cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Caute_cautim
Community Champion

Comparison required from experience: Microsoft Defender vs Carbon Black or others

Hi All

 

I need an objective assessment from your experiences:  Microsoft Defender is yet, another heavily discounted solution from the same stable.  So lets paint the scenario the Microsoft tool set is compromised, how can you then trust the same tool set to detect, prevent and respond to those same threats?   Can you trust it? 

 

Cost is a great weapon, to the CEO, CIO, CFO but from a practical security perspective would you feel safe to put your name behind the decision? 

 

Even NIST talks about layers of defense, so putting cost aside - how would you rate Microsoft Defender within your organisation?

 

Regards

 

Caute_cautim

13 Replies
me_shail
Community Champion

We are using defender. Also using crowdstrike in some machines (edge network and web facing). We are getting better results with defender, when it comes to catching the malware. We actually replaced bitdefender with MS defender across the organisation after doing a trial of defender for about 6 months. In some cases the third party tools like bitdefender or others did better than ms-defender but overall results were in favour of ms-defender. Cost was one of the factors. 

Steve-Wilme
Advocate II

Different anti malware vendors are sometimes better at detecting particular strains than others.  It varies with time depending on how up to date the signatures they issue are and how good their heuristic detection is.  If you go with a free / low cost product you're trade this cost off against the risk of down time and data loss.  A more sensible approach is to have a layered defence in place and consider the risk holistically and contextually.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Beads
Advocate I

Depends on your first line and compensating controls. Would using Defender at the desktop be sufficient stopping enough malware on its own? Do you see your other controls detecting malware before hitting your desktop? What do your other network level controls look like? For example, BADs, Nbads, 802.1x, sandboxing at the firewall, ingress screening and many others all have their place at the table.

 

I am currently consulting for a major US based retailer that uses Defender and from a security standpoint, works quite well next to all the other goodies capable of supporting a well managed security platform.

 

If you can cut some money out of your budget and gain more security elsewhere, go for it. Keep metrics on your before and after statistics concerning number of detections, infections, events, incidents and breaches (pro and con) to prove or disprove your A/V choice down the road, of course. Like any business purchase the "proof is in the pudding". Always be prepared with metrics to defend your purchase or revert to more expensive solutions.

 

Personally, having not seen my home machines detect anything since the mid 1990s, stopped subscribing to expensive malware suites about a year ago and simply use Defender on all my machines. Backed up by a small firewall with an open source NIDS, daily backups, etc. Its all "delightfully excessive" (overkill) of course but that's a trade off for being a security person, isn't it?

 

 

Caute_cautim
Community Champion

@Steve-WilmeTotally concur with the layered defense perspective.  Also from an objectivity perspective as well, many stories of Azure, Microsoft having been compromised - and we know Microsoft are putting a great deal of investment into protecting their brand. 

 

Independent assessments, talk about the lack of support ongoing and none of the additional capabilities that other suppliers have such as Characterisation, Application Whitelisting etc - essential for Government agencies.

 

But as others have stated cost take out is a great carrot. 

 

Yes, the risk mitigation strategy has to also be put into the equation.  I have seen at least one occasion, where dependence on traditional AV has failed and the Incident Response Teams, have had to go into emergency response mode and actually use additional what some call New Generation AV suppliers to resolve the situation and ensure ongoing operational resilience.

 

Regards

 

Caute_cautim

Caute_cautim
Community Champion

@BeadsSeveral things come to mind:  "You get what you pay for" is one old adage.  The other "Horses for Courses"  or the practice of choosing the best person for a particular job, the best response for a situation, or the best means to achieve a specific end.

 

I have seen several retailers caught out in the past and had to deal with the Saturday 9am call , using traditional methods in the past, especially those interlinked internationally - and having to mop up and ensure they could open at 9am on Monday. 

 

Layers of defense is all good, but it will only take one slip up and the reputation of the single vendor will be tarnished vs cost vs risk vs impact to the business.

 

I agree, even I take a layered approach even for my home system too. 

 

Regards

 

Caute_cautim

 

Caute_cautim
Community Champion

Also an interesting article on ransomware attacks not being detected by traditional AV:

 

https://securityintelligence.com/news/efs-ransomware-attacks-overcome-major-antivirus-tools-in-proof...

 

Layers layers of defense altogether now.

 

Regards

 

Caute_cautim

jmarshall1956
Newcomer I

Steve-Wilme said it best below - layers are good. We also use MS Defender on the end points, coupled with Palo Alto Firewalls for Web and Content filtering and Proofpoint for eMail filtering. We are also looking for an AI/ML tool for the Network/Zero-Day space - right now I like Senseon but we have not purchased yet.

 

Jim Marshall

Jim M
Caute_cautim
Community Champion

@jmarshall1956   Thanks Jim for the response.  One of my colleagues also pointed out to me in order to obtain NGAV (New Generation AntiVirus) the client would also have to add ATP as well.  However, this brings in implications as they would have to go through a cloud risk assessment, as well especially as they are a government agency.

 

Regards

 

Caute_cautim

jmarshall1956
Newcomer I

Hmm, I'll have to look into that - I did sign up for the ATP pilot but then never followed up after the pilot ended. Thanks for the reminder.

Jim M