Microsoft Defender for Endpoint Reviews

We use Microsoft Defender for Endpoint as our EDR solution on all of our user endpoints.

Microsoft Defender for Endpoint provides comprehensive visibility into endpoint security. I've been impressed with its ability to detect and monitor threats without any noticeable gaps in coverage.

We use the entire suite of Microsoft products, which are all integrated. Integrating them is very easy. However, getting them to function as expected after integration was a little more difficult.

The integrated solutions work together to deliver detection and response. However, their behavior may not always align with our expectations.

The implementation of Microsoft Defender for Endpoint has enhanced our organization's security posture by augmenting our visibility, particularly through the integration of MDE, Sentinel, and Defender for Cloud Apps. Additionally, Intune, when utilized in conjunction with these products, provides comprehensive insights into identity and device risks. The deployment began about three years ago before I joined the company. In terms of EDR or just basic visibility, that was achieved within the first year or so. However, we are still working towards a holistic vision of visibility, especially with Defender for Cloud Apps.

Microsoft Defender for Endpoint consolidates multiple dashboards, as all of our security products are Microsoft-based, simplifying our security management.

Microsoft Defender for Endpoint has saved us time compared to our previous solution, which was an on-premises Trellix EDR solution. This is especially evident in the areas of maintenance and operations.

Microsoft Defender for Endpoint's WCS function, a content filtering solution, has proven to be the most useful, stable, and reliable option for our current needs.

Defender for Cloud Apps is one of the most significant products that Microsoft could improve. We've encountered several limitations with Defender for Cloud Apps, such as the inability to create custom cloud applications and add URLs. These features would be valuable for the scoping feature in Defender for Cloud Apps, as each application can currently only have one scope. It cannot have multiple scopes, meaning that an application cannot be blocked for some device groups and allowed for others. This is another limitation we've encountered frequently.

The technical support is slow to respond.

The product development team makes frequent changes that affect the stability of the solution.

I am currently using Microsoft Defender for Endpoint. 

Microsoft Defender for Endpoint is generally stable, but the frequent product changes made by the development team have caused several instances of unusability this year. These changes often introduce bugs that disrupt web functionality, bringing it to a standstill. While the product itself is stable when not affected by these bugs, the recurring issue has occurred three or four times in the past year.

Microsoft Defender for Endpoint is as scalable as any other cloud-based EDR solution. I would give the scalability a nine out of ten.

The technical support is slow to respond and very log-focused.

Neutral

The deployment process is straightforward. We can utilize a script for Intune that can be deployed through SCCM.

The base price for an E5 license, which includes Enterprise Mobility + Security E5, is $57 per user per month. However, there are additional costs for certain security features, such as Premium Threat and Vulnerability Management and Insider Risk Management.

I would rate Microsoft Defender for Endpoint six out of ten. The support and product development team need to improve.

We have deployed Microsoft Defender for Endpoint across the globe on all of our endpoints.

Microsoft Defender for Endpoint updates itself so there is no need for maintenance.

It is advisable to always exercise patience with technical support and occasionally guide them in the right direction. Otherwise, they may become overly focused on irrelevant logs. Additionally, it is crucial to always have a contingency plan in place in case Microsoft Defender for Endpoint encounters unforeseen challenges.

The effectiveness of both best-of-breed and single-vendor security suite methodologies hinges on seamless integration. When products integrate effectively, they provide a unified view of the security landscape, enabling comprehensive monitoring and threat detection. A SIEM, XDR, or similar tool can serve as this centralized dashboard, providing a single pane of glass for security operations. By centralizing visibility and streamlining response times, organizations can effectively achieve their information security analysis and response objectives.

Our primary use case is for protecting Windows 10 endpoints. We use it for email scanning and application control, we can run analytics through it, and the product enables web content filtering. The Defender 365 package is all-encompassing now; it's a good product.

The solution is deployed across our whole business with 3,000 endpoints, including phones, laptops, tablets, and desktops, with 1,700 end users.

We use multiple Microsoft security products, including Defender, Defender for Cloud Apps, Identity Manager, and Intune. We have the whole security package.  

I was the infrastructure engineer who integrated the products, which was elementary; we rolled out via Intune and used SCCM to build the endpoints.  

The solutions work natively together to deliver coordinated detection and response across our environment, and it's better than using Symantec, for example. Defender is the best product out there; it's built into Windows, and it makes sense to use built-in products. This coordination is strategically important to us, as it makes passing knowledge on to the team easier because it's all in one place.   

The solution offers better management of endpoints when it comes to antivirus and malware. It allows us to separate the functionality of managing that security area rather than putting it with the infrastructure team. The infrastructure team handles the monitoring services. At the same time, virus and threat detection can go to the core security team, which takes a load off the infrastructure team and allows the security team to concentrate fully on security.

Defender for Endpoint helps automate routine tasks and the finding of high-value alerts. Once we set our rules, including attack surface reduction (ASR) rules, there's a lot of automation capability. We can apply definitions for all endpoints across our organization.  

