Microsoft Defender for Endpoint Reviews

We use Microsoft Defender for Endpoint for anti-malware purposes.

Microsoft Defender for Endpoint has good visibility into threats, capturing 95 percent of them.

Microsoft Defender for Endpoint helps us prioritize threats across our organization, which is important.

We have integrated Microsoft Defender and Sentinel. The process of integrating Microsoft Defender for Endpoint and Sentinel was easy.

They work natively together to deliver coordinated detection and response across our environment which is important. Microsoft Defender for Endpoint and Sentinel work together comprehensively to detect and protect against threats. If one solution misses a threat, the other one will pick it up.

Sentinel allows us to gather data from our entire ecosystem, which is crucial for us.

It enables us to investigate threats and respond holistically from one place.

Microsoft Defender for Endpoint is an effective anti-malware solution. Additionally, it offers the capability to isolate a device in case of more significant issues with a workstation or server. Moreover, we can directly connect with the machine through Microsoft Defender itself to access and check files using live response, allowing us to assess the situation accurately.

Microsoft Defender for Endpoint offers a unified XDR dashboard that eliminates the need to view multiple dashboards. However, we are only focusing on incidents and log queries.

The threat intelligence helps us prepare for potential threats before they occur, allowing us to take proactive steps, as long as there are alerts and we have properly configured them.

We were previously using IBM QRadar, but it was not quite effective for generating alerts or for data analytics. Additionally, it created numerous alerts, which only sent us notifications for issues like behavioral concerns. This had a significant impact on the workload for InfoSec Operations. Microsoft Defender for Endpoint has helped to reduce our SecOps team's investigation time.

Once we invest the initial time to create alerts and queries, Microsoft Defender for Endpoint saves us time by sending alerts and logs directly. This eliminates the need to repeatedly create queries to search for specific alerts, incidents, or events.

Microsoft Defender for Endpoint has decreased our time to detection and time to respond.

There are a couple of features, such as isolating the devices or connecting the device and connecting live response. These are very good features of Microsoft Defender for Endpoint because we can directly connect to the machine, access the system, and check if any malicious files that our Defender or Sentinel is detecting are present or not. This allows us to investigate those files further.

Microsoft Defender for Endpoint sometimes fails to detect malware incidents, and when it does manage to stop them, we only receive a notification stating that the issue has been resolved. Unfortunately, we are not provided with any information on how the solution resolved the incident.

Microsoft Defender for Endpoint does not offer default templates for alerts, requiring us to configure everything ourselves to avoid numerous false positives.

The pricing needs to be improved.

I have been using Microsoft Defender for Endpoint for a little over one year.

I give the stability a nine out of ten.

I give the scalability an eight out of ten.

We rarely need technical support, but when we encounter issues with log ingestion, we contact them. Unfortunately, the support isn't very helpful as they suggest trying things we've already attempted, which haven't worked. Consequently, we often find ourselves searching online to resolve the problem on our own.

Neutral

I also use FireEye, which is now called Trellix, along with McAfee. Each tool has its own advantages and disadvantages. FireEye was solely an EDR solution. Microsoft Defender for Endpoint is superior to McAfee due to the higher number of alerts and the ability to isolate and connect to the machine in real-time.

Microsoft Defender for Endpoint is the default solution for Microsoft, but it can be challenging to integrate with Linux environments. Additionally, if we are using any other EDR or anti-malware solutions, Microsoft Defender for Endpoint will only work passively, not actively, and we cannot convert it to function as an active anti-malware solution.

The initial setup of Microsoft Defender for Endpoint may be more complex compared to other solutions that only require pushing agents to workstations or servers. Each device must be compliant and onboarded to Azure in order to be active, and any non-compliant workstations cannot be uploaded to Azure. On the other hand, with McAfee and similar solutions, we only need to push the agent and it starts reporting to the console. Our deployment process lasted six months and involved a group of three to four people and their respective teams. We had one team for field agents, another for SCCM purposes, and an Operations team as well.

Microsoft assisted with the implementation, and they were efficient.

We are required to pay for the data we ingest, and increasing the data amount incurs additional expenses.

I give Microsoft Defender for Endpoint an eight out of ten.

We currently have around 6,000 Microsoft Defender for Endpoint users in our organization.

We have a team called InfoSec Operations that handles maintenance and consists of approximately five people.

I recommend Microsoft Defender for Endpoint for larger organizations, and they should undergo training if they intend to use it in conjunction with Microsoft Sentinel, as it is a complex tool compared to others like QRadar. For smaller organizations, I suggest using Splunk, which is a reliable solution.

Microsoft Defender for Endpoint is a viable solution, but it does have limitations when it comes to other operating systems. I would not recommend this solution for an organization that operates in a Linux-based environment.

We use Defender for endpoint security, firewall administration, and antivirus. 

