Microsoft Defender XDR Reviews

It addresses various use cases, including monitoring and securing file storage like OneDrive and SharePoint. It has recently incorporated Teams integration to safeguard against malware. Additionally, it serves as a replacement for on-premises Advanced Threat Protection, offering enhanced capabilities. It has proven valuable in highlighting critical scenarios related to credential use and legacy Active Directory, providing substantial assistance in these areas.

When transitioning to Microsoft Defender for Endpoint from our previous use of ATP, we observed significant improvements. Legacy ATP involved numerous signals and a substantial learning curve, but Microsoft Defender for Endpoint establishes a more effective baseline. In comparison to Cylance, which generated a considerable amount of background noise, Microsoft Defender for Endpoint enables us to concentrate on the more critical alerts that demand our attention. Our team is actively phasing out disparate security tools in favor of a streamlined approach. The efficiency gained from having a single pane of glass is a powerful asset for our team.

One of the most valuable aspects is the comprehensive insights it provides into on-premises identities, particularly within Legacy Active Directory. This allows for the examination of use cases related to identities, ensuring there is no misuse of accounts or computers. A crucial aspect for our team is the inclusion of identity and access management tools from the vendor. Despite being a sizable global company, our team is relatively small, considering our global reach. Therefore, minimizing overhead is a top priority for us, and integrating these tools from the vendor becomes crucial in achieving that goal.

My suggestion would be for Microsoft to continue aligning all components within this ecosystem. This consolidation is beneficial as we strive for a more unified and comprehensive view, essentially a single pane of glass, which is highly valued. In the future, I hope for increased third-party integration. While Microsoft plays a role, it's equally important for third-party providers to step up. In our organization, the information security team has endorsed a specific set of products. Integrating the telemetry from these approved products into our systems would be immensely beneficial, providing a more comprehensive view and enhancing our overall security posture. Extending security coverage is of paramount importance. Integrating telemetry could bridge these gaps, fostering greater cooperation among individual teams within the organization. Having teams collectively examine the same information might contribute to advancing collaboration and overall security efforts. The capability to not only thwart attacks but also to adapt to evolving threats is crucial.

I have been using it for the last three years.

It is exceptionally stable, without encountering any notable issues or complaints. Microsoft seems proactive in communication through the message center, keeping users informed about any ongoing issues, and we appreciate the clarity provided through multiple channels.

It has the capability to scale seamlessly, especially with Microsoft's expertise in the cloud. We have over six thousand end users globally distributed across various facilities, with some on-premises deployments due to specific requirements. However, our overarching strategy is cloud-first, and the majority of our infrastructure operates in Azure. In terms of endpoints, the number is substantial, likely exceeding seven thousand when considering both servers and clients.

We haven't had the need to contact them so far. In general, our experience with Microsoft support has been variable—it can be both beneficial and challenging. While they offer a wealth of resources, there are instances where the response may not align with our expectations. I would rate it eight out of ten.

Positive

I made the switch from Bitdefender to Defender primarily due to cost considerations. In my professional assessment, Bitdefender appears adequate from a client perspective, but when it comes to enterprise deployment, I don't view it as fully enterprise-ready. We encountered numerous challenges, particularly with installing Bitdefender's agent on Server 2022, which proved to be a significant hurdle for my team, consuming valuable time and resources. The advantage of Defender lies in its ability to seamlessly bring together threat telemetry from servers across various cloud providers, including Azure, and extend this protection to our Windows endpoints, offering a robust and integrated security solution.

The initial setup was straightforward.

Our implementation strategy was relatively gradual and soft. We enabled the features, allowed it to ingest the data, and then began assessing the generated alerts. Taking a somewhat silent approach, we deferred more to the expertise of our information security team, considering their role as the cornerstone in this aspect. As we moved forward, we aimed to identify areas for improvement and address the specific queries and needs that our team raised during the process. Our ongoing maintenance primarily involves fine-tuning our alerts to align with our specific use cases.

In terms of return on investment, the potential for cost reduction is a key consideration and Defender does provide it. The time saved is substantial, especially if we can navigate through our internal processes efficiently. Specifically for my infrastructure team, using Defender for Endpoint has significantly reduced the time spent delving into emerging issues. As a rough estimate, I would say it saves us approximately six hours a week that would otherwise be spent navigating through the complexities of individual components within Microsoft 365.

