We use Defender XDR to monitor our network. We use it when we analyze email and check endpoints.
SOC analyst at a computer software company with 1,001-5,000 employees
Good incident graphs and vulnerability scanning but AI needs to improve
Pros and Cons
- "It reduces the risk of users accidentally clicking on phishing emails."
- "The AI could be improved. As an analyst, I want to be able to interact more with AI. The AI simply sends summaries. I can't ask it, for example, if it has seen any suspicious activity with device two. I have to go and check device two for myself."
What is our primary use case?
How has it helped my organization?
XDR is our second solution. We have two. We have it in basic mode as an antivirus and as an XDR. We use the DLP in our company as well. We can look at threat intel for vulnerabilities, and we check to see if vulnerabilities are present within our environment. We do that through Defender. It's useful for threat hunting.
We have it integrated with Sentinel and we manage our incidents from Sentinel. We can do a detailed analysis of what actually happened, and it gives us the ability to log in remotely on devices. For example, if you have a problem with your PC, one of my colleagues can take the file from the PC remotely. As long as you have permissions as an administrator you can do that. Otherwise, you can create an incident and escalate it to the right admin.
The file analysis is helpful. When we have phishing emails Microsoft itself can analyze the file in the sandbox and then give you a detailed report. It's helped us respond better and increased the security of our organization.
What is most valuable?
I like the attack graph of each incident. It's really handy, and there's a summary. For example, you can see what had happened with a timeline. And if you go to investigate, the evidence will be there, including the users and devices. Copilot is integrated there as well. With just one click, you have a summary of what to do and the next steps. For young analysts, it is quite helpful.
You can have security administrators or global administrators. You can set up different permission structures outside of Defender.
The solution's security extends or covers more than just Microsoft technologies. Linux machines can be used, for example. It is possible to install an agent for Linux so you can also monitor Linux machines.
Apart from having everything within the same console, you have alerts.
The attack disruption capabilities positively affect our security operations. We can integrate with third parties. If an email comes in with a file attached, Microsoft's intelligence would be able to tell if it's a phishing scam, and it can automate the deletion.
We do educate and train our users; however, it provides an extra security layer that catches suspect emails. It reduces the risk of users accidentally clicking on phishing emails.
The solution adapts to evolving threats. It's a next-generation solution. The machine learning and AI are integrated. With the help of machine learning, it can block quite a bit of suspicious activity.
It offers multi-tenant capabilities. We have four different tenants, and for each, we have a different console, so I don't directly deal with multi-tenant capabilities; however, it is possible.
We do use the solution with a variety of others. We haven't reduced the number of other products we use for security. However, it's quite handy. It blocks a lot of malicious attempts. Nothing really gets by it. The automatic incident response and protection have kept us very safe, even though we do have other backups there on offer as well.
We've saved a lot of time with the automated detection. It reduces the time we need to respond and react. We've saved maybe 30% to 40% of the typical amount of time it would take, thanks to automation. For example, if a phishing email goes to the XDR and we had to do an analysis and a report, that alone might take 20 minutes to an hour. Then, we have to remediate, delete and block. With automation, we can save those 20 minutes to an hour. The process is automatic, so we don't have to manually do it. Also, if you have a bunch of suspicious domains or IPs, it will take time to manually go through everything, one by one. However, we can automate the blocking process and save ourselves a lot of time.
What needs improvement?
The AI could be improved. As an analyst, I want to be able to interact more with AI. The AI simply sends summaries. I can't ask it, for example, if it has seen any suspicious activity with device two. I have to go and check device two for myself.
Buyer's Guide
Microsoft Defender XDR
February 2025

Learn what your peers think about Microsoft Defender XDR. Get advice and tips from experienced pros sharing their opinions. Updated: February 2025.
841,152 professionals have used our research since 2012.
For how long have I used the solution?
I've used the solution for 15 months so far.
What do I think about the stability of the solution?
The solution is quite stable. I'd rate stability eight out of ten.
What do I think about the scalability of the solution?
We have 15 to 16 people using the solution in my organization. Then we have users on various Microsoft accounts. There may be 50 or more users in total. We have the solution spread across multiple locations.
It's a scalable product.
How are customer service and support?
I've had colleagues mention that they were very pleased with Microsoft's support. Once you open a ticket, the response you get is usually within an hour or two.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I do use different solutions. Microsoft is very good compared to other market leaders. It's a leader itself. I've used CrowdStrike, for example, and I'm familiar with Zscaler.
How was the initial setup?
My understanding is it is quite easy to deploy the solution. Between deploying the agent and the initial installation, it may take one to two hours. Then, of course, you have to customize the product. However, as a SaaS product, it's very easy to deploy. I'm not sure if any ongoing maintenance is needed after deployment.
What's my experience with pricing, setup cost, and licensing?
I don't have visibility into the pricing. However, Defender is included in the price of a larger bundle. As a Microsoft customer, it's my understanding that users can access discounts.
What other advice do I have?