From an administrative perspective, Defender provides a single pane of glass for us to look at compliance throughout the company and for the customers we recommended it to. That's probably the most significant piece. The governance and policy features work together for us because we can easily provide the self-attestation that we need for the federal government.

Automation at this point, as I understand, is a lot of one-offs. It depends on the particular console that you're looking at. I'd love to have them integrated. I understand that there's a larger solution for that, but it's challenging to figure out a cost estimate of what it would take to get it up and running. The automations are often tied to the separate Defender products and not always integrated, but we're still shy about buying the larger product and integrating all the logs. 

Defender for Endpoint saves time by making administration more manageable. It's at least four hours per month per administrator. We save money with Defender because it's packaged with other Microsoft solutions. It's $20 to $60 per user annually, depending on the suite you're getting. 

I like that Defender is integrated and doesn't have a third-party payload trying to advertise subscription renewal. I don't get spam because of it. Regarding visibility, no one has their finger in as many operating systems as Microsoft. No one has the platform or deployment profile that Microsoft has. Microsoft can outshine any third-party vendor when it comes to visibility.

The interface isn't necessarily intuitive to a nontechnical person. You can get stuck in the little endpoint security portal. Sometimes, if you uninstall a competitive product, the end user doesn't always know if it's running or if they're protected even though it's silently running. There could be a notification, widget, or something that's resident on the screen for at least a bit, especially if you're doing remote support. You want to talk them through it, but sometimes, we're not allowed to look at the PCs we support.

I'd like them to improve visualizations for people higher up the reporting chain, such as potential purchasers, directors, VPs, and CEOs. They have little time. They want to see red, green, and yellow lights or some other type of visualization. It would be great to have this functionality out of the box without a lot of custom development.

We're learning about the AI Security Co-pilot. I'm unsure how it integrates, but I'd like to see it integrated. I'm an administrator, so I don't look at the logs constantly, but patching is critical. I would love to see the percentage of PCs patched in a given period. Reporting and alerts are crucial issues. When an alert needs to be triggered, we'd love to see some events flush up.

We often have to wait for and do a report until we find what we're looking for. It would be nice to sort of set it and forget it or have a community board of plugins that we could download and say, "Here's the meantime to resolution for x, y, or z policy or some policies that we could potentially integrate.

I have used Defender for Endpoint for seven years. 

I can't think of any ongoing issues that we have other than our own internal minor configuration. I don't know if this is in there, but I would love the ability to see how we're deployed and get recommendations.

Defender is scalable. The solution covers multiple locations and departments. We have about 100,000 end users. The departments vary in size. 

I rate Microsoft support six out of 10. They're responsive and willing to help. I have no problems with their customer service. However, it's sometimes difficult to find a technician that understands your issue. Sometimes, when you try to do self-service with Microsoft, it refers you to a third-party website for support ideas and stuff. That's absolutely bizarre. Why would I trust a third party linked from the Microsoft community forums and things?

Neutral

We were using Norton Antivirus, but we switched because we were familiar with Defender. We had Defender running on our home machines, and we had positive experiences because it didn't noticeably slow our machines. It was fairly intelligent at what it did. Sometimes, you feel a little restricted by a few of the things that it may not have. But in the end, I don't think that we're missing anything that we didn't already have in the product.

Defender is typically bundled with 365 packages that the customers are already buying. We haven't done an in-depth ROI for right. Often, we leave the customer to make those decisions even though we can point to tools like that on the web or allow an analyst tool to do that type of work. 

We looked at Norton, McAfee, and another one that I can't recall. Ultimately, our decision primarily came down to integration into the system. If it's integrated, it isn't overwritten by the security patch, and it doesn't add to the payload we're already sending down to manage the PC. We wouldn't use it if the quality wasn't there, but all else being equal, it's always easier to use an integrated solution from a single vendor.

I rate Microsoft Defender for Endpoint nine out of 10. 

We use it as an Enterprise Detection and Response (EDR) solution. We use it for compliance purposes, and we are starting to use it for DLP purposes.

Microsoft Defender for Endpoint allows our threat hunting and threat remediation teams to reduce the footprint of viruses when they come on the network.

We have immediate visibility on all endpoints. It is very good at visibility.

For prioritizing threats across our enterprise, the threat-hunting system in Microsoft Defender for Endpoint is not top-notch. We usually integrate it into things like our SIEM or Sentinel or other things to prioritize or our SOAR system to automate.

We can feed the alerts coming out of it into our XSOAR system to immediately act on events versus waiting until people see them and use the ticketing system.

Microsoft Defender for Endpoint has saved us time. It has saved us at least 40 hours a week. We are able to automate and have the ability to handle threats on an enterprise with 50,000 devices.

Microsoft Defender for Endpoint has not saved us costs. It is a Microsoft product.