I find the pricing to be quite competitive, especially considering its inclusion in our E5 subscription, which provides a comprehensive set of functionalities. Initially, when I evaluated the pricing for add-ons with our E3 subscription, it seemed reasonable. However, we opted for the E5 subscription, absorbing the additional features seamlessly.

I'd recommend exploring Microsoft's Learn documentation, a resource that is sometimes overlooked but provides valuable insights into the capabilities of Defender. It's a good starting point to understand its features. For large enterprises with tools like Visual Studio subscriptions (formerly MSDN), Microsoft offers the option to set up an E5 tenant for testing. This can be deployed freely for up to twenty-five licenses, excluding the Windows license. I suggest diving into hands-on experimentation in a lab environment, combining practical experience with informational reading for a comprehensive understanding. Overall, I would rate it nine out of ten.

We use 365 Defender to manage organization-level devices and vendor security compliance. We are a retail-focused organization that offers cloud services through Azure, GCP, and AWS, but we manage all the security through 365 Defender. Some of our users are based in other countries, and everything is centralized. We operate in multiple regions. 

We can easily track any other malicious activities or additional applications that will prevent it. We can get it here. It will be a helpful tool once we create policies for DLP and third-party programs. 

365 Defender stops the lateral movement of advanced attacks. It prevents something that happens on the device level from affecting us on the organization level. The solution enables us to track all the details, like the IPs and the device types. 

365 Defender helps us deal with unknown threats by creating custom policies, which enable us to block access by specific unknown sources and unsafe links. 365 Defender has multi-tenant capabilities, and we have multiple tenants, but I'm only involved in the retail part, so I don't have authority over other tenants. 

We were able to discontinue some of our other security products when we implemented 365 Defender, but there are some exceptions. We can use non-Microsoft solutions when the customer requires it. Mostly, we use cloud solutions. We've saved some costs on the security side at the organizational level by reducing equipment costs. Using 365 Defender's automation capabilities, we can cut our vulnerability management time by about 40-50 percent. 

I like 365 Defender's advanced threat hunting. The dashboard is user-friendly with templates for site policies, etc. The most important use case is evaluating the risk links and applications. 

The cost can be high if you want to build custom license packages. Another area for improvement is the policies. In Azure, we need to implement policies in JSON format, but in 365 Defender 365, it would be helpful to use a different format so we can customize the platform.

I have used 365 Defender for more than two years. 

365 Defender can have some performance issues during enrollment. It can take a while at times, but sometimes it's duplicated immediately. That's an issue with some other cloud-based programs like Intune and Azure products. 

I rate Microsoft 365 Defender support nine out of 10. Their support representatives provide solutions based on priorities. They prefer to follow the proper SLA part. 

Positive

The deployment is quick, straightforward, and involves only two people. 

Sometimes 365 Defender is expensive, but it can be moderate, depending on the organization's size and the license type. We're satisfied with the cost because it gives us a product that protects our entire environment with DLP. To compromise some cost, of course, we are to complete the most secure environment. 

I rate 365 Defender nine out of 10. 

We're using it for our email filtering to check incoming emails and URLs. We're also using it for vulnerability management to see the status of our assets that are registered on the system. We also check it to see what kinds of threats and campaigns are currently being launched via emails.

It provides us with better insight into what's going on across our platform. It has also given us a very easy way to respond when threats or alerts come through. And when looking for someone in particular, it helps with that. It hugely improved our insight into what's going on inside the company's premises and environments.

365 Defender also helps find high-value alerts, but we haven't used it for complete automation. It has some automation features where it can try to block or quarantine things, but beyond the default automation configuration, we haven't explored deeper into using automation. The default settings work well.

And while we've always used one or two dashboards, this system has made it easier to have a quick overview on a single platform.

In addition, the threat intelligence helps prepare you for potential threats, to a certain limit, because it gives you insights into where your shortcomings are, your vulnerabilities. It also gives you some security recommendations to make improvements.

And the solution has decreased our time to respond because on high alerts you can get a quick response. The system will notify you very quickly if it detects something at a certain thread level or a custom threat level that you set.

Microsoft 365 Defender has a very great interface to help protect registered devices when it comes to web protection, which is very handy.

We also use the alert systems often. It's a great threat intelligence source for us, providing alerts for things it detects on the network and on the machines. We've used it often when there is a potential incident to see what was done on a computer. That works quite nicely because you can see everything that the user has done, including websites accessed, et cetera. And if something was on the machine, we can see what it was trying to do.

