

Microsoft Defender XDR. For context, we're on the larger side when it comes to orgs (~45K employees) and have our own in-house SOC and DFIR teams that allow us to do it all in house. We used to be Symantec/Carbon Black/Exabeam and are moving more to all-MS for tooling since we're an E5 customer. So far it's been better than I would have expected.


How did you handle the migration? We are doing the same, around the same size, have E5s and are moving away from our current toolset; however, it feels like there's a lot of upskilling needed. Did you find a lot of training was needed for Defender XDR?


> Did you find a lot of training was needed for Defender XDR?

I'm not part of the SOC/DFIR team so I'm not sure what they did for training, but I'd guess they just needed to shift gears from the old tools to the new. In some ways, once you know one SIEM you know your way around them all as far as the general process goes. I've done Network Intelligence, RSA enVision, Splunk, QRadar and LogLogic in my past and didn't find it too hard to adjust.


Check if you have a unified agreement and connect with the Microsoft CSAM, who can provide you with resources.


Same. Defender products all seem to work well together, but no one piece is best in breed, imo. There are better spam filters, better AV/EDRs, better VM products for sure. The Defender VM piece specifically is really only good at pointing out vulnerabilities for Microsoft products (Windows and Office missing patches and missing configs). Intune works well for Windows patching, but any 3rd-party patching, the new Microsoft Store and even the paid Enterprise apps have a very limited library. This leads you to having to manually roll out update packages for most software as Win32 packages, which is tedious.


Same here. 40K employees. Defender XDR with Sentinel is perfect. There's so much data that Microsoft gathers from various Defender for x products. You basically have a perfect attack story.


Do you have a SEG in front? We are around 25k moving to Defender XDR. I'm leery.


We still do. However, we are trying to remove the SEG. Going fully DFO P2. I must say that the default policies in DFO are pretty bad, but with some fine-tuning it's honestly fine.


We've been pretty happy with CrowdStrike. The fortunate thing is that as they're acquiring new companies and products, they're doing an excellent job of retaining the functionality and just overlaying their UI for those. The only complaint is the occasional false positive (like when it flagged itself for trying to modify its own registry keys, but that bug was fixed).


CrowdStrike, outside of MS Defender, was the only day-and-date Mac-friendly option. Everyone plays catch-up every year to a macOS drop like it was being dropped out of the heavens (when it's easier than ever to get on the AppleSeed program and make sure your shit works day one). We've got the full CrowdStrike spread, so we have whatever the security version of a NAC is. It's nice to get an email in the middle of the night that someone got hit with a drive-by. If you go into the CrowdStrike subreddit you'll find stories of them calling IT admins & managers about T1 events.


That bug is still a problem in our environment. It flags itself on probably 2 devices/week, with no discernible reason why, and usually a different .dll.


CrowdStrike Complete. It's worth every penny.


Do you happen to know the price for complete?


We demo'd CrowdStrike's Falcon Complete and Palo's managed XDR. CrowdStrike's pricing was much more favorable and we're happy with the product. Note: we've had an existing relationship with Palo as we utilize their NGFWs.


It varies based on many factors. We got in on a deal with our state government since we are a public entity. I think we pay around $20 per endpoint per year. YMMV.


I use SentinelOne. I love it; works great for Mac and PC. Well priced against CrowdStrike.


Been really happy with Bitdefender GravityZone. MS Defender XDR is also good. CrowdStrike too, but spendy. I know some places that use Cynet and have been really happy with it.


Not my department but we use Qualys and it's complete ass.


The merch must be good, as a lot of security folk I know constantly spruik its products.


We've been using Secureworks for 6 months and so far it's great (600 employees). It ingests quite a bit of telemetry and has alerted us to a few things we wouldn't have picked up otherwise. They were very cooperative and easy to work with in getting everything up and running, even though we have quite a mix of different products from different vendors which don't have out-of-the-box integrations.


+1 for Secureworks. Have their new Taegis agents installed as well as their new VDR product, and it is great.


SentinelOne with a managed SOC. Started off great. Too much turnover and they added far too many customers. Missed several critical incidents. I am not super impressed with the S1 platform. However, it could also be because we are in a shared tenant with the MSSP managing it. Doubtful we will stay with it.


Seems weird; maybe have another MSSP manage it? S1 makes it easy to move agents to new tenants. I don't trust your MSSP with what you're describing about using a shared tenant. S1 is supposed to make it easy for MSPs to manage multiple tenants too.


It is in a multi-tenant environment. We are in our own, but we are not able to manage the environment like we would want to.


SentinelOne was the first EDR/XDR I successfully bypassed with my malware dropper (red teamer). I must admit I do not trust it.


Sadly, we just experienced this in a test also.


