Microsoft Defender for Endpoint Reviews

It is mainly utilized for telemetry collection and correlating specific behaviors or reactions to TTPs, IOCs, or indications of compromise. It is used for getting that level of detail. 

It is good for attack surface reduction, which is how you harden your endpoint so that they're less likely to be infiltrated or compromised if you have an operative in your environment. So, it's mainly used for reducing the opportunity for someone to compromise the system but also for rapid detection when that occurs.

Coming from an organization where the EDR wasn't strong, it has always been a case of basically searching through the information you already have and looking for something. It was basically trying to find the needle in a haystack. What the Defender platform does is that it reduces the size of the haystack, and it'll say that the needle is over here. Minutes matter, and it certainly zeros you in on the events that are concerning. It also simplifies the effort of trying to get some kind of correlation of behaviors or actions you see in the environment and confirming if something is benign or a threat.

Something that is unique to Microsoft is its licensing model. When you go out and you buy McAfee or Symantec, you know what you're getting out of the box, but with Microsoft, often, when you're looking to achieve a certain set of capabilities, those capabilities are spread across different products. You might try to do something you could do with CrowdStrike, but then find out that you also need to purchase Microsoft Defender for Identity or Microsoft Defender for Azure. You realize that when they talk about what they can offer within the Microsoft platform, it's really the suite of investments. So, sometimes, you may find yourself buying Defender for Endpoint thinking that it matches CrowdStrike, but then you find that Microsoft really needs to sell you something else. One plus one will equal three, but when you have a very concise platform, such as CrowdStrike, you know what you're going to get.

The other consideration is that because it's Windows native capability, your capabilities are largely influenced by what version of OS you're running. For a small-medium business, it is not a big deal, but at an enterprise scale, there are always Server 2000, Server 2003, Server 2008, Server 2012, Server 2016, Server 2019, and so on. So, you're talking about having six or seven different versions where your capabilities are not consistent between 2003 and 2019. It's like asking how robust was security in Windows 2000 versus Windows 2010. You'd say that they're not even the same OS from a security perspective, and that's crazy. When you buy CrowdStrike, you're deploying an agent, and so you get a fairly consistent set of capabilities that are agnostic to the OS version, whereas, with Microsoft, the capabilities are largely influenced by the OS version. For an enterprise, being up to date is a very big consideration to be successful with the platform. So, it forces your platform to not lag behind. You can't have the old server versions and expect that you've got a robust EDR. Defender shines on Server 2016 and higher, but if you were to do some type of penetration or red teaming exercise on a 2003 server, you'd be better off with CrowdStrike or pretty much anything else.

We've been piloting it for the last six months, and this is what we have selected to implement.

There are no scalability constraints because it's all in the cloud. It's a SaaS. So, they can take on more PCs than any Fortune 500 would even have. The only constraint is that in terms of scaling, the strength of the platform is highly influenced by the OS version. If you were largely using Windows XP and Server 2003, you would not want to choose Microsoft Defender as your suite.

It is fantastic, but sometimes, it could be challenging to navigate. If you buy something like a Carbon Black or a CrowdStrike, you normally have one sales rep and one sales engineer, and depending on the level of support you pay for, you may get premium or platinum support, which means you have a very concise escalation path. With Microsoft, there are 20 different account reps. There is a productivity suite guy. There is a security guy. There are so many different places, which can create some confusion at times, but there is no lack of resources. If you have an issue, there are so many Microsoft employees and reps who are engaged at the enterprise level that once you figure out who to speak to, you get traction pretty quick. So, in summary, because there are a lot more people, their support is really great, but sometimes, having a lot more people can also create confusion in terms of where to go.

It is easy. It is native. They're literally like checkboxes. There is really nothing to package and deploy. If you're at a current version, it is a policy. You just turn on the policy. You go through the setup of installing McAfee on your home computer with next, next, next, and finish, or Microsoft will say, "Hey, we noticed you don't have an AV. Do you want to enable Microsoft or Windows Defender?" You say yes, and you slide the box from off to on, and you're now protected. It is like that. It couldn't be easier. There are things like firewall rules and network considerations that have to happen, but from an enablement perspective, because it is native, it really reduces the burden of onboarding the platform.

We didn't go through a real comprehensive analysis when we made the selection. We did some light touching, but we really did not do some comprehensive analysis between Microsoft and CrowdStrike. 

At an enterprise level, a lot of the stuff is based on relationships. It's not like you're starting from a green field. You look at who is your strategic vendor and who is not. With Microsoft specifically, you always get bundle deals towards your renewals. It's always like if you buy more Office 365, we can give you a discount on Defender and things like that. If you don't have a relationship with CrowdStrike or someone else, it is hard for their rep to speak to your CEO or your CSO, but Microsoft does. They've already got standing monthly meetings with them. So, we've made a determination to go with Microsoft because:

1. The technology is compelling.
2. It is a strategic fit for us. 

I would rate it a nine out of 10.

Initially, I was running a different endpoint security program but it did not have a dashboard that met my needs. It would only do on-premises. If laptops, desktops, or VDIs were remote, such as people working from home or in a different office, my VDIs—which are really just on-premises but they're in a separate subnet in VMware, Windows 10, Windows 7, Windows 11, 2008, all the way up to 2022—I could only get the servers that were on-prem. That solution had a management console but there was no integrated console within Microsoft so that I could cover all bases. I deployed Defender for Endpoint and now I'm able to see them in there. For some, I've still got the old AMP on them, but Defender will run in passive mode and let AMP run and report to its own console.

The reason I don't want to run AMP, primarily, is that it's a resource hog. Defender for Endpoint integrates it and automatically comes with the Windows operating system or Windows Server Desktop. Plus I can use Defender for IoT and see, on my network—which is a home lab company—my routers, my switches, and, believe it or not, my televisions and refrigerators; the IoT devices that I might have on my network. And that integrates into Defender for Endpoint.