I'm a Microsoft customer.
I'd advise new users to try a proof of concept. Before the solution is implemented, figuring out the grouping will be very important. You'll want to implement policies based on groups, so they need to make sense. For example, it would be easy to create a structure based on departments.
I'd recommend the solution to others. Microsoft is quite handy. You can get a full overview of your vulnerabilities, which makes investigations easy.
I'd rate the solution seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jun 18, 2024
IT System Security Analyst at a tech services company with 1-10 employees
Easy to configure and customizable with good threat protection
Pros and Cons
- "You can configure the product very easily."
- "The solution can improve the rules and privileges it offers."
What is our primary use case?
I'm using the solution for security.
How has it helped my organization?
Previously, we weren't using anything and now we can configure privileged access and rules. We now operate in a more secure environment.
What is most valuable?
It's great that it's a cloud solution. You don't need to worry about physical hardware.
You can configure the product very easily. It's simple to implement and easy to run.
The XDR platform provides unified identity and access management.
We only use it to cover Microsoft products; it works really well.
365 Defender stops lateral movement of advanced attacks, like ransomware or business email compromise. It protects us from spam and ransomware.
So far, we haven't had any attacks. It also allows us to adapt to evolving threats.
We use the solution's multi-tenant management capabilities. It's easy to access and helps with investigating and responding to threats across tenants.
With Microsoft, we get multiple services under one platform.
With Defender, we've been able to reduce costs. We've likely saved around 25% in costs so far. We've also been able to save time - around 10% to 20%.
You can customize the product based on your requirements - and everything is available under one platform.
What needs improvement?
The solution can improve the rules and privileges it offers. They need to be more transparent with changes. Often, changes come too rapidly.
For how long have I used the solution?
I've been using the solution for seven months.
What do I think about the stability of the solution?
The solution is a stable product. I'd rate it nine out of ten.
What do I think about the scalability of the solution?
It's scalable. I'd rate the ability to scale nine out of ten. You can scale according to your needs.
How are customer service and support?
Support is very good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I also use SentinelOne and Splunk. Microsoft Defender is easy to implement and is user-friendly. Splunk, however, is not user-friendly.
How was the initial setup?
The deployment is easy.
We have 20 to 30 people working on the solution.
There isn't really any maintenance needed.
What's my experience with pricing, setup cost, and licensing?
The pricing is reasonable. It's cheaper than other options.
What other advice do I have?
I'm a Microsoft customer.
I'd rate the solution eight out of ten.
I would recommend the solution to others.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jul 1, 2024
Chief Information Officer at a university with 501-1,000 employees
Robust security with seamless integration into the Microsoft ecosystem
Pros and Cons
- "Its most significant advantage lies in its affordability."
- "The management features could be improved, particularly in terms of better integration with Intune, Microsoft's cloud-based management solution."
What is our primary use case?
It is a universal security tool across our organization, catering to staff members using standard laptops and PCs. Currently, we employ an in-house solution built upon a smaller product from a Finnish company.
Although it integrates with Microsoft AD, our solution remains somewhat proprietary as we've independently implemented and tailored it to our specific needs.
We do not leverage the multi-tenant management capabilities of the solution. In our scenario, we operate as a single organization, allowing us to utilize a straightforward, single-setup approach.
How has it helped my organization?
The identity protection offered by the solution has proven highly effective for us because we developed it in-house. Crafting it ourselves has allowed us to seamlessly integrate all of our specifications with the solution within a relatively short timeframe.
The significance of using the identity and access management integrated into Microsoft 365 Defender cannot be overstated, as it is vital for the proper functioning of the product. While it is crucial, the available functionality might not be entirely sufficient. We have opted for our in-house solution to complement and address the additional requirements.
It empowers us to phase out the use of other security products.
What is most valuable?
Its most significant advantage lies in its affordability. Being an integral part of the Microsoft Stack, it comes with a cost-effective package. Especially for higher education, there's an appealing pricing structure.
What needs improvement?
The management features could be improved, particularly in terms of better integration with Intune, Microsoft's cloud-based management solution. Enhanced integration would contribute to a smoother user experience, and ease of use is a key aspect that could benefit from such improvements.
For how long have I used the solution?
We have been using it for approximately four years.
What do I think about the stability of the solution?
It has demonstrated exceptional stability, with no concerns or complaints on my end.
What do I think about the scalability of the solution?
It exhibits sufficient scalability for our specific needs.
How are customer service and support?
We utilize extended support for Microsoft's stability, and the quality is excellent.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Within our network, we incorporate Cisco products, utilizing various security features and functionalities offered by Cisco. For instance, our firewalls are implemented using Cisco technologies. This adds diversity to our security landscape, as Microsoft alone may not cover all our security needs.
What about the implementation team?
It has been implemented across various locations, spanning our three campuses and multiple departments. Maintenance is handled by a team of four people.
What was our ROI?
It didn't contribute to cost reduction. Our expenditure has maintained a consistent level, with little change over the years, aside from factors like inflation.
