock another key or do something else to scale the product. It's scalable by design.

How are customer service and support?

I rate Microsoft support a seven out of ten. We've opened a few Microsoft tickets. For example, we've seen some discrepancies between Defender for Exchange Online and the reporting from Sentinel. We raised tickets to determine why Sentinel's logging data doesn't match what we see in Exchange Online.

It can be slow and tedious sometimes. Microsoft has different support level agreements. If you want prompter and higher-quality support, you typically need to pay for an Ultimate Support contract. If we compare that with other companies or organizations, Microsoft is probably on par with everyone else. You don't get a higher level of support unless you pay for it.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I've worked with all the major antivirus and endpoint protection vendors, including Splunk, CrowdStrike, Sophos, Norton, and McAfee. Microsoft's advantage is its integration with the operating system, ease of deployment, and support for the 365 Cloud experience. It makes everything easier to deploy, maintain and manage. It comes down to cost and integration. We realize cost savings because it's integrated into the E5 licensing product.

How was the initial setup?

The setup is straightforward and mostly automated. You only have to intervene when you experience errors. Those typically happen on non-US systems or in other countries. For the most part, it's effortless to deploy.

We try to use the auto-onboarding capabilities that come with Autopilot. If you have new systems deployed with Windows Autopilot onboarding capability, that's going to turn Defender on with the proper policies and security parameters. 

One person is enough to deploy Defender if you have a plan and proper communication. You notify everyone that the deployment is happening and push the button. You need to let everyone know if reboots are required and the like. Other than that, it's pretty much a one-person deployment job.

In terms of maintenance, Defender is probably somewhere in the middle. Microsoft maintains a lot of automated updates. There are feature sets that come into play with things that are put in preview and you may want to see if it's something you want to turn on and try out while it's in preview. Those are the only areas that require some discussion and intervention. Most of the maintenance is automated. At the same time, you also need to be trained and aware of the updates and feature sets as they mature. You must stay on top of changes to the UI, reporting, etc.  

What was our ROI?

If you look at what we pay on average and all the potential ransomware and malware threats we've averted, we've definitely saved tens of thousands of dollars, depending on the client. Some of the bigger clients have saved millions of dollars of potential ransomware payouts because Defender products helped protect those areas of attack. 

What's my experience with pricing, setup cost, and licensing?

The cost is competitive and reasonable because most of the expense is log analytics, storage, and data consumption and ingestion. They can be throttled and controlled, so they are highly flexible. Defender has a lot of advantages over competing products.

From a licensing aspect, you're not just getting a security product. You're getting a lot of other capabilities that go beyond the Defender products. You get an E5 or E3 license and some form of Defender for Endpoint included with all the other security features of the other Defender products. 

Which other solutions did I evaluate?

It didn't take too long to decide on Microsoft because of the integration and simplicity. CrowdStrike is probably the closest competitor.

What other advice do I have?

I rate Microsoft Defender for Endpoint a nine out of ten. Defender is one of the best I've seen, and I'm not saying that as a Microsoft reseller. We use Defender and have gotten our Microsoft certifications to provide a high level of service for our clients. It's crucial to have a product we stand behind and believe in wholeheartedly. We're not getting kickbacks from Microsoft for saying or doing any of that. We use it because it works. 

I would say there's a trade-off. Once you start adding complexity to security, you're going against best practices that say simpler is better. Adding another vendor or a level of complexity is usually unnecessary. Unless there's something Microsoft completely missed, I would question the value of going to another vendor. 

Communication and planning are most important. Any time you change products or deploy something for the first time, you should test it first in a smaller use-case scenario. That will help you identify any issues with your network, firewall, or legacy applications that may be falsely identified as a threat. It's always best to test your use case scenarios in a proof of concept before you deploy it.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Senior program lead at a manufacturing company with 10,001+ employees
Real User
Top 20
Works very well with the Microsoft ecosystem and helps to stop threats at the source
Pros and Cons
  • "The endpoint detection of threats is valuable. The initial detection of things like ransomware and viruses and being able to shut down machines immediately and stop a threat is valuable. We can stop a threat at a source versus allow it to propagate it across the network."
  • "The product itself does not necessarily need improvement, but the support and implementation of the product are the disaster cases."