I use the alert system on a daily basis. It gives you a very good analysis of where something was found, which employee or which device. And it often gives you a good history on that. The alerts help me to monitor and check what is going on. That's a very valuable system to have.

We've also tried the attack simulation, which sends out phishing emails internally as a test to see how the users respond. We get feedback and use the training simulation as a result. We've only done that once, and it's something we want to work on a little more.

In addition, we're using the assets on the system as well as the inventory functionality. It checks all the machines to see what software is installed on them.

We've used a lot of the features on the cloud, although not everything to its full potential, but we've used 70 to 80 percent of all the features on the cloud.

In the beginning, it's difficult to navigate the system because it is quite large. Just trying to find your way and understand how the system works can be hard. After spending quite a lot of time searching it's a lot easier, but I wish it were a bit more user-friendly when you're trying to find things.

The information it provides is great, but for a newcomer, it is quite tedious and takes a long time to load. Here in South Africa, when you click, oftentimes you have to wait quite some time before you get to the next page. It's not necessarily internet-related. I think it's just that the service is a bit slow.

Also, while the solution does help to prioritize threats, unfortunately, it doesn't do so for the entire environment. The reason is that it only supports full integration from Windows 10 and up. It provides you certain information from your server environment, but when you start going with legacy services, it is a bit lacking.

Another issue that is sometimes a headache is that they constantly make changes. Things will be merged, they will get different names, or be moved around. Things will be added and other things go somewhere else. They do a lot of development to make the product better, but it's very frustrating having to search for stuff after they've moved it, because you don't always know that they have moved things. They might have little banners, but if you're just working and don't read them, you don't know where things have gone. 

I would also really like to see better integration with the server platforms for managing your server environment. That's something it currently doesn't do. For all the server environments, you either need to make use of group policies or SCCM to manage that independently. It can provide you information on the system, but it doesn't have control over your server line.

Also, I make use of 365 Defender on a business level and on a personal level. On the personal level, there is a lot less functionality. Something that would be very nice is that, for the level you are on, you would only see the product you are subscribed to. For instance, if you log on via the business, you have all your action areas, anything you can do and see, on the left. Because you're using it at a corporate level, you can see and do everything. On the personal level, or in a small business where you're only using some of the features, you still have all the same options, but when you click on them, it tells you that you need to upgrade or subscribe. They should only show you what you have access to, and not all the tabs and then say, "You need to subscribe to get access to this." It just clutters the whole area.

We have been using Microsoft 365 Defender for about two years.

Overall, it has 95 percent stability. We don't have any issues with it. It works well. Microsoft does provide frequent information when there are issues or delays. But the stability is very good.

We're still learning a lot about its capabilities. It's more capable than what we use it for. That is due to a restriction on our resources and availability to get to know the system even better.

We have contacted Microsoft tech support multiple times. They are quick to respond to the original request. Sometimes I have been quite surprised because they have replied within 15 minutes. Some of the questions we had were resolved quickly, on the order of 60 minutes. I had one that took almost two years to get resolved. But in general, they are quick to respond. Their support is very good and quick.

Positive

Before 365 Defender, we made use of Avast as our antivirus, which had its own web console. For malware protection, we used an on-prem Cisco IronPort system that was scanning all our emails. And most of our SIEM logging information was done manually. We had much less insight into what was going on in the company.

Because it was a new solution for us, we had a company that works with Microsoft assist us, to make sure that all the configurations were standard. But since then, we've maintained most of it ourselves. On our side there were no more than five people involved.

It's a very expensive product, but for any threat it has definitely stopped or protected us from, in that sense, it has saved money and time, by preventing things that could have happened. But is it affordable? No, it's expensive.

If you look at everything that the solution entails, and the big cost to companies, especially medium-sized companies, one would like to have a bit of a price decrease due to economic circumstances. The functionality is fantastic, but for medium and small-sized companies it's overpriced. It would be better if it were a little bit cheaper.

We did look at other solutions. In the end, we decided on 365 Defender because it was all integrated. It worked to our advantage because all the products that we needed were already on the machines. All the products that you get from the Defender area are part of the built-in Windows 10 features. It gave us a better way of controlling and managing things. Overall, it made more sense to have one central place to manage and control and be alerted.

