Microsoft Defender for Endpoint Reviews

I use Defender for Endpoint every day, for example, when a user downloads an unwanted application, we get an alert. Sometimes we have suspicious processes in an endpoint, and we receive an alert for those activities.

Microsoft Defender for Endpoint helps in detecting different alerts and potential threats by providing alerts and timelines with detailed explanations, which is useful to understand and close or address the issues.

In Microsoft Defender, there is a security portal that allows advanced hunting. You can query and access useful information from logs and events, which is powerful and efficient. Additionally, the timeline feature helps in understanding which process launched what and identifying errors.

Sometimes, there are difficulties in downloading a file considered as malicious. We encounter a bug that requires several attempts to download, which is a bit of a challenge.

I have been working with Microsoft Defender for Endpoint since February, which is approximately eight months.

The stability of the solution is rated an eight out of ten. It is quite stable.

The scalability of the solution is rated as eight, suggesting it is reasonably scalable.

I contacted Microsoft support for personal use of Defender, and they were very nice, providing solutions quickly. This was a positive experience.

Positive

Before using Defender for Endpoint, I used SentinelOne. Defender is easier to use than SentinelOne.

For the initial setup, I’d give it an eight out of ten, suggesting it’s quite straightforward.

The price for Microsoft Defender for Endpoint is about three euros, which is considered reasonably priced. I'd rate it seven out of ten for cost.

I have previously evaluated SentinelOne before using Microsoft Defender for Endpoint.

I'd advise others to use Microsoft Defender for Endpoint because it's a good solution with many experts behind it. Additionally, it's compatible and easy to use with Windows environments.

I'd rate the solution eight out of ten.

I used MDE to investigate individual alerts. We were able to initiate AV scans on devices from MDE. That was our normal practice as soon as we pulled up an alert. My understanding was that it wouldn't slow down the throughput or the productivity of the endpoint device. We could theoretically isolate the device via MDE.

We also used Cloud App Security, Microsoft Defender for Cloud, and Azure Sentinel. At my last two organizations, they were in the process of moving from Splunk to the Microsoft security suite. It was standard procedure for us to install MDE on Microsoft Defender as the endpoint solution for every device. We didn't have anything on-premises.

I have experience with Microsoft Sentinel. We were transitioning toward using that as our SIEM. They encouraged us to learn the Kusto Query Language, which is extremely useful.

My organization was in the process of using Sentinel to ingest data from their entire ecosystem.

The solution was deployed across multiple departments and multiple locations in North America. It was deployed on a private cloud.

MDE eliminates the need to look at multiple dashboards, given it has only one XDR dashboard. It has a good user interface for looking at campaigns and the big picture as opposed to just one incident. They also have good graphics.

MDE decreased the time it takes to do detection and response. It allows us to quickly look at the timeline and see what caused the alert. In my organization, they wanted to know what caused the alert, not just whether or not it was a false positive. 

If there is malware on a device, they wanted to know how it got there. If there is malware on the device from another device in our environment, that is a huge deal. If someone clicked on something in an email or went to a suspicious website on their own, that is extremely important to determine quickly in our environment. It's very helpful to determine the level of the threat.

The investigation aspect is the most useful. It's user-friendly and has a good user interface. There's a universal search bar at the top of MDE. Plugging in the hostname brings up the page for the host. From there, we can see any alerts and an overview of the host, who it's assigned to, and who is logged into it.

I usually quickly go straight to the alerts tab and start investigating the alerts. It has a really great timeline function on it. It shows everything that occurred on the device and any connections it made on the internet or with other devices on the network. It shows activities like who logged in and who logged off. I could pull all of that through the timeline and figure out what happened and why it happened. The investigative capabilities are really good.

MDE provides pretty good visibility into threats. I would give it an A-. Overall, I was pretty impressed by it.

Sentinel enables us to investigate threats and respond holistically from just one place. Sentinel's security protection is pretty good. We had some alerts that we considered for a potential campaign. There were some instances when we had the AI perform an investigation for us, and it was pretty comprehensive.

MDE helps automate routine tasks. This was at a level higher than mine, but the automation seemed to work well for them. They had some queries and other tasks that they would schedule and set up alerts for.

MDE has also saved us time.

One of our main problems in cybersecurity is dealing with noise. If you look at the logs for any device over a 10-minute period, it's just too much information. The timeline on MDE is very good at whittling down the noise to find the answers to our questions.

I would like MDE to have the ability to isolate a certain amount of time on the timeline. Splunk has a better UI when it comes to isolating a certain amount of time. I need to know exactly what happened two minutes prior to and two minutes after an incident. I don't need to see half an hour's worth of information.

With Splunk, the UI is perfect. With just a couple of clicks of a button, it'll show us 30 seconds prior to and 30 seconds after an incident. The timeline for MDE is more difficult to understand.

After a failed log-in, Splunk shows when the event happened on the timeline down to a thousandth of a second. Theoretically, we could do that with the Kusto language, but that would mean changing the query every time. It's just not as user-friendly as it could be.

I used MDE for two years.

The stability is great.

I used Carbon Black and McAfee ePO in my previous organization, but they were in the process of moving everything to the Microsoft security solution.

Splunk was our main SIEM and alert system. It pulled alerts from different sources. When we received an alert, Splunk would quickly give us basic information, and then we would go straight to MDE. We received a lot more information from MDE's alerts than we did from Splunk.

I didn't spend a lot of time with Splunk. I normally input the hostname of the affected device that triggered the alert. I pulled all of the information from there, like the timeline of the event, the IOCs it had spotted, the name of the alert, and all of the other details. From there, I did a full investigation of the alert through MDE. I was very impressed with MDE. It gives great details, and it's very easy to use.