What is our primary use case?

We use it as an Enterprise Detection and Response (EDR) solution. We use it for compliance purposes, and we are starting to use it for DLP purposes.

How has it helped my organization?

Microsoft Defender for Endpoint allows our threat hunting and threat remediation teams to reduce the footprint of viruses when they come on the network.

We have immediate visibility on all endpoints. It is very good at visibility.

For prioritizing threats across our enterprise, the threat-hunting system in Microsoft Defender for Endpoint is not top-notch. We usually integrate it into things like our SIEM or Sentinel or other things to prioritize or our SOAR system to automate.

We can feed the alerts coming out of it into our XSOAR system to immediately act on events versus waiting until people see them and use the ticketing system.

Microsoft Defender for Endpoint has saved us time. It has saved us at least 40 hours a week. We are able to automate and have the ability to handle threats on an enterprise with 50,000 devices.

Microsoft Defender for Endpoint has not saved us costs. It is a Microsoft product.

Microsoft Defender for Endpoint has reduced our time to detect and respond. By going from a manual process to an automated process, depending on the severity, the time reduced has gone from minutes and days to seconds.

What is most valuable?

The endpoint detection of threats is valuable. The initial detection of things like ransomware and viruses and being able to shut down machines immediately and stop a threat is valuable. We can stop a threat at a source versus allow it to propagate it across the network.

What needs improvement?

The product itself does not necessarily need improvement, but the support and implementation of the product are the disaster cases. Instead of being able to go back to Microsoft and ask how to do something, we have to work with a vendor who does not exactly know how to do that and has to go to Microsoft to say, "How do we do this?" so that they can answer our questions. There are a lot of things in relation to various compliance standards such as CIS. The primary levels of support of Microsoft do not know or cannot implement that. Working through vendors is time-consuming. It is a painful process to get back to them to get the answers.

For how long have I used the solution?

I have been using Microsoft Defender for Endpoint for three years.

What do I think about the stability of the solution?

We have never seen any downtime in it, so it is incredibly stable.

What do I think about the scalability of the solution?

It is incredibly scalable. However, its ability to bind things into the groups on its dashboard is limited. You can see your 50,000 machines empire, but dividing it into regions, and dividing it into subgroups and management areas is very limited.

It is deployed across the world. There are 250 sites worldwide with 50,000 devices.

How are customer service and support?

I would rate their support poorly. I would rate them a two out of ten.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

The history would be a Symantec product, but I do not remember what it was. Then we went up through Azure ATP to Microsoft EDR. 

How was the initial setup?

I was involved in its deployment and initial setup, but I was not a part of PoC at the time. The deployment was very easy. We pushed it out with SCCM.

Our implementation strategy was PoC, small user groups, and then wide or regional deployments.

We have on-premises and cloud deployments. It is an endpoint protection platform. It goes on any endpoint that we have or that we have running. It could be an endpoint that is sitting in the cloud. It could be an endpoint that is sitting on-prem. We use Azure, GCP, and AWS. There is also some limited rack space from IBM.

What about the implementation team?

We used CDW.

What was our ROI?

We have reduced man hours using the product. We have definitely been able to leverage automation with it more than other products that we have used previously and other products that we are using.

What's my experience with pricing, setup cost, and licensing?

I recently switched from education to private business, and all I can say is that private business licensing from Microsoft is not cheap until you hit certain quantities or scale. That does not mean that it is not comparable to other industries. It is similar pricing, but it is still crazy to me how much you pay for a client. I feel it is high, but it is in line with other vendors.

Which other solutions did I evaluate?

We evaluated Cortex XDR, Carbon Black, and QRadar or whatever that solution was from IBM.

The Microsoft ecosystem is the main difference. Everything under the umbrella of the Microsoft security toolkit makes life easier when all the systems talk together nicely.

What other advice do I have?

