What needs improvement with Microsoft Defender for Cloud?

The vulnerabilities are duplicated many times. If it reports that the findings are around 30 or 40, or let's say, 100, it is not the exact number as it is possible that there are multiple findings which are duplicated in nature, and actually, the number is only 62 or 67. Another issue after Microsoft Defender upgraded and left Qualys is that whenever the load for the report data is too high, we cannot export the report in one go, so we have to do it in batches.

The pricing could be better. Additionally, while Microsoft Defender for Cloud adapts well to customizations, it does generate a lot of false positives if the agent is not running. We would also appreciate portion management specifically for Microsoft 365.

For improvements, I'd like to see more use cases integrated with Microsoft Sentinel and support for multi-cloud environments beyond just Azure.

Microsoft Defender for Cloud is not compatible with Linux machines.

Support needs to be highly responsive, especially in large enterprise environments. When support is required, it must be immediate, as there could be urgent situations. For instance, prompt resolution is essential if there's a critical issue like a global cyber threat that impacts networks worldwide. If our team encounters such a problem and needs assistance, we require a support team that can provide immediate, hands-on help to resolve the issue effectively. Quick and expert support is crucial for managing high-level emergencies and ensuring smooth operations.

The documentation could be much clearer. I also think that Microsoft should stop rebranding everything constantly. I'm tired of every name changing every 90 days. It's ridiculous. I understand that they're coupling tools together but look at AIP. It has had over 14 names in the last five years. That's absurd. Microsoft needs to stop rebranding everything and stick with one brand. They can build them out from there. I like the fact that the dashboards are integrated, but I don't like that the CloudApp is now mapped to the Security dashboard. I hate that. I should be able to map dashboards myself. Having one dashboard is great for some people, but I have people who do Endpoint Management and they don't do Incident Management. They're two different groups. I should be able to send them to different portals if I want to. They're not all working out of the same portal. I do like that the dashboards have the option to be put into one portal, the Security portal, but I don't like that now I have to figure out where Microsoft moved everything. I liked it better when they were separate, so I could isolate and assign groups to each tool. Now that they're putting all the portals together, it's more complicated. I like the idea of a single pane of glass, but I think they're adding too much change too quickly without explaining the main purpose or mission of each product. And they're not making a clear distinction between them. When we put them all in one portal, it just adds more confusion. For example, in CloudApps, I see incidents in the "Incidents" section, but in the new Security portal, incidents are not in the CloudApp section. People don't need to search for stuff. They knew how to do it before. Microsoft needs to stop changing things so often. I believe in change, but not every other month. Defenders threat intelligence is useless, I think, because it didn't see SolarWinds coming. After SolarWinds, if we even mention their analytics and threat intelligence, it's just evidence that it doesn't exist. It didn't even see SolarWinds coming. The only value I see in their threat intelligence, from a marketing perspective, is that it allows me to leave logs in their native location and tell clients to leave them longer. So if they find something like SolarWinds later on, they can go back and look through older logs and find it again. After SolarWinds, I'm not impressed at all by anything Microsoft says about their multi-billion dollar login.

The remediation process could be improved. I have seen that Google has a similar Security Center, where they not only identify vulnerabilities but also provide the steps to fix them. If Microsoft Defender for Cloud could provide remediation steps for all vulnerabilities, it would be a significant enhancement. Currently, only some vulnerabilities have remediation steps available.

The product must improve its UI. Looking at multiple devices for the same issue or vulnerability is very cumbersome. The solution should provide built-in features related to trending and graphing over time. If it’s already present, we haven’t found it. It doesn't seem intuitive to find it quite as easily as some other tools with ready-to-go dashboards.

I would like to have the ability to customize executive reporting.

Microsoft Defender could be more centralized. For example, I still need to go to another console to do policy management.

When there is a recommendation by Microsoft Defender that suggests using the Azure Logic App, the remediation step when a user takes action should be created automatically. Microsoft can improve the pricing by offering a plan that is more cost-effective for small and medium organizations.

