Microsoft Defender for Endpoint Reviews

Microsoft Defender is a Windows platform that can be integrated with various solutions. It has a complete dashboard that gives us clear visibility into the total security of things, the endpoint devices connected, and their status. It also gives us information about who has been logged in and at what time. Compared to other solutions, Microsoft Defender for Endpoint gives us more visibility and threat analysis reports.

Microsoft Defender for Endpoint has improved my security score very well. Since it is a fully automated solution, all false positives have been ruled out for me. The investigations provided by the dashboard have compliance functionality and are useful for auditing purposes.

The solution's latest features for threat analysis are updated to provide us with future protection against the latest threats worldwide. It allows us to prepare from our side for the worst scenarios so that the business operations would not be affected.

Microsoft Defender for Endpoint should include better automation that will make it faster to detect the latest threats happening across the world. The solution should also generate an automatic report for any investigation before I generate a report. The solution's cost could be improved as it is an expensive tool.

I have been using Microsoft Defender for Endpoint for four years.

Microsoft Defender for Endpoint is a highly stable solution.

Microsoft Defender for Endpoint is a scalable solution. We have around 3,000 total endpoint devices with two administrators, and we have plans to increase the usage.

The solution's technical support is good. We were able to get proper support from the technical support team.

Positive

The solution’s initial setup is easy.

The solution’s deployment took almost three weeks. Two network engineers and I ensured the configuration of the group policies. We ensured that all the inbound and outbound traffic was properly configured and implemented.

We have seen a return on investment with Microsoft Defender for Endpoint.

Microsoft Defender for Endpoint is an expensive solution.

Before choosing Microsoft Defender for Endpoint, we evaluated other solutions by Azure. We chose Microsoft Defender for Endpoint because of its better functionalities and capabilities.

The solution provides us with clear visibility. We have a clear dashboard analysis, and we don't need to worry about the changes we need to make as it gives a clear solution for us. Threat hunting is the best feature that gives the response to any event happening.

The solution helps me prioritize threats across our enterprise because I'm able to map all the devices across my enterprise. It is improving my security score compared to the earlier one. Compared to our earlier endpoint protection solutions, we have a good edge over the mapping we have with Microsoft Defender for Endpoint. Any new devices getting added to our ecosystem are getting secured in a better way.

We use more than one Microsoft security product. We have integrated all of these products, and it was easy to integrate them.

The integrated Microsoft security solutions work natively together to deliver coordinated detection and response across our environment. This is very important for us because we follow a framework where protection, detection, response, and recovery have to happen in a seamless manner.

Microsoft security products give visibility into the information about the latest threats happening across the globe. This gives us awareness and helps us to be well-prepared before the attacks.

We use Microsoft Defender for Cloud, and we make use of its bi-directional sync capabilities. Microsoft Defender for Endpoint has both on-premises and cloud capabilities.

We use Microsoft Sentinel, which enables us to ingest data from our entire ecosystem. We have different types of endpoints. The ingestion of data gives more data and more credibility to the logs, which makes my environment more secure.

MS Sentinel enables us to investigate threats and respond holistically from one place. It provides vulnerability management and threat detection so that we'll be able to see different logs and parameters. Normally, the threat collection, detection, and response are very much important for an organization.

MS Sentinel’s built-in SOAR and UEBA are different higher-end functionalities with artificial intelligence that provide a secure environment for any platform. It can analyze more volumes of data.

Compared to MS Sentinel, SOAR solutions are more costly.

Our Microsoft security solution helps automate routine tasks and help automate the finding of high-value alerts. It gives us a clear investigation report to find the RCA appropriately, thereby speeding up our response time.

Our Microsoft security solution has helped eliminate having to look at multiple dashboards and given us one XDR dashboard. I can integrate all my security parameters into one dashboard, and looking for the management review is easy for me.

The solution’s threat intelligence helps prepare us for potential threats before they hit and to take proactive steps. It alerts me immediately from which IP the threat is coming so that I can block that respective port immediately and prevent it from entering my network.

Our Microsoft security solution has saved us time by making the operations faster and reducing the response time. The solution has saved me almost 15 days in a month.

Our Microsoft security solution has saved us money by providing a single integrated solution and eliminating the need for different security solutions.

The solution has decreased our time to detect and respond. The solution has enabled me to act quickly on any issue before it hits me.

Microsoft Defender for Endpoint is a one-stop solution for your protection, and it gives overall visibility of your endpoint devices. You can easily add on the devices whenever the enterprise is growing.

With Microsoft Defender for Endpoint, you can club your endpoint protection, email protection, network protection, and application protection and ensure they are in good hands. We can handle anything regarding security operations, investigations, or complaints from a single point.

Overall, I rate Microsoft Defender for Endpoint a nine out of ten.

I am a SOC analyst and I use Microsoft Defender for Endpoint to investigate endpoints in our environment and malicious activity.

The visibility into threats that Defender provides is excellent. The logs I receive are quite comprehensive, allowing me to see what is happening on each endpoint, including the running processes and generated alerts. It does a pretty good job of detecting when certain events occur, which helps me stay attentive to potential issues. Overall, it offers significant visibility.

Defender does a good job in helping to prioritize threats across our entire enterprise because it provides me with context by distinguishing between high and medium threats.

We also utilize Azure Sentinel, Defender for Cloud Apps, Defender for Identity, and Office 365. These solutions are integrated together, and whenever one of them receives an alert, it is sent to the main alert queue. I would give the integration an eight out of ten.

Sentinel allows us to collect data from our entire ecosystem. We primarily use it for the network firewall logs, but it can also handle other types of logs.

Sentinel does an excellent job of providing us with comprehensive security protection and visibility into security alerts and incidents. It informs us about policy violations, such as foreign user sign-ins and sign-ins from multiple or different devices, among other things. Therefore, it offers greater visibility beyond just phishing alerts.

Microsoft Defender for Endpoint has significantly improved our organization by identifying the activities of individual users and effectively hunting for any threatening activities they might engage in. For instance, if a user downloads a malicious file or clicks on a malware-infected link, the software can promptly detect and mitigate the issue on the server.