My advice is don't be frightened when you start getting into the solution. If you are not used to the environment, it is a mouthful, and it can really scare your socks off. There's just so much to it that you won't really know where to start.

The best thing I can recommend to anybody who is starting is to get somebody who knows the system to give you a walkthrough. Also, look at the tutorials to see what the functionalities are. It will be beneficial for any person to get a good overview of what's going on in 365 Defender, the capabilities and how it looks. But getting in contact with somebody who has some experience already in using it will help you to ask where to find things. "Where do I go from here? Show me how you're set up, so I can at least see some of the functionalities."

My very first impression of 365 Defender was that I was looking for something, but I didn't even know where to start. It was too overwhelming. As I spoke to other people who knew about the system, they gave me an overview and that made it easier for me to understand and to know where to go.

365 Defender is our main deployment, but we've got the endpoints also connected on Intune. They work together to deliver coordinated detection and response in our environment. Our complete suite is pretty much all Microsoft. Our environment is a 50/50 hybrid. We use Intune for certain policy changes and some of the deployments. But because our environment has a lot of legacy systems, we make use of the normal, on-prem deployment services as well.

Sentinel is linked to our on-premises Active Directory. It helps identify things that are happening on-prem. For example, when a user's account instance gets locked out, it will show you, on Defender, from which local machine it was locked out. Or if certain things are accessed, it will show that information on the on-prem Active Directory. It works well. For investigating and responding to threats, it definitely helps by dumping the information in a centralized location with the alerts to identify a bit more flow pattern. If something happens that's not on the cloud area, but it's on-prem, it helps track and identify movement. The information from Sentinel is an added bonus.

Overall, Defender 365 has saved us time, compared to the old ways of doing things, but at the same time, I wish the site was faster. Sometimes it can be very slow.

Best-of-breed solutions versus a single vendor's suite comes down to personal experience. With best-of-breed, at least you know that they have been tested in the industry and have a lot of history behind them. Also, the redundancy would be a lot better. Going with a single vendor sometimes makes it a little bit difficult, especially if they are only focusing on one area. It's a difficult question. It might come down to the way someone was "brought up" in the security industry or the way that they trust these companies.

I give Microsoft 365 Defender a nine out of 10. Once you get to know the system, it's really awesome. It provides a lot of insights.

I'm a Security and Compliance consultant providing 365 Defender as a security solution for my clients.

All our solutions are Microsoft 365 products, including security, identity, etc., so we have better protection from advanced cyber attacks. It's also easier to ensure compliance with data regulations through the Microsoft Purview portal, which has templates for various regulations on medical privacy and personal data.

365 Defender helps us automate routine tasks and prioritize high-value alerts. Automation allows us to use time more efficiently. It makes functions easier by consolidating data from multiple Microsoft portals into a single dashboard. You can customize the playbook however you like and get a centralized view of the various components.  

The Threat Explorer feature helps us understand emerging threats in real-time and take steps to safeguard our environment. 365 Defenders saves us money because it's a bundle. If you purchased each of these solutions as a standalone product, it would cost you more than $60 per user per month, but you get them for $12 a month in a package. 

365 improved our detection and response times because we catch issues earlier in the chain of events. All the components of 365 Defender work together to provide instant detection. 

The most valuable feature depends on the scenario. For compliance, I like Microsoft Purview Information Protection and Data Loss Prevention. Sentinel is the most helpful feature for security. 365 Defender helps us prioritize threats across an enterprise. It's a crucial feature for the managed services team. 

I also have Defender for Cloud Apps and Defender for Office. Integrating other Microsoft solutions with 365 Defender is seamless. Microsoft has better documentation than some other solutions. I also work on AWS, but I feel more comfortable with Azure. There are some limitations with a standalone license, but integrating Microsoft products is a seamless experience that produces insightful analytics.

Sentinel enables us to ingest data from our ecosystem, giving us a complete picture of the entities associated with an incident. Those analytics are pretty helpful. We develop playbooks customized for any executive or developer-based summary. It depends on what we want to show and our creativity. 

365 Defender has multiple subsets, including Defender for Cloud Apps. When integrating Defender for Cloud Apps with apps on third-party cloud platforms like AWS or GCP, there are limitations on our ability to control user activities. If Microsoft added more control over third-party products, that would be a game-changer and help us quite a lot.

I have used 365 Defender for five years.