Microsoft Defender for Endpoint has reduced our time to detect and respond. By going from a manual process to an automated process, depending on the severity, the time reduced has gone from minutes and days to seconds.

The endpoint detection of threats is valuable. The initial detection of things like ransomware and viruses and being able to shut down machines immediately and stop a threat is valuable. We can stop a threat at a source versus allow it to propagate it across the network.

The product itself does not necessarily need improvement, but the support and implementation of the product are the disaster cases. Instead of being able to go back to Microsoft and ask how to do something, we have to work with a vendor who does not exactly know how to do that and has to go to Microsoft to say, "How do we do this?" so that they can answer our questions. There are a lot of things in relation to various compliance standards such as CIS. The primary levels of support of Microsoft do not know or cannot implement that. Working through vendors is time-consuming. It is a painful process to get back to them to get the answers.

I have been using Microsoft Defender for Endpoint for three years.

We have never seen any downtime in it, so it is incredibly stable.

It is incredibly scalable. However, its ability to bind things into the groups on its dashboard is limited. You can see your 50,000 machines empire, but dividing it into regions, and dividing it into subgroups and management areas is very limited.

It is deployed across the world. There are 250 sites worldwide with 50,000 devices.

I would rate their support poorly. I would rate them a two out of ten.

Negative

The history would be a Symantec product, but I do not remember what it was. Then we went up through Azure ATP to Microsoft EDR. 

I was involved in its deployment and initial setup, but I was not a part of PoC at the time. The deployment was very easy. We pushed it out with SCCM.

Our implementation strategy was PoC, small user groups, and then wide or regional deployments.

We have on-premises and cloud deployments. It is an endpoint protection platform. It goes on any endpoint that we have or that we have running. It could be an endpoint that is sitting in the cloud. It could be an endpoint that is sitting on-prem. We use Azure, GCP, and AWS. There is also some limited rack space from IBM.

We used CDW.

We have reduced man hours using the product. We have definitely been able to leverage automation with it more than other products that we have used previously and other products that we are using.

I recently switched from education to private business, and all I can say is that private business licensing from Microsoft is not cheap until you hit certain quantities or scale. That does not mean that it is not comparable to other industries. It is similar pricing, but it is still crazy to me how much you pay for a client. I feel it is high, but it is in line with other vendors.

We evaluated Cortex XDR, Carbon Black, and QRadar or whatever that solution was from IBM.

The Microsoft ecosystem is the main difference. Everything under the umbrella of the Microsoft security toolkit makes life easier when all the systems talk together nicely.

To those evaluating this solution, I would advise first figuring out what your needs are. Figure out what levels of granularity you need in the system to see if it will support your needs. For example, if you have something like department-level control over devices, you might want to look at another system versus a central security solution that controls all devices. Beyond that, make sure your machines have the resources necessary to support the features you turn on in the environment. A lot of the resources in Microsoft Defender for Endpoint can be shut down for slower machines and older machines.

I would rate Microsoft Defender for Endpoint a solid nine out of ten.

We use Microsoft Defender for Endpoint to prevent traffic attacks. The solution displays each attack through Symantec. Therefore, we do not need to develop any use cases. It will detect anomalies using machine learning in Defender for Endpoint. It collects logs from the sensor, which include all mission data from the Windows sensor. The machine logs will then be sent to the cloud for analysis, and for every anomaly found, an alert is generated in our console.

Microsoft Defender for Endpoint provides comprehensive threat visibility. It allows for file analysis, checking unsupported files in the system, and accessing the Mission Live console. Unused files can be deleted, and suspicious files are analyzed and checked for viruses on the platform. In cases where a file has numerous detections from different security vendors, it is quarantined, blocking it in the organization. Care is taken to avoid quarantining legitimate files to prevent disruption. Additionally, there are numerous advanced configuration options available.

It helps us prioritize threats across our entire enterprise. We receive notifications for any advanced threats and can also identify if there is an advanced threat within our organization. Additionally, we can view the different priorities, such as high, medium, or low, and understand the severity of the alerts. For high and medium alerts, we can take immediate action, such as isolating the machines from the network.

We also utilize Microsoft Elastic Cloud and EnCase. I believe the integration is straightforward, but I was only responsible for monitoring after the integration had been completed.

Microsoft offers four products that can seamlessly work together and be accessed through one console. These products are Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft CloudApp Security. With the appropriate license, we can subscribe to all four solutions from the Microsoft security website.

Sentinel allows us to collect data from our entire ecosystem and seamlessly integrate the log files with an API.

Microsoft Sentinel allows us to investigate threats and respond swiftly from a centralized platform. We possess the capability to generate customized queries and delve deep into the logs.

Microsoft Sentinel also has built-in SOAR, UEBA, and threat intelligence capabilities. The playbooks make the security analyst's job much easier. If there is unwanted software, we can configure a notification from the playbook to send the user a message or block the IOCs.