The solution helped eliminate having to look at multiple dashboards and gave us one XDR dashboard, which positively affected our security operations. There are four staff in the department, so they appreciate this kind of management. They can see everything from one place, and our security picture is more integrated. They can even carry out basic auditing from the dashboard.  

Defender for Endpoint saves us time because we can quickly go in and search for issues raised by the security department and eliminate the threat. We have 3,000 assets, so it saves the network around half an hour and the infrastructure staff a couple of hours.   

The virus scanning capability is excellent, and it feeds all the logs into the Microsoft 365 Defender portal, making them easy to search for.

We can track web activity and see what users are logged into. The solution picks up a lot of information from machines and pushes it into the Defender 365 portal and Cloud App Security portal.

The product provides good visibility into threats. We can also log in anywhere, which is handy for the security teams.  

Defender for Endpoint helps us prioritize threats across our enterprise; we can configure specific rules concerning viruses, malware, and threat detection.   

In terms of the comprehensiveness of the threat protection provided by Microsoft security products, it's the best in the marketplace. The top three are Defender, Sophos, and Symantec; the others don't come close to these. 

The solution's threat intelligence helps us take proactive steps to prepare for potential threats before they hit because it tracks definitions and threat footprints from the cloud. These can then be identified and stopped at the front door, which is the whole idea of antivirus products these days.

The integration and effectiveness of email security could be better. It's already built-in to the solution and checks emails, scans the links they contain etc.

I've been using the solution since its first iteration came out in 2005, so about 17 years. 

The solution is scalable; we have it deployed across our entire organization to 3,000 endpoints, and 1,700 end users. 

The support is good; I don't have an issue with them. It's straightforward to go into Azure and raise a ticket, although you must know how to ask the right question.

Positive

As far as I know, my organization used Defender for Cloud Apps for a long time and Symantec for service. Symantec is configurable, but it isn't always quick enough to deal with threats, as it has different quarantining methods.

I installed Darktrace for a data center and prefer to work with MS security products.

I wasn't involved in the initial setup; I was a global admin.  

In terms of maintenance, the product is lightweight; any patches are downloaded automatically, and we can configure when they're installed in our patch definitions.

We have the E5 security license, and the solution comes with that.

I rate the solution ten out of ten.

We use Defender for Cloud and make use of its bi-directional sync capabilities, or use Intune, so all our computer objects are synced via Azure ID and pushed into Intune. This capability is there, and it functions, though there are more important features.

It isn't easy to say if the product saves us money and the business is not overly concerned about the cost of Endpoint. You get what you pay for, it's an integrated solution, and there isn't a better one on the market. It does the job, is configurable, and has limitations like all products.

Once Defender for Endpoint becomes more mature in a couple of years, it'll be the Holy Grail like Windows 7 was.

To a security collogue who says it's better to go with a best-of-breed strategy rather than a single vendor's security suite, I'd say Microsoft is the best of breed for those who want a unified approach or integrated solution. I wouldn't use other security products because it's not necessary. I'd integrate the Microsoft security suite anywhere I go.   

Microsoft Defender is a Windows platform that can be integrated with various solutions. It has a complete dashboard that gives us clear visibility into the total security of things, the endpoint devices connected, and their status. It also gives us information about who has been logged in and at what time. Compared to other solutions, Microsoft Defender for Endpoint gives us more visibility and threat analysis reports.

Microsoft Defender for Endpoint has improved my security score very well. Since it is a fully automated solution, all false positives have been ruled out for me. The investigations provided by the dashboard have compliance functionality and are useful for auditing purposes.

The solution's latest features for threat analysis are updated to provide us with future protection against the latest threats worldwide. It allows us to prepare from our side for the worst scenarios so that the business operations would not be affected.

Microsoft Defender for Endpoint should include better automation that will make it faster to detect the latest threats happening across the world. The solution should also generate an automatic report for any investigation before I generate a report. The solution's cost could be improved as it is an expensive tool.

I have been using Microsoft Defender for Endpoint for four years.

Microsoft Defender for Endpoint is a highly stable solution.

Microsoft Defender for Endpoint is a scalable solution. We have around 3,000 total endpoint devices with two administrators, and we have plans to increase the usage.

The solution's technical support is good. We were able to get proper support from the technical support team.

Positive

The solution’s initial setup is easy.

The solution’s deployment took almost three weeks. Two network engineers and I ensured the configuration of the group policies. We ensured that all the inbound and outbound traffic was properly configured and implemented.

We have seen a return on investment with Microsoft Defender for Endpoint.

Microsoft Defender for Endpoint is an expensive solution.

Before choosing Microsoft Defender for Endpoint, we evaluated other solutions by Azure. We chose Microsoft Defender for Endpoint because of its better functionalities and capabilities.

The solution provides us with clear visibility. We have a clear dashboard analysis, and we don't need to worry about the changes we need to make as it gives a clear solution for us. Threat hunting is the best feature that gives the response to any event happening.