And with Sentinel, I'm hoping to pull that into logs that I have for my cloud-based and on-premises-based servers so I have one pane of glass that will alert me if something is going on. It will correlate those logs from Defender on every endpoint and put them into one incident if there are alerts to be had.

It probably could help me prepare for potential threats before they hit. The nice thing about it is that it has filtering. I can filter on different logs and say, "I'm looking for this user and every place he ever logged into. I can filter on his name and the scope of the machines I'm looking at. If there's a bad actor, a different version of software, I can pull that up. It has simple filtering and advanced filters, which really help out a lot. It does speed things up.

I rely a lot on Defender for Endpoint to find a lot of stuff for me. With Microsoft knowing about a threat in the wild, something that hasn't hit me yet but it's out there and I'm vulnerable to it, it will detect those vulnerable systems for me. I rely on that to patch or update that operating system.

When you install an OS, it could be a year old, it could be brand-new, or it could be five years old and it's not patched and updated. Sometimes there are apps on it, from Google or Adobe for example. This will tell me that my Adobe Acrobat has so many vulnerabilities and that I need to bring it up to this date because I've got 13 vulnerabilities that could be hacked. I rely on it quite a bit to pull those notices together and alert me on what needs to be updated. I don't have to actually hunt for a lot of it. It does the hunting for me automatically.

The features I found to be most valuable in Defender for Endpoint are its alerting, policies, and threat-hunting.

For threat-hunting, I'll put some threats in a test scenario. I've downloaded known viruses that are out in the public for testing. They're not really a virus but they've got a signature. Defender for Endpoint will automatically find those, quarantine them for me, and alert me to what it did. It gives me "automated eyes."

A lot of it is hands-off. It just deploys and it updates by itself. With other applications, like McAfee or AMP, I'll have to download a new version and make sure that the signatures were applied. With Defender, one of the things I like is that it has automatic updates.

And Defender has other integrations with Microsoft that are of benefit. It will tell me that certificates are out of date for my certificate server; I've deployed certificates to my laptops or VDIs or servers or switches. There's an automation routine that I can kick in using KQL—Kustom Query Language—so that it automatically remediates the issues that it finds.

And the visibility into threats that Defender for Endpoint provides is fantastic. Since it is a Microsoft product, and they have it deployed worldwide, they pull over a couple of trillion data points a day from other companies and countries. They've got teams of security analysts or researchers who are constantly updating these and they feed me that information. I'll know about a threat that might be down the road or I might be susceptible to, something that I could patch. It tells me if there is a known fix or if there isn't, in which case I might have to go in a different direction. It's the might behind Microsoft. It pulls in all that information so everybody else can see it.

In addition, with the data connectors for Azure or containers or even M365, threats are automatically classified as high, medium, low, or informational. If they're not classified, I can classify them myself or set a priority on them as to whether they need to be looked at right away, whether they're active or in process or resolved.

Microsoft security products provide a little more comprehensive protection than some of the other offerings. One great thing about it is that it's part of the operating system and it's already turned on when you deploy the OS.

But if you do have a third party, like AMP or McAfee for example, Defender will run in passive mode. That means it's not constantly doing a scan, virus check, or malware check. Still, if you open an email, write a document, or load a USB key to copy files, it would scan in all those situations. But in passive mode, it scans once a day, I believe. It does a device discovery and it will tell you, "We found this software, we found these documents, you did have malware or a virus and it has been quarantined." And that's in passive mode.

If you put it in active mode, without the third-party virus and malware checkers, Defender for Endpoint will give you a software inventory and a timeline of every key that was clicked in case you had a bad actor that infiltrated your network or your machine. If an employee went to a rogue support site and downloaded some software, and let somebody in, it would alert me through UEBA: "There is unique behavior that we don't normally see from this person. They don't normally access this site. The alert would tell me which site had been accessed and that software had been downloaded. It would tell me the time it was installed and what it did—every keystroke. That's with Defender for Endpoint being active.

In active mode, it's great that it gives you so much information, but it does record every keystroke so you have a lot of logs. For my home business, I had to turn off quite a bit because the data that it does gather is every event and activity that happens on a server or laptop. For my little testing scenario, it was overwhelming.

I know what I have on my machines so that amount of data logging started to add up in the cost. That's the only downside to Sentinel and Defender that I can see so far: You have to log and store that data somewhere, and it normally stores it in the cloud, unless you have an on-premises SIEM that you can download those logs into directly and store things on your own hard drives.

I had a $200 credit with Microsoft Azure and I didn't pay attention to it and it ate up $179 of that credit in the first two days because I had Defender for Endpoint check DNS to make sure that I wasn't getting spoofed or targeted.

You have to keep an eye on the Sentinel and Defender for Endpoint storage.

I have been using Defender for Endpoint since about November, so about three months.

It's pretty stable.

With a browser or web-based system, it might confuse things, saying, "You don't have access," because you should have logged in with your admin credentials but you logged in with your standard user credentials because you are on the same desktop.

For my home business I just have basic support. I submit a ticket and they get back to me in a couple of days.

Positive

My company isn't off the ground yet, it's basically going to be a family medical practice run by my wife and me. I'm an IT guy and she's a nurse practitioner and, eventually, she wants to work for herself. I'm doing the background and since I do use it for my regular job, I'm doing this on my own labs as well with trial software or things I've bought subscriptions for. I've bought Microsoft E5 so a lot of it is out-of-pocket and on a shoestring budget.

The nice thing about Defender and Sentinel is that the cost is based on the data logs that you ingest from the Defender endpoints and data connectors. I don't have to buy a 25- or 50- or 1,000-user or enterprise license. I can buy one license at a time. For small mom-and-pop shops, that's very important. A lot of startups don't have that kind of budget for enterprise-wide scalability, especially when they don't have many devices in the first place.