Using it has resulted in time savings for our security team. Currently, the team comprises approximately four individuals working with these technologies, equating to a total of four times thirty-seven hours per week.
What's my experience with pricing, setup cost, and licensing?
It has consistently offered highly appealing academic pricing, with distinct rates for higher education and general educational purposes. This differential pricing is a significant factor and it influenced our choice to use Microsoft products.
What other advice do I have?
Overall, I would rate it nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Sr enterprise compute and storage engineer at a university with 1,001-5,000 employees
Offers robust security coverage for diverse use cases while demonstrating high stability and support efficiency
Pros and Cons
- "The most valuable aspect is undoubtedly the exploration capability"
- "It would be beneficial to have a more seamless experience with everything consolidated in one place, particularly when dealing with aspects related to the Exchange console."
What is our primary use case?
Our main use cases include securing critical university services and establishing a research tenant for researchers to store and manage their findings across both everyday machines and dedicated research spaces. It involves dealing with malware and managing server security through tags. Additionally, a significant portion of our work involves exploring and investigating emails using the Explorer tool. It is well-suited for addressing these scenarios and ensuring robust security measures.
How has it helped my organization?
It enables us to respond to incidents more swiftly, pinpointing root causes with greater speed. Retrieving emails is now a much smoother process compared to the previous method using PowerShell. With Explorer, it's a more straightforward and visually intuitive approach, eliminating the previous concerns associated with Query Drive and reducing any associated anxieties. It allowed us to phase out the use of other security products entirely. Initially, we managed this transition through SXM, and later migrated it to the online version of Defender. It has had a notable impact on the operations of our security team. We've had to reshape our procedures, particularly focusing on alerting. There has been a significant upskilling effort, shifting from the previous model where Cisco admins primarily dealt with alerts within SSC or through email.
What is most valuable?
The most valuable aspect is undoubtedly the exploration capability. Given that we are consistently engaged in exploration, constantly seeking reasons for message delivery issues and searching for malicious attachments, the Explorer feature stands out as the primary and most beneficial tool for our needs.
What needs improvement?
I'd like to see more integration with various components. While the ecosystem is quite impressive, there's a noticeable back-and-forth between the Defender console and the Exchange console. It would be beneficial to have a more seamless experience with everything consolidated in one place, particularly when dealing with aspects related to the Exchange console. Currently, we rely on a third-party service for the majority of our IAM needs. The data center extension of security coverage has proven to be highly significant for us. Given our extensive use of Linux and third-party applications, having the capability to monitor these aspects within the Defender console would be immensely valuable.
For how long have I used the solution?
I have been using it for four years.
What do I think about the stability of the solution?
The stability is quite high. Despite various outages, we've experienced consistent reliability.
What do I think about the scalability of the solution?
Scalability is indeed very impressive. We can deploy resources globally with just a few clicks, and the use of Terraform to create VMs adds a fast and efficient dimension to the process. In terms of end-users, if we focus on mail and overall usage, we currently have around 105,000 users of VMs. Specifically in Azure, we're nearing the 100,000 mark with more migrations in progress, making the average user count approximately 100,000.
How are customer service and support?
Microsoft support has been performing well, promptly addressing any conflicts that arise. Our account manager is quick to respond and provides additional resources when needed. The frequent check-ins, with calls every hour, contribute to a positive experience. I would rate it eight out of ten.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial deployment was quite straightforward.
What about the implementation team?
The deployment process went smoothly, with check-ins and some policies to configure. Overall, it didn't feel cumbersome.
What was our ROI?
In the long term, there is potential for significant time savings for our security team. Although currently, many of us are investing time in upskilling and adapting to the new system, overall, I believe that as we become more familiar with it, there will be noticeable efficiency gains.
What's my experience with pricing, setup cost, and licensing?
There has been a noticeable reduction in costs. We've managed to navigate it effectively through our enterprise agreement, and Microsoft's academic discounts have proven to be quite generous. The overall expense is significantly lower, approximately fifty percent less than what we would incur with a traditional enterprise license.
What other advice do I have?
Especially with an enterprise license, the transition is relatively low-risk. If you're currently using the old-school Defender SCCM, moving to the new system is not a challenging shift. It's worth picking a few machines, testing them out, and seeing if it suits your preferences. Overall, I would rate it nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
System Administrator at a non-profit with 201-500 employees
Automatically helps mitigate attacks that could expand across our organization
Pros and Cons
- "The visibility into threats is also very impressive because Microsoft helps you predict things and provides analytics to help you really improve your security. And all of this technology works across the domain, so it is pretty helpful in terms of threat analytics."
- "Intrusion detection and prevention would be great to have with 365 Defender."
What is our primary use case?
I've been using it for endpoints and for Microsoft 365, along with Microsoft Defender for Identity. I use it to create policies for anti-spam, anti-malware, anti-phishing, as well as safe links.
I also use it for the security score, making sure that our company achieves a good security score across the organization.
