Microsoft Defender for Cloud Apps Reviews

We primarily use Microsoft Defender for Cloud to secure and provide controlled access to our applications. We have a few hosted applications in the cloud, including some of our critical applications. We need a solid firewall and security setup in the cloud to protect all those applications. Microsoft Defender for Cloud serves this purpose because it provides efficient security for our cloud applications. Its controlled auditing and other filtering setups also offer uninterrupted access to users. 

We use Defender for Identity and Defender for Cloud. Integrating the two is entirely straightforward. Once we deploy Azure or any other Microsoft services, the integration between each product is released. You can integrate Defender for Cloud and identity management with a click. Both are security features that have to work. If we get a similar log issue from Defender for Cloud, this log is automatically passed to Identity to check if there is any mismatch or identity-based concerns. It'll correlate the logs and easily identify the issues.

These solutions work together natively, each addressing a different security dimension. We prefer this identity-based solution focusing on user identity security, whereas Microsoft Defender for Cloud App concentrates on applications. Application security is the priority in this. Application security also requires identity management because users will be accessing applications based on identity rules. If the identity policies are met, it will easily access these applications hosted in the Cloud. Microsoft Defender Cloud has separate policies to maintain specific access for users based on their privileges, so it is all correlated.

It should work in correlation because we are not using a third-party product for all this security. We expect a solid correlation because everything is the legacy software of Microsoft. We are using multiple Microsoft products with Azure, including OneNote, OneCloud, etc., and every product requires security in each layer. We have numerous layers of protection in Microsoft. Each layer must be correctly oriented and governed by a set of policies so that each level satisfies the user policies and each policy forwards to the next level. So in that way, Microsoft has a different level of setups, and this Microsoft Defender for Cloud is one that last setup.

Our cloud strategy will change as we move more applications to the cloud, and all require security. As we migrate more into the cloud, our security becomes more complex. Once we have applications deployed in the cloud, it is better to have a single vendor for all the security solutions because Microsoft has a solution for each aspect of the application setup. Microsoft provides enough security features that we don't require any third-party applications. Each layer has to complement another layer. Because it is a one-vendor Microsoft solution, it's easy for us to identify and troubleshoot issues. I prefer a single solution rather than a multi-vendor solution.

Defender for Cloud Apps is an efficient option for protecting applications you use when working. They can be controlled to avoid risks or loss of information because most of our activities are pretty confidential. We don't want to share this application with many people. Since it is in the cloud, we have less control over that. After deployment, Microsoft Defender for Cloud Application maintains a stable, secure, and efficient security process in the cloud. 

It has different tools to guarantee this security, including various policies, classic control mechanisms, algorithms, and a threat database. It completely solves our security concerns about our cloud applications.

Defender helps automate security tasks. Traditionally, we would require a SIEM tool or costly antivirus software to implement this solution in the cloud. We would need a SIEM solution to analyze data. Most premium antivirus features and threat database features are included in this solution. 

Defender's dashboard has simplified our operations somewhat, but we still require different dashboards for each security setup because we continue to use traditional antivirus software for our on-premise environment. We will have multiple tabs related to security. Each layer of protection has different accounts, and you can browse the options. We need to browse the options and check everything. 

Microsoft Defender has a fantastic dashboard because every option is available in the dashboard. Most of the alerts are found in the dashboard. We just need to click on that to see their issues. Their highly rated issues can be easily checked from the dashboard. Most of the essential features are covered in the dashboard.

The solution helps us be proactive about threats because it features an updated database of the current threats that are most significant in the industry. Some of the cybersecurity threats have been mitigated by most of the antiviruses. Defender's AI-based mechanism can handle novel threats and malware, whereas many antiviruses use application signatures. 

It has saved us some time spent on configuration. Configuring on-premise and cloud applications separately is time-consuming, but Microsoft Defender for Cloud reflects configuration changes in the cloud to the on-premise applications. Everything mainly works as a single network, so it cuts the time spent on the configuration in half. Financially, it has cut our costs by about 20 percent.

It has also considerably reduced our time to detect and respond to threats. Some antivirus solutions won't catch a threat until it has reached more than half of our network. Still, Microsoft can detect a threat once it comes to the perimeter area with advanced artificial intelligence technology. Defender has reduced our detection and response time by about 60 percent. 

One of the most valuable features is auditing. Some of the other protection services have issues with auditing. Microsoft Defender for Cloud has an excellent auditing technique that helps us avoid the risk of filtering or information loss. You can use different tools to guarantee these things. It allows you to conduct an in-depth exploration of applications, users, and files that are harmful or suspicious. You can also enhance your security setup by creating personalized rules or policies that help you better control traffic in the cloud.

As administrators, we have a clear view of all the threats in the cloud. We can even restrict access or provide limited access to the users, which is an essential way to protect your information. From the dashboard, we can see all the permissions and which users are currently accessing the applications. We can constantly monitor each user and the critical applications.

Defender has a threat database that automatically updates to include the latest threats in the industry. It also helps us prioritize by categorizing the threat levels in the dashboard, so we can act accordingly. Defender tells us the high-level threats that require immediate action, whereas some simple threats can be easily mitigated or ignored. 

Microsoft has bidirectional capabilities. When any changes happen on-premises, they will also be reflected in the cloud, while changes in policies we enact in Microsoft Defender for Cloud will be completely reflected on-premises. It's a great boon. We don't need to configure every step on-premises, which is a time-consuming process.

