Microsoft Defender for Endpoint Reviews

Our target is to have control over protected endpoints. As a centralized console dashboard, we want to see the exposure level and security weaknesses associated with those protected endpoints.

We are a consultancy company and a Microsoft Gold partner, so we are strictly attached to the Microsoft stack. We have used Microsoft Defender for Cloud for some of our customers on a few occasions.

The solution is deployed on the cloud. From an infrastructure point of view, it's on Microsoft and likely would be geo-distributed. The solution is typically deployed for all endpoints that require cloud protection in an organization. If a company has 300 devices, typically all 300 devices are connected. It doesn't make sense to divide profiles for different departments.

On average, we have 300 to 600 devices and a similar amount of users. In a few cases, we have Defender for Endpoint protecting shared workstations.

The solution helps us prioritize threats across our enterprise. If we're talking about projected vulnerabilities, like an outdated web browser, then there's a different priority associated with that. Conversely, if we have an endpoint out of data, like outdated Windows security patches, it will be registered with a different, higher priority. It helps a lot.

Sentinel enables us to natively ingest data from our entire ecosystem. By design, Microsoft ingests data from Office 365 to Sentinel.

This ingestion of data is critical to our security operations. Without data ingestion, nothing is shown in the dashboard or in the security and compliance portal. If it stops, we don't have data to analyze.

Sentinel enables us to investigate threats and respond holistically from one place. There are threat investigations directly in the portal, which depends on the license. This feature is really important for enterprise-class companies that have a huge emphasis on security.

Since using this solution, we have seen a better perception of incoming and active threats. We're able to see weaknesses or misconfigurations in applications and operating systems for devices.

It definitely takes time to realize benefits from the time of deployment. After we deployed the agent for Microsoft Defender for Endpoint, it took about a week to collect data.

Defender for Endpoint doesn't help us automate routine tasks or automate finding high-value alerts. The most valuable feature is attack surface reduction rules, and in this case, we have an automated response. It's a lot like SOAR, which helps to contain security risks in an unmanned way, but it's limited to just that feature.

This solution absolutely eliminated the need to look at multiple dashboards because we have one XDR. It's a worthy capability that helps a lot. Having one dashboard makes our security operations more seamless. To retrieve data, we consult different places within the portal.

The solution's threat intelligence helps us prepare for potential threats before they hit and take proactive steps.

The solution saves us time, but it depends on the point of view. It helps to have a better understanding and outlook on our current situation within our organization and plan proactively for tasks in order to improve our security score.

We saved money by not needing to buy additional pieces of software or deploying additional infrastructure for an on-premises security product.

It also depends on the competitor and the infrastructure required.

Detection and response take minutes because as soon as something is compromised or something happens within our organization, an alert will be triggered within minutes. After we receive an email with an alert, we are likely to start the analysis and remediation if it exceeds or doesn't fall within the scope of the attack surface reduction rules.

The attack surface reduction rules are the most valuable. We're able to have unattended remediation actions when the solution works side by side with a local antivirus like Microsoft Defender or Kaspersky. The attack surface reduction rules help us to proactively block and stop threats.

The visibility into threats is fair. It's accurate and gives us control over threats.

Prioritization is pretty important to us because we need to concentrate on new threats with higher risks associated with them.

Generally speaking, Microsoft Defender for Endpoint, along with Sentinel, provides fair, decent capabilities but it depends on the situation.

Reporting could be improved. I would like to see how many security incidents occurred in the last six months, how many devices were highly exposed to security risks, and how many devices were actually compromised.

I have worked with this solution for more than a year.

It's very stable.

Generally speaking, there are no bugs or glitches. We have had issues twice in the past two months, but nothing too critical. Before those two occasions, it hadn't happened in a year or more.

It's highly scalable considering it's a SaaS solution.

I would rate technical support an eight out of ten. It depends on the support engineer who is working on the problem.

Positive

We used Kaspersky, but the version is exactly comparable to Microsoft Defender for Endpoint.

We switched to Microsoft for better integration. It integrates very well with the Microsoft antivirus, so we don't have to deploy additional infrastructure or an additional piece of software. We have extended security controls over Windows devices especially and a single dashboard.

There is also integration with Intune, which is the MDM from Microsoft.

The initial setup was absolutely straightforward. We spent some time reading the documentation in order to understand how the setup and agent deployment worked, but then it was pretty straightforward.

It took a couple of hours to deploy the solution. Assuming you have the current licenses, you need to enable the features at the tenant level, and then you have to create a policy to distribute the Defender for the Endpoint sensor.

One person is sufficient to set up and onboard devices. The solution doesn't require any maintenance because the solution is upgraded from the cloud. Maintenance is very limited.

We have absolutely received ROI. Initially, it's time-consuming to understand how to onboard devices and start protecting them, but it's pretty easy to replicate the configuration across different customers.

The price is fair for the features Microsoft delivers. If you want tailor-made features, you have to mix different licenses. It isn't straightforward.

Intune is an additional cost. Microsoft Defender for Endpoint works really well with Intune, but you may decide to go for a license that encompasses Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Intune, which is typically a Microsoft E5 license.

I evaluated other solutions, but the decision diverted to Microsoft products because we have a Microsoft partnership. I requested more information from PeerSpot about the differences between Microsoft Defender for Endpoint and Sophos Intercept X because I had to provide a business justification to a customer in order to go for Microsoft Defender for Endpoint.

I would rate this solution an eight out of ten.

There are pros and cons to having a best-of-breed strategy versus a single vendor security suite. I would go for a single vendor security solution just to have convergence but it depends. Considering the fact that I'm working for a Microsoft Gold partner, I haven't had the occasion to make a comparison.