To those evaluating this solution, I would advise first figuring out what your needs are. Figure out what levels of granularity you need in the system to see if it will support your needs. For example, if you have something like department-level control over devices, you might want to look at another system versus a central security solution that controls all devices. Beyond that, make sure your machines have the resources necessary to support the features you turn on in the environment. A lot of the resources in Microsoft Defender for Endpoint can be shut down for slower machines and older machines.

I would rate Microsoft Defender for Endpoint a solid nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT Architect at a real estate/law firm with 10,001+ employees
Real User
Top 5
We have seen improvement in all our endpoint vulnerabilities
Pros and Cons
  • "The detection features are valuable, as is the fact that it is easier to port these logs into Sentinel. That is also useful for us. It is more comprehensive."
  • "If the solution could be integrated more with Defender for Cloud, to be more unified, that would help. It is good now, but even more integration could be done with Defender for Cloud. We see two different portals. If Defender for Endpoint could be ported to the CSPM, Defender for Cloud, that would make things even easier for us."

What is our primary use case?

We use it to protect our servers and endpoints, which include our employees' laptops and our own endpoint portal, where we see the single pane of glass reports. It is our first line of defense.

How has it helped my organization?

We have seen improvement in all our endpoint vulnerabilities, which is very crucial for us. If this had not been implemented, we would be in trouble because our endpoints would be unprotected. It has definitely improved the security posture of our organization.

Also, automated investigation, protection, and alerts have affected our security operations in a positive way. We get to see the vulnerabilities quicker, and we get to see the root cause analysis as well.

Defender for Endpoint has also eliminated having to look at multiple dashboards. The Endpoint portal is sufficient. It is easier for our security operations team to look at the vulnerabilities and reports and plan for remediation actions.

In addition, the moment the solution's threat intelligence provides a suspicious IP or a suspicious URL, we block it right away. We are more secure. It has helped our security operations detect things in advance and preempt any vulnerabilities.

We have seen productivity gains in terms of the mean time to resolve issues, on the order of 20 to 30 percent. We have the unified dashboarding and reporting, the investigation, and automated remediation. Saving 20 percent of our time translates to saving money.

What is most valuable?

The detection features are valuable, as is the fact that it is easier to port these logs into Sentinel. That is also useful for us. It is more comprehensive.

The visibility into threats that Defender for Endpoint provides us with is quite deep and mature. The threats that we find help us understand our vulnerabilities and remediate them if required.

Another very important point is that it prioritizes threats across our enterprise. This is important; the solution is the first line of defense. Defender for Endpoint is very crucial for our defense, considering that we all work remotely.

We also use Defender for Cloud, Purview, and Microsoft Sentinel; all of these are integrated and go into Sentinel. It was easy to integrate them because we are using Azure Cloud, and all of them are native to Azure Cloud. The connectors also make it easy. The fact that these solutions work natively together, providing coordinated detection and response, is very important to us. That is precisely why we got into Azure. This does provide us with a comprehensive view of the threats, incidents, alerts, investigations, and threat-hunting processes. Overall, it gives us multiple ways of securing things.

What needs improvement?

If the solution could be integrated more with Defender for Cloud, to be more unified, that would help. It is good now, but even more integration could be done with Defender for Cloud. We see two different portals. If Defender for Endpoint could be ported to the CSPM, Defender for Cloud, that would make things even easier for us.

For how long have I used the solution?

I have been using Microsoft Defender for Endpoint for three years.

What do I think about the stability of the solution?

We have never had any downtime or any other issues.

What do I think about the scalability of the solution?

We have scaled up to 3,000 endpoints, and there is scope for it to be scaled more. When more employees join or more departments come in, we'll be scaling up.

How are customer service and support?

Defender for Endpoint's technical support is fairly good. We haven't encountered many problems with them. We initially had some problems when we integrated Sentinel, but that was resolved internally.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not have another EDR solution. We started with Azure.

How was the initial setup?

The deployment was straightforward because it's all native. We are integrating within the Azure environment, so it is easy.

This solution specifically would have taken a week or so to deploy, but it was part of our overall deployment along with the other Microsoft products. After a week, we started utilizing or pushing the data into our security operations.

We had multiple servers and laptops that were endpoints to be protected by Defender for Endpoint, almost 3,000 endpoints. We had to go one by one. Initially, we implemented 500, and eventually we built on top of that.

