Microsoft Defender for Endpoint Reviews

I worked for an enterprise client in the public sector with half a million endpoints. I'm in Canada, and that's bigger than most US companies. Defender is an endpoint agent, but it's tied into what I would call a SOC outsourcing stack. It's part of a security operations center that is getting threat intelligence, comparing that to endpoint detection and response, and feeding it all back into a SIEM.

I use either E3 or will upgrade to the E5 full suite, or will go a la carte. You can pick one or two off there, but it usually makes more sense to go all E5. Sentinel and Defender are the two things I like in E5 that I work together.

We use Defender's bidirectional sync capabilities at a high level. I'm more of a high-end security architect, so I do the conceptual designs but not the implementation. Even though I like it, I don't know if it gets implemented and used or not. As a capability, as an architect, that's a good thing to have.

Our deployment is still a work in progress, but it will enable us to mature and automate our cyber incident response and threat security posture. Defender helps us automate routine tasks and the findings of high-value alerts. That's the SOAR part we hope to achieve with the project reaches maturity.  

Defender simplifies things if you are managing a multi-cloud environment or a hybrid deployment. Instead of having 10 dashboards, you're now down to three. It creates a fabric. Do I have a single pane of glass? No. However, I have three panes instead of ten.

It can give early warning signs. I'd stop short of saying Defender protects, detects, responds, and remediates. It still doesn't do the remediate part. Defender will ultimately save time and money when we've fully implemented it. I'll find more problems, but I think the integration will save me a lot more time on the operations,  incident response, etc. It's all speculative until you're fully deployed and got key metrics to prove it.

The biggest reason I looked at Defender is that the world seems to have shifted to Office 365 and Azure in the last couple of years because COVID is forcing many people to work from home. Defender has better out-the-box integration with Office 365 and Microsoft security solutions like Sentinel, and its SIEM. CrowdStrike or other top products are excellent, but I'd still need to integrate them.

Defender is great at identifying threats on Windows and Azure products. If the threats aren't related to Microsoft, I will use something else. My view of Microsoft Defender changed significantly over the past five years. I used to think it couldn't compete with best-in-class solutions like CrowdStrike. It was like a Microsoft version of CrowdStrike. Today, I think it's on par pound-for-pound with CrowdStrike on the EDR Gartner MQ capability list. 

If you have multi-cloud like Google and AWS, the native solutions are better for those particular cases. But if you want Azure covered and you use Sentinel and Defender, you can also integrate Defender well with Zscaler. 

Zscaler is more of a multi-CSP fabric with zero trust capabilities that integrate with CrowdStrike and other third-party tools. I use Defender and Sentinel for Microsoft, but I also like that Microsoft integrates very well with Zscaler and vice versa.

The comprehensiveness of Microsoft threat-protection products is great. Five years ago, I would've said don't use it because other products are better. Today, Microsoft Sentinel by itself is a leading Gartner SIEM tool. It has advantages over competitors because of the ability to integrate with Microsoft solutions and automate continuous monitoring of Microsoft AD and Office 365 data.

Sentinel aggregates logs from everything. It's pretty good at that. If you were on Google Cloud or AWS, you would use the native products, but Sentinel is useful if you already have it and you want to use it as the central log aggregator.

Defender offers SOAR plus UEBA, and you can integrate it easily with the endpoint, making it a compelling security fabric as a SOC technology stack. I would put it in the top four along with IBM, Splunk, and maybe Fortinet as one of the better-integrated UEBA types of technology suites.

Microsoft Defender improved a lot. They weren't even on the Gartner Magic Quadrant, and now they've equaled or surpassed the leading solutions. I would suggest they continue doing what they're doing on their product roadmap and develop more SOAR. The last thing for them to tackle is multi-tenant and multi-cloud handling.

I have been using Defender for about five years.

Defender is robust.

I'm still in the early stage, but the scalability seems impressive based on my research and the size of reference clients.

I've mostly seen the pre-sales part, like doing demos and licensing. As far as doing demos and licensing. My experience with the sales organization has been awesome, but I'm not dealing with maintenance, rollover, or contract.

Five years ago, I looked at Micro Focus, ArcSight, and maybe some best-of-breed UEBA and EDR solutions, like CrowdStrike and Intercept. Business considerations led me to choose Defender. 

Security people will go for the top security solution, but executives are worried about enterprise and return on investment. They push for Microsoft security products because they've got Azure and Windows. I now agree that it also makes sense from a security point of view,

As an architect, my experience with the deployment is limited to evaluations and PoCs, and the full roll-out is ongoing. Ultimately, it's a low-maintenance solution. The payoff on automation and maturity is getting ongoing maintenance and support, training, patches, and new product upgrades. That's part and parcel of why it's a good idea.

The price was a problem for me three years ago, but they improved their E3, E5, and a la carte licensing. In other words, you have to get all of E5. That used to be a problem because you had E3, Defender, and guardrails, but you needed an E5 license to get the management suite and the analytics. 

It's more flexible now. You can switch from a la carte to the entire suite when it starts to make sense. It's becoming more economically competitive to go that route.

Defender is good enough if I compare it to the leading EDR solutions on Gartner. I would place it in the top quartile based on cyber threat intel. Cisco Talos and CrowdStrike are better, but Defender isn't that far behind. The payoff for me is the native Microsoft integration. 

Suppose most of my applications and data were still on-premise and I didn't need to work from home because of COVID. In that case, I'd be looking at IBM, Q1 Radar, Resilient, FortiSIEM, or ArcSight because the legacy SIEM products do on-premise security well. However, most of my cloud data is Office 365 in Azure, so that's what prompted me to start looking at Sentinel and Defender. 90 percent of my criteria shifted to the cloud, specifically Microsoft Azure.

I rate Microsoft Defender for Endpoint nine out of ten. If you're planning to use Defender, you need to understand the options around E3, E5, and a la carte licensing. This is also true if you do a bake-off between IBM, ArcSight, or other best-of-breed products, understand what capabilities you really need. If you're a small or medium-sized enterprise, you won't have the same needs as a corporation with half a million endpoints. 

It is mainly utilized for telemetry collection and correlating specific behaviors or reactions to TTPs, IOCs, or indications of compromise. It is used for getting that level of detail. 

It is good for attack surface reduction, which is how you harden your endpoint so that they're less likely to be infiltrated or compromised if you have an operative in your environment. So, it's mainly used for reducing the opportunity for someone to compromise the system but also for rapid detection when that occurs.