We didn't have dedicated personnel for any problems. We purchased full support with the license. Setup wasn't flawless, but there weren't any major issues.

I would rate this solution as eight out of ten.

If you have the money for it, I would recommend the Microsoft security solution.

I would recommend a single-vendor strategy if you have the money for it. I believe in defense in depth. Regarding endpoint protection, I think it's better to stick with one vendor. In my previous organization, they had conflicts between MDE and McAfee. McAfee would read MDE as a virus, and MDE would read McAfee as a virus.

The problem with endpoints is that if you have more than one solution, each of those solutions will see the other guy as a virus or potential virus. When it comes to endpoint protection, I would go with a single vendor.

We use Defender for endpoint security, firewall administration, and antivirus. 

From an administrative perspective, Defender provides a single pane of glass for us to look at compliance throughout the company and for the customers we recommended it to. That's probably the most significant piece. The governance and policy features work together for us because we can easily provide the self-attestation that we need for the federal government.

Automation at this point, as I understand, is a lot of one-offs. It depends on the particular console that you're looking at. I'd love to have them integrated. I understand that there's a larger solution for that, but it's challenging to figure out a cost estimate of what it would take to get it up and running. The automations are often tied to the separate Defender products and not always integrated, but we're still shy about buying the larger product and integrating all the logs. 

Defender for Endpoint saves time by making administration more manageable. It's at least four hours per month per administrator. We save money with Defender because it's packaged with other Microsoft solutions. It's $20 to $60 per user annually, depending on the suite you're getting. 

I like that Defender is integrated and doesn't have a third-party payload trying to advertise subscription renewal. I don't get spam because of it. Regarding visibility, no one has their finger in as many operating systems as Microsoft. No one has the platform or deployment profile that Microsoft has. Microsoft can outshine any third-party vendor when it comes to visibility.

The interface isn't necessarily intuitive to a nontechnical person. You can get stuck in the little endpoint security portal. Sometimes, if you uninstall a competitive product, the end user doesn't always know if it's running or if they're protected even though it's silently running. There could be a notification, widget, or something that's resident on the screen for at least a bit, especially if you're doing remote support. You want to talk them through it, but sometimes, we're not allowed to look at the PCs we support.

I'd like them to improve visualizations for people higher up the reporting chain, such as potential purchasers, directors, VPs, and CEOs. They have little time. They want to see red, green, and yellow lights or some other type of visualization. It would be great to have this functionality out of the box without a lot of custom development.

We're learning about the AI Security Co-pilot. I'm unsure how it integrates, but I'd like to see it integrated. I'm an administrator, so I don't look at the logs constantly, but patching is critical. I would love to see the percentage of PCs patched in a given period. Reporting and alerts are crucial issues. When an alert needs to be triggered, we'd love to see some events flush up.

We often have to wait for and do a report until we find what we're looking for. It would be nice to sort of set it and forget it or have a community board of plugins that we could download and say, "Here's the meantime to resolution for x, y, or z policy or some policies that we could potentially integrate.

I have used Defender for Endpoint for seven years. 

I can't think of any ongoing issues that we have other than our own internal minor configuration. I don't know if this is in there, but I would love the ability to see how we're deployed and get recommendations.

Defender is scalable. The solution covers multiple locations and departments. We have about 100,000 end users. The departments vary in size. 

I rate Microsoft support six out of 10. They're responsive and willing to help. I have no problems with their customer service. However, it's sometimes difficult to find a technician that understands your issue. Sometimes, when you try to do self-service with Microsoft, it refers you to a third-party website for support ideas and stuff. That's absolutely bizarre. Why would I trust a third party linked from the Microsoft community forums and things?

Neutral

We were using Norton Antivirus, but we switched because we were familiar with Defender. We had Defender running on our home machines, and we had positive experiences because it didn't noticeably slow our machines. It was fairly intelligent at what it did. Sometimes, you feel a little restricted by a few of the things that it may not have. But in the end, I don't think that we're missing anything that we didn't already have in the product.

Defender is typically bundled with 365 packages that the customers are already buying. We haven't done an in-depth ROI for right. Often, we leave the customer to make those decisions even though we can point to tools like that on the web or allow an analyst tool to do that type of work. 

We looked at Norton, McAfee, and another one that I can't recall. Ultimately, our decision primarily came down to integration into the system. If it's integrated, it isn't overwritten by the security patch, and it doesn't add to the payload we're already sending down to manage the PC. We wouldn't use it if the quality wasn't there, but all else being equal, it's always easier to use an integrated solution from a single vendor.

I rate Microsoft Defender for Endpoint nine out of 10. 

We use it as an antivirus and EDR solution. We also use it for vulnerability scanning and threat hunting.

It is cloud-based. We have a cloud-first strategy when it comes to our organization.

We are a very small, lightweight start-up organization who has only been around for a couple of years. We have 17 endpoints. 

We have it deployed on our endpoints and virtual servers. We have a few Windows Servers 2019, and we have onboarded those both onto Defender for Endpoint as well. Those servers are not managed by MDM because they are Server 2019, but we have onboarded them so they are being managed by Defender for Endpoint as well.

This solution definitely increases our security posture. When you are reviewing your existing fleet or endpoints and based on the configuration that you put out of your Defender for Endpoint, you then receive a security score from Microsoft. Depending on what rules you have configured, what policies you have deployed, and what attack surface reduction rules that you have set up and deployed, it is almost gamifying information security in the sense that you are always trying to achieve a higher score. The more hardening you perform on your endpoints, the better score you receive. This generally tends to give you a better peace of mind, but also makes you secure at the same time.