We sometimes get errors when we create policies, which is somewhat annoying because some policies stop working due to misconfigurations. We find this challenging because it limits our options for troubleshooting an issue. 

A user policy might be disabled due to some minor issue, but it affects the policy for the entire group of users. It takes some time to troubleshoot it, find the issue, and correct it. 

I have been using Defender for Cloud Apps for six years.

Defender for Cloud Apps is completely stable.

Defender for Cloud Apps is highly scalable. I rate it 10 out of 10 for scalability.

I rate Microsoft technical support 10 out of 10. Their technical support is excellent.

Positive

The deployment was simple, and it took around two days.

The implementation strategy was straightforward because we had some on-premise policies we needed to mirror in the cloud. We already had a set of rules for each user we needed to create in our cloud application process. We need about two people to monitor security, take necessary actions against security concerns, and modify application rules.

We see a return on investment because some of these cloud apps are critical and they're restricted. We have payment-related features that require the highest security. Guaranteeing a secure environment for the app users delivers a huge return because there have been no security breaches or unauthorized access in the past few years. I would estimate the ROI is about 60 percent. 

The pricing is in the middle. It isn't too cheap or expensive compared to other antivirus or security products. It is priced according to industry standards.

I rate Defender for Cloud Apps 10 out of 10. I would recommend Defender for Cloud if you are concerned about the security of cloud applications. Azure deployments are easy to protect with Microsoft Defender for Cloud. I suggest trying Defender for Cloud for at least one application. If it works for you, you can scale up to multiple applications.

We use Microsoft Defender for Cloud Apps for endpoint management.

It is good for compliance and is effective from the standpoint of risk management.

The most effective features for data protection are data loss prevention (DLP) and data classification.

The product is very good so far, however, it would be better if it could include more up-to-date threat protection.

I have used it for almost two to three years.

The solution is stable, and I would rate it a nine out of ten.

The solution is scalable, but I would rate it between six to seven out of ten.

Microsoft technical support is very good, and I would rate it nine out of ten.

Positive

The setup process usually takes five to six hours. However, from installation to configuration, it took a lot of time in our case.

The maintenance is done by a different team, and we support that maintenance.

There is financial benefit from using the product, however, I don't have the numbers currently.

Honestly, it is expensive. I would rate the price as eight out of ten.

It is always better to contact the technical team for any feedback because they are the engineering team.

I'd rate the solution nine out of ten.

We have multiple virtual machines that we utilize in the cloud space with different applications on them. We utilize Microsoft Defender for Cloud Apps to monitor those individual application VMs as well as, along with Sentinel, our entire Azure ecostructure.

Microsoft Defender for Cloud Apps helps me, on the executive team, to have awareness and knowledge of what is going on in the environment. If a new administrator is created or one is trying to change their authentication types when they log in, or if new software gets put in there that should not have been there, we will get notifications on that.

Microsoft Defender for Cloud Apps helps automate routine tasks and the finding of high-value alerts. We depend a lot on automation. Some of the things I saw with the XDR window at this Microsoft Event are beautiful. I would like to see that. It ties in Defender, Sentinel, and all that into one pane of glass, which has been a problem at times. We see that as moving in the right direction.

It has helped us meet compliance requirements and has saved us costs. What we have now is an acceptable value.

Cloud Apps helps with detection, but I do not have metrics for how much time it has reduced.

It does a great job of monitoring and maintaining a security baseline. For us, that is a key element. The notifications are pretty good. These are the things that are very useful.

I would like more customization of notifications. Currently, you either get everything or you get limited information. I would like to have something in between where we can customize the data that is included in notifications. That is one thing. 

The comment field also needs improvement. If you want to generate a workflow within the organization for a notification that occurs, the comment field is not visible to the next person who logs in. They should make that a little more visible. They should make the history more available to the next person I assigned a task to.

I have been using Microsoft Defender for Cloud Apps for just over a year and a half.

It is very stable. I would rate it a ten out of ten for stability.

It is scalable. I would rate it a ten out of ten for scalability.

It is deployed across multiple locations and teams.

When we get a hold of the right people, it is great, but we are still trying to get a hold of the right people.

We were using another solution. It was not Azure. We switched in large part because that was a region-based company, and they ran into some issues, so we were left for a little while without a cloud environment. When I was comparing this with AWS, as an example, I picked Azure because of the general acceptance of the product in our market and in our space. I felt pretty comfortable going into it knowing that it would be there in five years or ten years as we grow.

I was involved in its deployment from an executive managerial position. It was complex. 

There were a lot of elements that were not obvious even to the point where the documentation was not keeping up with the production. So, we would hit a learning page, and the learning page would be about a prior product than the one we were looking at. It was not relevant to what was in production. My biggest recommendation for Microsoft would be that the learning pages need to be kept up-to-date and relevant to what is current in production.

We started with an integrator. We had challenges with that integrator, so we brought it in-house and finished it ourselves.

We have seen an ROI. We are a cloud service provider, so it is necessary.

Where we are right now, this is an acceptable pricing. I would like to see more transparency given to the end user. The end user given to us is via the cloud service provider. 

There are different programs and license models. Some include this, and some include that. It is all over the place. There can be a little more consistency or simplification in the pricing so that your parts list is not ten pages long, and you are not trying to determine, "If I have an E3, does this cover that?", or "Do I need to pay separately for the license?" Simplification would probably be better. 

