Microsoft Defender for Cloud Reviews

We use the solution internally.

Azure Security Center works with Azure Defender. Azure Defender is used for identifying the vulnerabilities and loopholes inside our system that we can deploy on multiple layers either from the subscription level, the source level, or on the devices. You can connect multiple devices to this. That's not specific to only servers. You can connect with ER80 as well as SQL servers. Most of the services are covered within the Microsoft Defender.

We find two things inside the Azure Security Center to be quite valuable. One is the recommendations, and the second is the regulatory compliance. Both help to keep everything running smoothly. This will give you the security score as well. You can try to get the highest security score, which is 100%. You can get there just from the recommendations from Microsoft. Not all the recommendations will be applicable on the enrollment side.

Regulatory compliance is PCI compliance. There are multiple compliance options you can follow.

Azure Defender helps improve our security posture. You enable it for each and every server. It is a monthly-based subscription and about $15 per month per server. You can see right on there that the vulnerability is automatically run with the help of a Messages scanner. Messages is running behind Azure Defender. It automatically runs and scans, and that will show up on your portal. You do have to take any necessary steps to run recommendations. Either you can see if any energy port is open, for example, if RDP is open, it will realize, “Okay, just close RDP for outside work." These kinds of recommendations are very helpful from the Azure Security Center.

You have inventory on Azure Security Center, as well as Workbooks. You can create Workbooks. These are automatic playbooks where you can see the entire dashboard. If you prepare a monthly report, or a weekly report, it's better to create it in Azure Security Center instead of Workbooks with the help of JSON, or use drag and drop as an option. That will help you to keep updated more on things.

Inside Azure Security Center, with Workbooks, you can create your own workbooks according to your users. If you have a system update setting inside Azure, with the help of an automation account, if you click it, inside the system update Workbook, you can see all the systems which are taking updates. If that is updated, you can see whether the system is compliant with updates. All the reports are visible. You can see reports on the basis of subscriptions or on the basis of resources if you want.

Azure Security Center does not affect the end-user experience in any way. End users don't feel its presence in the organization.

The solution offers collaborative services. If you enable Azure Defender for servers or any services, basically, you can automatically subscribe for Azure Defender for Endpoints, which is easy.

You can install the EDR on each and every server. That will give you all of the process logs and what a user is doing. You can tell if a URL is open on your system, for example.

You can remediate with automation as well if you want to. That's for malware or any malicious files if they are present on the system. It will detect using the intelligence of the Defender Endpoint. You can take hybrid action on an alert, you can take a fully automated action, or you can take 100% manual action.

With Defender Endpoint, if you find out if one system is compromised, you can actually separate it from the network. If you have to deal with ransomware. If one system is affected by ransomware, you can remove the system from the network.

There is a security alert inside Defender that's per the recommendations and activities that happen inside your network. You will see security events there. If you do not have any other SIEM solution in your environment, you can leverage this. 

The team is already working on one of the latest features, which is having migration techniques right on the portal available. It's possible to use it now. That's one good new feature.

For MIM, they are still improving things on Azure Security Center. There are a few flaws in backend technologies. If you do not have the correct access to the system, you cannot access the files and most of the reported resources.

For example, a general huge storage account, which is exposed for public access. If there are ten storage accounts available, you can see the names. You can identify, those storage accounts that are supposed to be accessed from the outside, maybe, due to some feature happening behind the scenes on a storage account, and these are supposed to be exempt from the portal. You shouldn't see them again and again and this should not affect your security score overall. However, they are not easily exempted from the portal. There's no way to exempt them properly.

You cannot create custom use cases. You can use what is already present on the Microsoft side in terms of security alerts. You can, however, customize whitelisting for alerts.

I've been using the solution for four years now. For one year, I have been working as an architect on Azure Security Center.

The stability is 99.9%. I never have seen any failure. Sometimes you find the service is slow. However, that could be related to an internet connection or something else. Every service has downtime. There is very, very minimal downtime here. I haven't faced any challenges in four years.

The scalability is very good. You don't need to put any extra agent or anything from your side. Everything is automated. It's the easiest security feature, which you can get from Microsoft.

For every project, an architect from the Microsoft side is assigned to the team. You can directly connect with them. You can also create a technical ticket. They will respond immediately. If the issue requires a certain level of severity, you will get a call directly. If it's not as serious and they email you, however, you do not respond to their email, they will call you. Otherwise, they will keep communicating via emails.

I'm in India. When I open a ticket, it may be assigned to the Indian parties and they take time to remediate your problems. If I am routed to the senior team of Microsoft, they won't take much time. They give you new solutions quickly. It's a good thing. 

We do use Azure Sentinel. I'm also familiar with Google Cloud Platform, GCP. It's a bit complex as the structure is not as good as Microsoft. Microsoft, from top-down, offers a management group, subscriptions, and tenants under one group. Inside that resource group, you will find resources. That is easy. On the other hand, inside GCP, there are folders inside folders. Then you can create multiple folders inside one folder. That makes things very complex. There are not too many security solutions available on GCP. I do not have too much experience with GCP, however, given the experience I have, according to that, GCP isn't as good.