I like the fact that it is baked into the Microsoft platform. 

Since we have deployed it, we have been really impressed with the way that everything just stitches together really well. You can access all your security data and telemetry from a single pane of glass on the Microsoft Security admin console. You can access all your endpoints, see how your antivirus is running, and get all your vulnerability scans and reports. In the software inventories, you can review your known vulnerabilities and understand whether those are zero days or if there are active threats out in the wild. Essentially, you don't need to jump into different admin consoles. You have everything built into Windows Defender Security Center, which we find really useful.

If you consider our organization, we are a fairly Mac-heavy organization. At the moment, around 80% of our fleet are Mac OSs. We made a conscious decision to roll out Defender for Endpoint against all our endpoints, whether it is Windows or Mac OS. However, one thing that we have noticed is that there is definitely no parity on the platform between the two operating systems. When you are configuring, deploying, and onboarding machines, you can get very granular with your security configuration when you are deploying it to a Windows's endpoint. For Mac OS, it is a lot more straightforward. You don't have the ability to apply as much configuration as you would on Windows. That is definitely something that has room for improvement. 

I am also not sure how well the EDR functionality works on the Mac OS platform. It just provides an antivirus and the full EDR capability is not there on a Mac OS. 

The web filtering needs a little bit of work. We are actually in the market at the moment for a third-party web filter or cloud secure web gateway to try and plug that hole since it is a bit of a pain point for us. I don't think we will use the baked in version from Defender for Endpoint.

On the Mac OS platform, there is no parity between Windows and Mac OS. The solution is very feature-rich and very well-integrated into Windows, and I guess baked into Windows 10 and Windows 11. Whereas, on the Mac OS platform, there is still some work there to give it a more feature-reach platform.

I have been using it for about a year.

With Windows, we have been very happy. We have had no issues or problems whatsoever. We had one issue on the Mac OS platform when an update to Mac OS was deployed. It wasn't a major update, like Monterey. It was a point update. So I think it might have been 12.2.1 where the Defender icon was starting to display across, which means I found a threat or it's not working properly. We had that across a handful of machines. I did a bunch of Google searches and sort of realized this was happening to a lot of other organizations, so it was probably a false positive.

I contacted Microsoft support who confirmed that it was just a visual glitch. I guess Apple is well-known for this. When they do push out their updates, they attempt to break the occasional third-party system. That was the only issue that we have encountered, which was more a visual glitch than an actual threat.

It is pretty much zero-touch because the definitions sort of update themselves. The application updates itself because it is deployed through Microsoft Intune. Therefore, the maintenance is pretty straightforward.

It is very scalable. Because it is cloud-based, it is elastic in its nature. You can onboard machines en masse. Whether you are onboarding 15 machines or 1500 machines, it is very straightforward.

As we scale up, this is now our AV and EDR of choice. Every new machine will be rolled out or onboarded to Defender for Endpoint. We will be sticking with it in the long-term. We have also the logs and telemetry from Defender for Endpoint being ingested into our MDRC platform.

The technical support is very good. Wherever I have worked with them, we have always been enterprise customers. Whenever I have raised a ticket for support, you generally receive a phone call anywhere from 10 minutes to three hours after raising your ticket. Even if it is not a P1, but a P2 or P3 ticket or just a request for information that you have generated in the form of a ticket, they will respond back to you quickly.

They have good levels of escalation. So, if their first line support is unable to help, they can quickly escalate to the second or third line. I have never really had any problems with Microsoft support. That is across Defender for Endpoint and Microsoft Endpoint Manager as well as for the productivity throughout Office 365 and Azure Active Directory.

I would rate them as eight out of 10.

Positive

We currently have an MSP in place, which is a managed service provider, who manages all our IT support, service desk, and desktop support functions. They had already purchased an antivirus subscription for the organization when I joined the organization, and it was a fairly basic one. Our biggest problem was that it does not have any SIEM integration. 

When we decided to go down the route of having a SOC or MDR service, we couldn't ingest the logs from the antivirus platform into their SIEM. That is when the hunt started for a new AV service.

I wouldn't say the user impact has changed on top of the AV product that we had before.

The initial setup was very straightforward. Microsoft, as an organization, is quite well-incentivized to get you to use their own products. There are hoards of material out there via their social media channel, through their own documentation, or the Microsoft Learn platform. There are reams and reams of user guides for you to go through, all of which are fairly straightforward. They are regularly updated as well.

It is all cloud-delivered so there isn't any on-premise infrastructure that I need to maintain, patch, or configure. It is literally all configured in the cloud. So, it was a very easy setup process for me.

It took days to get a proof of concept together on a handful of machines. Over the next few weeks, once we got the go ahead and thought, "You know what? We are going to go with this." It was just a matter of weeks and that was more down to team availability. We needed to sit down and offboard the existing AV, which we weren't particularly happy with, then onboard Defender for Endpoint. So, we tied that project with our MDM rollout. Therefore, while we were deploying our MDM solution and enrolling the device, we were onboarding the machine to Defender for Endpoint as well.

I actually set it all up myself. I am the only technical person at the organization. I have worked with Microsoft quite extensively in the past, and I have used their fast track consultancy services in other organizations that I have worked with as well. Therefore, I am quite confident and familiar with Microsoft technologies. 

