SOC Analyst with 1-10 employees
Provides comprehensive logs and the live response feature allows me to remotely access different endpoints and investigate malicious files
Pros and Cons
- "I enjoy using the live response feature, which allows me to remotely access different endpoints and investigate malicious files, such as malware that people may have downloaded, and other related issues."
- "Threat intelligence has the potential for improvement, particularly by integrating more sources."
What is our primary use case?
I am a SOC analyst and I use Microsoft Defender for Endpoint to investigate endpoints in our environment and malicious activity.
How has it helped my organization?
The visibility into threats that Defender provides is excellent. The logs I receive are quite comprehensive, allowing me to see what is happening on each endpoint, including the running processes and generated alerts. It does a pretty good job of detecting when certain events occur, which helps me stay attentive to potential issues. Overall, it offers significant visibility.
Defender does a good job in helping to prioritize threats across our entire enterprise because it provides me with context by distinguishing between high and medium threats.
We also utilize Azure Sentinel, Defender for Cloud Apps, Defender for Identity, and Office 365. These solutions are integrated together, and whenever one of them receives an alert, it is sent to the main alert queue. I would give the integration an eight out of ten.
Sentinel allows us to collect data from our entire ecosystem. We primarily use it for the network firewall logs, but it can also handle other types of logs.
Sentinel does an excellent job of providing us with comprehensive security protection and visibility into security alerts and incidents. It informs us about policy violations, such as foreign user sign-ins and sign-ins from multiple or different devices, among other things. Therefore, it offers greater visibility beyond just phishing alerts.
Microsoft Defender for Endpoint has significantly improved our organization by identifying the activities of individual users and effectively hunting for any threatening activities they might engage in. For instance, if a user downloads a malicious file or clicks on a malware-infected link, the software can promptly detect and mitigate the issue on the server.
Defender helps to automate routine tasks and the identification of high-value alerts. Sentinel aids in the automation process by allowing me to address the issue of numerous false positives. Specifically, I automated the handling of certain false positives that originated from a particular IP range. This IP range was generating false positives due to a flagged server, even though the server itself was not actually malicious. In such cases, Sentinel proved to be beneficial as it facilitated the automation and removal of unnecessary noise.
Microsoft Defender for Endpoint has helped save us the trouble of looking at multiple dashboards by providing a single XDR dashboard.
Microsoft Defender for Endpoint has been instrumental in saving us time, especially by identifying true positives instead of wasting time on false positives.
What is most valuable?
I enjoy using the live response feature, which allows me to remotely access different endpoints and investigate malicious files, such as malware that people may have downloaded, and other related issues.
What needs improvement?
Threat intelligence has the potential for improvement, particularly by integrating more sources. This will enable us to accurately identify when a domain or an IP is malicious. If we could obtain information from external sources, it would reduce the need to use different open source tools to verify whether a domain or IP is malicious or not.
Buyer's Guide
Microsoft Defender for Endpoint
April 2025

Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
850,671 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for a year and a half.
What do I think about the stability of the solution?
Microsoft Defender for Endpoint is stable. I have only experienced one crash.
What do I think about the scalability of the solution?
Microsoft Defender for Endpoint proved to be scalable in our environment, supporting over 500 endpoints.
Which solution did I use previously and why did I switch?
I have also used Splunk. Splunk is more modular and portable, allowing us to integrate it with a wide range of different tools. In contrast, features of Defender and Sentinel, such as those provided by Microsoft, do not integrate well with as many other options.
What other advice do I have?
I would rate Microsoft Defender for Endpoint a nine out of ten. It provides me with greater certainty regarding malicious activity compared to Splunk, which demands much more analysis. Defender for Endpoint performs a significant amount of work in terms of identifying and validating malicious elements. This saves us from having to read and interpret a large number of logs. It takes care of the interpretation and conducts about half of the log analysis on our behalf.
I still have to conduct threat intelligence on my own, such as open-source intelligence. I don't automatically search VirusTotal for things, but I still end up doing my own source searching.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
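The noise-suppression step the reviewer describes above (dropping events from one known-benign IP range so they stop producing false positives in Sentinel) could be expressed as a query-level filter like the one below. This is an added example, not the reviewer's query or anything from Microsoft; the `CommonSecurityLog` table, its `SourceIP`, `DeviceVendor` and `DeviceProduct` columns and the `ipv4_is_in_range()` function are standard Sentinel/Kusto, while the range `10.20.30.0/24` is a constructed placeholder.

```kql
// Added example (not from the review): exclude a known-benign scanner range
// before counting firewall events, so that range stops raising alerts.
// 10.20.30.0/24 is a constructed placeholder; substitute the real range.
let BenignScannerRange = "10.20.30.0/24";
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where isnotempty(SourceIP)
// ipv4_is_in_range() returns true when SourceIP falls inside the CIDR range,
// so negating it keeps only traffic from outside the excluded range.
| where not(ipv4_is_in_range(SourceIP, BenignScannerRange))
| summarize EventCount = count(), LastSeen = max(TimeGenerated)
    by SourceIP, DeviceVendor, DeviceProduct
| order by EventCount desc
```

Placing the exclusion in the scheduled analytics rule's query prevents the incidents from being created at all, which is cheaper than auto-closing them afterwards with an automation rule. The exclusion should carry an owner and a review date: a host that is benign today can be compromised later, and a permanent blind spot on its address range would hide exactly that change.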

Endpoint Security at a manufacturing company with 10,001+ employees
We use it to keep endpoints safe, and we have had outstanding technical support
Pros and Cons
- "You have endpoint security to keep your devices safe. That's the feature that we're interested in."
- "There are some areas in the proactive threats that are just overwhelming the SOC, so we've had to turn those off until we can figure out how to filter out the false positives."
What is our primary use case?
I'm part of a team that does governance and consulting for migration from Symantec Endpoint Security to Microsoft Defender for Endpoint.
How has it helped my organization?
I haven't really seen anything in the solution that is an improvement over anything else. It's just that as we move to Microsoft cloud, it makes sense to look at some of the other products that sync between onsite and cloud. It's a stretch to say that it has inherently improved things.
What is most valuable?
You have endpoint security to keep your devices safe. That's the feature that we're interested in.
The visibility into threats is good.
What needs improvement?
There are some areas in the proactive threats that are just overwhelming the SOC, so we've had to turn those off until we can figure out how to filter out the false positives. Otherwise, there's no point in using it, as our SOC would be overwhelmed. Their choice would be either to run down every false positive, which would take their attention away from other things, or to start ignoring positives, which defeats the purpose of having alerts.
The threat intelligence is too overwhelming right now. The amount of time it takes to sort through and figure out proactive solutions and prioritize—if there was an imminent threat and we just relied on that—means the bad actors would have already had a chance to get to work.
It also hasn't eliminated having to look at multiple dashboards. That's one of the running jokes with the Microsoft products: They keep hinting at a single pane for everything, and they're getting better, but they're still pretty far away from that. That would be revolutionary if Microsoft could figure out how to run all their security stuff through a single pane. They would have people lined up with money in hand, but they are not there. They're not close to it. For them to even talk about it right now is disingenuous. Microsoft is better than that.
The single biggest thing that Microsoft needs to do is figure out how to pull everything together so that all their security products can be accessed through one dashboard; one place where all of that information can be gathered and looked at by people with the appropriate access permissions.
The other thing that they need to figure out is how to move away from the amount of scripting that needs to be done with a lot of their products and move into a GUI. That's especially true because there is difficulty getting people with scripting skills, especially when you get into the Kusto Query Language and putting together tables through scripts. If that could be done with a point-and-click, that would be a notable achievement.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for about a year and a half.
What do I think about the stability of the solution?
The solution is solid.
The biggest "catch" is that clients do not always want to implement systems according to the manufacturer's best practices. There's always friction if the client has in mind one way it should be, but it was designed differently.
In our case, we're talking about a big company that is used to being a big enough client that the vendor will change what they do to accommodate them. Microsoft does not have to. That's not a criticism of Microsoft. It's just that Microsoft is big. They are not a little regional provider. They will not change something in their product that's distributed globally to accommodate a client with a non-standard way of wanting to implement something. There's friction with that.
I do not see that as friction with Microsoft because of Microsoft; I see it as the friction of a client that takes a solution from a huge provider but sometimes has the mindset that they want the attention that comes when they purchase a solution from a small provider.
How are customer service and support?
When it comes to technical support, I have found Microsoft to be outstanding. The answers are not always what people want to hear, but the answers are legitimate. I do not have any criticism of Microsoft on that.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used Symantec Endpoint Security.
Aside from the possibility that some forward-thinking people see us having more of a presence in Azure, and the logic of using a Microsoft product that goes along with that, I have no clear idea what prompted the switch. That is not a poor reflection on Microsoft. It's just that whatever motivated moving from a solution that was working fine to another solution is beyond my knowledge.
How was the initial setup?
We have about 180,000 endpoints and they are distributed globally. It took us about six months to do the rollout. As we did that, we figured out various aspects that needed to be tweaked or changed for the best.
What was our ROI?
I doubt, at this point in the migration, that there is going to be ROI. I do not have enough information on that to really make an accurate determination. I think the biggest payoff is going to come in the future, as we throw more and more resources into cloud and we need to have some continuity with systems in the cloud and onsite.
What other advice do I have?
First, have an understanding of Microsoft's best practices. Second, understand that Defender for Endpoint is part of the operating system. It is not a "bolt-on," like most antiviruses are. There are going to be some differences in how Defender interacts with an operating system, compared to an external solution. Be prepared for that.
It helps prioritize threats across an enterprise to some extent, but we haven't delved that deeply into that part of Defender yet.
The solution hasn't saved us time but I'll qualify that with the fact that we are in migration, moving to a new system, which is Microsoft, and that always takes more time and effort, as we work through the teething troubles. That is not necessarily a reflection on Microsoft. It's a reflection that anytime you move from one system to another, it takes a while before the teething troubles are smoothed out.
If a security colleague said to me that it's better to go with a best-of-breed strategy rather than a single vendor security suite, I would say there are pros and cons. It would have to be a discussion about what they need to achieve and their thoughts on why a particular solution would seem best. On a high level, there are good and bad reasons for all kinds of solutions. Without having a clear understanding of what is trying to be achieved, it's really difficult to say whether one is particularly good or bad.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber Security Specialist at a healthcare company with 10,001+ employees
Automated Investigation and Response reduces workload of our SOC analysts, but lacks integration customization
Pros and Cons
- "One of the features which differentiates it from other EDR providers is the Automated Investigation and Response, which reduces the workload of SOC analysts or engineers. They don't have to manually investigate each and every alert on the endpoint, since it does so automatically. And you can automate the investigation part."
- "Other vendors provide a lot of customization when it comes to integration, which every big organization requires. No big organization depends on one particular tool. Defender lacks that at this point."
What is our primary use case?
We use it for endpoint detection and response.
The agent is installed on the endpoint, on the laptop or desktop, but it's a SaaS solution.
How has it helped my organization?
One feature that has proven beneficial is the Threat and Vulnerability Management module of Defender for Endpoint, which provides information on the vulnerability of all the endpoints. We don't have to run active scans via network scanners. It is built-in. That has proven to be helpful, although we're still in the early phases. We have identified vulnerabilities that were in our organization for too long and nobody knew about those machines and the vulnerabilities on them. From a vulnerability remediation point of view, it has been quite helpful to us.
What is most valuable?
One of the features which differentiates it from other EDR providers is the Automated Investigation and Response, which reduces the workload of SOC analysts or engineers. They don't have to manually investigate each and every alert on the endpoint, since it does so automatically. And you can automate the investigation part.
In addition, there are several features that have helped to improve our security posture at the prevention level, such as the attack surface reduction controls and the exploit prevention control. The attack surface reduction comes with the solution, out-of-the-box. There is Application Control as well, which is kind of difficult to implement, but once you are through the pain of designing and implementing it, it is one of the very good features to have. These tools are some of the things that are missing from other vendors' products, as I have worked with McAfee, Symantec and Carbon Black.
What needs improvement?
One area for improvement is that, because it comes out-of-the-box, it does not interact well with many applications we have developed in-house. There is no way to exclude them because it interacts with everything on the endpoint. One of the issues is lagging: the in-house-developed applications suffer from this and they become slow. For a big enterprise, it is important that they include a feature so that we can exclude these applications.
Another area where it could be improved is that, while it collects a lot of data, it misses some data, which is important, such as the hardware version of the endpoint and the AV signature version. I think this improvement is in the Microsoft pipeline already but it is not in the solution yet.
For how long have I used the solution?
I have been using Microsoft Defender for Endpoint for around one and a half years.
What do I think about the stability of the solution?
It has been quite stable up until now. It does not break. Microsoft is developing on it quite frequently and more and more features are coming in, but overall it is quite stable. It does not break that often.
As we have moved away from Microsoft Defender Antivirus and to the EDR solution, we have seen very few issues so far that users have faced with this. There have been very occasional performance issues for some users, but they have been very rare.
What do I think about the scalability of the solution?
Scalability is one thing which, I think, Microsoft is working on, because it is not yet very scalable. What it provides out-of-the-box is all it has. Any big organization needs customization, but the customization of it and running customized things on top of it are areas where it is lagging. That is something Microsoft needs to work on. Examples include running custom playbooks or customizing the events which it is collecting.
We are protecting 100,000 endpoints with this solution. We may increase usage, but there is no plan for that as of yet.
How are customer service and technical support?
Microsoft technical support is good.
Which solution did I use previously and why did I switch?
Before Microsoft Defender for Endpoint we had Carbon Black. But when I came onboard, Defender for Endpoint had already been chosen.
How was the initial setup?
The setup process is not very complex, but it is also not very straightforward. It depends on what solutions you have. If you have everything set up, which is usually the case for big organizations, then it is pretty smooth. But if there are some things that are not set up properly in the organization, like certain parts of the infra or the cloud onboarding, then it becomes cumbersome; not the installation part, but setting up the backend which it needs.
Our implementation strategy was that we started with a few pilot machines, to onboard Defender for Endpoint. We noticed that we had around 70 to 80 percent failures. It was a learning phase and we identified the root cause of those failures. There are some settings in Defender AV that need tweaking when you want to onboard Defender for Endpoint. We struggled to tweak those settings, but once that was done, it went pretty smoothly for the next couple of pilots. Then we encountered another roadblock which was related to an OS version dependency.
Overall, it took us about one month to onboard the solution, but we are weak in infra.
What about the implementation team?
We had our consultant from Microsoft for the implementation. The engagement went on for three to four months. But one thing we noticed from this project was that it did not need a consultant. It was not that difficult to do. Maybe we did not get an expert consultant because, for solving issues, he also took time.
In addition to doing onboarding, we wanted our third-party integrations, but that was something they could not do because they were Microsoft. We had to do that ourselves. Over that three or four months, we realized that we didn't need them.
Microsoft consultancy is good and bad. If you get good consultants, they are really good. But sometimes you get consultants who are not expert enough in their domains and you don't get enough from them.
What was our ROI?
We have not seen ROI yet, but we are hopeful that in the future it will provide that.
Which other solutions did I evaluate?
One of the differences between other solutions I have used and Microsoft Defender for Endpoint is that the latter is not yet enterprise-ready to the same extent that the other vendors are. Other vendors provide a lot of customization when it comes to integration, which every big organization requires. No big organization depends on one particular tool. Defender lacks that at this point.
What other advice do I have?
Defender for Endpoint is marketed as an endpoint detection and response tool, but for others who are looking at onboarding it, they should take it as a holistic tool that provides AV, EDR, and vulnerability management all in one. However, it does not provide very good integration with third parties.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sole Proprietor at Core-Infosec
Works natively with detection and response across the whole environment but not the strongest solution on the market
Pros and Cons
- "Integration between Microsoft products is very easy."
- "If a threat actor comes in, and creates a global administrative account, they can gain access to everything and whitelist then block everything else. Having everything, including Defender, under one brand is like having all of your eggs in one basket."
What is our primary use case?
We primarily use the solution for security. For most clients, we deploy the solution for security purposes. Some clients just deploy it as part of Microsoft. Some haven't fully set it up even though they've paid for it. Some may be deployed and set it up and then have it disabled.
What is most valuable?
They've grown the solution into an XDR EDR type of solution. It's nice. Everyone is going in the same direction. There are good process flows and features that make permissions and setup easier if clients are all under Microsoft.
If you get it set up correctly, it just works.
It does help us prioritize issues. It depends on how the user has it set up, however. You can make a very nice pane of glass. It depends on who it's set up for and what they are doing with it. Some people throw the Windows Defender EDR solution out there and walk away. It does you no good if you're not sitting there watching it, monitoring and setting it up to get the feeds and the alerts and everything else.
It integrates really well with other security tools. That's something they've done very well. Integration between Microsoft products is very easy. It also works well with API plugins, etc. It works natively with detection and response across the whole environment. There may be pieces that may be tuned or integrated correctly. However, it's all pretty seamless.
The threat protection is pretty comprehensive.
Defender helps automate routine tasks and find high-value alerts. It's a one-stop shop. You can do integration, for example, with Microsoft Teams. It depends on the business you want to run. A mom-and-pop shop may not need so many tasks sent to very specific people. For larger enterprises, having the same tool across the board makes it very easy.
Defender Endpoint does help prepare for potential threats before they hit. When you're looking at signature-based AV, Defender, just like everyone else, will pick up something known. However, when it comes to user behavior analysis, that's a bit more complicated.
We've saved five hours or less per month in terms of saving time.
I might help clients save money, depending on the size of the organization. With Defender, you are just paying for licensing. It's all moved to the cloud.
What needs improvement?
If a threat actor comes in, and creates a global administrative account, they can gain access to everything and whitelist then block everything else. Having everything, including Defender, under one brand is like having all of your eggs in one basket.
Since they are linked to the operating system, they should have good visibility on what is malicious and what is not. They should be at the forefront in that area. However, they are doing what everyone is doing, especially in threat sharing. Pretty much any EDR solution has the same intelligence. Microsoft should go further since they develop so much of the underlying infrastructure; since they've "built the house," they should know everything about it. They should be more intuitive.
For how long have I used the solution?
I haven't been using the solution for too long. I've started using it recently. However, Defender has been around for years.
How are customer service and support?
Technical support is always good. There are different levels you can pay for. I personally have never had to use support for the Defender product. Getting really good technical support depends on what partner level you are.
Which solution did I use previously and why did I switch?
I'm also familiar with Sentinel and CrowdStrike. I do move my clients towards third parties and don't necessarily try to set them up under just Microsoft.
Inherently, everyone is using the threat intel. They share and ingest threat information. The intel is there. Some organizations may do it a bit better if you were ranking them. However, Microsoft's job isn't necessarily security. They have cloud infrastructure, et cetera. That is unlike CrowdStrike, where security is their bread and butter. For Microsoft, Defender has always been the last on their list in terms of priorities.
What was our ROI?
Calculating ROI would depend on what your overall security posture is for your entire organization. If you are just trying to do PCI compliance, you may be opening yourself up to threats down the line. Also, if you are never updating, et cetera, you might be a target for ransomware. However, if you take the time to diversify and watch your systems regularly, you will see more ROI.
What's my experience with pricing, setup cost, and licensing?
The solution is cost-effective as it is on-cloud. You don't need to accrue costs related to hosting.
The pricing is fair. However, it depends on what you are trying to buy and what size your organization is.
What other advice do I have?
I'm a Microsoft partner.
This solution does not make my top five.
As far as relatively decent, I'd say they are okay. I'd rate it seven out of ten. However, it's always the number one thing threat actors are targeting.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Cloud Security Engineer at Theos
Helps us be more proactive about security with suggestions on how to improve
Pros and Cons
- "Defender's analytics are much better than CrowdStrike's."
- "The documentation could be better. When they update their manuals, sometimes they refer to products by their old names, so it is a little confusing. For example, the documentation might still say "Advanced Threat Protection" instead of Defender for Endpoint."
What is our primary use case?
I am using Defender for one of my customers.
How has it helped my organization?
We use Defender with Sentinel, so we can see everything from one dashboard. You can also use the 365 security portal to manage all your Microsoft solutions, but Sentinel covers the entire estate. It has automation features, but I am not the one who configured that. A separate team does that for the customer.
Defender helps us be more proactive about security with suggestions on how to improve. It provides a Microsoft security score for 365 and Azure, both of which are helpful.
Defender saved us time. I believe it saved the customer some money, but I could not provide exact figures.
What is most valuable?
Defender's analytics are much better than CrowdStrike's. It has the ability to intelligently learn and respond to threats. We conducted a simulated ransomware attack to test it, and Defender detected it faster than CrowdStrike.
My customer is also happy with Defender's interface. It helps them prioritize threats across their environment. We also use Sentinel and Defender for Cloud. I also tested a VM deployed with Defender that reports back to the 365 portal. It's easy to integrate Microsoft security solutions. All of the solutions work in concert, and they're synchronized. I have no problems with integration and can see the entire landscape. The protection is comprehensive. I'm impressed. I have no complaints about the product.
The bidirectional sync with Defender for Cloud is crucial. If I check the other side of the signal, I can update the source of the alerts. It's vital to have a bidirectional connection for analysis and feedback.
What needs improvement?
The documentation could be better. When they update their manuals, sometimes they refer to products by their old names, so it is a little confusing. For example, the documentation might still say "Advanced Threat Protection" instead of Defender for Endpoint.
For how long have I used the solution?
I have used Defender for Endpoint for three months.
What do I think about the stability of the solution?
I rate Defender a nine out of ten for stability.
What do I think about the scalability of the solution?
Defender scales well.
How are customer service and support?
I rate Microsoft's support a nine out of ten. They were impressive. Microsoft has excellent support engineers.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I previously worked with CrowdStrike Falcon. Defender is more effective because it identifies more threats than Falcon.
What other advice do I have?
I rate Microsoft Defender for Endpoint a nine out of ten. If someone asked me whether a best-in-breed or single-vendor strategy was better, I would say there's no right or wrong answer. It's better to use one vendor from an integration perspective because it's easier to set up.
A single-vendor approach also simplifies support. For example, if you use CrowdStrike, you might be using Splunk as your SIEM. When you open a ticket with CrowdStrike, they will only be able to answer questions about their own products.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Principal IT Support Engineer at a retailer with 201-500 employees
A robust, straightforward, and intuitive tool that's easy to manage from the admin center
Pros and Cons
- "Defender for Endpoint is a robust solution that works well out-of-the-box."
- "Our team's knowledge of the solution needs to be improved, and Microsoft could do a better job conveying the necessary information to users. We could proactively use the tool more and explore capabilities we are not yet utilizing."
What is our primary use case?
Our primary use case is anti-malware and virus protection for our machines. We don't operate a network as such; our setup is almost entirely in the cloud.
We use the solution across multiple departments and teams, with about 400 total end users.
How has it helped my organization?
Around 90% of our estate is Mac, so we rarely have security alerts, but we get daily reports. The solution lets us proactively advise users about security concerns, especially when downloading files.
What is most valuable?
The solution is a Microsoft built-in tool, so it's very straightforward to use and monitor from the admin center; it's intuitive.
As with all antivirus software, the benefits of using it far outweigh the risks of not having it. Protecting our estate, machines, and users is essential. We can take action quickly, for example, when a user downloads something suspicious, and step in before the threat escalates. As an organization, we have encrypted files and data that it is vital for us to protect.
Defender for Endpoint is a robust solution that works well out of the box.
We can monitor and manage our security picture from one dashboard, and that's one of the primary reasons we use the solution. Our machines are enrolled on Microsoft Intune, which further simplifies management. With the E5 license, everything is in the same place; that makes our job easier and allows us to be more proactive when confronting threats. Not having to log in and out of different systems to manage devices is an excellent improvement to our operation.
The solution's threat intelligence helps us prepare for potential threats and makes us more proactive. We have the information required to warn our users of threats, including malicious links and phishing emails. The product gives us an accurate picture of the threat landscape, enabling us to adapt our strategy to protect our most sensitive and vital data.
There is a difficult balance working in IT, as we don't want to put all our eggs in one basket; if one system goes down, we are compromised. We want the flexibility and reliability offered by different specialized solutions, but that complicates management. With Defender for Endpoint, we don't need to worry about machines slipping through the gaps and remaining unprotected because the product is connected to the user account and pushed by the tenant. There is no agent, and the solution isn't intrusive; the user doesn't even know it's there. Other vendors I dealt with in the past required clients to be installed and updated, with potential problems coming in if the client isn't up to date. This isn't an issue we have with Defender.
What needs improvement?
Our team's knowledge of the solution needs to be improved, and Microsoft could do a better job conveying the necessary information to users. We could proactively use the tool more and explore capabilities we are not yet utilizing.
For how long have I used the solution?
We have been using the solution for about six months.
What do I think about the stability of the solution?
The solution is stable; Microsoft goes down very rarely. It happened just a few times over my career. If it does go down, the impact is significant.
What do I think about the scalability of the solution?
The solution is very scalable. Microsoft makes that easy, and we plan to increase our Defender for Endpoint usage.
How are customer service and support?
I've only contacted Microsoft support a few times, and they were always helpful. I don't have any issues with the support; they're good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used Symantec Endpoint Security. It was somewhat clunky. The engineers found it too intrusive as it required a client to be installed, dramatically slowing down the machines. We switched to Defender for Endpoint because it's part of the Microsoft suite, and we can use it across platforms for Windows and Mac.
How was the initial setup?
The initial setup is straightforward. Initially, we didn't use the E5 licensing, so it was a basic cloud setup with a license per user. Now we have our own tenants, and we're deploying E5 licenses, and Defender for Endpoint comes as part of the license. A user activates the app in the Office 365 tenant, and that's the setup.
The initial deployment didn't take very long; it was just a tick box exercise. We are moving tenants, so we're giving everyone a new E5 license when they move over. It's quick and easy to assign licenses via a tool we have, which provides users with access to the entire Microsoft suite, including Defender for Endpoint.
Five people were involved in the deployment, all of them IT staff.
I'm not directly involved in taking care of the solution, but it seems lightweight in terms of maintenance. Most of the updating is end-user-driven; users are prompted to restart their machines to stay up to date with security patches.
What was our ROI?
As we have only been using the solution for six months, I don't think we've seen an ROI yet. I imagine in another two years, we will see a return.
What's my experience with pricing, setup cost, and licensing?
AV solutions are pretty expensive because they are necessary, not just for protection, but many businesses need them to comply with regulatory bodies and receive accreditation. We recently purchased an E5 license, which gives us access to the entire Microsoft suite. I would say the pricing is competitive; most tools of this kind are similarly priced. There are minor differences between the competitors, but they aren't spectacularly different. Defender for Endpoint makes sense because all our solutions are in the same place, paid for with a single license. The subscription price is around £50 per user per month, though it may have increased slightly.
Which other solutions did I evaluate?
We evaluated Sophos Intercept X and Kaspersky Endpoint Security for Business.
What other advice do I have?
I would rate the solution an eight out of ten.
Defender for Endpoint helps us automate routine tasks, but I don't specifically know what kind of automation it does or what we use it for, as the InfoSec team is responsible for that.
No solution is completely foolproof, but the configuration has a large part to play in the quality of the protection.
We have been in business for two years, so we're a relatively small and young company. Nevertheless, it's vital to have protection against malicious actors. The threat landscape we face today is complex and diverse, so our threat protection needs to be up to par. That's the benefit of using the product; we need to protect our data, and having a tool that informs us of potential threats is excellent.
As an end user, the solution didn't personally save me time, but I imagine it did for the InfoSec team who deal with it directly. The security reporting will all be in one place, and we don't have to go to the marketplace to look for separate tools to fulfill different functions.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Centralized device management, advanced threat detection, and it's cost-effective
Pros and Cons
- "We apply the DLP policies across a range of endpoints and it is very accurate when reporting vulnerabilities, including those in email attachments."
- "It would be helpful if they included XDR features, on top of the EDR functionality."
What is our primary use case?
We are using this product as part of our EDR solution, and we use it in conjunction with CrowdStrike. We are a solution provider and this is one of the products that we deploy for our clients.
How has it helped my organization?
This product has features that improve our security posture including good vulnerability detection, maintaining endpoint devices, and unified management. The management feature allows us to manage all of our devices from a single location.
The advanced techniques used by Microsoft Defender are improving our user experience. Our users used to complain that they didn't need certain features, but this was because the legacy antivirus and other EDR solutions were hampering their usage. Nowadays, vulnerability detection is very effective and they are comfortable with the security, as well as the administration, giving them a better overall experience.
What is most valuable?
The most valuable feature is threat detection. We have been notified of viruses and threats such as ransomware attacks.
The Cloud App Security features are useful.
We apply the DLP policies across a range of endpoints and it is very accurate when reporting vulnerabilities, including those in email attachments.
Microsoft Defender integrates well with Office 365.
Especially these days, with the COVID situation, this product helps us to better reach our users and solve problems. For example, we no longer need to ask them to bring in their laptop to check for and address issues. We can apply policy, automatically define rules, and remedy problems using the central management features.
What needs improvement?
It would be helpful if they included XDR features, on top of the EDR functionality. It would improve the capabilities, as XDR solutions are doing better.
For how long have I used the solution?
I have been working with Microsoft Defender for Endpoint for almost a year, with the E5 licenses.
What do I think about the stability of the solution?
Stability-wise, it is responsive and I don't see any drawbacks. They have additional features that make it a little more robust.
What do I think about the scalability of the solution?
Scalability-wise, considering the integration that they have, it's good. For example, it can be integrated with Azure Sentinel. We have two or three people who work with managing and deploying this product.
We deploy across Qatar and currently have about 68,000 endpoints protected with Defender. Our usage will increase based on the number of clients we have that buy the product. Ultimately, it depends on the licensing model.
Which solution did I use previously and why did I switch?
Prior to working with Microsoft Defender, we used CrowdStrike and SentinelOne. We switched because these other products are standalone, and require that we install and maintain them manually. Microsoft Defender is unified and comes as part of Microsoft 365, which makes it easier to set up and manage.
The advantage that these other products have is the XDR features.
How was the initial setup?
The initial setup is straightforward. We deploy this product using Microsoft Intune, which is very helpful. It took us one month to deploy approximately 5,000 users. We had a specific plan that we followed for the implementation.
What about the implementation team?
I completed the deployment.
What's my experience with pricing, setup cost, and licensing?
This product offers cost-effective threat protection, which integrates with Office 365 and has unified endpoint management features.
We currently use the enterprise-level, E5 licensing scheme. It is a complete bundle that includes the Microsoft 365 products, the Zero Trust solution, and Microsoft Defender.
The E5 license is the one that I recommend because it comes with Cloud App Security, which is a good thing to have on top of Microsoft Defender. It means that you can monitor any threats, sign-in attempts, and other resources whether on the cloud or on-premises.
What other advice do I have?
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
ICT&CyberSecurity Services Team Lead at a comms service provider with 501-1,000 employees
Scalable, has XDR capabilities, and integrates well with Microsoft products
Pros and Cons
- "I've started to test it from the security point of view. There are plenty of features that are interesting, but at this time, the XDR functionality is most valuable. It is endpoint security on steroids."
- "I miss having an executive dashboard or a simple view for viewing things. Everything is extensive in this solution. Everything is configurable and manageable, but the environment of Microsoft 365 has about 13 administrative dashboards, and in each of the dashboards, there are a gazillion things to set up. It is good for a large enterprise, but for a 200-seat client, you need to see 5% of that."
What is our primary use case?
We have been using it in our test environment. On the customer side, we are using the small business variant of the tool. So, we are using Microsoft Defender for Endpoint and Microsoft Defender for SMBs. They're pretty similar, but the one for SMBs is a little lighter.
In our test environment, we have access to 50-seat licenses for everything. So, we are making sure that we are technically in a good place before we begin to offer this kind of solution to our clients. In addition to our solutions, we are delivering services to our clients. So, when we sell an SMB or enterprise Microsoft license, we are able to do the migration, management, and other things for a client.
How has it helped my organization?
It works well with different solutions from Microsoft. If a company is using the Microsoft 365 package, this security addition is easier to implement and manage because it is from the same vendor. You have greater visibility because they are from the same vendor. Microsoft probably also has larger visibility on the endpoint itself because of its own operating system.
It provides good visibility into threats. I would rate it a seven out of ten in terms of visibility.
Its threat intelligence is helpful for preparing for potential threats before they hit and taking proactive steps. We can manage our own images, and we can also inform the client to patch certain things.
What is most valuable?
I've started to test it from the security point of view. There are plenty of features that are interesting, but at this time, the XDR functionality is most valuable. It is endpoint security on steroids.
It allows you to prioritize threats across the enterprise, which is very important because the SLAs are different for different cases. If the error is critical, you must act now. If something is just informational, it can be done in weeks.
What needs improvement?
I miss having an executive dashboard or a simple view for viewing things. Everything is extensive in this solution. Everything is configurable and manageable, but the environment of Microsoft 365 has about 13 administrative dashboards, and in each of the dashboards, there are a gazillion things to set up. It is good for a large enterprise, but for a 200-seat client, you need to see 5% of that.
A simplified SIEM would work so that we don't have to use everything in Sentinel, which is great by the way, but Sentinel is too expensive for our kind of market. It is an enterprise product. It is not an SMB product.
For how long have I used the solution?
We have been using it for half a year in our test environment.
What do I think about the stability of the solution?
It is good. It is stable. Once you set it up, it works, but we haven't tested it on a large time scale. The solution itself is pretty young. We'll see how stable it will be in the next few years.
What do I think about the scalability of the solution?
It is very scalable. We hope to increase the usage of the product. It is being used only by our team for now at multiple locations. It is for laptops in the office and other networks and also for mobile devices. A few tech guys in our department are testing everything that could happen on the client side, and that's it.
How are customer service and support?
I didn't use their support for this solution, but the knowledge base, training, and documentation are pretty good. I would rate it a nine out of ten.
How would you rate customer service and support?
Positive
How was the initial setup?
It is complex. You need to first have a list of computers. Then, you need to set up the plan for these computers, and then, you need to deploy it and apply it. There are too many steps to deploy this kind of solution because it is a Microsoft native solution.
In terms of the implementation strategy, first, you need to have a view of the inventory. You have to have knowledge of what is already installed on an endpoint. You don't want to cause any clashes with some other endpoint security vendor. So, you need to know your devices. The next step is to prepare the package and then decide to deploy it via Intune or via MSI, through group policy.
In terms of duration, you can deploy it on one computer in minutes. If you are deploying it on a thousand computers and everything is set up correctly, it can be done in a few hours, but if everything is not set up correctly, it can take up to a day or a week.
It took a month for us to realize its benefits from the time of deployment. It takes some time to understand the settings, portal, etc.
It has not yet saved any time. It has only consumed my time for now because I need to learn and do the training and PoCs, but it is an investment for the future.
What about the implementation team?
The number of people required for deployment depends on the size of the client or the company. I can do it by myself if I have a client with 100 seats, but if there is a corporation or enterprise in several locations, we need to involve the local IT people to confirm everything is okay, etc.
It doesn't require any maintenance, but it requires somebody to take care of the consequences. You can implement endpoint security and just have it there. You don't have to maintain the solution itself, but you need to take care of the alerts. You need to take care of the patches and other things. The number of people required depends on the size of the client.
What was our ROI?
It hasn't saved us any money yet. It might save in the future, but it depends on the pricing of Microsoft because there are several different parts of the Microsoft solution.
What's my experience with pricing, setup cost, and licensing?
Everybody would like to see a lower price on everything. The Slovenian market is basically an SME market with clients having up to 100-seat licenses, comprising 90% of the company. They're very price sensitive. So, the price could be cheaper.
Any additional costs depend on the basic license of the client. There could be additional costs. If somebody needs Plan 2 of Defender for Endpoint, if I'm not mistaken, it is only available as an add-on. It is not included in any license, not even in the E5 license. So, there are some things at an additional cost.
Which other solutions did I evaluate?
We are always open to suggestions and newer and better things. We are constantly looking around for similar solutions and testing them. Microsoft is the biggest player. Everybody uses something from Microsoft. So, it is a logical next step. For an MSP, by having everything from one vendor or everything under one umbrella, managing clients is easier. This is the main reason for exploring this solution.
At the moment, we are using the Cynet XDR solution, and we also tried SentinelOne. We are going to put it in our portfolio in the following months, but mostly, we are comparing everything to Cynet because we have more clients on Cynet.
In comparison to other solutions that we are using, Microsoft Defender for Endpoint has not decreased our time to detect and time to respond much.
What other advice do I have?
In my opinion, from the management and maintenance point of view, it is better to go with a single vendor, but from the security point of view, multiple vendors on multiple layers could work better than one vendor. If one vendor is breached, then everything goes, but if you have several layers with several vendors, and only one is breached, you have other vendors.
My advice to those evaluating Microsoft Defender for Endpoint is to stick with it and train themselves. They should know the solution and try it as much as they can. Microsoft is on the right path here.
It helps to automate routine tasks and the finding of high-value alerts, but we haven't yet implemented automation. We are planning to implement it, but at this time, because of a small number of clients, it is easier to do it manually. We just look into the alerts and resolve them one by one. We don't have a few thousand alerts per day, per week, or per month. So, it is manageable to handle them manually.
It would help us to eliminate looking at multiple dashboards and have one XDR dashboard, but we haven't yet managed to do that.
I would rate it an eight out of ten. I would have rated it a ten, but it is a pretty pricey solution.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
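The pre-flight step the reviewer above describes (know what is already installed on each endpoint before pushing the onboarding package, so a second AV or EDR sensor does not clash) can be scripted. The following PowerShell is an added example, not code from the review or from Microsoft: it reports the antivirus products registered with Windows Security Center, Defender AV's running mode, the state of the MDE sensor service ("Sense"), and the OnboardingState value the onboarding script writes under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status (1 = onboarded), then gives a verdict for the deployment plan. The function name, the verdict labels, the hosts.txt file and the CSV path are this example's own choices. It assumes an elevated session on a Windows 10/11 client; the root/SecurityCenter2 namespace is not present on Windows Server, which the script tolerates.

```powershell
# Added example (not the reviewer's or Microsoft's code): pre-flight inventory of a
# Windows 10/11 endpoint before onboarding it to Microsoft Defender for Endpoint.
# Run in an elevated PowerShell session on the target machine, or remotely via
# Invoke-Command as shown at the bottom. Assumptions: the documented registry key
# HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status and its
# OnboardingState value (1 = onboarded); root/SecurityCenter2 exists only on
# client SKUs, so its absence is treated as "unknown", not as an error.

function Get-MdePreflightReport {
    [CmdletBinding()]
    param()

    # 1. Antivirus products registered with Windows Security Center. A third-party
    #    entry here is the "clash" to resolve before deploying the onboarding package.
    $registeredAv = @()
    try {
        $registeredAv = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
                -ClassName 'AntiVirusProduct' -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Name         = $_.displayName
                    # productState is a vendor-encoded bit field; report it raw in hex.
                    ProductState = ('0x{0:X6}' -f $_.productState)
                }
            })
    } catch {
        Write-Verbose "SecurityCenter2 not available (server SKU?): $($_.Exception.Message)"
    }
    $thirdParty = @($registeredAv | Where-Object { $_.Name -notmatch 'Windows Defender|Microsoft Defender' })

    # 2. Defender AV state. AMRunningMode distinguishes Normal from Passive/EDR Block mode.
    $mp = $null
    try { $mp = Get-MpComputerStatus -ErrorAction Stop } catch {
        Write-Verbose "Get-MpComputerStatus failed: $($_.Exception.Message)"
    }

    # 3. The MDE sensor service; absent means the sensor has never been enabled here.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

    # 4. Onboarding state written by the onboarding script (1 = onboarded).
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboardingState = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' `
            -ErrorAction SilentlyContinue).OnboardingState

    # 5. Verdict for the deployment plan (labels are this example's own).
    $verdict = if ($onboardingState -eq 1 -and $sense -and $sense.Status -eq 'Running') {
        'AlreadyOnboarded'
    } elseif ($thirdParty.Count -gt 0) {
        'ConflictingAvPresent'
    } elseif ($null -eq $mp) {
        'DefenderAvUnavailable'
    } else {
        'ReadyToOnboard'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        RegisteredAvProducts = ($registeredAv.Name -join '; ')
        ThirdPartyAvPresent  = ($thirdParty.Count -gt 0)
        DefenderAvEnabled    = if ($mp) { $mp.AntivirusEnabled } else { $null }
        DefenderRunningMode  = if ($mp) { $mp.AMRunningMode } else { $null }
        RealTimeProtection   = if ($mp) { $mp.RealTimeProtectionEnabled } else { $null }
        SignatureLastUpdated = if ($mp) { $mp.AntivirusSignatureLastUpdated } else { $null }
        SenseServiceStatus   = if ($sense) { [string]$sense.Status } else { 'NotInstalled' }
        OnboardingState      = $onboardingState
        Verdict              = $verdict
    }
}

# Single machine:
Get-MdePreflightReport | Format-List

# Fleet inventory ahead of an Intune or GPO rollout (hosts.txt is your own host list;
# requires WinRM/PowerShell Remoting to the targets):
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-MdePreflightReport} |
#     Export-Csv .\mde-preflight.csv -NoTypeInformation
```

Sort the exported CSV on the Verdict column: rows marked ConflictingAvPresent go to the uninstall queue first, AlreadyOnboarded rows can be dropped from the deployment group, and the remaining ReadyToOnboard hosts are the ones the Intune or group policy assignment should target. Re-run the same check after deployment to confirm OnboardingState has flipped to 1 and the Sense service is running.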

Buyer's Guide
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros
sharing their opinions.
Updated: April 2025
Product Categories: Endpoint Protection Platform (EPP), Advanced Threat Protection (ATP), Anti-Malware Tools, Endpoint Detection and Response (EDR), Microsoft Security Suite
Popular Comparisons
CrowdStrike Falcon
Microsoft Intune
Fortinet FortiEDR
Microsoft Defender for Office 365
Microsoft Sentinel
Microsoft Entra ID
Microsoft Defender for Cloud
SentinelOne Singularity Complete
Microsoft Defender XDR
Cortex XDR by Palo Alto Networks
Microsoft Purview Data Governance
Fortinet FortiClient
Elastic Security
Symantec Endpoint Security
Cisco Secure Endpoint
Quick Links
Questions:
- Compare Microsoft Windows Defender and Symantec Endpoint Protection. How Do I Choose?
- Which product would you choose: Microsoft Defender for Endpoint vs Cortex XDR by Palo Alto Networks?
- What do you think of the integration of Azure AD Services, Defender for Endpoint, and Intune as comprehensive security solutions?
- CrowdStrike Falcon vs Microsoft Defender ATP: Comparison of features and performance
- How does Microsoft Defender for Endpoint compare with Crowdstrike Falcon?
- Running Carbon Black Defense Along with Windows Defender
- How is Cortex XDR compared with Microsoft Defender?
- Which offers better endpoint security - Symantec or Microsoft Defender?
- How does Microsoft Defender for Endpoint compare with Carbon Black CB Defense?
- How would you compare between Microsoft Defender for Endpoint and Tanium EDR?