Defender for Endpoint aids our organization by enabling us to monitor the antivirus status on devices to ensure they are up-to-date. We can also access vulnerability details that we can share with the vulnerability team to promptly apply necessary patches. Additionally, it allows us to identify any pending configurations, streamlining our security analysis process.

It helped eliminate having to look at multiple dashboards and gave us one XDR dashboard for everything.

Microsoft Defender for Endpoint's threat intelligence assists us in proactively preparing for potential threats before they strike. Any threats detected by Microsoft Defender for Endpoint are automatically blocked, while for those that are not, we have the option to block them manually.

I find the vulnerability management section of Microsoft Defender for Endpoint to be very useful for organizations. It provides details on vulnerabilities, connection, and software vulnerabilities, and identifies any unauthenticated extensions. The Secure Score option is also helpful for reviewing configurations. In a project to improve Secure Score, we reviewed configurations on a weekly basis and implemented changes gradually. Each section (Identity, Endpoint, Encryption) can be configured phase by phase, and the changes are tracked through a graph. Comparing our Secure Score with other organizations is also possible. From a security perspective, Microsoft Defender for Endpoint is easy to understand and facilitates advanced investigations.

The time to generate certain alerts on our dashboard can take between 45 minutes to an hour, and I am unsure of the factors that influence this duration. When I analyze the logs, I notice that some incidents occurred an hour before the alert was generated and sent to the console. This suggests that we are not detecting threats in real-time. Additionally, we encountered another issue with the dashboard while monitoring multiple organizations. One organization received a notification that 70 of their machines were at risk, while the other organizations only had five or ten machines at risk. Upon checking all 70 machines, we found no alerts or vulnerabilities in the logs. We submitted a ticket and provided the logs to Microsoft, but they were unable to offer a proper explanation for the triggered alert on those machines being at risk.

We were experiencing high CPU usage issues on the servers and found that Microsoft Defender for Endpoint was the root cause. We reached out to Microsoft and, after two weeks, they provided us with a solution to edit the registry keys and update the software.

I have been using Microsoft Defender for Endpoint for two years.

The stability is good.

The technical support team is good.

The initial setup is simple. We can deploy using Microsoft SCCM and provide the onboarding package to SCCM. 

There are different licenses, such as E3 and E5. With an E5 license, we can access all the solutions, which is better, but the cost is high. However, it is still valuable from a security perspective.

I give Microsoft Defender for Endpoint an eight out of ten.

We deployed Microsoft Defender for Endpoint and CrowdStrike together in one organization. While Microsoft Defender for Endpoint displayed valid alerts, there were no alerts in CrowdStrike.

We use it for threat protection.

It protects my endpoints from malware and viruses. Those benefits were immediate.

And the automation of routine tasks, such as finding high-value alerts, had an immediate impact because I can see all the threats in a single console, and how they are mitigated.

It has also definitely eliminated having to look at multiple dashboards, giving me one XDR dashboard. It's really effective because it is very tough to handle two different dashboards or environment consoles. The single console gives me a one-shot view of the whole infrastructure, security-wise.

The solution also saves me time because there is no need to install it on all the machines. That is automated. Even the mitigation is sometimes automated, which definitely saves time. It saves me about 90 percent of the time I would otherwise spend on these things.

I have also seen a clear improvement in time to detect and respond. It is instant.

The solution's threat protection is mostly AI and machine-learning based. That is the most important feature of the product. It also offers centralized management so I can remotely manage devices.

In terms of visibility, it gives me all the threats. They are showcased in the management portal. I check there and it's nice.

We also use Microsoft Intune and Azure Information Protection and have them integrated with Defender For Endpoint. The integration was moderately difficult, slightly confusing, but it can be done. But the solutions work natively together to deliver coordinated detection and response. That is very important. Integration is one of the main things I look at. The fact that they work together is the best thing. The threat protection these solutions provide is very comprehensive and very detailed. They cover different aspects and layers of security and that's why it's very important to have them integrated.

The automation could be simpler on the mitigation side. It has a learning curve. Otherwise, it's pretty easy.

I have been using Microsoft Defender for Endpoint for one and a half years.

It is a stable solution.

It's also scalable.

If I have any issues I can relate them to support. But they are quite slow in responding.

Neutral

We used Sophos and we switched because of integration. 

It's deployed on the cloud and the setup is quite fast. I just needed to add the machines and the deployment happened quickly. Within a day, we were up and running. It was straightforward and involved two people.

There is not much maintenance required.

We have definitely seen ROI, due to the fact that I only have one dashboard and one solution. Our ROI is around 20 percent.

The cost is high, compared to other products in the market, if you look at it as a separate product. If you look at the cost where it is part of a bundle, the cost is okay.

Defender for Endpoint doesn't really help to prioritize threats across the enterprise. It's more of a basic threat protection solution. It's more of a reactive approach, once something hits.