We then signed up with an MDR supplier who does managed detection and response. Essentially, that is a team of cybersecurity experts who connect to our infrastructure and all the data telemetry from our endpoints feed up to their platform. If they see any threats, anomalies, or events, they will then jump in, reviewing and remediating as required.

We had a consultancy session with one of their Microsoft consultants around a month ago, where they reviewed the setup that I configured. They put in two or three recommendations to harden the setup a little bit more, but they were overall pretty happy with it. Thus, if I can do it, then it can't be that difficult.

There is less overhead in terms of having the system administrator or information security manager jumping around different systems and trying to actively keep a handle on our security posture across the organization. Instead, everything is right in front of me.

One of the first things that I did when I came onboard in the organization was scrapping our reseller agreement. I registered us as a not-for-profit with Microsoft, and we now get subsidized licensing at effectively half price. It just sort of makes sense for us. Now, we buy our licenses directly from Microsoft rather than our formal license reseller.

Even if you are not registered as a not-for-profit, the offering that they have is definitely worth consideration. This is in the sense that the E5 stack just gives you so many benefits. You get your entire productivity suite through Microsoft 365 apps. You get all your security and identity protection. You get the Defender for Endpoint and Defender for Identity. You get the cloud access security broker as well. You get Azure Active Directory Premium P2, which gives you so many good things that you can configure and deploy. You don't have to configure them on day one, but you have access to so many different tools that will protect your data, security, endpoints, and identities that you could build out a security strategy 18 months long, and slowly work your way through it, based on what you have available to you through your license.

You can purchase some add-ons, like Microsoft Threat Expert team. I have not read too much into that, but my understanding is that comes at an additional cost. Since we have a dedicated MDR and SOC sitting on top of our Defender for Endpoint, it is not something that applies to us anyway.

We are E5 customers. Essentially, we have the flagship license. We looked at a lot of different organizations and vendors for our antivirus needs. We spoke to the usual suspects: CrowdStrike, Sophos, and Darktrace. 

Because we also have a Gartner subscription, we reached out to our Gartner analyst, and said to them, "Look, we have the E5 license and know that Microsoft doesn't have the greatest reputation when it comes to their antivirus products, but we understand they have come on a lot over the last few years. This is the direction that we proceed. We want to deploy Microsoft Defender for Endpoint. We then want to layer an external managed detection response service on top of it that will essentially provide 24/7/365 monitoring for alerts and anomalies." Gartner advised us that it has improved to the point where they are now considered one of the leaders on their magic quadrant, so we should be absolutely fine with it. 

Originally, Microsoft wasn't in mind for us at all. We sort of had our heart set on CrowdStrike because we were really impressed with them. We got quite deep into advanced discussions with them and Darktrace as well.

The deciding factor for going with Microsoft was the budget. We were already paying for the E5 licensing. So, we were allowed to use Defender without any extra costs. We could just enable and configure it. We thought that we would use the budget left over to purchase a dedicated MDR service who would maintain an overall ability for all the endpoints to connect with it. We could also expand that to our Google Cloud Platform as well as our AWS and Azure Cloud environments. We could also extend that service onto our physical appliances, e.g., the logs from our on-premise firewalls, security appliances, and routers.

We felt that in terms of scaling up to get to the security posture that we needed, this might be a better solution for us. Whereas, CrowdStrike and Darktrace, at the time, were more focused on the endpoints. For example, if there was some suspicious behavior happening on our Azure Active Directory and our CEO's user account was under a brute-force attack, then CrowdStrike wouldn't necessarily pick up on such an attack because they are more focused on the endpoint rather than the cloud instances. Thus, we thought Microsoft gave us better coverage overall as well as the fact that we were already licensed for it.

It just made sense for us to go down that direction. We just felt we would have a more well-rounded approach if we went with Defender for Endpoint supported by the MDR service, who would then provide monitoring over all our cloud instances, endpoints, and on-premise infrastructure and appliances.

One of the main benefits is cost. Being an E5 subscriber, we are essentially already paying for Defender for Endpoint. However, it wasn't on our initial list of antivirus solutions when we were going out to market. We really felt that we were going to go for a managed service, such as CrowdStrike or Darktrace. When we decided to go for Defender for Endpoint, we created a cost savings. So, it was easier for us to prove the business case to our senior management.

A good antivirus is something that sort of happily sits in the background and just pretty much does its job until it is needed. It is just sitting there constantly watching and monitoring. Then, if it does need to intervene or remediate against the threat, that is when you know, "My antivirus is happily working." We haven't had many incidents to deal with. To be honest, we have had a couple of false positives. 

Definitely shortlist them in your list when you are out looking for a new vendor. What tends to happen with a lot of IT professionals is that they overlook the Microsoft offering because of the reputation that Microsoft Defender has had in the past, when it came to its consumer version. However, they have spent the last few years completely revamping their security stack. I think it offers a really well-rounded, holistic approach to cybersecurity now. They are definitely worth considering next to CrowdStrike, Sophos, and Darktrace.

A lot of organizations are probably like, "Oh, no, we don't want to get Microsoft. We don't want to get Defender. We want to get an established name," but I think Microsoft has put a lot of effort, budget, and development time into their security stack. It is a great suite. 

As their Azure platform grows, they leverage that to power and drive their Defender for Endpoint. A lot of the protections that they deploy are cloud-delivered platforms. So, they are picking up telemetry from millions of different signals and endpoints. They have so much data and can see trends really quickly.

I would rate them as eight out of 10.

Microsoft Defender for Endpoint can be used for system protection. For example, anti-virus, malware, and EDR.

The most valuable feature of Microsoft Defender for Endpoint is that it is embedded into the Windows system. Additionally, the performance is good and simple to maintain.