How has it helped my organization?
It has helped us increase our rules and policies, protecting our users, information, and data.
When I deploy a policy for anti-spam or anti-phishing, the solution automatically helps us mitigate those kinds of attacks that could expand across the organization. The automation stops those attacks and emails and sends the emails to a secure place where the admins can accept or eliminate them.
It has also eliminated having to look at multiple dashboards, which not only makes things easier, but helps us detect, and see for ourselves, the threats that are happening across the organization.
In addition, the threat intelligence helps prepare us for potential threats, providing us with security steps to take based on what other experts have done, the steps and recommendations, to prevent those threats. It collects information from the website that Microsoft has where security experts provide information.
And with our endpoints, it has helped us save time because, before we installed Microsoft 365 Defender, we had an antivirus solution that took our time. In addition, by using Defender for Identity, we have been saving time with the password self-reset, because we no longer need IT members or administrators to help reset users' passwords. They can do it by themselves. And with Microsoft Defender for Cloud, we're no longer installing the software on their computers, so there are time-savings as a result.
And one of the greatest characteristics of 365 Defender is that it natively helps you coordinate, detect, and prevent threats, and it provides investigations across the organization's domain. And with the responses across the endpoints and various resources in the cloud, it has many sophisticated solutions integrated to protect against cyberattacks. It has absolutely helped us to save money because it is just one solution, rather than paying for multiple services at the same time.
What is most valuable?
The security score and the threat intelligence are really good features. I also like the Exchange message trace.
The visibility into threats is also very impressive because Microsoft helps you predict things and provides analytics to help you really improve your security. And all of this technology works across the domain, so it is pretty helpful in terms of threat analytics. It immediately detects and tells you what you can do, with recommendations.
The solution also indicates threats as high, medium, or low priority. When the priority is high, that is when I put all of my effort and knowledge into it, and focus on it, because it is valuable for the enterprise.
We also use the solution's role-based access control across the organization. Because, as a company, we work remotely, we make sure that our users have access to what they need and we better protect our company from intruders and cyberattacks.
What needs improvement?
Intrusion detection and prevention would be great to have with 365 Defender.
For how long have I used the solution?
I've been using Microsoft 365 Defender for nearly a year.
What do I think about the stability of the solution?
The stability has been great so far.
What do I think about the scalability of the solution?
It's very scalable. That's one of the benefits of the cloud. You can scale or downsize it whenever you want.
We have many locations and departments around the world. I'm located in the Dominican Republic, but there are people in Europe and the United States.
How are customer service and support?
Their technical support is great because they mostly provide responses in less than 24 hours.
We were facing downtime with our Outlook email, and they told us what was happening with our data center. After they responded to us, we provided the information to the head administrators. After two hours, they restored our services.
How would you rate customer service and support?
Positive
What other advice do I have?
The solution doesn't require any maintenance, as far as I have seen.
Between a single- and a multi-vendor security solution, it depends on whether you are using multiple technologies. Microsoft solutions are pretty much integrated, and help you with the pre- and post-breach. If you are using Microsoft, I would absolutely recommend Microsoft 365 Defender. But if not, I would recommend something else because, with just Microsoft, you probably would not be getting the best solution. There would probably be latency.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Business Consultant at PeakUp
User-friendly and easy to set up threat protection solution with good scalability and stability
Pros and Cons
- "Setting up Microsoft 365 Defender is easy. It's a user-friendly solution that provides threat protection. It has good stability and scalability."
- "What could be improved in Microsoft 365 Defender is its licensing, e.g. it should be more consolidated and would be good if it has some optimizations. Improving the alerts and notifications, in terms of adding more details, would also be good for this solution."
What is our primary use case?
Microsoft 365 Defender is one of the first layers to our security. It's our first layer security product, e.g. we use it, then we also use Exchange Online Protection for email, Safelink, etc.
We always recommend these products to our customers, e.g. if the customer is using another third-party product. We are always recommending these compliance and security products, e.g. Microsoft 365 Defender, Cloud App Security, etc.
We usually recommend cloud security because it connects all of these security and compliance products in one center to take logs and make them meaningful, plus you can also create alerts. We are also recommending it because of Microsoft Teams usage, especially because in Microsoft Teams, users sometimes do mass deletion, mass download, etc. We always say: "Let's connect your Cloud App security with your Azure Information Protection, with Microsoft 365 Defender and your Microsoft Teams, your Engula, etc." We find cloud security to be very useful.
What is most valuable?
What I found most valuable in Microsoft 365 Defender is that it's able to scan emails and protect users from dangerous links or attachments. This is important in a first layer or base layer security product such as Microsoft 365 Defender. You can even combine Microsoft Defender for Endpoint with this solution to get the most benefits.
I also find Microsoft 365 Defender user-friendly, so that's another valuable feature of this solution.
What needs improvement?