Defender helps to automate routine tasks and the identification of high-value alerts. Sentinel aids in the automation process by allowing me to address the issue of numerous false positives. Specifically, I automated the handling of certain false positives that originated from a particular IP range. This IP range was generating false positives due to a flagged server, even though the server itself was not actually malicious. In such cases, Sentinel proved to be beneficial as it facilitated the automation and removal of unnecessary noise.

Microsoft Defender for Endpoint has helped save us the trouble of looking at multiple dashboards by providing a single XDR dashboard.

Microsoft Defender for Endpoint has been instrumental in saving us time, especially by identifying true positives instead of wasting time on false positives.

I enjoy using the live response feature, which allows me to remotely access different endpoints and investigate malicious files, such as malware that people may have downloaded, and other related issues.

Threat intelligence has the potential for improvement, particularly by integrating more sources. This will enable us to accurately identify when a domain or an IP is malicious. If we could obtain information from external sources, it would reduce the need to use different open source tools to verify whether a domain or IP is malicious or not.

I have been using Microsoft Defender for Endpoint for a year and a half.

Microsoft Defender for Endpoint is stable. I have only experienced one crash.

Microsoft Defender for Endpoint proved to be scalable in our environment, supporting over 500 endpoints.

I have also used Splunk. Splunk is more modular and portable, allowing us to integrate it with a wide range of different tools. In contrast, features of Defender and Sentinel, such as those provided by Microsoft, do not integrate well with as many other options.

I would rate Microsoft Defender for Endpoint a nine out of ten. It provides me with greater certainty regarding malicious activity compared to Splunk, which demands much more analysis. Defender for Endpoint performs a significant amount of work in terms of identifying and validating malicious elements. This saves us from having to read and interpret a large number of logs. It takes care of the interpretation and conducts about half of the log analysis on our behalf.

I still have to conduct threat intelligence on my own, such as open-source intelligence. I don't automatically search VirusTotal for things, but I still end up doing my own source searching.

It's an AV and EDR. The AV is integrated with the OS and, once you onboard the devices through a portal, it also functions as an EDR.

The main reason it has improved our organization is that it is integrated with the entire Microsoft 365 suite. We get a lot of functionality and a centralized way of operating or controlling all the devices in the environment.

The solution automates routine tasks and the finding of high-value alerts. That helps a lot. I worked with a different product before and, if we wanted to check if a specific application was affecting our organization, we had to get the application details and then search in the EDR console or on the devices for those application details. But with Defender for Endpoint, you can simply put the application details in a query and run it, and that becomes a customized detection. I don't need to check for the same application again and again. I can get an alert whenever it pops up again.

There is integration with all the products, whether Defender for Cloud or Microsoft Purview or Office 365, so we have a centralized console. There is a sync so that you can get all the alerts in different portals on a single portal. That consolidation makes things easier because we don't have to navigate to multiple portals to check for all the information. Before, we used to only get basic details, like the title or the category of a particular alert. But now, since it is also syncing with Sentinel, we don't need to go to the Defender portal. We can view the entire alert story and related devices, or potentially affected devices, and which devices could be the next targets.

Another advantage is that the threat intelligence helps us proactively prepare for potential issues before they strike. There is an option to check for vulnerabilities and that is not only limited to our organization or the license we bought. We have one filter that will show all the potential threats in the market or that other customers might have reported. We can view them and the steps they have followed. There are all the CVD details that are not affecting our organization, things that are still new in the market, and it will give the remediation steps for them as well.

In terms of deployment, management, and manual efforts, it has saved me a lot of time. Previously, I would review each alert. That meant, during a given week, that I would be on alerts for three or four days, and only then would I go on to other things. It has saved me a couple of days a week because of the automation and auto-suppress rules, which are configured to automatically resolve an alert and trigger an email to me that the alert has come up and the action has been taken.

Because it has been integrated with the OS, we get the entire software inventories, and we even get access to the registries. Those are the primary features. We also have something called advanced hunting, which uses SQL tables to list out all the details of the device and that is also used for threat hunting.

Defender for Endpoint also helps prioritize threats across our enterprise, and we have an option for customized detections, which is an additional feature that differentiates it from other products. The customized detection helps us identify threats.

I would like to see improvement from a management perspective. We have had to depend on Intune for certain tasks.

I would also like to see additional features related to device control. For now, it has all the common features that other EDR and AV products offer, but device control is missing. Device control means automatically syncing the devices without any dependency on other products, like Intune, SCCM, or even Azure. If it could sync between products after only adding it to one product, that would be great.

I've been working with Microsoft Defender for Endpoint for close to one year.

It is stable.

It is also scalable. 

Since it's an AV and EDR, you can use it at any location and on all the platforms, including Android and iOS.

Support depends on the support contract you have. The Premier support contract is comparatively efficient.

I would rate their support at eight out of 10. Sometimes, because they have multiple teams, there could be a delay with a ticket going to a wrong team. But once it is routed to the correct team, we get good support.

Positive

I worked with one similar solution, which was VMware Carbon Black Cloud. Defender for Endpoint has the advantage because Carbon Black is a third party to the OS. That is going to create a lot of additional work to manually deploy things, check the installation, see if it's parsing. There could also be compatibility issues. Because Defender is integrated with the OS, you don't need to do those manual tasks to install the product or work through the compatibility issues.

It is pretty straightforward to deploy. There isn't any manual effort, even if you are a new customer and migrating from a different product to Defender. All you need to do is get a license and the credentials to log in.

In the back-end, if we were to deploy the new tenant, it would be on Azure, and there are a series of steps to follow, nothing complex. It's just a GUI. You just need to give the device count and the geographical location. It takes four to five people for the deployment. 

Once the deployment is done, you don't need to constantly monitor it, but four people would be good for operations: two people to manage the devices and configuration, and the other two to review the alerts that are coming and analyze the vulnerabilities. Once a month you should review and update the software. Other than that, there is only maintenance when there is an issue. The signatures are updated automatically.

You can manage the devices on-prem, but if you want the EDR solution, it's completely cloud. You still have the option to control the devices on-prem through SCCM or any other integration, but ideally, it's cloud-based. The back-end portal is on Azure, but the console or tenant for users or management is a different portal. It's not on the Azure portal, it's a different URL.

The time it takes to see benefits depends on the end-users' requirements or which products they want to integrate it with. In my case, after two or three months I felt like I had found the good things to integrate it with and had a centralized way to manage them.