With a single vendor, it's much easier to detect alerts and threats beforehand. Having a single vendor helps.

I would recommend Defender For Endpoint. If you are using other Microsoft products, together, this is a better security solution.

We use Microsoft Defender for Endpoint to secure our customers' networks. One of the main reasons we chose this solution is its seamless integration with other Microsoft products, including Security. This integration enables the efficient exchange of signals and facilitates incident investigation and correlation with other security measures. Therefore, we recommend Microsoft Defender to our customers for robust endpoint security. 

Microsoft has been recognized as a leader in Gartner reports for two consecutive years for their exceptional threat-capturing abilities within their division. In comparison to other solutions, Microsoft Defender Endpoint Security offers a wide range of features, and the benefit of integration with other solutions makes it a more powerful product. This is in contrast to individual products from separate vendors, which lack default integrations and may not offer visibility over other endpoints in our environment.

The solution provides a high level of visibility into threats and is integrated with other solutions such as Microsoft Defender for Identity. This integration enables the solution to receive signals from Microsoft Defender for Identity, which are then relayed to users who attempt to log in to an infected device. If the threat originates from Microsoft Defender or Office 365, users are alerted and advised not to open any suspicious links or attachments. This integration greatly enhances the investigation experience and is extremely useful in the detection and analysis of potential threats.

Microsoft Defender for Endpoint helps prioritize the threats across our organization.

The automatic investigation response is the key feature of Microsoft Defender for Endpoint. It enables us to concentrate on the critical incidents related to the endpoint or machines. This capability enables the security team to focus on the most significant alerts or incidents related to the device's self-analytics. Prioritizing our investigations and responses with Microsoft Defender for Endpoint is crucial.

The integration with Microsoft solutions is smooth, and integrating with other products can be done with just one click.

In most cases, the solutions work natively together to deliver coordinated detection responses across our environment, which is very helpful.

The comprehensiveness of threat protection offered by Microsoft's solutions is extensive. These solutions can thoroughly investigate all resources in an organization when deployed correctly according to best practices. They can detect any threats related to email, endpoints, and identity attacks, whether on-premises or in the cloud.

Microsoft Defender for Endpoint has been instrumental in enhancing our organization's operations. It detects the majority of threats aimed at our devices, aiding us in our efforts to combat threats. Additionally, it expedites the investigation process by running playbooks on incidents. This saves us time and increases efficiency. Furthermore, the integration capabilities of Microsoft Defender for Endpoint allow us to address the source of the threat by partnering it with other solutions. Microsoft Defender for Endpoint can be integrated with Microsoft Intune, allowing us to provide device signals to the latter. This permits us to grant or deny access to specific sources based on device signals.

The solution assists in automating routine tasks and streamlines the identification of high-value alerts. When used in conjunction with Microsoft Sentinel, which is highly effective in detection and comprehensive investigations, the quality of high-value alerts is excellent.

Microsoft Defender for Endpoint has eliminated the need to access multiple dashboards and provided us with a single XDR dashboard. Instead of logging into five different portals to investigate a threat, we only need to access one portal, Microsoft Defender for Endpoint. This portal collects signals from various solutions and integrates them into a single incident, providing a comprehensive view of the detection from different sources in one place. This improves our visibility and simplifies the threat investigation process.

Having a consolidated dashboard saves us a significant amount of time by eliminating the need to log into multiple portals. This single portal can be used for investigation purposes and can relate to various aspects. It simplifies the process of monitoring a multitude of sources or resources in the environment, making it easier to detect and investigate potential issues. A consolidated dashboard improves collections and visibility, streamlining the investigation process.

The threat intelligence provided by the solution helps us prepare for potential threats and take proactive measures before they occur. Many of Microsoft's security solutions now depend on Microsoft's security intelligence. The ISG collects signals from various products worldwide, providing extensive information on recent global threats targeting different products. Integrating with Microsoft Defender for Endpoint, this information is particularly helpful.

The solution has helped us save time. I suggested that we check Microsoft Defender for Endpoint daily to review the latest incidents that occurred during the process. We can quickly examine the incident and then take action based on the recommendations provided by either Microsoft Defender for Endpoint or Microsoft 365 Defender, as it consolidates the signals.

This solution is cost-effective since we would otherwise have to pay for multiple licenses if we were to use various solutions. Additionally, we prefer not to subscribe to multiple vendors for different services. By integrating these features, we save time, and they are already integrated by default, unlike other vendors who may not offer this feature or integration.

