Microsoft Defender for Endpoint Reviews

In an enterprise setting, I use the product to protect workstations, and more recently servers, from all sorts of threats, including malware, viruses, trojans, etc.

Defender for Endpoint gives us greater visibility. Cybersecurity professionals always need that because what we don't see can get us into a lot of trouble. We also need visibility to be easily applied across platforms and with an improving ability to gather information from Linux or Mac-based end platforms. AWS and Google Cloud give better visibility, which we need from a security standpoint.

The other Microsoft security products we use are Defender for Cloud Apps, Defender for IoT, and Defender for Cloud.

The integration is pretty straightforward. It depends on a company's licensing and deployment team, and Microsoft makes it simple to integrate multiple solutions. It is easy to integrate into a test environment, though it depends on the infrastructure and networking team because they have to carry it out. Each company has different solutions; whether they are entirely cloud-based, on-prem, or hybrid, there's a lot of flexibility. Depending on the package, Microsoft is usually very helpful and available to assist with implementation and integration.

Coordinated detection and response between the solutions are essential. Depending on the company and its capabilities, it can sometimes be challenging to bring different tool sets to bear. For example, integrating endpoint protection, XDR, theme tools, CASB apps, and security from different companies can be very tricky. What Microsoft is doing in terms of easy integration makes their product an easy sell because it's critical to spend time doing the work of security rather than worrying about and dealing with integration. 

Threat protection is extensive; it covers most of the concerns we face as a company. I have limited experience with the IoT side, although I'll be working with that soon. Microsoft is thinking ahead and looking toward the future of protection, and I think they're on the right path. The comprehensive threat protection is there, and that results in a steep learning curve because an organization may have a whole bag of tools, some of which they may not use or need depending on the size of the enterprise. The extensiveness is impressive, and Microsoft is doing the right thing in attempting to cover all threat avenues. The necessary side effect of trying to cover every threat is not being the best in class at dealing with any one threat; more of a jack of all trades, master of none. It also increases the learning curve for analysts.  

The threat-hunting service is very useful for a security professional.

The ability to fine-tune specific policies to protect our enterprise is also advantageous.

The increasing deployment availability on different platforms and OSs is a good functionality.

Seamless integration with the Microsoft SIEM tool and other tools such as Splunk and Sentinel is excellent.

Defender for Endpoint provides good visibility into threats, and there is always room for improvement.  

The tool allows us to prioritize risk factors and fine-tune those based on our requirements as a company. That's extremely important because different companies face different threats from an enterprise point of view. Everyone is concerned about phishing, but only certain companies deal with personal health information, for example, and those dictate the security priority landscape. This functionality is one of the essential elements in an endpoint solution.

In Defender for Endpoint, we can create a certain alert logic to alert us on either high-value assets or individuals. With Sentinel integration, we can develop playbooks for the tool, which helps us gather the information for an investigation or automate a lot of threat intelligence searching. Endpoint has its standalone functionality in this respect; Microsoft does a good job providing sufficient threat hunting in each tool in case a customer only has one. Overall, the solution's threat-hunting and investigation resources are extensive.  

Eliminating multiple dashboards saves time. It may save between five and 30 seconds, but at the end of the day, if I've done eight investigations, that's minutes saved each month. That adds to hours of work saved by not having to deal with multiple dashboards.   

Our time to detect and respond decreased; even a few minutes saved by not searching through multiple dashboards helps. Threat intelligence also informs the end user if a website or link has a bad reputation. These features help reduce the time we spend investigating an incident or alert.  

My main issue with the tool is that there are too many menus. This causes a steep learning curve for those without training or unfamiliar with Defender for Endpoint. From an end-user perspective, the solution is there on the machine and does its job; it works seamlessly. However, as a security professional dealing with it behind the scenes, the learning curve can be steep, but not too steep. Still, it has taken some of my analysts up to a month to get familiar with the product.

Microsoft is slow to act on improving the threat intelligence elimination of false positives. They have a feed of indicators of compromise, which they are constantly updating, but some of the category intelligence is sometimes off base. Microsoft is working to improve that, but threat intelligence is vital; it's there, usable, and requires some fine-tuning and adjustment. That's good, although automated threat intelligence has room for improvement.

Threat intelligence is an area Microsoft needs to improve on; if a company only has Defender for Endpoint, that's their single point of truth regarding threats. Therefore, the tool must provide as much threat intelligence and automation as possible. Defender and Sentinel offer more options, but companies with only Defender need it to be improved.

A significant area for improvement is better integration with other tool sets in the industry. The solution integrates well with other Microsoft products, but only some environments have those products or the flexibility to adopt them. Microsoft Defender for Endpoint needs to integrate with different systems, for example, Cisco or other firewalls. Better integration with more cloud vendors would also be excellent, as not everyone will have Azure.

I've been using the solution for over 15 years. 

The solution is very stable, and that has improved with time. It used to be hard on the workstations, but we experienced those issues eight years ago. Microsoft always came out with a patch within a week or two, which would fix the problem. Nowadays, the tool is very stable; the only potential issue is if something happens on the cloud end, as the dashboards are cloud-based. That's something I've yet to personally experience, though.

The scalability is there, and there's always room for improvement. I need to incorporate more outliers, but the solution is easy enough to deploy that I can quickly onboard many workstations or servers. The product is an eight out of ten in terms of scalability.

Customer support responds rather quickly; it depends on the service level agreement, but they are pretty good about getting back to us and following up on any issues we may have. 

Most of the companies I've worked for used Defender for Endpoint. I have used different SIEM tools like Splunk and briefly used QRadar a long time ago.

I was involved in the deployment planning, but different teams did the actual deployment. I understand the deployment to be easy. 

In terms of maintenance, the solution requires updates from time to time, which are handled by the infrastructure team.

I would rate the solution eight out of ten. 

The infrastructure team has bi-directional sync capabilities set up and running well. It's essential when it comes to having hybrid cloud solutions and cloud solutions from different vendors. Various systems need to have seamless communication and shared issue reporting.  

Microsoft is increasing its data connectors, which is very helpful for ingesting data from different feeds, though some elements aren't fully fleshed out yet. How much data needs to be digested depends on the enterprise; every SIEM tool has a price to pay for how much data is ingested. The simple answer is that Sentinel allows us to ingest a ton of data, and that's vital. If we can't see a threat, we can't detect it and protect against it.  