To those evaluating the solution, I would advise knowing the goals they want to get to before they start. It can grow very quickly if you just build, but if you have a concept of where you want to end up and you stay within those constraints, then it is a great way to get there.

In terms of Microsoft Defender for Cloud Apps helping us to prioritize threats across the enterprise, we prioritize a little differently. I do not know if the solution helps with the prioritization of that, but prioritization is always important.

We get our threat intelligence from multiple sources. Microsoft Defender for Cloud Apps is one input on that, so it is hard to say whether its threat intelligence has helped prepare us for potential threats before they hit and take proactive steps.

I would rate Microsoft Defender for Cloud Apps a nine out of ten.

We use Defender for Cloud Apps for shadow IT discovery and managing cloud applications. We use all Microsoft security products, including Defender for Endpoint and Sentinel. Our company has a SOC team that investigates and remediates security incidents in the Sentinel portal.

We only need one dashboard for all Microsoft security products. Sentinel acts as a central system for monitoring and investigating all security data. It's a single feed that covers many solutions.

Defender for Cloud Apps saved us about 20 to 30 percent of our time. We've also saved money. I estimate it's about a 10 percent reduction in costs, but I'm unsure. 

Shadow IT discovery is the feature I like the most. Defender for Cloud Apps provides excellent threat visibility. The solution helps us prioritize threats across our enterprise. We use all Microsoft security products. I had no problems integrating or managing them.

Microsoft's security solutions work together natively to deliver coordinated detection and response. We use Sentinel to ingest security data, which is essential. Sentinel allows us to investigate and respond to threats from one place. I like Sentinel because we can collect logs and data to identify suspicious activity in our environments and establish rules for triggering threat alerts. 

Defender for Cloud Apps is primarily useful for Azure apps. It has limited capabilities for applications based on other cloud platforms. Microsoft security products are excellent in the detection phase, but they should have more features for the response component. 

I would like to see a mobile app for managing Defender for Cloud Apps. We currently use the cloud dashboard, but it would be nice if Microsoft offered more solutions for managing the product. 

I have used Defender for Cloud Apps for one year. 

Defender for Cloud Apps is stable. 

Defender for Cloud Apps is scalable. 

I rate Microsoft's support a ten out of ten. 

Positive

Deploying Defender was a little complex, but it only took a few days. Some of the documentation isn't clear, so I'm a little confused. It doesn't require any maintenance after deployment. 

I do not think Defender for Cloud Apps is expensive.

I rate Defender for Cloud Apps a seven out of ten. It's better to go with a single vendor for all of your security products. When I introduce Defender for Cloud Apps to our customers, most of them have the license, but they do not understand the capabilities. The first thing I do is explain Defender's coverage and functionality, so they understand which features they can apply to their environment. You need to generate a list of requirements first. 

Mainly, companies use it for end-user compute devices. 

It has provided more centralization for managing endpoint security. We have greater flexibility. We can have people manage it from anywhere. I could be working from home or on-prem. That's a great thing about the cloud. The portal is accessible anywhere in the world as long as you have an internet connection. It doesn't really limit you from where you can work or manage it.

It's an in-depth tool. It pretty much logs the events line by line, and with the portal, it just makes it searchable on a wider basis. We've got greater visibility than we used to have from historic products.

It helps to prioritize threats across the enterprise. Your AV is now your footprint, which means you can footprint files faster than you can provide a patch. That is the whole idea of security solutions these days. Sophos used to pioneer using file footprints to basically stop stuff at the front door. So, if you got an EXE or something else, such as a JavaScript file or JSP, or any nefarious malware, Trojans, they footprint the file. Such a file will get scanned and blocked. That's the whole idea of it. It can't ever execute on the machine. 

It helps automate routine tasks and the finding of high-value alerts. It allows us to pinpoint threats and automate the boring stuff. Any automation or AI is a good thing.

It eliminates having to look at multiple dashboards and gives one XDR dashboard. I've one dashboard, and it's a unit. So, there is a unified approach. 

Having everything in one place helps because the engineers don't have to log into multiple places to find something, and they can put in best practice rules quicker. If they want new ASR rules, they can put them in. One of the things that security engineers do is create alerts in there. If they want to alert for a specific threat and just create a query, they'll run it through the system, or they put an alert for specific file extensions that might execute, such as ICU.7ZZ. There are code obfuscations and file obfuscations, and they can search for those things. They'll put alerts on for them.

This centralization saves us time. Because it's all in one portal, we can search across all endpoints we manage. That's the whole idea. The automation has probably saved an engineer between 10% to 20% of the time. It's something we just plug in and leave to work. It gets tweaked every now and again. Since I have implemented it, the tickets I've got from the security department and the infrastructure have gone down to about 10% to 15%. Once the rules are in place, they're there forever or as long as the product life cycle lasts.

I am not sure if it has saved us money because that's finance-related. It's probably more about uptime if you can keep threats off the end-user devices and don't have to rebuild them. I don't recall seeing a virus on my PC here in the current client I've worked for in the last five years. If you got a virus on the device, you just have to rebuild it. I don't remember having seen any rebuilds here. They are only for new users.

It reduces the time to respond. Your portal is a few clicks away. The fourth-line engineer can assist the security department within five minutes. Generally, we just get a Teams message if they need assistance or they raise a ticket. It depends on if it's a structural change or if it's a reactive response.

