CrowdStrike vs. Microsoft Defender for Endpoint: A Cybersecurity Leader Compares EDR Tools

CrowdStrike wins in security effectiveness, operational efficiency, total cost of ownership and ease of use


CrowdStrike customers tend to stay with CrowdStrike, typically starting with endpoint detection and response (EDR), then expanding to other attack surfaces as they consolidate their cybersecurity with the CrowdStrike Falcon® platform. 

But what happens when a business that uses and trusts CrowdStrike is forced to adopt Microsoft Defender due to a divestiture?

That’s exactly what happened to this CrowdStrike customer, a major American retailer. While the organization requested anonymity, it wanted to share its story.

When the new retailer was divested from its parent company, it found itself contractually on the hook to secure a transition environment shared by both companies. In this scenario, Microsoft Defender was put forward by a consultant to provide EDR for the parent company. The new retailer continued to run CrowdStrike Falcon exclusively.

Head-to-Head Comparison

To ensure the new retailer had up-to-date, unbiased data on Microsoft Defender, it hired a third party to test it against CrowdStrike Falcon.

The third party obtained licenses for both Microsoft Defender for Endpoint and CrowdStrike Falcon® Insight XDR and tested both products against known threats over a two-week period. Here’s how a cybersecurity leader at the new retailer assessed the results.

Security effectiveness: CrowdStrike wins

“Defender wasn’t able to detect anything in-memory. And since fileless malware is now used in more than 70% of attacks, Defender could presumably miss 70% of malicious activity in our environment — and indeed did miss quite a lot. Defender also allowed for the full execution of the malware before taking any action, which could lead to credential harvesting, and allowed the malware to execute using unmanaged PowerShell scripts. CrowdStrike was able to stop everything Defender missed in our tests.” 

Operational efficiency: CrowdStrike wins

“With Defender, you go into reduced functionality mode if you fall behind on OS patches. With our current shared environment, in which we were using CrowdStrike exclusively, we were able to make a lot of risk-based decisions and avoid the disruptive nature of monthly Microsoft patching. After the transition, the parent company loses those protections, so it must immediately start patching systems monthly in order to keep Defender fully supported, which is a heavy lift.”

Total cost of ownership: CrowdStrike wins

“With Defender, the parent company was estimated to need to increase infrastructure spend to ensure adherence to Microsoft’s release schedules. If/when the parent company falls behind and keeps older, unsupported infrastructure in place, it will be forced to either upgrade the infrastructure or live with Microsoft’s limited security support of the last patch date. When all calculations were complete, Defender required more frequent infrastructure investments than CrowdStrike. Expected savings by using Microsoft are also eroded when considering the labor hours required to research, test, upgrade and maintain versions.”

Ease of use: CrowdStrike wins

“Due to the lack of integration of Defender Management Consoles, multiple panes of glass need to be monitored. In order to mirror Falcon coverage of the new retailer, the parent company was estimated to need to manage up to nine different consoles. With CrowdStrike, the new retailer allocates half a full-time employee (FTE) supporting all the modules. With Defender, the parent company requires at least four FTEs.”

The Choice Is Clear

After seeing the test results, the new retailer was able to add provisions to the agreement absolving it of certain legal risks should a breach involving Defender impact the new retailer.

Needless to say, the new retailer is happy to continue using CrowdStrike, and it recently added CrowdStrike Falcon® Cloud Security and CrowdStrike Falcon® Identity Protection to its suite of Falcon modules.

This new retailer is not alone in its findings and conclusions. In fact, 8 out of 10 times when an enterprise customer does a proof-of-value technology test, they choose CrowdStrike over Microsoft.

The allure of Microsoft security quickly fades when businesses consider the risks. In 2022, Microsoft issued more than 900 patches to different Microsoft products [1]. Of these patches, 20% were critical — nearly twice the industry average — and 30 were for zero-days [2]. It’s clear that Microsoft vulnerabilities have become the preferred attack surface of the adversary.

As outlined above, Microsoft Defender also brings hidden costs and complexities, which for the organization featured in this blog post meant added burden in maintenance, operations, support and total cost of ownership.

Customers shouldn’t have to compromise on security. The choice you make on cybersecurity is critical to reducing cyber risk — compare for yourself.

Additional Resources

1. CrowdStrike Falcon Spotlight Monthly Patch Analysis, 2020-2023
2. CrowdStrike Falcon Spotlight Monthly Patch Analysis, 2020-2023