Sentinel enables us to investigate and respond to threats from one place, which is very important for us. This is an area Microsoft has improved because we used to have to go to three different portals for our security picture. Now, everything we need to find can be seen in one pane of glass in Sentinel, whether we are looking at alerts or incidents.  

The comprehensiveness of Sentinel's protection depends on an organization's security program's maturity and capacity to leverage the solution. There's room for growth, but Microsoft is making good strides in the machine learning and AI portion of its product. The setup and fine-tuning of the tool play a significant role in how smoothly SOAR operates and whether it fulfills an organization's specific requirements. The default playbook may not fit with needs precisely, and staff with knowledge of Kusto Query Language are necessary for fine-tuning. A certain level of expertise is required to leverage Sentinel's sort and machine learning capabilities fully. 

I don't know how much Sentinel costs as I don't see the bills, but the biggest standalone SIEM and SOAR competitor is Splunk. Splunk does a better job but is also much more expensive; people often complain about the cost. I can't compare the value and pricing of the two as I need to know precisely how much they cost. Splunk is supposed to have changed its pricing model to become more affordable recently, and I wonder if Microsoft did the same with Sentinel. However, because Sentinel integrates with other solutions an organization may already use if they're a Microsoft shop, it makes it worth the price.

When it comes to a best-of-breed versus a single vendor security suite, it depends on the people higher up in the organization and usually comes down to cost. Everyone wants the best of the best, but only some companies are capable or willing to pay for that because it can be costly. Microsoft is trying to provide a pricing model that encourages customers to use a suite that seamlessly integrates with Windows and server OSs and increases integration with Linux and Mac OSs. That can provide a better ROI than getting the best of the best but having limited visibility and integration with other tools and the network. Microsoft leverages the security suite model as its selling point, and it's working for them. 

I advise potential customers to read up on the community boards and look into their specific needs. Defender for Endpoint is a good competitor for those looking for an EDR solution, and for those looking for a complete security suite, it's one of the better choices. The tool is competitive, but there are other choices if a company wants the best. Microsoft Defender for Endpoint is in the top three, only considering EDR, but for those looking for a line of products to protect their company and thereby make some savings, it's one of the premier choices.

It provides good visibility in terms of the number of devices covered, users covered, and so on. With most people working from home for the past two years as a result of the pandemic, Microsoft has helped us improve our security. Because it's a cloud component, we have been able to have improved coverage for our remote users, which was a challenge when we were using traditional endpoint protection solutions. Microsoft Defender for Endpoint has enabled us to secure devices even when they are off of the organization's premises. It has added value to our organization and has helped improve and mitigate security risks across the organization.

I like the fact that it's prebuilt onto Windows and that it integrates with various solutions.

The Microsoft Defender for Endpoint dashboard gives you a very wide view. If, for example, a device is having some malicious activity, it will tell you who has logged into that device and the history of the activity such as whether the activity began because that particular user clicked a malicious link in an email. It is able to do this because Microsoft Defender can connect to the whole Microsoft 365 ecosystem. Thus, it can provide more visibility as compared to a standalone endpoint solution, which will only give you visibility with regard to the information collected on the client in which it is installed.

It provides a detailed level of visibility considering that it's prebuilt onto Windows. It's able to drill down into the processes, such as the DLL files that are running and the installation files from where the threat is emanating. It gives you a deeper threat analysis in comparison to that of other solutions I've worked with. Microsoft Defender is able to provide details such as whether it is a malicious file, the process that is executing a particular file, how it is initiated, the process number, the particular execution file that is running, and so on.

When it discovers a threat, it has its own inbuilt capabilities to prioritize the severity as low, medium, high, and critical. You can also intervene and assign a particular priority to an incident if the priority was not what you expected. Microsoft Defender gives you visibility not just from a threat perspective but also from a user perspective, for example, to identify the most high-risk users in an organization. It gives you the ability to prioritize the riskiest users and devices.

We use Azure AD Identity Protection, Windows Defender for Cloud, and Microsoft Defender for Office 365.

It is easy to integrate these solutions because Microsoft Defender for Endpoint gives you a central view of all of the security components in the organization. We have integrated these solutions to have one central dashboard.

Having one XDR dashboard has eliminated the need to look at multiple dashboards.

In terms of these solutions working natively together to deliver coordinated detection and response across our environment, Defender for Endpoint works natively well on its own Defender for Office 365. The full integrated visibility doesn't come natively enabled by default. As an administrator, you have to figure out where the configuration is and enable that configuration so that the events are captured by one solution and pushed to the central dashboard for security.

Microsoft has come a long way in terms of security and comprehensive threat protection. They've done quite a lot to mature their solutions. It's hard to find one vendor who covers your email security, cloud security, and endpoint security, giving you central visibility into all of it, and Microsoft is one of the major players at the moment.

Threat intelligence helps us proactively prevent attacks before they happen. Defender can pick up an activity that is happening across other tenants in the organization. You can then look at what controls you can put in place to prevent it from happening in your own organization. It's better to prevent an attack rather than to stop one that is already happening. This approach allows us to proactively put measures in place and be ready to respond in case an attack does occur. It keeps us more alert and prepared.

With Microsoft Defender for Endpoint, you can automate some of the incident response actions. However, we do have false positives that are picked up, and automation needs to be done sparingly. Automation of routine tasks does free up our admins, and they can focus on more strategic initiatives and improvements, and leave the day-to-day administrative duties to the system.

This solution has saved us time in terms of providing centralized visibility and not having to onboard agents when deploying. It has made management a bit easier because it can be accessed from anywhere and has made it a bit more convenient to manage the whole Endpoint protection activities. Our team is still quite lean, and the time spent on EDR activities has probably reduced by about 50%, freeing us up to catch up on other activities that we're following up on in the entire information security program.

Microsoft Defender for Endpoint has decreased our time to detect and our time to respond. Proactive alerts help you send notifications before something actually happens. That means you have more time at hand to quickly detect threats before they happen. If they do happen, it gives you all of the information you need to be able to quickly respond compared to traditional EDR solutions for which you may need to look for VPN production to access your tenant. The ability to automate the responses has also decreased the time it takes to respond to an incident by about 50% because even before the notification is received, the system would have begun to take the action that you had configured for the automation. That is, the response will begin without your intervention.

