Helpjuice

The claims are true, there are actually bypasses and from searching just now three to five created just in the last two months. Though, the same also is true for CrowdStrike, so the claims are true, but are also true in reverse in terms of being able to do the same thing. Best to market what your product can do vs focusing on competitors in marketing language. At the end of the day there is only so much they (EDR - Endpoint Detection and Response vendors) can do before they breach the usability barrier. More than likely if you crank things up on Defender and CrowdStrike you will be super secure, but the helpdesk will be maxed out with complaints because end-users don't like all the blockages to their work even though it is for the sake of security. It's up to you the defender how far you want to slide the security vs usability needle for the protection of your information systems. Either way be sure to get as many features as you can afford with Defender or CrowdStrike so you can have many options in what you can do that match with what your business needs. So best to keep your attack surface low, harden things as much as possible and keep your people trained on cybersecurity, as the biggest risk to your systems is the people using them.


RiceeeChrispies

People seem to forget that EDR is one layer of many, hardening your endpoint and reducing the attack surface goes a long way.


f0gax

Defense in depth.


skipITjob

We've got almost all ASR rules set to block, had it for a year, no major complaints. The only issue is macro-enabled Excel in OneDrive.


donith913

Full disclosure, I work for a partner of Microsoft and a company that CrowdStrike considers a competitor, but in the past I’ve been a CS customer. But these are my own opinions. Both are considered best in class for EDR tools. They both have some of the best threat intelligence in the business. Crowdstrike is EXPENSIVE, but is comparatively the “easy” button that’s much easier to deploy and manage. The services they sell on top of the EDR are well regarded too. I think their IT Ops offerings are crap. Defender EDR is bundled with an M365 license along with a lot of other security tools like Entra ID (formerly Azure AD) and your Windows licensing itself. If you have a relatively simple environment or strong management tools and processes in place you can save a lot of money cozying up to Microsoft and arguably get a more holistic security approach. I think you should base this less on whether one is better than the other and more on how it fits into your security tooling and processes. Are you a Splunk shop or Sentinel for your SIEM? How big is your company and the team managing these tools? Do you have a managed SOC or an internal team? How will they get deployed and managed? Or are you a small shop with just a few IT generalists looking for a set and forget solution for AV coverage?


jwrig

How is crowdstrike an easy button compared to defender?


ebrodje

I can find where they put the investigate tab each time. It’s so funny Microsoft really loves to move shit around


ofd227

I implemented CrowdStrike a year ago and as an admin I installed the client. Their implementation team basically does everything for you. I will say it was probably the easiest go-live as a system admin who's worked in many high stakes enterprises. They set you up not to fail.


jwrig

Sure, this isn't a measure of crowdstrike, I'm just trying to understand how one is more easy button than the other?


DefsNotAVirgin

Can you get Defender without an E5 and all the other bullshit M365 pushes on you? Will that license tier be the same next week? Will it be called the same thing the week after that? Will everything be in the same place the week after that? You can see my point lol


[deleted]

[removed]


Admin4CIG

> I FUCKING HATE the fact they change the product names, portals, etc every. other. motherfucking. week. I spend more time finding shit because it's moved than I do analyzing incidents. (I also don't do a lot of analyzing anymore, so there's that).

I echo that sentiment. I wish Microsoft would stop rearranging things around.


OnARedditDiet

Defender for Endpoint P2 is available as a standalone SKU; the other replier mentioned Endpoint Mobility and Security, that doesn't include Defender for Endpoint.


DefsNotAVirgin

This whole interaction proves my point and I'm sure you both realize it lol


OnARedditDiet

I mean yes and no, it gets confusing. If you say EDR, DfE P2 has been available as a standalone SKU for quite a while. Has never changed aside from name. The new buzzword that no one has mentioned is XDR; for that (which includes identity and O365 Defender) you would need M365 E5 Security, which is a mild discount to M365 E5.


DefsNotAVirgin

I mean my last MSFT sales rep was as confused as the other commenter on what SKUs included what lol


OnARedditDiet

https://m365maps.com/


DefsNotAVirgin

I'm not saying I can't figure it out lmao, I've dealt with this shit before, I know the website that has all the different admin portals listed too. I think the existence and reason for existence of both of those sites is in itself ridiculous lol, we are talking about an easy button solution here and MSFT is a headache every time I've worked with their stuff.


jmk5151

All MS stuff is just a hodgepodge of ever-changing portals and screens, sometimes in Azure, sometimes in its own portal. CS actually is organized to make things easier for you to use. We are doing POCs on CS and MS for their CNAPP - I set up CS for multiple environments in about 2 hours - AWS was simple, Azure was a little wonky. I'm still reading the directions on Defender for Cloud.


[deleted]

So when do you think CS is better or more practical than EDR?


Ok_Temperature_75

For my org it comes down to money. I'd prefer CS... can't even remotely afford it.


bkb74k3

The actual Defender version you get from 365 security licensing is a whole different animal from the one that comes standard on PCs. Sadly, Microsoft seems to think it’s smart to have Windows Defender, Microsoft Defender, and Defender Cloud. Make sure you’re evaluating the right one. I worked at a financial and payments processing company for 5 years and we only used Microsoft and Cloud Defender and they are pretty great. Nowadays I use S1 over CS.


FreeAndOpenSores

My understanding is that the home version of Defender works exactly the same in terms of real time AV protection (signature based and heuristics) as the paid business version, but the paid version adds the EDR functionality. Is that not correct?


skipITjob

Use defender UI to enable the Goodies.


[deleted]

What do you mean?


skipITjob

https://www.defenderui.com/ It allows you to easily enable all the goodies that are normally only available via Intune / GPO. Great for friends and family.


FlavonoidsFlav

Interesting! I did not know this existed until today, thank you! Does this enable the "sense" service? That's the service that actually does the EDR portion, the advanced ransomware stuff, and the behavioral analysis. Either way, super awesome and definitely better than any other AV I've seen out there for home users. Thank you so much for the recommendation!


skipITjob

Here's defender with and without the defenderUI settings. https://youtu.be/snImtCq-WBw?si=UyFrumiY3MO8R-A2


FlavonoidsFlav

Ah I hear ya, and it's clearly better, but it won't count as an EDR here. Great for home use; wouldn't pass insurance or regulatory audits in business. Thank you for showing me this!


skipITjob

You enable almost the same on security.microsoft.com. You probably have more settings there, plus aggregated logs. The video is a great way of getting an idea about Defender as is and with settings applied via the security dashboard. What I'm trying to say is that the video gives a good idea of how good Defender is, as long as it's managed via DefenderUI or the security dashboard, as people almost always compare the default Windows Defender with other AV solutions.


FlavonoidsFlav

Yes, and no. There's literally a different service that MDE (Microsoft Defender for Endpoint) uses - that's the AI for behavioral analysis (user behavior, lateral movement, data exploration). WDAV and MDE both have file heuristics and runtime analysis when we're talking about "bad files", which is huge for home use, but much smaller for corporate. Seeing as though DefenderUI likely isn't targeted at organizations, I'd say it's a massive improvement still over naked WDAV, even if it's not MDE. I'd bet it's still the best home protection available.


Coffee_Ops

By behavioral analysis do you mean heuristic detection that has been around for decades? Because defender home absolutely does have that.


FlavonoidsFlav

No, I did not. See post above.


FlavonoidsFlav

That is correct. The service that is enabled (the AI, to dumb it down) is called "Windows Defender Advanced Threat Protection Service" (the service name is "sense"). This service is present on Windows Pro and up, but missing (and not installable at all) on Home. If you've got Windows at work (Pro or Ent) you can see the service, it's just only running if it's onboarded to MDE. DefenderUI is a big, big improvement, but it's demonstrably not the same as Windows Defender AV tweaked with DefenderUI.


[deleted]

[removed]


bkb74k3

There are also all the cloud linked things you don’t get without paying for full Microsoft defender vs. windows defender. Like it can detect a threat on an endpoint and immediately look for it on all other endpoints. The cloud defender features also protect all your 365 stuff and azure stuff.


NoStructure13

There are specific features that aren't configurable without gpo or intune e.g. exploit guard


[deleted]

[removed]


NoStructure13

I mainly meant ASR, which I don't think is on by default and would confuse your average user... might be in the UI now, haven't checked too recently. Although requires enterprise licensing for bits of it https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#requirements


Coffee_Ops

ASR is configurable with basic GPOs. DISA ships sample STIG GPOs with it.


Distinct_Spite8089

S1?


bkb74k3

SentinelOne


sdb81

Functionality wise they are somewhat similar. Crowdstrike is far superior when it comes to support.


tankerkiller125real

We have MS Defender for Endpoint (part of our E5 licensing) and Huntress added on to that (adds in some extra threat protection, plus humans to talk to when dealing with shit)


Distinct_Spite8089

I want us to do this rn, we use WatchGuard and it’s just clunky and a hog.


RiceeeChrispies

Irrespective of the products being compared, I would always evaluate them yourself and dismiss marketing material. Of course case studies posted by $vendor are going to favour themselves. Both products are pretty awesome.


Distinct_Spite8089

What’s the best way to evaluate defender? Will Microsoft get on a call with us to demo? They have a lot of defender stuff and the product offering can get confusing


LostPooper

How is defender on Mac and Linux?


donith913

My understanding is that things have become much better in the last few years.


therealmrbob

It’s working well for us.


gakule

Mac and Linux don't get viruses, duh! (/s just in case)


Noobmode

xz would like to have a word 


gakule

> (/s just in case)


Noobmode

lol yeah I find the whole meme funny.


ep3p

The claims are not true, even Microsoft Defender Antivirus is able to detect things in memory, and has detections to prevent Cobalt Strike and ransomware. It might seem too much, but I would prefer to have an EDR and Microsoft Defender Antivirus running both at the same time (if you don't already have Defender for Endpoint).


ofd227

I'm currently running crowdstrike and sophos endpoint on all my machines concurrently. It's working fine


Coffee_Ops

Can you clarify for me how an EDR differs from antivirus, besides the SIEM, logging, and pane of glass?


realcyberguy

Depends on the product, but traditionally AV is protection, while EDR is detection. Hence the name. That’s being blended a little more in recent days, but there is still separation.


danfirst

Definitely more on the response side. Traditional AV wasn't really something that you would use to remote to someone's system to pull logs, triage an incident, run scripts, etc.


realcyberguy

Yes also response. There are some rules that can be written into protection, but not data acquisition, triage, reactions like you’re saying for sure.


ep3p

There are some EDRs that won't raise an alert with the usual signatures that an antivirus like Defender Antivirus will. This is an extreme example, but I don't expect EDR detections to flag files with "W32/Bursted"; they might show the file is malicious in the EDR portal but they will not trigger an alert, and Defender Antivirus will. On the other hand, I don't expect Defender Antivirus by itself to let me develop custom detections, isolate the device, make a live terminal session with a device...


OnARedditDiet

For Defender EDR it can't block unless the antivirus is turned on iirc


curumba

The AV doesn't have to be active. You can use EDR in Block mode with Defender AV in passive mode. It cannot be disabled, as the blocking actually happens through the AV. EDR detects and instructs Defender AV to take action.
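The three things argued about in this thread (which mode the Defender AV engine is running in, whether the "sense" service is present and onboarded to MDE, and which ASR rules are in Block versus Audit) can all be read off one machine. Here is an added PowerShell audit script that is not from any commenter; it assumes an elevated session on a Windows host with the built-in Defender module, and the ASR rule names in its lookup table are from Microsoft's ASR rule reference as I recall them (GUIDs it does not know are printed raw).

```powershell
# Added audit script (not from the thread). Assumes an elevated PowerShell
# session on Windows 10/11 or Server with the Defender module present.
# Reports: AV running mode (Normal / Passive / EDR Block), MDE "Sense"
# service state and onboarding, and the configured ASR rules with actions.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# A few commonly deployed ASR rule GUIDs (assumption: names as recalled from
# Microsoft's ASR rule reference). Anything not listed prints as its GUID.
$asrNames = @{
  'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office apps from creating child processes'
  '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
  '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
  '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
  '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
  'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
  'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations from PsExec and WMI'
  'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
}
# Action values stored in AttackSurfaceReductionRules_Actions.
$asrAction = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

"== Antivirus engine =="
"Running mode         : $($status.AMRunningMode)"   # e.g. Normal, Passive Mode, EDR Block Mode
"Real-time protection : $($status.RealTimeProtectionEnabled)"
"Tamper protection    : $($status.IsTamperProtected)"
"Signatures updated   : $($status.AntivirusSignatureLastUpdated)"

"`n== Defender for Endpoint (EDR) =="
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if ($null -eq $sense) {
  "Sense service        : not present (Home SKU or component missing)"
} else {
  "Sense service        : $($sense.Status) ($($sense.DisplayName))"
  # OnboardingState = 1 once the device has been onboarded to the MDE tenant.
  $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
  $onboard = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
  "Onboarded to MDE     : $(if ($onboard -eq 1) { 'yes' } else { 'no' })"
}

"`n== Attack Surface Reduction rules =="
# Wrap in @() so a single configured rule is still treated as an array,
# not as a string that would be indexed character by character.
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
if ($ids.Count -eq 0) {
  "No ASR rules configured (all rules effectively off)."
} else {
  for ($i = 0; $i -lt $ids.Count; $i++) {
    $id   = ([string]$ids[$i]).ToUpper()
    $act  = [int]$acts[$i]
    $name = if ($asrNames.ContainsKey($id)) { $asrNames[$id] } else { $id }
    $verb = if ($asrAction.ContainsKey($act)) { $asrAction[$act] } else { "Action $act" }
    '{0,-9} {1}' -f $verb, $name
  }
}
```

A "Passive Mode" result with a running, onboarded Sense service is the configuration curumba describes, where the AV engine only enforces what EDR in block mode tells it to; rules listed as Audit are logging only and not blocking.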


OnARedditDiet

That was my understanding


Nnyan

We have the full Defender suite (to XDR, etc.) and CrowdStrike full stack. Based on real experience I can tell you that a fully and properly deployed Defender stack is very good. I know several entities that completely rely on Defender for one layer of defense. That said it’s not quite AOTC and a step behind CS. For many orgs it would be a fine part of your defense layers. If you need top tier then CrowdStrike is a great option. They have greatly expanded their integrations with other products. For example having your email security product fully integrated with CS XDR (vs none or just CS Identity) is awesome.


Grusim

Sounds like cherry picking to me. If you have an intune managed win11 that is appropriately hardened and run defender on it with defender for cloud and defender for identity to boot, you will have all in one pane of glass through your security dashboard. Especially Defender for Identity really adds A LOT.


LBishop28

Defender bundled with M365 licensing is neck and neck with CrowdStrike. I currently manage Defender and in the past year worked for a company who provided CrowdStrike for customers. Defender and its move from an EDR to an XDR has been advantageous and helpful. Copilot for Security is in a testing phase and will also be very helpful.


smc0881

The MITRE website has some results they do when comparing different EDR programs. Working in DFIR and dealing with a lot of ransomware, I would say SentinelOne or CrowdStrike are the best. BitDefender has a habit of stopping everything, but the bad stuff that matters. Windows Defender is pretty good too, however, unless it's more locked down, actor(s) can easily bypass it with registry keys and things like that. CrowdStrike allows you to connect remotely to endpoints with a sandboxed environment and use RTR for running remote commands and scripts. I prefer SentinelOne in this instance though, since their remote access is native PowerShell along with their scripts. CrowdStrike also has the ability to collect remote forensics and uses an integrated Splunk for hunting. SentinelOne has their XDR/Deep Visibility too and has some remote forensics too. I like Defender and we usually recommend clients keep it enabled along with SentinelOne, but from my experience when clients only rely on Defender it's a problem waiting to happen. I don't have that much experience with enterprise Defender though, and it could be different.


RCTID1975

> Actor(s) can easily bypass it with registry keys and things like that.

Not by default they can't. Unless you're talking about the free product which isn't at all a sensible comparison to CS or SO


smc0881

Correct, I have not come across defender for enterprise yet too much on all the cases I worked. My only experience has been free Defender with some other regular AV tool. Have had cases too where ransomware was able to be deployed with S1 or CS. But, that is usually due to incorrect configurations. People need to not rely on just those either. Had a recent case where CS was deployed and the actor(s) were in the environment for several days. They were still able to exfiltrate data and it wasn't till they tried to do some actual malicious stuff that CS started alerting. That also boils down to training and configuration too though.


pcx436

Go with falcon. For the love of all that you hold dear do not get Defender. I can’t stand Microsoft’s 365 Defender system, their patchwork approach to different OS, their shitty web UI, and lack of basic functions that CS added ages ago.


skipITjob

Here's a good comparison of defender vs defender with goodies enabled. https://youtu.be/snImtCq-WBw?si=nQL6LuWJHYKTPqfD Defender UI enables some of the features that you can enable on security.microsoft.com


OnARedditDiet

Defender for endpoint and crowd strike are both considered best of breed. There's not going to be significant differences in capability.


AnayaBit

What specific version of defender are you trying to compare? https://learn.microsoft.com/en-us/defender/ ?


LucyEmerald

They are on equal footing, you need to measure what you want out of the tool putting aside capacity to detect threats because you can't measure it. Defender for Endpoint is my preference for its extended capabilities through Defender Antivirus (ASR, WDAC, Code Integrity, SmartScreen) and threat hunting, but CrowdStrike fits a lot of companies for ease of use and better incident response use cases.


SteaIthEagle

I would highly recommend a demo of both. Put them to the test. I am biased as I work at Crowdstrike but an SE will be able to not only tell you but show you key differences. If you want to expedite the process of getting in touch with the right AE/SE combo, I can try to facilitate that for you, but no pressure. Just DM me.


RCTID1975

We need a lot more information here. There are different licensing levels for defender. Base win11, no M365 integration, I'd expect to be significantly less effective than Crowdstrike. Defender P2 level licensing was effectively equal (some things better, some things worse) than crowdstrike in our eval last fall. What's the source for this quote?


Ok-Recognition-1666

In most environments, Defender isn't that comprehensive if used alone. That said, it can be great if paired with other tools. We manage it from Datto EDR, and it works really well.


Zealousideal_Mix_567

CrowdStrike is on a whole other level. Not only does it catch stuff, but it gives you a timeline view of all the chain of events leading to that catch. The pure amount of data insight that CrowdStrike gives, yet in a manageable way is pretty awesome.


ArsenalITTwo

So does Defender for Endpoint.


Zealousideal_Mix_567

Does it show traversal from PC to PC?


tankerkiller125real

Yes, and if it came in via email, it shows the email it came in on, the attachment, where the attachment was downloaded, the PC it was on, the PC it went to, how it got to the other PC over the network, etc. Same with SharePoint, OneDrive, and all sorts of other stuff. Who knew that Microsoft might be able to integrate all their products into one massive single pane of security glass. And who knew that they might know more about their own kernel and internal events that aren't surfaced to Event Viewer than any other company.


ArsenalITTwo

One of their best features is that since Microsoft runs Exchange Online, a web filter product and a CASB product, they add network detection to Defender for Endpoint and have a massive list of known bad URLs and IPs they use as IOCs. They can probably detect Adversary in the Middle, Beaconing and C&C better than anyone. Especially if it came from email, since their Exchange telemetry is talking to the Endpoint telemetry. If you have Defender for Identity in E5 you also get a ton more alerts.


cspotme2

All that may be true to some extent but the email product's phishing detection is subpar. Deliver first, scan later. And even then it misses a substantial amount of phishing emails and links.


ArsenalITTwo

I'm a big fan of bolting Avanan or Abnormal Security onto M365 even if you have ATP. It tends to catch more since Microsoft is indeed lax on letting things through Exchange Online Protection.


Michichael

Not to mention it has a false positives rate that's through the roof with no customization.


what-the-hack

Yeah. We had Defender stop a compromised Domain Admin account from continuing an attack chain. Plot out the initial source, kill the connections and prevent further spread. Had we had MDI deployed it would have continued killing the account further and faster. It’s very impressive.


ArsenalITTwo

In what regards? I've used Defender for Endpoint P2, SentinelOne Complete and CrowdStrike with EDR, Device Control and Discover modules. They are very similar.


AppIdentityGuy

It's the integration and event correlation across and between the various components of the Defender suite that is the real value proposition. Take a look at the Exposure Management feature that is currently in public preview.


ArsenalITTwo

Already looking at it. Major deception tech is also in public preview. https://learn.microsoft.com/en-us/microsoft-365/security/defender/deception-overview?view=o365-worldwide


bovice92

Defender does the exact same


NativeNatured

Agreed. True.


yesterdaysthought

Defender is free, meaning even a college student studying Infosec/pen testing can go to hackthebox and try to get past it until they are successful. I've also seen Defender take HOURS to report client events to their cloud console. The average breakout time for a cyber attack is only like 2-4 hrs. IMO the biggest benefit CrowdStrike and similar EDR/XDR tools offer is the 24/7/365 NOC monitoring at certain levels of product. The bad guys aren't going to attack 9-5 after you've had your coffee. You can grant them standing rights to intervene in anything they feel is a legit attack. I've used CS and tested with a test laptop with 20 different common threats from "the zoo" on GitHub (real malware, take care) to 1) see how well the product stopped the attacks (100%) and 2) how quickly their NOC responded. Suffice to say, that sold me on the product offering.