The solution has saved us money compared to the other products we use, but it depends on the situation. If there are multiple integrations, you have to get the licenses for those as well. But in our case, comparatively, we have saved money.

We did consider other options, CyberArc and Trellix (which is the new name for McAfee products). But the ease of using Defender for Endpoint and the reduction in manual efforts are why we went with it. Also, collecting and reporting on the data was easier.

The visibility into threats that the solution gives us is the same as other EDR products. But one advantage I have noticed, because I have experience working with a couple of other EDR products, is getting the complete device registry information. If we want to query anything or look into the complete alert or vulnerability details, we can get to the core. We don't need to depend on getting access to the device. We can do it from a centralized console.

I've seen a lot of people saying that they are looking for feature X but it's not there in the product. Most EDR products function in the same way, but they call features by different names. My advice would be to consult with Microsoft's Fast Track support engineers. They can guide you and explain every feature. Go for that first and then implement it.

I would definitely recommend Defender for Endpoint because going with a third party would require a lot of maintenance. For smaller companies, Defender for Endpoint would be more cost-efficient than requiring more headcount to do more maintenance.

I used MDE to investigate individual alerts. We were able to initiate AV scans on devices from MDE. That was our normal practice as soon as we pulled up an alert. My understanding was that it wouldn't slow down the throughput or the productivity of the endpoint device. We could theoretically isolate the device via MDE.

We also used Cloud App Security, Microsoft Defender for Cloud, and Azure Sentinel. At my last two organizations, they were in the process of moving from Splunk to the Microsoft security suite. It was standard procedure for us to install MDE on Microsoft Defender as the endpoint solution for every device. We didn't have anything on-premises.

I have experience with Microsoft Sentinel. We were transitioning toward using that as our SIEM. They encouraged us to learn the Kusto Query Language, which is extremely useful.

My organization was in the process of using Sentinel to ingest data from their entire ecosystem.

The solution was deployed across multiple departments and multiple locations in North America. It was deployed on a private cloud.

MDE eliminates the need to look at multiple dashboards, given it has only one XDR dashboard. It has a good user interface for looking at campaigns and the big picture as opposed to just one incident. They also have good graphics.

MDE decreased the time it takes to do detection and response. It allows us to quickly look at the timeline and see what caused the alert. In my organization, they wanted to know what caused the alert, not just whether or not it was a false positive. 

If there is malware on a device, they wanted to know how it got there. If there is malware on the device from another device in our environment, that is a huge deal. If someone clicked on something in an email or went to a suspicious website on their own, that is extremely important to determine quickly in our environment. It's very helpful to determine the level of the threat.

The investigation aspect is the most useful. It's user-friendly and has a good user interface. There's a universal search bar at the top of MDE. Plugging in the hostname brings up the page for the host. From there, we can see any alerts and an overview of the host, who it's assigned to, and who is logged into it.

I usually quickly go straight to the alerts tab and start investigating the alerts. It has a really great timeline function on it. It shows everything that occurred on the device and any connections it made on the internet or with other devices on the network. It shows activities like who logged in and who logged off. I could pull all of that through the timeline and figure out what happened and why it happened. The investigative capabilities are really good.

MDE provides pretty good visibility into threats. I would give it an A-. Overall, I was pretty impressed by it.

Sentinel enables us to investigate threats and respond holistically from just one place. Sentinel's security protection is pretty good. We had some alerts that we considered for a potential campaign. There were some instances when we had the AI perform an investigation for us, and it was pretty comprehensive.

MDE helps automate routine tasks. This was at a level higher than mine, but the automation seemed to work well for them. They had some queries and other tasks that they would schedule and set up alerts for.

MDE has also saved us time.

One of our main problems in cybersecurity is dealing with noise. If you look at the logs for any device over a 10-minute period, it's just too much information. The timeline on MDE is very good at whittling down the noise to find the answers to our questions.

I would like MDE to have the ability to isolate a certain amount of time on the timeline. Splunk has a better UI when it comes to isolating a certain amount of time. I need to know exactly what happened two minutes prior to and two minutes after an incident. I don't need to see half an hour's worth of information.

With Splunk, the UI is perfect. With just a couple of clicks of a button, it'll show us 30 seconds prior to and 30 seconds after an incident. The timeline for MDE is more difficult to understand.

After a failed log-in, Splunk shows when the event happened on the timeline down to a thousandth of a second. Theoretically, we could do that with the Kusto language, but that would mean changing the query every time. It's just not as user-friendly as it could be.

I used MDE for two years.

The stability is great.

I used Carbon Black and McAfee ePO in my previous organization, but they were in the process of moving everything to the Microsoft security solution.

Splunk was our main SIEM and alert system. It pulled alerts from different sources. When we received an alert, Splunk would quickly give us basic information, and then we would go straight to MDE. We received a lot more information from MDE's alerts than we did from Splunk.

I didn't spend a lot of time with Splunk. I normally input the hostname of the affected device that triggered the alert. I pulled all of the information from there, like the timeline of the event, the IOCs it had spotted, the name of the alert, and all of the other details. From there, I did a full investigation of the alert through MDE. I was very impressed with MDE. It gives great details, and it's very easy to use.

We didn't have dedicated personnel for any problems. We purchased full support with the license. Setup wasn't flawless, but there weren't any major issues.

I would rate this solution as eight out of ten.

If you have the money for it, I would recommend the Microsoft security solution.

I would recommend a single-vendor strategy if you have the money for it. I believe in defense in depth. Regarding endpoint protection, I think it's better to stick with one vendor. In my previous organization, they had conflicts between MDE and McAfee. McAfee would read MDE as a virus, and MDE would read McAfee as a virus.

The problem with endpoints is that if you have more than one solution, each of those solutions will see the other guy as a virus or potential virus. When it comes to endpoint protection, I would go with a single vendor.

In an enterprise setting, I use the product to protect workstations, and more recently servers, from all sorts of threats, including malware, viruses, trojans, etc.

Defender for Endpoint gives us greater visibility. Cybersecurity professionals always need that because what we don't see can get us into a lot of trouble. We also need visibility to be easily applied across platforms and with an improving ability to gather information from Linux or Mac-based end platforms. AWS and Google Cloud give better visibility, which we need from a security standpoint.

The other Microsoft security products we use are Defender for Cloud Apps, Defender for IoT, and Defender for Cloud.