Defender for IoT is an add-on to Defender for Endpoint. It's there, but you have to onboard it. I don't really have enough devices, other than my home base, but in a regular business it would find all the switches, routers, security cameras, monitors, printers, modems, and anything else you have attached. With Defender for Endpoint, you need to have an operating system—Linux, Windows, et cetera—to deploy it.

A refrigerator or a camera or a security device doesn't really have a Windows-based operating system on which to deploy the agent. So IoT, within Defender, will scan those devices, find them, and let you know that it found them. It does that out-of-the-box with Defender for Endpoint. If you want to see the actual operating system of IoT devices and get alerts that something is out of date or has vulnerabilities, you have to get a subscription to IoT, which I hope to do.

There's a lot to learn when it comes to using Defender for Endpoint to automate routine tasks and find high-value alerts. KQL is a structured query language for hunting. If I have data ingestion from M365 logs, Defender for Containers, Defender for Storage, and AWS, Defender for Endpoint or Sentinel will allow me to hook up connectors to pull all of those logs into a "master database" with different tables that contain those logs. There are routines that are already written that say, "If you're looking for this type of an event that started with this application that went to a SQL server that was stored on this server that was accessed from a laptop where the guy went through a browser and went to this particular rogue network," and they access all those tables in that master database.

KQL allows me to tap into each of those different tables and correlate like events or like data, and pull it all into an alert or a threat hunt. It's something to master. It's sort of like regular SQL, but there are a lot of tables and schemas and you have to know what the tables and headers and columns and fields are, and then the syntax. It does threat-hunting really well with the canned queries that it has. But if you're looking for something in particular, you need to learn KQL. A SQL Server database admin would know SQL and how to pull data out of tables and do joins, commits, and transaction rollbacks. KQL is on that same level where you have to be an expert in KQL to actually pull all that stuff together. It's quite the learning curve, but there are courses out there that teach you.

I've been doing systems administration and engineering server admin things for quite some time, a couple of decades since Windows came out, and a little bit before that. But jumping over into the security space for my home business, and putting all these things together with Defender and Sentinel, has been a learning curve. It has slowed me down a little bit. A while back, security was always an issue for security teams. Now that I'm working on my own company, I'm a one-man show. But at the same time, I know there are a lot of bad actors out there.

The solution can be used on everything. It can be used on the cloud. You can also use it for on-premises devices, from servers to laptops. It's a pretty good solution to manage devices and servers.

Usually, our clients have an on-premises infrastructure and they want to start working in the cloud, especially in Azure. We use Microsoft Defender to manage on-premises devices from Azure. Especially over the last two years, a lot of companies have wanted to focus more on their own business and that's why they have us manage their IT security.

The main goal of using Defender for our clients is to do vulnerability scanning and to be aware of any possible security breaches in their infrastructure.

Microsoft Defender is totally integrated with Microsoft 365 Azure. For example, years ago a software company that was working on-premises with Microsoft products came to us. They asked us to help them connect to Azure because with Azure, they could, of course, run their core business, but it would also help them create more value in the market. Microsoft Defender is the best way to manage on-premises devices, but also devices on the cloud.

It also helps us to prioritize threats.

In addition, the solution gives us a single dashboard that we can customize. When our security operators start their day, they look at the dashboard information. If there is a big issue, they automatically get the information. They can send an email to the team involved. The dashboard helps the security team, day-to-day, to ensure everything is secure for the client. The dashboard is really important.

And overall, the solution has saved us 50 percent of our time. It also saves us money because it prevents ransomware and web application attacks every day. Currently, with the war in Ukraine, because I work in Europe, hackers are trying to hack into enterprises, and that's another reason it's really important to have this kind of solution.

It may be saving us 30 percent, in terms of money, because once you have the system in place, you can avoid a lot of attacks and keep secret information away from hackers. When we talk about security, we're also talking about the reputation of the company. Using this kind of solution helps our clients not to lose money through a loss of reputation.

In terms of time to respond, someone who is working every day on the security operation team, can respond correctly within five minutes, to be conservative, to a problem they receive from the scanning done by Defender. It has decreased that time by about 20 percent, although keep in mind that I am a security architect and not part of the operations team.

The scanning part is one of the most valuable features with the automation of vulnerability scanning. That's why we use Defender. It gives us a lot of information on how to improve security.

There are some competitive products on the market, but the best is Microsoft Defender because it's very easy to integrate. That's one reason a lot of clients want Microsoft Defender.

It's also very easy to implement compared to other solutions.

Regarding other Microsoft solutions, about half of our clients take Sentinel, while 90 percent take Defender. They are very easy to integrate. That's one of the reasons, for me, that Microsoft is the best on the market. And in reviews about the best tools on the market, everybody agrees that Sentinel is the best on the market in the security area. When you work with Sentinel, it's easy to work with the Microsoft suite of products. It's easy to integrate every product from Microsoft.

We also use Microsoft Defender for Cloud's bidirectional sync capabilities. For security, they allow us to get all the information we need on time.

After scanning, there are false positives so sometimes you need to manage the results.

Also, we would like to see more tools for managing on-premises security. A lot of companies have their own on-premises infrastructure and want to move to the cloud. Sometimes, we have the tools, like Defender, to manage security in the cloud, but because we are so focused on the cloud, we forget the fact that we need to be sure about the security of the on-premises environment, specifically Active Directory. I know it's tricky, but I'd like to see them add some tools for a really good dashboard to introduce the fact that we also need to be careful about on-premises.