The solution helps me prioritize threats across our enterprise because I'm able to map all the devices across my enterprise. It is improving my security score compared to the earlier one. Compared to our earlier endpoint protection solutions, we have a good edge over the mapping we have with Microsoft Defender for Endpoint. Any new devices getting added to our ecosystem are getting secured in a better way.

We use more than one Microsoft security product. We have integrated all of these products, and it was easy to integrate them.

The integrated Microsoft security solutions work natively together to deliver coordinated detection and response across our environment. This is very important for us because we follow a framework where protection, detection, response, and recovery have to happen in a seamless manner.

Microsoft security products give visibility into the information about the latest threats happening across the globe. This gives us awareness and helps us to be well-prepared before the attacks.

We use Microsoft Defender for Cloud, and we make use of its bi-directional sync capabilities. Microsoft Defender for Endpoint has both on-premises and cloud capabilities.

We use Microsoft Sentinel, which enables us to ingest data from our entire ecosystem. We have different types of endpoints. The ingestion of data gives more data and more credibility to the logs, which makes my environment more secure.

MS Sentinel enables us to investigate threats and respond holistically from one place. It provides vulnerability management and threat detection so that we'll be able to see different logs and parameters. Normally, the threat collection, detection, and response are very much important for an organization.

MS Sentinel’s built-in SOAR and UEBA are different higher-end functionalities with artificial intelligence that provide a secure environment for any platform. It can analyze more volumes of data.

Compared to MS Sentinel, SOAR solutions are more costly.

Our Microsoft security solution helps automate routine tasks and help automate the finding of high-value alerts. It gives us a clear investigation report to find the RCA appropriately, thereby speeding up our response time.

Our Microsoft security solution has helped eliminate having to look at multiple dashboards and given us one XDR dashboard. I can integrate all my security parameters into one dashboard, and looking for the management review is easy for me.

The solution’s threat intelligence helps prepare us for potential threats before they hit and to take proactive steps. It alerts me immediately from which IP the threat is coming so that I can block that respective port immediately and prevent it from entering my network.

Our Microsoft security solution has saved us time by making the operations faster and reducing the response time. The solution has saved me almost 15 days in a month.

Our Microsoft security solution has saved us money by providing a single integrated solution and eliminating the need for different security solutions.

The solution has decreased our time to detect and respond. The solution has enabled me to act quickly on any issue before it hits me.

Microsoft Defender for Endpoint is a one-stop solution for your protection, and it gives overall visibility of your endpoint devices. You can easily add on the devices whenever the enterprise is growing.

With Microsoft Defender for Endpoint, you can club your endpoint protection, email protection, network protection, and application protection and ensure they are in good hands. We can handle anything regarding security operations, investigations, or complaints from a single point.

Overall, I rate Microsoft Defender for Endpoint a nine out of ten.

We deploy the solution for our customers, typically with Plan 1, as they generally have E3 licenses. We also use Microsoft Purview, the compliance system consolidating every security aspect into its portal. This offers centralized management and tight integration with Azure and Intune, which are identity and device management tools, respectively.

Our customers have a variety of cloud providers; Azure and GCP are the most popular, but we have some AWS users too. 

We use multiple Microsoft security products, including Azure Information Protection and DLP, in addition to the other flavors of Defender, such as Defender for Cloud and Defender for Identity.  

We integrated all of these products and the integration was easy. 

These solutions work natively together to deliver coordinated detection and response across our environment, which is essential. The beauty of Microsoft is the tight integration of their various products.  

The solution helps us prioritize threats across the enterprise, which is essential for every organization. If a malicious actor or another type of threat gets into the network, we need to know exactly what's happening, how it happened, who triggered it, lateral movement, etc.  

Defender for Endpoint is a 360° solution that sees and covers all areas. Microsoft also has a zero-day protection framework, so they are thinking ahead.

The product decreased our time to detect and respond to threats.

Defender for Endpoint provides good visibility into threats and has favorable threat intelligence. 

The product helps us automate routine tasks and the finding of high-value alerts; it discovers all threats and categorizes them as low, medium, or high priority, then begins remediation automatically based on the threat severity. It's also possible to automate the isolation from the production network of a device infected with ransomware. As always, the workflows and configurations should be optimized based on the environment.

The solution's threat intelligence helps us prepare for potential threats and take proactive steps before they hit. Some bots take care of remediation and an automatic ticketing system whereby open items trigger tickets sent to the team concerned.  

The solution has minimal customization options, especially compared to Mandiant, so we want to see more scope for customization. A single portal for customization would also be a welcome addition. 

A high level of expertise is required to maximize visibility into threats as the tool provides the data, but it isn't crystal clear. Other products are more straightforward and user-friendly, so admin and management-level staff can easily understand the root cause of a threat, which isn't the case with Microsoft. The threat detection and response are there, but significant expertise is required if we want the same level of visibility provided by third-party tools.

There are some issues around ingesting data from MS Sentinel. If we configure Purview, then our compliance is configured for our entire Microsoft tenant, but the integration isn't easy, and there are some known challenges.