365 Defender is stable.

365 Defender is scalable. It's easy to create and manage groups, set policies, and add users. 

I rate 365 Defender support a seven out of ten. When I raise a ticket, I'm usually redirected to a third-party vendor like Convergence. I would prefer it if Microsoft India handled our tickets instead. That would be helpful. The third-party vendor sometimes doesn't have comprehensive knowledge of the product. 

Neutral

The deployment varies from client to client. Our implementation strategy is based on the client's business requirements and the RFP. You need at least two people to deploy 365 Defender, but you might need more support staff for larger jobs. 

It all depends on how a client wants to proceed, but we typically perform an audit before consulting to identify missing components or security controls. For example, if the client requires HIPAA compliance, we must control the data about specific patients. After following up on everything, we recommend the appropriate Microsoft product, and each has a separate timeline. 

I'm on the consulting side, so once we are done with the implementation, a managed services team takes over the maintenance on an SLA of one to three years. 

The price of 365 Defender is reasonable. 

I rate Microsoft 365 Defender a ten out of ten. Microsoft is a one-stop solution, and it has an answer for any problem you're facing. Before implementing 365 Defender, you should be clear about the problem you want to solve. Hiring a consultant can help, but typically, my clients know maybe three out of the five things they should know. 

We are yet to use Microsoft Defender XDR for ourselves as we are yet to procure the product.

Vulnerability assessment and just-in-time access are some valuable features of Defender for server plans. Additionally, the threat detection at the OS level is a very good feature of Defender.

Microsoft could improve on threat hunting and build more on threat detection and handling. The cybersecurity and cloud security posture features are a bit lesser than standard security products.

We have not yet used Microsoft Defender XDR as we are yet to procure the product.

I was working with CrowdStrike before Microsoft Defender XDR. CrowdStrike has advantages in terms of threat hunting.

We are doing it for the first time, so I have nothing to compare in terms of ROI.

The pricing is a little high, however, it is on par with other competitive tools in the market.

I have not evaluated other XDR solutions besides CrowdStrike.

I would recommend Microsoft Defender XDR to others as long as they are aligned with Microsoft products, cloud, or on-prem, especially if they are using Microsoft Windows architecture. I would rate Microsoft Defender XDR six out of ten overall.

We implement it on client endpoints and server endpoints. We also integrate it with Microsoft Entra ID for the identity part because the security part of Microsoft Defender is completely correlated to user activity.

Microsoft Defender XDR is important for the mitigation of threats, visibility of vulnerabilities, and identification of issues within the environment. It has been a leader in the market for consecutive years.

We have a single pane of glass for servers, endpoints, and mobile devices. It makes it very easy to identify which devices are at risk when you go to the vulnerability part. There are also recommendations. Especially for me, these recommendations are gold. You see exactly what you need. Microsoft Defender XDR is completely different from your antivirus solution. It detects based not only on signatures but also on the policies, so you are forced to harden your servers or client endpoints, which makes a much stronger solution.

Being a Microsoft solution, it integrates well with other Microsoft systems. The majority of the systems are Microsoft-based. This integration comes without the need to install a client on the local machine. It makes the life of the operators and whoever implements it way easier.

Microsoft has a range of Defender products. There is Defender XDR, Defender for Endpoint for clients and servers, and Defender for Office 365 which protects mailboxes, SharePoint, and OneDrive. Then you have Defender for Identity, which is integrated with Defender XDR. You also have Defender for Cloud Apps that is connected to Defender XDR. When integrated, you can get sources of threats, for example, from Defender for Identity connected directly on the endpoint. Defender for XDR protects the endpoint devices against ransomware and different threats. We need to see more holistically at all the Defender solutions instead of isolating them. There is an element of correlation of identity. For me, nowadays, it is much more important to protect the identity than the endpoint device itself because the majority of the vectors are coming from identity attacks. They are more than the viruses attacking the endpoints.