Coming from an organization where the EDR wasn't strong, it has always been a case of basically searching through the information you already have and looking for something. It was basically trying to find the needle in a haystack. What the Defender platform does is that it reduces the size of the haystack, and it'll say that the needle is over here. Minutes matter, and it certainly zeros you in on the events that are concerning. It also simplifies the effort of trying to get some kind of correlation of behaviors or actions you see in the environment and confirming if something is benign or a threat.

Something that is unique to Microsoft is its licensing model. When you go out and you buy McAfee or Symantec, you know what you're getting out of the box, but with Microsoft, often, when you're looking to achieve a certain set of capabilities, those capabilities are spread across different products. You might try to do something you could do with CrowdStrike, but then find out that you also need to purchase Microsoft Defender for Identity or Microsoft Defender for Azure. You realize that when they talk about what they can offer within the Microsoft platform, it's really the suite of investments. So, sometimes, you may find yourself buying Defender for Endpoint thinking that it matches CrowdStrike, but then you find that Microsoft really needs to sell you something else. One plus one will equal three, but when you have a very concise platform, such as CrowdStrike, you know what you're going to get.

The other consideration is that because it's Windows native capability, your capabilities are largely influenced by what version of OS you're running. For a small-medium business, it is not a big deal, but at an enterprise scale, there are always Server 2000, Server 2003, Server 2008, Server 2012, Server 2016, Server 2019, and so on. So, you're talking about having six or seven different versions where your capabilities are not consistent between 2003 and 2019. It's like asking how robust was security in Windows 2000 versus Windows 2010. You'd say that they're not even the same OS from a security perspective, and that's crazy. When you buy CrowdStrike, you're deploying an agent, and so you get a fairly consistent set of capabilities that are agnostic to the OS version, whereas, with Microsoft, the capabilities are largely influenced by the OS version. For an enterprise, being up to date is a very big consideration to be successful with the platform. So, it forces your platform to not lag behind. You can't have the old server versions and expect that you've got a robust EDR. Defender shines on Server 2016 and higher, but if you were to do some type of penetration or red teaming exercise on a 2003 server, you'd be better off with CrowdStrike or pretty much anything else.

We've been piloting it for the last six months, and this is what we have selected to implement.

There are no scalability constraints because it's all in the cloud. It's a SaaS. So, they can take on more PCs than any Fortune 500 would even have. The only constraint is that in terms of scaling, the strength of the platform is highly influenced by the OS version. If you were largely using Windows XP and Server 2003, you would not want to choose Microsoft Defender as your suite.

It is fantastic, but sometimes, it could be challenging to navigate. If you buy something like a Carbon Black or a CrowdStrike, you normally have one sales rep and one sales engineer, and depending on the level of support you pay for, you may get premium or platinum support, which means you have a very concise escalation path. With Microsoft, there are 20 different account reps. There is a productivity suite guy. There is a security guy. There are so many different places, which can create some confusion at times, but there is no lack of resources. If you have an issue, there are so many Microsoft employees and reps who are engaged at the enterprise level that once you figure out who to speak to, you get traction pretty quick. So, in summary, because there are a lot more people, their support is really great, but sometimes, having a lot more people can also create confusion in terms of where to go.

It is easy. It is native. They're literally like checkboxes. There is really nothing to package and deploy. If you're at a current version, it is a policy. You just turn on the policy. You go through the setup of installing McAfee on your home computer with next, next, next, and finish, or Microsoft will say, "Hey, we noticed you don't have an AV. Do you want to enable Microsoft or Windows Defender?" You say yes, and you slide the box from off to on, and you're now protected. It is like that. It couldn't be easier. There are things like firewall rules and network considerations that have to happen, but from an enablement perspective, because it is native, it really reduces the burden of onboarding the platform.

We didn't go through a real comprehensive analysis when we made the selection. We did some light touching, but we really did not do some comprehensive analysis between Microsoft and CrowdStrike. 

At an enterprise level, a lot of the stuff is based on relationships. It's not like you're starting from a green field. You look at who is your strategic vendor and who is not. With Microsoft specifically, you always get bundle deals towards your renewals. It's always like if you buy more Office 365, we can give you a discount on Defender and things like that. If you don't have a relationship with CrowdStrike or someone else, it is hard for their rep to speak to your CEO or your CSO, but Microsoft does. They've already got standing monthly meetings with them. So, we've made a determination to go with Microsoft because:

1. The technology is compelling.
2. It is a strategic fit for us. 

I would rate it a nine out of 10.

We use Microsoft Defender for Endpoint to manage the firewall and provide endpoint security, such as antivirus protection, on the endpoint.

The visibility of threats is excellent. The most difficult aspect of Microsoft Defender for Endpoint, especially for a small MSP, is the amount of information that needs to be filtered through. There is a lot that can be done in the portal, so it requires someone to spend a lot of time going through all the settings and making sure any issues are resolved. This is why we added Huntress to it, as it helps with the identification of other issues.

Microsoft Defender for Endpoint helps prioritize threats across the enterprise. The great thing about the Defender portal is that if there is a new issue, it highlights the issue for us in the portal, enabling us to easily check the CVE report to see which devices are affected, and make the necessary changes.

The major advantage of Microsoft Defender for Endpoint for us is that we receive a great deal of information. Initially, when we encountered the solution, the most difficult thing was that there was a lot more detail to go through, a lot more logs, and settings that we had to configure. However, once we had everything in place, as we are covering so many devices using the same solution, we were able to make a significant impact on our security.

The solution helps automate the high-value alerts to identify the devices that are at high risk of attack, but we still have to remediate ourselves.

We still enjoy jumping between Defender and Huntress' portals. Microsoft has removed the need for a large number of solutions as the Defender portal itself encompasses a great deal. This is both good and bad as they continue to add to the Defender portal. For a small team, it can be quite overwhelming to have to go through the one Defender portal. However, if the team was larger and we had more dedicated staff, it would be great as everything would be in one place.

Microsoft Defender for Endpoint's threat intelligence helps us prepare for potential threats before they occur and take proactive steps based on the CVE reports, which advise us which devices have higher threat issues.

Being aware of the issues is a good thing, and with solutions like Webroot Business Endpoint Protection, we may think everything is fine as long as the antivirus is installed. However, with Microsoft Defender for Endpoint, we are given a lot of information and become more aware of the issues. This helps us strive to reach the 100 mark on the security score.