Automation is one of the areas that need improvement because if you fully automate, then there's a high chance that you're going to be blocking a lot of actual false positives.

With the XDR dashboard, when you're doing an investigation and you're drilling down to obtain further details it tends to open many different tabs that take you away from your main tabs. You can end up having 10 tabs open for one investigation. This is another area for improvement because you can end up getting lost in multiple tabs. Therefore, the central console can be improved so that it does not take you to several different pages for each investigation.

Microsoft keeps changing the name of the solution, and when we go to senior management to ask for a budget, they think you're asking for a different solution. It would be great if Microsoft could decide that Defender for Endpoint is the name and stick with it.

I've been using it for three years.

It's quite stable.

It's very easy to scale because it comes built-in with Windows 10, and you just need to enable it. This can be done on scale using group policies or through Endpoint Manager on cloud or Intune.

We have about 5,000 users.

The technical support is okay, and I would rate them at seven out of ten. It depends on the level of support that you have with Microsoft. If you have enterprise support, you'll get dedicated support, and your issues will be resolved much faster. That is, if you're able to pay for premium support, you'll get good, faster responses. If you have normal support, however, it may take a bit longer to get someone to look at an issue.

Neutral

We previously used Kaspersky Endpoint Protection. One of the reasons why we switched is the fact that traditional endpoint solutions tend to be monolithic. They usually run on an on-premises infrastructure. As a result, you have to deploy agents to all of the machines and to manage them, you have to be on the company's network or be able to access it through VPN. Also, those who work remotely will need to log into the VPN to receive updates. Often, those who don't need access to internal systems will go for months without logging into the VPN, which means that they will not pick up the updates.

We were also looking for a solution that was more cloud-friendly because the organization was moving towards the cloud with the emergence of remote work.

The initial deployment can be straightforward if you have Windows 10 Enterprise Professional because it will come preinstalled. All you will have to do then is to enable it. In our case, we wanted to enable a particular GP and encountered some complexities in terms of connectivity. It took us about six months to deploy it.

It's a SaaS solution, so you don't require much effort in terms of deployment. Once installed, there's very little maintenance required. We don't have to upgrade any agents; it's straightforward. It mainly requires administrative work from the console.

Our environment is across multiple branches in the organization with branches in different locations and countries.

We had a team of three with someone to configure the group policies, someone to look at the admin center on Microsoft, and someone to ensure that the traffic is allowed.

Because Microsoft Defender comes as an add-on, it can be a bit expensive if you're trying to buy it separately. Another option is to upgrade, but the enterprise licenses for Microsoft can also be quite a bit pricey. Overall, the cost of Microsoft Defender compared to that of other endpoint detection solutions is slightly higher.

If you have a big team, then you can go with a best-of-breed strategy where you have dedicated teams that are looking at your endpoint protection, email protection, network protection, and so on. You may have a SOC team as well that gets the events and incidents from all of the different teams, analyzes centrally and provides a general view from a security operations perspective. In summary, if you have a well-resourced, mature organization, then it may make sense to go for the best-of-breed strategy.

However, if you have an organization without a big security team, it makes sense to have a single vendor's suite. At times, it may appear to be a single point of failure, but in terms of management and usability, it's a bit easier to work with and deploy. It will give you some level of visibility that will cut across the different domains.

Overall, Microsoft Defender for Endpoint is a good solution, and it'll give you good visibility and protection. It's worth considering, and I will rate it at eight on a scale from one to ten.

I'm a security coach with multiple clients. I provide security implementation, planning, and maintenance through Microsoft Defender. I use all the Defender products, including Defender for Identity, Defender for Office 365, and Defender for Cloud. 

It's easy to integrate the solutions. You only need to go into the settings and switch on the connectivity to all the Defender for Endpoint connectivity telemetry. Microsoft documentation is thorough, and it walks you through all the necessary steps.

We're multi-client and multi-cloud. We're working with multiple organizations and departments, so it's complex. We have domains and sub-domains that we must account for on the deployment side. We also use Defender for ATP, which is the Defender for domain controllers.

Defender for Endpoint helped to bridge the gap with remote workforce solutions because it protects managed and unmanaged devices. It's also easier to use because Defender for Endpoint is cloud-managed, so it stays maintained and updated. It has a leg up on competing solutions that require more system resources and maintenance. 

The tight integration with Microsoft operating systems is another advantage because it's easier to manage. It also goes beyond Windows OS. Defender for Endpoint supports other platforms and operating systems, such as Linux, iOS, and Android. I like that Microsoft is expanding the product's scope beyond Microsoft operating systems. Microsoft is developing a holistic approach, so you don't need a third-party product to protect these other non-Microsoft platforms.

Defender helps us to prioritize threats across the enterprise. The weighted priorities are based on all the MITRE security standards. Defender products work together to provide comprehensive protection. I agree with the placement of Defender Products on Gartner's Magic Quadrant. Defender is a leader in that area of threat protection. I'm pleased with the outcome of a lot of the investigations. I can protect and harden areas that didn't usually didn't have that level of visibility and granularity. 

Defender integrates with Sentinel, enabling me to ingest data from my entire ecosystem. Sentinel also covers non-Microsoft products with the third-party connectors that are provided. I enjoy that part of the Sentinel functionality and feature set. It has several features for aggregating the log data and analytics for the on-premises environment. Having that visibility is crucial.

Sentinel provides the SIEM and the SOAR capabilities, offering a single pane of glass for all of the security operations centers and providing on-site reliability for many of my clients. Sentinel is Microsoft's answer to competing tools such as Splunk and other log application tools. Sentinel seems to provide more added value from the ease of use and visibility. The licensing is also competitive.

You can set up Sentinel to forward alerts if you want to create a managed Cloud environment solution for Sentinel for a client. There's a way to set that up through Azure Front Door. You're seeing the data reporting and single pane of glass for other tenants and customers. It enables you to offer security as a service to maintain visibility for clients.

