putilov_denis - stock.adobe.com


Review Microsoft Defender for endpoint security pros and cons

Microsoft wants to make Defender the only endpoint security product companies need, but does the good outweigh the bad? Read up on its features and pitfalls.

Microsoft has been marketing its Defender for Endpoint as a complete endpoint security platform, positioning it to replace most, if not all, endpoint security products. Its sales team stresses companies can meet their endpoint security needs with Defender alone.

Many organizations are now taking a serious look at implementing Defender in place of endpoint security, endpoint detection and response (EDR), and extended detection and response products from security companies such as CrowdStrike, SentinelOne, Carbon Black, Trend Micro and Sophos.

But the jury is out on whether Defender for Endpoint delivers all it promises.

Is Microsoft Defender a satisfactory endpoint security product?

Microsoft believes so. The company has made endpoint security, along with Defender enhancements, a key focal point of upgrading from E3 to E5 licensing. The upgrade comes with a hefty price increase from $36 per user per month to $57 per user per month.

So, for an extra $21 per user per month, organizations won't have to deal with other vendors, but their security should be just as good.

It's the "just as good" that's questionable. Microsoft has historically been a market laggard when it comes to security functionality. The Mitre ATT&CK matrix has more than 120 documented attack techniques for Windows, plus 19 for Active Directory and 28 for Microsoft 365 -- more than for any other vendor.

Plus, in Nemertes Research's primary analysis, reliance on Microsoft as a strategic security vendor correlates negatively with cybersecurity success, as measured by median total time to contain a breach.

Microsoft Defender for Endpoint pros: Its features

That said, Defender's feature list is impressive, particularly when factoring in the E3 and E5 security enhancements. Defender includes the following:

  • antivirus and antimalware
  • threat protection
  • cloud access security broker functionality
  • identity and access management, including the following:
    • risk-based conditional access
    • privileged identity management
    • multifactor authentication
    • biometric authorization
  • information protection, including data loss protection (DLP) with automatic data classification.

These all sound great, but the devil's in the details.

Microsoft Defender for Endpoint cons: Flaws to consider

Microsoft's implementation contains some rather eye-opening -- if not jaw-dropping -- decisions. Defender automatically disables other antimalware and EDR software present on an endpoint. This configuration can be overridden with some constraints, but the reality is that installing Defender as configured by Microsoft amounts to deinstalling any other endpoint protection software. The net effect is that installing Defender can weaken an organization's security posture, depending on what it had installed previously and how it was configured.

In addition, many of Microsoft's most attractive features -- such as automatic label classification and DLP -- work only on Microsoft documents. As companies increasingly move away from a Microsoft-dominated workspace, this limitation becomes more onerous. A company might believe its documents are covered by DLP, when, in fact, only its Microsoft documents are.

There's also a bigger issue than a core feature-functionality comparison. Companies today need to consider how security gets implemented companywide.

Cybersecurity is strategic

For most, if not all, organizations, cybersecurity is strategic. This means table-stakes cybersecurity is just that: table stakes. Cybersecurity can be enhanced strategically with more effective tools and technologies to meet emerging threats and address newly discovered vulnerabilities. Microsoft's stance is, effectively, that cybersecurity features and functionality are simply checkboxes on a checklist -- the kind of selection criteria a company would apply to a mature technology, such as a payroll platform or a CRM system.

If a company's CRM system isn't on par with its competitors', however, it doesn't necessarily spell disaster. But, if its threat protection is subpar, the company could be decimated.

Is cybersecurity the area to purchase "good enough" technology?

The bottom line: Microsoft Defender may look like the perfect, cost-optimized product for endpoint security, but looks can be deceiving. Unless you're a 100% Microsoft company in an industry at low risk for cyber attacks, the correct stance toward Microsoft's Defender for Endpoint hard sell is: Caveat emptor.

Next Steps

Manage shadow IT with Microsoft Defender for Cloud Apps

Dig Deeper on Data security and privacy

Enterprise Desktop
Cloud Computing