The integration is pretty straightforward. It depends on a company's licensing and deployment team, and Microsoft makes it simple to integrate multiple solutions. It is easy to integrate into a test environment, though it depends on the infrastructure and networking team because they have to carry it out. Each company has different solutions; whether they are entirely cloud-based, on-prem, or hybrid, there's a lot of flexibility. Depending on the package, Microsoft is usually very helpful and available to assist with implementation and integration.

Coordinated detection and response between the solutions are essential. Depending on the company and its capabilities, it can sometimes be challenging to bring different tool sets to bear. For example, integrating endpoint protection, XDR, theme tools, CASB apps, and security from different companies can be very tricky. What Microsoft is doing in terms of easy integration makes their product an easy sell because it's critical to spend time doing the work of security rather than worrying about and dealing with integration. 

Threat protection is extensive; it covers most of the concerns we face as a company. I have limited experience with the IoT side, although I'll be working with that soon. Microsoft is thinking ahead and looking toward the future of protection, and I think they're on the right path. The comprehensive threat protection is there, and that results in a steep learning curve because an organization may have a whole bag of tools, some of which they may not use or need depending on the size of the enterprise. The extensiveness is impressive, and Microsoft is doing the right thing in attempting to cover all threat avenues. The necessary side effect of trying to cover every threat is not being the best in class at dealing with any one threat; more of a jack of all trades, master of none. It also increases the learning curve for analysts.  

The threat-hunting service is very useful for a security professional.

The ability to fine-tune specific policies to protect our enterprise is also advantageous.

The increasing deployment availability on different platforms and OSs is a good functionality.

Seamless integration with the Microsoft SIEM tool and other tools such as Splunk and Sentinel is excellent.

Defender for Endpoint provides good visibility into threats, and there is always room for improvement.  

The tool allows us to prioritize risk factors and fine-tune those based on our requirements as a company. That's extremely important because different companies face different threats from an enterprise point of view. Everyone is concerned about phishing, but only certain companies deal with personal health information, for example, and those dictate the security priority landscape. This functionality is one of the essential elements in an endpoint solution.

In Defender for Endpoint, we can create a certain alert logic to alert us on either high-value assets or individuals. With Sentinel integration, we can develop playbooks for the tool, which helps us gather the information for an investigation or automate a lot of threat intelligence searching. Endpoint has its standalone functionality in this respect; Microsoft does a good job providing sufficient threat hunting in each tool in case a customer only has one. Overall, the solution's threat-hunting and investigation resources are extensive.  

Eliminating multiple dashboards saves time. It may save between five and 30 seconds, but at the end of the day, if I've done eight investigations, that's minutes saved each month. That adds to hours of work saved by not having to deal with multiple dashboards.   

Our time to detect and respond decreased; even a few minutes saved by not searching through multiple dashboards helps. Threat intelligence also informs the end user if a website or link has a bad reputation. These features help reduce the time we spend investigating an incident or alert.  

My main issue with the tool is that there are too many menus. This causes a steep learning curve for those without training or unfamiliar with Defender for Endpoint. From an end-user perspective, the solution is there on the machine and does its job; it works seamlessly. However, as a security professional dealing with it behind the scenes, the learning curve can be steep, but not too steep. Still, it has taken some of my analysts up to a month to get familiar with the product.

Microsoft is slow to act on improving the threat intelligence elimination of false positives. They have a feed of indicators of compromise, which they are constantly updating, but some of the category intelligence is sometimes off base. Microsoft is working to improve that, but threat intelligence is vital; it's there, usable, and requires some fine-tuning and adjustment. That's good, although automated threat intelligence has room for improvement.

Threat intelligence is an area Microsoft needs to improve on; if a company only has Defender for Endpoint, that's their single point of truth regarding threats. Therefore, the tool must provide as much threat intelligence and automation as possible. Defender and Sentinel offer more options, but companies with only Defender need it to be improved.

A significant area for improvement is better integration with other tool sets in the industry. The solution integrates well with other Microsoft products, but only some environments have those products or the flexibility to adopt them. Microsoft Defender for Endpoint needs to integrate with different systems, for example, Cisco or other firewalls. Better integration with more cloud vendors would also be excellent, as not everyone will have Azure.

I've been using the solution for over 15 years. 

The solution is very stable, and that has improved with time. It used to be hard on the workstations, but we experienced those issues eight years ago. Microsoft always came out with a patch within a week or two, which would fix the problem. Nowadays, the tool is very stable; the only potential issue is if something happens on the cloud end, as the dashboards are cloud-based. That's something I've yet to personally experience, though.

The scalability is there, and there's always room for improvement. I need to incorporate more outliers, but the solution is easy enough to deploy that I can quickly onboard many workstations or servers. The product is an eight out of ten in terms of scalability.

Customer support responds rather quickly; it depends on the service level agreement, but they are pretty good about getting back to us and following up on any issues we may have. 

Positive

Most of the companies I've worked for used Defender for Endpoint. I have used different SIEM tools like Splunk and briefly used QRadar a long time ago.

I was involved in the deployment planning, but different teams did the actual deployment. I understand the deployment to be easy. 

In terms of maintenance, the solution requires updates from time to time, which are handled by the infrastructure team.

I would rate the solution eight out of ten. 

The infrastructure team has bi-directional sync capabilities set up and running well. It's essential when it comes to having hybrid cloud solutions and cloud solutions from different vendors. Various systems need to have seamless communication and shared issue reporting.  

Microsoft is increasing its data connectors, which is very helpful for ingesting data from different feeds, though some elements aren't fully fleshed out yet. How much data needs to be digested depends on the enterprise; every SIEM tool has a price to pay for how much data is ingested. The simple answer is that Sentinel allows us to ingest a ton of data, and that's vital. If we can't see a threat, we can't detect it and protect against it.  

Sentinel enables us to investigate and respond to threats from one place, which is very important for us. This is an area Microsoft has improved because we used to have to go to three different portals for our security picture. Now, everything we need to find can be seen in one pane of glass in Sentinel, whether we are looking at alerts or incidents.  