I would recommend implementing Microsoft Defender for Endpoint. My advice is to use Intune to have better control, especially for Microsoft devices. I would also advise using third-party local antivirus solutions rather than relying on Microsoft Defender Antivirus, which is a lock-in to a single vendor.

We use Microsoft Defender for Endpoint for our antivirus protection.

The visibility into threats that Defender for Endpoint provides is good because we are using all Microsoft products. 

Microsoft Defender for Endpoint assists us in prioritizing threats throughout our enterprise. This prioritization of threats is crucial for safeguarding end-user devices.

Sentinel allows us to gather data from our entire ecosystem, and the interface is highly impressive. Data ingestion is of utmost importance for our organization, especially concerning the security of our environment.

It allows us to comprehensively investigate threats and respond from a unified platform. This is of great significance to us, as Sentinel plays a pivotal role in our Security Operations Center.

Microsoft Defender for Endpoint assists us in automating the prioritization of critical alerts. I am certified in cybersecurity. Recently, I have begun the process of renewing my certification as it is set to expire next year. I have been reading numerous articles regarding Sentinel, Defender for Cloud, Identity, and Endpoint applications, and there is a multitude of information available. Automation is now fully integrated, which holds significant importance for enterprise-level customers.

The solution assists in eliminating the necessity of using multiple dashboards, providing us with a single XDR dashboard integrated across various Microsoft products.

The threat intelligence assists us in preparing for potential threats before they occur, allowing us to take proactive measures to prevent them. The assessment mechanism analyzes and identifies threats, providing clear instructions before we proceed to the security parameters.

It has saved our clients time, mainly with their SOC operations. 

The antivirus is the most valuable feature.

There are alternative solutions that offer a greater range of dashboard insights when compared to Microsoft Defender for Endpoint. The solution needs better integration with third-party vendors.

The analysis that identifies the threats and remedies them can be enhanced in a future release.

I have been using Microsoft Defender for Endpoint for almost four years.

Microsoft Defender for Endpoint is stable.

Microsoft Defender for Endpoint is scalable.

The quality of technical support is determined by the customer's priority levels: P1, P2, and P3. Overall, they are known to provide good support.

Sometimes, the support takes a while to respond, and their shifts change, so we have to begin again with the new person on the shift.

Positive

The initial setup is straightforward for me. All Microsoft products are easy to configure and integrate data also. To properly utilize all the features the person integrating must understand the architecture code concept as well.

Before deployment, I consistently conduct a rapid assessment to comprehend the customer's infrastructure. Subsequently, I formulate a plan grounded in this information. Typically, we aim for minimal personnel involvement due to the centralized nature of cloud operations. Additionally, we can advocate for either GPO or CCM deployment software. Our approach entails utilizing a singular architect, one resource, and one SME for implementing and overseeing the infrastructure, aligning with the security prerequisites of the customer's locale. Continuous monitoring of the infrastructure is imperative, maintaining a 24/7 vigilance.

The implementation takes around three months to install and configure.

The pricing is competitive. The pay model is pay as we use.

For organizations that make use of all Microsoft solutions, the cost is lower, and the visibility is increased.

I rate Microsoft Defender for Endpoint nine out of ten.

Microsoft Defender for Endpoint is indeed a commendable product. However, despite its implementation, we should consider the integration of other security products. This is due to the escalating variety of cyberattacks prevalent today. While Windows consistently issues patches to update its existing products, I propose the adoption of a dual-product approach within our infrastructure. This approach aims to preempt eleventh-hour security breaches. By juxtaposing and scrutinizing the attributes of different solutions, we can better comprehend their nuances, specifically at the feature level. The pivotal factor lies in how adeptly a solution identifies and mitigates potential threats. Therefore, I advocate for the incorporation of two distinct solutions within our infrastructure. This strategy is poised to yield heightened efficiency, effectively mitigating the risks of both security breaches and data breaches.

We use the solution for antivirus and firewall protection.

Microsoft Defender for Endpoint's visibility into threats is good. The solution helps us prioritize threats across our enterprise.

Microsoft Defender for Endpoint has helped our organization by providing continuous protection across our organization without overloading our CPUs by running in the background. We realized the benefits of Microsoft Defender for Endpoint while we were comparing it with other solutions.

Microsoft security solutions help automate routine tasks and identify high-value alerts. I used to work as a System Administrator or Network Administrator, so I understand how useful it is for admins to have their routines automated. I am aware that the solution supports policies and ensures that it is very beneficial.

Automation has enabled the process to be automated, such as protecting certain roles or allowing digital transactions, etc.

Microsoft Defender for Endpoint's threat intelligence helps us prepare for potential threats before they hit and to take proactive steps.

Microsoft Defender for Endpoint saves us time and money.

The solution has helped reduce our time for detection and response.

Microsoft Defender for Endpoint is easy to load and it runs quietly in the background, unlike other solutions.

The solution is reliable.

Microsoft Defender for Endpoint can use more advertising to promote their features.

I have been using the solution for five years.

The stability of Microsoft Defender for Endpoint is good.

The solution is easily scalable. We have ten people using the solution currently.

I previously used, Symantec Endpoint Detection and Response, ESET Endpoint Security, and McAfee MVISION Endpoint Detection and Response before switching to Microsoft Defender for Endpoint.

I give the solution a ten out of ten.

The solution is deployed across our local network. 

I recommend the solution and it should not be removed from a person's computer.

The type of endpoint security solution that is used in an organization should be based on the environment.