What could be improved in Microsoft 365 Defender is its licensing. It needs to be more consolidated, because there are so many plans for Microsoft 365 Defender, and every other year, there will be new licensing options, e.g. plan one, plan two, etc., that become more and more different from each other. The most valuable product would be the most expensive product, and customers usually say: "We really need the last version, but that's really expensive for us, because we are in Turkey and the currency is very, very high now." Three years ago, this wasn't a problem, because $1 was three or four Turkish liras, but now it's 15.
In the licensing options, it would also be better if there can be some optimizations, similar to what Power BI Pro offers. There are two options in Power BI: user-based and capacity-based. It would be good if there can be another option for one consolidated product for the whole company with a higher price, but you cannot depend on user count.
What I'd like to see in the next release of Microsoft 365 Defender is for them to provide more details in the alerts and notifications they send out.
For how long have I used the solution?
We've been a partner for Microsoft for 10 years.
What do I think about the stability of the solution?
I found that the stability of Microsoft 365 Defender is good.
What do I think about the scalability of the solution?
Scalability is good in Microsoft 365 Defender.
How are customer service and support?
What we have is Premier Support from Microsoft, e.g. we are a CSP partner, so we were required to buy Premier Support and Cloud Consulting from Microsoft. We are really happy with the support we've been receiving for Microsoft 365 Defender, but on the customer side, they don't have Premier Support, and sometimes, depending on the case, they're not very satisfied with the support.
Our satisfaction is five out of five, but our customers would only have three or four out of five, in terms of their satisfaction with Microsoft 365 Defender support.
How was the initial setup?
The initial setup for Microsoft 365 Defender is really easy. It's not very complicated. I didn't see any other difficulties with setting it up, but customers sometimes think it's not very easy. They purchase consulting services from us, so it doesn't bother us, but sometimes the customer says: "I don't know how to start, but I use Microsoft Security." Microsoft is very late in the security niche, so customers sometimes say: "We have Symantec", or they would mention that they have other products from other vendors, and these vendors are very reliable for many, many years.
In the last three or four years, though, customers start to depend on Microsoft Security products, but they are not early adopters, because they usually tell us: "When we buy the product, some policies cannot be used, but after some time we can use it." It's not really a problem, but I wanted to relay some of the feedback we get from our customers.
What's my experience with pricing, setup cost, and licensing?
The most valuable licensing option is expensive, so pricing could be improved. Licensing options for this solution also need to be consolidated, because they frequently change.
What other advice do I have?
We've been dealing with the latest version of Microsoft 365 Defender.
For an average project, deployment of Microsoft 365 Defender can take a week, but we do need some change management models, because we still need to train the users about safe links and attachments, so we sometimes have to expand the average time, but implementation is not very hard. If we only do the implementation, one week is more than enough.
We rely on just one to two persons, particularly engineers, for the deployment and maintenance of Microsoft 365 Defender.
My recommendation to others looking into implementing Microsoft 365 Defender is that reading the documentation is really good. If you are a Microsoft partner, you'll also have benefits, e.g. CDS tenants and demo tenants that are free to you for one year, so you can test the products first, before you implement. If you are a partner, my advice is to use your Microsoft partner benefits.
I'm giving Microsoft 365 Defender a rating of eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Security Architect at a computer software company with 501-1,000 employees
Robust with good threat hunting and incident response capabilities
Pros and Cons
- "Defender XDR can stop advanced attacks, like ransomware or business email compromise."
- "From a performance standpoint, improvements could be made."
What is our primary use case?
The solution is primarily used for security response. We work with many government ministries that use Microsoft, Microsoft 365, or security tools like Azure XDR. This solution integrates with other products, helps with detection, and offers quick response times.
What is most valuable?
The threat-hunting and incident investigation capabilities are very strong. It can investigate and block phishing attacks and monitor them effectively. We can even do endpoint behavior analysis.
The solution's XDR platform provides unified identity and access management for customers. If the customer is using a Microsoft Enterprise XDR solution, it does. We do have Microsoft Defender for Identity. It's part of the suite itself. Customers can have Defender for Endpoints, Defender for Identity, and Defender for Cloud. All these things combined form the XDR. The main use cases are around identity - to understand whether there is identity hacking, privilege escalation, or some malicious user in the environment. It helps us respond to those events very quickly.
From a coverage point of view, it's good. We are quite happy with it. If we have users with multiple devices, the solution provides comprehensive coverage.
While the solution does cover technology beyond Microsoft, it's strongest when monitoring the Microsoft Suite. We do have servers, and it can monitor them. They don't necessarily have to be Windows servers.
Defender XDR can stop advanced attacks, like ransomware or business email compromise. It depends on how the solution is configured. It does a lot of monitoring and helps the SOC team or the analysis team find issues.
The solution has the ability to stop attacks and can adapt to evolving threats. It can ingest a lot of threat intel data, which actually gives us the latest information about how the threats are happening. It does a quick analysis of that.
