Microsoft Defender XDR Reviews

We use Microsoft Defender XDR to secure all data transfers between the company network, databases, and user devices. It also protects against malware, ransomware, and other security threats.

Microsoft Defender XDR provides unified identity and access management.

Microsoft Defender XDR can extend beyond to cover more than just Microsoft technology.

The most beneficial aspect of Microsoft Defender XDR is the integration with Office 365.

We can realize the benefits of Microsoft Defender XDR anywhere from two weeks to three months, depending on the organization.

Microsoft Defender XDR stops the lateral movement of advanced attacks.

When a user exhibits suspicious activity, Defender XDR and Microsoft Sentinel work together to provide real-time protection and automation for prevention. This includes threats like insecure connections, lateral movement by malware, and unauthorized email sending. While Microsoft Defender XDR is a powerful solution on its own, combining it with Microsoft Sentinel and automation creates an even more robust defense.

Microsoft Defender XDR helps to discontinue other third-party solutions in our environment.

The cost savings potential of Microsoft Defender XDR depends on the size of an organization and the specific licensing chosen.

Microsoft Defender XDR streamlines security team workflows by offering a unified console for investigation, blocking, and mitigation.

The integration between all the Defender products is the most valuable feature.

The management and automation of the cloud apps have room for improvement.

I have been using Microsoft Defender XDR for 3 years.

Microsoft Defender XDR is stable.

The scalability of Microsoft Defender XDR depends on your organization's network for on-premises deployments, but it offers excellent scalability for cloud deployments.

Scaling Microsoft Defender XDR on-premises can lead to network and access control list problems, as well as VPN restrictions.

Microsoft Defender XDR boasts a straightforward setup process. This ease of use stems from its integration with existing Microsoft products. Once we have the appropriate license, we can be up and running quickly. Extensive documentation is available, and Defender XDR enjoys broad industry compatibility. Many other security solutions readily integrate with Defender XDR, opening their products to its robust security features.

The deployment time depends on each environment and can take anywhere from a couple of days to one month.

The number of people required for deployment also depends on the environment and varies between two to eight people.

The price we see for Microsoft Defender XDR is typically the discounted rate we offer to our customers. However, when we bundle Defender XDR with other Microsoft products, the overall bundle price may differ. Despite any initial price considerations, Defender XDR offers excellent value. It's important to compare similar products to make a fair assessment. For organizations already using Microsoft products, which applies to roughly 90 percent of our customers, Defender XDR is easy to set up. Unlike some third-party security solutions, Defender XDR integrates seamlessly with our existing Microsoft environment, eliminating the need for complex identity management configurations and development efforts.

While the standalone price of Defender XDR might seem high, its value becomes clear when considering the ease of implementation and smooth integration with our existing Microsoft infrastructure, especially when bundled with other Microsoft products.

I would rate Microsoft Defender XDR nine out of ten.

Between one and two people are required for maintenance which is conducted twice a month to roadmap Microsoft and check new features.

I recommend thoroughly reading the documentation. Additionally, if there are opportunities to attend Microsoft events, such as a partner workshop focused on Defender, these would be valuable resources. By participating in these activities, you can gain a deeper understanding of what needs to be done within your environment to successfully implement Microsoft Defender XDR.

We use Microsoft Defender XDR to protect our endpoints, computers, mobile devices, and emails.

In part, Microsoft Defender XDR provides unified identity and access management.

Microsoft Defender XDR can protect 98 percent of devices.

With Microsoft Defender XDR we can now manage all of our non-critical computers from one console. The management level and implementation level are easy. Microsoft Defender XDR is also cost-effective.

We have been using Microsoft solutions for over 25 years so it didn't take much convincing to start using Microsoft Defender XDR.

Microsoft Defender XDR has enabled us to discontinue the use of Kaspersky in our safe computers.

Being able to reduce the number of solutions used has been helpful to our security team's operations. The discontinued use of other security products has reduced manual correlation. Using Microsoft has a lot of advantages, especially in management. The reduction in manual correlation is important for our organization.

Microsoft Defender XDR saves our security team around three hours a day.

The most valuable features are spam filtering, attachment filtering, and antivirus protection.

Microsoft Defender XDR is not a full-fledged EDR or XDR. Any true XDR should be more powerful than what Microsoft is currently providing. For some public-facing companies, computers, and endpoint computers, we need additional security from CrowdStrike or other third-party XDR.