In the past, I needed two, three, or four apps to do my job. With Microsoft Defender for Endpoint, I have all the resources on one site. I can check what the threats are and if the computers need to be updated or if they reboot with various apps. It's very helpful for us. For example, I have colleagues who use different versions of a certain programming software. With this tool, I can check whether they need to update the app because an older version might have a lot of bugs. I can check which applications need to be updated or uninstalled.

I have a lot of alerts set up as well. For example, all our users are here in Mexico. If we get someone connecting in the UK or Venezuela or Colombia, we get an alert. I then know I need to change the password and use two-step authentication.

And I get a message when a new threat comes up or I need to do updates to different tools. This is helpful because threats are always working in innovative ways. These are very important messages for us.

Defender for Endpoint saves me a lot of time because I have all the alerts and information in one application. It also saves money because when you lose information due to an attack, you lose a lot of money on the reconfiguration of the sites or the information or on the recovery of a backup or a server. It's very important to have a tool like this. It saves a lot of money. The cost-benefit is very good.

It's a very complete application. I have all the controls in one site. I can track emails, attacks, and threats, and I can research information. I really like this configuration because I have all the information in place. It was very easy for me to configure it to show me all the things that I need in one dashboard for monitoring.

The visibility into threats is very good. I can track the threats very easily in this application. I have also used Trend Micro and it's more difficult to do with that solution. With Defender, I have all the information and I can follow all of the steps and do my job. It's really easy and very impressive.

I also use Microsoft Endpoint Manager to control all our laptops and cell phones. I take care of all those policies in that solution. In addition, I use Microsoft Azure and Microsoft Exchange, as well as Teams and SharePoint. I have integrated them all into one environment. All the solutions are integrated into one solution and that makes my job easier. Integrating them is really easy because you have one platform to configure all of them. In the role of the global manager, I can make all the changes in these solutions. And the process for connecting all these apps is very easy.

I have two different environments, two different types of accounts. I have accounts for administrators and corporate employees, but I also have accounts for students. I can't split these types of accounts. I need a separate configuration for both. I don't have access to the laptops or computers of the students, so I can't deactivate the alerts from the students' machines. I get a lot of alerts from their machines. I need to research how I can get alerts for only the administrative machines.

I have been using Microsoft Defender for Endpoint for three years.

The stability of Defender for Endpoint is very good. I haven't had trouble with it.

The scalability is pretty good. It's easy to scale it.

I have different locations here in Mexico, with about 300 users here and two or three in the UK, depending on the travel schedule.

I have contact with a Microsoft partner here in Mexico as well as directly with Microsoft. If the partner doesn't have a solution, I can contact Microsoft support.

The support is very quick in communicating. Usually, with one mail or one call, the problem is resolved.

Positive

I used Trend Micro and Symantec in the past to research threats, like viruses and malware, but for me, Defender for Endpoint is the better solution. It's very easy to integrate all the tools and gives me a lot of information in one place. It's very easy to detect an attack or email threat.

I also get all the alerts on my cell phone. Because I have all the alerts, if one of my colleagues in the IT area makes a change, I have all the information. That makes it very easy to maintain.

For me, the pricing is very good, but for management it's very expensive. Other solutions are less expensive. But when I present all the information and all the reports they say, "Well, it's expensive, but the cost-benefit is very good."

If you have all the information, and you are clear about what solutions your business needs, and Microsoft has all that information, the change is very easy. It's a very good solution.

We have been using it in our test environment. On the customer side, we are using the small business variant of the tool. So, we are using Microsoft Defender for Endpoint and Microsoft Defender for SMBs. They're pretty similar, but the one for SMBs is a little lighter.

In our test environment, we have access to 50-seat licenses for everything. So, we are making sure that we are technically in a good place before we begin to offer this kind of solution to our clients. In addition to our solutions, we are delivering services to our clients. So, when we sell an SMB or enterprise Microsoft license, we are able to do the migration, management, and other things for a client.

It works well with different solutions from Microsoft. If a company is using Microsoft 365 package, this security addition is easier to implement and manage because it is from the same vendor. You have greater visibility because they are from the same vendor. Microsoft probably also has larger visibility on the endpoint itself because of its own operating system.

It provides good visibility into threats. I would rate it a seven out of ten in terms of visibility.

Its threat intelligence is helpful for preparing for potential threats before they hit and taking proactive steps. We can manage our own images, and we can also inform the client to patch certain things.

I've started to test it from the security point of view. There are plenty of features that are interesting, but at this time, the XDR functionality is most valuable. It is endpoint security on steroids.

It allows you to prioritize threats across the enterprise, which is very important because the SLAs are different for different cases. If the error is critical, you must act now. If something is just informal, it can be done in weeks. 

I miss having an executive dashboard or a simple view for viewing things. Everything is extensive in this solution. Everything is configurable and manageable, but the environment of Microsoft 365 has about 13 administrative dashboards, and in each of the dashboards, there are a gazillion things to set up. It is good for a large enterprise, but for a 200-seat client, you need to see 5% of that.

A simplified SIEM would work so that we don't have to use everything on the Sentinel, which is great by the way, but Sentinel is too expensive for our kind of market. It is an enterprise product. It is not an SMB product.

We have been using it for half a year in our test environment.

It is good. It is stable. Once you set it up, it works, but we haven't tested it on a large time scale. The solution itself is pretty young. We'll see how stable it will be in the next few years.

It is very scalable. We hope to increase the usage of the product. It is being used only by our team for now at multiple locations. It is for laptops in the office and other networks and also for mobile devices. A few tech guys in our department are testing everything that could happen on the client side, and that's it.

