Microsoft Defender for Endpoint Reviews

The solution is primarily used for securing endpoints, mainly desktops and laptops.

We're taking the adoption in phases. We started with endpoints and we want to expand into other capabilities at the application level.

We've mainly used it for endpoints. However, we've also used it for DLP as well. We're also in the process of implementing it for cloud and identity as well. However, it's very good for endpoints, and that's our main focus. 

The malware protection is good.

The visibility it provides is very useful. We can combine visibility with wider security features and alerts around malware, misconfiguration, or any other kinds of threats. The cloud portal is quite good. From there, we are able to see alerts and have colleagues review issues and monitor to see if any patterns arise. It's serving us quite well overall. It allows us to look at other items, like application and browser control. 

It helps us prioritize threats. We have a process in place now where we can review issues and remediate them effectively.

We have been able to integrate a variety of Microsoft security products together. We use Azure AD, for example, and we've begun to implement DLP, among other items. We're looking at labeling and tagging and will expand into that soon. 

Defender has more stringent system requirements than, for example, Check Point. So when we implemented the Check Point Endpoint agent, that solution didn't mind what version of Windows you were using. When we moved to Defender, Defender had certain system prerequisites that had to be met. So we had to make sure that we're on a minimum version of Windows when we're utilizing Office, and Office has to be a particular version as well. It has more stringent system requirements that have to be met before you can implement it.

It works natively together with other Microsoft solutions. Once you get more and more of those different components across the environment, then you start to get better visibility. So, rather than having lots of different solutions, you have fewer solutions and a single vendor solution. That way, you start getting into a position where you get better visibility and integration as well.

The standardization is good. It's important. It's helping me with monitoring and learning.

Updates and upgrades are quite smooth and seamless. 

Defender helps us automate routine tasks. Quite a lot of Microsoft is straightforward for us now. Previously, we didn't have enough resources and were unable to look at the alerts. Having this in place makes things a lot more straightforward for us. We have both the technology and the people in place now, alongside the process. We do see the benefits in that, and that's why we're continuing our adoption across the estate in terms of client and server as well. 

It's helping us avoid looking at multiple dashboards and centralized monitoring. We're not fully there yet. We're getting there.

While we haven't witnessed time saving yet, once it's fully deployed, it will. By then, we'll have standardized processes across a single solution. We have saved money, however, as we continue to reduce non-Mircosft systems. Since we won't be using various competing technologies, we can save on licensing costs. We've likely so far saved 15%.

While it's hard to estimate exactly how much, the solution has helped us decrease time to detection and time to respond. 

We'd like to see integrations with more vulnerability scanning solutions like Tenable. It would be good to be able to compare both systems to threats that are arising. 

I've used the solution for the past couple of years. I haven't used it, however, on an active basis. It's not a solution that requires active engagement. 

The solution is stable. We've had no issues. 

We've had no issues with scaling. We're scaling up to just under 2,500 systems.

We haven't had much cause for raising tickets; however, largely support is very good. We did receive initial support during deployment and have a unified support agreement. It's simple and straightforward when we do need help. 

Neutral

We have used a Check Point solution as well in the past. We're moving away from other competing technologies. We had a number of issues with Check Point in terms of the mix of client devices and operating it in a VDI environment. It wasn't as reliable as we would have liked. It might have also been a resourcing issue - not just a Check Point issue.

In terms of the actual implementation, once everything is in place, it's quite smooth, and you see the benefits quite quickly as well.

I was not directly involved in the deployment of Defender. I was more involved in procurement. 

Defender is part of the plan we signed up for. Overall, it's part of a wider suite and is representing well, although it's hard to gauge how much of our overall licensing price is based on Defender as a product. It's part of a wider investment in Microsft 365. 

We have been through a merger in the last five years, so there were multiple solutions we were using, such as Trend Micro and Kaspersky, as well as Cisco, that we considered before deciding to standardize under Microsoft. 

We are starting to also use Microsoft Defender for Cloud. We have a small POC that we are getting off the ground. We have not yet explored bidirectional sync capabilities.

I'd rate the solution nine out of ten.

I would advise new users to just be mindful of system requirements. You do need to have a relatively up-to-date Windows estate. Take into account legacy considerations in terms of displacing other non-Mircosoft solutions.

We utilize Microsoft Defender for Endpoint as our EDR solution, which stands for endpoint detection and response. Through this solution, devices are integrated. If new vulnerabilities or novel attacks emerge, Defender for Endpoint promptly identifies them. It serves as our primary EDR solution amidst the variety available in the market.

The current surge in Defender for Endpoint's popularity is attributed to its real-time detection capabilities. Additionally, we can execute SOAR actions, namely security orchestration response. For instance, if we need to isolate a device from the network or run an antivirus scan on a machine, Defender for Endpoint facilitates these tasks.

Consider a scenario where one of the devices becomes compromised. During the investigation, if a malicious IP address is identified, it can be blocked using Defender for Endpoint.

Microsoft Defender for Endpoint offers excellent visibility. We can observe all the details regarding the attack process, such as the type of activity that occurred, including the entire MITRE ATT&CK framework. This enables us to view the initial actions, the device involved, the IP address used, and the extent of the impact on users and devices all through a single interface.

Microsoft Defender for Endpoint definitely assists us in prioritizing threats throughout our enterprise. Based on the signatures, the alert categories are related to high severity, medium severity, and low severity. Therefore, we can determine which alerts require our focus and prioritize them accordingly.

I am currently the Subject Matter Expert for Microsoft within my organization. This encompasses the entire Microsoft security suite. I specialized in working with Microsoft Sentinel. In the past, I was a part of the Microsoft Sentinel team itself, back in 2017 when Sentinel was in its pilot version, known as Azure Security Insights. 