You can handle many things on Azure with the UI. There's no need to go for the PowerShell if you don't know it. If you know PowerShell best, you can use it if you want to. If you want any report from the GCP, however, you'll have to first understand the shell scripting. It's hard to find projects due to the way GCP is laid out. There's too much complexity.

The solution is very easy to deploy. This is automatically installed on the Portal. There is no need to install anything on the Portal. There are just a few buttons inside the settings if you want to enable the Defender, et cetera. That will automatically install on all the servers. The agents are already present.

The solution takes six seconds to deploy. If you are on the Portal, you can do it in seconds. The first remediation will show within 30 minutes due to the fact that the scan takes time. The message takes a little bit of time to scan the entire infrastructure. That completely depends on how big a company's infrastructure is.

If there is another service, such as Azure Sentinel, you need to install agents on all the machines. If there is a Linux machine, you have to install the OMS agents. However, that's not the case over here.

One person can easily handle maintenance. A single person handles both Azure and Sentinel. Ours is a small environment. 

In terms of ROI for Azure Security Center, the solution offers basic security features, which Microsoft is providing. That's the main thing. There's no need to go and get any technical team to handle anything. If you know a little bit about the security, you just go and toggle the button and you install it on all the servers and services. With this product, you will start getting recommendations and security alerts. 

In contrast, if you go on any other products, you need a specialized team for security, especially. You need a complete specialized team for different services and for different actions. It's better to use Azure Security Center. There's no need to go and install anything and it's offering good security.

The licensing cost per server is $15 per month. This is the same for SQL which is also $15 per server. It covers the Defender licensing as well. According to my experience, it's a good deal.

I worked on all the Defenders, ten now, and, right now, we are more focused on Azure Defender, which is a part of the Azure Security Center on the Azure Portal. Defender is actually deployed on servers including other staff services, second path services, servers and community, and SQL databases. On each of these, you can deploy Defender.

This product is a Saas solution that is automatically updated from the Microsoft side. Any clients will not need to update manually.

If you have a hybrid cloud network or hybrid environment inside your organization, this solution will still work for you.

I'd rate the solution at an eight out of ten.

When it comes to Microsoft, the education surrounding Azure services and training is very easily available online without having to make any calls. If you want to join their webinars, you can join. If you want to get any certification, it is almost free for everyone. For a student they offer the training at 50% or 40% of the cost, or if you work at a good company. I did not pay anything for any certification. I have eight certifications from Microsoft. 

Our use case for the solution is focused on cost management and security in a multi-cloud environment. We use it alongside solutions like SIEM tools and deploy it as part of a broader security strategy.

The platform has improved our security posture by providing comprehensive threat detection and response capabilities. It helps in managing security across various environments effectively. However, we occasionally encounter issues when on-site products conflict with this solution.

The product's most valuable features offer the latest threat detection and response capabilities. These features are crucial for our SMB customers, especially given the high inflation in Turkey, which impacts cost considerations.

The product's advanced analytics and reporting features could be improved.

I have been using Microsoft Defender for Cloud for about three to four years.

The product performs reliably across various environments.

The platform's scalability is excellent. It is well-suited for both small and large organizations.

The support team is responsive and offers valuable assistance.

Positive

The initial setup can vary in complexity depending on the existing environment and the number of users. It's relatively straightforward for smaller setups, but larger deployments can be more complex.

We handle the deployment and integration ourselves.

The solution's ROI is positive, given its comprehensive security features and integration capabilities, which justify the investment.

The product's pricing policy is generally favorable.

We evaluated other options, but Microsoft Defender for Cloud was chosen for its strong integration with other Microsoft products and comprehensive feature set.

The solution is robust, but staying updated with the latest features and best practices is crucial to maximize its benefits.

Overall, I rate it a nine out of ten. 

We use Defender for network security.

Defender for Cloud is easy to use and enables us to automate routine security tasks. We save a few hours each week. Defender's single dashboard helps us centrally manage security operations and detect threats faster.

Defender is user-friendly and provides decent visibility into threats. We use multiple solutions in the Microsoft security suite, including Sentinel and Defender for Endpoint. They integrate smoothly to offer coordinated detection and response. 

Sentinel ingests data from our entire environment, allowing us to manage everything from one place. We don't need to go to multiple places to find information. Sentinel's capabilities are quite comprehensive.

Microsoft Defender could be more centralized. For example, I still need to go to another console to do policy management. 

I have used Defender for Cloud for two years. 

I rate Microsoft Defender an eight out of ten for stability. It's highly stable.

Microsoft Defender is scalable. 

I rate Microsoft support an eight out of ten. It isn't too bad. 

Positive

Setting up Microsoft Defender is straightforward. It took us around a month to get it fully deployed. Most of the implementation consisted of onboarding. It doesn't require much maintenance after deployment because it's a cloud solution.  

I don't think we've saved more money than we've spent. Defender is expensive, but we might see a return in the long run. 