I didn't use their support for this solution, but the knowledge base, training, and documentation are pretty good. I would rate it a nine out of ten.

Positive

It is complex. You need to first have a list of computers. Then, you need to set up the plan for these computers, and then, you need to deploy it and apply it. There are too many steps to deploy this kind of solution because it is a Microsoft native solution.

In terms of the implementation strategy, first, you need to have a view of the inventory. You have to have knowledge of what is already installed on an endpoint. You don't want to cause any clashes with some other endpoint security vendor. So, you need to know your devices. The next one is to prepare the package and then decide to deploy it via Intune or via MSI, through group policy.

In terms of duration, you can deploy it on one computer in minutes. If you are deploying it on a thousand computers and everything is set up correctly, it can be done in a few hours, but if everything is not set up correctly, it can take up to a day or a week. 

It took a month for us to realize its benefits from the time of deployment. It takes some time to understand the settings, portal, etc. 

It has not yet saved any time. It has only consumed my time for now because I need to learn and do the training and PoCs, but it is an investment for the future.

The number of people required for deployment depends on the size of the client or the company. I can do it by myself if I have a client with 100 seats, but if there is a corporation or enterprise in several locations, we need to involve the local IT people to confirm everything is okay, etc.

It doesn't require any maintenance, but it requires somebody to take care of the consequences. You can implement endpoint security and just have it there. You don't have to maintain the solution itself, but you need to take care of the alerts. You need to take care of the patches and other things. The number of people required depends on the size of the client.

It hasn't saved us any money yet. It might save in the future, but it depends on the pricing of Microsoft because there are several different parts of the Microsoft solution. 

Everybody would like to see a lower price on everything. The Slovenian market is basically an SME market with clients having up to 100 seat licenses, comprising 90% of the company. They're very price sensitive. So, the price could be cheaper. 

Any additional costs depend on the basic license of the client. There could be additional costs. If somebody needs Plan 2 of Defender for Endpoint, if I'm not mistaken, it is only available as an add-on. It is not included in any license, not even in the E5 license. So, there are some things at an additional cost.

We are always open to suggestions and newer and better things. We are constantly looking around for similar solutions and testing them. Microsoft is the biggest player. Everybody uses something from Microsoft. So, it is a logical next step. For an MSP, by having everything from one vendor or everything under one umbrella, managing clients is easier. This is the main reason for exploring this solution.

At the moment, we are using the Cynet XDR solution, and we also tried SentinelOne. We are going to put it in our portfolio in the following months, but mostly, we are comparing everything to Cynet because we have more clients on Cynet.

In comparison to other solutions that we are using, Microsoft Defender for Endpoint has not decreased our time to detect and time to respond much.

In my opinion, from the management and maintenance point of view, it is better to go with a single vendor, but from the security point of view, multiple vendors on multiple layers could work better than one vendor. If one vendor is breached, then everything goes, but if you have several layers with several vendors, and only one is breached, you have other vendors.

My advice to those evaluating Microsoft Defender for Endpoint is to stick with it and train themselves. They should know the solution and try it as much as they can. Microsoft is on the right path here.

It helps to automate routine tasks and the finding of high-value alerts, but we haven't yet implemented automation. We are planning to implement it, but at this time, because of a small number of clients, it is easier to do it manually. We just look into the alerts and resolve them one by one. We don't have a few thousand alerts per day, per week, or per month. So, it is manageable to handle them manually.

It would help us to eliminate looking at multiple dashboards and have one XDR dashboard, but we haven't yet managed to do that.

I would rate it an eight out of ten. I would have rated it a ten, but it is a pretty pricey solution.

We use it as an antivirus and EDR solution. We also use it for vulnerability scanning and threat hunting.

It is cloud-based. We have a cloud-first strategy when it comes to our organization.

We are a very small, lightweight start-up organization who has only been around for a couple of years. We have 17 endpoints. 

We have it deployed on our endpoints and virtual servers. We have a few Windows Servers 2019, and we have onboarded those both onto Defender for Endpoint as well. Those servers are not managed by MDM because they are Server 2019, but we have onboarded them so they are being managed by Defender for Endpoint as well.

This solution definitely increases our security posture. When you are reviewing your existing fleet or endpoints and based on the configuration that you put out of your Defender for Endpoint, you then receive a security score from Microsoft. Depending on what rules you have configured, what policies you have deployed, and what attack surface reduction rules that you have set up and deployed, it is almost gamifying information security in the sense that you are always trying to achieve a higher score. The more hardening you perform on your endpoints, the better score you receive. This generally tends to give you a better peace of mind, but also makes you secure at the same time.

I like the fact that it is baked into the Microsoft platform. 

Since we have deployed it, we have been really impressed with the way that everything just stitches together really well. You can access all your security data and telemetry from a single pane of glass on the Microsoft Security admin console. You can access all your endpoints, see how your antivirus is running, and get all your vulnerability scans and reports. In the software inventories, you can review your known vulnerabilities and understand whether those are zero days or if there are active threats out in the wild. Essentially, you don't need to jump into different admin consoles. You have everything built into Windows Defender Security Center, which we find really useful.

If you consider our organization, we are a fairly Mac-heavy organization. At the moment, around 80% of our fleet are Mac OSs. We made a conscious decision to roll out Defender for Endpoint against all our endpoints, whether it is Windows or Mac OS. However, one thing that we have noticed is that there is definitely no parity on the platform between the two operating systems. When you are configuring, deploying, and onboarding machines, you can get very granular with your security configuration when you are deploying it to a Windows's endpoint. For Mac OS, it is a lot more straightforward. You don't have the ability to apply as much configuration as you would on Windows. That is definitely something that has room for improvement. 