Some customers use Defender XDR's multi-tenant management capabilities. That said, most of the time, they might not need a multi-tenancy. In one or two cases, customers may have done it, but not very frequently. The multi-tenant management capabilities for investigating and responding to threats across tenants are pretty decent. It provides a very unified view. That's one of the core capabilities of Microsoft XDR - the unification of the view. In a security situation, I might have solutions in multiple places. However, our tenant will be protected, and we will receive alerts. It helps a lot with individual client monitoring. It will help me hunt other tenants as well. It makes it so we have a very cohesive environment.
Defender XDR has enabled some of our customers to discontinue the use of other security products. However, it's not always based on capabilities. In Qatar, for example, it's a government mandate to use Microsoft as much as possible, so we move a lot of customers over exclusively to Microsoft in those cases. That doesn't mean the other product wasn't performing. It just means there is a heavy preference towards being solely on Microsoft.
The Microsoft XDR solution has helped some customers to reduce costs. One of the major cost reductions is on the resources side (not on the technology side). As a service provider, we can move to a much leaner team with the XDR setup than with a non-XDR setup. When you have different environments to monitor and different alerts coming in from different devices, then you need more people to do the monitoring and analysis. However, when you have a unified view of the environment, then you can reduce the team to a certain extent. We can do a 25% reduction on a team, which is a considerable reduction since resources are expensive. How much a company can save depends on the environment. If it's small, the reduction in cost may not be significant. It can be as low as 10% or as high as 25%, depending on the size of the environment.
It's helped us save time. It's difficult to specify how much; however, it's likely up to 25% thanks to the reduction in the analysis needed.
What needs improvement?
From a performance standpoint, improvements could be made.
For how long have I used the solution?
I've used the solution for one and a half years.
What do I think about the stability of the solution?
I'd rate the stability eight or nine out of ten. If it's just a Microsoft environment, the reliability is very good. If it's a mixed environment, I'd rate the stability seven out of ten.
What do I think about the scalability of the solution?
The solution is highly scalable.
How are customer service and support?
Technical support is good. We have enterprise support and they are responsive.
How would you rate customer service and support?
Positive
How was the initial setup?
I do not handle the initial setup process. The customer may deploy it across multiple locations. The size of the environment can vary from 100 users to 1,000.
There isn't really any heavy maintenance. You just have to renew the licenses. If it's a small environment, one person can handle that. If it's bigger, there may be two or three people.
What's my experience with pricing, setup cost, and licensing?
My understanding is that Microsoft is trying to change the pricing. However, right now, it's bundled together. If it could be decoupled a bit, it would help customers be able to afford the solution.
What other advice do I have?
We are service providers, and we resell Microsoft solutions.
XDR is basically used for unification. It's more of a dashboard. When you have an XDR, you can monitor the entire environment. You can also see and take actions across the entire environment, which is actually a very big advantage when it comes to a particular software analyst's day-to-day job. They can be monitoring one screen. Typically, if an issue is found, a ticket needs to be made, and that's passed onto an engineer, but with XDR, a lot can be automated. It can help reduce costs related to manpower and make the process more efficient.
I'd rate the solution nine out of ten and recommend it to others. Smaller companies may not need it; however, if a company is growing fast or is already sizable, it's a good option—especially if it is a mostly homogeneous Microsoft environment.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
Last updated: Jun 16, 2024
Cloud Solutions Architect at a tech services company with 51-200 employees
A top solution for visibility and vulnerability management
Pros and Cons
- "The integration, visibility, vulnerability management, and device identification are valuable."
- "The web filtering solution needs to be improved because currently, it is very simple."
What is our primary use case?
We implement it on client endpoints and server endpoints. We also integrate it with Microsoft Entra ID for the identity part because the security part of Microsoft Defender is completely correlated to user activity.
How has it helped my organization?
Microsoft Defender XDR is important for the mitigation of threats, visibility of vulnerabilities, and identification of issues within the environment. It has been a leader in the market for consecutive years.
We have a single pane of glass for servers, endpoints, and mobile devices. It makes it very easy to identify which devices are at risk when you go to the vulnerability part. There are also recommendations. Especially for me, these recommendations are gold. You see exactly what you need. Microsoft Defender XDR is completely different from your antivirus solution. It detects based not only on signatures but also on the policies, so you are forced to harden your servers or client endpoints, which makes a much stronger solution.
Being a Microsoft solution, it integrates well with other Microsoft systems. The majority of the systems are Microsoft-based. This integration comes without the need to install a client on the local machine. It makes the life of the operators and whoever implements it way easier.
Microsoft has a range of Defender products. There is Defender XDR, Defender for Endpoint for clients and servers, and Defender for Office 365 which protects mailboxes, SharePoint, and OneDrive. Then you have Defender for Identity, which is integrated with Defender XDR. You also have Defender for Cloud Apps that is connected to Defender XDR. When integrated, you can get sources of threats, for example, from Defender for Identity connected directly on the endpoint. Defender for XDR protects the endpoint devices against ransomware and different threats. We need to look more holistically at all the Defender solutions instead of isolating them. There is an element of correlation of identity. For me, nowadays, it is much more important to protect the identity than the endpoint device itself because the majority of the vectors are coming from identity attacks. They are more than the viruses attacking the endpoints.