Microsoft Defender XDR does not stop 100 percent of the lateral movement or advanced attacks. Our machines use both Microsoft Defender XDR and Crowdstrike and we have had instances where attacks were missed by Microsoft Defender XDR but caught by Crowdstrike.

I have been using Microsoft Defender XDR for four years.

Microsoft Defender XDR is stable.

Microsoft Defender XDR is scalable.

We previously used Kaspersky, Norton, and CrowdStrike. We switched to Microsoft Defender XDR because of its streamlined management capabilities.

The initial deployment was straightforward. We pushed Microsoft Defender XDR remotely across our system consisting of 300 computers. We are a team of seven people and each of us was involved in the deployment process.

The implementation was done in-house.

Microsoft Defender XDR is expensive.

We did not evaluate other security solutions because I have extensive knowledge of most products, their strengths and weaknesses, and their overall capabilities. Additionally, considering all our products are on Microsoft 365, a cloud-based platform, and we already utilize its various components like mail, documents, and more, integrating Microsoft Defender for threat detection and management was a natural choice due to existing ecosystem compatibility and streamlined administration.

I would rate Microsoft Defender XDR an eight out of ten.

Microsoft Defender XDR is deployed across multiple locations and departments.

Minimal maintenance is required for patching.

We use Microsoft Defender XDR for antivirus, threat intelligence, and email blocking.

Microsoft Defender's XDR platform provides unified identity and access management. It has improved significantly, although other products remain slightly ahead. I would rate it among the top four or five XDR platforms I've used, and Microsoft is continuously enhancing its capabilities. Overall, it's a fairly good solution.

Consolidating identity and access management under one umbrella within Defender 365 offers significant advantages. This unified approach simplifies control and visibility, eliminating the need to navigate through different screens from multiple vendors. With everything centralized, we gain a comprehensive overview of all IAM activities and can easily access specific details through subcategories. The main page provides a clear starting point, highlighting key information and granting quick access to deeper levels of detail when needed.

While Microsoft Defender can effectively impede the lateral movement of advanced ransomware, it cannot guarantee complete protection. No system is perfect, and vulnerabilities will always exist.

Defender's ability to stop attacks includes its adaptability to evolving threats. Microsoft has been steadily improving Defender over the past few years, and they continue to do so. Several updates in recent months have changed Defender's functionality, making it more effective. While technology advances and tools like Defender improve, the skills of hackers and their tools also evolve. This necessitates continuous improvement to keep pace.

Adaptability to evolving threats is crucial. A static system is vulnerable to attack. Its unchanging vulnerabilities can be readily identified and exploited, allowing unauthorized access and manipulation. Constant improvement is necessary to maintain security.

While we have reduced our reliance on other products, we haven't eliminated them at this time. We are actively reducing our use of other products as we progress. Once we have completed the configuration and setup process for Defender XDR, we can then fully transition to using it as our primary product.

Defender XDR has saved our security team approximately two hours per day. Automation is improving steadily, allowing us to automate audit file processing and scheduling. This provides us with continuous insight into our environment. The main page offers a high-level overview of current activity, enabling us to quickly identify any anomalies. Our security team can then address these anomalies promptly.

The threat intelligence is excellent. Email collaboration is very good. Device protection is useful. Overall, 90 percent of Microsoft Defender XDR is used weekly, primarily for email collaboration.

Advanced attacks could use an improvement.

I have been using Microsoft Defender XDR for almost four years.

I would rate the stability of Microsoft Defender XDR a nine out of ten.

Microsoft Defender XDR is scalable and we are planning to increase the usage.

The Microsoft technical support I used in the past was quite good. They were typically responsive and efficient, providing solutions quickly. However, I haven't needed their assistance in the last year, so I can't offer an updated assessment.

Our past experience includes Sophos, Check Point, and ESET. We briefly utilized SentinelOne as well, but ultimately opted for Microsoft Defender XDR. We had Defender included in our purchases but it wasn't being utilized fully until I fine-tuned and set it up to work more efficiently.

I would rate Microsoft Defender XDR an eight out of ten.

We require three people for maintenance.

We have Microsoft Defender XDR deployed across multiple locations, roles, and teams.

Before implementing Microsoft Defender XDR, ensure that all the features will be utilized otherwise it is more cost-effective to go with a smaller package that includes only the features needed by the organization.

We use Microsoft 365 Defender to protect our privacy.