I rate Microsoft Defender a three out of ten for affordability. The price could be a little lower. 

I rate Microsoft Defender for Cloud an eight out of ten. Getting all your security solutions from a single vendor makes things easier to manage. However, the Microsoft security suite is quite expensive.

There were many use cases. We were monitoring auto IT applications and creating internal processes to understand which ones were going to be allowed and which were going to be blocked. We created the policies internally. 

It's an IT tool to monitor employees' usage on the internet and of web apps. We created policies so that, for example, when employees reached certain websites, like games, they would be blocked. We created a message for the email that they would receive, and there were links for whom to contact if they needed to override it. We created all the processes behind it.

From a security perspective, it reduced the amount of risk for employees, contractors, and users who might try to go to dangerous sites, as we blocked them. It helped us to identify dangerous sites so that we could make decisions on blocking them or not.

The effect on time to detection using Microsoft Defender for Cloud was very positive. The policies we created were providing information as threats arrived. When someone clicked on a website or on a link that was dangerous, it detected that and our team was able to control the situation right away. It was very highly effective because they got a live notification as soon as it happened. It improved things very positively.

It also had a positive effect on time to respond. As soon as an alert was received or something potentially dangerous happened, a process behind the scenes that we created helped them to react immediately.

The first valuable feature was the fact that it gave us a list of everything that users were surfing on the web. Having the list, we could make decisions about those sites. 

Second, it tried to categorize the apps, from riskier to less risky, with a behind-the-scenes algorithm. Even though we didn't use that, it was a starting point for our first review of the applications. We started with the riskiest ones and decided whether each one should be blocked or not. The fact that it provided a risk rating was very valuable. 

And it's very easy to use. Those are the top three.

Six months to a year ago, which was the last time I used the solution, the algorithm that was designed to define whether or not a site is dangerous or not needed to be improved. It didn't have enough variables to make the decision. 

Another thing that could be improved was that they could recommend processes on how to react to alerts, or recommend best practices based on how other organizations do things if they receive an alert about XYZ. 

Also, the complexity in the amount of information for this process could be reduced to facilitate those of us who are implementing and using the system, and guide us as to exactly what is needed.

I used Microsoft Defender for Cloud for a year and a half.

The stability was very high. We never had any issues with it.

With Microsoft products, you can keep adding more information if needed. For the purposes of the tool, it covers everything.

We never used their technical support.

We didn't replace anything with this solution. It was something we added to what was already in place. Our threat department continued to use all the products that it had been using. This one was additional and brought more alerts.

The initial setup was straightforward because the platform was already in place. It comes with the system and you just activate it.

The first phase was creating all of the policies. Then we did a total review of the more than 10,000 apps and we started categorizing them in a different way than the tool does. It was a challenge because what the tool recommended was different from what we wanted to implement. We created our own policies.

We used a security consultant to help us, but that was for the processes we put in place, not for the tool, per se. It was along the lines of, "Okay, when we receive this, what do we do?" They helped us create policies and told us what the best practices are; everything that the tool doesn't give you.

It's very expensive in terms of the need to maintain it actively. You need a group of people in the organization to do the job because if the tool is sending information, a bunch of alerts on policies that we created, and nobody is reviewing it, it is doing nothing. Once you create policies, you have to have a very established group that, based on the design of all of the policies, will follow a process to take action on each of them. Some of them were very complex and some of them were very simple. Some of them were automated and others were escalated, depending on the danger. So it can be very complex, depending on how you implement it in your organization.

The tool doesn't solve the problem, it just gives you the information so that you can solve the problem. Solving the problem takes a lot of resources, a lot of time and, it turns out, money. So it's expensive.

I don't think it saves time because it discovers things that would never have been discovered in any other way.

We have a managed detection and response solution, a type of SOC/SIEM/SOAR product, and we are adding data sources to our solution. We want to have data for our Azure cloud environment as well, so we use Microsoft Defender for Cloud as one of the sources for our Azure environment.

We use it as an extra way to gain trust for our environment. We have purposely secured the total Azure cloud environment with firewalls, application gateways, et cetera, but we also want to have trust in our resource groups. That's an extra line of defense we have for our security.

It helps our teams to have more security awareness because, first of all, they have to think about setting up Defender for Cloud, and the cost of Defender for Cloud is borne by those teams. So they are more aware of protecting their own environments.

It also helps automate routine tasks and the finding of high-value alerts because the alerts sit in the data source itself. It's easier to prioritize alerts.

The main advantage is the detection and response. Threat intelligence helps you prepare for potential threats before they hit. If something is there, we will detect it. And there are special teams threat-hunting through the data.

We have our data sources everywhere, on endpoints and in the cloud. When we find something anywhere, we can act everywhere, because it's an integrated solution. It gives us more possibilities to take action automatically.

We like the security aspect. Most importantly, it's an integrated solution. We not only have Defender for Cloud, but we also have Defender for Endpoint, Defender for Office 365, and Defender for Identity. It's an integrated, holistic solution. In our MDR solution, it's not a Microsoft Sentinel SOC, rather we have a third-party SOC/SIEM and they also do threat hunting for us.