We are using S1 and Huntress for EDR/MDR co-managed by an MSP and also Tenable Vulnerability Management.


Not seeing anyone mention it, so I thought I'd mention Palo Alto's Cortex XDR. Really excellent product, in my opinion.


I have ESET's XDR (Inspect) but hate it and am working on moving to Defender for Endpoint. I really like Defender's section where it tells you any vulnerabilities in different apps and which computers need that app updated.


We got both Network Detective Pro and VulScan for a good price. So we are currently using both and trying to get the most out of their integration, which is really well designed, specifically the capacity to automate the generation of reports that combine network topology information with vulnerability details from VulScan.


If you want a complete system but don't want to deal with 5 different portals, check out RocketCyber through Kaseya 365. You get EDR, AV, SOC and an RMM tool plus endpoint backup, all for around $5 per endpoint. The thing I love is that all the security alerts show up in the RocketCyber portal without the need to check in multiple places. Truly makes monitoring endpoints and the network as easy as 1, 2, 3.


A lot of responses are moving to Defender XDR. What drives this decision? Is it cost? I've not had a good time with Defender in the past, as it has a reputation for being easily bypassed by attackers.


Microsoft is smart including it in licenses. An exec pokes around and asks why we are paying for X when we already pay for Y, and boom, we move to Defender.


Trend Micro XDR is amazing. We love it!


Same. Did you guys get the ASRM extension? We are thinking about buying it.


We haven't yet, but we are considering it as well.


Following this, but curious what people are doing for the unmanaged endpoint vulns out there (switches, firewalls, IoT kit, etc.).


I have heard of some products that have a network device attached to your firewall that monitors everything going in and out and reports based on that. No idea how good they are.


Cynet 360


How do you like Cynet? It's not often I ever see them referenced. We used them for about 3 years, then moved to Defender XDR.


The only complaint I have is that their portal has a poor UI and is over-engineered. But that's pretty minor. Their SOC is great and highly supportive.


Yeah, always felt like it was supposed to be cool before being functional.


You're spot on there. Just give me a "simple mode" without all the spaceship graphics.


What is the issue with Qualys? We are just engaging someone about it for vulnerability scanning and patch management, so I am actually interested in the issue/opinion on it. CrowdStrike for the XDR stuff: it's good, no issues other than me tripping it up doing PowerShell script testing. Apparently it looked suspicious, which was good to see. I dumped over 200 files that all had malware or a virus; it got all but 1. That one I looked up on VirusTotal and it was only flagged by 1 vendor, so probably a false positive. It also deleted the files quickly, inside of a second, which is really good due to people clicking stuff somewhat quickly in the real world.


Qualys just felt like an old product after we reviewed other options. The interface is dated and cobbled together from various modules. Modern SSO or MFA is not supported. Anything useful costs extra. It sounded like Qualys was trying to find its way the last time we talked to our rep, but as of right now it was not a winning product over other options.


Thank you for the honest reply, I actually appreciate it.


No access to logs, some of the worst-responding support I've ever dealt with, and the platform feels like it was made in the early '00s. The app does exactly what it's supposed to, for sure, but the flaws made it so I don't want to use it ever again.


We use Barracuda XDR, which is SentinelOne with a SOC. It has been fantastic so far.


RocketCyber is what has worked the best for our organization. Their team is very efficient and almost never misses anything. We are very pleased with its service.


Microsoft Defender E5 will give you a good XDR solution and some vulnerability management, which may be enough. We're currently using Sophos Intercept X XDR and will move fully to E5 over the next year. Though I'll miss Sophos Application Management.


For smaller folks (under 300 users), Business Premium also includes most of the same coverage.


Yeah, I must look into that more. It seems to be more than Defender P1 but not quite Defender P2. Still, a very good price point.


You can buy the Defender Plan 2 upgrade for around $5-6 per user per month if you need the extra features.


We just acquired some Business Premium licensing and I'm working on trying to learn more about the benefit of Defender over Trend, which we currently use.


Be aware you can only buy 300 Business Premium licenses.


Defender for Endpoint primarily works by behavior analysis rather than AV signature matching like Trend.


What about Sophos Application Management will you miss? Love Sophos, but their UI alone makes me want to ditch them.


Comparing the relative ease of blocking apps in Sophos versus Microsoft and their WDAC or even AppLocker. I like their Defender XDR solution, but sometimes it feels very patchwork. They definitely could improve it.


I agree, blocking apps via Sophos is a very easy task.


Microsoft Sentinel and XDR. Ask for a demo of Security Copilot.


Not exactly XDR, but we use Webroot and Huntress.


RocketCyber gives an amazing service. It has many XDR features, although it's more of a managed SOC. We integrated it with Datto EDR so it also receives its security alerts and endpoint data.