It's very easy to integrate the Microsoft solutions. We have data connectors and APIs readily available. There are no difficulties. If we teach an unfamiliar person for a week how to use Defender for Endpoint and Microsoft Sentinel, they can likely gain insight into the basics of integrating Defender for Endpoint, Microsoft Sentinel, Defender for Identity, or Defender for Cloud Apps.

These solutions work natively together to deliver coordinated detection responses across our environment. When an incident is detected in Microsoft Defender for Endpoint, the same incident will be captured in Microsoft Sentinel within a few minutes. The integration capabilities with both Microsoft and third-party solutions are valuable.

The comprehensiveness of threat protection provided by these Microsoft security solutions is combined into a single interface. We can access all necessary features from one place. The combined solutions offer us User and Entity Behavior Analytics, Endpoint Detection and Response, on-premises, and cloud application security. While no single product can handle everything independently, by implementing basic security practices across all Microsoft products, we achieve a comprehensive threat detection system.

The bi-directional sync capability is a feature that allows us to enable safe devices in both Defender for Cloud and Defender for Endpoint.

Sentinel allows us to ingest data from across our entire ecosystem. If we are utilizing third-party firewalls or other products, we can employ APIs to integrate those solutions with Sentinel.

Sentinel allows us to examine threats and respond comprehensively from a single location. Within this location, we can utilize SOAR playbooks to accomplish different tasks, such as blocking all compromised email sign-in sessions with just one click.

Sentinel is a comprehensive security product, owing to its integrated SOAR, UEBA, and threat intelligence capabilities. UEBA employs built-in machine learning to identify users with high, medium, and low-risk profiles. The user interface also includes a feature that enables us to log out of the user. Threat intelligence has the ability to assimilate all access information from third-party solutions and identify threats originating from the internet. Sentinel consistently operates proactively to prevent compromises. 

I used to utilize Splunk back in 2015, but I have recently transitioned into being a Microsoft security advocate due to the cost optimization benefits. Microsoft Sentinel's pricing is based on the data we ingest. We have the flexibility to choose different models, such as the pay-as-you-go model or the bandwidth model. For instance, if we ingest 500 GB of EPS, we will incur charges for that usage; however, a 20 percent discount is applicable in this scenario. The pricing is directly linked to the amount of data we ingest, which is advantageous. I prefer not to ingest certain security events that are intended for operational purposes. By excluding these events, I can effectively reduce the overall cost of using Microsoft Sentinel. Additionally, being a cloud-native tool eliminates the need for any physical hardware. With just one click, the entire installation process is completed.

There are three ways Microsoft Defender for Endpoint has benefited our organization. The primary advantage is the optimization of our organization's scanning process. We have established a bi-weekly scanning process that runs at midnight, encompassing all machines. This stands as the foremost enhancement. The second advantage revolves around obtaining visibility into vulnerabilities within our environment. Considering our role as an MSSP, responsible for managing over 25 clients, this visibility holds paramount importance. Within Defender, a particularly noteworthy feature is the enabled management. This provides us with the latest information regarding vulnerabilities within Microsoft products as well as third-party software. The third and final advantage pertains to responding to emerging threats. For instance, in the case of a new attack, such as the recent CVE 3688, which targets a Microsoft Office vulnerability, including a zero-day exploit lacking an available solution, our Microsoft-oriented threat intelligence block comes into play. Through custom query languages deployed within Defender, we have the capability to identify anomalous activities. Additionally, this third point ties in with the Application Guard rules. These rules have proven instrumental in proactively preventing ransomware attacks. They operate by automatically obstructing any suspicious processes occurring within the Office environment.

Defender for Endpoint assists in automating routine tasks and identifying high-value alerts. We have APIs established, allowing us to develop our own dashboards using the Defender for Endpoint APIs. For instance, we can utilize Power BI to generate a security report, providing a comprehensive overview of the organization's internal activities.

It has eliminated the necessity for multiple dashboards. This pertains to the MXDR dashboard, which stands for Microsoft Extended Detection Dashboard, as well as the Detection Response Dashboard. Essentially, we have consolidated these into a single comprehensive dashboard, developed entirely by Microsoft. This unified dashboard streamlines the process of accessing organizational insights. As a result, there's no longer a need to access different security products to view their respective dashboards. Within Defender for Endpoint itself, we offer an array of security reports, all conveniently accessible with just one click. For those who may not find the reports relevant, we also provide the option to utilize our in-house developers for Power BI integration. This entails having a centralized dashboard where data from all products is collected and displayed in one location, facilitating a holistic view of security reports.

The integration into a single dashboard has simplified our security operations. Previously, our team had to perform numerous manual tasks for all customers. Therefore, with automation, when we present the report to the customers, they are quite impressed with having everything in one place. 

Microsoft Defender for Endpoints' threat intelligence assists us in preparing for potential threats before they materialize, enabling us to take proactive measures. We identify these proactive threats due to the presence of a threat entry system. If any IOCs are obtained, they are undoubtedly identified by Microsoft Sentinel. Moreover, we have set up indicators ingestion for Defender for Endpoint. This process involves creating steps to acquire data from third-party sources and directly inputting it into Defender for Endpoint. Since Defender for Endpoint has a capacity limit of 15,000 indicators of compromise, we can only ingest data up to this extent. Any surplus data will be automatically removed, provided their IOC scores fall below 60 within a month. Consequently, new IOCs will replace the removed ones.