It's really easy to integrate these products. It's just an interface, the Microsoft Graph Security API. We can collect all the data and forward it to our solution. We don't only use Microsoft products as a data source, but all kinds of security products. We have data about our firewalls, our gateways, and our event collections from Windows, but also from Unix.

Sometimes, it's very difficult to determine when I need Microsoft Defender for Cloud for a special resource group or certain kinds of products. That's not an issue directly with the product, though.

I have been using Microsoft Defender for Cloud for less than a year.

It's a very stable solution. I haven't heard of any problems.

It is a scalable solution.

We use it across multiple regions including Europe and Oceania. We have multiple solutions for our data analysis and system development platforms. Our web shops are using it. It's used for almost everything in the cloud. We have about 2,000 endpoints.

Microsoft's technical support is fine. We don't have any issues with it.

Positive

We have a lot of other products, like McAfee, but we are changing everything to Microsoft Defender. We are switching because, enterprise-wide, we want to have one standard for everything to make everything easier to manage. And we want all the data it delivers to be the same. We want one view of the truth for everything.

It's very easy to deploy. That is the least of any problems. It's just a simple yes or no in the cloud. It took 10 seconds.

We have an Enterprise Agreement with Microsoft but we also have a Cloud Service Provider contract with several parties so we can easily get the licenses we need. It's very easy to install. It's almost by default.

The solution itself doesn't require maintenance in the traditional way, but everything we're doing with it is about innovation. We are trying to innovate each platform, and each solution. Innovation is an ongoing business process.

It hasn't saved us money, as it's a cost to our company, but we're safe. It's the same as insurance: If there are no burglars then you don't need it. So it doesn't save costs but it might save you costs if something happens. Safety will cost money, but it shouldn't be too much.

The pricing is very difficult because every type of Defender for Cloud has its own metrics and pricing. If you have a Cloud for Key Vault, the pricing is different than it is for storage. Every type has its own pricing list and rules.

We don't use the full capabilities of Defender for Cloud so I don't know if it is the same as Defender for Endpoint. That solution is autonomous and acts on incidents immediately, based on playbooks for a type of incident behavior. Defender for Endpoint is capable of acting immediately when an attacker wants to encrypt a disk, for instance. I don't know if Defender for Cloud has the same capabilities, but it should.

In the discussion about going with a best-of-breed strategy or a single vendor's security suite, we have a mix. My thought is that I would like to have at least two big vendors, rather than one for everything. That way they can challenge each other.

Overall, I'm happy with Defender for Cloud. We're just at the beginning of using it but we want to extend our own solutions with Defender for Cloud as much as possible.

We use it to keep our Azure infrastructure up to date with the security best practices that Microsoft suggests. We also use it to have better visibility into changes in our databases.

It helps me know if a new virtual machine or an app gateway or a functional service has come online that doesn't have the best security practices enforced on them. The impact we've had is a better security posture being enforced throughout our Azure environment.

The solution has also simplified management of endpoints and servers and gives us visibility in a single pane of glass. And it's easy to identify security corrections in the environment.

It has helped save us SOC time and increased their efficiency. While we haven't measured by how much, we see it in their day-to-day activities. And it has likely improved our time to detection, but we just haven't had anything to detect.

The most valuable features of the solution are the insights, meaning the remediation suggestions, as well as the incident alerts.

We have also integrated Microsoft 365 and Microsoft Defender for Cloud with Microsoft Sentinel and the integration was easy.

In addition, it's good at helping us proactively discover unknowns and defend against threats.

I would like to see better automation when it comes to pushing out security features to the recommendations, and better documentation on the step-by-step procedures for enabling certain features.

I have been using Microsoft Defender for Cloud on a day-to-day basis for about a year.

It's quite stable. We don't have many problems.

The scalability is very good.

We have 100 internal users and we are deployed across multiple sites. It's 100 percent cloud and our infrastructure handles API responses for our clients.

For the cloud infrastructure, their technical support is good.

Positive

In my previous company, I used the native portal, which is pretty much what Defender does, on AWS.

The intelligent threat hunting provided by Microsoft 365 and Microsoft Sentinel based on the alerts, incidents, and logs passed along by Microsoft Defender for Cloud is moderate.

The ability of Microsoft solutions to work natively together to deliver integrated protection as well as coordinated detection and responses across the environment is improving a lot, but it still has a ways to go.

Overall, if you are worried about security, you should have Microsoft Defender for Cloud. It's the minimum you should have.

We are primarily using Azure Security Center to bring a level of security into the environment. Before I started to work with this solution, I was a Kubernetes and Azure Cloud architect. I was working for a service provider where I did not get the opportunity to look at how do they secure the resources, but in the last one and a half years, I had to get into those aspects because the organization I was working for wanted to introduce Kubernetes into the ecosystem, and the main concern was regarding all the hacking that was going on. For introducing Kubernetes as a platform, all business managers wanted to know if it was secure or how to make it secure. We started to look at Azure Security Center and its capabilities because Azure was their main solution. We also used AWS and GCP to some extent, but predominantly, we had Azure. So, we first took Azure Security Center and started to leverage its features.