On-demand scanning is the most valuable feature. In addition, it's a fairly fluid product. It syncs back to the cloud and provides metrics. It's pretty intelligent.

They need to improve the attack surface reduction (ASR) rules. In the latest version, you can implement ASR rules, which are quite useful, but you have to enable those because if they're not enabled, they flag false positives. In the Defender portal, it logs a block for WMI processes and PowerShell. Apparently, it's because ASR rules are not configured. So, you generally have to enable them to exclude, for example, WMI queries or PowerShell because they have a habit of blocking your security scanners. It's a bit weird that they have to be enabled to be configured, and it's not the other way around. Normally, you'd expect when something is not configured, it doesn't enable itself, but for the purpose of this, apparently, Microsoft has told us to enable them. So, you've got to enable them because they keep flagging and blocking products even when they're not configured. It was just an oversight in the design department when they deployed an update to the feature, but I'll live with it.

I'd like to see them automate best-practice antivirus rules. If you search Microsoft best practice antivirus exclusions, there are virus scanning recommendations for antivirus computers running Windows or Windows Server. There is a whole list to exclude the most common things, which could be anything from NTFRS, check folders, temp.DB, or EDBs. There are a lot of things for group policy extensions, exclusion, etc. This is a list of best-practice antivirus rules, but they still have to be implemented manually. In Sophos, five or six years ago, if it was a SQL Server, they automatically included the rules to exclude certain folders or file extensions when doing on-demand scanning. I'd like Microsoft to do the same.

I have been using it in my professional capacity for five years.

It's greatly stable.

It's definitely scalable. My current client has 2,000 users.

They're excellent. I would rate them a 10 out of 10.

Positive

I've previously used Symantec, which for some is the greatest product. My top two are Sophos and Microsoft Defender for antivirus or web filtering. Symantec doesn't really come close to these two.

Microsoft Defender is probably now accepted as the best product on the market for antivirus and web filtering. Five or ten years back, there were Symantec and others, but Microsoft has basically built a competitive product to rival those that used to do this kind of thing. Businesses are just happy to accept that it works. It's expensive, but it does what it says on the tin.

The legacy products, like Symantec, on servers and clients no longer work. They require a lot of manual configuration, and they also don't protect the PC or server as well as Defender, which is also more cost-effective. It's already built into your home PC's operating system. If you've got a business PC, it's built-in. With Defender for Cloud Apps or Defender Endpoint management or InTune, you've got the management of the PC, which is what this pays for.

It's cloud-based and deployed through InTune. The device has to be registered, and the device also has to be in the right license period.

The initial setup is straightforward. We use InTune to roll it out. The actual component is already on the Windows PC. It's called Windows antivirus or Defender. From the business side, by putting the devices in InTune, we can gather the metrics from the PC through Defender for Cloud Apps, or the Defender Endpoint management portal. It gives you a bit more management of the PC from that perspective.

In a reasonable deployment, it takes at least a week to deploy. The PCs have to be in InTune first to roll it out, and then, it's generally a matter of just switching on the feature.

For most businesses where I worked, it took a period of time to realize its benefits from the time of deployment. As the product got developed and became more mature, it got greater functionality in the end. It's now a mature product. The initial deployment was done when I was here, but I've been involved in enabling the maturity of the product's life cycle. There were always lots of tickets for changes regarding Microsoft Defender for Cloud Apps. It's a very intelligent product.

In terms of the number of people, sometimes, you need one person and sometimes two. Generally, you're trying to do things in the background.

It doesn't require any maintenance in particular. It's mainly just the configuration of rules and policies and then the security department does the rest and watches it.

The ROI is there. It's the uptime. You don't want end-user devices going offline. It disrupts the business for that user. Every time a user is down or the machines are being rebuilt because of a virus, it's downtime for the business. They can't do their work at that point in time. Increased uptime is always better on end-user compute devices or servers.

It has fair pricing. You pay for what you get. As far as I know, there are no costs in addition to the standard licensing fee.

It's probably one of the top three on the market. You've got Defender and then you've got Sophos, and then, I suppose the other one that comes close is probably Norton. These are probably the top three. I am not really a fan of Trend Micro products or Kaspersky.

I would recommend implementing it. It's the number one product in the market. The only thing they should automate is to put AI on their virus scanner recommendations rather than having to enable them by default. They might already have done that, but from what I've seen, generally, they do things manually.

At the moment, we are not using other Microsoft Security products. We are mainly using Defender. I have previously made use of the Defender for Cloud's bidirectional sync capabilities, which I'd rate a 10 out of 10.  

Overall, I would rate it a 10 out of 10.

We help develop and mostly support applications for clients. It creates reports for clients. It works with Microsoft SQL Server and can tell clients if they need some governance standards for user security profiles. For example, if they are using Linux VM, then there are some security updates that come up. If they haven't been updated, they get a prompt telling them, "Look at this CSV security vulnerability. It should be updated as this part of your application."

We have our main office in Lagos with other offices in the UK and America. Due to COVID, we are mostly working remotely and having meetings online. There are 55 endpoints.

Due to COVID, most of my users are remote. Because of that, we need to manage their applications and let them log on from home. They also have their own personal devices that they are using. So, we have to give them access to those.

My staff uses personal devices that seem to always have issues with malware. So, it notifies me if there is an issue. I can check their usage and the audit logs, e.g., when people logged in last and if they are logged onto a tenant, to see where the issues are. We might tell them to change their login details or reset their two-factor authentication if there is an issue.