We can't see all the data in one place, so we have to log into different portals to access various data, and this needs to be more straightforward. We want to see a single portal with one URL, so those with the appropriate credentials can gain access and see the big picture regarding the threat landscape.

We've been using the solution for over five years. 

The product is stable. 

Defender for Endpoint is scalable.

The deployment was relatively straightforward, but one issue is the knowledge base articles are not particularly accessible.

Regarding implementation strategy, we do discovery, make an assessment, and match with business needs; then, we know precisely what we have to do and which license is required. We can then start the implementation and deployment.

For maintenance, two team members are sufficient to manage 5,000 users or devices. 

We're a service provider, so we carry out the deployments ourselves. 

We have seen an ROI. 

I'm not too familiar with costs as I'm an architect, though I know about online pricing, as I help two teams with online purchasing and procurement. Nowadays, everyone has an enterprise agreement, such as an E3 license, which we provide to our customers.

The solution saved us money. 

We evaluated many solutions, including Mandiant, Cortex XDR, McAfee MVISION, and Fortinet FortiClient.

I rate the solution nine out of ten, and I recommend it.

We use Microsoft Sentinel, and it allows us to ingest data from our entire ecosystem.

Sentinel enables us to investigate threats and respond holistically from one place, which is important to us.  

We use Microsoft Defender for Endpoint to protect our devices from virus and malware attacks.

Microsoft Defender for Endpoint provides visibility into threats. Using the solution we can see threats easily and address them in order to protect our devices.

The solution provides an overview and we can configure it to have a higher queue, to take action against any risks.

The prioritization of threats is very important to us. With Defender, we can prevent attacks in a number of ways. When we are alerted about a potential threat, it is important to prioritize and take action quickly. We can check the type of incident and confirm the threat level.

We also use Microsoft Sentinel. The solution enables us to investigate threats and respond holistically from one place. Our success is also a result of our four-year investment. I have invested a lot of time in studying Microsoft products and technical subjects such as firewalls.

Microsoft Defender is a good tool. As an anti-virus solution, it helps monitor for any attacks. The solution works similarly to an alarm and is very important. Microsoft Defender is the best protection solution for me, it's safe to use, and I can see the alerts in real-time.

The benefits of Microsoft Defender for Endpoint are immediately clear when implementing it across the enterprise. Within a week the entire enterprise noticed the benefits. The solution communicates with all employees through all devices across the organization. For me, Microsoft Defender for Endpoint is the best.

Microsoft Defender for Endpoint has saved us around two months a year of time.

The solution significantly reduced our detection and response time because it is integrated with all the devices across the enterprise. All the devices are constantly being analyzed and monitored so in the instance there is an anomaly detected we are notified and able to respond quickly.

Microsoft Defender for Endpoint is different from other security tools because we can configure it to use multiple types of scanning or archiving. Microsoft Defender is an important tool for our security arsenal. We can also use the solution to perform many tasks.

Integrating Microsoft Defender for Endpoint with other Microsoft solutions is easy as long as the organization has a proper implementation process. The devices and materials need to be organized and connected in a way that is efficient for the organization, and the implementation process must be considered.

Our integrated solutions work natively together with Microsoft Defender for Endpoint to deliver coordinated detection and response across our environment which is very important.

Sometimes the software doesn't work the way we expect it to, and in those cases, we can't communicate with a device because it may be infected. When this happens we can't access the device directly or implement the interface.

I have been using the solution for three years.

The solution is stable.

The solution is very scalable.

I give the solution a nine out of ten.

The comprehensiveness of Sentinel's security protection is linked to identity management and is very easy.

It is our endpoint protection solution as a part of the full Defender Suite that we use. We use it for every one of our devices, including Macs and Windows.

Each endpoint is with Intune, and then the management is done out of Azure.

It takes automated actions. If a device is found to have a virus, it will automatically remove it, isolate the device, and then notify us to follow up. That way, things are less critical when we get to them. It will stop the spread. We're a worldwide company with very few people on the security staff. It allows us to remove the risk in an immediate fashion without the staff having to jump on it, which just takes time.

It helps us prioritize threats across our enterprise. We have limited resources to deal with the threats. So, this prioritization is critical to us.

We use more than just Defender for Endpoint. We use Defender for Identity, Defender for Office 365, and Cloud App security. We use the whole 365 Defender suite. It is easy to integrate these products. The challenge is having all the features in your environment and obviously making it work within your environment because of your different applications and business processes, but all these solutions work natively together to deliver coordinated detection and response across our environment. This is critical for us because we have limited resources. So, allowing the machines to talk to each other and not having to jump from place to place just makes life a lot easier.

We use Microsoft Defender for Cloud for the hybrid cloud environment. We are not multi-cloud at this point. We use it to identify weaknesses within our environment, both prem and off-prem so that we can prioritize. We do not use Sentinel at this time.

For the most part, it gives me what I need in one spot. I do have to drill down into other dashboards for more defined reports. We go into the Intune dashboard for compliance and things like that.

