by Scott Jack
Content Contributor, E-N Computers
More than a decade of experience in technical support including end user support, mobile device management, application deployment, and documentation.
In 2024, we started asking whether Microsoft Defender can replace our third-party MDR solution of choice, Blackpoint, for endpoint detection and response (EDR). This is something we still talk about, even though we’ve published an article on How Microsoft Defender XDR simplifies cybersecurity. Since it continues to be a topic of discussion internally, we thought it would be worth sharing our team’s thoughts publicly.
QUICK ANSWER:
Can Microsoft Defender replace your third-party EDR solution?
Yes, Defender can replace a third-party EDR solution for many businesses, and in most cases, we think it’s the better choice. This is especially true if you are already using Microsoft 365 or need to meet cybersecurity compliance requirements. For small to medium organizations, we recommend Microsoft 365 Business Premium licenses with the E5 Mobility + Security add-on, a combination that provides a host of advanced security features and tight integration that ultimately save time and money otherwise spent on administration, investigation, and response. Defender won’t be a good fit if you’re not using Microsoft 365 or refuse to spend more on Microsoft subscription licensing.
Why it matters
There continue to be major shifts in the security landscape, all of which should affect your choice of security tools.
- The rise of AI-powered attacks requires more sophisticated detection capabilities
- Cloud-first security approaches are becoming standard rather than optional
- Compliance requirements are increasingly complex, especially for government contractors
- Integration between security tools is no longer just nice-to-have—it’s essential
Microsoft’s commitment to security is evident in their $20 billion investment in cybersecurity over the past two years. This investment shows in Defender’s capabilities, which now extend far beyond traditional endpoint protection.
Why we started using Blackpoint and how it’s going
Before we started using Blackpoint, we were using Webroot for endpoint protection. But Webroot is traditional anti-malware software and was limited in what it could defend against. We weren’t confident in Webroot’s ability to handle modern threats around cloud services and credentials. We needed something that could catch and prevent risky logins and that had logging capabilities.
Blackpoint met those needs for us at a time when Microsoft’s security tools weren’t as robust. It is great for catching risky logins and blocking applications. It’s also easy to talk to someone helpful at Blackpoint when we have a question. Over time, though, we’ve identified a few pain points we have with it:
- Logging: Even though Blackpoint has logging, it’s not in a format that is easy for our security partners to access.
- Threat detection: With Microsoft’s extensive investment in the Defender security platform, we are finding that Blackpoint isn’t as good at catching some issues as Defender is.
- Pricing and features: Clients with greater security needs are probably already using Microsoft 365. Combining Business Premium with E5 Mobility + Security provides a better balance of cost and features, better security recommendations, and tighter integration than any third-party tool can provide.
- FedRAMP authorization: FedRAMP authorization demonstrates that a cloud service provides an appropriate level of security and protection for unclassified federal data. Blackpoint is not FedRAMP authorized, and we want to be sure that the tools we use can meet the needs of government agencies and contractors.
What we think about Microsoft Defender
Microsoft Defender is feature-rich and customizable. It is flexible enough to meet the needs of modern small businesses as well as strict federal security requirements. It’s particularly good for contractors and government agencies that handle CUI and need Microsoft 365 GCC High.
Its broad feature set and customizability can also be a downside. In contrast to Blackpoint, which is mostly pre-configured, Microsoft’s products require careful configuration. It’s also more difficult, if not practically impossible, to reach a helpful support person.
Pricing: Defender P2 is worth every penny
Microsoft is notorious for making their products and licensing confusing, but let’s try to untangle some of the details. Defender is a security product with two parts: Defender for Office 365 and Defender for Endpoint. Defender for Office 365 provides security for email and collaboration tools, while Defender for Endpoint provides security for devices. They each have a Plan 1 (P1) and Plan 2 (P2), which you can think of as Limited and Advanced.
The most important distinction, the one that makes Plan 2 worth paying extra for, is that only Plan 2 includes automated investigation and response for threats, whether they are detected in the cloud or on device. It reduces response time and the need for human intervention to keep your systems secure. In turn, you can catch and thwart attacks earlier.
Defender P1 is included with a Microsoft 365 Business Premium license ($22/user/month) and Defender P2 is available with the E5 Mobility + Security add-on ($10.50/user/month). This add-on is about the same price as Blackpoint ($10/user/month). Looking at the direction Microsoft is moving with subscription licensing, we think this combination provides the best value to our customers.
Performance: Defender is very effective, with few false positives
Some people might feel that Blackpoint’s human-driven Security Operations Center (SOC) makes it better at catching threats, but that doesn’t seem to be the case. In our experience, Defender is at least as effective at catching modern threats in real time.
Defender uses human threat intelligence analysts to examine aggregate signals and emerging threats, and provide security recommendations. Automatic detection works 24/7 to catch and block threats as they happen. In a recent announcement about Defender’s effectiveness during independent testing, Microsoft highlighted its cross-platform detection, delivery of zero false positives, and ability to unravel the behavior of malicious PowerShell scripts.
You can be confident in Defender’s ability to catch threats without many false positives that waste the time and resources of our security team. This allows us to spend more time on the alerts that matter most.
What should you use?
In most cases, we think Microsoft Defender is the way to go. It’s the best option if you’re already using Microsoft 365. Compliance-conscious organizations, including government agencies and contractors, will quickly appreciate its tight integration with the Microsoft 365 platform, which makes monitoring and reporting much easier. Managing multiple third-party tools and trying to align the data exported from each of them quickly becomes a headache. The scenarios where we think another solution makes sense are 1) if you don’t use Microsoft 365, or 2) if you simply don’t want to pay more for your Microsoft licensing.
We also don’t think you should bother layering Blackpoint on top of Defender for Endpoint Plan 2. There are two reasons for this. First, if you already have Defender P2, you are already getting best-in-class protection and Blackpoint is an additional $10/user/month for no real benefit. Second, it can actually make you less secure by introducing compliance risk.
With all of this in mind, we are working on rolling the cost of Microsoft 365 licensing into our managed services plans. We believe this is the best way to provide you with a suite of tools that improve productivity and security while streamlining administration.
Next Steps
When you have the right people working together, you can implement systems and processes that actively help you reach your business goals. We sometimes call this IT maturity. But for many organizations, something is off when it comes to their partnerships, strategy, systems, and settings. How can you know what’s working well and where you have room for improvement? Start by taking our free IT Maturity Self-Assessment. You’ll walk away with some pointers and, if you want, a free appointment to discuss your results.