Microsoft Defender for Endpoint is secure but when it comes to security all solutions could improve security.

I have been using Microsoft Defender for Endpoint for a couple of years.

Microsoft Defender for Endpoint has been stable in our usage.

We have more than 5,000 users using this solution.

We are quite satisfied with the support.

We use many solutions in our company, such as Panda, Trend Micro, McAfee, Microsoft, and FireEye.

There is no installation required.

We have a five-person technical team that supports this solution.

The solutions price could be cheaper.

I recommend this solution to others.

I rate Microsoft Defender for Endpoint an eight out of ten.

We utilize Microsoft Defender for Endpoint as our EDR solution, which stands for endpoint detection and response. Through this solution, devices are integrated. If new vulnerabilities or novel attacks emerge, Defender for Endpoint promptly identifies them. It serves as our primary EDR solution amidst the variety available in the market.

The current surge in Defender for Endpoint's popularity is attributed to its real-time detection capabilities. Additionally, we can execute SOAR actions, namely security orchestration response. For instance, if we need to isolate a device from the network or run an antivirus scan on a machine, Defender for Endpoint facilitates these tasks.

Consider a scenario where one of the devices becomes compromised. During the investigation, if a malicious IP address is identified, it can be blocked using Defender for Endpoint.

Microsoft Defender for Endpoint offers excellent visibility. We can observe all the details regarding the attack process, such as the type of activity that occurred, including the entire MITRE ATT&CK framework. This enables us to view the initial actions, the device involved, the IP address used, and the extent of the impact on users and devices all through a single interface.

Microsoft Defender for Endpoint definitely assists us in prioritizing threats throughout our enterprise. Based on the signatures, the alert categories are related to high severity, medium severity, and low severity. Therefore, we can determine which alerts require our focus and prioritize them accordingly.

I am currently the Subject Matter Expert for Microsoft within my organization. This encompasses the entire Microsoft security suite. I specialized in working with Microsoft Sentinel. In the past, I was a part of the Microsoft Sentinel team itself, back in 2017 when Sentinel was in its pilot version, known as Azure Security Insights. 

It's very easy to integrate the Microsoft solutions. We have data connectors and APIs readily available. There are no difficulties. If we teach an unfamiliar person for a week how to use Defender for Endpoint and Microsoft Sentinel, they can likely gain insight into the basics of integrating Defender for Endpoint, Microsoft Sentinel, Defender for Identity, or Defender for Cloud Apps.

These solutions work natively together to deliver coordinated detection responses across our environment. When an incident is detected in Microsoft Defender for Endpoint, the same incident will be captured in Microsoft Sentinel within a few minutes. The integration capabilities with both Microsoft and third-party solutions are valuable.

The comprehensiveness of threat protection provided by these Microsoft security solutions is combined into a single interface. We can access all necessary features from one place. The combined solutions offer us User and Entity Behavior Analytics, Endpoint Detection and Response, on-premises, and cloud application security. While no single product can handle everything independently, by implementing basic security practices across all Microsoft products, we achieve a comprehensive threat detection system.

The bi-directional sync capability is a feature that allows us to enable safe devices in both Defender for Cloud and Defender for Endpoint.

Sentinel allows us to ingest data from across our entire ecosystem. If we are utilizing third-party firewalls or other products, we can employ APIs to integrate those solutions with Sentinel.

Sentinel allows us to examine threats and respond comprehensively from a single location. Within this location, we can utilize SOAR playbooks to accomplish different tasks, such as blocking all compromised email sign-in sessions with just one click.

Sentinel is a comprehensive security product, owing to its integrated SOAR, UEBA, and threat intelligence capabilities. UEBA employs built-in machine learning to identify users with high, medium, and low-risk profiles. The user interface also includes a feature that enables us to log out of the user. Threat intelligence has the ability to assimilate all access information from third-party solutions and identify threats originating from the internet. Sentinel consistently operates proactively to prevent compromises. 

I used to utilize Splunk back in 2015, but I have recently transitioned into being a Microsoft security advocate due to the cost optimization benefits. Microsoft Sentinel's pricing is based on the data we ingest. We have the flexibility to choose different models, such as the pay-as-you-go model or the bandwidth model. For instance, if we ingest 500 GB of EPS, we will incur charges for that usage; however, a 20 percent discount is applicable in this scenario. The pricing is directly linked to the amount of data we ingest, which is advantageous. I prefer not to ingest certain security events that are intended for operational purposes. By excluding these events, I can effectively reduce the overall cost of using Microsoft Sentinel. Additionally, being a cloud-native tool eliminates the need for any physical hardware. With just one click, the entire installation process is completed.

There are three ways Microsoft Defender for Endpoint has benefited our organization. The primary advantage is the optimization of our organization's scanning process. We have established a bi-weekly scanning process that runs at midnight, encompassing all machines. This stands as the foremost enhancement. The second advantage revolves around obtaining visibility into vulnerabilities within our environment. Considering our role as an MSSP, responsible for managing over 25 clients, this visibility holds paramount importance. Within Defender, a particularly noteworthy feature is the enabled management. This provides us with the latest information regarding vulnerabilities within Microsoft products as well as third-party software. The third and final advantage pertains to responding to emerging threats. For instance, in the case of a new attack, such as the recent CVE 3688, which targets a Microsoft Office vulnerability, including a zero-day exploit lacking an available solution, our Microsoft-oriented threat intelligence block comes into play. Through custom query languages deployed within Defender, we have the capability to identify anomalous activities. Additionally, this third point ties in with the Application Guard rules. These rules have proven instrumental in proactively preventing ransomware attacks. They operate by automatically obstructing any suspicious processes occurring within the Office environment.