Its threat intelligence helps prepare us for potential threats before they hit and take proactive steps. We use the secure score to help identify what we need to do to protect against things as they come up. It lets us know about any ransomware out there so we can jump right on those and do protections. We also use it for the compliance piece against NIST, PCI, and things of that nature.

It saves time. If I didn't have the integrated pieces of Microsoft Defender, to do the same amount and be on top of things, I would probably need two FTEs.

It has absolutely decreased our time to detect and time to respond.

The best thing I like about it is its interaction with the other Defender products. It provides the ability to push telemetry up. It gives me endpoint visibility and allows me to take automated actions. 

It is excellent in terms of visibility into threats. It is very comprehensive in terms of threat detection, and it keeps on getting better. They are consistently adding new features.

They're in the process of pulling more things together. They can continue with the integrations and provide a better way of seeing the impact of security changes, especially on the endpoint side. Before we actually flip the switch, we should be able to see the impact of security changes on the business or business applications. It would prevent breaking any business applications.

In its current rendition, I have been using it for two years.

Its stability is very good.

Its scalability is very good. It definitely scales easily.

Their support is okay. We get support through Insight, which is also our CSP. They're better. I would rate them a five out of ten.

Neutral

On the endpoint side, I've used Sophos and Symantec. We switched because of the integration between all different securities.

The deployment was relatively easy, but when you get into turning on the switches, things can get complicated because it has a lot of different features. Overall, it was easy.

We did it in-house. We had two security systems engineers doing it. 

We have seen a return on investment, but it is hard to give metrics. It has definitely allowed us to maintain a small team and increase our security posture. 

If you're on Microsoft products, and you've bought into what they're doing with Teams Voice and Office, then adding in the security piece is just a slight bump. You go with the E5 licensing, which saves you a lot of money.

With the bundling that Microsoft does, we have saved money. Buying individual point products would've cost us a lot more money than one integrated solution that also capitalizes on Teams Voice and things of that nature. Given our size, buying individual products would have easily cost us a million dollars.

We've looked at other solutions. We've looked at CrowdStrike. We've looked at Symantec. We went for Microsoft because of the full integration. The breadth of the products and the pricing were the main reasons.

I would advise following those secure scores and watching out as you start to communicate with your user base because you're going to impact applications.

To a security colleague who says that it is better to go with a best-of-breed strategy rather than a single vendor’s security suite, my response would be that you got to measure trying to do the integration because with security, to me, bringing that integration together is the key thing. You need to know how quickly you are going to be able to move from your detection to your mitigation. Are you going to turn on things on the firewalls or can you go right to the devices and isolation? The best of the breed is great, but trying to get them all to work together becomes very complex.

I would rate it an eight out of ten.

It provides good visibility in terms of the number of devices covered, users covered, and so on. With most people working from home for the past two years as a result of the pandemic, Microsoft has helped us improve our security. Because it's a cloud component, we have been able to have improved coverage for our remote users, which was a challenge when we were using traditional endpoint protection solutions. Microsoft Defender for Endpoint has enabled us to secure devices even when they are off of the organization's premises. It has added value to our organization and has helped improve and mitigate security risks across the organization.

I like the fact that it's prebuilt onto Windows and that it integrates with various solutions.

The Microsoft Defender for Endpoint dashboard gives you a very wide view. If, for example, a device is having some malicious activity, it will tell you who has logged into that device and the history of the activity such as whether the activity began because that particular user clicked a malicious link in an email. It is able to do this because Microsoft Defender can connect to the whole Microsoft 365 ecosystem. Thus, it can provide more visibility as compared to a standalone endpoint solution, which will only give you visibility with regard to the information collected on the client in which it is installed.

It provides a detailed level of visibility considering that it's prebuilt onto Windows. It's able to drill down into the processes, such as the DLL files that are running and the installation files from where the threat is emanating. It gives you a deeper threat analysis in comparison to that of other solutions I've worked with. Microsoft Defender is able to provide details such as whether it is a malicious file, the process that is executing a particular file, how it is initiated, the process number, the particular execution file that is running, and so on.

When it discovers a threat, it has its own inbuilt capabilities to prioritize the severity as low, medium, high, and critical. You can also intervene and assign a particular priority to an incident if the priority was not what you expected. Microsoft Defender gives you visibility not just from a threat perspective but also from a user perspective, for example, to identify the most high-risk users in an organization. It gives you the ability to prioritize the riskiest users and devices.

We use Azure AD Identity Protection, Windows Defender for Cloud, and Microsoft Defender for Office 365.

It is easy to integrate these solutions because Microsoft Defender for Endpoint gives you a central view of all of the security components in the organization. We have integrated these solutions to have one central dashboard.

Having one XDR dashboard has eliminated the need to look at multiple dashboards.

In terms of these solutions working natively together to deliver coordinated detection and response across our environment, Defender for Endpoint works natively well on its own Defender for Office 365. The full integrated visibility doesn't come natively enabled by default. As an administrator, you have to figure out where the configuration is and enable that configuration so that the events are captured by one solution and pushed to the central dashboard for security.