It has saved our organization around 30 percent of our time in terms of not having to worry about malware. When any malware does get in, it is automatically remediated. Now, the main portion of our time is dedicated to conducting in-depth investigations and identifying other occurrences.

We have cut our organization's costs in half compared to our previous solutions. This is mainly due to the automation of most tasks, which means we now only need ten people to manage 20 customers, a significant reduction from the 30 engineers we needed before.

Microsoft Defender for Endpoint has significantly reduced our time for detection and response. Our Service Level Agreement entails detecting issues within 15 minutes and responding within 30 minutes. Defender for Endpoint has greatly contributed to these time savings. The incidents that we used to address using Splunk required extensive coordination within our team and with our customers, leading to substantial time consumption. Previously, resolving a single incident took around 40 minutes. Presently, this process takes approximately 15 minutes.

The most valuable feature is the timeline, which allows us to view the details of an event 30 minutes before and after.

Forensic investigation is a valuable feature of Defender for Endpoint.

We can run the virus scan across our entire environment.

We can block suspicious URLs and quarantine malicious files within the Defender for Endpoint portal.

Some of the integrations that Defender should include involve the use of the web app. Utilizing the web app implies that the Defender API should be accessible through mobile devices as well. For instance, if there exists a mobile application, it would be beneficial. Let's imagine a scenario where I'm traveling and I receive a new alert. With a Defender mobile application, I could easily isolate the threat, conduct an investigation on my mobile device, or even automatically escalate or assign the alert to my engineers.

There are certain third-party apps that haven't been integrated with Defender. I would be delighted to witness the integration of those apps with Defender for Endpoint. 

The deployment of Defender for Endpoint should be made smoother via Intune.

I have been using Microsoft Defender for Endpoint for five years.

Microsoft Defender for Endpoint is stable.

Microsoft Defender for Endpoint is scalable.

The technical support is fine but it takes time to reach them.

Neutral

We previously used Splunk but switched to Microsoft Defender for Endpoint because of the cost and smoother operation.

With the proper training, the initial setup is straightforward.

When conducting customer onboarding, the deployment will require a minimum of three days. Therefore, we must ensure everything is executed flawlessly and follow security best practices. Emphasizing precise deployment is crucial. Hence, deploying without careful planning is not an option, aiming to prevent any issues in a larger environment. In contrast, a smaller environment can be deployed within two days.

For a large organization with over 5,000 employees, a team of up to six people is required for the deployment.

We are achieving a 15 percent return on investment, which is contributing to the growth and impact of our company.

If we are acquiring everything in a single place, the front end becomes cost-effective. We won't need to purchase five separate products for various tasks. Instead, it's one product designed for five tasks, which is certainly a cost-effective approach.

I rate Microsoft Defender for Endpoint an eight out of ten.

We also utilize Defender for Cloud. Defender for Cloud is employed specifically for the Azure product. If we have servers deployed within Azure, the system handles alerting, traceability, and security. Therefore, we certainly use it.

We have three locations where Microsoft Defender for Endpoint is deployed. One is in Australia, another is in Qatar, and the third is in India. Consequently, we employ approximately two hundred personnel.

No maintenance is required for Defender for Endpoint on the customer's end.

A single-vendor security solution approach is better than a best-of-breed strategy. We all are using Microsoft laptops and OS.

I recommend completing a POC before adapting Microsoft Defender for Endpoint.

The solution is used as an endpoint solution to provide a 360-degree portfolio around an endpoint. It acts as a next-gen antivirus. 

It’s included with the Microsoft licensing, so we don't need multiple licenses.

Microsoft is very effective in device control. If there is malware that is coming in, It is very quick to remove it. It doesn't let it gain a footprint on your drive, so that prevents further damage from happening to the endpoint.

This solution helps us prioritize threats across our enterprise. When we are looking at our current scenario, post-COVID, most of the employees of the clients that we are dealing with are remote. When it comes to remote, you can make sure that they're logging in to VPN, however, most of their time is online and we need a product that is actively protecting them even if a user is not on a VPN or a company network. This product integrates very well with Windows due to the fact that it's a Microsoft product. It's giving users the protection that they need while ensuring businesses don’t have to spend extra on licenses.

We are using other Microsoft products. Including CASB integrated with our endpoint. We’re also using Azure, for example, and Microsoft Defender for Cloud as well as Sentinel (although a different team manages it). We have seen a very hybrid kind of environment with one of our clients where they were using an on-prem solution throughout, and they were aiming to move to the cloud. It becomes very easy to integrate everything and move most of their infrastructure to the cloud. It does take time and effort, however, with everything integrated, you can get it done. Microsoft solutions also work natively together. That’s a big strength. Everything communicates seamlessly.

We have very good visibility on our endpoints. The level of information it throws back is helpful.

How long it takes to see the level of benefits will depend on the deployment. Our deployment took two months for one client. Within a month’s time, they started seeing the benefits. We had a substantial number of endpoints to roll out, however, we began to note benefits pretty fast.

Microsoft Defender for Endpoint helps automate the finding of high-value alerts. It still needs to mature a little bit. Overall, we are seeing very security-intensive products and Microsoft still has a lot to learn.

It helped eliminate having to worry about multiple dashboards. Now, we have one single dashboard where our team takes care of everything. That has been very helpful. It makes the team focus on one single product. That helps prepare us for potential threats before they hit. We get fairly decent visibility into what's happening. Since we have one single dashboard that is giving us all the information, it becomes very easy for the team to react to incidents as well.

Overall, the solution has saved time. Previously, while we were doing deployment, most of our time was spent figuring out how to handle the products that are not natively from Microsoft. We had to figure out how we could integrate to get the most out of our products. Now, with Microsoft, we have all the integrations present in one place.