The comprehensiveness of Sentinel's protection depends on an organization's security program's maturity and capacity to leverage the solution. There's room for growth, but Microsoft is making good strides in the machine learning and AI portion of its product. The setup and fine-tuning of the tool play a significant role in how smoothly SOAR operates and whether it fulfills an organization's specific requirements. The default playbook may not fit with needs precisely, and staff with knowledge of Kusto Query Language are necessary for fine-tuning. A certain level of expertise is required to leverage Sentinel's sort and machine learning capabilities fully. 

I don't know how much Sentinel costs as I don't see the bills, but the biggest standalone SIEM and SOAR competitor is Splunk. Splunk does a better job but is also much more expensive; people often complain about the cost. I can't compare the value and pricing of the two as I need to know precisely how much they cost. Splunk is supposed to have changed its pricing model to become more affordable recently, and I wonder if Microsoft did the same with Sentinel. However, because Sentinel integrates with other solutions an organization may already use if they're a Microsoft shop, it makes it worth the price.

When it comes to a best-of-breed versus a single vendor security suite, it depends on the people higher up in the organization and usually comes down to cost. Everyone wants the best of the best, but only some companies are capable or willing to pay for that because it can be costly. Microsoft is trying to provide a pricing model that encourages customers to use a suite that seamlessly integrates with Windows and server OSs and increases integration with Linux and Mac OSs. That can provide a better ROI than getting the best of the best but having limited visibility and integration with other tools and the network. Microsoft leverages the security suite model as its selling point, and it's working for them. 

I advise potential customers to read up on the community boards and look into their specific needs. Defender for Endpoint is a good competitor for those looking for an EDR solution, and for those looking for a complete security suite, it's one of the better choices. The tool is competitive, but there are other choices if a company wants the best. Microsoft Defender for Endpoint is in the top three, only considering EDR, but for those looking for a line of products to protect their company and thereby make some savings, it's one of the premier choices.

It provides good visibility in terms of the number of devices covered, users covered, and so on. With most people working from home for the past two years as a result of the pandemic, Microsoft has helped us improve our security. Because it's a cloud component, we have been able to have improved coverage for our remote users, which was a challenge when we were using traditional endpoint protection solutions. Microsoft Defender for Endpoint has enabled us to secure devices even when they are off of the organization's premises. It has added value to our organization and has helped improve and mitigate security risks across the organization.

I like the fact that it's prebuilt onto Windows and that it integrates with various solutions.

The Microsoft Defender for Endpoint dashboard gives you a very wide view. If, for example, a device is having some malicious activity, it will tell you who has logged into that device and the history of the activity such as whether the activity began because that particular user clicked a malicious link in an email. It is able to do this because Microsoft Defender can connect to the whole Microsoft 365 ecosystem. Thus, it can provide more visibility as compared to a standalone endpoint solution, which will only give you visibility with regard to the information collected on the client in which it is installed.

It provides a detailed level of visibility considering that it's prebuilt onto Windows. It's able to drill down into the processes, such as the DLL files that are running and the installation files from where the threat is emanating. It gives you a deeper threat analysis in comparison to that of other solutions I've worked with. Microsoft Defender is able to provide details such as whether it is a malicious file, the process that is executing a particular file, how it is initiated, the process number, the particular execution file that is running, and so on.

When it discovers a threat, it has its own inbuilt capabilities to prioritize the severity as low, medium, high, and critical. You can also intervene and assign a particular priority to an incident if the priority was not what you expected. Microsoft Defender gives you visibility not just from a threat perspective but also from a user perspective, for example, to identify the most high-risk users in an organization. It gives you the ability to prioritize the riskiest users and devices.

We use Azure AD Identity Protection, Windows Defender for Cloud, and Microsoft Defender for Office 365.

It is easy to integrate these solutions because Microsoft Defender for Endpoint gives you a central view of all of the security components in the organization. We have integrated these solutions to have one central dashboard.

Having one XDR dashboard has eliminated the need to look at multiple dashboards.

In terms of these solutions working natively together to deliver coordinated detection and response across our environment, Defender for Endpoint works natively well on its own Defender for Office 365. The full integrated visibility doesn't come natively enabled by default. As an administrator, you have to figure out where the configuration is and enable that configuration so that the events are captured by one solution and pushed to the central dashboard for security.

Microsoft has come a long way in terms of security and comprehensive threat protection. They've done quite a lot to mature their solutions. It's hard to find one vendor who covers your email security, cloud security, and endpoint security, giving you central visibility into all of it, and Microsoft is one of the major players at the moment.

Threat intelligence helps us proactively prevent attacks before they happen. Defender can pick up an activity that is happening across other tenants in the organization. You can then look at what controls you can put in place to prevent it from happening in your own organization. It's better to prevent an attack rather than to stop one that is already happening. This approach allows us to proactively put measures in place and be ready to respond in case an attack does occur. It keeps us more alert and prepared.

With Microsoft Defender for Endpoint, you can automate some of the incident response actions. However, we do have false positives that are picked up, and automation needs to be done sparingly. Automation of routine tasks does free up our admins, and they can focus on more strategic initiatives and improvements, and leave the day-to-day administrative duties to the system.

This solution has saved us time in terms of providing centralized visibility and not having to onboard agents when deploying. It has made management a bit easier because it can be accessed from anywhere and has made it a bit more convenient to manage the whole Endpoint protection activities. Our team is still quite lean, and the time spent on EDR activities has probably reduced by about 50%, freeing us up to catch up on other activities that we're following up on in the entire information security program.

Microsoft Defender for Endpoint has decreased our time to detect and our time to respond. Proactive alerts help you send notifications before something actually happens. That means you have more time at hand to quickly detect threats before they happen. If they do happen, it gives you all of the information you need to be able to quickly respond compared to traditional EDR solutions for which you may need to look for VPN production to access your tenant. The ability to automate the responses has also decreased the time it takes to respond to an incident by about 50% because even before the notification is received, the system would have begun to take the action that you had configured for the automation. That is, the response will begin without your intervention.

Automation is one of the areas that need improvement because if you fully automate, then there's a high chance that you're going to be blocking a lot of actual false positives.

With the XDR dashboard, when you're doing an investigation and you're drilling down to obtain further details it tends to open many different tabs that take you away from your main tabs. You can end up having 10 tabs open for one investigation. This is another area for improvement because you can end up getting lost in multiple tabs. Therefore, the central console can be improved so that it does not take you to several different pages for each investigation.