Microsoft has come a long way in terms of security and comprehensive threat protection. They've done quite a lot to mature their solutions. It's hard to find one vendor who covers your email security, cloud security, and endpoint security, giving you central visibility into all of it, and Microsoft is one of the major players at the moment.

Threat intelligence helps us proactively prevent attacks before they happen. Defender can pick up an activity that is happening across other tenants in the organization. You can then look at what controls you can put in place to prevent it from happening in your own organization. It's better to prevent an attack rather than to stop one that is already happening. This approach allows us to proactively put measures in place and be ready to respond in case an attack does occur. It keeps us more alert and prepared.

With Microsoft Defender for Endpoint, you can automate some of the incident response actions. However, we do have false positives that are picked up, and automation needs to be done sparingly. Automation of routine tasks does free up our admins, and they can focus on more strategic initiatives and improvements, and leave the day-to-day administrative duties to the system.

This solution has saved us time in terms of providing centralized visibility and not having to onboard agents when deploying. It has made management a bit easier because it can be accessed from anywhere and has made it a bit more convenient to manage the whole Endpoint protection activities. Our team is still quite lean, and the time spent on EDR activities has probably reduced by about 50%, freeing us up to catch up on other activities that we're following up on in the entire information security program.

Microsoft Defender for Endpoint has decreased our time to detect and our time to respond. Proactive alerts help you send notifications before something actually happens. That means you have more time at hand to quickly detect threats before they happen. If they do happen, it gives you all of the information you need to be able to quickly respond compared to traditional EDR solutions for which you may need to look for VPN production to access your tenant. The ability to automate the responses has also decreased the time it takes to respond to an incident by about 50% because even before the notification is received, the system would have begun to take the action that you had configured for the automation. That is, the response will begin without your intervention.

Automation is one of the areas that need improvement because if you fully automate, then there's a high chance that you're going to be blocking a lot of actual false positives.

With the XDR dashboard, when you're doing an investigation and you're drilling down to obtain further details it tends to open many different tabs that take you away from your main tabs. You can end up having 10 tabs open for one investigation. This is another area for improvement because you can end up getting lost in multiple tabs. Therefore, the central console can be improved so that it does not take you to several different pages for each investigation.

Microsoft keeps changing the name of the solution, and when we go to senior management to ask for a budget, they think you're asking for a different solution. It would be great if Microsoft could decide that Defender for Endpoint is the name and stick with it.

I've been using it for three years.

It's quite stable.

It's very easy to scale because it comes built-in with Windows 10, and you just need to enable it. This can be done on scale using group policies or through Endpoint Manager on cloud or Intune.

We have about 5,000 users.

The technical support is okay, and I would rate them at seven out of ten. It depends on the level of support that you have with Microsoft. If you have enterprise support, you'll get dedicated support, and your issues will be resolved much faster. That is, if you're able to pay for premium support, you'll get good, faster responses. If you have normal support, however, it may take a bit longer to get someone to look at an issue.

Neutral

We previously used Kaspersky Endpoint Protection. One of the reasons why we switched is the fact that traditional endpoint solutions tend to be monolithic. They usually run on an on-premises infrastructure. As a result, you have to deploy agents to all of the machines and to manage them, you have to be on the company's network or be able to access it through VPN. Also, those who work remotely will need to log into the VPN to receive updates. Often, those who don't need access to internal systems will go for months without logging into the VPN, which means that they will not pick up the updates.

We were also looking for a solution that was more cloud-friendly because the organization was moving towards the cloud with the emergence of remote work.

The initial deployment can be straightforward if you have Windows 10 Enterprise Professional because it will come preinstalled. All you will have to do then is to enable it. In our case, we wanted to enable a particular GP and encountered some complexities in terms of connectivity. It took us about six months to deploy it.

It's a SaaS solution, so you don't require much effort in terms of deployment. Once installed, there's very little maintenance required. We don't have to upgrade any agents; it's straightforward. It mainly requires administrative work from the console.

Our environment is across multiple branches in the organization with branches in different locations and countries.

We had a team of three with someone to configure the group policies, someone to look at the admin center on Microsoft, and someone to ensure that the traffic is allowed.

Because Microsoft Defender comes as an add-on, it can be a bit expensive if you're trying to buy it separately. Another option is to upgrade, but the enterprise licenses for Microsoft can also be quite a bit pricey. Overall, the cost of Microsoft Defender compared to that of other endpoint detection solutions is slightly higher.

If you have a big team, then you can go with a best-of-breed strategy where you have dedicated teams that are looking at your endpoint protection, email protection, network protection, and so on. You may have a SOC team as well that gets the events and incidents from all of the different teams, analyzes centrally and provides a general view from a security operations perspective. In summary, if you have a well-resourced, mature organization, then it may make sense to go for the best-of-breed strategy.

However, if you have an organization without a big security team, it makes sense to have a single vendor's suite. At times, it may appear to be a single point of failure, but in terms of management and usability, it's a bit easier to work with and deploy. It will give you some level of visibility that will cut across the different domains.