On average, we’ve likely saved nine to 12 hours weekly just by having one single Microsoft dashboard.

We’ve saved money, too. Considering it comes under one existing license, we don’t have to spend money separately or buy another license to get all the features we need.

The solution decreased our time to detection and time to respond. Our turnaround is better. From the moment we receive an alert to the moment we close the case, we’ve seen a reduction of 18% to 20% overall.

The visibility of threats needs to improve a bit. It still has to learn a lot. Where we stand right now, compared to other products that are there in the market, they still have to work on their threat intelligence and the overall maturity of detecting the malware. Sometimes we have seen instances where they have wrongly identified the malware. That is something that we would really hope that Microsoft works on.

Microsoft has to improve the efficacy of the product further. When we are talking about a security product, there are minor frameworks and there are close to 145 different techniques that we are talking about. It broadly categorizes into types yet it doesn't drill it down to techniques, which gives us a very specific idea of what they are aiming for. 

I've been using the solution for the past one and a half years as a solution architect to design and deliver EDR solutions. 

The product is fairly stable. 

The solution can scale. We scaled up initially from 500 to 32,00 endpoints and it was fine. 

We've had to contact support in the past and found them to be very effective. They are knowledgeable in their approach. However, the tasks can be a bit time-consuming.

Positive

We are using CrowdStrike, Palo Alto XDR, and a lot of different products. The client using CrowdStrike may have moved to Defender based on the cost.

The initial setup was simple. 

There is a bit of maintenance required around data retention. It has a data retention period of 80 or 90 days depending on the configuration. We make it a habit of filing data for compliance purposes. Two to three people are normally involved with the maintenance aspect. It's not resource-intensive. 

We are the third party. We help clients implement the solution. 

We have witnessed an ROI. 

The product is very cheap compared to other options. It's very affordable, which is why Microsoft is gaining a foothold in terms of client acquisition.

We're a Microsoft partner. 

I'd rate the product seven out of ten. 

You can spend a lot of money to get a very specific security tool, however, if you don't have the money, Defender does a pretty good job for you.

We use Defender for endpoint security, firewall administration, and antivirus. 

From an administrative perspective, Defender provides a single pane of glass for us to look at compliance throughout the company and for the customers we recommended it to. That's probably the most significant piece. The governance and policy features work together for us because we can easily provide the self-attestation that we need for the federal government.

Automation at this point, as I understand, is a lot of one-offs. It depends on the particular console that you're looking at. I'd love to have them integrated. I understand that there's a larger solution for that, but it's challenging to figure out a cost estimate of what it would take to get it up and running. The automations are often tied to the separate Defender products and not always integrated, but we're still shy about buying the larger product and integrating all the logs. 

Defender for Endpoint saves time by making administration more manageable. It's at least four hours per month per administrator. We save money with Defender because it's packaged with other Microsoft solutions. It's $20 to $60 per user annually, depending on the suite you're getting. 

I like that Defender is integrated and doesn't have a third-party payload trying to advertise subscription renewal. I don't get spam because of it. Regarding visibility, no one has their finger in as many operating systems as Microsoft. No one has the platform or deployment profile that Microsoft has. Microsoft can outshine any third-party vendor when it comes to visibility.

The interface isn't necessarily intuitive to a nontechnical person. You can get stuck in the little endpoint security portal. Sometimes, if you uninstall a competitive product, the end user doesn't always know if it's running or if they're protected even though it's silently running. There could be a notification, widget, or something that's resident on the screen for at least a bit, especially if you're doing remote support. You want to talk them through it, but sometimes, we're not allowed to look at the PCs we support.

I'd like them to improve visualizations for people higher up the reporting chain, such as potential purchasers, directors, VPs, and CEOs. They have little time. They want to see red, green, and yellow lights or some other type of visualization. It would be great to have this functionality out of the box without a lot of custom development.

We're learning about the AI Security Co-pilot. I'm unsure how it integrates, but I'd like to see it integrated. I'm an administrator, so I don't look at the logs constantly, but patching is critical. I would love to see the percentage of PCs patched in a given period. Reporting and alerts are crucial issues. When an alert needs to be triggered, we'd love to see some events flush up.

We often have to wait for and do a report until we find what we're looking for. It would be nice to sort of set it and forget it or have a community board of plugins that we could download and say, "Here's the meantime to resolution for x, y, or z policy or some policies that we could potentially integrate.

I have used Defender for Endpoint for seven years. 

I can't think of any ongoing issues that we have other than our own internal minor configuration. I don't know if this is in there, but I would love the ability to see how we're deployed and get recommendations.

Defender is scalable. The solution covers multiple locations and departments. We have about 100,000 end users. The departments vary in size. 

I rate Microsoft support six out of 10. They're responsive and willing to help. I have no problems with their customer service. However, it's sometimes difficult to find a technician that understands your issue. Sometimes, when you try to do self-service with Microsoft, it refers you to a third-party website for support ideas and stuff. That's absolutely bizarre. Why would I trust a third party linked from the Microsoft community forums and things?

Neutral

We were using Norton Antivirus, but we switched because we were familiar with Defender. We had Defender running on our home machines, and we had positive experiences because it didn't noticeably slow our machines. It was fairly intelligent at what it did. Sometimes, you feel a little restricted by a few of the things that it may not have. But in the end, I don't think that we're missing anything that we didn't already have in the product.

Defender is typically bundled with 365 packages that the customers are already buying. We haven't done an in-depth ROI for right. Often, we leave the customer to make those decisions even though we can point to tools like that on the web or allow an analyst tool to do that type of work. 