I like that it considers the status of a device (whether the device is online or offline, VPN or not, etc.) and provides several options for telemetry, depending on where and how the device is being used. It gives a lot of flexibility with the installations, maintenance, and management of the Endpoint solution. In addition to Defender for Endpoint's feature set, other parts of device management reduce the attack surface and protect those devices.

Defender's automation features have been a significant advantage with many of my clients because the remediation has been automated. Most of the time, it doesn't require any human intervention unless there's something that hasn't been set up. I must demonstrate the automated investigation and remediation to my clients to ensure their environment is automatically protected on weekends and after business hours.

The single pane of glass is vital to us as security consultants and our clients, who need a high level of visibility. You can go into the high-level executive dashboard view and drill into each telemetry graphic to provide you with more granular data. I see how easy it is to see the big picture and effortlessly drill into the details using the side navigation menus and more.

Consolidating things into one dashboard streamlined them significantly. When working with multiple tools and vendors, you typically have to stitch the reporting together to get an overarching view of everything. It's time-consuming. By the time some of these tasks are accomplished, the data starts to get stale, so you need to refresh and create an all-new view again. Having real-time capability in a single pane of glass is essential.

Defender Threat Intelligence helps us develop a forward-looking approach to threats and plans. That's one aspect of the product I find incredibly helpful. It will highlight things that may require intervention, such as turning on conditional access rules or setting up some geofencing for anything that looks like it could be a password spray attack from a known location that we can block. 

There are opportunities to turn off any legacy protocols that may be in use. That's been a common thread with some of my clients who still use legacy protocols for sign-in and authorizations. The ability to do that has been a considerable help proactively.

You don't know what you don't know until you know. The continual flow of real-time data and analytics from Defender products helps create a security roadmap and harden many areas. With improved visibility, we can build a better roadmap to harden those areas by prioritizing and doing things methodically. Previously, we were guessing what to do next or what would be most important based on an educated guess. Now, we have data to guide our security decisions.

Microsoft Defender has saved us hours and hours. It has probably paid for itself many times over. I would agree that it has saved a lot of time and money. I estimate it probably saved us the equivalent of two people working full-time. You typically have at least one person overseeing on-premise resources and another dedicated to cloud resources.

In my opinion, the most valuable aspects are the reporting analytics and integration with Sentinel. Defender does an excellent job of correlating the different entities that comprise threat analysis, analytics data, and log analytics. It helps to piece together investigations into any exploit or malicious activity within a specific tenant. AI and analytics tools are probably the most valuable components.

The bidirectional sync capabilities and off-app sanctioning of the SaaS applications are helpful. The identity security posture feature set provides investigation recommendations for risky users. The heat map for locations is also handy. Defender integrates with the AIP DLP for data governance and protection. I use all of that.

There's a need to have augmented workforce capability. You need to see the data streams for client work augmentation for the security operation center and act on the information. Having data in near real-time is essential to my organization and the work we do for our clients. The built-in SOAR, UEBA, and threat detection features are comprehensive.

It always helps to have onboarding wizards. Microsoft has done a lot of work in that area. I would like to see some more refinement in the wizards to allow more diverse use cases and scenarios that help us deploy Defender globally. In particular, I would like to see more deployments considering localization barriers and networks or devices common in various regions. 

Localization is always a challenge, especially with new products you typically want. Solutions are designed to be deployed where the most licenses are being consumed, such as in the United States. They focus on US products, devices, and networks. Specialized deployments for other countries would allow for a smoother experience in transition.

I have been using Microsoft Defender for about two and a half years.

It's pretty stable. I haven't had any reliability concerns with Defender, and there have not been too many complaints from users that have to have extensive reboots or any kind of performance impact. So I would say it's pretty stable.

Scalability is built into the product. It's a cloud-managed solution, so it's capable of scaling pretty quickly as needed. You don't have to unlock another key or do something else to scale the product. It's scalable by design.

I rate Microsoft support a seven out of ten. We've opened a few Microsoft tickets. For example, we've seen some discrepancies between Defender for Exchange Online and the reporting from Sentinel. We raised tickets to determine why Sentinel's logging data doesn't match what we see in Exchange Online.

It can be slow and tedious sometimes. Microsoft has different support level agreements. If you want prompter and higher-quality support, you typically need to pay for an Ultimate Support contract. If we compare that with other companies or organizations, Microsoft is probably on par with everyone else. You don't get a higher level of support unless you pay for it.

Neutral

I've worked with all the major antivirus and endpoint protection vendors, including Splunk, CrowdStrike, Sophos, Norton, and McAfee. Microsoft's advantage is its integration with the operating system, ease of deployment, and support for the 365 Cloud experience. It makes everything easier to deploy, maintain and manage. It comes down to cost and integration. We realize cost savings because it's integrated into the E5 licensing product.

The setup is straightforward and mostly automated. You only have to intervene when you experience errors. Those typically happen on non-US systems or in other countries. For the most part, it's effortless to deploy.

We try to use the auto-onboarding capabilities that come with Autopilot. If you have new systems deployed with Windows Autopilot onboarding capability, that's going to turn Defender on with the proper policies and security parameters. 

One person is enough to deploy Defender if you have a plan and proper communication. You notify everyone that the deployment is happening and push the button. You need to let everyone know if reboots are required and the like. Other than that, it's pretty much a one-person deployment job.

In terms of maintenance, Defender is probably somewhere in the middle. Microsoft maintains a lot of automated updates. There are feature sets that come into play with things that are put in preview and you may want to see if it's something you want to turn on and try out while it's in preview. Those are the only areas that require some discussion and intervention. Most of the maintenance is automated. At the same time, you also need to be trained and aware of the updates and feature sets as they mature. You must stay on top of changes to the UI, reporting, etc.  

If you look at what we pay on average and all the potential ransomware and malware threats we've averted, we've definitely saved tens of thousands of dollars, depending on the client. Some of the bigger clients have saved millions of dollars of potential ransomware payouts because Defender products helped protect those areas of attack. 

The cost is competitive and reasonable because most of the expense is log analytics, storage, and data consumption and ingestion. They can be throttled and controlled, so they are highly flexible. Defender has a lot of advantages over competing products.

