Dave Martin, June 25, 2021
That’s Why We’ve Chosen Microsoft Defender for Endpoint
Studies have shown that as many as 70% of all attacks originate from the endpoint, and as a result employees' desktops, laptops, smartphones, and other devices represent a large potential attack surface that should be continually monitored.
Tens of millions of these devices are tempting targets for malicious actors who see them as easy entry points for penetrating an enterprise's systems. This makes it critical to keep them from being compromised, or at least to prevent a breach from expanding beyond the initial target, and so detecting when an endpoint has been compromised is paramount.
And this is why we have standardized on Microsoft Defender for Endpoint as the endpoint sensor for our MDR+ service.
Defender for Endpoint provides not only alert data but also access to the raw events that generated those alerts. This is like having the full 1,100-page text of War and Peace rather than skimming the CliffsNotes version and trying to understand the story. Having both alerts and raw events, plus the ability to query the live running state of a host, makes Microsoft Defender for Endpoint a valuable tool for identifying true-positive security incidents. We combine this capability with data from our Network Detection and Response (NDR) sensor, the customer's security stack, and log data from the identity layer and networking stack to complete the picture.
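To make the alert-versus-raw-event point concrete, here is an Advanced Hunting query that pivots from a Defender for Endpoint alert to every process creation on the same device in the minutes around it, so an analyst sees the surrounding process tree rather than only the single process the alert named. This is an added example written for this page, not code from the original post or from Microsoft; it assumes the Advanced Hunting schema tables AlertInfo, AlertEvidence and DeviceProcessEvents, and the lookback, window and severity filters are illustrative choices.

```kql
// Added example (not from the original post): pivot from a Defender for Endpoint
// alert to the raw process events around it.
// Assumptions: Advanced Hunting tables AlertInfo, AlertEvidence, DeviceProcessEvents;
// the 7-day lookback, 10-minute window and severity filter are illustrative.
let lookback = 7d;
let window = 10m;
// 1. Alerts of interest, joined to the process evidence each alert carries
let alerts = AlertInfo
    | where Timestamp > ago(lookback)
    | where ServiceSource == "Microsoft Defender for Endpoint"
    | where Severity in ("High", "Medium")
    | join kind=inner (
        AlertEvidence
        | where EntityType == "Process" and isnotempty(DeviceId)
        | project AlertId, DeviceId, DeviceName,
                  EvidenceFileName = FileName, EvidenceSHA256 = SHA256
      ) on AlertId
    | project AlertId, AlertTime = Timestamp, Title, Severity,
              DeviceId, DeviceName, EvidenceFileName, EvidenceSHA256;
// 2. Every process creation on that device in a window around the alert,
//    not just the one process the alert named
alerts
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | project DeviceId, EventTime = Timestamp, FileName, ProcessCommandLine, SHA256,
              InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
  ) on DeviceId
| where EventTime between ((AlertTime - window) .. (AlertTime + window))
// Mark the row that is the alerted process so it stands out in the tree
| extend IsAlertProcess = (SHA256 == EvidenceSHA256)
| sort by AlertId, EventTime asc
| project AlertId, Title, Severity, DeviceName, EventTime, AccountName,
          InitiatingProcessFileName, FileName, ProcessCommandLine, IsAlertProcess
```

The value of the raw events is in the rows where IsAlertProcess is false: the parent that launched the flagged binary, the siblings it spawned, and the account they ran under are what turn a single alert into a decision. If the picture is still ambiguous, the third capability the paragraph mentions applies: a Live Response session against the device can be used to inspect current running state (for example the running process list and active connections) before deciding whether to contain.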
This improves the signal-to-noise ratio and results in high fidelity threat detection, enabling our SOC engineers to focus on real threats rather than being distracted by low-fidelity alerts.
FASTER IDENTIFICATION = FASTER CONTAINMENT
With faster identification comes the opportunity for faster containment, and in this regard, we have a further advantage because our MDR+ service – unlike virtually any other – can be seamlessly integrated with our Secure Access Service Edge (SASE) solution.
This combination not only gives us deep visibility into the network to identify compromised devices; it also allows our SOC engineers to contain threats using the complete security stack. Most MDR and EDR providers contain threats by isolating compromised hosts from the network, and this is often important to prevent lateral movement of malware. However, not all threats are the same, and containment of some attacks is better implemented at the firewall, in DNS, in the authentication management system, or at the web proxy. A stolen credential being used from outside the network, for example, is contained by disabling the account and revoking its sessions at the identity layer; isolating the host it was stolen from does nothing to stop it. As the saying goes, when you only have a hammer, everything looks like a nail. Assuming all threats are best contained through host isolation alone is not the best approach to timely containment.
Ours is the only MDR+ service capable of stopping such breaches at the network level and providing complete coverage of the entire cyber kill chain.
Bolting together separately developed MDR and SASE solutions always looks easy in a vendor's slide deck, but that is rarely the reality. Typically it is time-consuming to configure and requires SOC engineers to toggle between multiple screens with error-prone manual configuration, hardly ideal when you are racing against the clock to keep a breach from expanding.