A lot of companies have their Active Directory on an on-premises physical server. When they start the journey of moving to the cloud, especially to Azure, they use Microsoft Defender to do device management, especially servers and computers. But to improve security monitoring it would help if we could monitor on-premises, especially identity. Usually, when hackers hack into an environment, they use tools to get the identity of a person. If we had tools to integrate with Defender, it would help improve security.

I have been working with Microsoft Defender for two years.

It's a stable solution.

It's also a scalable solution.

About 90 percent of our clients have deployments in multiple locations because they are usually multi-national, and that's why it sometimes takes more time to do the implementation.

The technical support of Microsoft is good.

Positive

I have always used Microsoft solutions.

The deployment is straightforward. The amount of time it takes depends on the configuration the client wants, but it's easy enough to deploy. 

If we need to implement it for a client with 2,000 devices, it takes more time. Just the implementation, for me, takes 20 minutes, but after that we have to implement configuration on the cloud, and that is totally different.

If it's a big company, it could take three months, because we have to do discovery. We have a lot of clients that use customized containers and customized Linux servers, and that's where we have to be sure we do the implementation the right way.

Usually, when working with clients and proposing different solutions, they prefer to work with Microsoft Defender because it is integrated. And when you talk about the price, it's really perfect, compared to other advanced threat-scanning products on the market. Overall, 90 percent choose Microsoft Defender because it's great and very easy to put in place. You don't need to install an extra service or do a big design. You pay for the licenses and that's it.

If you're considering working with Microsoft Defender, the first thing you need to do is an inventory of the infrastructure. We need to know what the client has: how many Windows Servers, how many Linux servers, and how much content. And then you need to know what you want to do with the devices. Some devices are not supported anymore. We need to know which devices the client wants to be covered by Defender.

A lot of times, we want to work with Sentinel because it's the best on the market. But Sentinel is more tricky to put that in place. But when you advise a client on security, of course, you propose a lot of solutions, including Defender and Sentinel. You propose the best on the market to improve their security.

Usually, they go for Microsoft Defender, but for Sentinel, sometimes it takes time. They say to us, "We don't have the money right now, let's wait two years." On many of my projects, my clients have already worked in the cloud and they want to start working with Azure. That's why Microsoft Defender is a good tool to implement. There are times we advise the client about Sentinel but they already have a SIEM solution like Splunk.

Defender for Endpoint does not help us automate routine tasks right now because it's extra work. I know we could put that in place, but often, when we start working with a client in the cloud, we spend a lot of money on that. I know, in the day-to-day operations of the security teams of our clients, they have so much to do and it would be really good to implement automation. We propose it to our clients, but it's up to them to decide if they want to do it.

The threat intelligence can help prepare for potential threats before they hit, but this is also something we need to talk to the client about. Sometimes, it's not in our hands. We can propose things to the client, but they have to choose. So far, after proposing these kinds of things to clients, I haven't received their agreement. This part of the solution is really interesting, but it can also be expensive for some clients. It depends on their budget.

And in terms of using multiple vendors for security or a single-vendor security suite, in my current company, we generally advise our clients to have different vendors, but it depends on the client. I, myself, am not a risky guy. But a lot of our clients have Microsoft products, and we'll advise them to use Microsoft products. You don't want to go to war with your client.

Sometimes, they want to work with a lot of different products, but when you try to do that it can be really expensive because you need to work on the connections between them. I usually advise Microsoft because it's very easy and a lot of clients already have Windows Servers, et cetera. It really depends on each case. It depends on who is paying, who is asking, and what they want.

I'm a security coach with multiple clients. I provide security implementation, planning, and maintenance through Microsoft Defender. I use all the Defender products, including Defender for Identity, Defender for Office 365, and Defender for Cloud. 

It's easy to integrate the solutions. You only need to go into the settings and switch on the connectivity to all the Defender for Endpoint connectivity telemetry. Microsoft documentation is thorough, and it walks you through all the necessary steps.

We're multi-client and multi-cloud. We're working with multiple organizations and departments, so it's complex. We have domains and sub-domains that we must account for on the deployment side. We also use Defender for ATP, which is the Defender for domain controllers.

Defender for Endpoint helped to bridge the gap with remote workforce solutions because it protects managed and unmanaged devices. It's also easier to use because Defender for Endpoint is cloud-managed, so it stays maintained and updated. It has a leg up on competing solutions that require more system resources and maintenance. 

The tight integration with Microsoft operating systems is another advantage because it's easier to manage. It also goes beyond Windows OS. Defender for Endpoint supports other platforms and operating systems, such as Linux, iOS, and Android. I like that Microsoft is expanding the product's scope beyond Microsoft operating systems. Microsoft is developing a holistic approach, so you don't need a third-party product to protect these other non-Microsoft platforms.

Defender helps us to prioritize threats across the enterprise. The weighted priorities are based on all the MITRE security standards. Defender products work together to provide comprehensive protection. I agree with the placement of Defender Products on Gartner's Magic Quadrant. Defender is a leader in that area of threat protection. I'm pleased with the outcome of a lot of the investigations. I can protect and harden areas that didn't usually didn't have that level of visibility and granularity. 

Defender integrates with Sentinel, enabling me to ingest data from my entire ecosystem. Sentinel also covers non-Microsoft products with the third-party connectors that are provided. I enjoy that part of the Sentinel functionality and feature set. It has several features for aggregating the log data and analytics for the on-premises environment. Having that visibility is crucial.

Sentinel provides the SIEM and the SOAR capabilities, offering a single pane of glass for all of the security operations centers and providing on-site reliability for many of my clients. Sentinel is Microsoft's answer to competing tools such as Splunk and other log application tools. Sentinel seems to provide more added value from the ease of use and visibility. The licensing is also competitive.

You can set up Sentinel to forward alerts if you want to create a managed Cloud environment solution for Sentinel for a client. There's a way to set that up through Azure Front Door. You're seeing the data reporting and single pane of glass for other tenants and customers. It enables you to offer security as a service to maintain visibility for clients.