Microsoft Defender for Endpoint has saved time by preventing attacks from occurring, and I have been able to rely on it. In contrast, when we used Webroot Business Endpoint Protection, we installed it and then largely forgot about it, assuming it would take care of itself. Webroot rarely gave us any warnings, which may have been due to the product not knowing what to do or not having anything to alert us about. On the other hand, Defender is constantly active and provides us with updates about the endpoints. This may take up more time, as it is making us aware of a lot of other things.

Microsoft Defender for Endpoint is more expensive than Webroot Business Endpoint Protection. However, the value is there in terms of the product we are getting. The cost savings with Microsoft Defender for Endpoint come from being aware of the issues and taking steps to prevent them from occurring. The savings come from avoiding the issues.

Microsoft Defender for Endpoints has a quick response time when it detects a threat. From what I've seen, the system is quite fast. It's not instantaneous when changes are made in the portal and sent to the endpoint, but it is still quick.

The most valuable feature of Microsoft Defender for Endpoint is its ability to bring together all the data, providing more information than just antivirus hits. Additionally, it has a useful security score that is tied into the Defender platform, giving us a better understanding of what is happening at the endpoint.

Microsoft often changes the names of its products, the design of its portals, and what is included in them. This can be confusing for people who are not using them regularly. There is a lot of information to take in, and the portals tend to change quickly due to the fast-paced nature of the industry. This can be frustrating when something that was there one day is gone the next.

I would like to see when NDR solutions become more widespread in other regions. It would be amazing to observe how that progresses. It is something that we are considering, having Microsoft do part of the work using the dependent portal instead of having engineers from our own company do it. Therefore, I am eager to see where that goes.

The stability has room for improvement.

I have been using the solution for over one year.

When testing to see if the antivirus solution is working properly with a lot of different events occurring on the device, we found that the Defender interface can become cluttered. The solution does not always give us a real-time view of what is happening, making it difficult to navigate the user interface. Therefore, there is potential for improvement in terms of stability.

We've deployed the solution in small environments and larger ones. So we haven't had any issues going between the two. Microsoft Defender for Endpoint is scalable.

We have encountered two technical issues in the past. The support team was very competent, and when I contacted Microsoft support, they were extremely helpful.

Positive

We had previously used Webroot Business Endpoint Protection, Bitdefender GravityZone, CrowdStrike Falcon, and Cortex XDR by Palo Alto Networks. Microsoft Defender for Endpoint is now included in our licenses, making it an easy addition for many of our clients since some of them already had the licenses that included the solution. Moreover, since many of us already use Microsoft products and portals daily, we were comfortable with Microsoft and the solution did not require a lot of retraining. Additionally, the price was another factor that made the solution attractive; CrowdStrike and the requirements associated with it are too costly for some of our clients.

The initial setup is not complex. It is more cumbersome than Huntress because it is not just an installer. We have a package that needs to be deployed to a few machines. We can run a script, or use a GPO package to distribute it. Although it is not as easy as some of the other smaller solutions, it is still quite simple. We can roll out a group policy. The deployment didn't take long at all. We had already set people up with licenses to access a Hive with Microsoft, so the deployment solution was straightforward. Most of our clients also have directories managed through Azure, which made the rollout easy.

The deployment process requiring engineering numbers or similar is very minimal as it can be done through a single group policy.

The implementations are completed in-house for our clients.

The licensing costs for Microsoft Defender for Endpoint are reasonable.

I give the solution an eight out of ten. When discussing Microsoft Defender with other engineers, we agree that it can be challenging to become accustomed to and comprehend the UI at first. Once we have a grasp on the UI, it is excellent; however, initially, it is difficult to learn.

Microsoft Defender for Endpoint is deployed in systems located in data centers and on-premises, providing a wide range of devices. Approximately two thousand endpoint devices are in use.

Since the solution is a Windows subsystem, it is not difficult to maintain. We utilize a management solution to run many of those updates regularly, ensuring that they are completed regularly.

No single solution or vendor has all the answers, and it can be risky to rely on just one source. If an attack occurs and we are only using one form of security, if it is breached, the attackers will have unfettered access. Therefore, I believe it is beneficial to have a multi-layered approach, utilizing multiple solutions and vendors with different technologies that can work together.

I suggest people do some Microsoft training regarding the Defender platform to become comfortable with it before deploying it to understand exactly what is necessary to make it work.

Initially, I was running a different endpoint security program but it did not have a dashboard that met my needs. It would only do on-premises. If laptops, desktops, or VDIs were remote, such as people working from home or in a different office, my VDIs—which are really just on-premises but they're in a separate subnet in VMware, Windows 10, Windows 7, Windows 11, 2008, all the way up to 2022—I could only get the servers that were on-prem. That solution had a management console but there was no integrated console within Microsoft so that I could cover all bases. I deployed Defender for Endpoint and now I'm able to see them in there. For some, I've still got the old AMP on them, but Defender will run in passive mode and let AMP run and report to its own console.

The reason I don't want to run AMP, primarily, is that it's a resource hog. Defender for Endpoint integrates it and automatically comes with the Windows operating system or Windows Server Desktop. Plus I can use Defender for IoT and see, on my network—which is a home lab company—my routers, my switches, and, believe it or not, my televisions and refrigerators; the IoT devices that I might have on my network. And that integrates into Defender for Endpoint.

And with Sentinel, I'm hoping to pull that into logs that I have for my cloud-based and on-premises-based servers so I have one pane of glass that will alert me if something is going on. It will correlate those logs from Defender on every endpoint and put them into one incident if there are alerts to be had.

It probably could help me prepare for potential threats before they hit. The nice thing about it is that it has filtering. I can filter on different logs and say, "I'm looking for this user and every place he ever logged into. I can filter on his name and the scope of the machines I'm looking at. If there's a bad actor, a different version of software, I can pull that up. It has simple filtering and advanced filters, which really help out a lot. It does speed things up.

I rely a lot on Defender for Endpoint to find a lot of stuff for me. With Microsoft knowing about a threat in the wild, something that hasn't hit me yet but it's out there and I'm vulnerable to it, it will detect those vulnerable systems for me. I rely on that to patch or update that operating system.

When you install an OS, it could be a year old, it could be brand-new, or it could be five years old and it's not patched and updated. Sometimes there are apps on it, from Google or Adobe for example. This will tell me that my Adobe Acrobat has so many vulnerabilities and that I need to bring it up to this date because I've got 13 vulnerabilities that could be hacked. I rely on it quite a bit to pull those notices together and alert me on what needs to be updated. I don't have to actually hunt for a lot of it. It does the hunting for me automatically.