I am also not sure how well the EDR functionality works on the Mac OS platform. It just provides an antivirus and the full EDR capability is not there on a Mac OS. 

The web filtering needs a little bit of work. We are actually in the market at the moment for a third-party web filter or cloud secure web gateway to try and plug that hole since it is a bit of a pain point for us. I don't think we will use the baked in version from Defender for Endpoint.

On the Mac OS platform, there is no parity between Windows and Mac OS. The solution is very feature-rich and very well-integrated into Windows, and I guess baked into Windows 10 and Windows 11. Whereas, on the Mac OS platform, there is still some work there to give it a more feature-reach platform.

I have been using it for about a year.

With Windows, we have been very happy. We have had no issues or problems whatsoever. We had one issue on the Mac OS platform when an update to Mac OS was deployed. It wasn't a major update, like Monterey. It was a point update. So I think it might have been 12.2.1 where the Defender icon was starting to display across, which means I found a threat or it's not working properly. We had that across a handful of machines. I did a bunch of Google searches and sort of realized this was happening to a lot of other organizations, so it was probably a false positive.

I contacted Microsoft support who confirmed that it was just a visual glitch. I guess Apple is well-known for this. When they do push out their updates, they attempt to break the occasional third-party system. That was the only issue that we have encountered, which was more a visual glitch than an actual threat.

It is pretty much zero-touch because the definitions sort of update themselves. The application updates itself because it is deployed through Microsoft Intune. Therefore, the maintenance is pretty straightforward.

It is very scalable. Because it is cloud-based, it is elastic in its nature. You can onboard machines en masse. Whether you are onboarding 15 machines or 1500 machines, it is very straightforward.

As we scale up, this is now our AV and EDR of choice. Every new machine will be rolled out or onboarded to Defender for Endpoint. We will be sticking with it in the long-term. We have also the logs and telemetry from Defender for Endpoint being ingested into our MDRC platform.

The technical support is very good. Wherever I have worked with them, we have always been enterprise customers. Whenever I have raised a ticket for support, you generally receive a phone call anywhere from 10 minutes to three hours after raising your ticket. Even if it is not a P1, but a P2 or P3 ticket or just a request for information that you have generated in the form of a ticket, they will respond back to you quickly.

They have good levels of escalation. So, if their first line support is unable to help, they can quickly escalate to the second or third line. I have never really had any problems with Microsoft support. That is across Defender for Endpoint and Microsoft Endpoint Manager as well as for the productivity throughout Office 365 and Azure Active Directory.

I would rate them as eight out of 10.

Positive

We currently have an MSP in place, which is a managed service provider, who manages all our IT support, service desk, and desktop support functions. They had already purchased an antivirus subscription for the organization when I joined the organization, and it was a fairly basic one. Our biggest problem was that it does not have any SIEM integration. 

When we decided to go down the route of having a SOC or MDR service, we couldn't ingest the logs from the antivirus platform into their SIEM. That is when the hunt started for a new AV service.

I wouldn't say the user impact has changed on top of the AV product that we had before.

The initial setup was very straightforward. Microsoft, as an organization, is quite well-incentivized to get you to use their own products. There are hoards of material out there via their social media channel, through their own documentation, or the Microsoft Learn platform. There are reams and reams of user guides for you to go through, all of which are fairly straightforward. They are regularly updated as well.

It is all cloud-delivered so there isn't any on-premise infrastructure that I need to maintain, patch, or configure. It is literally all configured in the cloud. So, it was a very easy setup process for me.

It took days to get a proof of concept together on a handful of machines. Over the next few weeks, once we got the go ahead and thought, "You know what? We are going to go with this." It was just a matter of weeks and that was more down to team availability. We needed to sit down and offboard the existing AV, which we weren't particularly happy with, then onboard Defender for Endpoint. So, we tied that project with our MDM rollout. Therefore, while we were deploying our MDM solution and enrolling the device, we were onboarding the machine to Defender for Endpoint as well.

I actually set it all up myself. I am the only technical person at the organization. I have worked with Microsoft quite extensively in the past, and I have used their fast track consultancy services in other organizations that I have worked with as well. Therefore, I am quite confident and familiar with Microsoft technologies. 

We then signed up with an MDR supplier who does managed detection and response. Essentially, that is a team of cybersecurity experts who connect to our infrastructure and all the data telemetry from our endpoints feed up to their platform. If they see any threats, anomalies, or events, they will then jump in, reviewing and remediating as required.

We had a consultancy session with one of their Microsoft consultants around a month ago, where they reviewed the setup that I configured. They put in two or three recommendations to harden the setup a little bit more, but they were overall pretty happy with it. Thus, if I can do it, then it can't be that difficult.

There is less overhead in terms of having the system administrator or information security manager jumping around different systems and trying to actively keep a handle on our security posture across the organization. Instead, everything is right in front of me.

One of the first things that I did when I came onboard in the organization was scrapping our reseller agreement. I registered us as a not-for-profit with Microsoft, and we now get subsidized licensing at effectively half price. It just sort of makes sense for us. Now, we buy our licenses directly from Microsoft rather than our formal license reseller.

Even if you are not registered as a not-for-profit, the offering that they have is definitely worth consideration. This is in the sense that the E5 stack just gives you so many benefits. You get your entire productivity suite through Microsoft 365 apps. You get all your security and identity protection. You get the Defender for Endpoint and Defender for Identity. You get the cloud access security broker as well. You get Azure Active Directory Premium P2, which gives you so many good things that you can configure and deploy. You don't have to configure them on day one, but you have access to so many different tools that will protect your data, security, endpoints, and identities that you could build out a security strategy 18 months long, and slowly work your way through it, based on what you have available to you through your license.