I like that it considers the status of a device (whether the device is online or offline, VPN or not, etc.) and provides several options for telemetry, depending on where and how the device is being used. It gives a lot of flexibility with the installations, maintenance, and management of the Endpoint solution. In addition to Defender for Endpoint's feature set, other parts of device management reduce the attack surface and protect those devices.

Defender's automation features have been a significant advantage with many of my clients because the remediation has been automated. Most of the time, it doesn't require any human intervention unless there's something that hasn't been set up. I must demonstrate the automated investigation and remediation to my clients to ensure their environment is automatically protected on weekends and after business hours.

The single pane of glass is vital to us as security consultants and our clients, who need a high level of visibility. You can go into the high-level executive dashboard view and drill into each telemetry graphic to provide you with more granular data. I see how easy it is to see the big picture and effortlessly drill into the details using the side navigation menus and more.

Consolidating things into one dashboard streamlined them significantly. When working with multiple tools and vendors, you typically have to stitch the reporting together to get an overarching view of everything. It's time-consuming. By the time some of these tasks are accomplished, the data starts to get stale, so you need to refresh and create an all-new view again. Having real-time capability in a single pane of glass is essential.

Defender Threat Intelligence helps us develop a forward-looking approach to threats and plans. That's one aspect of the product I find incredibly helpful. It will highlight things that may require intervention, such as turning on conditional access rules or setting up some geofencing for anything that looks like it could be a password spray attack from a known location that we can block. 

There are opportunities to turn off any legacy protocols that may be in use. That's been a common thread with some of my clients who still use legacy protocols for sign-in and authorizations. The ability to do that has been a considerable help proactively.

You don't know what you don't know until you know. The continual flow of real-time data and analytics from Defender products helps create a security roadmap and harden many areas. With improved visibility, we can build a better roadmap to harden those areas by prioritizing and doing things methodically. Previously, we were guessing what to do next or what would be most important based on an educated guess. Now, we have data to guide our security decisions.

Microsoft Defender has saved us hours and hours. It has probably paid for itself many times over. I would agree that it has saved a lot of time and money. I estimate it probably saved us the equivalent of two people working full-time. You typically have at least one person overseeing on-premise resources and another dedicated to cloud resources.

In my opinion, the most valuable aspects are the reporting analytics and integration with Sentinel. Defender does an excellent job of correlating the different entities that comprise threat analysis, analytics data, and log analytics. It helps to piece together investigations into any exploit or malicious activity within a specific tenant. AI and analytics tools are probably the most valuable components.

The bidirectional sync capabilities and off-app sanctioning of the SaaS applications are helpful. The identity security posture feature set provides investigation recommendations for risky users. The heat map for locations is also handy. Defender integrates with the AIP DLP for data governance and protection. I use all of that.

There's a need to have augmented workforce capability. You need to see the data streams for client work augmentation for the security operation center and act on the information. Having data in near real-time is essential to my organization and the work we do for our clients. The built-in SOAR, UEBA, and threat detection features are comprehensive.

It always helps to have onboarding wizards. Microsoft has done a lot of work in that area. I would like to see some more refinement in the wizards to allow more diverse use cases and scenarios that help us deploy Defender globally. In particular, I would like to see more deployments considering localization barriers and networks or devices common in various regions. 

Localization is always a challenge, especially with new products you typically want. Solutions are designed to be deployed where the most licenses are being consumed, such as in the United States. They focus on US products, devices, and networks. Specialized deployments for other countries would allow for a smoother experience in transition.

I have been using Microsoft Defender for about two and a half years.

It's pretty stable. I haven't had any reliability concerns with Defender, and there have not been too many complaints from users that have to have extensive reboots or any kind of performance impact. So I would say it's pretty stable.

Scalability is built into the product. It's a cloud-managed solution, so it's capable of scaling pretty quickly as needed. You don't have to unlock another key or do something else to scale the product. It's scalable by design.

I rate Microsoft support a seven out of ten. We've opened a few Microsoft tickets. For example, we've seen some discrepancies between Defender for Exchange Online and the reporting from Sentinel. We raised tickets to determine why Sentinel's logging data doesn't match what we see in Exchange Online.

It can be slow and tedious sometimes. Microsoft has different support level agreements. If you want prompter and higher-quality support, you typically need to pay for an Ultimate Support contract. If we compare that with other companies or organizations, Microsoft is probably on par with everyone else. You don't get a higher level of support unless you pay for it.

Neutral

I've worked with all the major antivirus and endpoint protection vendors, including Splunk, CrowdStrike, Sophos, Norton, and McAfee. Microsoft's advantage is its integration with the operating system, ease of deployment, and support for the 365 Cloud experience. It makes everything easier to deploy, maintain and manage. It comes down to cost and integration. We realize cost savings because it's integrated into the E5 licensing product.

The setup is straightforward and mostly automated. You only have to intervene when you experience errors. Those typically happen on non-US systems or in other countries. For the most part, it's effortless to deploy.

We try to use the auto-onboarding capabilities that come with Autopilot. If you have new systems deployed with Windows Autopilot onboarding capability, that's going to turn Defender on with the proper policies and security parameters. 

One person is enough to deploy Defender if you have a plan and proper communication. You notify everyone that the deployment is happening and push the button. You need to let everyone know if reboots are required and the like. Other than that, it's pretty much a one-person deployment job.

In terms of maintenance, Defender is probably somewhere in the middle. Microsoft maintains a lot of automated updates. There are feature sets that come into play with things that are put in preview and you may want to see if it's something you want to turn on and try out while it's in preview. Those are the only areas that require some discussion and intervention. Most of the maintenance is automated. At the same time, you also need to be trained and aware of the updates and feature sets as they mature. You must stay on top of changes to the UI, reporting, etc.  