We looked at Norton, McAfee, and another one that I can't recall. Ultimately, our decision primarily came down to integration into the system. If it's integrated, it isn't overwritten by the security patch, and it doesn't add to the payload we're already sending down to manage the PC. We wouldn't use it if the quality wasn't there, but all else being equal, it's always easier to use an integrated solution from a single vendor.

I rate Microsoft Defender for Endpoint nine out of 10. 

We use it as an Enterprise Detection and Response (EDR) solution. We use it for compliance purposes, and we are starting to use it for DLP purposes.

Microsoft Defender for Endpoint allows our threat hunting and threat remediation teams to reduce the footprint of viruses when they come on the network.

We have immediate visibility on all endpoints. It is very good at visibility.

For prioritizing threats across our enterprise, the threat-hunting system in Microsoft Defender for Endpoint is not top-notch. We usually integrate it into things like our SIEM or Sentinel or other things to prioritize or our SOAR system to automate.

We can feed the alerts coming out of it into our XSOAR system to immediately act on events versus waiting until people see them and use the ticketing system.

Microsoft Defender for Endpoint has saved us time. It has saved us at least 40 hours a week. We are able to automate and have the ability to handle threats on an enterprise with 50,000 devices.

Microsoft Defender for Endpoint has not saved us costs. It is a Microsoft product.

Microsoft Defender for Endpoint has reduced our time to detect and respond. By going from a manual process to an automated process, depending on the severity, the time reduced has gone from minutes and days to seconds.

The endpoint detection of threats is valuable. The initial detection of things like ransomware and viruses and being able to shut down machines immediately and stop a threat is valuable. We can stop a threat at a source versus allow it to propagate it across the network.

The product itself does not necessarily need improvement, but the support and implementation of the product are the disaster cases. Instead of being able to go back to Microsoft and ask how to do something, we have to work with a vendor who does not exactly know how to do that and has to go to Microsoft to say, "How do we do this?" so that they can answer our questions. There are a lot of things in relation to various compliance standards such as CIS. The primary levels of support of Microsoft do not know or cannot implement that. Working through vendors is time-consuming. It is a painful process to get back to them to get the answers.

I have been using Microsoft Defender for Endpoint for three years.

We have never seen any downtime in it, so it is incredibly stable.

It is incredibly scalable. However, its ability to bind things into the groups on its dashboard is limited. You can see your 50,000 machines empire, but dividing it into regions, and dividing it into subgroups and management areas is very limited.

It is deployed across the world. There are 250 sites worldwide with 50,000 devices.

I would rate their support poorly. I would rate them a two out of ten.

Negative

The history would be a Symantec product, but I do not remember what it was. Then we went up through Azure ATP to Microsoft EDR. 

I was involved in its deployment and initial setup, but I was not a part of PoC at the time. The deployment was very easy. We pushed it out with SCCM.

Our implementation strategy was PoC, small user groups, and then wide or regional deployments.

We have on-premises and cloud deployments. It is an endpoint protection platform. It goes on any endpoint that we have or that we have running. It could be an endpoint that is sitting in the cloud. It could be an endpoint that is sitting on-prem. We use Azure, GCP, and AWS. There is also some limited rack space from IBM.

We used CDW.

We have reduced man hours using the product. We have definitely been able to leverage automation with it more than other products that we have used previously and other products that we are using.

I recently switched from education to private business, and all I can say is that private business licensing from Microsoft is not cheap until you hit certain quantities or scale. That does not mean that it is not comparable to other industries. It is similar pricing, but it is still crazy to me how much you pay for a client. I feel it is high, but it is in line with other vendors.

We evaluated Cortex XDR, Carbon Black, and QRadar or whatever that solution was from IBM.

The Microsoft ecosystem is the main difference. Everything under the umbrella of the Microsoft security toolkit makes life easier when all the systems talk together nicely.

To those evaluating this solution, I would advise first figuring out what your needs are. Figure out what levels of granularity you need in the system to see if it will support your needs. For example, if you have something like department-level control over devices, you might want to look at another system versus a central security solution that controls all devices. Beyond that, make sure your machines have the resources necessary to support the features you turn on in the environment. A lot of the resources in Microsoft Defender for Endpoint can be shut down for slower machines and older machines.

I would rate Microsoft Defender for Endpoint a solid nine out of ten.

Microsoft Defender for Endpoints supports any changes to file permissions, file access, and modifications to file delivery, as well as anti-virus and anti-malware protection. We enable Microsoft Defender on subscription. We depend on the solution for anti-malware, antivirus, and threat protection.

Regarding visibility into threats, Automatic integration enables Microsoft Defender on the level of subscription on the virtual machine. On the level of resources, and OS services, the direct integration between Azure Resources and Microsoft Defender is very smooth. The solution is perfect compared to using third-party software such as antivirus, Symantec, or any other option. We may face some issues in some integrations, but Microsoft Defender for Endpoint integration with Azure Resources is much better than trying to integrate with other solutions.

We use additional Microsoft solutions such as Gateway which is automatically integrated with Microsoft Defender by enabling it from the portal.

The integrated Microsoft products we are using work together to provide a coordinated detection response. The logs are all integrated and sent to a Log at network spaces. Level network spaces and Azure Monitor are already integrated with Microsoft Defender, and if an alert appears in the environment from a firewall, the web, or any other security component, it will automatically generate a security alert on Microsoft Defender. Microsoft Defender becomes the interface or supporter that manages all the security alerts in the environment.