Overall, Microsoft Defender for Endpoint is a good solution, and it'll give you good visibility and protection. It's worth considering, and I will rate it at eight on a scale from one to ten.

I'm a security coach with multiple clients. I provide security implementation, planning, and maintenance through Microsoft Defender. I use all the Defender products, including Defender for Identity, Defender for Office 365, and Defender for Cloud. 

It's easy to integrate the solutions. You only need to go into the settings and switch on the connectivity to all the Defender for Endpoint connectivity telemetry. Microsoft documentation is thorough, and it walks you through all the necessary steps.

We're multi-client and multi-cloud. We're working with multiple organizations and departments, so it's complex. We have domains and sub-domains that we must account for on the deployment side. We also use Defender for ATP, which is the Defender for domain controllers.

Defender for Endpoint helped to bridge the gap with remote workforce solutions because it protects managed and unmanaged devices. It's also easier to use because Defender for Endpoint is cloud-managed, so it stays maintained and updated. It has a leg up on competing solutions that require more system resources and maintenance. 

The tight integration with Microsoft operating systems is another advantage because it's easier to manage. It also goes beyond Windows OS. Defender for Endpoint supports other platforms and operating systems, such as Linux, iOS, and Android. I like that Microsoft is expanding the product's scope beyond Microsoft operating systems. Microsoft is developing a holistic approach, so you don't need a third-party product to protect these other non-Microsoft platforms.

Defender helps us to prioritize threats across the enterprise. The weighted priorities are based on all the MITRE security standards. Defender products work together to provide comprehensive protection. I agree with the placement of Defender Products on Gartner's Magic Quadrant. Defender is a leader in that area of threat protection. I'm pleased with the outcome of a lot of the investigations. I can protect and harden areas that didn't usually didn't have that level of visibility and granularity. 

Defender integrates with Sentinel, enabling me to ingest data from my entire ecosystem. Sentinel also covers non-Microsoft products with the third-party connectors that are provided. I enjoy that part of the Sentinel functionality and feature set. It has several features for aggregating the log data and analytics for the on-premises environment. Having that visibility is crucial.

Sentinel provides the SIEM and the SOAR capabilities, offering a single pane of glass for all of the security operations centers and providing on-site reliability for many of my clients. Sentinel is Microsoft's answer to competing tools such as Splunk and other log application tools. Sentinel seems to provide more added value from the ease of use and visibility. The licensing is also competitive.

You can set up Sentinel to forward alerts if you want to create a managed Cloud environment solution for Sentinel for a client. There's a way to set that up through Azure Front Door. You're seeing the data reporting and single pane of glass for other tenants and customers. It enables you to offer security as a service to maintain visibility for clients.

I like that it considers the status of a device (whether the device is online or offline, VPN or not, etc.) and provides several options for telemetry, depending on where and how the device is being used. It gives a lot of flexibility with the installations, maintenance, and management of the Endpoint solution. In addition to Defender for Endpoint's feature set, other parts of device management reduce the attack surface and protect those devices.

Defender's automation features have been a significant advantage with many of my clients because the remediation has been automated. Most of the time, it doesn't require any human intervention unless there's something that hasn't been set up. I must demonstrate the automated investigation and remediation to my clients to ensure their environment is automatically protected on weekends and after business hours.

The single pane of glass is vital to us as security consultants and our clients, who need a high level of visibility. You can go into the high-level executive dashboard view and drill into each telemetry graphic to provide you with more granular data. I see how easy it is to see the big picture and effortlessly drill into the details using the side navigation menus and more.

Consolidating things into one dashboard streamlined them significantly. When working with multiple tools and vendors, you typically have to stitch the reporting together to get an overarching view of everything. It's time-consuming. By the time some of these tasks are accomplished, the data starts to get stale, so you need to refresh and create an all-new view again. Having real-time capability in a single pane of glass is essential.

Defender Threat Intelligence helps us develop a forward-looking approach to threats and plans. That's one aspect of the product I find incredibly helpful. It will highlight things that may require intervention, such as turning on conditional access rules or setting up some geofencing for anything that looks like it could be a password spray attack from a known location that we can block. 

There are opportunities to turn off any legacy protocols that may be in use. That's been a common thread with some of my clients who still use legacy protocols for sign-in and authorizations. The ability to do that has been a considerable help proactively.

You don't know what you don't know until you know. The continual flow of real-time data and analytics from Defender products helps create a security roadmap and harden many areas. With improved visibility, we can build a better roadmap to harden those areas by prioritizing and doing things methodically. Previously, we were guessing what to do next or what would be most important based on an educated guess. Now, we have data to guide our security decisions.

Microsoft Defender has saved us hours and hours. It has probably paid for itself many times over. I would agree that it has saved a lot of time and money. I estimate it probably saved us the equivalent of two people working full-time. You typically have at least one person overseeing on-premise resources and another dedicated to cloud resources.

In my opinion, the most valuable aspects are the reporting analytics and integration with Sentinel. Defender does an excellent job of correlating the different entities that comprise threat analysis, analytics data, and log analytics. It helps to piece together investigations into any exploit or malicious activity within a specific tenant. AI and analytics tools are probably the most valuable components.