Defender for Endpoint assists in automating routine tasks and identifying high-value alerts. We have APIs established, allowing us to develop our own dashboards using the Defender for Endpoint APIs. For instance, we can utilize Power BI to generate a security report, providing a comprehensive overview of the organization's internal activities.

It has eliminated the necessity for multiple dashboards. This pertains to the MXDR dashboard, which stands for Microsoft Extended Detection Dashboard, as well as the Detection Response Dashboard. Essentially, we have consolidated these into a single comprehensive dashboard, developed entirely by Microsoft. This unified dashboard streamlines the process of accessing organizational insights. As a result, there's no longer a need to access different security products to view their respective dashboards. Within Defender for Endpoint itself, we offer an array of security reports, all conveniently accessible with just one click. For those who may not find the reports relevant, we also provide the option to utilize our in-house developers for Power BI integration. This entails having a centralized dashboard where data from all products is collected and displayed in one location, facilitating a holistic view of security reports.

The integration into a single dashboard has simplified our security operations. Previously, our team had to perform numerous manual tasks for all customers. Therefore, with automation, when we present the report to the customers, they are quite impressed with having everything in one place. 

Microsoft Defender for Endpoints' threat intelligence assists us in preparing for potential threats before they materialize, enabling us to take proactive measures. We identify these proactive threats due to the presence of a threat entry system. If any IOCs are obtained, they are undoubtedly identified by Microsoft Sentinel. Moreover, we have set up indicators ingestion for Defender for Endpoint. This process involves creating steps to acquire data from third-party sources and directly inputting it into Defender for Endpoint. Since Defender for Endpoint has a capacity limit of 15,000 indicators of compromise, we can only ingest data up to this extent. Any surplus data will be automatically removed, provided their IOC scores fall below 60 within a month. Consequently, new IOCs will replace the removed ones.

It has saved our organization around 30 percent of our time in terms of not having to worry about malware. When any malware does get in, it is automatically remediated. Now, the main portion of our time is dedicated to conducting in-depth investigations and identifying other occurrences.

We have cut our organization's costs in half compared to our previous solutions. This is mainly due to the automation of most tasks, which means we now only need ten people to manage 20 customers, a significant reduction from the 30 engineers we needed before.

Microsoft Defender for Endpoint has significantly reduced our time for detection and response. Our Service Level Agreement entails detecting issues within 15 minutes and responding within 30 minutes. Defender for Endpoint has greatly contributed to these time savings. The incidents that we used to address using Splunk required extensive coordination within our team and with our customers, leading to substantial time consumption. Previously, resolving a single incident took around 40 minutes. Presently, this process takes approximately 15 minutes.

The most valuable feature is the timeline, which allows us to view the details of an event 30 minutes before and after.

Forensic investigation is a valuable feature of Defender for Endpoint.

We can run the virus scan across our entire environment.

We can block suspicious URLs and quarantine malicious files within the Defender for Endpoint portal.

Some of the integrations that Defender should include involve the use of the web app. Utilizing the web app implies that the Defender API should be accessible through mobile devices as well. For instance, if there exists a mobile application, it would be beneficial. Let's imagine a scenario where I'm traveling and I receive a new alert. With a Defender mobile application, I could easily isolate the threat, conduct an investigation on my mobile device, or even automatically escalate or assign the alert to my engineers.

There are certain third-party apps that haven't been integrated with Defender. I would be delighted to witness the integration of those apps with Defender for Endpoint. 

The deployment of Defender for Endpoint should be made smoother via Intune.

I have been using Microsoft Defender for Endpoint for five years.

Microsoft Defender for Endpoint is stable.

Microsoft Defender for Endpoint is scalable.

The technical support is fine but it takes time to reach them.

Neutral

We previously used Splunk but switched to Microsoft Defender for Endpoint because of the cost and smoother operation.

With the proper training, the initial setup is straightforward.

When conducting customer onboarding, the deployment will require a minimum of three days. Therefore, we must ensure everything is executed flawlessly and follow security best practices. Emphasizing precise deployment is crucial. Hence, deploying without careful planning is not an option, aiming to prevent any issues in a larger environment. In contrast, a smaller environment can be deployed within two days.

For a large organization with over 5,000 employees, a team of up to six people is required for the deployment.

We are achieving a 15 percent return on investment, which is contributing to the growth and impact of our company.

If we are acquiring everything in a single place, the front end becomes cost-effective. We won't need to purchase five separate products for various tasks. Instead, it's one product designed for five tasks, which is certainly a cost-effective approach.

I rate Microsoft Defender for Endpoint an eight out of ten.

We also utilize Defender for Cloud. Defender for Cloud is employed specifically for the Azure product. If we have servers deployed within Azure, the system handles alerting, traceability, and security. Therefore, we certainly use it.

We have three locations where Microsoft Defender for Endpoint is deployed. One is in Australia, another is in Qatar, and the third is in India. Consequently, we employ approximately two hundred personnel.

No maintenance is required for Defender for Endpoint on the customer's end.

A single-vendor security solution approach is better than a best-of-breed strategy. We all are using Microsoft laptops and OS.

I recommend completing a POC before adapting Microsoft Defender for Endpoint.

The solution can be used on everything. It can be used on the cloud. You can also use it for on-premises devices, from servers to laptops. It's a pretty good solution to manage devices and servers.