I do not have much experience with Linux as such. I am very focused on Microsoft solutions. I never focused on Linux, but I have worked with my peers, for example, on projects to enroll Linux devices. We needed to prepare simple scripts or puppet scripts to automate the process of pushing policies and automate the update of the antivirus. It is trickier. It is more complex to manage because of the nature of Linux itself. It is not as straightforward or integrated as Microsoft solutions, such as Microsoft Windows 11 or Windows Server, but Microsoft Defender still covers everything. There are some limitations regarding Linux servers and endpoints because you need to have the version of Linux that is supported by Defender, but at the same time, with whatever is supported, Microsoft Defender does the job. Linux and Windows operating systems work in different ways, and the way that antivirus interacts with the operating system is completely different. There is role-based access control in Windows. You have local administrators and domain administrators. On Azure, you define roles for users to access certain environments. On Linux, you have the root user, and as a core front operation system embedded in it, you do not have the least privileged access management solution. This comes with a price because you need to control much better to whom you give access. SSH keys, for example, are very important to be protected, which is a different protocol than the Remote Desktop Protocol (RDP). You need to protect Linux servers in different ways, which is very different from Windows. Defender or Defender XDR extends the protection, especially when you need to connect with Azure Ark, which is part of Microsoft services.

Microsoft Defender XDR has consolidated security solutions. Previously, you had an antivirus, and you had a different type of endpoint protection for servers, and then you had a web content filtering solution, which is part of Microsoft Defender XDR. It consolidates all the extra products that you require, but it does not give all the elements. It is not a firewall. It is not a web application firewall (WAF). It does not give you everything required as a security solution, but as an extended detection and response system, it gives a lot of leeway for you to meet your security objectives. If we compare it with other products, Defender XDR is much more complete than the competition.

The integration, visibility, vulnerability management, and device identification are valuable. You can automatically deploy the clients depending on how you are implementing the solution. 

The web filtering solution needs to be improved because currently, it is very simple. It is very important.

Integrations with Linux should be done in a better way. With the AI world and the security part, things are going to be much simpler and easier to set up, configure, deploy, and maintain. I am looking forward to new releases of Microsoft Defender XDR to have better integrations, but the web filtering solution is the main pain point.

I have been working with Microsoft Defender since it was released. It has been about four years. I started working with it when it was not even called Defender. It was Advanced Threat Protection. It then changed to Defender for Endpoints and then to Defender XDR.

I have not experienced many bugs or issues. Sometimes, you have delays in the response, but that is due to connectivity issues. It is a cloud-based solution, so you cannot expect to have a real-time response, but this can be improved by Microsoft. I know that they are trying to improve. I would rate it a nine out of ten for stability.

It is ultra-scalable. I would rate it a ten out of ten for scalability. 

I love Microsoft, but due to its growth, the overall support quality has decreased a lot. My recent experience with support was not that good. For the Defender part, it was not that bad. I would rate their support a six out of ten. Their response time and knowledge could be better.

Neutral

I work with Trend Micro. I work with Kaspersky. Trend Micro has its own cloud-based solution similar to Microsoft Defender XDR, but it is not the same. It has some problems. It is not as effective as Microsoft Defender XDR. Especially whenever it comes to vulnerabilities and recommendations, Microsoft Defender XDR is amazing because of its integration with Microsoft operating systems. Microsoft is much ahead of the competition.

I would never touch Kaspersky again. It is not because it is a bad product. It has been a very good product for several years, but because of the Russia and Ukraine war, it has become a prohibitive product at least in Malta to use. A lot of customers moved from Kaspersky immediately to different products. The majority of them went to Microsoft Defender XDR, especially because it also comes integrated with some products. Microsoft is bundling its own products, and Microsoft Defender XDR is very attractive to implement as a cloud solution. It is a no-brainer for the customer. That is where Microsoft has an advantage over Trend Micro, Kaspersky, and other vendors.

With Cloud servers, it is easy and very straightforward. You can almost do it automated, but in a hybrid environment, you have the element of the on-prem servers, which becomes a little bit more complex. You also have the element of Azure that simplifies the deployment process.

It can be difficult to deploy in the beginning because you need to consider different products and elements, but the deployment is the simplest part of the onboarding process. The configuration process is much more difficult, especially because on servers, you need to deploy group policy objects (GPOs) and set all the policy options to protect from the vulnerabilities. You need to configure the antivirus to protect from exploits. There are so many features and configuration possibilities that it becomes more complex to implement on server endpoints. On the client side, it is easy, especially when you implement Defender through Intune, which is the mobile device management solution of Microsoft. With a platform like Intune, it becomes easy because you have policies that assist you already out of the box, such as security baseline policies. With Intune, it is much easier to set a policy. It is way less complex to implement. When you have a hybrid environment with endpoints joined on a local active directory, the complexity increases because you need to deploy GPOs as well if you do not have Intune involved. It is complex to implement.