It doesn't require much maintenance unless we add more endpoints. That's when we need to push it. Otherwise, there is not much activity involved.

What about the implementation team?

It was all done in-house and required three full-time resources.

What was our ROI?

We have easily seen 20 to 30 percent savings, year on year.

Which other solutions did I evaluate?

They would have definitely evaluated other solutions, but the clear preference for a native solution is what made this stand out.

What other advice do I have?

A single-vendor security suite has its advantages in terms of ease of porting, ease of connecting to the SOC, and also dashboarding. For ease of use, a single vendor strategy is valuable. But cost-wise, if you go for multiple vendors, you may be able to negotiate the cost, but that approach makes things difficult to integrate.

It detects suspicious malware and credential access issues, and it even maps to the Mitre ATT&CK framework. It's a pretty good product. Try it out and implement it as soon as possible.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Consultant - Cloud & Infrastructure Security at a tech vendor with 10,001+ employees
MSP
Top 20
Assists our organization in prioritizing threats across our enterprise by providing security recommendations based on the weaknesses in our organization
Pros and Cons
  • "The most valuable aspect is information, specifically the automatic investigation of packages."
  • "The profiling method currently in use is not very user-friendly and has ample scope for improvement."

What is our primary use case?

We use Microsoft Defender for Endpoint as an enterprise security solution.

How has it helped my organization?

The visibility is great. For example, Microsoft Defender for Endpoint's portal has a section called threat analytics. There's a threat intelligence box. So all new threats and trending threats are visible. If any of our devices in our organization are susceptible to this threat, the solution will let us know because it searches for that specific particular vulnerability, which can be exploited. The Microsoft threat analytics tool gives us that type of visibility into the threats that might affect our organization. For example, the threat analysis updates every half hour to one hour with the top ten latest threats. The scan tries to ensure that these threats don't belong to our organization and if they do, it identifies the infected device. Microsoft Defender for Endpoint makes a lot of security recommendations when we onboard it to quarantine a lot of security recommendations that help to improve the security posture of our environment.

Microsoft Defender for Endpoint assists our organization in prioritizing threats across our enterprise by providing security recommendations based on the weaknesses in our organization. It includes a department that provides management licenses and uses analytics to identify high-priority threats in our environment. This is connected to a common protocol that assigns a priority level of five to devices with vulnerabilities, indicating what actions should be taken. Thus, we have all the necessary information in one place.

Prioritization is crucial because there is a possibility of a high-priority threat entering our environment. This is how the solution determines the priority of threats. For instance, if one of our high-impact business devices is vulnerable to a top-priority security five threat we need to address it first. Alternatively, we may choose to address the sixty computers with a level two or three security threat, which are mostly associated with lower impacts. Therefore, prioritization aids in determining which critical business infrastructure requires immediate attention.

There are several lines with multiple solutions, but Microsoft offers a comprehensive solution with its E5 license. This license includes a wide range of features such as purview information protection, data protection, and other business-related tools. In my previous experience, I have noticed that some organizations utilize multiple Microsoft products, such as Defender for Endpoint, Identity Management, Defender for Cloud Applications, and Defender for IoT. This combination of different products can be quite useful.

Microsoft Defender for Cloud on Azure can be easily integrated with Defender for Endpoint, including on-premise solutions that can be onboarded to Azure with different subscription values. The integration will already onboard it to the device with Defender for Endpoint, along with additional features such as Just-in-Time Access, Defender for Vulnerability Management, and Control Sign-in Monitoring. These features provide robust cloud security monitoring and can be added to Defender for Endpoint. Moreover, Defender for Cloud is integrated with Defender for Endpoint portals, enabling a one-stop shop for onboarding devices with all the cloud posture management required for a single computer or software. This integration is highly beneficial, and other applications can be similarly integrated.

It is easy to integrate Microsoft Defender for Endpoint with other solutions.