All of our subscriptions are on the Cloud. We don't use anything on-prem. Microsoft Defender is a portal that manages all Endpoint Defender resources in an environment. This includes Defender for Endpoint on virtual machines, Defender for Cloud, Defender for App Service, and any other Defender resource.

We integrated Microsoft Sentinel with Defender Endpoint enabling us to ingest data from our entire ecosystem.

We utilize the interface for our Security Environment. We don't install any other third-party products such as Microscan at the outset, but we are a partner of Microsoft, and we only use Microsoft products.

We act according to the automatic alerts triggered by the Microsoft Center.

Microsoft Defender for Endpoint helps us eliminate the need to look at multiple dashboards by automatically providing one XDR dashboard to show the security score of each subscription and the vulnerability that needs to be remediated for each resource.

Having a consolidated dashboard allows us to address the vulnerabilities that automatically appear on the portal sooner using the recommendations provided by the solution.

Microsoft Defender for Endpoint automatically protects our environment once a virus or malware is detected without any action from our end.

Microsoft Defender for Endpoint has saved us time detecting viruses, but we still have to manually manage any viruses related to the Windows updates batching in order to fix vulnerabilities on a monthly basis.

The solution has decreased our time to detect and respond to threats. Microsoft Defender for Endpoint should secure the environment automatically. We just act when any threat is detected on the back end by the SOC team.

File protection is the most valuable feature. Antivirus security on the Level OS, Microsoft Defender, and Microsoft Guard for 2019. 

Threat protection is a critical part of Azure security and is managed under the umbrella of Microsoft Defender. All threat protection services work directly with the Microsoft Defender agent or the Qualys vulnerability scanner.

Microsoft Defender for Endpoint is enabled on the machines to automatically route tasks and help us automate the findings of high-value alerts. The alerts appear on the security alert under the Microsoft Defender for Cloud.

The solution should be updated by Microsoft with new features from time to time. The backend may have been changed to be more stable and secure, but there have been no major changes to the portal itself.

For the next update, I would like a link that connects directly to the resource, instead of having to connect manually. This will make it easier to identify any issues related to App Service.

I have been using the solution for four years.

The solution is stable.

The solution automatically scales to our requirements and we currently have plans to scale up.

The quality of Microsoft's technical support depends on the service type. Some services are okay, and some are not. Sometimes we open a case and get the result the first time, and sometimes it takes more than one session.

Neutral

The initial setup is straightforward and takes about an hour.

We enable all subscriptions, which come with free basic services, and we can upgrade to premium services by selecting the required resources. If we have Azure Sequel, or infrastructure, such as virtual machines, we enable it at the virtual machine level. We enable services according to the current resource.

The implementation was completed in-house by a team of two people.

Bundling our Microsoft products is more effective and cost-efficient.

The license cost is around $35 per machine, which is not expensive compared to other products. In addition to the solution's license fee, Azure DevOps Standard costs around $30,000. I believe this is too expensive and hope that the cost can be lowered in the future.

I give the solution a nine out of ten.

The solution is used for a website and is deployed in one location. We have 1,000 users.

Maintenance is completed once a month for batching the products in the environment for Sequel, SharePoint, and Microsoft products. Two people are required for the maintenance.

Microsoft Defender for Endpoint is a very good solution. I recommend the solution to others and suggest using only Microsoft products in order to receive all the support from one place.

We use Microsoft Defender for Endpoint as an enterprise security solution.

The visibility is great. For example, Microsoft Defender for Endpoint's portal has a section called threat analytics. There's a threat intelligence box. So all new threats and trending threats are visible. If any of our devices in our organization are susceptible to this threat, the solution will let us know because it searches for that specific particular vulnerability, which can be exploited. The Microsoft threat analytics tool gives us that type of visibility into the threats that might affect our organization. For example, the threat analysis updates every half hour to one hour with the top ten latest threats. The scan tries to ensure that these threats don't belong to our organization and if they do, it identifies the infected device. Microsoft Defender for Endpoint makes a lot of security recommendations when we onboard it to quarantine a lot of security recommendations that help to improve the security posture of our environment.

Microsoft Defender for Endpoint assists our organization in prioritizing threats across our enterprise by providing security recommendations based on the weaknesses in our organization. It includes a department that provides management licenses and uses analytics to identify high-priority threats in our environment. This is connected to a common protocol that assigns a priority level of five to devices with vulnerabilities, indicating what actions should be taken. Thus, we have all the necessary information in one place.

Prioritization is crucial because there is a possibility of a high-priority threat entering our environment. This is how the solution determines the priority of threats. For instance, if one of our high-impact business devices is vulnerable to a top-priority security five threat we need to address it first. Alternatively, we may choose to address the sixty computers with a level two or three security threat, which are mostly associated with lower impacts. Therefore, prioritization aids in determining which critical business infrastructure requires immediate attention.

There are several lines with multiple solutions, but Microsoft offers a comprehensive solution with its E5 license. This license includes a wide range of features such as purview information protection, data protection, and other business-related tools. In my previous experience, I have noticed that some organizations utilize multiple Microsoft products, such as Defender for Endpoint, Identity Management, Defender for Cloud Applications, and Defender for IoT. This combination of different products can be quite useful.

Microsoft Defender for Cloud on Azure can be easily integrated with Defender for Endpoint, including on-premise solutions that can be onboarded to Azure with different subscription values. The integration will already onboard it to the device with Defender for Endpoint, along with additional features such as Just-in-Time Access, Defender for Vulnerability Management, and Control Sign-in Monitoring. These features provide robust cloud security monitoring and can be added to Defender for Endpoint. Moreover, Defender for Cloud is integrated with Defender for Endpoint portals, enabling a one-stop shop for onboarding devices with all the cloud posture management required for a single computer or software. This integration is highly beneficial, and other applications can be similarly integrated.