The deployment takes a few weeks, but it also depends on the size of the customer. If you have just Windows 11 client endpoints, it is easier to implement. Client endpoints are easy to implement because you do not need to test that much. You configure the policies. The policies are all known because of our experience. When it comes to servers, it depends on the server's workload. It depends on what type of service you have installed on the server side. If it is the IIS web server, you need to test certain policies that can block that service. You cannot simply go and implement the best practices of the policies because then you are going to make the server unusable. You are going to generate downtime, which is not ideal and also not the objective, so you need to be very knowledgeable on the infrastructure side and the security side of all applications. You need to study. You need to create a test environment and start implementing server by server. You require details, and it is complex to implement because of this reason.

I am currently doing an implementation for a company with 300 people, and it would take around two months to implement because of the number of servers and endpoints. You need to go into each and every device and analyze the environment. It takes a while. In smaller companies, it is very quick. Within a week or two, you can manage to implement it.

In terms of maintenance, there is no maintenance of the product, but there is maintenance of the environment. Microsoft releases frequent recommendations, and they detect new vulnerabilities very frequently, which requires constant maintenance of policies.

I usually allocate two people. There is one person more focused on the client endpoints, and the other one is more focused on the servers because of his expertise. We split the roles and responsibilities within the team.

It has not saved us costs, but we have invested in a proper solution. We have a better return on investment. We now have better visibility. We are investing in a product that gives what we need instead of a product that does not fulfill our requirements and our customers' requirements.

As a service provider, it is very hard to calculate an ROI. For customers, it is more of a return on value rather than a return on investment. If you have not been under any threat after implementing the solution, it provides the value you need. This is my point of view on security because there is no perfect solution, but there is a solution that works better than the others where you have much more control. With Microsoft Defender XDR, in my experience, we have managed to give that to our customers. Our customers are satisfied with the product, and none of them have replaced or changed Microsoft Defender XDR.

There is the cost of the license, and there is the cost of implementation services. Only by enabling a license for your user, all the features are not going to be enabled and the policies are not going to be configured. It does not work like this. You need specialized people to implement, monitor, and maintain the systems. It comes as a package.

I would rate Microsoft Defender XDR a seven out of ten for pricing. It is costly, especially on the cloud part. There is also Defender for Cloud, which is part of Microsoft Defender XDR. It is 15 dollars per server per month. It is worth it, but it can be costly. It depends on the company's size. That is the big issue.

If you have a company with ten employees and ten servers because you have your own infrastructure hosted within virtual machines, you need to protect ten client endpoints. It is cheap if you get a business premium license. It costs around 17 euros per user. To protect the servers, you need to pay an extra 14 euros per server per month. For ten servers, it is 140 euros per month. Per year, it is around 1600 euros. Small companies or companies with a small budget would not go for it because they do not want to invest in IT. They do not see this value. In my opinion, big companies can justify this cost.

In the countryside of Malta, it is tricky to sell the solution. I have to give them all the advantages. I always have a test environment, so I show them how it works, how the automated detection works, how it behaves, and how it acts on the threats. I give them an overview, and they get amazed. When it comes to the pricing, they get a little bit scared, but ultimately, they go because they see value in it. Everything depends on the value that a product gives and how you sell a product as a solution provider. An XDR solution provides value because it protects your assets. Your data is your major asset. If you do not have it protected, you can get hacked or have a ransomware attack. Companies are now starting to understand the importance of it, and they are starting to invest more. It is still a long way for us to have the mindset where they say that it does not matter how much it costs, we need to invest in security.

I would recommend Microsoft Defender XDR. It is the best solution in the market.

For me, Microsoft Defender brought a career change. It made me go deeper into the security products. Previously, I was more of an infrastructure guy. I was more focused on on-prem and Windows servers, but then I moved away from infrastructure. I work for a data center company, and I am a presales solutions architect designing solutions for financial companies, banks, and gaming companies or companies with online casinos.

A lot of people did not like Microsoft Defender because Microsoft was not known as a security company, but Microsoft has been investing billions of dollars every year in security, and now, they provide cutting-edge technology, especially with AI.

I have been following Microsoft, and I go to Microsoft events. There is a new product called Security Copilot that is going to be completely connected to Defender XDR. It will give much faster feedback and response to threats by issuing reports. Today, a security analyst takes four to five hours to prepare a report. With Microsoft Security Copilot and Defender, it is going to change massively. Within five to ten minutes, you can prepare a report with the Security Copilot solution. It is going to be released very soon, and I am looking forward to it.