The features I found to be most valuable in Defender for Endpoint are its alerting, policies, and threat-hunting.

For threat-hunting, I'll put some threats in a test scenario. I've downloaded known viruses that are out in the public for testing. They're not really a virus but they've got a signature. Defender for Endpoint will automatically find those, quarantine them for me, and alert me to what it did. It gives me "automated eyes."

A lot of it is hands-off. It just deploys and it updates by itself. With other applications, like McAfee or AMP, I'll have to download a new version and make sure that the signatures were applied. With Defender, one of the things I like is that it has automatic updates.

And Defender has other integrations with Microsoft that are of benefit. It will tell me that certificates are out of date for my certificate server; I've deployed certificates to my laptops or VDIs or servers or switches. There's an automation routine that I can kick in using KQL—Kustom Query Language—so that it automatically remediates the issues that it finds.

And the visibility into threats that Defender for Endpoint provides is fantastic. Since it is a Microsoft product, and they have it deployed worldwide, they pull over a couple of trillion data points a day from other companies and countries. They've got teams of security analysts or researchers who are constantly updating these and they feed me that information. I'll know about a threat that might be down the road or I might be susceptible to, something that I could patch. It tells me if there is a known fix or if there isn't, in which case I might have to go in a different direction. It's the might behind Microsoft. It pulls in all that information so everybody else can see it.

In addition, with the data connectors for Azure or containers or even M365, threats are automatically classified as high, medium, low, or informational. If they're not classified, I can classify them myself or set a priority on them as to whether they need to be looked at right away, whether they're active or in process or resolved.

Microsoft security products provide a little more comprehensive protection than some of the other offerings. One great thing about it is that it's part of the operating system and it's already turned on when you deploy the OS.

But if you do have a third party, like AMP or McAfee for example, Defender will run in passive mode. That means it's not constantly doing a scan, virus check, or malware check. Still, if you open an email, write a document, or load a USB key to copy files, it would scan in all those situations. But in passive mode, it scans once a day, I believe. It does a device discovery and it will tell you, "We found this software, we found these documents, you did have malware or a virus and it has been quarantined." And that's in passive mode.

If you put it in active mode, without the third-party virus and malware checkers, Defender for Endpoint will give you a software inventory and a timeline of every key that was clicked in case you had a bad actor that infiltrated your network or your machine. If an employee went to a rogue support site and downloaded some software, and let somebody in, it would alert me through UEBA: "There is unique behavior that we don't normally see from this person. They don't normally access this site. The alert would tell me which site had been accessed and that software had been downloaded. It would tell me the time it was installed and what it did—every keystroke. That's with Defender for Endpoint being active.

In active mode, it's great that it gives you so much information, but it does record every keystroke so you have a lot of logs. For my home business, I had to turn off quite a bit because the data that it does gather is every event and activity that happens on a server or laptop. For my little testing scenario, it was overwhelming.

I know what I have on my machines so that amount of data logging started to add up in the cost. That's the only downside to Sentinel and Defender that I can see so far: You have to log and store that data somewhere, and it normally stores it in the cloud, unless you have an on-premises SIEM that you can download those logs into directly and store things on your own hard drives.

I had a $200 credit with Microsoft Azure and I didn't pay attention to it and it ate up $179 of that credit in the first two days because I had Defender for Endpoint check DNS to make sure that I wasn't getting spoofed or targeted.

You have to keep an eye on the Sentinel and Defender for Endpoint storage.

I have been using Defender for Endpoint since about November, so about three months.

It's pretty stable.

With a browser or web-based system, it might confuse things, saying, "You don't have access," because you should have logged in with your admin credentials but you logged in with your standard user credentials because you are on the same desktop.

For my home business I just have basic support. I submit a ticket and they get back to me in a couple of days.

Positive

My company isn't off the ground yet, it's basically going to be a family medical practice run by my wife and me. I'm an IT guy and she's a nurse practitioner and, eventually, she wants to work for herself. I'm doing the background and since I do use it for my regular job, I'm doing this on my own labs as well with trial software or things I've bought subscriptions for. I've bought Microsoft E5 so a lot of it is out-of-pocket and on a shoestring budget.

The nice thing about Defender and Sentinel is that the cost is based on the data logs that you ingest from the Defender endpoints and data connectors. I don't have to buy a 25- or 50- or 1,000-user or enterprise license. I can buy one license at a time. For small mom-and-pop shops, that's very important. A lot of startups don't have that kind of budget for enterprise-wide scalability, especially when they don't have many devices in the first place.

Defender for IoT is an add-on to Defender for Endpoint. It's there, but you have to onboard it. I don't really have enough devices, other than my home base, but in a regular business it would find all the switches, routers, security cameras, monitors, printers, modems, and anything else you have attached. With Defender for Endpoint, you need to have an operating system—Linux, Windows, et cetera—to deploy it.

A refrigerator or a camera or a security device doesn't really have a Windows-based operating system on which to deploy the agent. So IoT, within Defender, will scan those devices, find them, and let you know that it found them. It does that out-of-the-box with Defender for Endpoint. If you want to see the actual operating system of IoT devices and get alerts that something is out of date or has vulnerabilities, you have to get a subscription to IoT, which I hope to do.

There's a lot to learn when it comes to using Defender for Endpoint to automate routine tasks and find high-value alerts. KQL is a structured query language for hunting. If I have data ingestion from M365 logs, Defender for Containers, Defender for Storage, and AWS, Defender for Endpoint or Sentinel will allow me to hook up connectors to pull all of those logs into a "master database" with different tables that contain those logs. There are routines that are already written that say, "If you're looking for this type of an event that started with this application that went to a SQL server that was stored on this server that was accessed from a laptop where the guy went through a browser and went to this particular rogue network," and they access all those tables in that master database.

KQL allows me to tap into each of those different tables and correlate like events or like data, and pull it all into an alert or a threat hunt. It's something to master. It's sort of like regular SQL, but there are a lot of tables and schemas and you have to know what the tables and headers and columns and fields are, and then the syntax. It does threat-hunting really well with the canned queries that it has. But if you're looking for something in particular, you need to learn KQL. A SQL Server database admin would know SQL and how to pull data out of tables and do joins, commits, and transaction rollbacks. KQL is on that same level where you have to be an expert in KQL to actually pull all that stuff together. It's quite the learning curve, but there are courses out there that teach you.