It is easy to integrate Microsoft Defender for Endpoint with other solutions.

These solutions seamlessly integrate to create a zero-trust platform, as offered by Microsoft. This platform ensures protection from various threats such as networks, applications, and infrastructure, with the added benefit of Microsoft Sentinel. The Sentinel tool combines threat analytics from multiple sources into a user-friendly workspace, providing optimal productivity. Additionally, sending logs from any of these products, including Sentinel, to the cloud connector is a simple process.

The integrated Microsoft security products offer comprehensive threat protection, such as Microsoft Defender for Office. With these products, our office is now able to identify and address email threats in a single platform, instead of checking each platform individually for application, identity, vulnerability management, and endpoint security. Moreover, these products can be easily integrated into a single workspace solution. With the help of pre-existing methods in Sentinel, we can efficiently handle a large number of alerts that we receive. Rather than going through each alert individually, we can activate a playbook that provides solutions for common alerts and takes actions in parallel to resolving them. This integration simplifies the process of achieving a complete security solution.

When we transition from on-premise servers to Azure ARC resources and activate Defender for Cloud Applications, it becomes easier to manage our servers from different networks, especially when it comes to security features. For example, we can check the compliance of our devices and organization with PCI DSS or other security protocols. Running compliance checks during the transition while syncing data with a different SL Cloud provides us with a significant amount of data and valuable information, including recommendations for improving compliance. This process involves bi-directional communication between devices, the cloud, Azure, and different network clouds.

Microsoft Sentinel allows us to easily ingest data from our entire ecosystem.

Microsoft Sentinel allows us to investigate threats and respond holistically from a single platform. Sentinel is both a SOAR and SIEM solution, meaning we can perform responses, but we must create a separate playbook for them. The default method may include some pre-built responses. The most important aspect is that if our company uses SentinelOne instead of Defender, we can still easily send logs through our Sentinel Workspace using API calls. This can be accomplished with a few connections, and we can create our own playbooks for different types of alerts. For example, if SentinelOne is not sending data, we can generate alerts of this type and respond accordingly. This significantly reduces user effort.

The security protection offered by Sentinel is extensive. It can be integrated with any Microsoft solutions, including information protection, and can be connected directly to Microsoft's threat intelligence sources and other resources. This allows for comprehensive protection.

Our clients have reported that Sentinel's cost and ease of use, in comparison to other stand-alone SIEM and SOAR solutions, are favorable. They find the user-friendliness of Sentinel to be worth the cost.

Microsoft Defender for Endpoint assists in automating routine tasks and identifying high-value alerts. We can automate actions based on the alert's sensitivity, and in case we are uncertain of how to handle those alerts, we have the option to seek assistance from a Defender expert. This feature is particularly valuable, as it can provide guidance in identifying and investigating such alerts.

Microsoft Defender for Endpoint helps eliminate multiple dashboards by giving us one XDR dashboard.

The solution's threat intelligence helps us detect and respond to threats proactively by identifying suspicious behavior.

Microsoft Defender for Endpoint has been instrumental in saving us time by alerting us about potential threats and automatically guiding us through the necessary steps to eliminate them. The solution logs all the actions taken, saving us from having to spend valuable time retracing the steps.

By detecting threats in advance before they can propagate, Microsoft Defender for Endpoint helps our organization save money. The tool helps to identify potential security risks early, preventing their escalation and the associated costs of mitigation.

Our detection and response time has improved. This is thanks to Microsoft Defender, which has Endpoint Detection and Response capabilities. Before, we used to manually create policies to address security incidents, but now the system can automatically remediate issues without us having to intervene.

The most valuable aspect is the information, specifically the automatic investigation of packages. For instance, during an automated investigation, data and information are collected. Additionally, there is an encapsulated view that shows the origin of the package, how it was propagated, and any blockages or attacks that may have occurred. The most critical factor is the information gathered regarding various types of incidents, including how they are mapped and propagated, and what actions should be taken in response.

Creating antivirus profiles for Linux is a more challenging task compared to other operating systems. The profiling method currently in use is not very user-friendly and has ample scope for improvement.

I have been using the solution for over four years.

Microsoft Defender for Endpoint is stable.

Microsoft Defender for Endpoint can scale effectively to meet the needs of our environment, regardless of its size.

The technical support team is highly knowledgeable, and in cases where they are unable to provide a solution, they escalate the issue to the second level of support. Their services are available around the clock, and if the assigned representative is unavailable, they promptly transfer the ticket to another capable person to ensure a seamless resolution of the issue.

Positive

I previously utilized SentinelOne, Kaspersky Endpoint Detection and Response, Symantec Endpoint Detection and Response, and Carbon Black CB Defense. However, I find Microsoft Defender for Endpoint to be more user-friendly than the other solutions. The information provided by Defender is valuable, and the deployment process is easy. Additionally, it offers several valuable features.

The complexity of deployment depends on the client's environment. The number of people required for the deployment depends on the number of servers the organization has. For example, in a deployment of 700 workstations and 500 servers, one full-time and two part-time consultants are required.

We implement the solution for our clients in-house.

We experienced a positive return on investment by using Microsoft Defender for Endpoint. This solution allows us to streamline our operations by consolidating all necessary components under a single umbrella and eliminating the need for additional vendors and extra costs.

Microsoft Defender for Endpoint is included with a Microsoft E5 license.

I give the solution an eight out of ten.

The most cost-effective and user-friendly option for security is a single-vendor security suite. This approach also eliminates the need for multiple integrations.