Microsoft 365 Defender's XDR platform provides identity and access management which is important for our organization.

Microsoft 365 Defender's security extends beyond Microsoft technologies, which is important to our organization.

The multi-tenant management capabilities are easy and the support is 24/7.

It has helped save us approximately USD 1,000 per month.

Microsoft 365 Defender has helped save our security team time.

The most valuable feature is the network security.

Since all of our databases are updated and located in the cloud, I would like additional support for this.

I have been using Microsoft 365 Defender for almost four years.

Microsoft 365 Defender is stable. The only downtimes are scheduled by Microsoft and we are provided with advanced notification to prepare.

Microsoft 365 Defender is scalable.

Technical support is one of the reasons we chose Microsoft 365 Defender.

Positive

The initial deployment is easy. Microsoft 365 Defender is plug-and-play. The deployment takes a maximum of one day.

We also evaluated Kaspersky and Trellix XDR but found that Microsoft 365 Defender had additional features that met our needs and their support was better.

I would rate Microsoft 365 Defender nine out of ten.

We mainly use this solution for security reasons. We use it for the complete stack of email security so we don't have to use a third-party tool, and we use the extended security features that are included in M365, like sandboxing.

The solution is deployed on the Azure cloud. We're a cloud-only company, so we only deploy cloud workloads, but we also have customers with legacy systems. If we're not able to migrate them to Azure, Defender for the server can be deployed on-premise.

The solution is deployed across Germany in four regions: Munich, Cologne, Bremen, and Hamburg. However, most people work from home.

There are about 50 endpoint users, but we have customers with thousands of users. We focus on customers with a thousand seats or more.

We use the entire M365 E5 license for everything that's going on in the M365 world. We try to accomplish everything we need with Microsoft products.

It was very easy to integrate the solutions. We integrated them so we could have an overall good view of our assets. The installation was fully automated via Intune.

Overall, the solution has decreased our time to detect and respond. If there is any issue, it's not complicated to get the information we need and respond quickly. We offer managed services to some customers, and we have a very clear view of what's going on in their security environments.

One of our main focuses is IT security. This solution has a huge impact on how we use tools and what we do in IT.

One of the biggest points is that Defender is included in the license. It's integrated fully into the M365 world. There's no need to have a third party, which is more complex and includes additional costs. Especially because we're partners, it's very good to have 100 free licenses. We're able to distribute all the information to our customers and integrate it into our projects in a very streamlined way.

We saw all of these benefits instantly. It's different with customers because they are often heterogeneous in the software they use. There's a little bit of explaining and promoting, but it's a huge benefit for most of our customers when they understand that they can have a centralized view of all these security topics. If we are able to deploy the solution to new customers, the benefits are realized in about six months because we have to train them and implement all of the security.

The solution helps with finding high alerts. I wouldn't say it helps with automation because we are piping the problem into the Jira automation, so our managed service kicks in. I would say that it's half-automated.

It helps save time when it comes to the operation and receiving information because we don't have to skip around with different products and customer situations.

This solution enabled our security operations. The legacy approach, in which the tools are in place and someone occasionally checks them, is not secure as it's meant to be today. 

It eliminates the need to look at multiple dashboards and gives us one XDR dashboard. The consolidated dashboard helps our customers get a faster view, which wasn't possible with the former solution.

The solution's threat intelligence helps us prepare for potential threats before they hit and to take proactive steps. Our security team is able to work well with it, and a lot of information is getting to our internal users. We distribute everything we learn to our customers.

Sentinel enables us to ingest data from our entire ecosystem because we're cloud-only, so there is no other architecture to monitor.

I would say the logging and analyzers are about 80% of our security operations. The ability to have a clear view of the security information is a big win. For legacy implementations, it's normal to have the security installed but not be able to monitor, detect anything, or get the information to the right people.

For the most part, Sentinel enables us to investigate threats and respond holistically from one place. Today, there are different views, different websites, and different portals to use in order to drill down and get to the real problem. It's a good starting point.

I like the easy integration and advanced possibilities. We can implement it at customer sites in a few clicks, but we can also dive deep and drill down to extended features. There's a very good starting point to get into this product and all the features from Defender. We use Plan 1 for email security because it's a common vector for phishing and attacks. The Plan 2 version goes more into advanced features and logging, which we also use for our internal security operations center.