From a licensing aspect, you're not just getting a security product. You're getting a lot of other capabilities that go beyond the Defender products. You get an E5 or E3 license and some form of Defender for Endpoint included with all the other security features of the other Defender products. 

It didn't take too long to decide on Microsoft because of the integration and simplicity. CrowdStrike is probably the closest competitor.

I rate Microsoft Defender for Endpoint a nine out of ten. Defender is one of the best I've seen, and I'm not saying that as a Microsoft reseller. We use Defender and have gotten our Microsoft certifications to provide a high level of service for our clients. It's crucial to have a product we stand behind and believe in wholeheartedly. We're not getting kickbacks from Microsoft for saying or doing any of that. We use it because it works. 

I would say there's a trade-off. Once you start adding complexity to security, you're going against best practices that say simpler is better. Adding another vendor or a level of complexity is usually unnecessary. Unless there's something Microsoft completely missed, I would question the value of going to another vendor. 

Communication and planning are most important. Any time you change products or deploy something for the first time, you should test it first in a smaller use-case scenario. That will help you identify any issues with your network, firewall, or legacy applications that may be falsely identified as a threat. It's always best to test your use case scenarios in a proof of concept before you deploy it.

I worked for an enterprise client in the public sector with half a million endpoints. I'm in Canada, and that's bigger than most US companies. Defender is an endpoint agent, but it's tied into what I would call a SOC outsourcing stack. It's part of a security operations center that is getting threat intelligence, comparing that to endpoint detection and response, and feeding it all back into a SIEM.

I use either E3 or will upgrade to the E5 full suite, or will go a la carte. You can pick one or two off there, but it usually makes more sense to go all E5. Sentinel and Defender are the two things I like in E5 that I work together.

We use Defender's bidirectional sync capabilities at a high level. I'm more of a high-end security architect, so I do the conceptual designs but not the implementation. Even though I like it, I don't know if it gets implemented and used or not. As a capability, as an architect, that's a good thing to have.

Our deployment is still a work in progress, but it will enable us to mature and automate our cyber incident response and threat security posture. Defender helps us automate routine tasks and the findings of high-value alerts. That's the SOAR part we hope to achieve with the project reaches maturity.  

Defender simplifies things if you are managing a multi-cloud environment or a hybrid deployment. Instead of having 10 dashboards, you're now down to three. It creates a fabric. Do I have a single pane of glass? No. However, I have three panes instead of ten.

It can give early warning signs. I'd stop short of saying Defender protects, detects, responds, and remediates. It still doesn't do the remediate part. Defender will ultimately save time and money when we've fully implemented it. I'll find more problems, but I think the integration will save me a lot more time on the operations,  incident response, etc. It's all speculative until you're fully deployed and got key metrics to prove it.

The biggest reason I looked at Defender is that the world seems to have shifted to Office 365 and Azure in the last couple of years because COVID is forcing many people to work from home. Defender has better out-the-box integration with Office 365 and Microsoft security solutions like Sentinel, and its SIEM. CrowdStrike or other top products are excellent, but I'd still need to integrate them.

Defender is great at identifying threats on Windows and Azure products. If the threats aren't related to Microsoft, I will use something else. My view of Microsoft Defender changed significantly over the past five years. I used to think it couldn't compete with best-in-class solutions like CrowdStrike. It was like a Microsoft version of CrowdStrike. Today, I think it's on par pound-for-pound with CrowdStrike on the EDR Gartner MQ capability list. 

If you have multi-cloud like Google and AWS, the native solutions are better for those particular cases. But if you want Azure covered and you use Sentinel and Defender, you can also integrate Defender well with Zscaler. 

Zscaler is more of a multi-CSP fabric with zero trust capabilities that integrate with CrowdStrike and other third-party tools. I use Defender and Sentinel for Microsoft, but I also like that Microsoft integrates very well with Zscaler and vice versa.

The comprehensiveness of Microsoft threat-protection products is great. Five years ago, I would've said don't use it because other products are better. Today, Microsoft Sentinel by itself is a leading Gartner SIEM tool. It has advantages over competitors because of the ability to integrate with Microsoft solutions and automate continuous monitoring of Microsoft AD and Office 365 data.

Sentinel aggregates logs from everything. It's pretty good at that. If you were on Google Cloud or AWS, you would use the native products, but Sentinel is useful if you already have it and you want to use it as the central log aggregator.

Defender offers SOAR plus UEBA, and you can integrate it easily with the endpoint, making it a compelling security fabric as a SOC technology stack. I would put it in the top four along with IBM, Splunk, and maybe Fortinet as one of the better-integrated UEBA types of technology suites.

Microsoft Defender improved a lot. They weren't even on the Gartner Magic Quadrant, and now they've equaled or surpassed the leading solutions. I would suggest they continue doing what they're doing on their product roadmap and develop more SOAR. The last thing for them to tackle is multi-tenant and multi-cloud handling.

I have been using Defender for about five years.

Defender is robust.

I'm still in the early stage, but the scalability seems impressive based on my research and the size of reference clients.

I've mostly seen the pre-sales part, like doing demos and licensing. As far as doing demos and licensing. My experience with the sales organization has been awesome, but I'm not dealing with maintenance, rollover, or contract.

Five years ago, I looked at Micro Focus, ArcSight, and maybe some best-of-breed UEBA and EDR solutions, like CrowdStrike and Intercept. Business considerations led me to choose Defender. 

Security people will go for the top security solution, but executives are worried about enterprise and return on investment. They push for Microsoft security products because they've got Azure and Windows. I now agree that it also makes sense from a security point of view,

As an architect, my experience with the deployment is limited to evaluations and PoCs, and the full roll-out is ongoing. Ultimately, it's a low-maintenance solution. The payoff on automation and maturity is getting ongoing maintenance and support, training, patches, and new product upgrades. That's part and parcel of why it's a good idea.

The price was a problem for me three years ago, but they improved their E3, E5, and a la carte licensing. In other words, you have to get all of E5. That used to be a problem because you had E3, Defender, and guardrails, but you needed an E5 license to get the management suite and the analytics. 

It's more flexible now. You can switch from a la carte to the entire suite when it starts to make sense. It's becoming more economically competitive to go that route.

