reviewer2000310 - PeerSpot reviewer
Information Security Specialist-Associate Consultant at a tech services company with 5,001-10,000 employees
Reseller
Scans for vulnerabilities in a cloud environment, gives recommendations according to the framework, and improves our Secure Score
Pros and Cons
  • "The security policy is the most valuable feature for us. We can go into the environment settings and attach any globally recognized framework like ISO or any benchmark."
  • "After getting a recommendation, it takes time for the solution to refresh properly to show that the problem has been eliminated."

What is our primary use case?

We use Microsoft Defender to scan for vulnerabilities related to any container or server in the cloud environment in Azure. Microsoft Defender suggests recommendations and security alerts according to the default framework. We can also use other frameworks like ISO benchmarks to assess our infrastructure and get recommendations on what can be fixed.

The solution is deployed on a public cloud, and Azure is the cloud provider.

We use Microsoft Defender for Cloud to natively support Azure.

We are resellers. We customize the solution and sell it to clients.

How has it helped my organization?

The solution has improved our organization in terms of benchmarking. Our Secure Score has improved a lot, and we're compliant with particular benchmarks.

The single-pane-of-glass view gives us the Secure Score in a single dashboard. It shows us all of the collective resources we have, including what is on-premises and on the cloud. It's a single graphical representation and a unified view that we can customize according to the client. We can adjust the Secure Score dashboard to show whatever the client wants to see. It can show the Secure Score, security alerts, and compliance score. The compliance score shows how compliant the environment is.

Our current security posture is a combination of the benchmark plus Zero Trust. We have a set of policies in Zero Trust that covers all six layers of the cloud, like identity, network, infrastructure, applications, endpoint, and data. It's structured to cover every aspect of the cloud using the customized policy in Microsoft Defender.

The solution has improved our Microsoft Security Score a lot. 

Microsoft Defender is set to scan the virtual machines, SQL databases, and private endpoints every 30 minutes. For some of them, we just clicked "quick fix" and it created a private endpoint instantly and showed that it was rectified. Those quick fixes were instantaneous.

For our response time, critical findings take approximately two days while medium findings take three to seven days.

The solution has increased our efficiency.

What is most valuable?

The security policy is the most valuable feature for us. We can go into the environment settings and attach any globally recognized framework like ISO or any benchmark. We can also use our customized benchmark, like Zero Trust, if we want to implement it.

We can deploy different net agents on the on-premises assets, and Defender will scan those on-premises resources and give us recommendations to fix them.

The solution gives us recommendations to enable a DDoS protection plan on our virtual network. Right now, the DDoS, enforcing MFA, and conditional access policies make our organization more secure.

It's a good tool for keeping multi-cloud infrastructure and cloud resources secure. It's a market leader right now.

What needs improvement?

Right now, the solution covers a limited set of resources. If taken into scope, it will improve more.

After getting a recommendation, it takes time for the solution to refresh properly to show that the problem has been eliminated. 

Sometimes we'll receive a recommendation, but the problem still won't be fixed. This could be due to end-of-life machines. If the solution isn't properly refreshed, we need to wait for two or three days to remove those recommendations. Sometimes we have to reach out to Microsoft to check why the problem hasn't been fixed after following the recommendations.

For example, after a recommendation about AML files, it didn't show that the fix had been applied even though it was. It took more than four days to show that the fix had been applied. 

There are some policies that we're not able to use due to some business justifications. For instance, the storage account should be private, but it's public because a third party is interacting with that storage account and we can't limit the public access because there is no whitelisting available in terms of IPs.

Buyer's Guide
Microsoft Defender for Cloud
August 2025
Learn what your peers think about Microsoft Defender for Cloud. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
865,384 professionals have used our research since 2012.

For how long have I used the solution?

I have used this solution for three years.

What do I think about the scalability of the solution?

It's scalable, but it's an additional cost to increase the scalability.

How are customer service and support?

I would rate the technical support a seven out of ten. They respond quickly and give us detailed information.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We have also used CSPMs and other tools, but there were some limitations there. Defender gives us more customization in terms of frameworks, which is why we chose it.

How was the initial setup?

The initial setup was straightforward. It took one day. We used two full-time team members for deployment. 

What about the implementation team?

We deployed the solution in-house and designed the architecture.

What was our ROI?

This solution saved us money.

What's my experience with pricing, setup cost, and licensing?

There are two different plans. We're using the secure basic plan, but we have used the end security plan as well. There are additional costs, but it gives us more functionalities compared to the basic plan. It provides threat detection and integration capabilities. We have not enabled that due to the cost, but it's a possibility.

What other advice do I have?

I would rate this solution an eight out of ten. Using this solution gave us confidence.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
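The review above talks about Secure Score improving as recommendations and quick fixes are applied. The following is an added example, not code from the review or from Microsoft, that models how a Defender for Cloud style Secure Score aggregates per-control results. It assumes the documented scoring model (each control has a maximum score, its current score is max score times the share of healthy resources, and the overall percentage is the sum of current scores over the sum of maximum scores) and the assumption that a control with no assessed resources is treated as not applicable and left out of both sums. The control names and resource counts are constructed.

```python
"""Added example: Secure Score aggregation across security controls.

Assumed model (see lead-in): control score = max_score * healthy / total;
overall percent = sum(control scores) / sum(max scores) * 100.
Controls with no assessed resources are assumed to be "not applicable"
and are excluded from both sums.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Control:
    name: str
    max_score: int
    healthy: int      # resources that pass the control's recommendations
    unhealthy: int    # resources with open recommendations

    @property
    def total(self) -> int:
        return self.healthy + self.unhealthy

    @property
    def current_score(self) -> float:
        # Score scales with the share of healthy resources, so fixing a
        # control where most resources are unhealthy yields the largest gain.
        return self.max_score * self.healthy / self.total if self.total else 0.0


def secure_score(controls):
    """Return current points, maximum points and the overall percentage."""
    applicable = [c for c in controls if c.total > 0]
    current = sum(c.current_score for c in applicable)
    maximum = sum(c.max_score for c in applicable)
    percent = round(100 * current / maximum, 2) if maximum else 0.0
    return {"current": current, "max": maximum, "percent": percent}


def remediation_priority(controls):
    """Controls ordered by how many points are still on the table."""
    gains = [(c.max_score - c.current_score, c.name) for c in controls if c.total > 0]
    gains.sort(key=lambda g: (-g[0], g[1]))
    return [(name, round(gain, 2)) for gain, name in gains]


def remediate(controls, name, count):
    """Model applying a fix (e.g. a 'quick fix') to `count` unhealthy resources."""
    result = []
    for c in controls:
        if c.name == name:
            n = min(count, c.unhealthy)
            c = replace(c, healthy=c.healthy + n, unhealthy=c.unhealthy - n)
        result.append(c)
    return result


# Constructed sample controls (names and counts are illustrative only).
SAMPLE_CONTROLS = [
    Control("Enable MFA", max_score=10, healthy=3, unhealthy=1),
    Control("Secure management ports", max_score=8, healthy=2, unhealthy=6),
    Control("Restrict unauthorized network access", max_score=4, healthy=5, unhealthy=5),
    Control("Apply system updates", max_score=6, healthy=0, unhealthy=0),  # not applicable
]


if __name__ == "__main__":
    before = secure_score(SAMPLE_CONTROLS)
    print("before:", before)
    for name, gain in remediation_priority(SAMPLE_CONTROLS):
        print(f"  {name}: +{gain} points available")
    after = secure_score(remediate(SAMPLE_CONTROLS, "Secure management ports", 6))
    print("after closing the management-port findings:", after)
```

Run as a script, it shows that closing the management-port findings moves the overall percentage from roughly 52% to roughly 80%, which is why ordering work by available points rather than by raw finding count is the usual way to read the Secure Score dashboard.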
PeerSpot user
Senior Cloud Solutions Architect at a tech services company with 11-50 employees
MSP
The portal provides you auditing and logging capabilities
Pros and Cons
  • "When you have commissioned Defender, you have these things visible already on your dashboard. This gives the efficiency to the people to do their actual work rather than bothering about the email, sorting out the email, or looking at it through an ITSM solution, where they have to look at the description and use cases. Efficiency increases with this optimized, ready-made solution since you don't need to invest in something externally. You can start using the dashboard and auditing capability provided from day one. Thus, you have fewer costs with a more optimized, easier-to-use solution, providing operational efficiency for your team."
  • "The solution could extend its capabilities to other cloud providers. Right now, if you want to monitor a virtual machine on another cloud, you can do that. However, this cannot be done with other cloud platform services. I hope once that is available then Defender for Cloud will be a unified solution for all cloud platform services."

What is our primary use case?

Defender for Cloud is a unified platform. Within that, you have Defender for virtual machines, Defender for Servers, Defender for App Services, and Defender for Containers. It is a centralized solution, which you can leverage to bring your security practices in place so centralized security auditing can be done. 

You can use it for approximately 90% to 95% of Azure workloads for infrastructure, platform as a service, or database as a service. You can use it for all these.

I am working for a service-based company. We provide Azure Cloud Services. We are a Gold-Certified partner from Microsoft in the GCC region. We are the only ones for whom Microsoft hands over their business. 

We mostly use it for public cloud, but it can also be used with hybrid cloud and on-premises. We also use private clouds with government entities.

We have had many customers where we deployed this solution. They are secured and guarded by this solution, so they are happy now.

It can be done as a multi-regional deployment.

How has it helped my organization?

It can be used to secure GCP, AWS, and your on-premise infrastructure. You need a security solution like Defender to secure any type of workload. Your workload may consist of infrastructure, platform, database, or anything in between those. Obviously, you want it to be secure from day one. When you start from anything on the cloud, you want it secured right away. If it is not secured, then you are at risk of a data breach. There are many security issues, which is why it is important to secure your application infrastructure from day one. This is 100% important.

Most customers have an on-premises ITSM solution. If they want P1 or P2 tickets to be initiated, then within Defender for Cloud, it will trigger the ticket or invoke the ITSM solution. Also, they can use SMS- or email-based ticketing. If they don't have anything, then they can utilize the dashboard provided by Defender for Cloud and get everything from one place.

If you don't have this solution then you will be analyzing things with some sort of algorithm or writing some code, then your team will be monitoring emails or some kind of logs every day. When you have commissioned Defender, you have these things visible already on your dashboard. This gives the efficiency to the people to do their actual work rather than bothering about the email, sorting out the email, or looking at it through an ITSM solution, where they have to look at the description and use cases. Efficiency increases with this optimized, ready-made solution since you don't need to invest in something externally. You can start using the dashboard and auditing capability provided from day one. Thus, you have fewer costs with a more optimized, easier-to-use solution, providing operational efficiency for your team.

Within a SOC team, you monitor tickets and emails, but you cannot automate them unless your company bought some solutions. In the case of Defender, a solution is already provided. You just need to extend it per your needs.

What is most valuable?

All of the features are valuable. When you are designing a solution, you are designing not only the infrastructure but designing the application solution and database. On top of that, you are designing the connectivity solution. Defender takes care of all kinds of security, starting from infrastructure to platform to database. All of them are useful, depending on the workload of different clients. 

I work at a service-based company. We use this for almost all our customers. Usually, it will be on your infrastructure, which is a virtual machine and needs an antivirus solution. Then, if you have a platform as a service, you would need OWASP 10 security. All of these are given.

When you commission Defender for Cloud, it provides a portal. The portal has auditing and tracing capabilities. If you want to secure your virtual machines, then you can enable the RDP port by default, if you don't have a security solution. Now, when you are using Defender for Cloud, you can access the machine on an ad-hoc basis through Defender for Server, where you are securing your application. Then, even if someone gets into your account, they still cannot enable RDP. 

The portal provides you with auditing and logging capabilities. Along with that, there is a machine learning algorithm. You can even have your own workbook, where you can write in Python, then you can bring it into Defender for Cloud where you can do the injection, verification, and blocking of IPs. 

It offers a ready-made solution. In addition, you can enable a customized workbook, which will secure your application. Therefore, you are provided a portal, customer facility, and in-built security from day one and can start using it.

Microsoft works day in and day out to look for new vulnerabilities happening in the market, which cannot be resolved with human intervention. Every day, they keep searching for vulnerability signatures in the market, then adding those. They automatically get built into Defender for Cloud. For example, there are some vulnerabilities that have been going around. If you are on-premises, then you need to download the signatures out there, then your antivirus software should be capable enough to identify them. With the Microsoft platform, the signature is already provided from Microsoft, i.e., Datastore. This is by default enabled as soon as Microsoft figures it out. This is the first thing that it provides.

What needs improvement?

The solution could extend its capabilities to other cloud providers. Right now, if you want to monitor a virtual machine on another cloud, you can do that. However, this cannot be done with other cloud platform services. I hope once that is available then Defender for Cloud will be a unified solution for all cloud platform services.

For how long have I used the solution?

I have been using it for more than three years.

What do I think about the stability of the solution?

The maintenance part is taken care of by Microsoft. The platform's responsibility lies with Microsoft, not with the customer.

Stability-wise, it is stable.

What do I think about the scalability of the solution?

It can be extended to multiple regions as well as to on-premises.

How are customer service and support?

When upgrading the solution, by default, no technical support is required. If it is required, it will then depend on your SLA, i.e., what kind of agreement you have. You may have an eContract, CSP, open agreement, or a normal one by default. Microsoft uses that SLA to deliver the solution at a particular time. 

I would rate the technical support as 6.5 out of 10. In general, you don't need to reach out to Microsoft's support.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Before Defender for Cloud, the solution was on-premises or some kind of third-party managed solution that we bought from the Azure portal. This integration had issues because you needed to go through the VPN tunnel, look for your solution, raise a ticket, and then have your teams look at the logs and ticket. If you had some networking issues or a major security issue, your ticket would not be raised.

There have been a couple of customers who start on their own with their own tenants. Then, at a certain time, they figure out that something wrong has happened, e.g., a hacking issue or a security breach. They then come to us through Microsoft because their security appliances and security practices are not proper, asking us, "Can you please help us to secure them?" 

The first step is to start securing their virtual machine. So, you enable Defender for Cloud. From the first instance, all their workloads are automatically added and enabled by default. So, if a customer is not secured enough when they go for Defender for Cloud, then it will automatically enable all kinds of security practices for them. Anyone can enable it. You can have Defender as the front face security for your cloud. Because of this, all our clients are secure.

How was the initial setup?

This is a cloud service. It is provided as a platform as a service. So, it is not infrastructure or something which you deploy. No configuration is required by default.

Azure Sentinel is a SIEM solution. Within the SIEM solution, you get logs. On top of that, you receive some kind of tracing. You then have your runbook. So, the integration is very easy. It is just click, click, and click. You can integrate it within five seconds. Azure Sentinel also takes care of Defender. This means that when you go into Azure Sentinel, you say, "I want Azure Sentinel to have whatever logs you have in Defender." Whatever workload is secure, you want to have the auditing part of that in Azure Sentinel, then you want to trigger or invoke something. Therefore, it just takes five to 10 seconds with three clicks, then it is enabled for you.

The external integration component has been provided. You have a ready-made appliance where you download the appliance and install it onto that particular machine, then it will start monitoring your virtual machine. This is easier on the Azure side to integrate. With on-premises, you need to download something called Agent. You download and execute that, then everything is connected. You just provide the security token already shown on your portal, then you integrate.

What was our ROI?

We have seen a 50% reduction in costs.

What's my experience with pricing, setup cost, and licensing?

It is a ready-made solution that you just start using from day one until whenever you want to use it, paying as you go. Or, you can do either a one-year or three-year RI.

Pricing depends on your workload size, but it is very cheap. If you're talking about virtual machines, it is $5 or something for each machine, which is minimal. If you go for some agent-based solution for every virtual machine, then you need to pay the same thing or more than that. For an on-premises solution like this, we were paying around $30 to $50 based on size. With Defender, Microsoft doesn't bother about the size. You pay based on the number of machines. So, if you have 10 virtual machines, and 10 virtual machines are being monitored, you are paying based on that rather than the size of the virtual machine. Thus, you are paying for the number of units rather than paying for the size of your units.

In case you want your own signatures built in, you have the workbook where you can enable it to couple with your Defender solution. It will start analyzing your specific algorithm or signature. If there is data specific to your organization, or your developer knows something that no one else knows, and you want to restrict that, you have a free hand to customize it, and a standard way is already provided. Every day, you will get a security update by default. You don't need to bother doing it manually. This has already been given to you free of cost. There are no costs other than the Microsoft workload itself.

Which other solutions did I evaluate?

If you have the solution with Microsoft Azure, then you will not need to look at other products. For on-premises, we were also using F5.

What other advice do I have?

When you are designing the solution, you should activate the solution from day one.

I would rate this solution as 8.5 out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Nimesh Aggarwal - PeerSpot reviewer
Principal Consultant - Cyber Security & Cloud Infra. at RPS Consulting Pvt. Ltd.
Real User
Robust platform that easily minimizes attacks
Pros and Cons
  • "Defender is a robust platform for dealing with many kinds of threats. We're protected from various threats, like viruses. Attacks can be easily minimized with this solution defending our infrastructure."
  • "I would suggest building a single product that addresses endpoint server protection, attack surface, and everything else in one solution. That is the main disadvantage with the product. If we are incorporating some features, we end up in a situation where this solution is for the server, and that one is for the client, or this is for identity, and that is for our application. They're not bundling it. Commercially, we can charge for different licenses, but on the implementation side, it's tough to help our end-customer understand which product they're getting."

What is our primary use case?

We typically use Azure Defender for securing our infrastructure-based virtual machines and database solutions on the Azure subscription. We've integrated a couple of the Defender agents into our on-premise servers too.

How has it helped my organization?

Azure Defender has improved our overall security posture. In particular, Defender's exploit protection mechanism protects our servers from unseen threats like process memory attacks, hash theft, or any direct script-based attacks.

Defender is just one component because the organization also uses endpoint security solutions and firewalls. This product is not an endpoint solution. It usually operates at the server level, improving the posture of the Azure cloud environment. Our end-users never deal with Azure Defender. It's purely on the administrative level. The server administration team handles it, so the end-user has nothing to do with it.

What is most valuable?

Defender is a robust platform for dealing with many kinds of threats. We're protected from various threats, like viruses. Attacks can be easily minimized with this solution defending our infrastructure.

What needs improvement?

The entire Defender family requires a little bit of clarity. There is a lot of confusion in the market, especially on the end-user side but also on the consulting side. Microsoft has launched four or five Defender products, including Azure Defender, which Microsoft renamed Defender for Cloud. They also have Defender for Identity, Defender for Endpoints, and Defender ATP. It isn't very clear.

I would suggest building a single product that addresses endpoint server protection, attack surface, and everything else in one solution. That is the main disadvantage with the product. If we are incorporating some features, we end up in a situation where this solution is for the server, and that one is for the client, or this is for identity, and that is for our application. They're not bundling it. Commercially, we can charge for different licenses, but on the implementation side, it's tough to help our end-customer understand which product they're getting.

For how long have I used the solution?

I've been using Defender for Cloud for more than a year.

What do I think about the stability of the solution?

It's hard for me to talk about the stability of Defender because, in my experience, "stability" is not a word that is relevant to security. A security product is either good or bad. It protects me, or it doesn't. There is no middle ground.

If we are talking about crashes or other issues, I don't see any problems, and the scalability is fine. We can protect storage, key vaults, SQL servers, etc. Defender can protect eight or nine Azure services, and it all works fine, but it would be great if all Azure services could come under the umbrella of Azure Defender. 

For example, we use Defender to protect our SQL databases, but not all of our databases are Microsoft. I have to search for another security solution for the same database vertical because it's not a Microsoft database.

What do I think about the scalability of the solution?

I am a solution designer and architect, and I incorporated Defender for Cloud into three different projects. The smallest had more than 200 virtual machines and 20 database servers plus a couple of Kubernetes and container environments. The largest is around 600 virtual machines on-premises and on Azure, and around 10 web applications, a couple of key vaults and databases, and some storage.

How are customer service and support?

I have contacted Microsoft support, but I haven't opened any tickets for Defender so far. Generally speaking, Microsoft Azure support is quite good. 

How was the initial setup?

The time needed for the initial deployment phase depends on the requirements, but generally, the deployment is quite fast because it's a cloud-native tool. They have just upgraded the Azure Security Center to add Defender.

What was our ROI?

When talking about cost versus value, you have to consider Defender in the context of Microsoft's cloud solutions as a whole. It's a cloud-native tool, so why is Microsoft charging so much? 

The features are good, but Microsoft created Azure, and they provide monitoring and backup solutions. It's also Microsoft's responsibility to offer security solutions, so why do they charge so much? Why isn't it incorporated into the old security center products? It should typically come with the security center. 

What's my experience with pricing, setup cost, and licensing?

Defender for Cloud is pretty costly for a single line. It's incredibly high to pay monthly for security per server. The cost is considerable for an enterprise with 500-plus virtual machines, and the monthly bill can spike. 

Which other solutions did I evaluate?

If we're just dealing with servers and Azure infrastructure, then Defender for Cloud is the way to go. But if we want to cover endpoints, emails, and other entry-exit points, then we need to think about another solution.

Symantec and a few other tools have end-to-end solutions that protect everything in a single console. You can't do that with Defender for Cloud. Depending on the client's requirements, Defender might not be the best option because it might not cover all the use cases that a client needs.

It's good for clients who are mainly or entirely dependent on Azure resources. If a client's infrastructure is more than 70 percent Azure, it's a good product because it has native control by Microsoft only. In other cases, it's a challenge. The product is good if you're working entirely within a Microsoft environment, like Windows Server, Azure services, or Office 365 services, but you run into a problem the moment you start going into macOS, iOS, Android, Linux, etc.

The agent installed there for Defender works differently. But on the flip side, a competitor's product never addresses the spatial bias on Windows. Every product line is the same. Their agents behave the same way on Linux, macOS, iOS, Android, and Windows. That is the fundamental difference I see.

What other advice do I have?

I rate Defender for Cloud eight out of ten. I would recommend it depending on your use case. It's a single solution that can address mixed infrastructure that includes on-premises, AWS, GCP, or Azure. Defender can provide security for all four.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Cloud Architect at CloudShapers
Real User
From the Azure portal, you can roll it out over all the servers covered by the entire subscription and on-prem, using Azure Arc
Pros and Cons
  • "Defender lets you orchestrate the roll-out from a single pane. Using the Azure portal, you can roll it out over all the servers covered by the entire subscription."
  • "Another thing is that Defender for Cloud uses more resources than CrowdStrike, which my current company uses. Defender for Cloud has two or three processes running simultaneously that consume memory and processor time. I had the chance to compare that with CrowdStrike a few days ago, which was significantly less. It would be nice if Defender were a little lighter. It's a relatively large installation that consumes more resources than competitors do."

What is our primary use case?

My client, a construction company, needed to replace their antivirus solution, including their Azure and on-prem services. They decided they wanted to use Defender for Cloud, so I started to implement it for them. The license for their antivirus software was about to expire, and they didn't want to spend much money. They opted for Defender for Cloud to replace Symantec. System Center (endpoint protection), Security Center, and Advanced Threat Protection were all consolidated into one product called Defender for Cloud.

The company I worked for was divided into several teams. We had an Azure Infrastructure team and workplace teams providing local on-premise services. The client was the biggest construction company in the country, with multiple locations. 

The strong point of Defender, especially when using Azure Arc to bring in on-premises systems, is that it doesn't matter where these systems are. They're just resources in the portal. If you see them and can install agents on them, it's fine. It doesn't matter how it's distributed or where the locations are. 

How has it helped my organization?

I believe that Microsoft Defender for Cloud raised our client's Microsoft Security Score to around 79 percent. That includes other security components. It's not just antivirus. There are all sorts of things that contribute to the score, for instance, the use of public IP addresses on VMs.

Our clients also saw some financial benefits because they didn't need to renew the Symantec license, but the biggest benefit was the ability to install Defender on Azure and on-premises machines from a single point.

What is most valuable?

Defender lets you orchestrate the roll-out from a single pane. Using the Azure portal, you can roll it out over all the servers covered by the entire subscription. Having that unified portal was nice, but it was a challenge. We first implemented Azure Arc, which allowed us to incorporate our on-prem machines like they were actual Azure resources. The single-pane-of-glass management is highly practical. We are accustomed to managing systems across different portals or interfaces, so it's convenient to do it from one place. That's a bonus, although it's in no small part thanks to Azure Arc. Defender then takes all the services it finds in Azure Arc and rolls them out seamlessly as long as they use Server 2016 or above.

What needs improvement?

It's a severe issue when you need to install Defender for Cloud on Microsoft operating systems older than 2016. Operating systems released after 2016 will seamlessly integrate with Defender with no problems. Older operating systems don't integrate smoothly. The 2012 operating systems will continue to be used for years. The 2008 systems will be phased out, so that won't be a problem for long, but you need some quick fixes to install on a 2012 OS.

The older the operating system, the more difficult it is to detect if the solution is working. That was a significant problem. It works fine on a newer OS. On the older ones, we had to do some tricks to determine if it was correctly deployed and working since the integration of Defender in the older OS is a lot less. Microsoft couldn't help us with that.

Another thing is that Defender for Cloud uses more resources than, for instance, CrowdStrike, which my current company uses. Defender for Cloud has two or three processes running simultaneously that consume memory and processor time. I had the chance to compare that with CrowdStrike a few days ago, which was significantly less. It would be nice if Defender were a little lighter. It's a relatively large installation that consumes more resources than competitors do.

For how long have I used the solution?

I have been implementing Microsoft Defender for a large construction company. We started the contract about three or four months ago. I was only responsible for the installation. We aren't the team that monitors or maintains the solution. That was not my task. We were just responsible for installing it and ensuring it worked on every machine.

What do I think about the stability of the solution?

Defender is relatively stable as far as I can tell. It works great except for the issues with older operating systems. In some cases, you may need to come up with a workaround. 

What do I think about the scalability of the solution?

The solution is scalable if you activate the Defender plan for all servers and containers. When you deploy new ones, it automatically picks them up and installs the components. It's perfectly scalable in that sense.

How are customer service and support?

I rate Microsoft support five out of ten. You can open up a support ticket and get into Microsoft's general support chain. You need to explain the issue, and they'll get back to you. Nine times out of ten, you will get someone new and need to explain the situation again. That doesn't help much. In the end, we had to fix it all ourselves.

We had a contact at Microsoft Amsterdam who was helpful. He was more of a sales contact. He told us the best approach and turned out to be correct.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

It wasn't my decision to go with Defender for Cloud. That doesn't mean that I would've chosen anything else per se, but those decisions are made on the managerial level.

How was the initial setup?

Installing Defender was straightforward as long as you're dealing with a more current operating system. On a post-2016 operating system, it's only a few mouse clicks. That's the beauty of the cloud. It arranges everything for you. The on-premise solution usually works the same. It's seamless. You activate the plan, select the resource types for which you want to enable Defender (including on-prem machines using Azure Arc), then hit "go." All that changes on older operating systems.

We had to create a design, test it, and get approval from management. We first tried it on a 2019 operating system, which was a piece of cake, but we faced challenges deploying it on 2008 and 2012 systems. That's why it ultimately took us three weeks to complete the deployment. If you don't have any older operating systems, it's quite effortless. 

We had four people working on the implementation, including three technicians. I was the only one from our Azure team, and there was another person from the workplace team who had access to the on-premise servers. He could log in to run some scripts and see if everything worked. We also had a project manager and a person from the client's team to test as soon as we were ready. 

What other advice do I have?

I rate Defender for Cloud eight out of ten. It uses more resources than competing solutions, but that's the only issue. If you plan to implement Defender for Cloud, I recommend considering the operating systems you use. 

If there are a lot of Server 2008 and 2012 VMs, it might not be the best solution. It is still possible, but it's harder to monitor and manage. It's tricky to check if everything works. These issues don't exist as long as you use the 2016 version or above. 

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Daniella Duran - PeerSpot reviewer
Business Analyst at an agriculture company with 10,001+ employees
Real User
Helped detect dangerous scenarios right away and reduced risk for our users
Pros and Cons
  • "The first valuable feature was the fact that it gave us a list of everything that users were surfing on the web. Having the list, we could make decisions about those sites."
  • "Another thing that could be improved was that they could recommend processes on how to react to alerts, or recommend best practices based on how other organizations do things if they receive an alert about XYZ."

What is our primary use case?

There were many use cases. We were monitoring auto IT applications and creating internal processes to understand which ones were going to be allowed and which were going to be blocked. We created the policies internally. 

It's an IT tool to monitor employees' usage on the internet and of web apps. We created policies so that, for example, when employees reached certain websites, like games, they would be blocked. We created a message for the email that they would receive, and there were links for whom to contact if they needed to override it. We created all the processes behind it.

How has it helped my organization?

From a security perspective, it reduced the amount of risk for employees, contractors, and users who might try to go to dangerous sites, as we blocked them. It helped us to identify dangerous sites so that we could make decisions on blocking them or not.

The effect on time to detection using Microsoft Defender for Cloud was very positive. The policies we created were providing information as threats arrived. When someone clicked on a website or on a link that was dangerous, it detected that and our team was able to control the situation right away. It was very highly effective because they got a live notification as soon as it happened. It improved things very positively.

It also had a positive effect on time to respond. As soon as an alert was received or something potentially dangerous happened, a process behind the scenes that we created helped them to react immediately.

What is most valuable?

The first valuable feature was the fact that it gave us a list of everything that users were surfing on the web. Having the list, we could make decisions about those sites. 

Second, it tried to categorize the apps, from riskier to less risky, with a behind-the-scenes algorithm. Even though we didn't use that, it was a starting point for our first review of the applications. We started with the riskiest ones and decided whether each one should be blocked or not. The fact that it provided a risk rating was very valuable. 

And it's very easy to use. Those are the top three.

What needs improvement?

Six months to a year ago, which was the last time I used the solution, the algorithm that was designed to define whether or not a site is dangerous needed to be improved. It didn't have enough variables to make the decision.

Another thing that could be improved was that they could recommend processes on how to react to alerts, or recommend best practices based on how other organizations do things if they receive an alert about XYZ. 

Also, the complexity in the amount of information for this process could be reduced to facilitate those of us who are implementing and using the system, and guide us as to exactly what is needed.

For how long have I used the solution?

I used Microsoft Defender for Cloud for a year and a half.

What do I think about the stability of the solution?

The stability was very high. We never had any issues with it.

What do I think about the scalability of the solution?

With Microsoft products, you can keep adding more information if needed. For the purposes of the tool, it covers everything.

How are customer service and support?

We never used their technical support.

Which solution did I use previously and why did I switch?

We didn't replace anything with this solution. It was something we added to what was already in place. Our threat department continued to use all the products that it had been using. This one was additional and brought more alerts.

How was the initial setup?

The initial setup was straightforward because the platform was already in place. It comes with the system and you just activate it.

The first phase was creating all of the policies. Then we did a total review of the more than 10,000 apps and we started categorizing them in a different way than the tool does. It was a challenge because what the tool recommended was different from what we wanted to implement. We created our own policies.

What about the implementation team?

We used a security consultant to help us, but that was for the processes we put in place, not for the tool, per se. It was along the lines of, "Okay, when we receive this, what do we do?" They helped us create policies and told us what the best practices are; everything that the tool doesn't give you.

What other advice do I have?

It's very expensive in terms of the need to maintain it actively. You need a group of people in the organization to do the job because if the tool is sending information, a bunch of alerts on policies that we created, and nobody is reviewing it, it is doing nothing. Once you create policies, you have to have a very established group that, based on the design of all of the policies, will follow a process to take action on each of them. Some of them were very complex and some of them were very simple. Some of them were automated and others were escalated, depending on the danger. So it can be very complex, depending on how you implement it in your organization.

The tool doesn't solve the problem, it just gives you the information so that you can solve the problem. Solving the problem takes a lot of resources, a lot of time and, it turns out, money. So it's expensive.

I don't think it saves time because it discovers things that would never have been discovered in any other way.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Drew Moen - PeerSpot reviewer
CEO / Owner at a tech services company with 11-50 employees
Real User
Because it's an integrated solution, it gives us more possibilities to take action automatically
Pros and Cons
  • "Most importantly, it's an integrated solution. We not only have Defender for Cloud, but we also have Defender for Endpoint, Defender for Office 365, and Defender for Identity. It's an integrated, holistic solution."
  • "Sometimes, it's very difficult to determine when I need Microsoft Defender for Cloud for a special resource group or certain kinds of products. That's not an issue directly with the product, though."

What is our primary use case?

We have a managed detection and response solution, a type of SOC/SIEM/SOAR product, and we are adding data sources to our solution. We want to have data for our Azure cloud environment as well, so we use Microsoft Defender for Cloud as one of the sources for our Azure environment.

We use it as an extra way to gain trust for our environment. We have purposely secured the total Azure cloud environment with firewalls, application gateways, et cetera, but we also want to have trust in our resource groups. That's an extra line of defense we have for our security.

How has it helped my organization?

It helps our teams to have more security awareness because, first of all, they have to think about setting up Defender for Cloud, and the cost of Defender for Cloud is borne by those teams. So they are more aware of protecting their own environments.

It also helps automate routine tasks and the finding of high-value alerts because the alerts sit in the data source itself. It's easier to prioritize alerts.

The main advantage is the detection and response. Threat intelligence helps you prepare for potential threats before they hit. If something is there, we will detect it. And there are special teams threat-hunting through the data.

We have our data sources everywhere, on endpoints and in the cloud. When we find something anywhere, we can act everywhere, because it's an integrated solution. It gives us more possibilities to take action automatically.

What is most valuable?

We like the security aspect. Most importantly, it's an integrated solution. We not only have Defender for Cloud, but we also have Defender for Endpoint, Defender for Office 365, and Defender for Identity. It's an integrated, holistic solution. In our MDR solution, it's not a Microsoft Sentinel SOC, rather we have a third-party SOC/SIEM and they also do threat hunting for us.

It's really easy to integrate these products. It's just an interface, the Microsoft Graph Security API. We can collect all the data and forward it to our solution. We don't only use Microsoft products as a data source, but all kinds of security products. We have data about our firewalls, our gateways, and our event collections from Windows, but also from Unix.

What needs improvement?

Sometimes, it's very difficult to determine when I need Microsoft Defender for Cloud for a special resource group or certain kinds of products. That's not an issue directly with the product, though.

For how long have I used the solution?

I have been using Microsoft Defender for Cloud for less than a year.

What do I think about the stability of the solution?

It's a very stable solution. I haven't heard of any problems.

What do I think about the scalability of the solution?

It is a scalable solution.

We use it across multiple regions including Europe and Oceania. We have multiple solutions for our data analysis and system development platforms. Our web shops are using it. It's used for almost everything in the cloud. We have about 2,000 endpoints.

How are customer service and support?

Microsoft's technical support is fine. We don't have any issues with it.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have a lot of other products, like McAfee, but we are changing everything to Microsoft Defender. We are switching because, enterprise-wide, we want to have one standard for everything to make everything easier to manage. And we want all the data it delivers to be the same. We want one view of the truth for everything.

How was the initial setup?

It's very easy to deploy. That is the least of any problems. It's just a simple yes or no in the cloud. It took 10 seconds.

We have an Enterprise Agreement with Microsoft but we also have a Cloud Service Provider contract with several parties so we can easily get the licenses we need. It's very easy to install. It's almost by default.

The solution itself doesn't require maintenance in the traditional way, but everything we're doing with it is about innovation. We are trying to innovate each platform, and each solution. Innovation is an ongoing business process.

What was our ROI?

It hasn't saved us money, as it's a cost to our company, but we're safe. It's the same as insurance: If there are no burglars then you don't need it. So it doesn't save costs but it might save you costs if something happens. Safety will cost money, but it shouldn't be too much.

What's my experience with pricing, setup cost, and licensing?

The pricing is very difficult because every type of Defender for Cloud has its own metrics and pricing. If you have a Cloud for Key Vault, the pricing is different than it is for storage. Every type has its own pricing list and rules.

What other advice do I have?

We don't use the full capabilities of Defender for Cloud so I don't know if it is the same as Defender for Endpoint. That solution is autonomous and acts on incidents immediately, based on playbooks for a type of incident behavior. Defender for Endpoint is capable of acting immediately when an attacker wants to encrypt a disk, for instance. I don't know if Defender for Cloud has the same capabilities, but it should.

In the discussion about going with a best-of-breed strategy or a single vendor's security suite, we have a mix. My thought is that I would like to have at least two big vendors, rather than one for everything. That way they can challenge each other.

Overall, I'm happy with Defender for Cloud. We're just at the beginning of using it but we want to extend our own solutions with Defender for Cloud as much as possible.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Hari Prasad M - PeerSpot reviewer
Senior Security Engineer at a tech company with 1,001-5,000 employees
Real User
Doesn't need to constantly run a security scan for images because the scorecards are updated periodically
Pros and Cons
  • "Everything is built into Azure, and if we go for cross-cloud development with Azure Arc, we can use most of the features. While it's possible to deploy and convert third-party applications, it is difficult to maintain, whereas Azure deployments to the cloud are always easier. Also, Microsoft is a big company, so they always provide enough support, and we trust the Microsoft brand."
  • "Azure's system could be more on point like AWS support. For example, if I have an issue with AWS, I create a support ticket, then I get a call or a message. With Azure support, you raise a ticket, and somebody calls back depending on their availability and the priority, which might not align with your business priority."

What is our primary use case?

I have a highly specific use case for Azure Defender, so I don't think I've used most of its features. We primarily use it to secure Kubernetes clusters in other cloud environments. For example, I have Kubernetes in Amazon AWS, and we're trying out Azure Defender to protect those Kubernetes clusters.

We also use Defender to scan the image repositories held in Azure Container Repository or ACR. We use Defender plus Azure Arc and Windows Defender. All three products work in conjunction to give us some security insights into our cluster.

How has it helped my organization?

We haven't fully implemented Azure Defender yet. Right now, we're at the POC stage. However, if people have a genuine use case, they should see its value, especially because of its cross-cloud compatibility. I don't think any other tool provides the same cross-cloud compatibility as Azure Defender combined with Arc, so that's a significant selling point for this product.

What is most valuable?

The security scorecard is something I find helpful. It tells me what's missing and identifies new vulnerabilities inside my registries. Once I publish the image, the scorecards automatically update. I don't need to constantly run a security scan for my images because the scorecards are updated by Azure periodically. That makes my job easier.

For how long have I used the solution?

I haven't been using Azure Defender for long. It's been around three months. 

What do I think about the stability of the solution?

Overall, Azure Defender's availability is excellent. However, the Kubernetes security is a new offering that is still under development, so the service's availability and support are not mature at this point and definitely need improvement.

What do I think about the scalability of the solution?

I rate Defender's scalability about eight out of 10. If you compare Azure Defender to a similar product AWS offers, there isn't much difference in scalability. The solution is able to accommodate all your requirements. I don't think I have ever reached a point where the solution couldn't scale to meet my needs. 

I deduct two points because you incur more costs as you increase usage, so it's more expensive when you have lots of logs flowing into the system. That is why I rate it eight. Otherwise, I don't see any technical issues there.

How are customer service and support?

Azure's system could be more on point like AWS support. For example, if I have an issue with AWS, I create a support ticket, then I get a call or a message. With Azure support, you raise a ticket, and somebody calls back depending on their availability and the priority, which might not align with your business priority. 

I can't talk about Microsoft support generally, but I can speak to my experience specifically with Azure Defender support. I would rate it five out of 10. Maybe it's because this is a product that Azure is still developing on the side. I don't think they have made Azure Defender for Kubernetes available to the general public yet, so that could be why their support is not up to par. I don't know the reason, but I haven't had a good experience with the support.

How was the initial setup?

It is just a POC, so I don't have many endpoints. The whole setup took three days for around 10 endpoints. They have an agent-based security system. It's always complex because you need to deploy the agent to all endpoints which is a lot of work to get it set up. 

We still have not decided to implement Azure Defender because we are also trying out other products in the same line. Once the RFP process is finished, we will know which one we'll implement.

What's my experience with pricing, setup cost, and licensing?

Azure Defender is definitely pricey, but their competitors cost about the same. For example, a Palo Alto solution is the same price per endpoint, but the ground strikes cost a bit more than Azure Defender. Still, it's pricey for a company like ours. Maybe well-established organizations can afford it, but it might be too costly for a startup. They should try some open-source tools. That's how it is today.

Which other solutions did I evaluate?

Compared to other products, Azure Defender's main advantage is native integration with all Azure services. If your company uses Active Directory and builds everything on Azure, you get it as a complete package. There's no need to buy another tool and set it up in your cloud environment. 

Everything is built into Azure, and if we go for cross-cloud development with Azure Arc, we can use most of the features. While it's possible to deploy and convert third-party applications, it is difficult to maintain, whereas Azure deployments to the cloud are always easier. Also, Microsoft is a big company, so they always provide enough support, and we trust the Microsoft brand. 

What other advice do I have?

I rate Azure Defender eight out of 10. If you're looking for standard Azure Defender services like cloud posture management or application security, these features are all highly mature. Defender also has newer capabilities that they recently introduced, such as endpoint security, cross-cloud integration with Azure Arc, and Kubernetes runtime security. 

These are all new services, so potential users need to think twice before buying into it solely for these features because I don't think the support is there to encourage customers to buy the product. I don't feel confident about Microsoft's support in these particular areas. I would exercise caution before buying Defender for these particular use cases. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Managing Partner at Digitaiken
Real User
We saved money by consolidating into a single solution
Pros and Cons
  • "We saw improvement from a regulatory compliance perspective due to having a single dashboard."
  • "I felt that there was disconnection in terms of understanding the UI. The communication for moving from the old UI to the new UI could be improved. It was a bit awkward."

What is our primary use case?

We had multiple use cases at my previous company. I changed companies during their implementation stages of this solution. From what I saw, the solution has a good use case for SIEM.

How has it helped my organization?

It helped improve my previous organization's security posture. Their previous solution was running separately in each region. That has now been centralized by moving to the cloud. This was a huge change for their operations because they used to have multiple vendors managing their SIEM. Now, that has been consolidated under a single vendor. This consolidation has improved response times.

What is most valuable?

We saw improvement from a regulatory compliance perspective due to having a single dashboard.

What needs improvement?

I felt that there was disconnection in terms of understanding the UI. The communication for moving from the old UI to the new UI could be improved. It was a bit awkward.

For how long have I used the solution?

I have been using Azure Security Center for five to six years. I was using it at my previous organization up until six months ago.

What do I think about the stability of the solution?

The stability was good.

What do I think about the scalability of the solution?

The solution was very much scalable.

Overall, there were around 150,000 users beginning to use it at the organization.

How are customer service and technical support?

We didn't use technical support directly from Microsoft. We used the third parties' support.

Which solution did I use previously and why did I switch?

We were previously using multiple solutions that integrated with SAP. For example, one region would be running QRadar and another region would be using Symantec. Each region of the company was just running it in silo mode off their internal Exchange. As part of centralizing a global solution, we chose to go with Azure Security Center, because our on-prem solution was not really working for us. This is why we started using Azure Security Center.

How was the initial setup?

The initial setup was easy; it was not complex.

The deployment took a month.

The transition went well. I didn't see any challenges.

What about the implementation team?

The setup was done by a third-party vendor, Fujitsu, who was very good. There was also another vendor, Microland, who had good knowledge and helped us with building it.

Not too many people were needed for the transition between solutions. I am unsure of the number of people needed because multiple activities were being run during the process, e.g., SharePoint migration.

What was our ROI?

The solution helped out management a lot. It reduced about 50% of the time needed to spend on this after implementation.

The organization saved money by consolidating into one solution instead of two or three. 

What's my experience with pricing, setup cost, and licensing?

Microsoft's licensing and pricing are sometimes complicated. If someone is new to Microsoft's licensing, they might have difficulty with it.

Which other solutions did I evaluate?

We might have looked at other competitors. However, Azure Security Center was attractive because of its licensing, which was packaged with the Office 365 licensing, as well as the fact that it is a single solution.

What other advice do I have?

I liked the centralization that it offered. However, I am cautious about the licensing part because I am unsure how you would manage the solution if it wasn't bundled.

When we started, our team didn't make a clear roadmap, which slowed us down. I recommend that you clearly define your roadmap before getting started.

The solution is very good. I would rate it as eight out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Download our free Microsoft Defender for Cloud Report and get advice and tips from experienced pros sharing their opinions.
Updated: August 2025