Usually, our clients have an on-premises infrastructure and they want to start working in the cloud, especially in Azure. We use Microsoft Defender to manage on-premises devices from Azure. Especially over the last two years, a lot of companies have wanted to focus more on their own business and that's why they have us manage their IT security.

The main goal of using Defender for our clients is to do vulnerability scanning and to be aware of any possible security breaches in their infrastructure.

Microsoft Defender is totally integrated with Microsoft 365 Azure. For example, years ago a software company that was working on-premises with Microsoft products came to us. They asked us to help them connect to Azure because with Azure, they could, of course, run their core business, but it would also help them create more value in the market. Microsoft Defender is the best way to manage on-premises devices, but also devices on the cloud.

It also helps us to prioritize threats.

In addition, the solution gives us a single dashboard that we can customize. When our security operators start their day, they look at the dashboard information. If there is a big issue, they automatically get the information. They can send an email to the team involved. The dashboard helps the security team, day-to-day, to ensure everything is secure for the client. The dashboard is really important.

And overall, the solution has saved us 50 percent of our time. It also saves us money because it prevents ransomware and web application attacks every day. Currently, with the war in Ukraine, because I work in Europe, hackers are trying to hack into enterprises, and that's another reason it's really important to have this kind of solution.

It may be saving us 30 percent, in terms of money, because once you have the system in place, you can avoid a lot of attacks and keep secret information away from hackers. When we talk about security, we're also talking about the reputation of the company. Using this kind of solution helps our clients not to lose money through a loss of reputation.

In terms of time to respond, someone who is working every day on the security operation team, can respond correctly within five minutes, to be conservative, to a problem they receive from the scanning done by Defender. It has decreased that time by about 20 percent, although keep in mind that I am a security architect and not part of the operations team.

The scanning part is one of the most valuable features with the automation of vulnerability scanning. That's why we use Defender. It gives us a lot of information on how to improve security.

There are some competitive products on the market, but the best is Microsoft Defender because it's very easy to integrate. That's one reason a lot of clients want Microsoft Defender.

It's also very easy to implement compared to other solutions.

Regarding other Microsoft solutions, about half of our clients take Sentinel, while 90 percent take Defender. They are very easy to integrate. That's one of the reasons, for me, that Microsoft is the best on the market. And in reviews about the best tools on the market, everybody agrees that Sentinel is the best on the market in the security area. When you work with Sentinel, it's easy to work with the Microsoft suite of products. It's easy to integrate every product from Microsoft.

We also use Microsoft Defender for Cloud's bidirectional sync capabilities. For security, they allow us to get all the information we need on time.

After scanning, there are false positives so sometimes you need to manage the results.

Also, we would like to see more tools for managing on-premises security. A lot of companies have their own on-premises infrastructure and want to move to the cloud. Sometimes, we have the tools, like Defender, to manage security in the cloud, but because we are so focused on the cloud, we forget the fact that we need to be sure about the security of the on-premises environment, specifically Active Directory. I know it's tricky, but I'd like to see them add some tools for a really good dashboard to introduce the fact that we also need to be careful about on-premises.

A lot of companies have their Active Directory on an on-premises physical server. When they start the journey of moving to the cloud, especially to Azure, they use Microsoft Defender to do device management, especially servers and computers. But to improve security monitoring it would help if we could monitor on-premises, especially identity. Usually, when hackers hack into an environment, they use tools to get the identity of a person. If we had tools to integrate with Defender, it would help improve security.

I have been working with Microsoft Defender for two years.

It's a stable solution.

It's also a scalable solution.

About 90 percent of our clients have deployments in multiple locations because they are usually multi-national, and that's why it sometimes takes more time to do the implementation.

The technical support of Microsoft is good.

Positive

I have always used Microsoft solutions.

The deployment is straightforward. The amount of time it takes depends on the configuration the client wants, but it's easy enough to deploy. 

If we need to implement it for a client with 2,000 devices, it takes more time. Just the implementation, for me, takes 20 minutes, but after that we have to implement configuration on the cloud, and that is totally different.

If it's a big company, it could take three months, because we have to do discovery. We have a lot of clients that use customized containers and customized Linux servers, and that's where we have to be sure we do the implementation the right way.

Usually, when working with clients and proposing different solutions, they prefer to work with Microsoft Defender because it is integrated. And when you talk about the price, it's really perfect, compared to other advanced threat-scanning products on the market. Overall, 90 percent choose Microsoft Defender because it's great and very easy to put in place. You don't need to install an extra service or do a big design. You pay for the licenses and that's it.

If you're considering working with Microsoft Defender, the first thing you need to do is an inventory of the infrastructure. We need to know what the client has: how many Windows Servers, how many Linux servers, and how much content. And then you need to know what you want to do with the devices. Some devices are not supported anymore. We need to know which devices the client wants to be covered by Defender.

A lot of times, we want to work with Sentinel because it's the best on the market. But Sentinel is more tricky to put that in place. But when you advise a client on security, of course, you propose a lot of solutions, including Defender and Sentinel. You propose the best on the market to improve their security.

Usually, they go for Microsoft Defender, but for Sentinel, sometimes it takes time. They say to us, "We don't have the money right now, let's wait two years." On many of my projects, my clients have already worked in the cloud and they want to start working with Azure. That's why Microsoft Defender is a good tool to implement. There are times we advise the client about Sentinel but they already have a SIEM solution like Splunk.

Defender for Endpoint does not help us automate routine tasks right now because it's extra work. I know we could put that in place, but often, when we start working with a client in the cloud, we spend a lot of money on that. I know, in the day-to-day operations of the security teams of our clients, they have so much to do and it would be really good to implement automation. We propose it to our clients, but it's up to them to decide if they want to do it.