They don't have access to the desktop Microsoft Defender Antivirus suite. I need to manage it from the cloud, where I restrict access to the account. They can download a zip file to a folder, then do whatever they want, but I don't give them freedom anymore because the users are always having issues.

When our CEO travels, someone is always trying to hack into his account. We have banned Russian IP addresses, as this is where most of the threats are coming from.

There are security settings that report and advise you on your security settings. The governance reports give you guidance on security vulnerabilities and how to remedy them.

It tells you whether something is high, middle, or low risk, giving you a risk profile. It lets you know which one to handle first.

Everything from Microsoft is integrated. You receive regular reports on them all. You can push your reports, logs, and security alerts, which are all integrated. It is crucial that these solutions work natively together to deliver coordinated detection and response across our environment.

This Microsoft security solution has helped eliminate the need to look at multiple dashboards and given us a single XDR dashboard. This is one of the main features that we like about the solution. We have one dashboard. Anybody who is a part of the security team can look at it and say, "Okay, this is what I noticed." Then, we can have a short discussion on how to remediate or enhance services.

I would give the comprehensiveness of the threat-protection that these Microsoft security products provide a high score. 

Sometimes, Microsoft sends us information and recommendations about changing all our configurations due to something they noticed. So, their reports improve our uptime availability and provide a seamless service for our clients. 

The visibility is 85%. Sometimes, it takes too long to load your page because Microsoft is having issues. There are a certain amount of hours in a day to solve and rectify issues. If you deploy this solution for a client, you need to be able to respond or rectify issues. Because if the solution goes down, your clients won't be happy with you.

We would like to get more information from the endpoint. I don't get enough detailed information right now on why something failed. There is not enough visibility.

The cost could be improved when you need to pay for anything. For example, refreshing files takes time to load, though it may be my Internet. To improve the refresh time, Microsoft says that we need to pay for a Premium license, and I don't like paying for things that help make a solution better.

I have been using it for three years.

The stability is about 95%. I have called and complained to Microsoft about the downtime.

It doesn't require any maintenance.

Sometimes it will take time for Microsoft to respond to technical issues. However, once they start working on an issue, they will try to resolve it. I would rate the technical support as eight out of 10.

Positive

We didn't use another solution prior to this one. We have always used Microsoft.

The initial deployment was straightforward. Afterward, there were issues due to licensing issues moving from Google to Microsoft. It was not free.

It took a couple of hours to make everything work to our specifications. I tried to automate as much as I could with scripts.

I migrated my clients from Google to Microsoft.

Our reaction time is now faster when eliminating problems. We see the generated reports and logs much faster than before when we have to go to different places.

It reduces support calls for internal users. For example, it reduces the number of times that internal callers contact support for password issues.

Issues that frequently used to take support an hour are now only happening every blue moon. This is largely due to the predictive trend reports from the solution.

We have seen a 35% to 45% cost reduction with this solution.

You can activate a free tier of use for a period of time.

When the SolarWinds vulnerability came up, that caused a lot of issues. Our clients got regular updates. It did a scan for them, so they didn't have to start worrying. That was the free tier. 

With the other tiers, you pay more for each feature it gives you, e.g., the security push or regulatory compliance, without you paying extra for that too, which has been advantageous.

We also use Microsoft Defender for Cloud. With other models, you need to pay for an agent, and there is a cost. I don't like spending money. So, we use the free ones a lot. We evaluate the solutions that we need to pay for on a case-by-case basis, then we can decide if we really need them at all.

Sentinel would probably be the cheapest of all SIEM and SOAR solutions. I am not paying for everything because it is hosted by Microsoft. I am not paying the infrastructure costs. The app of this solution is updated regularly. I don't have to worry about that. So, the cost is very cheap for me, except when I have to pay for specific agents. Then, I have to think about the cost.

There are costs associated with SQL Server and Linux as well as their agents.

Microsoft makes sense because it integrates with many applications and provides. However, it depends on your infrastructure.

Endpoint Security is part of the Microsoft Defender suite. We use it to manage systems and force them to update. They can also revoke access to a tenant.

Microsoft Sentinel logs all our reports. This gives us better visibility. This enables us to ingest data from our entire ecosystem. It also allows us to provide security posture reports to our clients. Before starting a contract with a business, we create a report and give that to clients, showing how we handle and solve problems. The report shows our environment and uptime. 

Sentinel enables us to investigate threats and respond holistically from one place. From there, we can now troubleshoot where the issue is coming from. This is for our endpoint or when my external users are trying to access the service. This is very important to us because it makes life easier. We don't have to start running around checking this interface with another interface and a third or fourth interface. It is a single interface and we can get more raw data than what we configured Sentinel to ingest.

The comprehensiveness of Sentinel’s security protection is very high. We don't really use other providers. We use it to connect to AWS or Google Cloud Platform infrastructure to get information on how deployed loads are performing.

I would rate them as nine out of 10.

We use it for security and compliance. We use it for alert policies on activities happening on some of our on-premises and cloud applications. We also use it to restrict some users from downloading files from OneDrive or from some of the applications that we have. In addition, we integrate it with the Azure Active Directory Conditional Access policy.

It gives our clients a sense of confidence that in case there are activities on some of their applications, they will get an alert and the issue will be mitigated, based on the action that has been set. It gives them a sense of comfort that the product helps them secure some of their applications. It depends on the admin who is managing the product. If the admin is not knowledgeable, it might be an issue. But if the admin is knowledgeable, the organization can rest assured that it is covered when it comes to malicious activities on some of its applications.