The solutions work natively together to deliver coordinated detection and response across our environment by about 80%. There should be something to get a consolidated view, which doesn't exist at the moment. We have a known tool in place to consolidate all the information into one view for us. That would be a perfect function to have in the future.

I have more than 15 years of experience in IT security, so I have a very good understanding of the tools we need for a use case. I think the documentation helps us and all of our customers comprehend the product. For cloud products, it's normal that something new today is almost outdated tomorrow. Company-wide, we have a very good view of all these products, and we're very firm in deploying them.

I would like more of the features in Defender for 365 to be included in the smaller licenses. Even if I buy a small license and don't need everything, security shouldn't be a question. Security is one of the main aspects of all projects from our side, so it would be nice to have more features in the smaller licenses.

I would also like a more aesthetically pleasing dashboard. For German customers, it's important that the solution is in German. Multi-language support should be in all the features if possible. In many projects, we want to use digital signatures on emails. It would be perfect to have better integration of digital signing in a standard way.

In the last few months, the dashboard changed very often. When they restructure it, it's a little bit painful. Otherwise, the technology is very helpful.

The visibility into threats could be better. For the last six months, getting information from the access points has been difficult. However, the newest version fits very well. It's easy if you've found the right spot to view what's happening.

For legacy organizations or legacy customers, I would say it's possible to save time, but time-saving isn't always the best with security because it needs to be deployed and managed.

It can be installed quickly, but it takes time to check out false positives, have everything in place, and train each end user.

We have been using this solution for five years since our company started. The solution had a different name, but we have been using it since it's been available. We use company-wide E5 licenses.

The solution is stable.

We haven't had any scalability problems.

I haven't had a lot of contact with technical support.

For my personal project, I used many other legacy projects, but not at my company. We aren't selling anything other than the new Microsoft solution at the moment.

The solution doesn't require any maintenance.

We have seen ROI in project situations because we removed legacy email gateways and legacy antivirus on-premise solutions.

I would like to have more security features in the lower licenses because not every customer is able to buy E5 licenses. The bundling isn't always easy for our customers to understand. Compared to other tools, it's a good price.

I would rate this solution as eight out of ten. 

My advice to those who are looking to implement this solution is to get help from the right company so you can use the solution properly.

Defender helps us prioritize threats, but I would say it's a combination of all the information that we're getting from the internet and from other resources.

To a security colleague who says it's better to go with a best-of-breed strategy rather than a single vendor security suite, I would say that it depends on the customer. If someone has their own VSOCK implemented and many security guys on board, then maybe best-of-breed is what they need. 

If someone is a classic customer who doesn't know a lot about security, then they should stick to a one-vendor strategy.

Our primary use of Microsoft Defender XDR is for threat hunting and monitoring potential threats entering through email and URLs. We use the full suite, including Defender for Endpoint, Defender for Office 365, and Defender for CloudOps, especially now that we have upgraded to M5.

Microsoft Defender XDR has significantly improved our operational security. We've observed a notable decrease in click rates since implementing attack simulations, and the overall response to these campaigns has been positive.

Since activating the M5 feature set, we have observed a decrease in malicious clicks and faster incident alerts.

The Email Explorer feature has proven invaluable, offering a broader perspective than automated alerts and incidents alone. Its comprehensive view has simplified the process of targeting and identifying specific threats, including those initially missed but subsequently flagged, enhancing our overall threat detection capabilities.

Microsoft Defender XDR could be improved in terms of speed, especially backend speed. Additionally, some of the automated workflows in Intune, particularly the zero-hour purge, do not always trigger promptly.

I have been using Microsoft Defender XDR for two years now.

Microsoft Defender XDR has maintained high stability despite various service alerts. These alerts are targeted and informative, clearly indicating any potential functionality issues. The service has remained consistently online, with any issues isolated to specific components, suggesting a well-designed and modular architecture.

Our company has not experienced any scalability issues. As a medium-sized XDR company, scaling has not presented any challenges.

The technical support from Microsoft Defender XDR has been disappointingly slow, to the point that I am considering not renewing my unified support contract. However, I have not yet made a final decision.

Negative

We previously used Mimecast for email and Cylance for endpoints. We did not have any solutions for cloud apps. We switched to Microsoft Defender XDR because we already had the licensing for it, and it did not make sense to pay twice for a similar product.

The initial setup of Microsoft Defender XDR was straightforward, and we have not encountered any deployment issues. It was easy to manage with the bundled features.