These solutions seamlessly integrate to create a zero-trust platform, as offered by Microsoft. This platform ensures protection from various threats such as networks, applications, and infrastructure, with the added benefit of Microsoft Sentinel. The Sentinel tool combines threat analytics from multiple sources into a user-friendly workspace, providing optimal productivity. Additionally, sending logs from any of these products, including Sentinel, to the cloud connector is a simple process.

The integrated Microsoft security products offer comprehensive threat protection, such as Microsoft Defender for Office. With these products, our office is now able to identify and address email threats in a single platform, instead of checking each platform individually for application, identity, vulnerability management, and endpoint security. Moreover, these products can be easily integrated into a single workspace solution. With the help of pre-existing methods in Sentinel, we can efficiently handle a large number of alerts that we receive. Rather than going through each alert individually, we can activate a playbook that provides solutions for common alerts and takes actions in parallel to resolving them. This integration simplifies the process of achieving a complete security solution.

When we transition from on-premise servers to Azure ARC resources and activate Defender for Cloud Applications, it becomes easier to manage our servers from different networks, especially when it comes to security features. For example, we can check the compliance of our devices and organization with PCI DSS or other security protocols. Running compliance checks during the transition while syncing data with a different SL Cloud provides us with a significant amount of data and valuable information, including recommendations for improving compliance. This process involves bi-directional communication between devices, the cloud, Azure, and different network clouds.

Microsoft Sentinel allows us to easily ingest data from our entire ecosystem.

Microsoft Sentinel allows us to investigate threats and respond holistically from a single platform. Sentinel is both a SOAR and SIEM solution, meaning we can perform responses, but we must create a separate playbook for them. The default method may include some pre-built responses. The most important aspect is that if our company uses SentinelOne instead of Defender, we can still easily send logs through our Sentinel Workspace using API calls. This can be accomplished with a few connections, and we can create our own playbooks for different types of alerts. For example, if SentinelOne is not sending data, we can generate alerts of this type and respond accordingly. This significantly reduces user effort.

The security protection offered by Sentinel is extensive. It can be integrated with any Microsoft solutions, including information protection, and can be connected directly to Microsoft's threat intelligence sources and other resources. This allows for comprehensive protection.

Our clients have reported that Sentinel's cost and ease of use, in comparison to other stand-alone SIEM and SOAR solutions, are favorable. They find the user-friendliness of Sentinel to be worth the cost.

Microsoft Defender for Endpoint assists in automating routine tasks and identifying high-value alerts. We can automate actions based on the alert's sensitivity, and in case we are uncertain of how to handle those alerts, we have the option to seek assistance from a Defender expert. This feature is particularly valuable, as it can provide guidance in identifying and investigating such alerts.

Microsoft Defender for Endpoint helps eliminate multiple dashboards by giving us one XDR dashboard.

The solution's threat intelligence helps us detect and respond to threats proactively by identifying suspicious behavior.

Microsoft Defender for Endpoint has been instrumental in saving us time by alerting us about potential threats and automatically guiding us through the necessary steps to eliminate them. The solution logs all the actions taken, saving us from having to spend valuable time retracing the steps.

By detecting threats in advance before they can propagate, Microsoft Defender for Endpoint helps our organization save money. The tool helps to identify potential security risks early, preventing their escalation and the associated costs of mitigation.

Our detection and response time has improved. This is thanks to Microsoft Defender, which has Endpoint Detection and Response capabilities. Before, we used to manually create policies to address security incidents, but now the system can automatically remediate issues without us having to intervene.

What is most valuable?

The most valuable aspect is the information, specifically the automatic investigation of packages. For instance, during an automated investigation, data and information are collected. Additionally, there is an encapsulated view that shows the origin of the package, how it was propagated, and any blockages or attacks that may have occurred. The most critical factor is the information gathered regarding various types of incidents, including how they are mapped and propagated, and what actions should be taken in response.

What needs improvement?

Creating antivirus profiles for Linux is a more challenging task compared to other operating systems. The profiling method currently in use is not very user-friendly and has ample scope for improvement.

For how long have I used the solution?

I have been using the solution for over four years.

What do I think about the stability of the solution?

Microsoft Defender for Endpoint is stable.

What do I think about the scalability of the solution?