Microsoft keeps changing the name of the solution, and when we go to senior management to ask for a budget, they think you're asking for a different solution. It would be great if Microsoft could decide that Defender for Endpoint is the name and stick with it.

I've been using it for three years.

It's quite stable.

It's very easy to scale because it comes built-in with Windows 10, and you just need to enable it. This can be done on scale using group policies or through Endpoint Manager on cloud or Intune.

We have about 5,000 users.

The technical support is okay, and I would rate them at seven out of ten. It depends on the level of support that you have with Microsoft. If you have enterprise support, you'll get dedicated support, and your issues will be resolved much faster. That is, if you're able to pay for premium support, you'll get good, faster responses. If you have normal support, however, it may take a bit longer to get someone to look at an issue.

Neutral

We previously used Kaspersky Endpoint Protection. One of the reasons why we switched is the fact that traditional endpoint solutions tend to be monolithic. They usually run on an on-premises infrastructure. As a result, you have to deploy agents to all of the machines and to manage them, you have to be on the company's network or be able to access it through VPN. Also, those who work remotely will need to log into the VPN to receive updates. Often, those who don't need access to internal systems will go for months without logging into the VPN, which means that they will not pick up the updates.

We were also looking for a solution that was more cloud-friendly because the organization was moving towards the cloud with the emergence of remote work.

The initial deployment can be straightforward if you have Windows 10 Enterprise Professional because it will come preinstalled. All you will have to do then is to enable it. In our case, we wanted to enable a particular GP and encountered some complexities in terms of connectivity. It took us about six months to deploy it.

It's a SaaS solution, so you don't require much effort in terms of deployment. Once installed, there's very little maintenance required. We don't have to upgrade any agents; it's straightforward. It mainly requires administrative work from the console.

Our environment is across multiple branches in the organization with branches in different locations and countries.

We had a team of three with someone to configure the group policies, someone to look at the admin center on Microsoft, and someone to ensure that the traffic is allowed.

Because Microsoft Defender comes as an add-on, it can be a bit expensive if you're trying to buy it separately. Another option is to upgrade, but the enterprise licenses for Microsoft can also be quite a bit pricey. Overall, the cost of Microsoft Defender compared to that of other endpoint detection solutions is slightly higher.

If you have a big team, then you can go with a best-of-breed strategy where you have dedicated teams that are looking at your endpoint protection, email protection, network protection, and so on. You may have a SOC team as well that gets the events and incidents from all of the different teams, analyzes centrally and provides a general view from a security operations perspective. In summary, if you have a well-resourced, mature organization, then it may make sense to go for the best-of-breed strategy.

However, if you have an organization without a big security team, it makes sense to have a single vendor's suite. At times, it may appear to be a single point of failure, but in terms of management and usability, it's a bit easier to work with and deploy. It will give you some level of visibility that will cut across the different domains.

Overall, Microsoft Defender for Endpoint is a good solution, and it'll give you good visibility and protection. It's worth considering, and I will rate it at eight on a scale from one to ten.

I'm a security coach with multiple clients. I provide security implementation, planning, and maintenance through Microsoft Defender. I use all the Defender products, including Defender for Identity, Defender for Office 365, and Defender for Cloud. 

It's easy to integrate the solutions. You only need to go into the settings and switch on the connectivity to all the Defender for Endpoint connectivity telemetry. Microsoft documentation is thorough, and it walks you through all the necessary steps.

We're multi-client and multi-cloud. We're working with multiple organizations and departments, so it's complex. We have domains and sub-domains that we must account for on the deployment side. We also use Defender for ATP, which is the Defender for domain controllers.

Defender for Endpoint helped to bridge the gap with remote workforce solutions because it protects managed and unmanaged devices. It's also easier to use because Defender for Endpoint is cloud-managed, so it stays maintained and updated. It has a leg up on competing solutions that require more system resources and maintenance. 

The tight integration with Microsoft operating systems is another advantage because it's easier to manage. It also goes beyond Windows OS. Defender for Endpoint supports other platforms and operating systems, such as Linux, iOS, and Android. I like that Microsoft is expanding the product's scope beyond Microsoft operating systems. Microsoft is developing a holistic approach, so you don't need a third-party product to protect these other non-Microsoft platforms.

Defender helps us to prioritize threats across the enterprise. The weighted priorities are based on all the MITRE security standards. Defender products work together to provide comprehensive protection. I agree with the placement of Defender Products on Gartner's Magic Quadrant. Defender is a leader in that area of threat protection. I'm pleased with the outcome of a lot of the investigations. I can protect and harden areas that didn't usually didn't have that level of visibility and granularity. 

Defender integrates with Sentinel, enabling me to ingest data from my entire ecosystem. Sentinel also covers non-Microsoft products with the third-party connectors that are provided. I enjoy that part of the Sentinel functionality and feature set. It has several features for aggregating the log data and analytics for the on-premises environment. Having that visibility is crucial.

Sentinel provides the SIEM and the SOAR capabilities, offering a single pane of glass for all of the security operations centers and providing on-site reliability for many of my clients. Sentinel is Microsoft's answer to competing tools such as Splunk and other log application tools. Sentinel seems to provide more added value from the ease of use and visibility. The licensing is also competitive.

You can set up Sentinel to forward alerts if you want to create a managed Cloud environment solution for Sentinel for a client. There's a way to set that up through Azure Front Door. You're seeing the data reporting and single pane of glass for other tenants and customers. It enables you to offer security as a service to maintain visibility for clients.

I like that it considers the status of a device (whether the device is online or offline, VPN or not, etc.) and provides several options for telemetry, depending on where and how the device is being used. It gives a lot of flexibility with the installations, maintenance, and management of the Endpoint solution. In addition to Defender for Endpoint's feature set, other parts of device management reduce the attack surface and protect those devices.

Defender's automation features have been a significant advantage with many of my clients because the remediation has been automated. Most of the time, it doesn't require any human intervention unless there's something that hasn't been set up. I must demonstrate the automated investigation and remediation to my clients to ensure their environment is automatically protected on weekends and after business hours.

The single pane of glass is vital to us as security consultants and our clients, who need a high level of visibility. You can go into the high-level executive dashboard view and drill into each telemetry graphic to provide you with more granular data. I see how easy it is to see the big picture and effortlessly drill into the details using the side navigation menus and more.