I've been doing systems administration and engineering server admin things for quite some time, a couple of decades since Windows came out, and a little bit before that. But jumping over into the security space for my home business, and putting all these things together with Defender and Sentinel, has been a learning curve. It has slowed me down a little bit. A while back, security was always an issue for security teams. Now that I'm working on my own company, I'm a one-man show. But at the same time, I know there are a lot of bad actors out there.

It provides good visibility in terms of the number of devices covered, users covered, and so on. With most people working from home for the past two years as a result of the pandemic, Microsoft has helped us improve our security. Because it's a cloud component, we have been able to have improved coverage for our remote users, which was a challenge when we were using traditional endpoint protection solutions. Microsoft Defender for Endpoint has enabled us to secure devices even when they are off of the organization's premises. It has added value to our organization and has helped improve and mitigate security risks across the organization.

I like the fact that it's prebuilt onto Windows and that it integrates with various solutions.

The Microsoft Defender for Endpoint dashboard gives you a very wide view. If, for example, a device is having some malicious activity, it will tell you who has logged into that device and the history of the activity such as whether the activity began because that particular user clicked a malicious link in an email. It is able to do this because Microsoft Defender can connect to the whole Microsoft 365 ecosystem. Thus, it can provide more visibility as compared to a standalone endpoint solution, which will only give you visibility with regard to the information collected on the client in which it is installed.

It provides a detailed level of visibility considering that it's prebuilt onto Windows. It's able to drill down into the processes, such as the DLL files that are running and the installation files from where the threat is emanating. It gives you a deeper threat analysis in comparison to that of other solutions I've worked with. Microsoft Defender is able to provide details such as whether it is a malicious file, the process that is executing a particular file, how it is initiated, the process number, the particular execution file that is running, and so on.

When it discovers a threat, it has its own inbuilt capabilities to prioritize the severity as low, medium, high, and critical. You can also intervene and assign a particular priority to an incident if the priority was not what you expected. Microsoft Defender gives you visibility not just from a threat perspective but also from a user perspective, for example, to identify the most high-risk users in an organization. It gives you the ability to prioritize the riskiest users and devices.

We use Azure AD Identity Protection, Windows Defender for Cloud, and Microsoft Defender for Office 365.

It is easy to integrate these solutions because Microsoft Defender for Endpoint gives you a central view of all of the security components in the organization. We have integrated these solutions to have one central dashboard.

Having one XDR dashboard has eliminated the need to look at multiple dashboards.

In terms of these solutions working natively together to deliver coordinated detection and response across our environment, Defender for Endpoint works natively well on its own Defender for Office 365. The full integrated visibility doesn't come natively enabled by default. As an administrator, you have to figure out where the configuration is and enable that configuration so that the events are captured by one solution and pushed to the central dashboard for security.

Microsoft has come a long way in terms of security and comprehensive threat protection. They've done quite a lot to mature their solutions. It's hard to find one vendor who covers your email security, cloud security, and endpoint security, giving you central visibility into all of it, and Microsoft is one of the major players at the moment.

Threat intelligence helps us proactively prevent attacks before they happen. Defender can pick up an activity that is happening across other tenants in the organization. You can then look at what controls you can put in place to prevent it from happening in your own organization. It's better to prevent an attack rather than to stop one that is already happening. This approach allows us to proactively put measures in place and be ready to respond in case an attack does occur. It keeps us more alert and prepared.

With Microsoft Defender for Endpoint, you can automate some of the incident response actions. However, we do have false positives that are picked up, and automation needs to be done sparingly. Automation of routine tasks does free up our admins, and they can focus on more strategic initiatives and improvements, and leave the day-to-day administrative duties to the system.

This solution has saved us time in terms of providing centralized visibility and not having to onboard agents when deploying. It has made management a bit easier because it can be accessed from anywhere and has made it a bit more convenient to manage the whole Endpoint protection activities. Our team is still quite lean, and the time spent on EDR activities has probably reduced by about 50%, freeing us up to catch up on other activities that we're following up on in the entire information security program.

Microsoft Defender for Endpoint has decreased our time to detect and our time to respond. Proactive alerts help you send notifications before something actually happens. That means you have more time at hand to quickly detect threats before they happen. If they do happen, it gives you all of the information you need to be able to quickly respond compared to traditional EDR solutions for which you may need to look for VPN production to access your tenant. The ability to automate the responses has also decreased the time it takes to respond to an incident by about 50% because even before the notification is received, the system would have begun to take the action that you had configured for the automation. That is, the response will begin without your intervention.

Automation is one of the areas that need improvement because if you fully automate, then there's a high chance that you're going to be blocking a lot of actual false positives.

With the XDR dashboard, when you're doing an investigation and you're drilling down to obtain further details it tends to open many different tabs that take you away from your main tabs. You can end up having 10 tabs open for one investigation. This is another area for improvement because you can end up getting lost in multiple tabs. Therefore, the central console can be improved so that it does not take you to several different pages for each investigation.

Microsoft keeps changing the name of the solution, and when we go to senior management to ask for a budget, they think you're asking for a different solution. It would be great if Microsoft could decide that Defender for Endpoint is the name and stick with it.

I've been using it for three years.

It's quite stable.

It's very easy to scale because it comes built-in with Windows 10, and you just need to enable it. This can be done on scale using group policies or through Endpoint Manager on cloud or Intune.

We have about 5,000 users.

The technical support is okay, and I would rate them at seven out of ten. It depends on the level of support that you have with Microsoft. If you have enterprise support, you'll get dedicated support, and your issues will be resolved much faster. That is, if you're able to pay for premium support, you'll get good, faster responses. If you have normal support, however, it may take a bit longer to get someone to look at an issue.

Neutral

We previously used Kaspersky Endpoint Protection. One of the reasons why we switched is the fact that traditional endpoint solutions tend to be monolithic. They usually run on an on-premises infrastructure. As a result, you have to deploy agents to all of the machines and to manage them, you have to be on the company's network or be able to access it through VPN. Also, those who work remotely will need to log into the VPN to receive updates. Often, those who don't need access to internal systems will go for months without logging into the VPN, which means that they will not pick up the updates.

We were also looking for a solution that was more cloud-friendly because the organization was moving towards the cloud with the emergence of remote work.