We did not use an integrator, reseller, or consultant for the deployment of Microsoft Defender XDR. Most of the deployment was done in-house.

Ever since we turned on the M5 feature set back in June, we have seen a reduced number of potentially malicious clicks and faster alerting when incidents occur. It has improved our security posture.

The bundling of software makes it easier to manage our setup, but Microsoft purposefully obfuscates this through marketing ploys to hide costs. Although this can be challenging, ultimately, it simplifies budgeting.

We evaluated several options before switching to Microsoft Defender XDR, but ultimately chose it due to cost-effectiveness, as its features were already included in our existing license, though previously unused.

I would rate Microsoft Defender XDR an eight out of ten. I believe it is underrated by many, and some companies miss out by not knowing how to configure it properly. Microsoft's pricing makes setups difficult to manage, but the overall value is significant.

It is a universal security tool across our organization, catering to staff members using standard laptops and PCs. Currently, we employ an in-house solution built upon a smaller product from a Finnish company.

Although it integrates with Microsoft AD, our solution remains somewhat proprietary as we've independently implemented and tailored it to our specific needs.

We do not leverage the multi-tenant management capabilities of the solution. In our scenario, we operate as a single organization, allowing us to utilize a straightforward, single-setup approach.

The identity protection offered by the solution has proven highly effective for us because we developed it in-house. Crafting it ourselves has allowed us to seamlessly integrate all of our specifications with the solution within a relatively short timeframe. 

The significance of using the identity and access management integrated into Microsoft 365 Defender cannot be overstated, as it is vital for the proper functioning of the product. While it is crucial, the available functionality might not be entirely sufficient. We have opted for our in-house solution to complement and address the additional requirements.

It empowers us to phase out the use of other security products.

Its most significant advantage lies in its affordability. Being an integral part of the Microsoft Stack, it comes with a cost-effective package. Especially for higher education, there's an appealing pricing structure.

The management features could be improved, particularly in terms of better integration with Intune, Microsoft's cloud-based management solution. Enhanced integration would contribute to a smoother user experience, and ease of use is a key aspect that could benefit from such improvements.

We have been using it for approximately four years.

It has demonstrated exceptional stability, with no concerns or complaints on my end.

It exhibits sufficient scalability for our specific needs.

We utilize extended support for Microsoft's stability, and the quality is excellent.

Positive

Within our network, we incorporate Cisco products, utilizing various security features and functionalities offered by Cisco. For instance, our firewalls are implemented using Cisco technologies. This adds diversity to our security landscape, as Microsoft alone may not cover all our security needs.

It has been implemented across various locations, spanning our three campuses and multiple departments. Maintenance is handled by a team of four people.

It didn't contribute to cost reduction. Our expenditure has maintained a consistent level, with little change over the years, aside from factors like inflation.

Using it has resulted in time savings for our security team. Currently, the team comprises approximately four individuals working with these technologies, equating to a total of four times thirty-seven hours per week.

It has consistently offered highly appealing academic pricing, with distinct rates for higher education and general educational purposes. This differential pricing is a significant factor and it influenced our choice to use Microsoft products.

Overall, I would rate it nine out of ten.

We provide MXDR services. Initially, they are professional services such as setup and deployment, and then after that, we provide Day 2 services, which include working on the incidents and alerts the products generate, determining which one is a true positive and which one is a false positive, taking response actions, and maintaining a steady state.

We are expanding use cases with Defender for IoT integration. Now that the E5 license includes the enterprise IoT sensors, we are getting more of that telemetry to our SOC. Because most SOCs do not have that telemetry, it is something that we have had a couple of clients invest in. 

In terms of our in-house usage of this solution, there is not a lot of in-house infrastructure when it comes to workstations and things like that. As a security company, we are pretty infrastructure-light.

It helps with the well-rounded investigation where it does the automated investigations and does a lot of enrichment for you, so the SOC analyst does not have to play run and go fetch as much. They can go deeper into an investigation in a shorter amount of time.