If you look at what we pay on average and all the potential ransomware and malware threats we've averted, we've definitely saved tens of thousands of dollars, depending on the client. Some of the bigger clients have saved millions of dollars of potential ransomware payouts because Defender products helped protect those areas of attack. 

The cost is competitive and reasonable because most of the expense is log analytics, storage, and data consumption and ingestion. They can be throttled and controlled, so they are highly flexible. Defender has a lot of advantages over competing products.

From a licensing aspect, you're not just getting a security product. You're getting a lot of other capabilities that go beyond the Defender products. You get an E5 or E3 license and some form of Defender for Endpoint included with all the other security features of the other Defender products. 

It didn't take too long to decide on Microsoft because of the integration and simplicity. CrowdStrike is probably the closest competitor.

I rate Microsoft Defender for Endpoint a nine out of ten. Defender is one of the best I've seen, and I'm not saying that as a Microsoft reseller. We use Defender and have gotten our Microsoft certifications to provide a high level of service for our clients. It's crucial to have a product we stand behind and believe in wholeheartedly. We're not getting kickbacks from Microsoft for saying or doing any of that. We use it because it works. 

I would say there's a trade-off. Once you start adding complexity to security, you're going against best practices that say simpler is better. Adding another vendor or a level of complexity is usually unnecessary. Unless there's something Microsoft completely missed, I would question the value of going to another vendor. 

Communication and planning are most important. Any time you change products or deploy something for the first time, you should test it first in a smaller use-case scenario. That will help you identify any issues with your network, firewall, or legacy applications that may be falsely identified as a threat. It's always best to test your use case scenarios in a proof of concept before you deploy it.

Our primary use case for Microsoft Defender for Endpoint is desktop security.

Defender for Endpoint has improved our security posture by ensuring that malicious websites aren't accessed, thereby enhancing desktop and network security.

The visibility into our attack surface provided by Defender for Endpoint is good.

Defender for Endpoint has significantly reduced our SOC team's workload by automating threat detection and response, allowing them to focus on other critical projects. This increased efficiency has minimized security concerns and freed up several hours per week for the team.

We are primarily a Microsoft environment, but we also utilize a few Macs. Microsoft Defender for Endpoint functions effectively across both platforms.

Web filtering is the most valuable feature of Microsoft Defender for Endpoint because it effectively maintains security for website access.

There is a need for improvement in reducing false positives. Defender flags vulnerabilities based on registry keys or temporary files that are not necessarily vulnerabilities. This creates a lot of false positives. There could also be better clarity in navigating through the GUI to identify and resolve vulnerabilities.

A disconnect exists between the subject-matter experts and Microsoft's Level One support teams, causing delays in issue resolution. Repeated interactions are necessary due to Level One's lack of tools and knowledge, hindering efficient problem-solving and negatively impacting our experience with Microsoft support.

I have been using Microsoft Defender for Endpoint for about three years.

Defender for Endpoint is a stable product with reliable uptime.

The support from Microsoft is somewhat lacking. The level-one support seems disconnected from subject matter experts, leading to back-and-forth delays in resolving issues.

Neutral

CrowdStrike's GUI is more user-friendly and provides easy-to-follow instructions, while Defender for Endpoint requires more effort to access detailed file information and vulnerability assessments. For instance, locating a specific device involves navigating through reported vulnerabilities, clicking on associated devices, and then searching for the device name to identify the vulnerabilities and their origins. The switch to Defender for Endpoint was likely motivated by cost savings and compliance requirements.

Defender for Endpoint is a good security product that provides a good return on investment.

I would rate Microsoft Defender for Endpoint a seven out of ten. It has effectively improved our security posture, but there are areas where support and usability can be enhanced.

Currently, I'm working to build out DLP policies in Defender for Endpoints.

Defender for Endpoint enables us to see vulnerabilities on certain endpoints and investigate the attack surface. We've improved our Security Score to the industry standard. The solution has reduced the mean time to remediation, but it's hard to give a precise number because it varies on a case-to-case basis. Automatic remediation of certain vulnerabilities has allowed our SOC to work on other projects. 

Attack surface reduction and limiting attack surface vectors are valuable features. It's helpful to isolate specific devices and get super granular with the features they offer. The visibility into the attack surface is good. It gets highly granular. I don't work on that side, but the people who do tell me they get more visibility. 

Defender for Endpoint is complex, and the documentation is detailed. At the same time, it's hard to navigate sometimes. You have to go through tons of documentation to find what you want.

I have been using Microsoft Defender for Endpoint for one and a half years.

The stability is great. I haven't seen any outages with Microsoft.

It's pretty easy to scale with Microsoft, as they make it easy if you look into the documentation.

I rate Microsoft support eight out of 10. Customer service has been pretty good. I don't have any complaints.

Positive

We've had E5 licensing for a while now, but our security stacks were spread across multiple resources, so we are currently consolidating.

I don't work much with the costs, but I have not heard of any issues with pricing, licensing, or setup costs for Microsoft Defender for Endpoint.

I rate Microsoft Defender for Endpoint eight out of 10.

We use Microsoft Defender for Endpoint to secure our customers' networks. One of the main reasons we chose this solution is its seamless integration with other Microsoft products, including Security. This integration enables the efficient exchange of signals and facilitates incident investigation and correlation with other security measures. Therefore, we recommend Microsoft Defender to our customers for robust endpoint security. 

Microsoft has been recognized as a leader in Gartner reports for two consecutive years for their exceptional threat-capturing abilities within their division. In comparison to other solutions, Microsoft Defender Endpoint Security offers a wide range of features, and the benefit of integration with other solutions makes it a more powerful product. This is in contrast to individual products from separate vendors, which lack default integrations and may not offer visibility over other endpoints in our environment.