The initial deployment can be straightforward if you have Windows 10 Enterprise Professional because it will come preinstalled. All you will have to do then is to enable it. In our case, we wanted to enable a particular GP and encountered some complexities in terms of connectivity. It took us about six months to deploy it.

It's a SaaS solution, so you don't require much effort in terms of deployment. Once installed, there's very little maintenance required. We don't have to upgrade any agents; it's straightforward. It mainly requires administrative work from the console.

Our environment is across multiple branches in the organization with branches in different locations and countries.

We had a team of three with someone to configure the group policies, someone to look at the admin center on Microsoft, and someone to ensure that the traffic is allowed.

Because Microsoft Defender comes as an add-on, it can be a bit expensive if you're trying to buy it separately. Another option is to upgrade, but the enterprise licenses for Microsoft can also be quite a bit pricey. Overall, the cost of Microsoft Defender compared to that of other endpoint detection solutions is slightly higher.

If you have a big team, then you can go with a best-of-breed strategy where you have dedicated teams that are looking at your endpoint protection, email protection, network protection, and so on. You may have a SOC team as well that gets the events and incidents from all of the different teams, analyzes centrally and provides a general view from a security operations perspective. In summary, if you have a well-resourced, mature organization, then it may make sense to go for the best-of-breed strategy.

However, if you have an organization without a big security team, it makes sense to have a single vendor's suite. At times, it may appear to be a single point of failure, but in terms of management and usability, it's a bit easier to work with and deploy. It will give you some level of visibility that will cut across the different domains.

Overall, Microsoft Defender for Endpoint is a good solution, and it'll give you good visibility and protection. It's worth considering, and I will rate it at eight on a scale from one to ten.

I used MDE to investigate individual alerts. We were able to initiate AV scans on devices from MDE. That was our normal practice as soon as we pulled up an alert. My understanding was that it wouldn't slow down the throughput or the productivity of the endpoint device. We could theoretically isolate the device via MDE.

We also used Cloud App Security, Microsoft Defender for Cloud, and Azure Sentinel. At my last two organizations, they were in the process of moving from Splunk to the Microsoft security suite. It was standard procedure for us to install MDE on Microsoft Defender as the endpoint solution for every device. We didn't have anything on-premises.

I have experience with Microsoft Sentinel. We were transitioning toward using that as our SIEM. They encouraged us to learn the Kusto Query Language, which is extremely useful.

My organization was in the process of using Sentinel to ingest data from their entire ecosystem.

The solution was deployed across multiple departments and multiple locations in North America. It was deployed on a private cloud.

MDE eliminates the need to look at multiple dashboards, given it has only one XDR dashboard. It has a good user interface for looking at campaigns and the big picture as opposed to just one incident. They also have good graphics.

MDE decreased the time it takes to do detection and response. It allows us to quickly look at the timeline and see what caused the alert. In my organization, they wanted to know what caused the alert, not just whether or not it was a false positive. 

If there is malware on a device, they wanted to know how it got there. If there is malware on the device from another device in our environment, that is a huge deal. If someone clicked on something in an email or went to a suspicious website on their own, that is extremely important to determine quickly in our environment. It's very helpful to determine the level of the threat.

The investigation aspect is the most useful. It's user-friendly and has a good user interface. There's a universal search bar at the top of MDE. Plugging in the hostname brings up the page for the host. From there, we can see any alerts and an overview of the host, who it's assigned to, and who is logged into it.

I usually quickly go straight to the alerts tab and start investigating the alerts. It has a really great timeline function on it. It shows everything that occurred on the device and any connections it made on the internet or with other devices on the network. It shows activities like who logged in and who logged off. I could pull all of that through the timeline and figure out what happened and why it happened. The investigative capabilities are really good.

MDE provides pretty good visibility into threats. I would give it an A-. Overall, I was pretty impressed by it.

Sentinel enables us to investigate threats and respond holistically from just one place. Sentinel's security protection is pretty good. We had some alerts that we considered for a potential campaign. There were some instances when we had the AI perform an investigation for us, and it was pretty comprehensive.

MDE helps automate routine tasks. This was at a level higher than mine, but the automation seemed to work well for them. They had some queries and other tasks that they would schedule and set up alerts for.

MDE has also saved us time.

One of our main problems in cybersecurity is dealing with noise. If you look at the logs for any device over a 10-minute period, it's just too much information. The timeline on MDE is very good at whittling down the noise to find the answers to our questions.

I would like MDE to have the ability to isolate a certain amount of time on the timeline. Splunk has a better UI when it comes to isolating a certain amount of time. I need to know exactly what happened two minutes prior to and two minutes after an incident. I don't need to see half an hour's worth of information.

With Splunk, the UI is perfect. With just a couple of clicks of a button, it'll show us 30 seconds prior to and 30 seconds after an incident. The timeline for MDE is more difficult to understand.

After a failed log-in, Splunk shows when the event happened on the timeline down to a thousandth of a second. Theoretically, we could do that with the Kusto language, but that would mean changing the query every time. It's just not as user-friendly as it could be.

I used MDE for two years.

The stability is great.

I used Carbon Black and McAfee ePO in my previous organization, but they were in the process of moving everything to the Microsoft security solution.

Splunk was our main SIEM and alert system. It pulled alerts from different sources. When we received an alert, Splunk would quickly give us basic information, and then we would go straight to MDE. We received a lot more information from MDE's alerts than we did from Splunk.

I didn't spend a lot of time with Splunk. I normally input the hostname of the affected device that triggered the alert. I pulled all of the information from there, like the timeline of the event, the IOCs it had spotted, the name of the alert, and all of the other details. From there, I did a full investigation of the alert through MDE. I was very impressed with MDE. It gives great details, and it's very easy to use.

We didn't have dedicated personnel for any problems. We purchased full support with the license. Setup wasn't flawless, but there weren't any major issues.

I would rate this solution as eight out of ten.

If you have the money for it, I would recommend the Microsoft security solution.

I would recommend a single-vendor strategy if you have the money for it. I believe in defense in depth. Regarding endpoint protection, I think it's better to stick with one vendor. In my previous organization, they had conflicts between MDE and McAfee. McAfee would read MDE as a virus, and MDE would read McAfee as a virus.

The problem with endpoints is that if you have more than one solution, each of those solutions will see the other guy as a virus or potential virus. When it comes to endpoint protection, I would go with a single vendor.