The bidirectional sync capabilities and off-app sanctioning of the SaaS applications are helpful. The identity security posture feature set provides investigation recommendations for risky users. The heat map for locations is also handy. Defender integrates with the AIP DLP for data governance and protection. I use all of that.

There's a need to have augmented workforce capability. You need to see the data streams for client work augmentation for the security operation center and act on the information. Having data in near real-time is essential to my organization and the work we do for our clients. The built-in SOAR, UEBA, and threat detection features are comprehensive.

It always helps to have onboarding wizards. Microsoft has done a lot of work in that area. I would like to see some more refinement in the wizards to allow more diverse use cases and scenarios that help us deploy Defender globally. In particular, I would like to see more deployments considering localization barriers and networks or devices common in various regions. 

Localization is always a challenge, especially with new products you typically want. Solutions are designed to be deployed where the most licenses are being consumed, such as in the United States. They focus on US products, devices, and networks. Specialized deployments for other countries would allow for a smoother experience in transition.

I have been using Microsoft Defender for about two and a half years.

It's pretty stable. I haven't had any reliability concerns with Defender, and there have not been too many complaints from users that have to have extensive reboots or any kind of performance impact. So I would say it's pretty stable.

Scalability is built into the product. It's a cloud-managed solution, so it's capable of scaling pretty quickly as needed. You don't have to unlock another key or do something else to scale the product. It's scalable by design.

I rate Microsoft support a seven out of ten. We've opened a few Microsoft tickets. For example, we've seen some discrepancies between Defender for Exchange Online and the reporting from Sentinel. We raised tickets to determine why Sentinel's logging data doesn't match what we see in Exchange Online.

It can be slow and tedious sometimes. Microsoft has different support level agreements. If you want prompter and higher-quality support, you typically need to pay for an Ultimate Support contract. If we compare that with other companies or organizations, Microsoft is probably on par with everyone else. You don't get a higher level of support unless you pay for it.

Neutral

I've worked with all the major antivirus and endpoint protection vendors, including Splunk, CrowdStrike, Sophos, Norton, and McAfee. Microsoft's advantage is its integration with the operating system, ease of deployment, and support for the 365 Cloud experience. It makes everything easier to deploy, maintain and manage. It comes down to cost and integration. We realize cost savings because it's integrated into the E5 licensing product.

The setup is straightforward and mostly automated. You only have to intervene when you experience errors. Those typically happen on non-US systems or in other countries. For the most part, it's effortless to deploy.

We try to use the auto-onboarding capabilities that come with Autopilot. If you have new systems deployed with Windows Autopilot onboarding capability, that's going to turn Defender on with the proper policies and security parameters. 

One person is enough to deploy Defender if you have a plan and proper communication. You notify everyone that the deployment is happening and push the button. You need to let everyone know if reboots are required and the like. Other than that, it's pretty much a one-person deployment job.

In terms of maintenance, Defender is probably somewhere in the middle. Microsoft maintains a lot of automated updates. There are feature sets that come into play with things that are put in preview and you may want to see if it's something you want to turn on and try out while it's in preview. Those are the only areas that require some discussion and intervention. Most of the maintenance is automated. At the same time, you also need to be trained and aware of the updates and feature sets as they mature. You must stay on top of changes to the UI, reporting, etc.  

If you look at what we pay on average and all the potential ransomware and malware threats we've averted, we've definitely saved tens of thousands of dollars, depending on the client. Some of the bigger clients have saved millions of dollars of potential ransomware payouts because Defender products helped protect those areas of attack. 

The cost is competitive and reasonable because most of the expense is log analytics, storage, and data consumption and ingestion. They can be throttled and controlled, so they are highly flexible. Defender has a lot of advantages over competing products.

From a licensing aspect, you're not just getting a security product. You're getting a lot of other capabilities that go beyond the Defender products. You get an E5 or E3 license and some form of Defender for Endpoint included with all the other security features of the other Defender products. 

It didn't take too long to decide on Microsoft because of the integration and simplicity. CrowdStrike is probably the closest competitor.

I rate Microsoft Defender for Endpoint a nine out of ten. Defender is one of the best I've seen, and I'm not saying that as a Microsoft reseller. We use Defender and have gotten our Microsoft certifications to provide a high level of service for our clients. It's crucial to have a product we stand behind and believe in wholeheartedly. We're not getting kickbacks from Microsoft for saying or doing any of that. We use it because it works. 

I would say there's a trade-off. Once you start adding complexity to security, you're going against best practices that say simpler is better. Adding another vendor or a level of complexity is usually unnecessary. Unless there's something Microsoft completely missed, I would question the value of going to another vendor. 

Communication and planning are most important. Any time you change products or deploy something for the first time, you should test it first in a smaller use-case scenario. That will help you identify any issues with your network, firewall, or legacy applications that may be falsely identified as a threat. It's always best to test your use case scenarios in a proof of concept before you deploy it.