Defender is good enough if I compare it to the leading EDR solutions on Gartner. I would place it in the top quartile based on cyber threat intel. Cisco Talos and CrowdStrike are better, but Defender isn't that far behind. The payoff for me is the native Microsoft integration. 

Suppose most of my applications and data were still on-premise and I didn't need to work from home because of COVID. In that case, I'd be looking at IBM, Q1 Radar, Resilient, FortiSIEM, or ArcSight because the legacy SIEM products do on-premise security well. However, most of my cloud data is Office 365 in Azure, so that's what prompted me to start looking at Sentinel and Defender. 90 percent of my criteria shifted to the cloud, specifically Microsoft Azure.

I rate Microsoft Defender for Endpoint nine out of ten. If you're planning to use Defender, you need to understand the options around E3, E5, and a la carte licensing. This is also true if you do a bake-off between IBM, ArcSight, or other best-of-breed products, understand what capabilities you really need. If you're a small or medium-sized enterprise, you won't have the same needs as a corporation with half a million endpoints. 

Once we enroll devices, the Microsoft scanners scan them in the backend and find vulnerabilities for the devices. For example, if our Office version is outdated, or Chrome is an outdated version, or there are any vulnerabilities or security loopholes, they will be displayed in Defender for Endpoint. We go through those vulnerabilities and we try to fix them by creating group policies or by using Intune. If there are any security recommendations in Defender for Endpoint, we fix those assets.

It's the best solution for vulnerabilities. Most updates will be done by group policies in a big organization and everything will be maintained in that way. But with non-group policies, if it's not a hybrid environment, or they are only using cloud, or they're connected to Azure already, or they don't have AD, a lot of updates will be missed. That is a very difficult situation for handling vulnerabilities. In that situation, once we enroll the devices to Defender for Endpoint, all the vulnerabilities will be displayed on the dashboard and we can review them and fix them. In that way, we can stop most cyberattacks and close all the vulnerabilities and loopholes.

Before enrolling devices to Defender for Endpoint, we don't know what vulnerabilities or security loopholes are on those devices. Once we enroll devices we find a lot of vulnerabilities and we have been able to fix a lot of security-related issues. It has helped us a lot.

It is impacting our security score. Before we enrolled our devices to Defender for Endpoint, our security score was 58. When we enrolled 500-plus devices to Defender for Endpoint, our security score went down to about 42 percent. We then understood we need to maintain it above 50 percent, as recommended by Microsoft. We are trying to increase our security score by fixing those issues.

It shows how to fix a given vulnerability or security issue, providing step-by-step guidance. That saves a lot of time because if we didn't know how to fix a vulnerability, we would need to do some research and find the right document. That would take time. It is saving us 10 to 15 hours per month.

It finds the loopholes and vulnerabilities and shows you some security recommendations as well. Based on the requirements, we fix them. We don't necessarily need to fix all the vulnerabilities. For example, if an organization is using Office 365 and the accounts team wants Excel to be updated to version 16.2.0, some applications or some data will work only with that particular version, but some data will not be supported. In that situation, we don't want to upgrade MS Excel.

Integrating Microsoft solutions with other solutions is not that difficult. Microsoft provides documentation on how to integrate things, which is good. We get a lot of information from the Microsoft pages. Integration is very helpful for finding all the security-related stuff.

Defender for Endpoint has one dashboard with security-related information, vulnerability-related information, and basic recommendations from Microsoft, all in different tabs. That's helpful because if we want to fix only the recommended ones, we can go fix all of them, or if we want to work on the security-related ones, we can go to the security tab and work on all of them.

The solution's threat analytics is another tab and it is helpful for finding vulnerabilities, phishing emails, and spam emails. If we want to release them, we can release them. We will check IP abuse and whether the IP is related to brute force attacks. If we want to improve on something, we will send it to Microsoft to analyze it. Being proactive is important. As specialists, we need to review the recommendations from Microsoft on a day-to-day basis and fix them as much as we can. Day-to-day, we need to upgrade and make sure all the devices are up to date. That should not be done on a weekly or monthly basis.

Right now, the solution provides some recommendations on the dashboard but we don't have any priorities. It's a mix of all the vulnerabilities and all the security recommendations. I would like to see some priority or categorization of high, medium, and low so that we can fix the high ones first.

We have been using Microsoft Defender for Endpoint for one and a half years. 

I haven't seen any downtime. I don't see any issues with the stability. If there is any downtime, Microsoft will send a message on the dashboard and we can see any service issues.

Their tech support is very good. If we raise a ticket, they will respond within 15 to 20 minutes. If they don't know, they will do some research and come back to us. I love working with Microsoft

Positive

We used GFI Vipre. We switched because Vipre was not a Microsoft product, and we trust Microsoft. Between a third party and Microsoft, most people will choose Microsoft because the solution and the support are very good. We also have a client portfolio and we get a discount on the license.

The initial setup is simple. We run a script on the local machine and the device will be enrolled to Defender.

I completely configured Defender for Endpoint to be used in an automated way. We enrolled our devices to Intune and we configured Defender for Endpoint in Intune. Once we add our devices to Intune and to a group, those devices will be enrolled to Defender for Endpoint also. Enrolling takes around 24 to 48 hours.

Maintenance is pretty easy. Once we run that script, there are no complications while enrolling the devices.

The comprehensiveness of the threat-protection that Microsoft security products provide depends upon the license. Right now, we are using E5 licenses which cover every security feature. But if a small or mid-level organization uses an E3 license or Business Basic plan, not all the features are provided. The cost is high for E5 licenses, but if we go with the E3 license, most of the features are not covered.

We did some research and found other solutions. The support is very good for Microsoft. If we raise a ticket, within 15 to 20 minutes, we will get a response from the Microsoft support team regarding the issue. They keep an eye on it; every ticket is tracked. If we want, we can also escalate. With a third-party solution, we cannot get as much support as we can with Microsoft.

There are a lot of cyber security tools, so it depends upon the requirements. I'm not saying that we need to use only Microsoft. But when it comes to support, I don't know how the others do. Using a suite of solutions from Microsoft has benefits. Support is a very good one. The recommendations are also provided in the dashboard, and the SLA is 99.9 percent; we don't expect downtime with Microsoft.