The solution is used as an endpoint solution to provide a 360-degree portfolio around an endpoint. It acts as a next-gen antivirus. 

It’s included with the Microsoft licensing, so we don't need multiple licenses.

Microsoft is very effective in device control. If there is malware that is coming in, It is very quick to remove it. It doesn't let it gain a footprint on your drive, so that prevents further damage from happening to the endpoint.

This solution helps us prioritize threats across our enterprise. When we are looking at our current scenario, post-COVID, most of the employees of the clients that we are dealing with are remote. When it comes to remote, you can make sure that they're logging in to VPN, however, most of their time is online and we need a product that is actively protecting them even if a user is not on a VPN or a company network. This product integrates very well with Windows due to the fact that it's a Microsoft product. It's giving users the protection that they need while ensuring businesses don’t have to spend extra on licenses.

We are using other Microsoft products. Including CASB integrated with our endpoint. We’re also using Azure, for example, and Microsoft Defender for Cloud as well as Sentinel (although a different team manages it). We have seen a very hybrid kind of environment with one of our clients where they were using an on-prem solution throughout, and they were aiming to move to the cloud. It becomes very easy to integrate everything and move most of their infrastructure to the cloud. It does take time and effort, however, with everything integrated, you can get it done. Microsoft solutions also work natively together. That’s a big strength. Everything communicates seamlessly.

We have very good visibility on our endpoints. The level of information it throws back is helpful.

How long it takes to see the level of benefits will depend on the deployment. Our deployment took two months for one client. Within a month’s time, they started seeing the benefits. We had a substantial number of endpoints to roll out, however, we began to note benefits pretty fast.

Microsoft Defender for Endpoint helps automate the finding of high-value alerts. It still needs to mature a little bit. Overall, we are seeing very security-intensive products and Microsoft still has a lot to learn.

It helped eliminate having to worry about multiple dashboards. Now, we have one single dashboard where our team takes care of everything. That has been very helpful. It makes the team focus on one single product. That helps prepare us for potential threats before they hit. We get fairly decent visibility into what's happening. Since we have one single dashboard that is giving us all the information, it becomes very easy for the team to react to incidents as well.

Overall, the solution has saved time. Previously, while we were doing deployment, most of our time was spent figuring out how to handle the products that are not natively from Microsoft. We had to figure out how we could integrate to get the most out of our products. Now, with Microsoft, we have all the integrations present in one place.

On average, we’ve likely saved nine to 12 hours weekly just by having one single Microsoft dashboard.

We’ve saved money, too. Considering it comes under one existing license, we don’t have to spend money separately or buy another license to get all the features we need.

The solution decreased our time to detection and time to respond. Our turnaround is better. From the moment we receive an alert to the moment we close the case, we’ve seen a reduction of 18% to 20% overall.

The visibility of threats needs to improve a bit. It still has to learn a lot. Where we stand right now, compared to other products that are there in the market, they still have to work on their threat intelligence and the overall maturity of detecting the malware. Sometimes we have seen instances where they have wrongly identified the malware. That is something that we would really hope that Microsoft works on.

Microsoft has to improve the efficacy of the product further. When we are talking about a security product, there are minor frameworks and there are close to 145 different techniques that we are talking about. It broadly categorizes into types yet it doesn't drill it down to techniques, which gives us a very specific idea of what they are aiming for. 

I've been using the solution for the past one and a half years as a solution architect to design and deliver EDR solutions. 

The product is fairly stable. 

The solution can scale. We scaled up initially from 500 to 32,00 endpoints and it was fine. 

We've had to contact support in the past and found them to be very effective. They are knowledgeable in their approach. However, the tasks can be a bit time-consuming.

Positive

We are using CrowdStrike, Palo Alto XDR, and a lot of different products. The client using CrowdStrike may have moved to Defender based on the cost.

The initial setup was simple. 

There is a bit of maintenance required around data retention. It has a data retention period of 80 or 90 days depending on the configuration. We make it a habit of filing data for compliance purposes. Two to three people are normally involved with the maintenance aspect. It's not resource-intensive. 

We are the third party. We help clients implement the solution. 

We have witnessed an ROI. 

The product is very cheap compared to other options. It's very affordable, which is why Microsoft is gaining a foothold in terms of client acquisition.

We're a Microsoft partner. 

I'd rate the product seven out of ten. 

You can spend a lot of money to get a very specific security tool, however, if you don't have the money, Defender does a pretty good job for you.

In an enterprise setting, I use the product to protect workstations, and more recently servers, from all sorts of threats, including malware, viruses, trojans, etc.

Defender for Endpoint gives us greater visibility. Cybersecurity professionals always need that because what we don't see can get us into a lot of trouble. We also need visibility to be easily applied across platforms and with an improving ability to gather information from Linux or Mac-based end platforms. AWS and Google Cloud give better visibility, which we need from a security standpoint.

The other Microsoft security products we use are Defender for Cloud Apps, Defender for IoT, and Defender for Cloud.

The integration is pretty straightforward. It depends on a company's licensing and deployment team, and Microsoft makes it simple to integrate multiple solutions. It is easy to integrate into a test environment, though it depends on the infrastructure and networking team because they have to carry it out. Each company has different solutions; whether they are entirely cloud-based, on-prem, or hybrid, there's a lot of flexibility. Depending on the package, Microsoft is usually very helpful and available to assist with implementation and integration.

Coordinated detection and response between the solutions are essential. Depending on the company and its capabilities, it can sometimes be challenging to bring different tool sets to bear. For example, integrating endpoint protection, XDR, theme tools, CASB apps, and security from different companies can be very tricky. What Microsoft is doing in terms of easy integration makes their product an easy sell because it's critical to spend time doing the work of security rather than worrying about and dealing with integration. 

Threat protection is extensive; it covers most of the concerns we face as a company. I have limited experience with the IoT side, although I'll be working with that soon. Microsoft is thinking ahead and looking toward the future of protection, and I think they're on the right path. The comprehensive threat protection is there, and that results in a steep learning curve because an organization may have a whole bag of tools, some of which they may not use or need depending on the size of the enterprise. The extensiveness is impressive, and Microsoft is doing the right thing in attempting to cover all threat avenues. The necessary side effect of trying to cover every threat is not being the best in class at dealing with any one threat; more of a jack of all trades, master of none. It also increases the learning curve for analysts.  

The threat-hunting service is very useful for a security professional.

The ability to fine-tune specific policies to protect our enterprise is also advantageous.