Consolidating things into one dashboard streamlined them significantly. When working with multiple tools and vendors, you typically have to stitch the reporting together to get an overarching view of everything. It's time-consuming. By the time some of these tasks are accomplished, the data starts to get stale, so you need to refresh and create an all-new view again. Having real-time capability in a single pane of glass is essential.

Defender Threat Intelligence helps us develop a forward-looking approach to threats and plans. That's one aspect of the product I find incredibly helpful. It will highlight things that may require intervention, such as turning on conditional access rules or setting up some geofencing for anything that looks like it could be a password spray attack from a known location that we can block. 

There are opportunities to turn off any legacy protocols that may be in use. That's been a common thread with some of my clients who still use legacy protocols for sign-in and authorizations. The ability to do that has been a considerable help proactively.

You don't know what you don't know until you know. The continual flow of real-time data and analytics from Defender products helps create a security roadmap and harden many areas. With improved visibility, we can build a better roadmap to harden those areas by prioritizing and doing things methodically. Previously, we were guessing what to do next or what would be most important based on an educated guess. Now, we have data to guide our security decisions.

Microsoft Defender has saved us hours and hours. It has probably paid for itself many times over. I would agree that it has saved a lot of time and money. I estimate it probably saved us the equivalent of two people working full-time. You typically have at least one person overseeing on-premise resources and another dedicated to cloud resources.

In my opinion, the most valuable aspects are the reporting analytics and integration with Sentinel. Defender does an excellent job of correlating the different entities that comprise threat analysis, analytics data, and log analytics. It helps to piece together investigations into any exploit or malicious activity within a specific tenant. AI and analytics tools are probably the most valuable components.

The bidirectional sync capabilities and off-app sanctioning of the SaaS applications are helpful. The identity security posture feature set provides investigation recommendations for risky users. The heat map for locations is also handy. Defender integrates with the AIP DLP for data governance and protection. I use all of that.

There's a need to have augmented workforce capability. You need to see the data streams for client work augmentation for the security operation center and act on the information. Having data in near real-time is essential to my organization and the work we do for our clients. The built-in SOAR, UEBA, and threat detection features are comprehensive.

It always helps to have onboarding wizards. Microsoft has done a lot of work in that area. I would like to see some more refinement in the wizards to allow more diverse use cases and scenarios that help us deploy Defender globally. In particular, I would like to see more deployments considering localization barriers and networks or devices common in various regions. 

Localization is always a challenge, especially with new products you typically want. Solutions are designed to be deployed where the most licenses are being consumed, such as in the United States. They focus on US products, devices, and networks. Specialized deployments for other countries would allow for a smoother experience in transition.

I have been using Microsoft Defender for about two and a half years.

It's pretty stable. I haven't had any reliability concerns with Defender, and there have not been too many complaints from users that have to have extensive reboots or any kind of performance impact. So I would say it's pretty stable.

Scalability is built into the product. It's a cloud-managed solution, so it's capable of scaling pretty quickly as needed. You don't have to unlock another key or do something else to scale the product. It's scalable by design.

I rate Microsoft support a seven out of ten. We've opened a few Microsoft tickets. For example, we've seen some discrepancies between Defender for Exchange Online and the reporting from Sentinel. We raised tickets to determine why Sentinel's logging data doesn't match what we see in Exchange Online.

It can be slow and tedious sometimes. Microsoft has different support level agreements. If you want prompter and higher-quality support, you typically need to pay for an Ultimate Support contract. If we compare that with other companies or organizations, Microsoft is probably on par with everyone else. You don't get a higher level of support unless you pay for it.

Neutral

I've worked with all the major antivirus and endpoint protection vendors, including Splunk, CrowdStrike, Sophos, Norton, and McAfee. Microsoft's advantage is its integration with the operating system, ease of deployment, and support for the 365 Cloud experience. It makes everything easier to deploy, maintain and manage. It comes down to cost and integration. We realize cost savings because it's integrated into the E5 licensing product.

The setup is straightforward and mostly automated. You only have to intervene when you experience errors. Those typically happen on non-US systems or in other countries. For the most part, it's effortless to deploy.

We try to use the auto-onboarding capabilities that come with Autopilot. If you have new systems deployed with Windows Autopilot onboarding capability, that's going to turn Defender on with the proper policies and security parameters. 

One person is enough to deploy Defender if you have a plan and proper communication. You notify everyone that the deployment is happening and push the button. You need to let everyone know if reboots are required and the like. Other than that, it's pretty much a one-person deployment job.

In terms of maintenance, Defender is probably somewhere in the middle. Microsoft maintains a lot of automated updates. There are feature sets that come into play with things that are put in preview and you may want to see if it's something you want to turn on and try out while it's in preview. Those are the only areas that require some discussion and intervention. Most of the maintenance is automated. At the same time, you also need to be trained and aware of the updates and feature sets as they mature. You must stay on top of changes to the UI, reporting, etc.  

If you look at what we pay on average and all the potential ransomware and malware threats we've averted, we've definitely saved tens of thousands of dollars, depending on the client. Some of the bigger clients have saved millions of dollars of potential ransomware payouts because Defender products helped protect those areas of attack. 

The cost is competitive and reasonable because most of the expense is log analytics, storage, and data consumption and ingestion. They can be throttled and controlled, so they are highly flexible. Defender has a lot of advantages over competing products.

From a licensing aspect, you're not just getting a security product. You're getting a lot of other capabilities that go beyond the Defender products. You get an E5 or E3 license and some form of Defender for Endpoint included with all the other security features of the other Defender products. 

It didn't take too long to decide on Microsoft because of the integration and simplicity. CrowdStrike is probably the closest competitor.

I rate Microsoft Defender for Endpoint a nine out of ten. Defender is one of the best I've seen, and I'm not saying that as a Microsoft reseller. We use Defender and have gotten our Microsoft certifications to provide a high level of service for our clients. It's crucial to have a product we stand behind and believe in wholeheartedly. We're not getting kickbacks from Microsoft for saying or doing any of that. We use it because it works. 

I would say there's a trade-off. Once you start adding complexity to security, you're going against best practices that say simpler is better. Adding another vendor or a level of complexity is usually unnecessary. Unless there's something Microsoft completely missed, I would question the value of going to another vendor. 