You can purchase some add-ons, like Microsoft Threat Expert team. I have not read too much into that, but my understanding is that comes at an additional cost. Since we have a dedicated MDR and SOC sitting on top of our Defender for Endpoint, it is not something that applies to us anyway.

We are E5 customers. Essentially, we have the flagship license. We looked at a lot of different organizations and vendors for our antivirus needs. We spoke to the usual suspects: CrowdStrike, Sophos, and Darktrace. 

Because we also have a Gartner subscription, we reached out to our Gartner analyst, and said to them, "Look, we have the E5 license and know that Microsoft doesn't have the greatest reputation when it comes to their antivirus products, but we understand they have come on a lot over the last few years. This is the direction that we proceed. We want to deploy Microsoft Defender for Endpoint. We then want to layer an external managed detection response service on top of it that will essentially provide 24/7/365 monitoring for alerts and anomalies." Gartner advised us that it has improved to the point where they are now considered one of the leaders on their magic quadrant, so we should be absolutely fine with it. 

Originally, Microsoft wasn't in mind for us at all. We sort of had our heart set on CrowdStrike because we were really impressed with them. We got quite deep into advanced discussions with them and Darktrace as well.

The deciding factor for going with Microsoft was the budget. We were already paying for the E5 licensing. So, we were allowed to use Defender without any extra costs. We could just enable and configure it. We thought that we would use the budget left over to purchase a dedicated MDR service who would maintain an overall ability for all the endpoints to connect with it. We could also expand that to our Google Cloud Platform as well as our AWS and Azure Cloud environments. We could also extend that service onto our physical appliances, e.g., the logs from our on-premise firewalls, security appliances, and routers.

We felt that in terms of scaling up to get to the security posture that we needed, this might be a better solution for us. Whereas, CrowdStrike and Darktrace, at the time, were more focused on the endpoints. For example, if there was some suspicious behavior happening on our Azure Active Directory and our CEO's user account was under a brute-force attack, then CrowdStrike wouldn't necessarily pick up on such an attack because they are more focused on the endpoint rather than the cloud instances. Thus, we thought Microsoft gave us better coverage overall as well as the fact that we were already licensed for it.

It just made sense for us to go down that direction. We just felt we would have a more well-rounded approach if we went with Defender for Endpoint supported by the MDR service, who would then provide monitoring over all our cloud instances, endpoints, and on-premise infrastructure and appliances.

One of the main benefits is cost. Being an E5 subscriber, we are essentially already paying for Defender for Endpoint. However, it wasn't on our initial list of antivirus solutions when we were going out to market. We really felt that we were going to go for a managed service, such as CrowdStrike or Darktrace. When we decided to go for Defender for Endpoint, we created a cost savings. So, it was easier for us to prove the business case to our senior management.

A good antivirus is something that sort of happily sits in the background and just pretty much does its job until it is needed. It is just sitting there constantly watching and monitoring. Then, if it does need to intervene or remediate against the threat, that is when you know, "My antivirus is happily working." We haven't had many incidents to deal with. To be honest, we have had a couple of false positives. 

Definitely shortlist them in your list when you are out looking for a new vendor. What tends to happen with a lot of IT professionals is that they overlook the Microsoft offering because of the reputation that Microsoft Defender has had in the past, when it came to its consumer version. However, they have spent the last few years completely revamping their security stack. I think it offers a really well-rounded, holistic approach to cybersecurity now. They are definitely worth considering next to CrowdStrike, Sophos, and Darktrace.

A lot of organizations are probably like, "Oh, no, we don't want to get Microsoft. We don't want to get Defender. We want to get an established name," but I think Microsoft has put a lot of effort, budget, and development time into their security stack. It is a great suite. 

As their Azure platform grows, they leverage that to power and drive their Defender for Endpoint. A lot of the protections that they deploy are cloud-delivered platforms. So, they are picking up telemetry from millions of different signals and endpoints. They have so much data and can see trends really quickly.

I would rate them as eight out of 10.

Microsoft Defender that you get by default on Windows is an unmanaged solution. It detects, but it is conventional EDR in the sense that it can detect malicious code on the machine, but it is not good from an enterprise point of view because you can't see what is being detected. The difference between Defender and Defender ATP is that you get what's called the execution chain, which is its classic use case. 

When I try to open an attachment to an email, Defender tells me that this is malicious, but when you are in an enterprise and you do receive an alert that the file is malicious, the problem usually for the analyst is that they don't know what the person clicked on. They know there was a malicious file but was it an attachment? Was it something on the USB stick? Did they download it from the internet? That's not clear. Defender ATP gives you the execution chain. In this particular example, you can see that it was outlook.exe that launched the suspicious file which then launched or tried to download various components. You can see the whole execution tree because very often, the initial thing you get is a dropper, which then downloads subsequent components, and very often, the subsequent components get missed.

It essentially gives you visibility into the execution chain. So, you are better able to do a risk assessment. For instance, if something came from Outlook, then you know that you need to go and look in exchange or look in the mail system. If the trigger came from winword.exe, then you know that it was a document, and the person had opened a document from the email. You might see Internet Explorer, when it was still there, spawn PowerShell or a command shell, which is unusual, or you might see calc.exe open a command shell. All of this detection is invaluable for identifying whether something is suspicious or not. Your EDR might not detect any of this, but ATP would see this suspicious sequence of opening and flag it. So, essentially it is the visibility and the ability to detect unusual behavior that conventional EDR would not necessarily do for you.