It does not necessarily provide unified identity and access management. Most of that comes from Entra ID, but it absolutely provides security visibility. For identity protection, the combination of Azure Identity Protection and Defender for Identity in the same place is the most powerful part because it is your on-prem identity world and your cloud identity world. Those two things are connected in most environments. Most of the people who have issues or most Microsoft customers have hybrid environments. That means they have two IMs and a bidirectional trust. One is the old-school one, which is Active Directory, and that lets everybody in with a username and password, whether you are good or bad, and then the newer one is the one that has conditional access, and that is Entra ID. Most corporate environments have both, so you have all of the weaknesses of both systems in one nice little package. From a defensive monitoring standpoint, we get a lot of cases, and most clients have that situation. Most clients that we see for incident response, and who are dealing with whether they are going to have our business online tomorrow, are in that hybrid situation.

In terms of covering more than just Microsoft technologies, most of 365 Defender is focused on its own technologies. There is that extensibility to be able to bring in threat indicators. The Zeek integration in Windows provides a lot of functionality, but most of the time, when we are getting that third-party signal, it is via a SIEM. That is where we go look for that third-party cross-correlation signal. The XDR signal is in that 365 Defender portal, and using things like custom detections is helpful there, so you can do SIEM-like functionality, but not on a third-party data set. This third-party correlation is the logical place for Sentinel. Some of the federated search between the two and being able to see both datasets in both places relieves that pain. The vast majority of our MDR clients are using 365 Defender and Sentinel, but there are definitely people who have E5 licensing but still have QRadar, Splunk, or something like that. Sometimes, we have somebody who starts with just 365 Defender but has a Sentinel adoption plan because they have a year left on their QRadar contract. The cool part about Sentinel is that it is software as a service, so you can start small and then add to it. You can start with what we call Sentinel Light, which is basically just the free data connectors. A lot of times what people do is that they have E5 licensing in their contract, and they start with 365 Defender. They then start with free data sources in Sentinel and incrementally add server logs or Palo Alto logs as their budget allows them.

365 Defender has enabled us to discontinue the use of other security products. There is always realization in terms of whether we still need, for example, Tenable agents with 365 Defender TVM. The answer is probably not. Normally, it is building out that process where we are going to remove Tanium because we now have Intune, so everybody has that adoption roadmap. Typically, you go for the things that create the least amount of friction when you are going through that adoption roadmap and you save the things that are going to be painful, such as DLP, for the end. It is always about dollars. When it comes to security budgets, potentially, you are replacing five to six line items on your security budget with one. I have been getting extra functionality on top of it for Teams and things like that. When you make the business case to the decision-makers and you get all of the information at the table, it is normally a pretty overwhelming case.

The savings depend on what their actual spending is and how many other security vendors they are purchasing. For most information security professionals, half of their day goes into vendor meetings and maintaining those vendor relationships. You have active relationships, contract relationships, etc. You have all these different relationships, and you have to go out to their conferences, their dinners, and things like that, so you end up dealing with vendors all day instead of actually doing the work. There are two types of costs. There is that hard cost, which is pretty easy to define, and there is also that soft cost of what if you had this common security fabric that you could take, customize, and then add to it. That is what the Microsoft security play is. Instead of bolt-on security, it is built-in security, and then you can still add to it. You can still add custom tools like Velociraptor and all the other tools that complement the Microsoft security suite, but what you do not have to do is play with vendors all day and do the bolt-on security play, which is, "Install our agent and everything will be good. There will be 99% ransomware protection." That is not how real life works.

It saves time and brings operational efficiency. As threat hunters, looking for an initial compromised assessment, going into a SIEM, and looking through a SIEM can take a lot of time. With 365 Defender, I can run four or five queries on you, and if they light up, I know you have problems. If they do not light up, you are probably alright. It is about being able to get there relatively quickly and assess the situation. Should we go ahead and send out the notice and call the general counsel, or is this just a little thing we need to run down and keep traps on? The time saved depends on where they are coming from. If it is a relatively old school company that has got an old school SIEM, and then they have a next-gen antivirus and a separate EDR solution, they could be doing 100% manual investigation, so it is saving them 300% because the chances are that they were not even investigating all their alerts. 

The ability to hunt that IM data set or the identity data set at the same time is valuable. As incident response professionals, we are very used to EDRs and having device process registry telemetry, but a lot of times, we do not have that identity data right there with us, so we have to go search for it in some other silo. Being able to cross-correlate via both datasets at the same time is something that we can only do in Defender 365. We do not get it in the other products.

