I'm contemplating moving from CrowdStrike to Microsoft Defender for Endpoint (DFE) as we're now on a Microsoft subscription that includes it. I've really enjoyed the telemetry and threat visualization that DFE offers, but I'm eager to hear from those who have made the switch recently. I'd love to know: How does the threat detection rate of DFE compare to what you experienced with CrowdStrike? How easy is it to manage exceptions and additions within DFE? Also, what's the difference in threat hunting and containment capabilities? Are there particular aspects you love or dislike about DFE? Lastly, do you feel confident that DFE can adequately protect your fleet similar to how CrowdStrike did?
5 Answers
Honestly, if you're budget-conscious but still want good security, CrowdStrike is better overall in my opinion. It offers solid protection without causing too much of a drain on resources, unlike DFE, which seems to use a lot of RAM and CPU.
In our setup, we use CrowdStrike for VIPs and servers while MDE covers everyone else. It balances cost and protection pretty well, though I do feel that CrowdStrike's performance justifies its price. Also, deploying DFE in passive mode can help log events better if you're using SIEM tools.
Totally agree! I think people assume that because something costs more, it offers better security. But honestly, I'd test MDE in passive mode first to leverage its logging capabilities.
I've used both for about three years now. CrowdStrike is still top-tier, but DFE has really stepped up its game recently. MDE flags more items and gives clearer context, which I think helps in understanding incidents.
You know, you can actually run DFE in passive mode alongside CrowdStrike to get all the telemetry without losing your existing EDR. In my experience managing security, DFE does require a bit more tuning to filter out noise compared to CrowdStrike, but some folks might appreciate that level of detail.
That’s interesting! I've heard DFE might not capture all logs when in passive mode, especially regarding ASR rules. Have you found that to be true?
For context, we have DFE running alongside CrowdStrike in passive mode with an MDR provider. DFE actually flagged more potential threats than CrowdStrike but needed some configuration adjustments upfront. The trade-off is worth it if you have the time to optimize it. Plus, its incident containment features are better in terms of allowing user communication during an attack.

I feel you there. I chose CrowdStrike because of its smaller footprint on system resources, although I haven't used DFE in a while, so I can't comment on its latest incarnation.