Its version is usually up to date. It is a cloud solution. 

Its visibility is the most useful part of it, and it also increases the effectiveness of your response. You spend less time asking the users the standard question of what did they click on. To which, they usually say that they didn't click on anything. You can go in ATP, and you can see that they opened an email and then clicked on a link, and the link is this. There is no hiding this. Users do lie.

You can detect threats that are not necessarily known because of a behavior. If you have Internet Explorer opening a command shell, that is not normal. That does not happen unless there is some kind of malicious activity. It is also very good for visibility into what PowerShell scripts do. PowerShell is a double-edged sword. It is very powerful, but in a lot of cases, there is no visibility on what it is doing. With ATP, we generally have that ability.

I like the process visibility. This ability to visualize how something was executed is valuable, and the fact that Defender ATP is also linked to the threat intelligence that they have is also valuable. So, even if you have something that doesn't have a conventional signature, the fact that you get this strange execution means that you can detect things that are normally not visible.

The other feature that I like in Defender is that because it is up in the cloud, when you're trying to do any kind of managed service, it is fairly easy to set up if you're just within one tenant, but there are a lot of things wrong with the way Microsoft does it as compared to other products like Palo Alto Cortex, SentinelOne, or CrowdStrike.

The catch with ATP is you have to have the right Microsoft license. The licensing of ATP is linked to the licensing of Office 365. You have to have an E3 or an E5 license. If you have a small office license, it is not possible for you.

Another challenge is that it is not a multi-tenant solution. Microsoft's tenant is a licensed tenant. I'm an MSSP. So, I have multiple customers. In Microsoft's world, that means that I can't just buy an E5 license and give that out to all my customers. That won't work because all of the customer data resides within a single tenant in Microsoft's world. Other products—such as SentinelOne, Palo Alto Cortex, CrowdStrike, et cetera—are multi-tenant. So, I can have it at the top of the pyramid for my analyst to look into it and see all the customers, but each customer's data is separate. If the customer wants to look at what we see, they would only see their data, whereas in the Microsoft world, if I've got multiple customers connected to the same Microsoft tenant, they would see everybody else's data, which is a privacy problem in Europe. It is not possible to share the data, and it is a breach of privacy. So, the licensing and the privacy aspect makes it problematic in some situations.

It is also very complicated. If you decide to outsource your monitoring through an MSSP, the model for allowing the MSSP to connect to your Defender cloud is very complicated. In Office 365, it is relatively simple, but because of the way it has been done in Defender—because Defender is not part of the same cloud—it is a mess. It is possible, and it is workable, but it is probably one of the most complicated integrations we do.

It is still clunky as compared to products like Cisco AMP, SentinelOne, and CrowdStrike. Microsoft took the Defender product, and they bolted on the extra features, but you can see that there are different development teams working on it. Some features are well integrated, and some features are not. They keep on improving it, and it is better than it was. It is better than an unmanaged solution, but it is far from perfect.

I have been using it for about two years. I've got a couple of customers today with it.

Its stability is lesser than some of the competition. I've seen machines having a blue screen. I've seen machines block, but it is usually a problem related to the lack of resources. I wouldn't deploy it on a machine with less than 16 gigs of memory. All the issues that we had on the laptops were essentially related to memory because it does all the analysis in memory, and it eats a lot of memory to do that. So, stability is more a function of making sure that your endpoint farm has what's available. If you've got less than 16 gigs, I would not recommend it. You need to either change your endpoints or consider using another solution because although it'll work, it can be very slow.

It is like Microsoft Office. Its scalability is good, but I don't know how manageable it would be on a big scale. The biggest deployment I've worked on was about 5,000 endpoints, and it seemed to be okay.

It is Microsoft support. It can be very good, and it can be very bad. It depends on who you get on the phone. I would rate them a five out of ten.

Neutral

It is very simple. You can deploy it through the normal tools that you use, such as SCCM. The deployment for it is linked back to your tenant. 

We use it as a headless install. It is pushed out onto all the machines. Our normal rollout process rolls out about 50 to 100 machines in no time. They can pull the agents from the internet, or they can pull the agents internally, deploy them, and turn them on. For an antivirus, it is quite quick.

In terms of maintenance, it is pretty much like other Microsoft solutions. If you are able to do the auto-update functions, that's good. The downside to it is that it is fairly heavy on network traffic. On one of the large deployments, we found we had problems with the internet gateway because the console and all the telemetry and everything else is in the cloud. It was problematic.

It runs in the background. It is like any other antivirus solution. Sometimes, it needs tuning. An example would be that we have developers who do a lot of source code compiling. They might have tens of thousands of files that get touched or accessed when they do a compile. We have to make sure that those particular file types and certain directories are not scanned on read when they're opened. Otherwise, what normally might take an hour to compile can take more than 12 hours. That's not a problem specific to Defender. It is a problem in general, but it is fairly easy to create profiles to say that for those particular groups of machines or those particular groups of users, these file directories are exceptions to the scanning.

The licensing fee is a function of your Office 365 license. The feature set you get is a function of the license as well. There is probably an E2 version, an E3 version, and an E5 version. There are several versions, and not all features are the same. So, you might want to check what features you're expecting because you might get shocked. If you only have an E3 license, the capability isn't the same.

You have to look at the total cost of ownership (TCO) because the license component is only one aspect of the block. So, if your internal IT teams know well about IBM cloud solutions, then Defender is very easy because there is nothing new. What hurts the projects is integration. It is a hidden cost because it is beyond licensing. It can be problematic if you don't have some of the other integration tools from Microsoft. So, if you don't have the package deployment platforms and all the cloud equivalents, then there is a lot of manual work involved.