The threat intelligence can help prepare for potential threats before they hit, but this is also something we need to talk to the client about. Sometimes, it's not in our hands. We can propose things to the client, but they have to choose. So far, after proposing these kinds of things to clients, I haven't received their agreement. This part of the solution is really interesting, but it can also be expensive for some clients. It depends on their budget.

And in terms of using multiple vendors for security or a single-vendor security suite, in my current company, we generally advise our clients to have different vendors, but it depends on the client. I, myself, am not a risky guy. But a lot of our clients have Microsoft products, and we'll advise them to use Microsoft products. You don't want to go to war with your client.

Sometimes, they want to work with a lot of different products, but when you try to do that it can be really expensive because you need to work on the connections between them. I usually advise Microsoft because it's very easy and a lot of clients already have Windows Servers, et cetera. It really depends on each case. It depends on who is paying, who is asking, and what they want.

What I found most valuable in Microsoft Defender for Endpoint is that it's out-of-the-box, which brings more value to the customer. The technical support for the product is also one of the best parts, because it's good, in terms of the product knowledge of the technical engineers.

In Microsoft Defender for Endpoint, the devices still need to mature a little more when compared to other AV solutions. Microsoft Defender for Endpoint is not as robust, and you cannot customize it much, so that's a challenge. These are the rooms for improvement in the product.

Microsoft Defender for Endpoint is still being improved. I would say it's still in the development stage. Daily, Microsoft is getting feedback from the customers, so they are modifying the product based on the feedback and requirements of the customers. It's an ongoing process, and as a consultant, I'm in a much better shape, from a consultant point of view, in terms of speaking with customers.

What I'd like to see in the next release of Microsoft Defender for Endpoint is a single console where you can manage all the policies, Intune, and the EDR capability that can be managed through Intune. There should be a single portal for that to make it more convenient for the security consultant engineer to work with. Right now, I have to hop between different controls. Even the tenant attach feature needs to become more mature in Microsoft Defender for Endpoint because it's just very basic. The concept is good, but it's very basic, so it requires more effort for the engineer to configure.

I've been dealing with Microsoft Defender for Endpoint since 2018.

Microsoft Defender for Endpoint is a stable product.

Microsoft Defender for Endpoint is a cloud solution, so it's always scalable.

Technical support for Microsoft Defender for Endpoint is good, and it's the best part. Microsoft knows that the product needs some development, so they're working on improvements, but all the technical engineers I've worked with so far are very technically sound and they know the product.

The initial setup for Microsoft Defender for Endpoint is straightforward, if you are aware or have knowledge of it. For example, it's easy if you have gone through all the phases of setting up Microsoft Defender for Endpoint when it started as a manual deployment, manual configuration, then it came through GTO, then SSCM, then Intune, and now SMM. If you have gone through all the phases of deployment, then you know where you need to go and where to change the settings.

If you just started with Intune, or you're dealing with a combination of Intune and a firewall, the initial setup won't be as easy. It could be challenging for a newcomer, because you do not have much experience with Microsoft Defender for Endpoint, but they'll give you good support, and they'll try to resolve the challenges that come up when setting up the solution.

Pricing for Microsoft Defender for Endpoint is competitive. Out of the bundle, you will get a lot of security, if I talk about Microsoft E5, for example, and get a lot of benefits. If the customer goes and purchases a different solution, it will cost more, so pricing for Microsoft Defender for Endpoint is quite reasonable at the moment. There isn't any challenge in terms of pricing, for example, I didn't see a customer who pulled back because of the price. Some prices could be negotiable, and sometimes, as a sales point, the two become negotiable, but they don't bill one and pull back because of the pricing. If you have an E5 license, you get everything.

Customers don't worry about the prices too much, because what they're a little bit worried about is the complete capability of Microsoft Defender for Endpoint in the endpoint security space when compared to other legacy solutions such as McAfee Endpoint Security and Symantec End-User Endpoint Security that are quite mature enough in this market, as seen on Gartner. Sometimes the customer is reluctant to move to Microsoft Defender for Endpoint, but not because of its price. I didn't have customers who questioned the pricing for the solution.

I'm currently working with all these solutions: McAfee Endpoint Security, Symantec End-User Endpoint Security, and Microsoft Defender for Endpoint, because I'm a consultant. I'm not a customer. I do use it, and the organization I'm in uses it, but I'm a consultant to the customer. I do pre-sales and look into any of the technical aspects of Microsoft Defender for Endpoint.

In terms of comparing Symantec End-User Endpoint Security with Microsoft Defender for Endpoint, they both work, but in different ways and they have different approaches. Microsoft Defender for Endpoint doesn't have HIPS, while Symantec End-User Endpoint Security has HIPS. Microsoft Defender for Endpoint has ASR rules which are compulsory, but there are some activities that Microsoft Defender for Endpoint can't do in an environment, particularly if it is an air-gapped network. In an air-gapped network, which is very secure, my team can't open the internet, and Microsoft Defender for Endpoint fails in that, despite being an EDR solution, because it's cloud-based and it doesn't work there. Microsoft still doesn't have any solution for mitigating the air-gapped network.

My advice to people looking into implementing Microsoft Defender for Endpoint is to do it very fast because the tool is changing very rapidly, so if you are a novice and you are just learning, what you learn might get changed in the next quarter. Some of the functionality might get changed, so you need to keep up with the changes, and you need to learn quickly and implement Microsoft Defender for Endpoint fast.

My rating for Microsoft Defender for Endpoint is seven out of ten.