Six months to a year ago, which was the last time I used the solution, the algorithm that was designed to define whether or not a site is dangerous or not needed to be improved. It didn't have enough variables to make the decision. Another thing that could be improved was that they could recommend processes on how to react to alerts, or recommend best practices based on how other organizations do things if they receive an alert about XYZ. Also, the complexity in the amount of information for this process could be reduced to facilitate those of us who are implementing and using the system, and guide us as to exactly what is needed.

Right now, the solution covers a limited set of resources. If taken into scope, it will improve more. After getting a recommendation, it takes time for the solution to refresh properly to show that the problem has been eliminated. Sometimes we'll receive a recommendation, but the problem still won't be fixed. This could be due to end-of-life machines. If the solution isn't properly refreshed, we need to wait for two or three days to remove those recommendations. Sometimes we have to reach out to Microsoft to check why the problem hasn't been fixed after following the recommendations. For example, after a recommendation about AML files, it didn't show that the fix had been applied even though it was. It took more than four days to show that the fix had been applied. There are some policies that we're not able to use due to some business justifications. For instance, the storage account should be private, but it's public because a third party is interacting with that storage account and we can't limit the public access because there is no whitelisting available in terms of IPs.

Defender is occasionally unreliable. It isn't 100% efficient in terms of antivirus detection, but it isn't an issue most of the time. It's also somewhat difficult to train new security analysts to use Defender.

Sometimes, it's very difficult to determine when I need Microsoft Defender for Cloud for a special resource group or certain kinds of products. That's not an issue directly with the product, though.

The solution could extend its capabilities to other cloud providers. Right now, if you want to monitor a virtual machine on another cloud, you can do that. However, this cannot be done with other cloud platform services. I hope once that is available then Defender for Cloud will be a unified solution for all cloud platform services.

I would like to see better automation when it comes to pushing out security features to the recommendations, and better documentation on the step-by-step procedures for enabling certain features.

It's a severe issue when you need to install Defender for Cloud on Microsoft operating systems older than 2016. Operating systems released after 2016 will seamlessly integrate with Defender with no problems. Older operating systems don't integrate smoothly. The 2012 operating systems will continue to be used for years. The 2008 systems will be phased out, so that won't be a problem for long, but you need some quick fixes to install on a 2012 OS. The older the operating system, the more difficult it is to detect if the solution is working. That was a significant problem. It works fine on a newer OS. On the older ones, we had to do some tricks to determine if it was correctly deployed and working since the integration of Defender in the older OS is a lot less. Microsoft couldn't help us with that. Another thing is that Defender for Cloud uses more resources than for instance, CrowdStrike, which my current company uses. Defender for Cloud has two or three processes running simultaneously that consume memory and processor time. I had the chance to compare that with CrowdStrike a few days ago, which was significantly less. It would be nice if Defender were a little lighter. It's a relatively large installation that consumes more resources than competitors do.

From my own perspective, they just need a product that is tailored to micro-segmentation so I can configure rules for multiple systems at once and manage it. Instead of having to set up individual rules for individual applications, there should be a system that can allow me to set up multiple rules at once and can automatically update the rules as the infrastructure changes.

We haven't really received any customer feedback yet. Once we have some, we'll be able to better discuss areas of improvement. The solution needs to keep improving its log analysis and threat mechanisms. The product was a bit complex to set up earlier, however, it is a bit streamlined now. Basically, we are looking at unique specimens. Linux works best with ONELAB. With Linux, we have a lot of Metasploit, however, it is undetectable sometimes. We want to improve that particular aspect of the Defender.

The entire Defender family requires a little bit of clarity. There is a lot of confusion in the market, especially on the end-user side but also on the consulting side. Microsoft has launched four or five Defender products, including Azure Defender, which Microsoft renamed Defender for Cloud. They also have Defender for Identity, Defender for Endpoints, and Defender ATP. It isn't very clear. I would suggest building a single product that addresses endpoint server protection, attack surface, and everything else in one solution. That is the main disadvantage with the product. If we are incorporating some features, we end up in a situation where this solution is for the server, and that one is for the client, or this is for identity, and that is for our application. They're not bundling it. Commercially, we can charge for different licenses, but on the implementation side, it's tough to help our end-customer understand which product they're getting.

I can't speak to any features that are missing. I need time to get a little bit more into it before making any kinds of suggestions. They could always work to make the pricing a bit lower.