We are not using Microsoft Sentinel. It will create alerts regarding VMs or storage but the cost is very high. Sentinel is not going to help much more when compared with Defender for Endpoint. Sentinel isn't preferable. It only creates alerts. There is not that much impact on the organization if it uses Sentinel also.

Microsoft Defender for Endpoint is a very good solution. I recommend using it.

We use Microsoft Defender for Endpoint for protection, asset onboarding, and service onboarding. We primarily focus on Microsoft-based endpoints. Specifically, we look for processes to determine if malware, viruses, or adware have been installed.

Microsoft Defender for Endpoint helps prioritize threats across our enterprise. The solution notifies us of new vulnerabilities, including those that have been published, exploited, or are being exploited, and it provides some visibility into these threats.

Microsoft Defender for Endpoint has a significant impact on reducing the number of affected machines. I personally write custom detection rules to analyze the environment and look for specific patterns, such as ransomware. Although some of the pre-built detection rules in Azure on GitHub are useful, they are not as flexible in terms of use cases. Therefore, it makes sense to write custom rules instead of importing the pre-built ones.

Microsoft Defender for Endpoint helps automate routine tasks and helps automate the finding of high-value alerts.

Microsoft Defender for Endpoint improved our security posture and operations by automating some of the mundane tasks, such as analyzing alerts. This allows us to focus on incidents that were created from specific individual alerts.

Microsoft Defender for Endpoint saved us time in terms of operational and C- CERT security. It reduced the amount of time we spend analyzing what happened on a particular endpoint, which processes were started, and which ones were suspicious. For example, it helped us to quickly identify suspicious installation protocols.

Microsoft Defender for Endpoint reduced our time to detect and respond by 25 percent.

Endpoint's most valuable feature is deep analysis. It provides a lot more in-depth findings. However, it only analyzes portable files with the .exe and .drl extensions. It does not analyze other file extensions. Additionally, it does not provide all the necessary information about the file's memory usage or size. I have to download the file to my computer to do further analysis. Therefore, the size of the application that the deep analysis analyzes is the only other red flag I can think of.

Microsoft Defender for Endpoint does not provide much flexibility in terms of threats. It only looks at what is currently in the environment. It does not provide flexibility like threat modeling, where we can provide our own threat model within the environment. This would allow Defender to provide us with feedback on threat intelligence that is tailored to our organization's needs and threat landscape.

Microsoft Defender for Endpoint's deep analysis shows that it works well with Microsoft's standard applications. However, it does not function as intended when used with Unix or Linux distributions. Therefore, it would be beneficial to improve support for other systems.

I have been using Microsoft Defender for Endpoint for one and a half years.

In terms of resources, I believe the solution is more resource-intensive because I can initiate multiple automated investigations, which will likely take a day or two to complete.

Our organization has thousands of people using the solution.

I give Microsoft Defender for Endpoint an eight out of ten.

No maintenance is required from our end.

I believe a best-of-breed solution is better because it eliminates some of the limitations of applications that do not provide solid stability in terms of detection time, response time, and eradication. This is because a best-of-breed solution is designed to be the best in its class at each of these tasks. As a result, it can identify threats more quickly, respond to them more effectively, and eradicate them more completely.

When evaluating the solution, we must understand how our environment is structured. Is it a hybrid environment? Does it have Unix, Linux, or Microsoft distributions? And within those distributions, do we plan to purchase multiple enterprise systems to cater to each individual distribution?

I am using Defender for one of my customers. 

We use Defender with Sentinel, so we can see everything from one dashboard. You can also use the 365 security portal to manage all your Microsoft solutions, but Sentinel covers the entire estate. It has automation features, but I am not the one who configured that. A separate team does that for the customer. 

Defender helps us be more proactive about security with suggestions on how to improve. It provides a Microsoft security score for 365 and Azure, both of which are helpful. 

Defender saved us time. I believe it saved the customer some money, but I could not provide exact figures.

Defender's analytics are much better than CrowdStrike's. It has the ability to intelligently learn and respond to threats. We conducted a simulated ransomware attack to test it, and Defender detected it faster than CrowdStrike. 

My customer is also happy with Defender's interface. It helps them prioritize threats across their environment. We also use Sentinel and Defender for Cloud. I also tested a VM deployed with Defender that reports back to the 365 portal. It's easy to integrate Microsoft security solutions. All of the solutions work in concert, and they're synchronized. I have no problems with integration and can see the entire landscape. The protection is comprehensive. I'm impressed. I have no complaints about the product.

The bidirectional sync with Defender for Cloud is crucial. If I check the other side of the signal, I can update the source of the alerts. It's vital to have a bidirectional connection for analysis and feedback. 

The documentation could be better. When they update their manuals, sometimes they refer to products by their old names, so it is a little confusing. For example, the documentation might still say "Advanced Threat Protection" instead of Defender for Endpoint. 

I have used Defender for Endpoint for three months. 

I rate Defender a nine out of ten for stability. 

Defender scales well. 

I rate Microsoft's support a nine out of ten. They were impressive. Microsoft has excellent support engineers.

Positive

I previously worked with CrowdStrike Falcon. Defender is more effective because it identifies more threats than Falcon.

I rate Microsoft Defender for Endpoint a nine out of ten. If someone asked me whether a best-in-breed or single-vendor strategy was better, I would say there's no right or wrong answer. It's better to use one vendor from an integration perspective because it's easier to set up. 

A single-vendor approach also simplifies support. For example, if you use CrowdStrike, you might be using Splunk as your SIEM. When you open a ticket with CrowdStrike, they will only be able to answer questions about their own products. 

We use Microsoft Defender for Endpoint to secure our customers' networks. One of the main reasons we chose this solution is its seamless integration with other Microsoft products, including Security. This integration enables the efficient exchange of signals and facilitates incident investigation and correlation with other security measures. Therefore, we recommend Microsoft Defender to our customers for robust endpoint security. 

Microsoft has been recognized as a leader in Gartner reports for two consecutive years for their exceptional threat-capturing abilities within their division. In comparison to other solutions, Microsoft Defender Endpoint Security offers a wide range of features, and the benefit of integration with other solutions makes it a more powerful product. This is in contrast to individual products from separate vendors, which lack default integrations and may not offer visibility over other endpoints in our environment.