The solution provides a high level of visibility into threats and is integrated with other solutions such as Microsoft Defender for Identity. This integration enables the solution to receive signals from Microsoft Defender for Identity, which are then relayed to users who attempt to log in to an infected device. If the threat originates from Microsoft Defender or Office 365, users are alerted and advised not to open any suspicious links or attachments. This integration greatly enhances the investigation experience and is extremely useful in the detection and analysis of potential threats.

Microsoft Defender for Endpoint helps prioritize the threats across our organization.

The automatic investigation response is the key feature of Microsoft Defender for Endpoint. It enables us to concentrate on the critical incidents related to the endpoint or machines. This capability enables the security team to focus on the most significant alerts or incidents related to the device's self-analytics. Prioritizing our investigations and responses with Microsoft Defender for Endpoint is crucial.

The integration with Microsoft solutions is smooth, and integrating with other products can be done with just one click.

In most cases, the solutions work natively together to deliver coordinated detection responses across our environment, which is very helpful.

The comprehensiveness of threat protection offered by Microsoft's solutions is extensive. These solutions can thoroughly investigate all resources in an organization when deployed correctly according to best practices. They can detect any threats related to email, endpoints, and identity attacks, whether on-premises or in the cloud.

Microsoft Defender for Endpoint has been instrumental in enhancing our organization's operations. It detects the majority of threats aimed at our devices, aiding us in our efforts to combat threats. Additionally, it expedites the investigation process by running playbooks on incidents. This saves us time and increases efficiency. Furthermore, the integration capabilities of Microsoft Defender for Endpoint allow us to address the source of the threat by partnering it with other solutions. Microsoft Defender for Endpoint can be integrated with Microsoft Intune, allowing us to provide device signals to the latter. This permits us to grant or deny access to specific sources based on device signals.

The solution assists in automating routine tasks and streamlines the identification of high-value alerts. When used in conjunction with Microsoft Sentinel, which is highly effective in detection and comprehensive investigations, the quality of high-value alerts is excellent.

Microsoft Defender for Endpoint has eliminated the need to access multiple dashboards and provided us with a single XDR dashboard. Instead of logging into five different portals to investigate a threat, we only need to access one portal, Microsoft Defender for Endpoint. This portal collects signals from various solutions and integrates them into a single incident, providing a comprehensive view of the detection from different sources in one place. This improves our visibility and simplifies the threat investigation process.

Having a consolidated dashboard saves us a significant amount of time by eliminating the need to log into multiple portals. This single portal can be used for investigation purposes and can relate to various aspects. It simplifies the process of monitoring a multitude of sources or resources in the environment, making it easier to detect and investigate potential issues. A consolidated dashboard improves collections and visibility, streamlining the investigation process.

The threat intelligence provided by the solution helps us prepare for potential threats and take proactive measures before they occur. Many of Microsoft's security solutions now depend on Microsoft's security intelligence. The ISG collects signals from various products worldwide, providing extensive information on recent global threats targeting different products. Integrating with Microsoft Defender for Endpoint, this information is particularly helpful.

The solution has helped us save time. I suggested that we check Microsoft Defender for Endpoint daily to review the latest incidents that occurred during the process. We can quickly examine the incident and then take action based on the recommendations provided by either Microsoft Defender for Endpoint or Microsoft 365 Defender, as it consolidates the signals.

This solution is cost-effective since we would otherwise have to pay for multiple licenses if we were to use various solutions. Additionally, we prefer not to subscribe to multiple vendors for different services. By integrating these features, we save time, and they are already integrated by default, unlike other vendors who may not offer this feature or integration.

Real-time detection and cloud-based delivery of detections are highly efficient. I have deployed the Microsoft Application Control which I found to be very effective, albeit difficult to deploy. I have implemented point guard and attack deduction rules which enable me to identify attack locations effectively. Microsoft Defender for Endpoint has several excellent features, and the correlation of alerts and investigation experiences within the platform helps lead investigations

The application control feature requires improvement. It is currently challenging to detect and fine-tune the application control policies. A better GUI is needed for configuring the policies, beyond the current partial console, such as a third-party or Microsoft tool. Additionally, more documentation is required for the application control section as there is currently none available in Microsoft's resources. This lack of documentation can make the process confusing.

The policy configuration has room for improvement. Currently, we require additional solutions to configure policies for Microsoft Defender for Endpoint. We need either Microsoft Intune or a new policy object. It seems many individuals find this process confusing. It is perplexing to me why we must configure policies using different solutions when ideally, we should have all configurations for Microsoft Defender for Endpoint in a single portal. It would be more practical to configure policies directly within Microsoft Defender for Endpoint, rather than using external solutions.

I have been using the solution for three years.

Microsoft Defender for Endpoint is stable.

Microsoft Defender for Endpoint is scalable.

I previously used Trend Micro Apex One, but I've found that Microsoft Defender for Endpoint has more benefits. Although I haven't worked with the full suite of Trend Micro, I believe that their Suite is also highly effective. However, I have experience using the full suite of Microsoft Defender, and I find it to be a more powerful tool for threat detection. While Trend Micro Apex One is easy to implement, has a seamless implementation experience, and is superior when it comes to policy configuration; For threat detection capabilities, Microsoft Defender for Endpoint is stronger.

The initial setup is straightforward because we just need to onboard devices, through a script, employment, onboarding package, or any other MDM Solution like Intune. The deployment takes between four and eight hours and requires a maximum of two people.

We implement the solution for our customers.

Microsoft Defender for Endpoint can be costly as a standalone solution. However, when included in a bundled license with other Microsoft solutions, it becomes a cost-effective option. Microsoft Defender for Endpoint provides excellent value for our organization.

There is an additional cost for Microsoft Premier support.

I give the solution an eight out of ten.