I like the alert policies because they are quite robust. It has some built-in templates that we can easily pick up. One of them is the alert for mass downloads when a particular user is running a massive download on your SharePoint site. If a user is downloading multiple files in an unusual manner you get an alert.

Another built-in alert is what we call an "impossible traveler alert." If a user logs on from a US IP address at 10:00 AM and, less than 30 minutes later, the same user shows as being logged on from an IP address in the United Kingdom, there is no way you can travel from the US to the UK in 30 minutes. That alert will be triggered.

You can also input an action to be triggered for an alert. You block the user or just alert the admin or manager of that user.

It also comes with in-depth visibility, whereby it creates a pattern. If a user has been flagged multiple times, you can see that pattern. It shows you the IP addresses from which that user has been signing in recently. And it provides you with the kind of suspicious pattern that this particular user has been using over time. So it has very robust visibility.

It also gives you a graphic interface, which is something that I enjoy. If an alert is a very high risk, you see it in red, while if it's medium, you see it in yellow. A low risk doesn't come with any color. It gives me an appreciable pattern of user activities. It covers one month in case you want to deep dive to see the login pattern for your user.

Also, we currently use Defender for Identity, Defender for Endpoint, and Defender for Microsoft 365. All of them have been integrated into our plans. It was quite easy to integrate them. It's just the click of a button to activate it and then a matter of configuring your alert policies. Defender for Cloud Apps works together with Defender for Endpoint as well as with Azure Active Directory. With the latter, you can use the Conditional Access policy to integrate them so that they work together seamlessly.

The fact that these solutions work natively together gives us the advantage of having multiple security solutions doing different things. It's very important for them to work seamlessly together.

One challenge is integrating the cloud apps with third-party and on-premises systems. We have had some scenarios where some third-party systems were not compatible with them. Apart from that, it's quite easy to integrate.

Microsoft has also been able to bring all the security features to a particular portal, so you don't have to look around. But I've heard about some negative effects as a result, as the portal is now cumbersome. You have a whole lot of products there and it makes the whole portal jumbled. It's not bad for me because I just have to go to that particular portal and check whatever I have to check.

It doesn't actually decrease the time to respond. This has been an issue with Microsoft recently. Sometimes, there is a delay when it comes to getting an alert policy email. I can't stay on the portal all day looking through alerts that have been triggered. So we create a flow whereby, if an alert is triggered, an email should be sent. Sometimes it takes two or three hours for that email to be sent. The response time, sometimes, can be very slow.

I have been using Microsoft Defender for Cloud Apps for three to four years.

Performance-wise, the stability is good, but I wouldn't say very good because of the email alert delay issue I mentioned. But when you configure action and particular parameters, the option is carried out, more or less like an automaton.

It's scalable. Once you have acquired the license, you can easily deploy it and add more users to the policies you have configured.

We run a hybrid environment. We have four sites on the domain controller. It is deployed both for users on the cloud and on-premises in different locations. We have some located in the US and some in Europe. So we have the product across multiple locations.

Some of the policies we have configured cover 500 users and one of them covers over 500 users.

I've seen an improvement, over time, in the comprehensiveness of the protection our Microsoft products provide. They are improving on the products year over year. I remember quite well when Defender for Cloud Apps started, there were limited third-party applications that you could integrate with it. But now, there are multiple options for third-party applications that you can integrate with. There are also features that have been added to it. Microsoft is working to improve on it.

We did not have a previous solution.

Since it is embedded with some of the Microsoft 365 licenses, it is like an add-on, and you can create robust configurations with it. You're getting an additional value for the license you have. To me, that is a return on investment.

The pricing is fair. One good thing about Defender for Cloud Apps is that it comes with some of the Microsoft licenses: Microsoft 365 E3 and E5. It also comes with EMS, the Enterprise Mobility & Security.

My advice would be to do an assessment of whether you actually need this particular product. Some people confuse Defender for Cloud Apps with Defender for Microsoft 365, but they are two different products. You also need to confirm if it supports the applications you want to protect because there are some applications that have yet to be integrated with it. Apart from that, it's a good product for any security admin to use.

When it comes to helping prioritize threats, it depends on the angle you're looking at the results from. It can help 50 percent. When you look at the pattern of alerts over time, it can help you prioritize. But if you're looking at it in general, it is not going to give you that visibility into prioritizing.

Defender for Cloud Apps has a little bit of automation for routine tasks, but it doesn't really give an admin automated processes. And when it comes to taking proactive steps, it's more Defender for Endpoint that helps there. Defender for Cloud Apps doesn't help you to prevent an impending attack.

If you are looking to protect your environment, you need to spend more money. I wouldn't say that this solution helps to save money. But by protecting your financial documents from fraud or from an angry worker that is about to leave, it helps in saving money, but not in terms of cutting costs.

The maintenance is not significant because you don't need to update anything. All you have to do is go to your portal and check for and investigate any alerts. Maintenance is handled by Microsoft.

And in the "best of breed versus a single vendor" debate, you should just have a single vendor. In this case you know, "Okay, it's Microsoft," and it's best to just stick with what you know. It depends on what works for you though. For somebody who is comfortable using third-party products with Microsoft, maybe that will work for them. But for me, what is comfortable is using Microsoft products.