Azure gives access to a lot of policies and allows you to group those policies into initiatives. There were about 170 subscriptions spread across sandbox, dev, test, non-prod, and prod environments, which were spread across India, Canada, and the USA. Each geography had its own data resiliency requirements, so these policies had to be applied stringently. For example, if somebody created a virtual machine, it had to be in a specific region, or if someone was storing the data in a database, it had to be only in that region. It could not cross the border. So, we had to first enforce policies at the level where we had to identify where the storage resources were, which network could talk to which network, and who could do what, and then it went on to all levels. Azure provided very good, robust, and built-in policies for each resource, and we had to set some to audit and some to enforce. 

While setting policies for about 170 subscriptions, we needed to ensure consistency. We needed to apply them consistently across all subscriptions. Azure Security Center helped us in ensuring that we audit certain policies, and we also enforce certain policies. We had set some policies to audit because we wanted to see what's going on, and we had set some policies to enforce because of regulatory purposes or because of the way the entire network and all the systems were designed. We used Azure Security Center as our central place to administer policies. We had to group all the subscriptions into management groups, and there was a hierarchy of groups. We could apply the policies at one specific level, and any subscription that we would create under that group would have the same set of policies. It helped us in getting a bird's-eye view through dashboards. We could see what was happening across the enterprise.

We started using it for Kubernetes, but it expanded into a wider initiative of more stringent policies across the board. In terms of lift and shift, a lot of people get tempted to go to GCP because it is cheaper, but we were primarily using Microsoft products. So, we started adopting Azure, and we did not pay attention to Azure Security Center at the beginning. When we looked at Azure Security Center for the first time, it had already been three years, and we had done almost 100% lift and shift, but we could recover from any aspect of security. Azure Security Center helped us in recovering from our mistake. If we had worked with it at the start of our journey, it would have been easier, and even though we were looking at it halfway through our journey, it still helped us. I consider it halfway because lift and shift is only one part of the process. You are saving a lot of money, but you are still not cloud-based. The real power of the cloud comes when you start using the platform services, and before starting to use them, we were able to get into a secured environment. Kubernetes was the first platform that we were looking at, and when we were able to secure it, everything else was pretty simple. That's because, with Kubernetes, there is a shared responsibility model where the cloud provider takes care of some of the aspects, and you have to take care of a lot of things. Azure Security Center helps in ensuring that you have taken care of and secured everything.

Its recommendations are really good. Most of the time, they are appropriate. Azure comes with a lot of default policies that are set to audit only. As the enterprise grew and we started adopting the cloud, initially, we didn't pay much attention to Azure Security Center. For us, Azure Security Center was like an afterthought; it was not planned from day one. In our enterprise journey, when we started looking at it halfway through, we realized that there were so many violations. We started with auditing. We found policies that nobody was using, and then we started enforcing them. It was really good in terms of built-in policies, recommendations, and then applying them across the board with a minimal set of actions.

It is very intuitive when it comes to policy administration, alerts and notifications, and ease of setting up roles at different hierarchies. It has also been good in terms of the network technology maps. It provides a good overview, but it also depends on the complexity of your network.

For Kubernetes, I was using Azure Kubernetes Service (AKS). To see that whatever is getting deployed into AKS goes through the correct checks and balances in terms of affinities and other similar aspects and follows all the policies, we had to use a product called Stackrox. At a granular level, the built-in policies were good for Kubernetes, but to protect our containers from a coding point of view, we had to use a few other products. For example, from a programming point of view, we were using Checkmarx for static code analysis. For CIS compliance, there are no CIS benchmarks for AKS. So, we had to use other plugins to see that the CIS benchmarks are compliant. There are CIS benchmarks for Kubernetes on AWS and GCP, but there are no CIS benchmarks for AKS. So, Azure Security Center fell short from the regulatory compliance point of view, and we had to use one more product. We ended up with two different dashboards. We had Azure Security Center, and we had Stackrox that had its own dashboard. The operations team and the security team had to look at two dashboards, and they couldn't get an integrated piece. That's a drawback of Azure Security Center. Azure Security Center should provide APIs so that we can integrate its dashboard within other enterprise dashboards, such as the PowerBI dashboard. We couldn't get through these aspects, and we ended up giving Reader security permission to too many people, which was okay to some extent, but when we had to administer the users for the Stackrox portal and Azure Security Center, it became painful.

We were also using it for just-in-time access for developer VMs. Many a time, developers need certain administrative privileges to perform some actions, and that's where we had to use just-in-time privileges. Administering them out of Azure Security Center is good, but it also means that you have to give those permissions to lots of people, which is very cumbersome. So, I ended up giving permissions to the entire Ops team, which defeats the purpose and is also not acceptable at a lot of places.

These were the two use cases where I felt that I really had to get into the depth of Azure Security Center to figure out how I can use it much better.

I have been working with this solution for the last one and a half years. 