Real-time detection and cloud-based delivery of detections are highly efficient. I have deployed the Microsoft Application Control which I found to be very effective, albeit difficult to deploy. I have implemented point guard and attack deduction rules which enable me to identify attack locations effectively. Microsoft Defender for Endpoint has several excellent features, and the correlation of alerts and investigation experiences within the platform helps lead investigations

The application control feature requires improvement. It is currently challenging to detect and fine-tune the application control policies. A better GUI is needed for configuring the policies, beyond the current partial console, such as a third-party or Microsoft tool. Additionally, more documentation is required for the application control section as there is currently none available in Microsoft's resources. This lack of documentation can make the process confusing.

The policy configuration has room for improvement. Currently, we require additional solutions to configure policies for Microsoft Defender for Endpoint. We need either Microsoft Intune or a new policy object. It seems many individuals find this process confusing. It is perplexing to me why we must configure policies using different solutions when ideally, we should have all configurations for Microsoft Defender for Endpoint in a single portal. It would be more practical to configure policies directly within Microsoft Defender for Endpoint, rather than using external solutions.

I have been using the solution for three years.

Microsoft Defender for Endpoint is stable.

Microsoft Defender for Endpoint is scalable.

I previously used Trend Micro Apex One, but I've found that Microsoft Defender for Endpoint has more benefits. Although I haven't worked with the full suite of Trend Micro, I believe that their Suite is also highly effective. However, I have experience using the full suite of Microsoft Defender, and I find it to be a more powerful tool for threat detection. While Trend Micro Apex One is easy to implement, has a seamless implementation experience, and is superior when it comes to policy configuration; For threat detection capabilities, Microsoft Defender for Endpoint is stronger.

The initial setup is straightforward because we just need to onboard devices, through a script, employment, onboarding package, or any other MDM Solution like Intune. The deployment takes between four and eight hours and requires a maximum of two people.

We implement the solution for our customers.

Microsoft Defender for Endpoint can be costly as a standalone solution. However, when included in a bundled license with other Microsoft solutions, it becomes a cost-effective option. Microsoft Defender for Endpoint provides excellent value for our organization.

There is an additional cost for Microsoft Premier support.

I give the solution an eight out of ten.

Microsoft Defender for Endpoint is deployed across multiple locations and departments. The solution can be used for enterprise, medium, and small businesses but can be expensive for SMBs.

To achieve success with Microsoft Defender for Endpoint, it is crucial to establish best practices and ensure full deployment without causing any disruptions to business productivity. Simply enabling all features without understanding their impact could lead to interruptions in productivity. By adhering to best practices and carefully assessing the impact of each policy, we can ensure a smooth and effective implementation.

The solution can be used on everything. It can be used on the cloud. You can also use it for on-premises devices, from servers to laptops. It's a pretty good solution to manage devices and servers.

Usually, our clients have an on-premises infrastructure and they want to start working in the cloud, especially in Azure. We use Microsoft Defender to manage on-premises devices from Azure. Especially over the last two years, a lot of companies have wanted to focus more on their own business and that's why they have us manage their IT security.

The main goal of using Defender for our clients is to do vulnerability scanning and to be aware of any possible security breaches in their infrastructure.

Microsoft Defender is totally integrated with Microsoft 365 Azure. For example, years ago a software company that was working on-premises with Microsoft products came to us. They asked us to help them connect to Azure because with Azure, they could, of course, run their core business, but it would also help them create more value in the market. Microsoft Defender is the best way to manage on-premises devices, but also devices on the cloud.

It also helps us to prioritize threats.

In addition, the solution gives us a single dashboard that we can customize. When our security operators start their day, they look at the dashboard information. If there is a big issue, they automatically get the information. They can send an email to the team involved. The dashboard helps the security team, day-to-day, to ensure everything is secure for the client. The dashboard is really important.

And overall, the solution has saved us 50 percent of our time. It also saves us money because it prevents ransomware and web application attacks every day. Currently, with the war in Ukraine, because I work in Europe, hackers are trying to hack into enterprises, and that's another reason it's really important to have this kind of solution.

It may be saving us 30 percent, in terms of money, because once you have the system in place, you can avoid a lot of attacks and keep secret information away from hackers. When we talk about security, we're also talking about the reputation of the company. Using this kind of solution helps our clients not to lose money through a loss of reputation.

In terms of time to respond, someone who is working every day on the security operation team, can respond correctly within five minutes, to be conservative, to a problem they receive from the scanning done by Defender. It has decreased that time by about 20 percent, although keep in mind that I am a security architect and not part of the operations team.

The scanning part is one of the most valuable features with the automation of vulnerability scanning. That's why we use Defender. It gives us a lot of information on how to improve security.

There are some competitive products on the market, but the best is Microsoft Defender because it's very easy to integrate. That's one reason a lot of clients want Microsoft Defender.

It's also very easy to implement compared to other solutions.

Regarding other Microsoft solutions, about half of our clients take Sentinel, while 90 percent take Defender. They are very easy to integrate. That's one of the reasons, for me, that Microsoft is the best on the market. And in reviews about the best tools on the market, everybody agrees that Sentinel is the best on the market in the security area. When you work with Sentinel, it's easy to work with the Microsoft suite of products. It's easy to integrate every product from Microsoft.