Communication and planning are most important. Any time you change products or deploy something for the first time, you should test it first in a smaller use-case scenario. That will help you identify any issues with your network, firewall, or legacy applications that may be falsely identified as a threat. It's always best to test your use case scenarios in a proof of concept before you deploy it.

I worked for an enterprise client in the public sector with half a million endpoints. I'm in Canada, and that's bigger than most US companies. Defender is an endpoint agent, but it's tied into what I would call a SOC outsourcing stack. It's part of a security operations center that is getting threat intelligence, comparing that to endpoint detection and response, and feeding it all back into a SIEM.

I use either E3 or will upgrade to the E5 full suite, or will go a la carte. You can pick one or two off there, but it usually makes more sense to go all E5. Sentinel and Defender are the two things I like in E5 that I work together.

We use Defender's bidirectional sync capabilities at a high level. I'm more of a high-end security architect, so I do the conceptual designs but not the implementation. Even though I like it, I don't know if it gets implemented and used or not. As a capability, as an architect, that's a good thing to have.

Our deployment is still a work in progress, but it will enable us to mature and automate our cyber incident response and threat security posture. Defender helps us automate routine tasks and the findings of high-value alerts. That's the SOAR part we hope to achieve with the project reaches maturity.  

Defender simplifies things if you are managing a multi-cloud environment or a hybrid deployment. Instead of having 10 dashboards, you're now down to three. It creates a fabric. Do I have a single pane of glass? No. However, I have three panes instead of ten.

It can give early warning signs. I'd stop short of saying Defender protects, detects, responds, and remediates. It still doesn't do the remediate part. Defender will ultimately save time and money when we've fully implemented it. I'll find more problems, but I think the integration will save me a lot more time on the operations,  incident response, etc. It's all speculative until you're fully deployed and got key metrics to prove it.

The biggest reason I looked at Defender is that the world seems to have shifted to Office 365 and Azure in the last couple of years because COVID is forcing many people to work from home. Defender has better out-the-box integration with Office 365 and Microsoft security solutions like Sentinel, and its SIEM. CrowdStrike or other top products are excellent, but I'd still need to integrate them.

Defender is great at identifying threats on Windows and Azure products. If the threats aren't related to Microsoft, I will use something else. My view of Microsoft Defender changed significantly over the past five years. I used to think it couldn't compete with best-in-class solutions like CrowdStrike. It was like a Microsoft version of CrowdStrike. Today, I think it's on par pound-for-pound with CrowdStrike on the EDR Gartner MQ capability list. 

If you have multi-cloud like Google and AWS, the native solutions are better for those particular cases. But if you want Azure covered and you use Sentinel and Defender, you can also integrate Defender well with Zscaler. 

Zscaler is more of a multi-CSP fabric with zero trust capabilities that integrate with CrowdStrike and other third-party tools. I use Defender and Sentinel for Microsoft, but I also like that Microsoft integrates very well with Zscaler and vice versa.

The comprehensiveness of Microsoft threat-protection products is great. Five years ago, I would've said don't use it because other products are better. Today, Microsoft Sentinel by itself is a leading Gartner SIEM tool. It has advantages over competitors because of the ability to integrate with Microsoft solutions and automate continuous monitoring of Microsoft AD and Office 365 data.

Sentinel aggregates logs from everything. It's pretty good at that. If you were on Google Cloud or AWS, you would use the native products, but Sentinel is useful if you already have it and you want to use it as the central log aggregator.

Defender offers SOAR plus UEBA, and you can integrate it easily with the endpoint, making it a compelling security fabric as a SOC technology stack. I would put it in the top four along with IBM, Splunk, and maybe Fortinet as one of the better-integrated UEBA types of technology suites.

Microsoft Defender improved a lot. They weren't even on the Gartner Magic Quadrant, and now they've equaled or surpassed the leading solutions. I would suggest they continue doing what they're doing on their product roadmap and develop more SOAR. The last thing for them to tackle is multi-tenant and multi-cloud handling.

I have been using Defender for about five years.

Defender is robust.

I'm still in the early stage, but the scalability seems impressive based on my research and the size of reference clients.

I've mostly seen the pre-sales part, like doing demos and licensing. As far as doing demos and licensing. My experience with the sales organization has been awesome, but I'm not dealing with maintenance, rollover, or contract.

Five years ago, I looked at Micro Focus, ArcSight, and maybe some best-of-breed UEBA and EDR solutions, like CrowdStrike and Intercept. Business considerations led me to choose Defender. 

Security people will go for the top security solution, but executives are worried about enterprise and return on investment. They push for Microsoft security products because they've got Azure and Windows. I now agree that it also makes sense from a security point of view,

As an architect, my experience with the deployment is limited to evaluations and PoCs, and the full roll-out is ongoing. Ultimately, it's a low-maintenance solution. The payoff on automation and maturity is getting ongoing maintenance and support, training, patches, and new product upgrades. That's part and parcel of why it's a good idea.

The price was a problem for me three years ago, but they improved their E3, E5, and a la carte licensing. In other words, you have to get all of E5. That used to be a problem because you had E3, Defender, and guardrails, but you needed an E5 license to get the management suite and the analytics. 

It's more flexible now. You can switch from a la carte to the entire suite when it starts to make sense. It's becoming more economically competitive to go that route.

Defender is good enough if I compare it to the leading EDR solutions on Gartner. I would place it in the top quartile based on cyber threat intel. Cisco Talos and CrowdStrike are better, but Defender isn't that far behind. The payoff for me is the native Microsoft integration. 

Suppose most of my applications and data were still on-premise and I didn't need to work from home because of COVID. In that case, I'd be looking at IBM, Q1 Radar, Resilient, FortiSIEM, or ArcSight because the legacy SIEM products do on-premise security well. However, most of my cloud data is Office 365 in Azure, so that's what prompted me to start looking at Sentinel and Defender. 90 percent of my criteria shifted to the cloud, specifically Microsoft Azure.

I rate Microsoft Defender for Endpoint nine out of ten. If you're planning to use Defender, you need to understand the options around E3, E5, and a la carte licensing. This is also true if you do a bake-off between IBM, ArcSight, or other best-of-breed products, understand what capabilities you really need. If you're a small or medium-sized enterprise, you won't have the same needs as a corporation with half a million endpoints.