Microsoft Defender for Endpoint is deployed across multiple locations and departments. The solution can be used for enterprise, medium, and small businesses but can be expensive for SMBs.

To achieve success with Microsoft Defender for Endpoint, it is crucial to establish best practices and ensure full deployment without causing any disruptions to business productivity. Simply enabling all features without understanding their impact could lead to interruptions in productivity. By adhering to best practices and carefully assessing the impact of each policy, we can ensure a smooth and effective implementation.

We want to find a solution that fits businesses of every size and type, but we primarily target small and medium-sized enterprises. 

Defender helps us prioritize threats across the organization. When we needed to update the patches on our endpoints, we could look at all the patches and see what still needed to be fixed. We could decide whether it's necessary to address something urgently or deploy it as part of routine monthly maintenance. It's crucial to have the insights and a report that I can show to an executive to demonstrate that we need to act fast. This is less common because most people accept your hotfixes and patches when they come out, especially monthly security updates. However, some older shops might be like, "I'm running Windows 10. No one's touching this." We still need to service and support those machines, too. 

The solution helps us automate routine tasks and alerts. There's a dashboard where I can see the statuses of my machines in the environment. It helps us breathe a little bit easier. We're responding to businesses that had shifting needs during COVID. How can we be more proactive and help them to be more proactive? We shifted from traditional PC antivirus software to stuff that's totally different. I can't say it's "set it and forget it" because that implies a lazy mentality. However, I know I have a level of protection that I can have faith in. 

Defender helps us be more proactive. I find value in the zero-day threats that get fixed from Microsoft bug fixes or security updates. I can read and research about those zero-day threats from Microsoft's public site without digging too deeply into the Defender side of things. 

We've saved some time with Defender for Endpoint because we were doing a lot of unnecessary remediation with the other products. We had a series of servers that our previous product was installed on. It would blue-screen the server at random, and you can't have that. I'm not worried about Defender impacting my system stability. We put a lot of high-performance systems out there, including PCs and backend compute. I want to ensure we won't be overburdened by unnecessary security software that may not be giving me the protection I want.

Defender's reporting saves us four hours to eight hours each month. It has many of the standard reports we need built in, so it's effortless to generate and pull from. The time we save in other areas isn't as easy to quantify. I don't have to worry about the stability of a box or a computer cluster. 

It has decreased my detection time. On Wednesday, I got emails notifying me that new vulnerabilities were detected. They weren't new, but they were newly disclosed because patches came out for them. It has enabled us to react much quicker. 

I like Defender's reporting and logging features. The email alerts are also helpful. It's hard sometimes to sift through the email, especially if you're an IT firm managing hundreds if not thousands of endpoints, but we find email reporting useful. For example, last Tuesday, we learned of new vulnerabilities that were discovered as a result of the previous patches. The endpoints without those patches triggered alerts in Defender.

Defender ties into the Microsoft 365 portal where many shops spend a lot of their time doing password resets or other tasks. There is much more in the Azure portal too, but the 365 portal has a list of open issues, bugs, and necessary remediation steps. If I'm working on my security score, I have all of those on an active list, which is nice.

Defender should be more accessible for small and medium-sized businesses. You have some organizations that maybe have a hundred employees, and they're focused on making their widgets. That's their nine-to-five every day. They're not thinking about that security side, but maybe they're already invested in 365 or the Azure ecosystem and having Defender as an add-on makes sense from a price perspective. It's easy to deploy, but it could be easier for some of those smaller businesses to onboard endpoints.

The onboarding and deployment could be more user-friendly, and there is room to grow in some of the reports. I don't want them to be oversimplified or overly complex, but there is room for improvement in the reporting it can do. It's relatively minor.

We have used Defender for Endpoint for the last 18 months or so. 

Defender's stability is one of the things I love most about the solution. 

There are no limitations on Defender's scalability. I get the impression that it's designed to cater to massive enterprises with 20,000 or more endpoints, but I think there's a market for a simpler deployment, like 100 PCs, 10 servers, etc. Give me a deployment option that's simple. 

I rate Microsoft support eight out of 10. It's good overall, but it can be hit or miss depending on your issue, and sometimes you don't get the right level or technician. All of my 2023 support experiences have been stellar, but 2022 was a little inconsistent. 

Positive

The company evaluated other solutions in parallel and in tandem with it. Our trajectory shifted slightly during COVID-19, so we explored that more. We tried ESET and SentinelOne for a while. But those are apples-to-oranges comparisons. Defender for Endpoint is geared toward common reporting,  notifications, and backend stuff, whereas SentinelOne is designed to lock machines down. It has many more tendrils deep within, so they're not great comparisons. 

We decided to go with Defender because we're pretty heavily invested in the rest of the Microsoft Stack, so it made sense. However, we wanted to do our due diligence because we're already using other products. We wanted to ensure we were picking the best of breed for our customers fair enough.

We were having issues with other products like ESET, SentinelOne, and Symantec. SentinelOne is just too deep and heavy. It's like trying to shoot a fence post with a missile. It was too much. We rely on the product and trust it. It takes a little while to get there, but once you trust a product, you can move on to the next thing and know you're protected.

The onboarding process could be more straightforward. I wish the onboarding were simpler. It seems a little more ethereal than, "Hey, here's your executable, put this on every machine." That would be easier for a small shop. We're still deploying into a lot of our sites. It didn't take long at all, but it takes a while to get fully ready to deploy, 

Defender's pricing is competitive. There are ways to negotiate a better price with Microsoft or your reseller as your business grows. You can say, "Hey, I bought 365 Business, then E3, and E5. Now, I'm buying Defender, so give me bulk pricing."  There are opportunities to save as you grow that wouldn't exist if you picked a different vendor.

I rate Microsoft Defender for Endpoint eight out of 10.