The increasing deployment availability on different platforms and OSs is a good functionality.

Seamless integration with the Microsoft SIEM tool and other tools such as Splunk and Sentinel is excellent.

Defender for Endpoint provides good visibility into threats, and there is always room for improvement.  

The tool allows us to prioritize risk factors and fine-tune those based on our requirements as a company. That's extremely important because different companies face different threats from an enterprise point of view. Everyone is concerned about phishing, but only certain companies deal with personal health information, for example, and those dictate the security priority landscape. This functionality is one of the essential elements in an endpoint solution.

In Defender for Endpoint, we can create a certain alert logic to alert us on either high-value assets or individuals. With Sentinel integration, we can develop playbooks for the tool, which helps us gather the information for an investigation or automate a lot of threat intelligence searching. Endpoint has its standalone functionality in this respect; Microsoft does a good job providing sufficient threat hunting in each tool in case a customer only has one. Overall, the solution's threat-hunting and investigation resources are extensive.  

Eliminating multiple dashboards saves time. It may save between five and 30 seconds, but at the end of the day, if I've done eight investigations, that's minutes saved each month. That adds to hours of work saved by not having to deal with multiple dashboards.   

Our time to detect and respond decreased; even a few minutes saved by not searching through multiple dashboards helps. Threat intelligence also informs the end user if a website or link has a bad reputation. These features help reduce the time we spend investigating an incident or alert.  

My main issue with the tool is that there are too many menus. This causes a steep learning curve for those without training or unfamiliar with Defender for Endpoint. From an end-user perspective, the solution is there on the machine and does its job; it works seamlessly. However, as a security professional dealing with it behind the scenes, the learning curve can be steep, but not too steep. Still, it has taken some of my analysts up to a month to get familiar with the product.

Microsoft is slow to act on improving the threat intelligence elimination of false positives. They have a feed of indicators of compromise, which they are constantly updating, but some of the category intelligence is sometimes off base. Microsoft is working to improve that, but threat intelligence is vital; it's there, usable, and requires some fine-tuning and adjustment. That's good, although automated threat intelligence has room for improvement.

Threat intelligence is an area Microsoft needs to improve on; if a company only has Defender for Endpoint, that's their single point of truth regarding threats. Therefore, the tool must provide as much threat intelligence and automation as possible. Defender and Sentinel offer more options, but companies with only Defender need it to be improved.

A significant area for improvement is better integration with other tool sets in the industry. The solution integrates well with other Microsoft products, but only some environments have those products or the flexibility to adopt them. Microsoft Defender for Endpoint needs to integrate with different systems, for example, Cisco or other firewalls. Better integration with more cloud vendors would also be excellent, as not everyone will have Azure.

I've been using the solution for over 15 years. 

The solution is very stable, and that has improved with time. It used to be hard on the workstations, but we experienced those issues eight years ago. Microsoft always came out with a patch within a week or two, which would fix the problem. Nowadays, the tool is very stable; the only potential issue is if something happens on the cloud end, as the dashboards are cloud-based. That's something I've yet to personally experience, though.

The scalability is there, and there's always room for improvement. I need to incorporate more outliers, but the solution is easy enough to deploy that I can quickly onboard many workstations or servers. The product is an eight out of ten in terms of scalability.

Customer support responds rather quickly; it depends on the service level agreement, but they are pretty good about getting back to us and following up on any issues we may have. 

Positive

Most of the companies I've worked for used Defender for Endpoint. I have used different SIEM tools like Splunk and briefly used QRadar a long time ago.

I was involved in the deployment planning, but different teams did the actual deployment. I understand the deployment to be easy. 

In terms of maintenance, the solution requires updates from time to time, which are handled by the infrastructure team.

I would rate the solution eight out of ten. 

The infrastructure team has bi-directional sync capabilities set up and running well. It's essential when it comes to having hybrid cloud solutions and cloud solutions from different vendors. Various systems need to have seamless communication and shared issue reporting.  

Microsoft is increasing its data connectors, which is very helpful for ingesting data from different feeds, though some elements aren't fully fleshed out yet. How much data needs to be digested depends on the enterprise; every SIEM tool has a price to pay for how much data is ingested. The simple answer is that Sentinel allows us to ingest a ton of data, and that's vital. If we can't see a threat, we can't detect it and protect against it.  

Sentinel enables us to investigate and respond to threats from one place, which is very important for us. This is an area Microsoft has improved because we used to have to go to three different portals for our security picture. Now, everything we need to find can be seen in one pane of glass in Sentinel, whether we are looking at alerts or incidents.  

The comprehensiveness of Sentinel's protection depends on an organization's security program's maturity and capacity to leverage the solution. There's room for growth, but Microsoft is making good strides in the machine learning and AI portion of its product. The setup and fine-tuning of the tool play a significant role in how smoothly SOAR operates and whether it fulfills an organization's specific requirements. The default playbook may not fit with needs precisely, and staff with knowledge of Kusto Query Language are necessary for fine-tuning. A certain level of expertise is required to leverage Sentinel's sort and machine learning capabilities fully. 

I don't know how much Sentinel costs as I don't see the bills, but the biggest standalone SIEM and SOAR competitor is Splunk. Splunk does a better job but is also much more expensive; people often complain about the cost. I can't compare the value and pricing of the two as I need to know precisely how much they cost. Splunk is supposed to have changed its pricing model to become more affordable recently, and I wonder if Microsoft did the same with Sentinel. However, because Sentinel integrates with other solutions an organization may already use if they're a Microsoft shop, it makes it worth the price.

When it comes to a best-of-breed versus a single vendor security suite, it depends on the people higher up in the organization and usually comes down to cost. Everyone wants the best of the best, but only some companies are capable or willing to pay for that because it can be costly. Microsoft is trying to provide a pricing model that encourages customers to use a suite that seamlessly integrates with Windows and server OSs and increases integration with Linux and Mac OSs. That can provide a better ROI than getting the best of the best but having limited visibility and integration with other tools and the network. Microsoft leverages the security suite model as its selling point, and it's working for them. 

I advise potential customers to read up on the community boards and look into their specific needs. Defender for Endpoint is a good competitor for those looking for an EDR solution, and for those looking for a complete security suite, it's one of the better choices. The tool is competitive, but there are other choices if a company wants the best. Microsoft Defender for Endpoint is in the top three, only considering EDR, but for those looking for a line of products to protect their company and thereby make some savings, it's one of the premier choices.