Overall, I would rate Microsoft Defender XDR a ten out of ten.

Defender XDR is a solution that protects your enterprise systems and devices.

Defender XDR has helped a lot in terms of capturing all kinds of activities happening on the endpoints where it is. If you want to know what happened at a point in time, you can go to the history and search everything. This helps you investigate exactly what happened if you have a security breach. It doesn't take much time, but I don't have anything to compare it to because Defender is the only XDR we've used. 

Defender XDR has a feature called the timeline that lets you track all activities. It helps a lot with investigations. Microsoft has many identity management features and products that complement each other.

It covers the weaknesses and vulnerabilities of non-Microsoft solutions, but it will not help you to do the remediation. You need another third-party tool to do the remediation. 

Defender protects against advanced attacks like ransomware or email phishing. The protection Defender provides is excellent. It's a great product for preventing attacks and reducing risks for organizations. 

There are a few technical issues with Defender XDR that can be improved. Sometimes, the endpoint devices are not reporting properly to the Defender 365 portal. When you're getting all the information from the Microsoft portal, the devices are sometimes not in sync. We have hundreds of endpoint devices, some needing to be onboarded again. 

I have used Defender XDR for three years.

I rate Microsoft support nine out of ten. It's excellent. 

Positive

We did a POC for a McAfee product. There weren't many differences, but Microsoft Defender was included with our E5 license. The major difference is that we saved money by not purchasing another product. 

Defender XDR is a cloud-based solution. You can access it and see all the information you need inside the Microsoft portal. 

Defender XDR is not expensive. It's average compared to other products. 

I can get Defender bundled with the E5 package. We had considered replacing it, but after evaluating some competing products, we decided there was no significant difference between the third-party products and Defender. 

I rate Microsoft Defender XDR eight out of ten. I think there is room for improvement in terms of its coverage of non-Microsoft technologies. 

We use Microsoft Defender XDR to protect our endpoints, computers, mobile devices, and emails.

In part, Microsoft Defender XDR provides unified identity and access management.

Microsoft Defender XDR can protect 98 percent of devices.

With Microsoft Defender XDR we can now manage all of our non-critical computers from one console. The management level and implementation level are easy. Microsoft Defender XDR is also cost-effective.

We have been using Microsoft solutions for over 25 years so it didn't take much convincing to start using Microsoft Defender XDR.

Microsoft Defender XDR has enabled us to discontinue the use of Kaspersky in our safe computers.

Being able to reduce the number of solutions used has been helpful to our security team's operations. The discontinued use of other security products has reduced manual correlation. Using Microsoft has a lot of advantages, especially in management. The reduction in manual correlation is important for our organization.

Microsoft Defender XDR saves our security team around three hours a day.

The most valuable features are spam filtering, attachment filtering, and antivirus protection.

Microsoft Defender XDR is not a full-fledged EDR or XDR. Any true XDR should be more powerful than what Microsoft is currently providing. For some public-facing companies, computers, and endpoint computers, we need additional security from CrowdStrike or other third-party XDR.

Microsoft Defender XDR does not stop 100 percent of the lateral movement or advanced attacks. Our machines use both Microsoft Defender XDR and Crowdstrike and we have had instances where attacks were missed by Microsoft Defender XDR but caught by Crowdstrike.

I have been using Microsoft Defender XDR for four years.

Microsoft Defender XDR is stable.

Microsoft Defender XDR is scalable.

We previously used Kaspersky, Norton, and CrowdStrike. We switched to Microsoft Defender XDR because of its streamlined management capabilities.

The initial deployment was straightforward. We pushed Microsoft Defender XDR remotely across our system consisting of 300 computers. We are a team of seven people and each of us was involved in the deployment process.

The implementation was done in-house.

Microsoft Defender XDR is expensive.

We did not evaluate other security solutions because I have extensive knowledge of most products, their strengths and weaknesses, and their overall capabilities. Additionally, considering all our products are on Microsoft 365, a cloud-based platform, and we already utilize its various components like mail, documents, and more, integrating Microsoft Defender for threat detection and management was a natural choice due to existing ecosystem compatibility and streamlined administration.

I would rate Microsoft Defender XDR an eight out of ten.

Microsoft Defender XDR is deployed across multiple locations and departments.

Minimal maintenance is required for patching.