MCAS was onboarded for the purpose of detecting shadow IT. As the organization moved towards more SaaS solutions, we wanted to make sure that there is a way to monitor and govern the IT services coming up as shadow IT. We are a very big organization where a lot of services get onboarded, and some of the things may go unnoticed. We wanted to detect the shadow IT software being installed or shadow IT happening within a department or business unit.

We also wanted to make sure that the cloud access security broker provides a DLP kind of solution for Office 365. For example, if I am uploading a document with PI data, MCAS should scan and make sure that the right classification is applied. When the right classification is applied, the document gets encrypted, and relevant information protection is applied. If the right classification is not applied, the users are alerted to make sure that they go and remediate the document, task, file, etc.

This is how we started with this solution the last year. Going forward, as a strategic solution, we are also looking at using MCAS to govern the Office environment. We have started onboarding solutions like Microsoft Teams, SharePoint Online, OneDrive, and Exchange Online. 

Our setup is a mixture of on-premises and cloud solutions. At this point in time, the major cloud providers are AWS and Azure, and we also have on-premises products such as Symantec DLP, Doc Scan, etc.

There are certain regulatory requirements in our bank for personal data and confidential information that need to be monitored from a security standpoint. It is a regulatory and standard requirement to have such a solution in place. 

MCAS is a dedicated solution for Office 365 and other productivity-related solutions, and it really helps to automate some of the processes. It would have been difficult for us to find a similar product. It gels well with some of the solutions or technologies that we have, especially with Microsoft Azure and Office 365.

From a security monitoring perspective, there is a productivity improvement and fewer human errors.

In terms of user experience, if users mistakenly put PI information or some kind of data, it can detect and alert them. From that aspect, it is doing the job, but we are using it from a security standpoint. I'm more from a regulatory environment, and there are security requirements that are enforced by regulators. So, we cannot provide some of the end-user experience features, and there should always be a balance between the end-user experience and the security standpoint. MCAS is more of a backend security posture product. I won't position it as enhancing the user experience.

The feature that helps us in detecting the sensitive information being shared has been very useful. In addition, the feature that allows MCAS to apply policies with SharePoint, Teams, and OneDrive is being used predominantly.

It is a kind of unified solution. As compared to other solutions such as Netskope, Symantec, or McAfee, it provides a more unified reporting structure.

It also integrates with other technologies. We have Azure Information Protection, and it goes well with the solutions that we are already using.

It takes some time to scan and apply the policies when there is some sensitive information. After it applies the policies, it works, but there is a delay. This is something for which we are working with Microsoft.

It cannot detect all the things that are required as per our bank's standards. We are working with Microsoft to see how they are going to help us resolve this, and based on NDA, which new features are coming in because we require a unified solution. We have other security solutions that are working on top of it, but we don't want to use multiple solutions and then end up with a human error. From a security perspective, the weakest link is human error. If certain features are monitored by MCAS, certain features are handled by Zscaler, and certain features are handled by Symantec DLP, it becomes difficult to synchronize from an operational standpoint. This is the situation we are in currently, but these issues come with new products or new cloud solutions. We have to slowly orchestrate and see how to unify the solutions. So, at present, it doesn't solve all the problems. There are many problems, but at least, we have other solutions that are currently providing some mitigation.

It doesn't provide any way to scan Microsoft Teams when an external exchange of images is happening. You can always do the filtering on the documents during the chat, but if there is an image, then some kind of OCR capability is required to detect it. At present, there is no way MCAS can go and detect those kinds of images and alert us. They can maybe integrate it with an existing OCR-capable product. This is something that we are absolutely looking into. There should also be a feature to immediately increase the time to detect some PI information being exchanged via chat.

Its reporting capabilities can be better. Currently, to generate reports, you need to have Power Automate in place. If such capabilities are built into the product, it would be easier because when we bring in Power Automate, we need to make sure that Power Automate also gets monitored from the DLP and governance standpoints. MCAS doesn't have many reporting capabilities, and it's really an operational nightmare to get all these things done at this point in time by using MCAS. These are some of the operational capabilities that our engineers require from this solution from the reporting perspective. Symantec and other solutions are more mature in this area. It could be because MCAS is still an upcoming product.

We onboarded Office 365 and cloud services less than two years ago. MCAS was one of the strategic and DLP kind of solutions for Office 365 and other productivity products. Because the onboarding of the cloud services is in phases and not everything can be onboarded at the same time and it requires the involvement of different security and project departments, MCAS was onboarded last year.

From an enterprise perspective, it meets most of the interoperability requirements. So, scalability is there. I don't see an issue from the scalability perspective. Only features are missing here and there.

Currently, it is almost serving the entire bank. In terms of the SaaS products that MCAS is monitoring and the number of users it is serving, we have onboarded around 40,000 users for Office 365 and other SaaS products. Eventually, it will be serving the entire bank, but at this point in time, it is only serving all Office 365 and SaaS product users. 

It is more of a cybersecurity solution for the bank to comply with all the security requirements and meet the security quotient. The end users don't see MCAS as a direct solution, but MCAS is providing security services for the bank behind all the services.

We have proper help desk support. For example, if someone uploads a document that has PI data and there is an issue, it is highlighted to the user asking them to remediate it. The manager is also copied. The help desk takes care of such things. 