I didn't find any issues with its stability. When you start using Azure Security Center to look at your on-prem application or resources, you might have issues with monitoring these on-prem resources, but it is not related to the stability or reliability of Azure Security Center. It has nothing to do with Azure Security Center; it is related to how you have configured, what kind of resources you have, and what permissions you have given. 

Sometimes, the network operations team and security operations team are not in tandem with each other. We had done lift and shift for most of the resources, but there were still some resources that were on-prem. For on-prem resources, people are comfortable with Dynatrace and other similar tools, but they are not really security tools; they come under the observation and monitoring tools. It can be very hard to sell Azure Security Center for something that is on-prem, and because of the corporate silos, someone might not give you access to an on-prem resource. For example, your Oracle Database is still on-prem, and you are systematically strangulating the application and moving it to Cosmos DB or SQL Server on the cloud, but you are not allowed to monitor it. In such situations, Azure Security Center can only report one part of the application, which makes it tough to tell business managers

why this application is down, what went wrong, why there is latency, what is the problem, etc. So, more than the product, it has to do with ensuring that the SOC team works with the NOC team and ensures that they have the required access so that they can also observe on-prem resources from the security aspect. Otherwise, you won't know what's happening. You won't know if any hacking is going on, or if somebody is doing SQL injections to the on-prem Oracle Database. You wouldn't have a clue.

I'm an architect. I don't deal with the regular operations aspects.

There is nothing in terms of the setup. It comes by default. It is only about paying attention to the Azure Security Center in terms of giving correct roles to subscription owners, security administrators, etc. It is only about properly setting up those roles.

It only required going through the documentation in detail and having a couple of brainstorming sessions. We didn't have to hire any special consultants. We could do it ourselves. We spent a week properly going through the documentation. Having a word with the product managers also helped. Many times, such implementations have more to do with the way organizations are structured in terms of departmental silos. So, it helps to get everybody on board and ensure that everybody has the same understanding. It is related to an organization's culture; it has nothing to do with the product. It is more related to outsiders and insiders and different levels of knowledge and backgrounds, but the product itself is pretty simple to start with.

We did it ourselves.

It is bundled with our enterprise subscription, which makes it easy to go for it. It is available by default, and there is no extra cost for using the standard features.

I don't know if any other solution was evaluated. Most probably, we didn't because Azure Security Center is available by default, and there is no extra charge for using the standard features.

When you're using such platform services, you've got to be a little bit careful because the products are always getting updated. You need to keep an eye on the product roadmap in terms of what's coming up so that you are not duplicating. That's what we had to do with Stackrox. We discussed with Microsoft's technical support team, and we got a confirmation that they're not going to take care of CIS benchmarks in the near future. It was a little bit disheartening, but at least, we knew upfront that Microsoft is not going to look into this area. They were open and candid about what they were going to do and what they were not going to do. So, we started looking at other products. Microsoft keeps on updating its products to keep them relevant. So, you need to know what they are implementing in the next three months or six months so that you can at least tell the security teams that a certain feature is coming up.

We didn't have to do it for Azure Security Center, but for Azure Firewall, we had to request certain features, and there are a lot of features that are still pending. For example, if I use Azure Firewall, just-in-time permissions do not work. If VMs are behind Azure Firewall, then through Azure Security Center, I can't give permissions, but if I use the Palo Alto firewall, I can do the same. So, we had to set up our VMs by using the Palo Alto firewall. Sometimes, Microsoft does strange things, and they don't talk to the Azure Firewall team. After one and a half years of asking for that feature, it is still a no-go. We want to use Azure Firewall because it is not VM-based. With the Palo Alto firewall, I have to provide one more VM in between and start administering it. So, I have one extra resource that needs to be administered, and it is non-Azure or non-Microsoft.

When you start enforcing policies across multiple subscriptions, you need to be very careful. You need to pay attention to the notifications that come out. The notification details were where we had to do some customization. We had to prioritize the notifications and then put them into a group mailbox so that instead of one person, a group of teams gets notified. We could write an Azure function around it to integrate with Microsoft Teams. We could push them to the Microsoft Teams channel. It took some amount of effort. It took about a week of tinkering, but we were able to notify the entire development team. As we started auditing and enforcing from our sandbox to the development environment, we started discovering a lot more things. We got formal requests on why we had to disable some policies. We got more specific feedback. When we are able to catch such things early in the life cycle, it becomes easier to protect the higher-level environments properly. It was very good in terms of the dashboard, converting from non-compliance to audit, or enforcing policies across multiple subscriptions. We had to customize the notifications, and it would've been nice if there was a more intuitive way of customizing the notification, but it might also be because of our knowledge level at that time. We could have also integrated it with Slack because it supports integration with Slack, but we predominantly use Microsoft Teams.

I would advise others to start playing with it. They can start with a sandbox environment. If an enterprise has multiple resources, such as VMs, databases, they should put all of them in different resource groups in a subscription and categorize their resources properly. All resources should be structured properly. Otherwise, it is really difficult to administer policies at the resource level. They have to group them properly so that they are managing resource groups or subscriptions rather than individual resources. So, structuring of the resources is the key to the administration of policies. It took quite some time for us. It was not an easy task. We create Terraform scripts for setting the entire infrastructure. So, we had to reorganize our Terraform scripts to ensure that the resources were created in appropriate resource groups and communication can happen across resource groups. We had to set up the NSGs properly from the network point of view so that they all were accessible. It took us quite some time, but organizing the resources pays very well when it comes to spinning the higher-level environments and ensuring that they're compliant or they work.

I would rate it an eight out of 10.

It is our main solution for our Azure cloud infrastructure. We do about 1.1 million dollars in cloud spending every year. It's a quite big infrastructure and pretty much in our main system and we are planning on integrating with Microsoft Sentinel, which is going to be our SIM solution. Right now we don't use a Microsoft solution, however, Microsoft Sentinel is very complete and we're excited to dive into a POC. Right after I joined the company, that was one of the first things that I advised them to do and a couple of weeks later, we caught at least two big vulnerabilities that could have caused a catastrophic problem for our business. That's a true testament to the power of the tool.

The solution has improved how our organization functions. For example, the security score is the biggest improvement, as it's a compilation of all the results. That's where we have been doing established goals. When I joined the company and when we first implemented the product our secure score was about 35%. We are now sitting at 71%.

That gives us a clear direction as that's the most difficult issue. Azure is a complex solution. You have so many moving parts. If you say "I want to improve my security posture," it's hard to know where to start. That metric's going to give you an idea. You're going to take a look at your identity and access management strategy. You go there and you fix those issues.

Once that's done, you can take a look at your malware protection, so you see all the machines. You have the ability with this product. All of these actions compile percentages on a score and they drive up the score. That way, you know how good you're actually doing and how you can continue to progress.

We do a lot of mergers and acquisitions. One of the features that I like about the solution is it is both a hybrid cloud and also multi-cloud. We never know what company we're going to buy, and therefore we are ready to go. If they have GCP or AWS, we have support for that as well. It offers a single-panel blast across multiple clouds.

The most valuable aspect of the solution is visibility. You truly have visibility. That’s the first thing that you're going to have in the cloud.

The solution’s capabilities of assessment and real-time assessment is another big thing for us. In terms of remediation and capabilities, most of the time, I even have a quick fix, a quick button that I click and they're going to fix it for me, where they are going to provide me with everything that I need to do to fix that.

The main thing that I like about the tool is that Microsoft collects trillions of data points across their cloud and they leverage that threat intelligence to teach the machine learning AI-driven models to assess for security. We can even see across the cloud, and it’s so much better than going with a third-party product, where you don't have that advantage.

The solution has features that have helped improve our security posture. The security score is one of the biggest pluses. They do have a series of metrics that combine into a security posture score. Netsecure started giving me a good snapshot of where we are when it comes to security posture, and then we can drill down.

If you click on your secure score, you are going to be able to see why you have that calculated score. They have very good documentation surrounding how, for example, if you have 74%, why you do. You are going to be able to drill down and see where your weaknesses are and then you can address those items directly.

The compliance policy feature is great. They do offer support, such as PCIS. You have access and they can compare to your security posture and they can give you your score based on that, for example, how compliant you are with those tenders. That's another great aspect of the tool as well. That's all visual and on a dashboard.

The solution positively affected our end-user experience, however, not in any shape or even form that they can notice. They're getting all the benefits from it in the background. For example, security alerts are one of the main values about the users that I like. You have access to security alerts and those security alerts are giving you a real-time type of reading on how you are doing when it comes to threats. If there's something that can affect a user negatively, you have access to fix it before it becomes an issue. Therefore, while it has affected them positively, they never had to change anything that they're doing.

In the past, when you wanted to compile a list of resources that effected a vulnerability, it was kind of hard to do that. You had to use the graphic interface and write some queries for you to get that information from the Microsoft Graph API. Right now, with Microsoft Cloud Defender, they actually have that and you have access to that. Therefore, for me, it's pretty much a problem that has been solved. That was pretty much the only thing that I thought we could use. Then, yesterday, I saw that they included it. Therefore, as of now, I don't have any big issues with the product.

In the beginning, the score was shown using a points system. Now they made it into percentages, which is way better. It's hard to show you your C-level points. It required some explanation. For example, if you show them 2000 points, they're going to ask, "Okay, is this bad or good?" If you show them 75%, on the other hand, that they can understand. That's another thing that they made better as well.

Within this company, I've used the solution for about 10 months. I was also using the solution with my previous company for around a year and a half.

The product is pretty stable. The only thing that you've got to remember is that it takes some time. Some of the variabilities, for example, the remediation processes, when you apply them, it takes a bit. The remediation in order to count it has got to run the vulnerability assessment agent. Sometimes it takes a couple of hours for some resources. That said, it's pretty stable. I've never had any problems. It runs very well.

The scalability potential is one of the biggest aspects that I like, as it works with Microsoft, as an Azure back lane. As you add more subscriptions, all you have to do is just go and enable Azure Defender - in this case now, Azure Defender for all the consumer subscriptions that I have. That's it. It's free scale. It scales out very, very well. You don't have to do anything and you don't have to install anything on the Azure portal - it's already there. That said, you do have to deploy vulnerability agents, however, Azure does that for you due to the fact that the VMs are already being managed by Azure. You have all the security in place. It will deploy the agents and it's going to be seamless. You don't have any downtime either.

Right now, we have about 7,000 users. It's quite a good number, however, we are growing. We're adding companies every month. We're adding tons of companies and plan to expand usage as we grow.

I've been working with Microsoft technical support for more than 15 years. We have really good support, always. We do have an enterprise agreement with Microsoft, which makes support very easy. If you have Azure, you probably have an enterprise type of support. Every single interaction that I have had with them was pleasant. They were very, very precise and effective. We've had no problems.

We never had a different cloud solution. For us, choosing this solution right off the bat was a no-brainer.

The initial setup is very straightforward. It comes with the free version. It's out-of-the-box and already enabled for users for the most part. It gives you just a little bit of visibility, so you have to go with the paid version and the cost is not that bad. 

It's pretty much diluted into your Azure bill. It is totally worth the price. You basically go to the portal and choose the option and just enable online subscriptions and give it some time so that it can gain visibility. After that, it's going to deploy the agents. It takes 24 to 48 hours. After that, you're going to have tons of visibility and data coming back. It's pretty straightforward, very simple to set up. For me to roll out was about an hour tops.

You do not need a big maintenance team. I'm an architect and I'm also a very hands-on type of engineer. In most cases, I would say it's good to have at least two people especially if you have a global infrastructure. That way, you can have people in different time zones, such as Europe central time, for example, and in US Eastern time. For most aspects you have auto-remediation and you have automation that you can implement, which is great. I would say that two people would be ideal to manage the solution, especially for the remediation process. With the remediation process, you can engage other people from other teams as you're going to have to talk to the operations guys to say, "Guys, you've got to fix this, this is a liability." Therefore, two people dedicated to Azure would do it. It doesn't need to be dedicated to security, to Defender in this case.

I was reading some studies that the ROI is 200%. It's really good, due to the risk prevention and threat remediation processes.

I like the licensing due to the fact that it's simple. In terms of pricing, there's a very good ROI. The ROI is pretty great, and everything is diluted into your overall Azure costs. It's not a product that you buy, it's a contract. If you want to stop using it, you can stop. It's an on-demand type of product. I like that as well. 

It's very cost-effective if you compare it to other products, especially if you want to combine other features from a licensing standpoint. You're going to spend a lot of money if you try to implement various other options.

We do have some security, other security that is still in place. For example, we work with CrowdStrike. We work with a team solution. We have another team solution, which is not an apples-to-apples comparison. What Azure center does is very specific. It's very large. For us to do the same thing with any other security solutions out there, would mean we're going to spend a lot of money. Azure does not have competition per se. You would have to onboard tons of other products to do the same thing that they do. It's also simpler than the other solutions. The orchestration features that you have access to are great. It doesn't make a lot of sense to combine several other solutions and try to protect all your resources.

I am just a customer and an end-user.

I'm using the latest version of the solution, which is now the Microsoft Cloud Defender. They just changed the name of the product. They combined Azure Security Center and Azure Defender into Microsoft Cloud Defender and that's the version that I'm using.

For now, we are cloud-only, however, we have plans to enroll our on-prem devices as well, including servers, especially through Azure Arc and we are also looking at Azure Sentinel. We are going to have a complete ecosystem, similar to a Microsoft XVR, truly for our Cloud environments.

I was working with Sentinel in the past with my previous company, however, I was not able to fully roll out the product. Here, we're planning on having a Microsoft partner that's going to help us to onboard our Azure infrastructure and Sentinel, however, we are going to be enrolling a POC first.

I would advise other potential users that they need this, absolutely. If they have Azure, they need this. It's going to give them the visibility and the remediation capabilities that they're looking for and it's going to make them aware of issues that they are not even seeing. 

If a company has resources exposed to the outside, chances are that people are trying to get in. I'm catching people every single day trying to get in. It's really amazing what you see when you have visibility. Businesses that bring this on really need to involve the team. It's got to be a team project. Everybody's got to be playing on the same team. That way, a company can make sure they have effective implementation.

I would say, a company has got to watch very carefully the recommendations and the security alerts, especially recommendations, which is pretty much what's going to drive the score up and increase the positive security posture.

The alerts are going to give them real-time insight, like a temperature reading on security, including what's happening, who's trying to get in, who reports or attacks you and weren't successful, and how many times did they try? What kind of accounts did they use? Recommendations are going to help you look for activity and the security alerts are going to help you with the reactivity. You can react to events that are happening, however, you can't remediate issues that haven't happened yet. 

Overall, I would rate the solution at a ten out of ten. I'm a big fan. It makes my life way easier and gives me some peace of mind so I can sleep at night better.