I do not have much experience with Linux as such. I am very focused on Microsoft solutions. I never focused on Linux, but I have worked with my peers, for example, on projects to enroll Linux devices. We needed to prepare simple scripts or Puppet scripts to automate the process of pushing policies and automate the update of the antivirus. It is trickier. It is more complex to manage because of the nature of Linux itself. It is not as straightforward or integrated as Microsoft solutions, such as Microsoft Windows 11 or Windows Server, but Microsoft Defender still covers everything. There are some limitations regarding Linux servers and endpoints because you need to have the version of Linux that is supported by Defender, but at the same time, with whatever is supported, Microsoft Defender does the job. Linux and Windows operating systems work in different ways, and the way that antivirus interacts with the operating system is completely different. There is role-based access control in Windows. You have local administrators and domain administrators. On Azure, you define roles for users to access certain environments. On Linux, you have the root user, and as a core front operation system embedded in it, you do not have the least privileged access management solution. This comes with a price because you need to control much better to whom you give access. SSH keys, for example, are very important to be protected, which is a different protocol than the Remote Desktop Protocol (RDP). You need to protect Linux servers in different ways, which is very different from Windows. Defender or Defender XDR extends the protection, especially when you need to connect with Azure Arc, which is part of Microsoft services.
Microsoft Defender XDR has consolidated security solutions. Previously, you had an antivirus, and you had a different type of endpoint protection for servers, and then you had a web content filtering solution, which is part of Microsoft Defender XDR. It consolidates all the extra products that you require, but it does not give all the elements. It is not a firewall. It is not a web application firewall (WAF). It does not give you everything required as a security solution, but as an extended detection and response system, it gives a lot of leeway for you to meet your security objectives. If we compare it with other products, Defender XDR is much more complete than the competition.
What is most valuable?
The integration, visibility, vulnerability management, and device identification are valuable. You can automatically deploy the clients depending on how you are implementing the solution.
What needs improvement?
The web filtering solution needs to be improved because currently, it is very simple. It is very important.
Integrations with Linux should be done in a better way. With the AI world and the security part, things are going to be much simpler and easier to set up, configure, deploy, and maintain. I am looking forward to new releases of Microsoft Defender XDR to have better integrations, but the web filtering solution is the main pain point.
For how long have I used the solution?
I have been working with Microsoft Defender since it was released. It has been about four years. I started working with it when it was not even called Defender. It was Advanced Threat Protection. It then changed to Defender for Endpoints and then to Defender XDR.
What do I think about the stability of the solution?
I have not experienced many bugs or issues. Sometimes, you have delays in the response, but that is due to connectivity issues. It is a cloud-based solution, so you cannot expect to have a real-time response, but this can be improved by Microsoft. I know that they are trying to improve. I would rate it a nine out of ten for stability.
What do I think about the scalability of the solution?
It is ultra-scalable. I would rate it a ten out of ten for scalability.
How are customer service and support?
I love Microsoft, but due to its growth, the overall support quality has decreased a lot. My recent experience with support was not that good. For the Defender part, it was not that bad. I would rate their support a six out of ten. Their response time and knowledge could be better.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I work with Trend Micro. I work with Kaspersky. Trend Micro has its own cloud-based solution similar to Microsoft Defender XDR, but it is not the same. It has some problems. It is not as effective as Microsoft Defender XDR. Especially whenever it comes to vulnerabilities and recommendations, Microsoft Defender XDR is amazing because of its integration with Microsoft operating systems. Microsoft is much ahead of the competition.
I would never touch Kaspersky again. It is not because it is a bad product. It has been a very good product for several years, but because of the Russia and Ukraine war, it has become a prohibitive product at least in Malta to use. A lot of customers moved from Kaspersky immediately to different products. The majority of them went to Microsoft Defender XDR, especially because it also comes integrated with some products. Microsoft is bundling its own products, and Microsoft Defender XDR is very attractive to implement as a cloud solution. It is a no-brainer for the customer. That is where Microsoft has an advantage over Trend Micro, Kaspersky, and other vendors.
How was the initial setup?
With Cloud servers, it is easy and very straightforward. You can almost automate it, but in a hybrid environment, you have the element of the on-prem servers, which becomes a little bit more complex. You also have the element of Azure that simplifies the deployment process.
It can be difficult to deploy in the beginning because you need to consider different products and elements, but the deployment is the simplest part of the onboarding process. The configuration process is much more difficult, especially because on servers, you need to deploy group policy objects (GPOs) and set all the policy options to protect from the vulnerabilities. You need to configure the antivirus to protect from exploits. There are so many features and configuration possibilities that it becomes more complex to implement on server endpoints. On the client side, it is easy, especially when you implement Defender through Intune, which is the mobile device management solution of Microsoft. With a platform like Intune, it becomes easy because you have policies that assist you already out of the box, such as security baseline policies. With Intune, it is much easier to set a policy. It is way less complex to implement. When you have a hybrid environment with endpoints joined on a local Active Directory, the complexity increases because you need to deploy GPOs as well if you do not have Intune involved. It is complex to implement.