Microsoft Defender for Endpoint can scale effectively to meet the needs of our environment, regardless of its size.

How are customer service and support?

The technical support team is highly knowledgeable, and in cases where they are unable to provide a solution, they escalate the issue to the second level of support. Their services are available around the clock, and if the assigned representative is unavailable, they promptly transfer the ticket to another capable person to ensure a seamless resolution of the issue.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously utilized SentinelOne, Kaspersky Endpoint Detection and Response, Symantec Endpoint Detection and Response, and Carbon Black CB Defense. However, I find Microsoft Defender for Endpoint to be more user-friendly than the other solutions. The information provided by Defender is valuable, and the deployment process is easy. Additionally, it offers several valuable features.

How was the initial setup?

The complexity of deployment depends on the client's environment. The number of people required for the deployment depends on the number of servers the organization has. For example, in a deployment of 700 workstations and 500 servers, one full-time and two part-time consultants are required.

What about the implementation team?

We implement the solution for our clients in-house.

What was our ROI?

We experienced a positive return on investment by using Microsoft Defender for Endpoint. This solution allows us to streamline our operations by consolidating all necessary components under a single umbrella and eliminating the need for additional vendors and extra costs.

What's my experience with pricing, setup cost, and licensing?

Microsoft Defender for Endpoint is included with a Microsoft E5 license.

What other advice do I have?

I give the solution an eight out of ten.

The most cost-effective and user-friendly option for security is a single-vendor security suite. This approach also eliminates the need for multiple integrations.

I recommend that organizations avail themselves of Microsoft's trials and demos, and compare Defender with other solutions in their environment to determine the best fit. With a Microsoft E5 license, organizations can access all of Microsoft's solutions and use whatever they need.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
AnuragSrivastava - PeerSpot reviewer
Information Security Engineering Lead at a energy/utilities company with 10,001+ employees
Real User
Provides detailed visibility into threats but the ability to add exceptions needs improvement
Pros and Cons
  • "One feature I like the most is vulnerability management, which shows any vulnerable software or OS present in my environment. Microsoft Defender for Endpoint provides a complete overview and also recommends the steps to mitigate the vulnerabilities or threats. Most of the other antivirus or EDR solutions generally don't provide vulnerability management. It is an add-on that Microsoft Defender for Endpoint provides."
  • "The second major area for improvement involves enhanced capabilities for different operating systems or platforms. That is, even though we have coverage for different operating systems or platforms such as Linux, we don't get all of the controls and enhanced capabilities that are available with Windows devices."

What is our primary use case?

We use Defender for Endpoint to secure our Windows 10 endpoints and Windows servers. We use Microsoft Defender as an antivirus, and we also leverage the EDR capability. If any malware or threat is present, Defender can take action on those threats and remediate if there are any malicious actors present in our environment.

It is deployed on-premises, on the cloud, and on multi-cloud solutions like AWS on Azure. We have a diverse, global environment with devices or servers in Europe, the US, and the Asia-Pacific region, except for China.

What is most valuable?

One feature I like the most is vulnerability management, which shows any vulnerable software or OS present in my environment. Microsoft Defender for Endpoint provides a complete overview and also recommends the steps to mitigate the vulnerabilities or threats. Most of the other antivirus or EDR solutions generally don't provide vulnerability management. It is an add-on that Microsoft Defender for Endpoint provides.

Also, because of this solution's EDR capabilities, we can determine what we want Microsoft Defender to do and then automate the entire process. We have already enabled these automated response capabilities and are leveraging them.

The visibility into threats that Microsoft Defender provides is very detailed. If we want to investigate how a threat was initially integrated into our environment, we can do that with a detailed activity timeline. It will be across the servers or Windows Endpoint, so we will be able to see the correlation and gain a complete picture of any threat within that timeline.

It helps us prioritize threats across our enterprise to a certain extent. Whenever there is a threat, we'll get a risk score along with the level of severity. We will then be able to see whether the threats are of high, medium, or low severity and can prioritize them accordingly.