We also use Microsoft Defender for Cloud's bidirectional sync capabilities. For security, they allow us to get all the information we need on time.

After scanning, there are false positives so sometimes you need to manage the results.

Also, we would like to see more tools for managing on-premises security. A lot of companies have their own on-premises infrastructure and want to move to the cloud. Sometimes, we have the tools, like Defender, to manage security in the cloud, but because we are so focused on the cloud, we forget the fact that we need to be sure about the security of the on-premises environment, specifically Active Directory. I know it's tricky, but I'd like to see them add some tools for a really good dashboard to introduce the fact that we also need to be careful about on-premises.

A lot of companies have their Active Directory on an on-premises physical server. When they start the journey of moving to the cloud, especially to Azure, they use Microsoft Defender to do device management, especially servers and computers. But to improve security monitoring it would help if we could monitor on-premises, especially identity. Usually, when hackers hack into an environment, they use tools to get the identity of a person. If we had tools to integrate with Defender, it would help improve security.

I have been working with Microsoft Defender for two years.

It's a stable solution.

It's also a scalable solution.

About 90 percent of our clients have deployments in multiple locations because they are usually multi-national, and that's why it sometimes takes more time to do the implementation.

The technical support of Microsoft is good.

Positive

I have always used Microsoft solutions.

The deployment is straightforward. The amount of time it takes depends on the configuration the client wants, but it's easy enough to deploy. 

If we need to implement it for a client with 2,000 devices, it takes more time. Just the implementation, for me, takes 20 minutes, but after that we have to implement configuration on the cloud, and that is totally different.

If it's a big company, it could take three months, because we have to do discovery. We have a lot of clients that use customized containers and customized Linux servers, and that's where we have to be sure we do the implementation the right way.

Usually, when working with clients and proposing different solutions, they prefer to work with Microsoft Defender because it is integrated. And when you talk about the price, it's really perfect, compared to other advanced threat-scanning products on the market. Overall, 90 percent choose Microsoft Defender because it's great and very easy to put in place. You don't need to install an extra service or do a big design. You pay for the licenses and that's it.

If you're considering working with Microsoft Defender, the first thing you need to do is an inventory of the infrastructure. We need to know what the client has: how many Windows Servers, how many Linux servers, and how much content. And then you need to know what you want to do with the devices. Some devices are not supported anymore. We need to know which devices the client wants to be covered by Defender.

A lot of times, we want to work with Sentinel because it's the best on the market. But Sentinel is more tricky to put that in place. But when you advise a client on security, of course, you propose a lot of solutions, including Defender and Sentinel. You propose the best on the market to improve their security.

Usually, they go for Microsoft Defender, but for Sentinel, sometimes it takes time. They say to us, "We don't have the money right now, let's wait two years." On many of my projects, my clients have already worked in the cloud and they want to start working with Azure. That's why Microsoft Defender is a good tool to implement. There are times we advise the client about Sentinel but they already have a SIEM solution like Splunk.

Defender for Endpoint does not help us automate routine tasks right now because it's extra work. I know we could put that in place, but often, when we start working with a client in the cloud, we spend a lot of money on that. I know, in the day-to-day operations of the security teams of our clients, they have so much to do and it would be really good to implement automation. We propose it to our clients, but it's up to them to decide if they want to do it.

The threat intelligence can help prepare for potential threats before they hit, but this is also something we need to talk to the client about. Sometimes, it's not in our hands. We can propose things to the client, but they have to choose. So far, after proposing these kinds of things to clients, I haven't received their agreement. This part of the solution is really interesting, but it can also be expensive for some clients. It depends on their budget.

And in terms of using multiple vendors for security or a single-vendor security suite, in my current company, we generally advise our clients to have different vendors, but it depends on the client. I, myself, am not a risky guy. But a lot of our clients have Microsoft products, and we'll advise them to use Microsoft products. You don't want to go to war with your client.

Sometimes, they want to work with a lot of different products, but when you try to do that it can be really expensive because you need to work on the connections between them. I usually advise Microsoft because it's very easy and a lot of clients already have Windows Servers, et cetera. It really depends on each case. It depends on who is paying, who is asking, and what they want.

We use Defender for Endpoint to secure our Windows 10 endpoints and Windows servers. We use Microsoft Defender as an antivirus, and we also leverage the EDR capability. If any malware or threat is present, Defender can take action on those threats and remediate if there are any malicious actors present in our environment.

It is deployed on-premises, on the cloud, and on multi-cloud solutions like AWS on Azure. We have a diverse, global environment with devices or servers in Europe, the US, and the Asia-Pacific region, except for China.