For Kubernetes, I was using Azure Kubernetes Service (AKS). To see that whatever is getting deployed into AKS goes through the correct checks and balances in terms of affinities and other similar aspects and follows all the policies, we had to use a product called Stackrox. At a granular level, the built-in policies were good for Kubernetes, but to protect our containers from a coding point of view, we had to use a few other products. For example, from a programming point of view, we were using Checkmarx for static code analysis. For CIS compliance, there are no CIS benchmarks for AKS. So, we had to use other plugins to see that the CIS benchmarks are compliant. There are CIS benchmarks for Kubernetes on AWS and GCP, but there are no CIS benchmarks for AKS. So, Azure Security Center fell short from the regulatory compliance point of view, and we had to use one more product. We ended up with two different dashboards. We had Azure Security Center, and we had Stackrox that had its own dashboard. The operations team and the security team had to look at two dashboards, and they couldn't get an integrated piece. That's a drawback of Azure Security Center. Azure Security Center should provide APIs so that we can integrate its dashboard within other enterprise dashboards, such as the PowerBI dashboard. We couldn't get through these aspects, and we ended up giving Reader security permission to too many people, which was okay to some extent, but when we had to administer the users for the Stackrox portal and Azure Security Center, it became painful. We were also using it for just-in-time access for developer VMs. Many a time, developers need certain administrative privileges to perform some actions, and that's where we had to use just-in-time privileges. Administering them out of Azure Security Center is good, but it also means that you have to give those permissions to lots of people, which is very cumbersome. So, I ended up giving permissions to the entire Ops team, which defeats the purpose and is also not acceptable at a lot of places. These were the two use cases where I felt that I really had to get into the depth of Azure Security Center to figure out how I can use it much better.

The team is already working on one of the latest features, which is having migration techniques right on the portal available. It's possible to use it now. That's one good new feature. For MIM, they are still improving things on Azure Security Center. There are a few flaws in backend technologies. If you do not have the correct access to the system, you cannot access the files and most of the reported resources. For example, a general huge storage account, which is exposed for public access. If there are ten storage accounts available, you can see the names. You can identify, those storage accounts that are supposed to be accessed from the outside, maybe, due to some feature happening behind the scenes on a storage account, and these are supposed to be exempt from the portal. You shouldn't see them again and again and this should not affect your security score overall. However, they are not easily exempted from the portal. There's no way to exempt them properly. You cannot create custom use cases. You can use what is already present on the Microsoft side in terms of security alerts. You can, however, customize whitelisting for alerts.

I felt that there was disconnection in terms of understanding the UI. The communication for moving from the old UI to the new UI could be improved. It was a bit awkward.

The solution could improve by being more intuitive and easier to use requiring less technical knowledge. In a future release, the solution could improve by providing more automation and clarity in the autoanalysis. When we provide our customers with a Microsoft solution for security, Microsoft has to go beyond the basic expectations to impress the customers.

Most of the time, we are looking for more automation, e.g., looking to ensure that the real-time risk, threat, and impact are being identified by Microsoft. With the Signature Edition, there is an awareness of the real risks and threats. However, there are a lot of things where we need to go back to Microsoft, and say, "Are you noticing these kinds of alerts as well? Do we have any kind of solution for this?" This is where I find that Microsoft could be more proactive.

Customizing some of the compliance requirements based on individual needs seems like the biggest area of improvement. There should be an option to turn specific controls on and off based on how your solution is configured.

We would like to have better transparency as to how the security score is calculated because as it is now, it is difficult to understand. We showed it to a couple of our clients, and they had trouble understanding it and an explanation or breakdown is not readily available. The score includes different weightage for certain controls. For example, if there is a "Control A" and it has a weight of 10 then it would affect the score more than "Control B", which has a weight of five. Being able to see the weights that are assigned to each control would be an improvement.