I recommend that organizations avail themselves of Microsoft's trials and demos, and compare Defender with other solutions in their environment to determine the best fit. With a Microsoft E5 license, organizations can access all of Microsoft's solutions and use whatever they need.

We use Defender for Endpoint to secure our Windows 10 endpoints and Windows servers. We use Microsoft Defender as an antivirus, and we also leverage the EDR capability. If any malware or threat is present, Defender can take action on those threats and remediate if there are any malicious actors present in our environment.

It is deployed on-premises, on the cloud, and on multi-cloud solutions like AWS on Azure. We have a diverse, global environment with devices or servers in Europe, the US, and the Asia-Pacific region, except for China.

One feature I like the most is vulnerability management, which shows any vulnerable software or OS present in my environment. Microsoft Defender for Endpoint provides a complete overview and also recommends the steps to mitigate the vulnerabilities or threats. Most of the other antivirus or EDR solutions generally don't provide vulnerability management. It is an add-on that Microsoft Defender for Endpoint provides.

Also, because of this solution's EDR capabilities, we can determine what we want Microsoft Defender to do and then automate the entire process. We have already enabled these automated response capabilities and are leveraging them.

The visibility into threats that Microsoft Defender provides is very detailed. If we want to investigate how a threat was initially integrated into our environment, we can do that with a detailed activity timeline. It will be across the servers or Windows Endpoint, so we will be able to see the correlation and gain a complete picture of any threat within that timeline.

It helps us prioritize threats across our enterprise to a certain extent. Whenever there is a threat, we'll get a risk score along with the level of severity. We will then be able to see whether the threats are of high, medium, or low severity and can prioritize them accordingly.

Prioritization is really important to our organization because with 100,000 people working, we see an immense number of threat alerts including phishing, identity, and other kinds of threats. We have a limited number of people working in security operations centers, and we may see 30,000 alerts come through. Therefore, it's very important for us to prioritize those alerts so that we don't end up working on threats that are not important and miss critical alerts.

Along with Microsoft Defender, we also use Microsoft Defender for Cloud Apps, Microsoft Defender for Cloud, and Microsoft Defender for Identity. Integrating these products is quite simple. You just toggle the button, and the integration will be turned on. Once you have turned on integration, you will see feeds from the other portals. That is, if I get something in Defender for Identity, then I will be able to see relevant items in the Defender for Endpoint portal as well. It's out-of-the-box integration, and no additional measures are required.

These solutions work natively together to deliver coordinated detection and response across our environment. They work in the background and share common intelligence with each other and provide correlated feeds within these portals. They provide comprehensive threat protection.

When the integration is in place, it eliminates the need to look at multiple dashboards. Initially, we used to have different portals for incidents, but now, we have one central console. We can see alerts and incidents from Defender for Cloud, Defender for Identity, etc. It saves us a lot of time because our analysts don't have to spend time looking at different dashboards or consoles.

In terms of preparing for potential threats before they hit and taking proactive steps, the feeds in Microsoft Defender for Endpoint help us detect zero-day vulnerabilities or any ransomware. The threat analytics show us what the current and upcoming threats are. I can get the indicators of compromise from that particular list and can prepare my team on how to act on those particular threats. It has helped us to become more efficient.

Overall, this solution has helped us save 30% to 40% of our time.

Also, our time to detect and respond has decreased by around 40 to 50%.

One major item for improvement is the ability to add exceptions. We can add some exceptions, but not at the level we need to.

The second major area for improvement involves enhanced capabilities for different operating systems or platforms. That is, even though we have coverage for different operating systems or platforms such as Linux, we don't get all of the controls and enhanced capabilities that are available with Windows devices.

Reporting could also be improved because, at present, we get limited results at times. For example, in an environment with more than 100,000 devices, you may just get 10,000 results when you run a report.

I've been using it for close to four years.

It's not very stable because Microsoft keeps making a lot of improvements as it's a new product. For example, today I might see something on one page, on another day, it might be located on some other page or portal. However, I have seen stability to some extent over the last couple of months.

It's definitely a scalable solution. Almost all of the users in my organization, close to 70,000, use this solution.

Technical support is an area that needs a lot of improvement. Microsoft does not have the right people who can help with any challenges or problems, and ultimately, we end up finding the solutions on our own rather than relying on them. They take a lot of time to work on a support case, and we can't find the right level of support as well. Therefore, on a scale from one to ten with one being the worst and ten being the best, I would give technical support a rating of four.

Neutral

We have seen a return on investment in the last few years in terms of our organization being protected against threats.

Microsoft Defender for Endpoint is cost-effective because there's one unified license, and with this unified license, you get the capabilities for your cloud applications, servers, and endpoints as well. Therefore, it saves us a lot of money because the cost with other solutions is for just one piece of OS or maybe an urban environment. The licensing process is not complex as well.

Your use cases, how your organization is configured, and what your infrastructure is like will determine whether you go with a best-of-breed strategy rather than a single vendor's security suite. From a cost perspective, I think it's better to just go with one technology because when you have two technologies in place, there may be conflicts with policies that may result in additional time spent investigating.

However, if an organization has a high number of macOSs and they have a lot of Linux servers, they may choose to go with two technologies if Microsoft Defender doesn't provide a complete set of security capabilities.

Before you implement the solution, first see what your use cases are and what you're actually looking for. Then, define your environment and what you're going to protect first, whether they be application servers or just endpoints. Then, you can have a detailed discussion with the implementer or vendor.

On a scale from one to ten, I would give Microsoft Defender for Endpoint an overall rating of seven.