One feature I like the most is vulnerability management, which shows any vulnerable software or OS present in my environment. Microsoft Defender for Endpoint provides a complete overview and also recommends the steps to mitigate the vulnerabilities or threats. Most of the other antivirus or EDR solutions generally don't provide vulnerability management. It is an add-on that Microsoft Defender for Endpoint provides.

Also, because of this solution's EDR capabilities, we can determine what we want Microsoft Defender to do and then automate the entire process. We have already enabled these automated response capabilities and are leveraging them.

The visibility into threats that Microsoft Defender provides is very detailed. If we want to investigate how a threat was initially integrated into our environment, we can do that with a detailed activity timeline. It will be across the servers or Windows Endpoint, so we will be able to see the correlation and gain a complete picture of any threat within that timeline.

It helps us prioritize threats across our enterprise to a certain extent. Whenever there is a threat, we'll get a risk score along with the level of severity. We will then be able to see whether the threats are of high, medium, or low severity and can prioritize them accordingly.

Prioritization is really important to our organization because with 100,000 people working, we see an immense number of threat alerts including phishing, identity, and other kinds of threats. We have a limited number of people working in security operations centers, and we may see 30,000 alerts come through. Therefore, it's very important for us to prioritize those alerts so that we don't end up working on threats that are not important and miss critical alerts.

Along with Microsoft Defender, we also use Microsoft Defender for Cloud Apps, Microsoft Defender for Cloud, and Microsoft Defender for Identity. Integrating these products is quite simple. You just toggle the button, and the integration will be turned on. Once you have turned on integration, you will see feeds from the other portals. That is, if I get something in Defender for Identity, then I will be able to see relevant items in the Defender for Endpoint portal as well. It's out-of-the-box integration, and no additional measures are required.

These solutions work natively together to deliver coordinated detection and response across our environment. They work in the background and share common intelligence with each other and provide correlated feeds within these portals. They provide comprehensive threat protection.

When the integration is in place, it eliminates the need to look at multiple dashboards. Initially, we used to have different portals for incidents, but now, we have one central console. We can see alerts and incidents from Defender for Cloud, Defender for Identity, etc. It saves us a lot of time because our analysts don't have to spend time looking at different dashboards or consoles.

In terms of preparing for potential threats before they hit and taking proactive steps, the feeds in Microsoft Defender for Endpoint help us detect zero-day vulnerabilities or any ransomware. The threat analytics show us what the current and upcoming threats are. I can get the indicators of compromise from that particular list and can prepare my team on how to act on those particular threats. It has helped us to become more efficient.

Overall, this solution has helped us save 30% to 40% of our time.

Also, our time to detect and respond has decreased by around 40 to 50%.

One major item for improvement is the ability to add exceptions. We can add some exceptions, but not at the level we need to.

The second major area for improvement involves enhanced capabilities for different operating systems or platforms. That is, even though we have coverage for different operating systems or platforms such as Linux, we don't get all of the controls and enhanced capabilities that are available with Windows devices.

Reporting could also be improved because, at present, we get limited results at times. For example, in an environment with more than 100,000 devices, you may just get 10,000 results when you run a report.

I've been using it for close to four years.

It's not very stable because Microsoft keeps making a lot of improvements as it's a new product. For example, today I might see something on one page, on another day, it might be located on some other page or portal. However, I have seen stability to some extent over the last couple of months.

It's definitely a scalable solution. Almost all of the users in my organization, close to 70,000, use this solution.

Technical support is an area that needs a lot of improvement. Microsoft does not have the right people who can help with any challenges or problems, and ultimately, we end up finding the solutions on our own rather than relying on them. They take a lot of time to work on a support case, and we can't find the right level of support as well. Therefore, on a scale from one to ten with one being the worst and ten being the best, I would give technical support a rating of four.

Neutral

We have seen a return on investment in the last few years in terms of our organization being protected against threats.

Microsoft Defender for Endpoint is cost-effective because there's one unified license, and with this unified license, you get the capabilities for your cloud applications, servers, and endpoints as well. Therefore, it saves us a lot of money because the cost with other solutions is for just one piece of OS or maybe an urban environment. The licensing process is not complex as well.

Your use cases, how your organization is configured, and what your infrastructure is like will determine whether you go with a best-of-breed strategy rather than a single vendor's security suite. From a cost perspective, I think it's better to just go with one technology because when you have two technologies in place, there may be conflicts with policies that may result in additional time spent investigating.

However, if an organization has a high number of macOSs and they have a lot of Linux servers, they may choose to go with two technologies if Microsoft Defender doesn't provide a complete set of security capabilities.

Before you implement the solution, first see what your use cases are and what you're actually looking for. Then, define your environment and what you're going to protect first, whether they be application servers or just endpoints. Then, you can have a detailed discussion with the implementer or vendor.

On a scale from one to ten, I would give Microsoft Defender for Endpoint an overall rating of seven.