This product has a lot of features but to get the best out of it, it requires a lot of insight into Azure itself. An example of this is customizing Azure Logic Apps to be able to send the right logs to Security Center. The overview provides you with good information, but if you want more details, there is a lot more customization to do, which requires knowledge of the other supporting solutions. You can get the best out of it, but then you will also need to do a lot of work. Improvements are needed with respect to how it integrates the subscriptions in various Azure accounts. You can have a lot of accounts, but you don't get detailed information. Specifically, it gives you overall score statistics, although it's not very intuitive, especially when you want to see information from individual subscriptions. For example, if there are five subscriptions sending traffic to Azure Security Center, it gives you the summary of everything. If you want to narrow it down to one particular subscription and then get deep into the events, you really have to do some work. This is where they could improve. In terms of narrowing things down, per account, it is not granular enough. In general, it gives you good summaries of what is happening everywhere, with consolidated views. You're able to get this information on your dashboard. But, if you wanted to narrow down per subscription, you don't want to have to jump into the subscriptions and then look at them one by one. Simply, we should be able to get more insights from within Azure Security Center. It's possible, but this is where it requires a lot more customization.

Agent features need to be improved. They support agents through Azure Arc or Workbench. Sometimes, we are not able to get correct signals from the machines on which we have installed these agents. We are not able to see how many are currently reporting to Azure Security Center, and how many are currently not reporting. For example, we have 1,000 machines, and we have enrolled 1,000 OMS agents on these machines to collect the log. When I look at the status, even though at some places, it shows that it is connected, but when I actually go and check, I'm not getting any alerts from those. There are some discrepancies on the agent, and the agent features are not up to the mark. Sometimes, we are getting backdated logs, and there could be more correlation.

Consistency is the area where the most improvement is needed. For example, there are some areas where the UI is not uniform across the board. You can create exemptions, but not everywhere are the exemptions the same. In some areas, we can do quick fixes, but that is not true across the board. So in general, consistency is the number one item that needs attention.

There is no perfect product in the world and there are always features that can be added. Innovation is something that is always on the table.

As an analyst, there is no way to configure or create a playbook to automate the process of flagging suspicious domains. Azure Defender does not have this capability and that is one of the features that is very crucial. When we receive an alert on suspicious domains, we have to do it manually. We go to VirusTotal, or AlienVault to confirm. It would be useful to have it done automatically.

I think that the documentation and implementation guides could be improved. It would make the implementation process easier.

Azure Security Center should be more easily understood by a non-technical person. It's more about the security before getting into the product. It needs to be simplified and made more user-friendly for a non-technical person. In the next release, I would like to see a better dashboard and more integration with IT sales Management.

From a compliance standpoint, they can include some more metrics and some specific compliances such as GDPR.

Pricing could be improved. There are limited options based on pricing for the government. The initial setup could be simplified. In the next release, I would like to see more development in the area of NECES scanning or Splunk, or Universal Forwarding.

The solution is quite complex. A lot of the different policies that actually get applied don't pertain to every client. If you need to have something open for a client application to work, then you get dinged for having a port open or having an older version of TLS available. Even though the TLS is only allotted for a single application, single box, and everything else is completely up to date, it just gives us an inaccurate reporting of how secure the environment actually is. The solution could use a bit more granularity.

We built our hierarchy incorrectly and we're struggling now with some of the features that are up there. Once we straighten our hierarchy out, we are going to applied policies, whether it's through Security Center or any other thing. It's going to be a lot easier once our hierarchy is fixed. We need to apply things in a certain place and then we realize that we need to apply them to the subscription as well. And next thing we know we also need to apply it to another subscription, it's unmanageable. We're applying different policies across all our different subscriptions, which is fine, but at 21 subscriptions you can have over a dozen policies. We're trying to skinny that down to four or five policies. It's not a defect in a Security Center. It's a defect in how we built it.

I'm quite active on the Azure product blogs. We're able to provide recommendations to Microsoft and they work together with Azure towards achieving them. One of the issues with the product is that it's not possible to write or edit any capability. For example, if there is a false positive detection on the security center, the only option I have is to flag it off. I can dismiss the alert, but there is no option to provide comments or reviews, so that somebody else looking into the portal can brief them. I'd like to see some additional features that would include an option for the security team to provide comments on the alerts and also to improve the recommendations. I would like to see them fine tuned. We're also getting a lot of false positive alerts and Azure can reduce that using the Microsoft AI and ML feature.