The solution provides a high level of visibility into threats and is integrated with other solutions such as Microsoft Defender for Identity. This integration enables the solution to receive signals from Microsoft Defender for Identity, which are then relayed to users who attempt to log in to an infected device. If the threat originates from Microsoft Defender or Office 365, users are alerted and advised not to open any suspicious links or attachments. This integration greatly enhances the investigation experience and is extremely useful in the detection and analysis of potential threats.

Microsoft Defender for Endpoint helps prioritize the threats across our organization.

The automatic investigation response is the key feature of Microsoft Defender for Endpoint. It enables us to concentrate on the critical incidents related to the endpoint or machines. This capability enables the security team to focus on the most significant alerts or incidents related to the device's self-analytics. Prioritizing our investigations and responses with Microsoft Defender for Endpoint is crucial.

The integration with Microsoft solutions is smooth, and integrating with other products can be done with just one click.

In most cases, the solutions work natively together to deliver coordinated detection responses across our environment, which is very helpful.

The comprehensiveness of threat protection offered by Microsoft's solutions is extensive. These solutions can thoroughly investigate all resources in an organization when deployed correctly according to best practices. They can detect any threats related to email, endpoints, and identity attacks, whether on-premises or in the cloud.

Microsoft Defender for Endpoint has been instrumental in enhancing our organization's operations. It detects the majority of threats aimed at our devices, aiding us in our efforts to combat threats. Additionally, it expedites the investigation process by running playbooks on incidents. This saves us time and increases efficiency. Furthermore, the integration capabilities of Microsoft Defender for Endpoint allow us to address the source of the threat by partnering it with other solutions. Microsoft Defender for Endpoint can be integrated with Microsoft Intune, allowing us to provide device signals to the latter. This permits us to grant or deny access to specific sources based on device signals.

The solution assists in automating routine tasks and streamlines the identification of high-value alerts. When used in conjunction with Microsoft Sentinel, which is highly effective in detection and comprehensive investigations, the quality of high-value alerts is excellent.

Microsoft Defender for Endpoint has eliminated the need to access multiple dashboards and provided us with a single XDR dashboard. Instead of logging into five different portals to investigate a threat, we only need to access one portal, Microsoft Defender for Endpoint. This portal collects signals from various solutions and integrates them into a single incident, providing a comprehensive view of the detection from different sources in one place. This improves our visibility and simplifies the threat investigation process.

Having a consolidated dashboard saves us a significant amount of time by eliminating the need to log into multiple portals. This single portal can be used for investigation purposes and can relate to various aspects. It simplifies the process of monitoring a multitude of sources or resources in the environment, making it easier to detect and investigate potential issues. A consolidated dashboard improves collections and visibility, streamlining the investigation process.

The threat intelligence provided by the solution helps us prepare for potential threats and take proactive measures before they occur. Many of Microsoft's security solutions now depend on Microsoft's security intelligence. The ISG collects signals from various products worldwide, providing extensive information on recent global threats targeting different products. Integrating with Microsoft Defender for Endpoint, this information is particularly helpful.

The solution has helped us save time. I suggested that we check Microsoft Defender for Endpoint daily to review the latest incidents that occurred during the process. We can quickly examine the incident and then take action based on the recommendations provided by either Microsoft Defender for Endpoint or Microsoft 365 Defender, as it consolidates the signals.

This solution is cost-effective since we would otherwise have to pay for multiple licenses if we were to use various solutions. Additionally, we prefer not to subscribe to multiple vendors for different services. By integrating these features, we save time, and they are already integrated by default, unlike other vendors who may not offer this feature or integration.

Real-time detection and cloud-based delivery of detections are highly efficient. I have deployed the Microsoft Application Control which I found to be very effective, albeit difficult to deploy. I have implemented point guard and attack deduction rules which enable me to identify attack locations effectively. Microsoft Defender for Endpoint has several excellent features, and the correlation of alerts and investigation experiences within the platform helps lead investigations

The application control feature requires improvement. It is currently challenging to detect and fine-tune the application control policies. A better GUI is needed for configuring the policies, beyond the current partial console, such as a third-party or Microsoft tool. Additionally, more documentation is required for the application control section as there is currently none available in Microsoft's resources. This lack of documentation can make the process confusing.

The policy configuration has room for improvement. Currently, we require additional solutions to configure policies for Microsoft Defender for Endpoint. We need either Microsoft Intune or a new policy object. It seems many individuals find this process confusing. It is perplexing to me why we must configure policies using different solutions when ideally, we should have all configurations for Microsoft Defender for Endpoint in a single portal. It would be more practical to configure policies directly within Microsoft Defender for Endpoint, rather than using external solutions.

I have been using the solution for three years.

Microsoft Defender for Endpoint is stable.

Microsoft Defender for Endpoint is scalable.

I previously used Trend Micro Apex One, but I've found that Microsoft Defender for Endpoint has more benefits. Although I haven't worked with the full suite of Trend Micro, I believe that their Suite is also highly effective. However, I have experience using the full suite of Microsoft Defender, and I find it to be a more powerful tool for threat detection. While Trend Micro Apex One is easy to implement, has a seamless implementation experience, and is superior when it comes to policy configuration; For threat detection capabilities, Microsoft Defender for Endpoint is stronger.

The initial setup is straightforward because we just need to onboard devices, through a script, employment, onboarding package, or any other MDM Solution like Intune. The deployment takes between four and eight hours and requires a maximum of two people.

We implement the solution for our customers.

Microsoft Defender for Endpoint can be costly as a standalone solution. However, when included in a bundled license with other Microsoft solutions, it becomes a cost-effective option. Microsoft Defender for Endpoint provides excellent value for our organization.

There is an additional cost for Microsoft Premier support.

I give the solution an eight out of ten.

Microsoft Defender for Endpoint is deployed across multiple locations and departments. The solution can be used for enterprise, medium, and small businesses but can be expensive for SMBs.

To achieve success with Microsoft Defender for Endpoint, it is crucial to establish best practices and ensure full deployment without causing any disruptions to business productivity. Simply enabling all features without understanding their impact could lead to interruptions in productivity. By adhering to best practices and carefully assessing the impact of each policy, we can ensure a smooth and effective implementation.