From an integration standpoint, it is always improving overall. With Security Copilot coming out, as partners, we are waiting for the GDAP support so that we can actually see Security Copilot on behalf of customers if they subscribe to it. I assume that will happen in the next couple of months, but there have been smaller improvements like that. I started with the Defender ATP product back in 2019. In terms of where it started versus where it is now, it is very different. A lot of the automated defense capabilities for auto-remediation and the threat and vulnerability management features that are coming out are the most exciting because they answer that CISO question, which is, "How covered am I for ransomware?" Most of the time when people answer that question, it is a very generic answer. They can look at the top twenty methods that most ransomware groups are going to use to see how protected they are, but they are probably not going to do that well, or they are pretty secure, and they are probably going to do pretty well. It gives more of that real-world experience that most people do not have. 

We have been using this solution for about four and a half years.

From a partner standpoint, typically, we do our best not to contact support. We are very sensitive about how we spend our time. The more time we burn on something, the less profitable we are. Normally, playing kick-the-ticket-around in any support organization does not help, so most of the time, our engineers can arrive at some type of solution without engaging anybody else. If we do have a hard blocker that is well-defined and well-documented, we typically escalate that through the product team and not through the support channel because the more time we spend on the phone with support, the less we believe in our overall relationship, so we just avoid that activity, and we feel good about the relationship.

We definitely have had some major instances with large customers where something bad was happening and they needed immediate resolution, but they did not even get a callback for 48 hours. When you are in the middle of that relationship just doing the SOC servers, you wonder why you are getting 300 attack alerts in an hour. You then escalate and call everybody inside of Microsoft. You blow up the horn right on Friday because these things always happen on Fridays. It is a bad situation for everyone. The one thing that I have learned especially with MDE is that most of the time, the people who can fix your issues are in Tel Aviv. A lot of times, if I put an entire well-documented explanation together and drop it in Teams to somebody, I will get a response at 2 AM, so the next day, I will check my messages first thing, and a lot of times, it is like, "That issue is fixed now." I know where I need to go when I need to get things solved, but calling any help desk, including our own internal help desk, does not work. 

In the right context, Microsoft's support can easily be a seven or an eight out of ten adventure. In the wrong context, it can easily be a two or three adventure. It is like rolling the dice. Sometimes they come up with snake eyes, so it is all about expectations.

I also deal with Azure a lot because most of the time, I am responsible for our backend systems. We are rebuilding our entire platform in Azure. We did a greenfield build, so I am teaching a lot of Java developers on Azure. Their default answer when something does not work is that Azure is broken. I know that Azure is not broken. They are doing it wrong. I then show them, but their general thought is, "Why don't we just open a ticket with Azure support?" My response is, "Why do you want to wait three hours for them to tell you the same thing, which is, that you are doing it wrong?" A lot of it is engineers learning. If they have the appropriate exposure and investment in education, it helps with digital transformation, but it also helps with security transformation. A lot of times organizations buy things and then tell their engineers to implement them. Nobody bothered to send them into training first, so they are doing their best with the information they have. They did not send them to Microsoft Ignite. They did not send them to any of the great local resources. We have all these different meetup groups where you can see the difference in people. You get to know who is succeeding with Azure or succeeding with Microsoft Security. When you get stuck, you know whom to call and ask how to do something because you are not able to figure it out even after wasting six hours. You can ask them to at least point you in the right direction. That is a better solution than calling an 1800 number because it is going to be more focused and more prescriptive.

We support a couple of other security vendors as well, which always gives us a great comparison to how they are doing. It is the difference between holistic security and non-holistic security. You get one set of data. It could be a good set of data, but it is not mixed with the other data points. When you got an email alert here, and then you got an identity alert, and then you got an EDR alert, and then you got the domain controller alert, you can go through that entire kill chain versus those separate technologies. With separate technologies, you are going to spend an hour and a half putting that story together, and chances are they are already on ten different servers by now, so you are behind the gun. You know the story, but now, you have a bigger story because it just blossomed over there.

In terms of comparison, there are quite a few other XDR products, and all of the XDR products suffer from the same kind of challenge, which is—they are only as good as the data they have available. For instance, if you are a 365 Defender shop, but you are using Okta, a lot of that identity information is not flowing through 365 Defender. It is flowing through Okta, so it is 60% to 70% blind. Trend Micro has its XDR solution, but if you do not have all the things deployed, and you only have 30% of the things deployed, you are looking at 30% percent of the data. That is one of the key components. When we deal with an IR situation, we have a lot of people who are like, "We have E5. We deployed Defender for Identity. We deployed Defender for Endpoint to some of the endpoints, but not all of these servers yet because that is scheduled for next year." In such scenarios, we have limited visibility. We can see certain things, but those other alerts tell us some other things are going on on some endpoints that we cannot see. That is the situation that you have to solve rather quickly, so halfway-done deployments are the issue. When we see them, we know why they are calling us because it was always bound to happen. It is then that classic situation where they will have to do it all in two days on Saturday and Sunday. They will have to completely redo it and finish off that deployment because this is what they needed to do for threat eradication.