The other aspect that comes into the cost is that there is an option to store. You can make the agents report a lot more information, but if you increase the storage, then you increase your Azure storage costs, which can be painfully expensive. You typically have about 7 to 30 days of basic detection data included, but if you want to keep a more detailed log so that your IT guys can go back and figure out what was going on, it would increase your storage requirements, and that can get expensive. I know customers who turned on some of the features to increase the detection rate, and they got a huge bill from Microsoft.

A weakness, as well as an advantage, of Defender is that it is always on the cloud. There is no on-prem. You deploy additional agents into the customer infrastructure, but the console and the feedback are through the cloud.

Customers often say that Microsoft has included it in their license. So, it is license-cost neutral, but just because it is included in the license and appears to be cheap, it isn't necessarily a good reason for doing it. It isn't equivalent to other EDR or XDR solutions, but to an extent, you get what you pay for. ATP is a work in progress. To me, it is not a complete product.

Customers also go for it because it gives them visibility, and it means it is one less system to manage. They have the license for it, and they just want everything in the same ecosystem. There isn't much that we can do about that. As an MSSP, we're agnostic from a technology point of view. If the customer says, "This is what we want to do," we'll take it over.

I would advise asking yourself:

• What do your endpoints consist of?
• Which operating systems, such as Windows, Linux, iOS, or Android, will you have to support? The functionality that you get depends on your license.
• What is it that you're trying to achieve by taking Defender? 
• Are there more capable XDR-type solutions out there? 

If I was comparing them, from most effective to least effective or least integrated, I would put SentinelOne, Palo Alto Cortex, Cybereason, Microsoft Defender, and Cisco AMP.

If you want to get into the advantages of XDR solutions, which is about the detection capability coupled with artificial intelligence (AI) and data leaking, then it may not be the solution that you want. If you also want to be able to do threat intelligence, it is not the solution for you. That's because essentially the threat intelligence features are not there. You can get some threat intelligence from Azure, Microsoft Sentinel, etc, but it is not in the product like with Palo Alto Cortex, SentinelOne, or Cybereason.

I'd give it a cautious six out of ten.

I am a SOC analyst and I use Microsoft Defender for Endpoint to investigate endpoints in our environment and malicious activity.

The visibility into threats that Defender provides is excellent. The logs I receive are quite comprehensive, allowing me to see what is happening on each endpoint, including the running processes and generated alerts. It does a pretty good job of detecting when certain events occur, which helps me stay attentive to potential issues. Overall, it offers significant visibility.

Defender does a good job in helping to prioritize threats across our entire enterprise because it provides me with context by distinguishing between high and medium threats.

We also utilize Azure Sentinel, Defender for Cloud Apps, Defender for Identity, and Office 365. These solutions are integrated together, and whenever one of them receives an alert, it is sent to the main alert queue. I would give the integration an eight out of ten.

Sentinel allows us to collect data from our entire ecosystem. We primarily use it for the network firewall logs, but it can also handle other types of logs.

Sentinel does an excellent job of providing us with comprehensive security protection and visibility into security alerts and incidents. It informs us about policy violations, such as foreign user sign-ins and sign-ins from multiple or different devices, among other things. Therefore, it offers greater visibility beyond just phishing alerts.

Microsoft Defender for Endpoint has significantly improved our organization by identifying the activities of individual users and effectively hunting for any threatening activities they might engage in. For instance, if a user downloads a malicious file or clicks on a malware-infected link, the software can promptly detect and mitigate the issue on the server.

Defender helps to automate routine tasks and the identification of high-value alerts. Sentinel aids in the automation process by allowing me to address the issue of numerous false positives. Specifically, I automated the handling of certain false positives that originated from a particular IP range. This IP range was generating false positives due to a flagged server, even though the server itself was not actually malicious. In such cases, Sentinel proved to be beneficial as it facilitated the automation and removal of unnecessary noise.

Microsoft Defender for Endpoint has helped save us the trouble of looking at multiple dashboards by providing a single XDR dashboard.

Microsoft Defender for Endpoint has been instrumental in saving us time, especially by identifying true positives instead of wasting time on false positives.

I enjoy using the live response feature, which allows me to remotely access different endpoints and investigate malicious files, such as malware that people may have downloaded, and other related issues.

Threat intelligence has the potential for improvement, particularly by integrating more sources. This will enable us to accurately identify when a domain or an IP is malicious. If we could obtain information from external sources, it would reduce the need to use different open source tools to verify whether a domain or IP is malicious or not.

I have been using Microsoft Defender for Endpoint for a year and a half.

Microsoft Defender for Endpoint is stable. I have only experienced one crash.

Microsoft Defender for Endpoint proved to be scalable in our environment, supporting over 500 endpoints.

I have also used Splunk. Splunk is more modular and portable, allowing us to integrate it with a wide range of different tools. In contrast, features of Defender and Sentinel, such as those provided by Microsoft, do not integrate well with as many other options.

I would rate Microsoft Defender for Endpoint a nine out of ten. It provides me with greater certainty regarding malicious activity compared to Splunk, which demands much more analysis. Defender for Endpoint performs a significant amount of work in terms of identifying and validating malicious elements. This saves us from having to read and interpret a large number of logs. It takes care of the interpretation and conducts about half of the log analysis on our behalf.

I still have to conduct threat intelligence on my own, such as open-source intelligence. I don't automatically search VirusTotal for things, but I still end up doing my own source searching.