Prioritization is really important to our organization because with 100,000 people working, we see an immense number of threat alerts including phishing, identity, and other kinds of threats. We have a limited number of people working in security operations centers, and we may see 30,000 alerts come through. Therefore, it's very important for us to prioritize those alerts so that we don't end up working on threats that are not important and miss critical alerts.

Along with Microsoft Defender, we also use Microsoft Defender for Cloud Apps, Microsoft Defender for Cloud, and Microsoft Defender for Identity. Integrating these products is quite simple. You just toggle the button, and the integration will be turned on. Once you have turned on integration, you will see feeds from the other portals. That is, if I get something in Defender for Identity, then I will be able to see relevant items in the Defender for Endpoint portal as well. It's out-of-the-box integration, and no additional measures are required.

These solutions work natively together to deliver coordinated detection and response across our environment. They work in the background and share common intelligence with each other and provide correlated feeds within these portals. They provide comprehensive threat protection.

When the integration is in place, it eliminates the need to look at multiple dashboards. Initially, we used to have different portals for incidents, but now, we have one central console. We can see alerts and incidents from Defender for Cloud, Defender for Identity, etc. It saves us a lot of time because our analysts don't have to spend time looking at different dashboards or consoles.

In terms of preparing for potential threats before they hit and taking proactive steps, the feeds in Microsoft Defender for Endpoint help us detect zero-day vulnerabilities or any ransomware. The threat analytics show us what the current and upcoming threats are. I can get the indicators of compromise from that particular list and can prepare my team on how to act on those particular threats. It has helped us to become more efficient.

Overall, this solution has helped us save 30% to 40% of our time.

Also, our time to detect and respond has decreased by around 40 to 50%.

What needs improvement?

One major item for improvement is the ability to add exceptions. We can add some exceptions, but not at the level we need to.

The second major area for improvement involves enhanced capabilities for different operating systems or platforms. That is, even though we have coverage for different operating systems or platforms such as Linux, we don't get all of the controls and enhanced capabilities that are available with Windows devices.

Reporting could also be improved because, at present, we get limited results at times. For example, in an environment with more than 100,000 devices, you may just get 10,000 results when you run a report.

For how long have I used the solution?

I've been using it for close to four years.

What do I think about the stability of the solution?

It's not very stable because Microsoft keeps making a lot of improvements as it's a new product. For example, today I might see something on one page, on another day, it might be located on some other page or portal. However, I have seen stability to some extent over the last couple of months.

What do I think about the scalability of the solution?

It's definitely a scalable solution. Almost all of the users in my organization, close to 70,000, use this solution.

How are customer service and support?

Technical support is an area that needs a lot of improvement. Microsoft does not have the right people who can help with any challenges or problems, and ultimately, we end up finding the solutions on our own rather than relying on them. They take a lot of time to work on a support case, and we can't find the right level of support as well. Therefore, on a scale from one to ten with one being the worst and ten being the best, I would give technical support a rating of four.

How would you rate customer service and support?

Neutral

What was our ROI?

We have seen a return on investment in the last few years in terms of our organization being protected against threats.

What's my experience with pricing, setup cost, and licensing?

Microsoft Defender for Endpoint is cost-effective because there's one unified license, and with this unified license, you get the capabilities for your cloud applications, servers, and endpoints as well. Therefore, it saves us a lot of money because the cost with other solutions is for just one piece of OS or maybe an urban environment. The licensing process is not complex as well.

What other advice do I have?

Your use cases, how your organization is configured, and what your infrastructure is like will determine whether you go with a best-of-breed strategy rather than a single vendor's security suite. From a cost perspective, I think it's better to just go with one technology because when you have two technologies in place, there may be conflicts with policies that may result in additional time spent investigating.

However, if an organization has a high number of macOSs and they have a lot of Linux servers, they may choose to go with two technologies if Microsoft Defender doesn't provide a complete set of security capabilities.

Before you implement the solution, first see what your use cases are and what you're actually looking for. Then, define your environment and what you're going to protect first, whether they be application servers or just endpoints. Then, you can have a detailed discussion with the implementer or vendor.

On a scale from one to ten, I would give Microsoft Defender for Endpoint an overall rating of seven.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions.
Updated: October 2024
Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions.