Microsoft Defender for Endpoint Reviews

We used it as an EPP and EDR solution. 

Microsoft Defender made the work quite easy because we didn't have to rely on multiple tools, and we could look at one thing. It had a specific endpoint-level reporting standard as well where you can see the vulnerable threats and the outdated versions. It was very convenient.

We had certain compliance and usage issues. For example, our company wanted to go with CIS, but we didn't have a proper way of measuring whether the endpoints have the right standards in place or whether they were compliant with CIS. Microsoft Defender was like a one-stop for most things because it gave us the vulnerability and patching scores so that our vulnerability management teams can focus on covering up the vulnerabilities and the patching team can check the vulnerable versions and deploy the right versions. It had multiple advantages for us in terms of patching, vulnerability management, adhering to security standards, and EDR and AV capabilities. 

Microsoft Defender was pretty interesting in terms of visibility. When we compare the solution that we had before with Microsoft Defender, there is almost a night and day difference. Microsoft Defender is pretty advanced with the threats. We used to run, simulate, and see whether we were prone to the latest vulnerabilities. It was a pretty good solution in our experience.

It definitely saved us a lot of time. I don't have the metrics, but because it was a one-stop place, we didn't have to navigate through all the controls and go from one place to another to look for different reports for each section. We had one tool that could do everything in one place. It would have definitely saved us nearly one-fifth or 20% of the time. It would have also saved money because you rely on one single tool for multiple things. When you go with the premium suite, you get other tools as well. There is definitely a cost-saving aspect.

It came in a suite. There were multiple other products that were included with it as well in the premium suite. Another factor was that you don't have to invest in two products, and you can get both components, the EPP and the EDR, in one. You can also do simple vulnerability management, CIS hardening, and things like that from Microsoft Defender. Those were the main reasons for considering it back then.

I haven't used the product in nearly eight months. I use it on my device, but I haven't used it at an administrative level. Previously, with Microsoft Defender, we used to have certain problems with the Mac machines, but later on, they came up with various ways so that we could use the MDM solution to do the job. They provided pretty good support. Their engineers came and tried to figure out the solution.

I'm not too sure of its current capabilities, but I'm pretty sure they are doing a good job on Windows and Mac. However, I'm not sure whether they covered Linux. If I remember correctly, Microsoft Defender didn't have anything proper on Linux back then, but if they have improved it from that aspect, it would already be ticking all the boxes.

I have used Microsoft Defender for eight months to one year in my previous organization.

In comparison to the other solutions that I've had experience with, Microsoft Defender was very good.

It was definitely scalable. In my previous organization, we enrolled more than 20,000 endpoints.

It was pretty good. At that time, Microsoft Defender was very new. When they released it for Mac, that's when we got hold of them. There was a time when their support engineers learned certain things from me about it, and I also did learn something from them. It was a win-win situation for both of us.

I would rate their support a seven out of them. The level of support depends on the complexity of the issue. If an issue is small, anyone can solve it, and it wouldn't take much time, but when you run into a complex problem, you need proper people coming in quickly and giving you some support after looking into the issue. Ideally, if they are very well-trained at all levels, that would be good.

Neutral

We had other products for antivirus and EDR. We removed those two products and replaced them with Microsoft Defender. They both were pretty good solutions in the market back then. One of them is a pretty good solution even now.

We found Microsoft Defender pretty good when we did the PoC as compared to the rest of the tools. Some of the solutions were only antivirus, and some of them were only EDR, whereas this particular tool had a lot of features built into it. So, one agent could do many things. Another reason for going for this solution was that the company I used to work with was a bit biased toward Microsoft. They were a Microsoft customer, and they were comfortable with Microsoft. 

The reliability of support was one of the reasons why we chose Microsoft. When it comes to tools, there are always requirements related to budget, level of support, and other things. When you go for a PoC and look at the demo, you might think a product is stable, but when you run into a problem, the support could be weak. In such instances, what's the use of the product if you don't have good support or if they take at least two to three days to solve a small issue?

I handled the Mac machine part of it. Initially, setting up policies and getting all the configuration profiles in place was a bit of a challenge because they didn't have proper documentation at first. During the PoC, there were not many documents or support articles, but when we were in the deployment phase, they had everything, even specific to particular MDMs, which made it very smooth. We ran into a couple of small problems, but that's pretty common in every deployment. Other than that, it was pretty smooth. 

From Microsoft's side, there is a pretty good deployment strategy in place, but different companies have different objectives and different ways of working. There are situations where certain users and groups might need something specific but other users or groups don't. There could be multiple groups of users with different expectations. So, it is pretty straightforward, but like with any security tool, there could be internal user-level challenges. However, for a company that does not have a very complex environment, it should be a piece of cake. It should be pretty easy.

In terms of our implementation strategy, we first targeted the least impacted devices because we didn't want high-end or critical users complaining about having issues. So, we selected the low-priority users and implemented it for them, and then we tested it out. After that, we implemented it for users with higher priorities. We gradually moved based on the severity.

In terms of maintenance, agent updates are required, which we scheduled automatically. It didn't seem to need much attention. If the product is in a non-complex environment, it won't have many issues, but in a complex environment, there will be some because of VLAN restrictions, network connectivity limitations, etc. We also had issues where agents were not communicating, but it was not because of an issue with the tool. It was mainly because of the complexity of the environment in terms of networking and architecture.

Microsoft Defender decreased our time to detect and time to respond. However, we didn't completely rely on one solution. We had other means as well. We used to have another EDR solution as well, and we used to run both together.

I would definitely agree with a security colleague who says that it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite. For example, if you are a one-vendor customer, the day the vendor gets hit with zero-day or any huge attack, none of your tools or software would work. Your data and other things are also at risk. So, having multiple vendors is good because you'll be covered by different products. 

Microsoft Defender's threat intelligence helps to prepare for potential threats before they hit and take practice steps, but there was another team that was using the threat intelligence and reporting capabilities to see whether the organization was ready. In my previous organization, we had overall IT support, which was then divided into nearly 20 different teams. We had one team specifically to do one specific job. 

For prioritization of threats, if I'm not wrong, Microsoft Defender gives you a severity value. I haven't been in the admin part for long, but it gives you a severity value. Based on that, you can prioritize your threats.

I would rate Microsoft Defender an eight out of ten. 

Our primary use case is anti-malware and virus protection for our machines. We don't operate a network as such; our setup is almost entirely in the cloud.

We use the solution across multiple departments and teams, with about 400 total end users.

Around 90% of our estate is Mac, so we rarely have security alerts, but we get daily reports. The solution lets us proactively advise users about security concerns, especially when downloading files.

The solution is a Microsoft built-in tool, so it's very straightforward to use and monitor from the admin center, it's intuitive. 

As with all antivirus software, the benefits of using it far outweigh the risks of not having it. Protecting our estate, machines, and users is essential. We can take action quickly, for example, when a user downloads something suspicious and step in before the threat escalates. As an organization, we have encrypted files and data it is vital for us to protect.

Defender for Endpoint is a robust solution that works well out of the box. 

We can monitor and manage our security picture from one dashboard, and that's one of the primary reasons we use the solution. Our machines are enrolled on Microsoft Intune, which further simplifies management. With the E5 license, everything is in the same place; that makes our job easier and allows us to be more proactive when confronting threats. Not having to log in and out of different systems to manage devices is an excellent improvement to our operation.

The solution's threat intelligence helps us prepare for potential threats and makes us more proactive. We have the information required to warn our users of threats, including malicious links and phishing emails. The product gives us an accurate picture of the threat landscape, enabling us to adapt our strategy to protect our most sensitive and vital data.

There is a difficult balance working in IT, as we don't want to put all our eggs in one basket; if one system goes down, we are compromised. We want the flexibility and reliability offered by different specialized solutions, but that complicates management. With Defender for Endpoint, we don't need to worry about machines slipping through the gaps and remaining unprotected because the product is connected to the user account and pushed by the tenant. There is no agent, and the solution isn't intrusive; the user doesn't even know it's there. Other vendors I dealt with in the past required clients to be installed and updated, with potential problems coming in if the client isn't up to date. This isn't an issue we have with Defender. 

Our team's knowledge of the solution needs to be improved, and Microsoft could do a better job conveying the necessary information to users. We could proactively use the tool more and explore capabilities we are not yet utilizing.

We have been using the solution for about six months.

The solution is stable; Microsoft goes down very rarely. It happened just a few times over my career. If it does go down, the impact is significant.

The solution is very scalable. Microsoft makes that easy, and we plan to increase our Defender for Endpoint usage.

I've only contacted Microsoft support a few times, and they were always helpful. I don't have any issues with the support; they're good.

Positive

We previously used Symantec Endpoint Security. It was somewhat clunky. The engineers found it too intrusive as it required a client to be installed, dramatically slowing down the machines. We switched to Defender for Endpoint because it's part of the Microsoft suite, and we can use it across platforms for Windows and Mac.

The initial setup is straightforward. Initially, we didn't use the E5 licensing, so it was a basic cloud setup with a license per user. Now we have our own tenants, and we're deploying E5 licenses, and Defender for Endpoint comes as part of the license. A user activates the app in the Office 365 tenant, and that's the setup.

The initial deployment didn't take very long; it was just a tick box exercise. We are moving tenants, so we're giving everyone a new E5 license when they move over. It's quick and easy to assign licenses via a tool we have, which provides users with access to the entire Microsoft suite, including Defender for Endpoint.

Five people were involved in the deployment, all of them IT staff.

I'm not directly involved in taking care of the solution, but it seems lightweight in terms of maintenance. Most of the updating is end-user-driven; users are prompted to restart their machines to stay up to date with security patches.

As we have only been using the solution for six months, I don't think we've seen an ROI yet. I imagine in another two years, we will see a return.

AV solutions are pretty expensive because they are necessary, not just for protection, but many businesses need them to comply with regulatory bodies and receive accreditation. We recently purchased an E5 license, which gives us access to the entire Microsoft suite. I would say the pricing is competitive; most tools of this kind are similarly priced. There are minor differences between the competitors, but they aren't spectacularly different. Defender for Endpoint makes sense because all our solutions are in the same place, paid for with a single license. The subscription price is around £50 per user per month, though it may have increased slightly.

We evaluated Sophos Intercept X and Kaspersky Endpoint Security for Business.

I would rate the solution an eight out of ten. 

Defender for Endpoint helps us automate routine tasks, but I don't specifically know what kind of automation it does or what we use it for, as the InfoSec team is responsible for that. 

No solution is completely foolproof, but the configuration has a large part to play in the quality of the protection. 

We have been in business for two years, so we're a relatively small and young company. Nevertheless, it's vital to have protection against malicious actors. The threat landscape we face today is complex and diverse, so our threat protection needs to be up to par. That's the benefit of using the product; we need to protect our data, and having a tool that informs us of potential threats is excellent.

As an end user, the solution didn't personally save me time, but I imagine it did for the InfoSec team who deal with it directly. The security reporting will all be in one place, and we don't have to go to the marketplace to look for separate tools to fulfill different functions.

I'm part of a team that does governance and consulting for migration from Symantec Endpoint Security to Microsoft Defender for Endpoint.

I haven't really seen anything in the solution that is an improvement over anything else. It's just that as we move to Microsoft cloud, it makes sense to look at some of the other products that sync between onsite and cloud. It's a stretch to say that it has inherently improved things.

You have endpoint security to keep your devices safe. That's the feature that we're interested in.

The visibility into threats is good.

There are some areas in the proactive threats that are just overwhelming the SOC, so we've had to turn those off until we can figure out how to filter out the false positives. Otherwise, there's no point in using it, as our SOC would be overwhelmed. Their choice would be either to run down every false positive, which would take their attention away from other things or to start ignoring positives, which defeats the purpose of having alerts.

The threat intelligence is too overwhelming right now. The amount of time it takes to sort through and figure out proactive solutions and prioritize—if there was an imminent threat and we just relied on that—means the bad actors would have already had a chance to get to work.

It also hasn't eliminated having to look at multiple dashboards. That's one of the running jokes with the Microsoft products: They keep hinting at a single pane for everything, and they're getting better, but they're still pretty far away from that. That would be revolutionary if Microsoft could figure out how to run all their security stuff through a single pane. They would have people lined up with money in hand, but they are not there. They're not close to it. For them to even talk about it right now is disingenuous. Microsoft is better than that.

The single biggest thing that Microsoft needs to do is figure out how to pull everything together so that all their security products can be accessed through one dashboard; one place where all of that information can be gathered and looked at by people with the appropriate access permissions.

The other thing that they need to figure out is how to move away from the amount of scripting that needs to be done with a lot of their products and move into a GUI. That's especially true because there is difficulty getting people with scripting skills, especially when you get into the Kusto Query Language and putting together tables through scripts. If that could be done with a point-and-click, that would be a notable achievement.

I have been using Microsoft Defender for Endpoint for about a year and a half.

The solution is solid. 

The biggest "catch" is that clients do not always want to implement systems according to the manufacturer's best practices. There's always friction if the client has in mind one way it should be, but it was designed differently.

In our case, we're talking about a big company that is used to being a big enough client that the vendor will change what they do to accommodate them. Microsoft does not have to. That's not a criticism of Microsoft. It's just that Microsoft is big. They are not a little regional provider. They will not change something in their product that's distributed globally to accommodate a client with a non-standard way of wanting to implement something. There's friction with that. 

I do not see that as friction with Microsoft because of Microsoft, I see it as the friction of a client that takes a solution from a huge provider but sometimes has the mindset that they want the attention that comes when they purchase a solution from a small provider.

When it comes to technical support, I have found Microsoft to be outstanding. The answers are not always what people want to hear, but the answers are legitimate. I do not have any criticism of Microsoft on that.

Positive

We previously used Symantec Endpoint Security.

Aside from the possibility that some forward-thinking people see us having more of a presence in Azure, and the logic of using a Microsoft product that goes along with that, I have no clear idea what prompted the switch. That is not a poor reflection on Microsoft. It's just that whatever motivated moving from a solution that was working fine to another solution is beyond my knowledge.

We have about 180,000 endpoints and they are distributed globally. It took us about six months to do the rollout. As we did that, we figured out various aspects that needed to be tweaked or changed for the best.

I doubt, at this point in the migration, that there is going to be ROI. I do not have enough information on that to really make an accurate determination. I think the biggest payoff is going to come in the future, as we throw more and more resources into cloud and we need to have some continuity with systems in the cloud and onsite.

First, have an understanding of Microsoft's best practices. Second, understand that Defender for Endpoint is part of the operating system. It is not a "bolt-on," like most antiviruses are. There are going to be some differences in how Defender interacts with an operating system, compared to an external solution. Be prepared for that.

It helps prioritize threats across an enterprise to some extent, but we haven't delved that deeply into that part of Defender yet.

The solution hasn't saved us time but I'll qualify that with the fact that we are in migration, moving to a new system, which is Microsoft, and that always takes more time and effort, as we work through the teething troubles. That is not necessarily a reflection on Microsoft. It's a reflection that anytime you move from one system to another, it takes a while before the teething troubles are smoothed out.

If a security colleague said to me that it's better to go with a best-of-breed strategy rather than a single vendor security suite, I would say there are pros and cons. It would have to be a discussion about what they need to achieve and their thoughts on why a particular solution would seem best. On a high level, there are good and bad reasons for all kinds of solutions. Without having a clear understanding of what is trying to be achieved, it's really difficult to say whether one is particularly good or bad.

We have a dedicated team that handles all security-related aspects of the solution, however, my understanding is that the solution helps guard the endpoints in our organization. 

Along with security, there are certain IT policies in terms of accessibility of different sites, which are there in the organization. With everything put together, there haven't been any instances where I have seen any kind of issues such as malware or other malicious event getting through on my laptop. From that perspective, everything is fine. 

The patch updates and version updates are very good. Those happen on an automated basis whenever I'm connecting to the organization network, either through LAN or through the VPN. I never have to worry about anything being out-of-date.

The solution scales well.

I have found the stability to be good.

From a general user perspective, I don't see any further improvements needed. 

The price, in general, could always be a little bit cheaper.

I've used the solution for two years or so. It's not much more than that.

The stability of the product is good. I have not dealt with bugs or glitches. It doesn't crash or freeze. the performance is good. It's reliable. 

The solution scales well. If a company needs to expand it, it can.

We have 1,000 to 2,000 people on the solution currently.

I've never directly dealt with technical support for issues related to Defender. Many years ago I had reached out to Microsoft support for an issue related to Visio, a different product.

The initial setup is straightforward. There are certain automatic patches as well that keep on updating and those automatically install.

I don't recall how long the product took to deploy. When any new laptop or anything is assigned in an organization, all these things are installed prior to coming to us. Therefore, I wasn't actually a part of the installation process. 

We have a few contractors working with the in-house team. There may be around five to ten people. Any maintenance that is needed would be done by them.

The pricing could be lower. That said, I cannot speak to the exact costs involved as I do not directly deal with that aspect of the product. I'm unsure if the company is set up with a monthly or yearly subscription package. 

I'm just a customer and an end-user.

I'd rate the solution at an eight out of ten. I've been very pleased with how it has worked for me over the last two years. 

I would recommend the solution to others, however, I'm just a passive end-users and not as technically involved as those deploying the solution in our company. However, from my perspective, there has never been an issue on my machine with malware and therefore it seems to be doing what it's designed to do.

Microsoft Defender for Endpoint can be used for protecting personal information and file in my organization.

The solution has saved us time by not having to install separate third-party antivirus solutions.

Microsoft Defender for Endpoint is beneficial because we are using Microsoft Windows and all the core solutions are made by Microsoft, such as the authentic platform, operating system, and antivirus protection. It is a heterogeneous environment. We had to use third-party solutions before and update everything separately. For example, the policy for antivirus. With Microsoft Defender for Endpoint, when Microsoft Windows receives updates it will update with it. This is one main advantage of this solution.

Microsoft Defender for Endpoint can improve by making the reporting faster. It takes some time to reflect back to the administration portal of what has been updated. For example, out of 100 Computers, approximately 90 computers received updates, but when you check the administration portal over one or two days, you will only see 75, even though 90 were updated.

I have been using Microsoft Defender for Endpoint for approximately one year.

The solution is stable.

Microsoft Defender for Endpoint has been scalable.

We have more than 200 users using this solution in my organization.

Previously we used McAfee and Symantec Endpoint. Every five years we change the solution. However, this time we changed to Microsoft Defender for Endpoint because we wanted a unified platform.

When you install Microsoft Windows 10, Microsoft Defender for Endpoint comes with it. There is no installation of the solution other than installing Windows 10. It saves time because you do not have to use any new kind of policy or deployment.

We have a team of three that do the management of the solution.

The solution comes free with Microsoft Windows 10.

I rate Microsoft Defender for Endpoint a ten out of ten.

We primarily used the solution as Endpoint Detection and protection (EDR, EPP) with secondary benefits of threats and vulnerability management, security incident response, automated query and real-time device monitoring, and with the capability of email security, identity management (DFI), and task automation (Power automate). We used respective licenses where required.

The solution was also used for an endpoint antivirus for workstations in a multi-OS environment, including Windows and Mac OS. We had file, device, and user trajectory monitoring for the security operations team.

The solution benefited the company via:

• OS-level/Tool compatibility for endpoints running Windows (since both are Microsoft products and Defender core files are included in Win10 or later delivery).
• Heuristic capability. Consistent usage of MDE indicates that the tools are continuously learning new prevention techniques by pulling real-time up-to-date cloud resources.

• Alert chaining. The solution makes security Incidents, events, and alerts less tedious from a Security Operation Center standpoint. This can result in false negatives or detriment for small to medium-scale firms running no or semi-automated threat response features.

The most valuable aspects of the solution include:

• Advanced hunting. The product offers flexibility, visibility, and automation capability using a user-friendly query language (KQL).
• Reporting. Clear and concisely plotted graphics show real-time data representation - which is valuable to upper management.

• Scalability/API. We are able to productively integrate with existing on-prem, hybrid, or cloud applications. 
• Great OOB features. The solution comes with SIEM-ingestion-ready features for extensive visibility, automation, and integration, including advanced hunting, threats and vulnerability management, embedded simulation for end-to-end testing, ransomware prevention (Controlled Folder Access), and Attack Surface Reduction (ASR) rules.

Improvements could be made via:

• Clicks. There's a poor user experience with lots of optimizable opportunities of user interface particularly on the newly improved portal (https://security.microsoft.com/). Features like device inventory continue to lack essential workstation drill-downs showing the entire device information with the least effort.

• De-centralized console features. Discrepancies with enabling core features at the click of a button within the MDE portal is mostly due to prerequisites that are tied to the functionality or partial enforcement requirements from other Microsoft tools (Group policy, Azure, Sentinel, SCCM, Intune). EDR in block mode requires Intune security baselines and tamper protection requires MAPS enabled. Web content filtering also has security baseline dependencies

• No single pane of glass. There are too many loose ends with tiny bits and pieces to enforce essential security policies compared to other EDR solutions within the same caliber. A typical example is having to create exclusions in different locations for entirely different functionalities, such as: automation folder exclusion, group policy exclusions (per tenant), Controlled Folder Access (ASR) Allowed application, and Attack Surface Reduction (ASR).

• Service Requests. Noncritical cases with MDE technical support teams tend to be queued for over a week before the first customer engagement. Most of these tickets also end up in the hands of temporary or contracted non-Microsoft employees who are scripted and offer little attention to unique incidents.

Suggested additional features that should be included in the next release include:

• Digestible interface/filter for crown-jewel capabilities like ASR, CFA and Exploit mitigation occurrences.
• Restoration of an always visible search bar from the previous console view (https://securitycenter.windows.com).
• A definitive action plan for Secure Score recommendations and deduplicate of controls.

We were using Microsoft Defender for Endpoint prior to its change of name from Defender ATP. We experienced a plethora of GA changes including, but not limited to, IOS/multiple OS support, device discovery, web content filtering, API updates, and continuous integrations with existing security tools.

The solution is used for endpoint detection and response, however, it also has vulnerability management. I don't use that as much as the endpoint detection and response. I use it in combination with Cloud App Security and Endpoint Manager.

The most valuable feature is the fact that, if you have the M365 E5, it's included and everything is in the bundle. 

It's a very solid security system and the advanced hunting and everything really lets you dive deep into things.

Overall, they're doing a much better job. However, recently, they added the Azure Defender. When you use the Azure Defender licenses, you're already enrolled. 

I prefer that they had the old interface that was not combined with compliance, and still, they've changed that to make it better. I would just like them to have more consistency, and that's a comment that's across the board with Microsoft. They change things a lot.

I probably started diving into Microsoft Defender about two years ago.

Stability-wise, I have not had another product that has been as stable and has had fewer issues. It's amazing.

The solution is scalable. For example, I helped a 12,000-person company put it in and automated it without any issue.

In terms of technical support, I have not had to call them related to anything on Defender for Endpoint. I'm a CSP, so I'm calling and I'm getting different assistance than, say, a home user. That said, at the same time, it really depends on if you're getting level one or level three support.

The initial setup is very straightforward. There's a lot of people putting it in that don't understand it, however. They're not using device groups and auto-remediation settings.

I do a lot of security reviews as well, and what I find is that, although it works well out of the box, there are missing components. Another thing is that people will basically use the product, and yet, not set up the integrations with Cloud App Security and Endpoint Manager. When they do that, they're not getting the full functionality of it. I, on the other hand, know the system, so I see people often having trouble with it. If people are trained or go through training, they would be able to get the full functionality out of it.

I can't give numbers, however, for the price, when you're increasing from an E3 to an E5 license, the amount of features you get eliminates a lot of other systems. Therefore, you do get a pretty good ROI. On top of that, you only have one management system and one reporting system. Overall, the numbers have been quite impressive.

I don't know the standalone costs. It is my understanding that the M365 E5 is $56 a month or something close to that pricing. That would be for the full suite. Just Defender might be $8 a month. I can't say for sure.

I'm a consultant. I primarily work with Microsoft and I do the threat management and check vulnerabilities on the database. I'm looking for something that is not super expensive yet covers vulnerability management and where you can pick the products, and pick alerts, and you get a weekly digest report, just so that we can better manage everything.

I work with pretty much all of the 365 products. I'm pretty widely experienced in Defender. I work for a managed service provider. I'm one of the people that's, besides having my Microsoft Azure architecture, Azure security, Microsoft 365 expert level, plus M365 security knowledge. I focus on Azure and M365 security.

For Microsoft Defender, the product is cloud-based, therefore it is managed and it's updated constantly.

I would advise users to take advantage of Microsoft integrations. I would suggest that they put it all together, so they can use it as a full bundle.

I'd rate the solution at a ten out of ten.

Our use cases, and the way we deploy it, depend on the different situations we encounter.

There may be a company that is already using the Endpoint Protection solution and we have to do a migration.

Another scenario is that a company may be migrating away from another endpoint threat protection solution.

And there are some companies that are already using SCCM, and we may have to go through one of two scenarios. One is to co-manage with what they call Microsoft Endpoint Manager and Configuration Manager. If they are already using SCCM, and only SCCM, we will typically have to go through a process where we integrate SCCM into Endpoint Manager and then they'll usually bring some endpoints into Intune and they'll do a PLC. They have to Azure AD-join or register a device into that so it can be managed through Intune. They may even co-manage it for a while until they fully onboard into Intune only. A lot of people are looking to get away from co-management and managing through Endpoint Manager. But there are some prerequisites to accomplish that.

The endgame for most companies is they want to manage things from Intune only. There are different paths to get there, depending on what they already have in place.

Overall, Defender for Endpoint has created a better security posture, particularly in these COVID times where no one is on-premises anymore and they're working remotely.

More than anything, what I find most valuable is the holistic integration with all Defender products and MCAS. You can not deploy this in a vacuum. It's like most Microsoft technology. If you want to do a Zero Trust model and framework, you have to deploy things in a holistic solution.

Among the new features I like is that you can ingest your Defender events directly into your SIEM/SOAR product, particularly Azure Sentinel, although not a lot of people are using that and you don't have to be using it. You can ingest them into any SIEM/SOAR product directly.

There are features that have helped improve a company's security posture, now that remote work has come into play. Microsoft had to come up with a solution because identity is the new security plan. The largest attack surface is going to be your endpoints, so you have to be able to control your endpoints. There is malware that can collect IDs and it doesn't have to be from privileged accounts, it could be from any account. Once they get in, then they can start looking around to see if there are any security holes, move laterally, and get a hold of a privileged account. And if they get a hold of a privileged then they can just turn off all your security controls and get to your data and you've got a ransomware attack. With Defender for Endpoint, it's the combination. Every one of the features in it is equally important, but the most important thing is integrating it with the other Defender products, to create a holistic solution.

The best feature is the fact that for certain mobiles you can control your corporate profiles versus your personal profiles. That is amazingly important. Apple just supported the separation of corporate and personal profiles, whereas Android has been doing that for quite some time. You are better off as an organization, when it comes to BYOD—because Apple just now started supporting separation of corporate and personal profiles—to start with the version that supports that feature. If you go below that level, you don't get that feature, and it makes it very difficult to separate corporate and personal profiles. Because Android supports that, if an Android phone is lost or stolen, I can wipe out all the corporate-related information from that phone and not touch the personal side. I can separate the apps and I can separate the ability to cut and paste between apps. I can cut the ability from sharing files between apps between the personal and corporate profiles. From a data loss prevention standpoint, I can completely segment corporate apps and data from personal apps and data.

Another feature is that it is now supported across multiple platforms, where it was regulated at one time for just Microsoft-supported operating systems. That development is very important.

There are a few caveats, things we have run into. It's not easy to create special allowances for certain groups of users. It can be a little heavy-handed in some areas where Microsoft has decided to lock a feature out, meaning they make it hard to make an exception. I'll give you two examples. One company we work with needed to use about 20 different thumb drives for about 20 users. To make that exception for them was very difficult. In fact, you can't really make an exception. But what you can do is allow them to use it and, while it will still alert, you can actually suppress those alerts. Another example was where a group needed to be able to go in and manipulate their PC ERP settings. To make an exception for them was also a difficult process. A lot of people have suggested that Microsoft should not, by default, make it so difficult by locking your ability to make exceptions.

Another issue is that when you implement this it is not a single solution in and of itself. You have to implement what are called security baselines for each platform. But Microsoft does not have security baselines, other than for its own products. That means that when you want to do a security baseline for say, iOS or Android, you have to depend on other security organizations' recommendations and set the security controls to create those security baselines for other platforms. You would typically use CIS. But when it comes to iOS, it's a real pain. iOS requires you to create a security baseline for every version of iOS. Android does not.

I've been using Microsoft Defender for Endpoint since it first came out. They bundled it into M365 licenses, particularly E5 licenses or the equivalent, around 2019.

Like every other security product out there, the stability of Defender for Endpoint is a work in progress. The solution is trying to address a tough problem and anybody will tell you that cyber security is not a fair fight. It's just incredibly hard to defend against the bad actors. Everybody is scurrying right now to come up with different ways to stop the problem and it's just not there yet.

In terms of scalability, we have run into organizations that are very large and that have said it doesn't scale well. I'm part of MISA, the Microsoft Intelligence Security Association, and we did a review of all their products and they all had scaling problems, including SIEM/SOAR, MCAS, Endpoint Manager, et cetera.

There are two "fronts" for anybody who is using a SIEM/SOAR: one is how fast they can ingest, and the other one is how fast they can make decisions. You want to do this in real-time, or near real-time.

The ingestion problem is that you're ingesting a bunch of stuff from everywhere: from the network, from identity, from all your services, and your apps. It's a crazy amount of data. Some organizations are doing on the order of 5 billion events daily. How do you ingest all that in a timely manner and correlate it? You have to do it in a distributed way. There will be a top-level SIEM/SOAR and several underneath it that are collecting data for a particular location or a set of users. You trim that down and eventually ingest stuff to the top so that you can see things from the holistic viewpoint. Or you decentralize it, where office A and all its users have their own, and office B has its own, and you don't necessarily roll it up into a single, corporate-wide solution.

There are products out there that are addressing this by not storing the events directly onto disk, but into flash drives, so they're super-fast. They never put it on a disk and save it. You can have the option of saving it to disk for long-term retention. But the immediate ingestion of events is happening through flash drives. It sits in fast memory, never gets written to disks, and that's how they're speeding things up. And there are AI/ML engines pulling that stuff in and they can act much faster.

In addition, some AI/ML engines are more mature than others. There is a lot of work being done on that front. When it comes to Endpoint Manager there are a bunch of events coming from a ton of endpoints. It's no different than ingesting events from a thousand database servers. Or they could be from your whole application reference architectures, and your data analytics reference architectures. Everybody sees the problem coming, the problem of big data. That's what we are really talking about. There is a whole lot of stuff coming in and we have to make sense of it, figure out what's relevant, have a scoring system and prioritization system to make decisions fast. For example, the bad guys are able to get into your systems and, within 20 minutes, they've already done an assessment. Usually, if you're lucky, you can respond to that in 30 minutes. And if you're a huge enterprise, you may not even be able to respond that fast.

That's the reason everybody says it's not a fair fight. We don't have the tools right now to react fast enough.

As for how extensively it's being used by our clients, anyone who is going to use it plans to use it as a one-stop solution. They won't be using multiple solutions and they will roll it out to every endpoint. It makes perfect sense to do so because you don't want to have multiple products and require your staff to have knowledge of multiple products.

For big corporations, it takes a little while to get there. It's something that has been evolving for 30 years now. Organizations want to settle on a standard desktop and want to be able to do configuration control that allows them to control the apps and the usability from a security standpoint. It used to be, "Let's make it easily usable." But now the industry is flipping that over to, "It has to be secure." The vendors have finally come to the point where the balance between usability and security is leveling out.

I've used multiple solutions in the past. We switched based on our customers' requests. Some do it for solution architecture reasons and some of them do it for enterprise.

The enterprise customers say, "Oh, we know we need Endpoint Manager, but we need to align a solution with our business requirements first. Before you even select a solution we are going to look at our business requirements, then do a bake-off possibly, and then select a solution." Or they'll just look at industry ratings of the solutions and say, "Oh, this is the best one," not knowing that those ratings don't necessarily look at every new solution out there. There are so many. We are a VAR and we resell hundreds of security and regulatory compliance products. Usually, unless they bring us in at the early stages of the process, our clients have already picked a solution.

The initial setup is very complex. To me, it's one of the more complex solutions because it touches so much. I have to know every platform and every platform version, when I create security baselines. As I mentioned, certain versions of iOS don't support the separation of corporate and personal profiles, and then you run into the scenario where they're already using some other endpoint protection and they want to migrate it to Microsoft Defender for Endpoint.

Or there is the scenario where they are using SCCM and to then use Microsoft Defender for Endpoint you should really require Endpoint Manager, meaning that you have to transition to that. And as I noted, making exceptions is hard. 

And when you integrate it across all the Defender products, and are managing a project like that, you have to get to a point where they're ready to be integrated, which is an issue of timing. So it's one of the more complicated things to roll out, compared to Defender for Identity. Defender for Office 365 is pretty large too, but Endpoint is the hardest of the three.

It even touches identity, because there are Azure Active Directory conditional access policies, and those are connected with Endpoint Manager. You've literally got to look at what policies and what setup within Endpoint Manager can apply to different versions of iOS. You have to dissect so that if you're going to do BYOD, for example, and allow a version of iOS from some early version and up, you have to understand that there may be some options that you can use with one version that you can't with others. It's much easier to do with Android than it is with iOS.

When you start heading down that path, it's a maturation process. You have to roll things out in phases. It's a very complicated product. Like with SIEM/SOAR products, when you start getting events, you could be flooded with them. You have to learn to tune it, so that you can differentiate the trees from the forest. You have to correlate things and automate your responses. That type of tuning process is a long process one to get the clutter out.

A product like Sentinel is pretty cool because it has predetermined workbooks, and predetermined manual and automated responses. It has playlists. They are making it very much easier to trim that clutter and to get to the nitty-gritty, and they have done so with Defender for Endpoint.

The deployment time, with fine-tuning, depends on the size of the organization. If it's a small or medium business, it could take three months to deploy and tune, and it could take longer; up to six months. It depends on many factors that I've mentioned, such as if they're migrating, or if they have an integration between SCCM and Intune. It also depends on the expertise level of the organization, its maturation level, and skill sets. All of that comes into play.

It also depends on their starting point in terms of some of the prerequisite services. You don't generally roll out Defender for Endpoint until you've got identity governance and protection. That's the first thing you do because everything is dependent upon that. After that, the prerequisite is rolling out Endpoint Manager, and then Defender for Endpoint. If it's a hybrid situation, you may roll out Defender for Identity so you can cover your Active Directory controllers and provide threat protection for them, although you can do all the "Defenders" in parallel; you just have to time them correctly so that when you integrate them together they're ready to go.

For large organizations, it could take a year or two. For example, if there are half a million endpoint devices—and that's possible if you have an organization with 200,000 employees and contractors, and each has a laptop and a mobile—it can take some time.

In terms of an implementation strategy, I have developed work-breakdown structures for just about every Azure service and almost every Azure M365 service. They look at working with them holistically, but they are broken down into each individual service and mention the other services within the work-breakdown schedule, and how you integrate them. The first thing I do is a current-state assessment and that gives me an indication of the readiness for deployment. The next steps are plan, design, deploy, manage, secure. There are strict sets of security controls and I have to gather every single one of those per platform. It's quite a long process. It follows the saying, "If you fail to plan you plan to fail."

As for staff required to maintain Defender for Endpoint, once you get it set up and tuned it's not too bad. It depends on the size of the organization again. If a business has 100 people, one person can do it easily. If there are a few thousand people, you may need two or three people. It often depends on your getting all the features rolled out. In IT it often happens that we roll stuff out and we always intend to get to that other piece but we just never get the time to do it. Many organizations are going to a lean staff and bringing in consultants to help roll things out. For us, as a contractor, it's great. Our business is booming.

Most organizations that we have come to want to replace their current endpoint protection solution for Defender. A reason many of them do that is that they aren't pleased with whatever they have. They may not know what features are relevant and just don't know how to roll them out. They realize, "Oh, I bought M365/E5 licenses, and Defender comes with them already. Why not use it?" 

Most people don't realize M365/E5 licenses are an amazing deal. They think "Oh, it's expensive," and I'll ask, "Compared to what?" If you don't have it you will have to buy licenses for multiple products to fill the same security space that you would have gotten with the Microsoft product. Go figure out how much it costs you per product, per user, and then come back and tell me how things add up financially.

If our client brings us into the process at the right time, we evaluate products for them, since we're evaluating products constantly. That's part of what we do. We have to know, through a deep-dive, the pros and cons of each. We are constantly being updated by our vendors about how they're addressing a particular security area.

Is Defender for Endpoint the best product out there? No, it's not. I can think of several others that are pretty amazing. It's still a product that's evolving, but it does a really good job for the most part. It does the best job when it is integrated with the whole Microsoft holistic solution. If you look at Microsoft's site, you will see what capabilities Microsoft has. They will show you how these products integrate and work together to give you a holistic solution to develop a Zero Trust model framework.

And while it's not the best solution overall, some of the pieces are. There are several areas where Microsoft is good or better than most, and then there are some weaknesses when you do Zero Trust. They don't have a secure web gateway product. Their MCAS or CASB product leaves a little bit to be desired. There are other solutions, in those two components of a Zero Trust model, that do a much better job. Zscaler probably has the bulk of the business but I'm a big fan of Netskope. There is Crowdstrike, and Forcepoint may be making some inroads because they just developed a new anti-malware technology. But none of them are going to be perfect because malware is a hard problem to solve.

There is also a new product I just reviewed for M365 Security that is pretty amazing on paper. Although I haven't actually kicked the tires on it yet, it looks really good and it's from one of the fastest-growing companies out there.

Think of it like this: If you don't buy E5 licenses or the equivalent with M365, you don't get Defender for Office 365. People don't realize that product is a kind of a split product. It's a multi-function product. It has some DLP pieces that work with MIP and it has some pieces that work with the Office 365 outlying suite. It's a little bit of a funky product.

But one of the things it has is a part of your Exchange Online protection. Without it, you don't get the features like anti-spam, anti-virus, safe links, and safe attachments. That combination addresses what is called a combined attack. You get an attachment and the attachment may have a link in it, or you get an email that has a link in it. They all look legitimate. If someone clicks on it, it takes them to a malware site, and bam! You just downloaded it into your computer and now endpoint protection comes into play.

Eighty percent of malware is still spread via email today. That's how they attack you. They're trying to penetrate your apps and they're even trying to penetrate your M365 online apps. This product works inline and they've already proven that, even with Defender for Office 365, there are still malicious messages getting through. The bad actors figure out how. They actually buy the product and figure out where its weaknesses are and they attack it. Because it's such a popular product it's the one they're going to target. It has the biggest attack surface. They've been attacking the weaknesses of M365, particularly the Exchange Online protection and all the weaknesses in Defender for Office 365. They've just been clobbering it. We're having a lot of people say to us, "Do a security assessment on our M365". All I can tell them is that it's not their problem as much as it's the product's problem right now.

Microsoft is trying to address things as fast as it can, but it's going to take months to get there. But here is another product you can add on that can help you fill those flaws. What this other company has done is that they've said, "We'll fix those flaws for you and we'll make it an easy process to do so." Usually, the circumstances in which you need an email security gateway is when you don't have an E5 license. But now they're even attacking that. And when that happens you have to change the MX record. With this new product that I've read about, you don't have to do that. It just supplements the weakness of M365, not only in Exchange Online protection but throughout all the other apps, like Sharepoint, Teams, and OneDrive. That's pretty impressive. And it works with all those products easily, without change in administration or training. It installs in minutes. I was floored when I saw that.

The organizations I have worked with that are using Microsoft Defender for Endpoint are mostly small- and medium-sized businesses. Our larger customers are generally not using it.

There was a service built within our organization, a service that is very much hooked in with CrowdStrike. If you've ever seen the CrowdStrike products, you'll understand why. They are pretty impressive products. They do some things that help them see malicious activity in near real-time. Can they react to it in near real-time? No. But like everybody, they are trying to find a way to be able to react faster. They just bought a company called Humio, which is a SIEM/SOAR product I referred to earlier that does not store events directly to disk, so it can act on things much faster.

Used alone, I would rate Defender for Endpoint a seven out of 10. When integrated with other Microsoft products, I would give it an eight. It really depends on other pieces of the solution for Zero trust to work properly. It won't work well if you deploy it by itself. If you're going to use Defender for Endpoint, you should also use Defender for Identity, Defender for Office 365, and the full gamut, including MCAS and MIP, and then you will need your SIEM/SOAR. It's a long journey. And you had better have done your identity very well. If you haven't, it won't really matter what you throw in place, once they breach your identity plane. That's the most important one. I can put every possible safeguard in place, but if someone gets the keys to the kingdom, I might as well just turn them off.