Once the solution is implemented, it is almost auto-run. From the support perspective, it is mostly about why did I get this alert, what was wrong with this document, etc. Such things are usually taken care of by the user because users are responsible for what content they are allowed to load on a particular website, SharePoint site, or software. A robust change management process and help desk are already in place, and I don't see a big concern on this aspect.

Previously, we didn't have any cloud product. We only had on-premise products. Our organization joined the cloud around one and a half years ago mainly because of this pandemic situation.

It depends on the requirements. Certain requirements are really complex. The deployment itself is quite fast because MCAS is on the cloud, but there are a lot of requirements from the regulations and the bank's standards perspective.

It took us one week for the architecture and to decide things like whether we need a reverse proxy. To have all the requirements and get all the things done in an enterprise environment, typically, a simple product like MCAS can take three to six months. That's because there are a lot of governance requirements, and we need to make sure there is no PI data, and the keys are encrypted somewhere in the user ID part. 

In terms of the implementation strategy, at the high level, for Office 365 and SaaS solutions, we wanted a unified product to replace our existing one. From the strategy perspective, we wanted to go to the cloud. MCAS was able to integrate with most of our Office productivity tools. We procured the licenses and then went through the strategy of the bank and how the product can meet the needs. This was at a very high level. Of course, when we go into operations, we get operational challenges. That's why we need to have a longer time period to make a product coexist with the existing products.

We have our own department, and they are trained in it. We also engage all sorts of vendors to provide us the results. At least for the interiors, we do not engage a third-party reseller or contractor.  

It was more of an in-house implementation, but Microsoft helped us in coming up with a service design for Azure-related products including Office 365. Based on our requirements and infrastructure, they provided high-level architecture and design documents and told us about the things to be included or considered. We took that service design document and built our operations based on that and got it to work. So, the service design came from Microsoft, but hands-on was by our bank.

In terms of maintenance, this is actually managed by security folks and cybersecurity services. Currently, it is being managed by three people. There are only three operators. Of course, when there are new things to be implemented and new policies to be created, it goes to engineering. For changes, we need one more person on average. So, there are a total of four people.

I can't give a specific number. One of the returns on investment is that we will soon be getting rid of our on-premise infrastructure and maintenance. The CapEx costs and repeated hardware refresh cycle are gone. From that perspective, there are savings. All we need is the skill set to maintain and manage a particular cloud access security broker. Today, we have four people, and tomorrow, it could be eight people because of the increase in the number of applications. The bottom line is that we will get rid of all operational issues in terms of patching and fixing different systems. We don't have to patch the Windows systems, Linux systems, etc. All these are taken care of and are maintained in the cloud.

I'm not totally involved in the pricing part, but I think its pricing is quite aggressive, and its price is quite similar to Netskope. 

Netskope has separate licensing fees or additional charges if you want to monitor certain SaaS services, whereas, with MCAS, you get 5,000 applications with their Office 365. It is all bundled, and there's no cost for using that. You only have the operational costs. In the country I am in, it is a bit difficult to get people with the required skill sets.

I have been here for just around one year.  When I came, they were already using MCAS. In my previous organization, I made the decision to use MCAS for Office 365. For the entire cloud, I decided to use a dedicated cloud access broker like Cisco. It really depends on the organizational requirement and how they want to size their IT department. 

There are pros and cons. If you are totally on Microsoft products, MCAS has an integration. Otherwise, there are other products that may work better. Of course, you may still be dependent on some APIs from the cloud providers. It really depends on the organization's strategy.

My advice would be that an organization should assess where they are today and then map out what do they want from a cloud access security broker product. After that, they should decide whether MCAS or another product meets their requirements. This is important because you may have all the things in terms of interoperability and a solution may be the best fit from an operational perspective, but if all of the requirements are not met, you may end up using multiple products. Therefore, an organization must assess its current IT infrastructure, where do they want to go, and what are the key requirements from a regulatory and IT governance standpoint. They also have to make sure they have the right skillset in the market. For example, in Singapore, if I want to implement Google Cloud, the skillset is very less as compared to the skillset for AWS.

From a vendor perspective, you should assess the reputability of the vendor and what kind of capability the vendor provides. For example, it's very obvious that Microsoft is very good at integrating its own products. They have now also started to integrate with others. These are some of the aspects you should consider before making a decision between product A or B. There is no magic silver bullet.

From a security standpoint, overall, it has satisfied 80% of our requirements in terms of regulatory and bank standards. For 20% of our requirements, we still need additional products or features. They are currently not really there, and we are trying to find the solution for those gaps. In general, MCAS has a long way to go. It is definitely a good product that integrates with Office 365 Suite very well, but from a capability perspective, other products such as SkyHigh, McAfee, or Symantec have more features. It has the potential. A lot of features are lined up in MCAS, and eventually, they'll be there. These features are mentioned on Microsoft's website, and they are in development. I am looking forward to those.

In terms of data governance, we have a very good tool, and we just need to focus on how to govern the data, DLP policies, etc. We don't have to bother about the physical data center, physical network, or physical host. The entire layer below the server is gone, and we just have to focus on the identity and security aspects. We just need to focus on what kind of security we need to put and which policies do we need to implement. We get better visibility by focusing on the key client endpoints by using MCAS. The team is now really focused. Previously, every day, teams used to come up with issues like, "Network has this problem. Data has this problem, and Host has this problem." Now the focus is, "Hey, this MCAS DLP isn't doing the job." The focus is more on the product's capability.

I would rate Microsoft Cloud App Security a seven out of 10.