I have helped clients deploy it. I have helped a little bit with the internal deployment. We do not have that much infrastructure. Most of our infrastructure is containers, and 365 Defender does not come into play. That is mostly the Defender for Cloud Storage.

In terms of the time it normally takes for different users to get fully deployed and functional with the solution depends on the users and the infrastructure. Those are two different things. For humans, typically those enablement sessions can go in a matter of weeks, and then it is also a matter of the client investing some of their own time in their own lab and things like that because you are never going to learn a tool unless you get hands-on with it. Watching me work on it is not going to teach you that much. You have to work on it, and then because Microsoft security is a holistic security and not a bolt-on thing, you are also dealing with some tech debt at the same time. If they have had 2012 servers and they have not updated those servers in eight years and there are no security patches, you will have to resolve some of those dependencies before you can onboard those servers to Defender. It is not Defender's fault. They should have been patching those all the way anyway. That is according to the best practices, but they were not, so now you will have to wait three weeks for the server team to update these and then you onboard them to Defender. Every corporation has different change controls. If it is a small corporation with only four or five thousand endpoints, there are probably three or four guys who can pretty much do whatever they need to do. A big corporation with a hundred thousand endpoints will have to put that through change control and then four people have to sign off in blood. It is a much bigger thing and lots of paperwork has to happen.

Normally, a good accelerator project takes three to four weeks. That includes going through the basics, making a deployment plan, doing a test group, and then validating that all of those policies are going to work in the environment. One of the big advantages that changed just in the last year is the built-in configuration management. When I initially started with 365 Defender about four or five years ago, we had a problem where a lot of people would run the onboarding packages but forget to deploy the policy, so it did not work as well as it could. The difference those other platforms had was that they had built-in policy management, so you make your settings and apply them to your group of endpoints, but now, it is there in Defender. Previously, with Defender, we had nine different ways to do it, such as configuration manager, registry, and PowerShell, and clients struggled with that because none of the options were perfect for all their endpoints. With the built-in configuration management, you have that feature parity now. You can do built-in policy management for Windows, Mac, and Linux endpoints, and that speeds up deployments. As the deployment engineer, you do not have to say, "Here is the list of ten different options. Let us select which one is going to work for which group of devices." Now you can just say, "We have a good solution. It is probably going to work for about 99% percent of your devices. You might have a few offline servers or old Linux servers. We will have to do a slightly different custom solution for them, but we have a 99% solution. Let us go ahead and get started on it," and that is very good because you do not necessarily lose the room when you are explaining it to your security team members who never had to do something like that. You can just say, "We have a solution here, guys. We are good."

When we go through all of the information security training, typically, we are trained on other systems, so there is a learning curve for most information security professionals. If there is executive sponsorship to say, "We are going to invest in learning our Microsoft security tools so that we get maximum bang for our buck out of them," that typically goes very well. Microsoft has programs, such as accelerators and the ESIS programs, that enable partners to guide that mission. 

Our deployment engineers have done the Sentinel and 365 Defender deployments for four or five years. They work on these projects all day and every day. A lot of time, they are just helping other people who are doing their first project and saying, "Oh, you probably do not want to load it on these servers.", or "This is the shortcut for this issue." They are just guiding them on that process and helping them avoid some of the mishaps and things that people normally struggle with. Once you get them fully deployed, the ROI starts showing up daily. It is just a matter of getting them to that steady state versus that halfway-done state because a halfway-prepared defense never performs well in combat.

I would rate 365 Defender a nine out of ten. It is a very powerful tool. My favorite gig is explaining it to other incident response professionals and saying, "Now that the customer has an E5 license, and this is all deployed, let me show you this. You run this query, and you bring all of this stuff back. This is how you create custom detections that will automatically isolate things if anything jumps off on this device." I can explain that in a two-hour crash course. If you can explain it the right way to other professionals, they end up realizing how powerful it is. It works great.