The deployment takes a few weeks, but it also depends on the size of the customer. If you have just Windows 11 client endpoints, it is easier to implement. Client endpoints are easy to implement because you do not need to test that much. You configure the policies. The policies are all known because of our experience. When it comes to servers, it depends on the server's workload. It depends on what type of service you have installed on the server side. If it is the IIS web server, you need to test certain policies that can block that service. You cannot simply go and implement the best practices of the policies because then you are going to make the server unusable. You are going to generate downtime, which is not ideal and also not the objective, so you need to be very knowledgeable on the infrastructure side and the security side of all applications. You need to study. You need to create a test environment and start implementing server by server. You require details, and it is complex to implement because of this reason.
I am currently doing an implementation for a company with 300 people, and it would take around two months to implement because of the number of servers and endpoints. You need to go into each and every device and analyze the environment. It takes a while. In smaller companies, it is very quick. Within a week or two, you can manage to implement it.
In terms of maintenance, there is no maintenance of the product, but there is maintenance of the environment. Microsoft releases frequent recommendations, and they detect new vulnerabilities very frequently, which requires constant maintenance of policies.
What about the implementation team?
I usually allocate two people. There is one person more focused on the client endpoints, and the other one is more focused on the servers because of his expertise. We split the roles and responsibilities within the team.
What was our ROI?
It has not saved us costs, but we have invested in a proper solution. We have a better return on investment. We now have better visibility. We are investing in a product that gives what we need instead of a product that does not fulfill our requirements and our customers' requirements.
As a service provider, it is very hard to calculate an ROI. For customers, it is more of a return on value rather than a return on investment. If you have not been under any threat after implementing the solution, it provides the value you need. This is my point of view on security because there is no perfect solution, but there is a solution that works better than the others where you have much more control. With Microsoft Defender XDR, in my experience, we have managed to give that to our customers. Our customers are satisfied with the product, and none of them have replaced or changed Microsoft Defender XDR.
What's my experience with pricing, setup cost, and licensing?
There is the cost of the license, and there is the cost of implementation services. Merely enabling a license for your user will not enable all the features or configure the policies. It does not work like this. You need specialized people to implement, monitor, and maintain the systems. It comes as a package.
I would rate Microsoft Defender XDR a seven out of ten for pricing. It is costly, especially on the cloud part. There is also Defender for Cloud, which is part of Microsoft Defender XDR. It is 15 dollars per server per month. It is worth it, but it can be costly. It depends on the company's size. That is the big issue.
If you have a company with ten employees and ten servers because you have your own infrastructure hosted within virtual machines, you need to protect ten client endpoints. It is cheap if you get a business premium license. It costs around 17 euros per user. To protect the servers, you need to pay an extra 14 euros per server per month. For ten servers, it is 140 euros per month. Per year, it is around 1600 euros. Small companies or companies with a small budget would not go for it because they do not want to invest in IT. They do not see this value. In my opinion, big companies can justify this cost.
In the countryside of Malta, it is tricky to sell the solution. I have to give them all the advantages. I always have a test environment, so I show them how it works, how the automated detection works, how it behaves, and how it acts on the threats. I give them an overview, and they get amazed. When it comes to the pricing, they get a little bit scared, but ultimately, they go because they see value in it. Everything depends on the value that a product gives and how you sell a product as a solution provider. An XDR solution provides value because it protects your assets. Your data is your major asset. If you do not have it protected, you can get hacked or have a ransomware attack. Companies are now starting to understand the importance of it, and they are starting to invest more. It is still a long way for us to have the mindset where they say that it does not matter how much it costs, we need to invest in security.
What other advice do I have?
I would recommend Microsoft Defender XDR. It is the best solution in the market.
For me, Microsoft Defender brought a career change. It made me go deeper into the security products. Previously, I was more of an infrastructure guy. I was more focused on on-prem and Windows servers, but then I moved away from infrastructure. I work for a data center company, and I am a presales solutions architect designing solutions for financial companies, banks, and gaming companies or companies with online casinos.
A lot of people did not like Microsoft Defender because Microsoft was not known as a security company, but Microsoft has been investing billions of dollars every year in security, and now, they provide cutting-edge technology, especially with AI.
I have been following Microsoft, and I go to Microsoft events. There is a new product called Security Copilot that is going to be completely connected to Defender XDR. It will give much faster feedback and response to threats by issuing reports. Today, a security analyst takes four to five hours to prepare a report. With Microsoft Security Copilot and Defender, it is going to change massively. Within five to ten minutes, you can prepare a report with the Security Copilot solution. It is going to be released very soon, and I am looking forward to it.
Overall, I would rate Microsoft Defender XDR a ten out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner

Updated: February 2025