
How does Cyclotron deploy Defender XDR?


The key to a successful Microsoft Defender XDR deployment lies in understanding the essential components and best practices to ensure a smooth and efficient process. Discover Cyclotron's proven strategies for effective deployment, including project phases, necessary pre-requisites, and collaboration between various teams to achieve optimal results.

Author: Nathan Berger, Director of Security @ Cyclotron


What does a successful Defender XDR deployment look like? 


As an award-winning Microsoft Partner, Cyclotron’s Security Practice has led hundreds of enterprise deployments of Microsoft Defender XDR. Here, we share best practices to help your organization achieve a successful deployment. 


We’ve done these projects in as little as 6 weeks, but a typical deployment timeframe is 12-14 weeks. If your organization moves more slowly or is uniquely complex, you can expect a longer timeframe.


This blog covers the following key components of a successful deployment: 

  • What you should know before starting a Defender XDR Deployment 

  • Who to involve in this project 

  • Defender XDR Project Phases 

  • Specific considerations for Defender XDR tools 

  • How Cyclotron collaborates with your organization for deployment success 


What you should know before starting your Defender XDR deployment 


You should verify the following pre-requisites before the project starts: 

  • Do you have Microsoft 365 E5 licenses?  E5 Security licenses can also suffice. To set up the tools for broad deployment, at least one license is needed during tool setup, and all licenses will be needed by the start of the deployment phase.  Microsoft Defender for Endpoint (MDE) Server licenses are not included in E5, so talk to your Microsoft account team about Defender for Server pricing before the project starts. 

  • Do you have third-party products to replace? Most of our Defender XDR clients aim to replace their existing tools (Crowdstrike, Proofpoint, NetSkope, etc.) with the relevant Defender tools. If you plan on maintaining some of these tools, there are important considerations for co-existence for each category that we should discuss before the project starts. 

  • Do you have access to key personnel? We’ll get into more details about who should be involved in the project below. 


In addition to the above, Cyclotron maintains a robust technical pre-requisite deployment checklist that we’ll use to evaluate your environment at the beginning of the project (Discover Phase). Remediating these items will prevent technical issues in later phases. 


Who to involve in this project 


You should engage the following teams in the Defender XDR project: 

  • Security Administrators, who will conduct most of the hands-on work and make key product decisions. 

  • Security Operations, who will plan operational strategies and need training to manage incidents and alerts. They will also need to validate Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) connections. 

  • IT Administrators, who will need to manage the rollout of MDE via their mobile device management (MDM) tool or Configuration Manager.

  • Infrastructure, who will need to provide access to Domain Controllers for Microsoft Defender for Identity (MDI) rollout. Their involvement in server management will also be critical for MDE rollout.  

  • Network, as Microsoft Defender for Cloud Apps (MDCA) firewall connections may require access to firewall log forwarders. 

  • Cloud app owners. Any enterprise cloud apps you want to monitor and protect will need app owner involvement to set up application programming interface (API) connections for security monitoring. 

  • Security leadership & CISO, who will want to monitor progress and value of the product rollout. 


Defender XDR Project Phases 


Cyclotron’s deployment consists of the following phases: 

  1. Discover. This includes product education, requirements finalization, current state assessment of third-party tools and Microsoft tools, technical pre-requisites check, and health checks on related services. 

  2. Design. Cyclotron will present a comprehensive deployment plan and ask for your feedback. Once all parties are satisfied with the written Design plan, we move to the next phase. 

  3. Build. We work with your administration teams to configure initial PoCs of all tools in preparation for validation activities, and we prepare for the removal of third-party tools.

  4. Test. We conduct validation activities in a structured approach to ensure that all relevant technical product functions work as expected and that third-party tools can be removed. This results in a Test Matrix or other test documentation.

  5. Pilot. We identify any end-user impacts and execute a select user & device pilot to gather feedback about end-user experience expectations & results. We use this feedback to amend the deployment strategy prior to rollout. We also provide full project documentation prior to rollout. 

  6. Deploy. We coordinate with change approvals and administrators to roll out Microsoft Defender in a predictable, wave-based fashion. 

 

Specific considerations for Defender tools


Defender XDR includes the following features:   


Diagram of Microsoft Defender XDR showing Endpoints, Identities, Cloud Apps, and User Data with icons. Emphasizes cross-domain security.

  • Defender for Endpoint (MDE): This includes both MDE (the Endpoint Detection and Response agent) and Microsoft Defender Antivirus (the Antivirus agent) in one combined solution.  

    • Device policy, especially Windows policy, matters to harden device configurations, so involvement from your IT admins is critical. Ensure that all end-user device platforms - Windows, Mac, iOS, Android – are planned for rollout.  

    • Servers can also be included if extra licenses are purchased.  

    • If you don’t want to replace a third-party tool, we can run MDE in silent mode to gain many of its device benefits and share telemetry with the other Defender tools. We strongly recommend MDE in silent mode for clients who don’t want to remove Crowdstrike, SentinelOne, or other EDR tools. That said, we usually replace the competing tool with MDE - clients appreciate the cost savings and the typical security improvements.

  • Defender for Identity (MDI): This only matters if you have an Active Directory environment. If you are cloud-only, you’ll rely instead on the following product (Entra Identity Protection) for your identity protections. Make sure your infrastructure teams are involved early, as several project activities for MDI deployment require changing AD audit settings, running capacity checks, and potentially increasing CPU and memory on DCs.

  • Entra Identity Protection: This automatically enables auditing and alerts the moment you enable an E5 license, as there’s no infrastructure to deploy to. Instead, we configure Conditional Access policies to enforce login challenges on risk detections surfaced by this tool. 

  • Defender for Cloud Apps (MDCA): This is the most elusive Defender tool, and it confuses clients. MDCA has at least 9 unique functions – Shadow IT monitoring, cloud app categorization & blocking, activity monitoring, file monitoring, anomaly detection, compliance tracking, malware detection, reverse proxy injection, and more.  Cyclotron has specific recommendations on how to best use MDCA, even if you don’t want to enforce any actions. The visibility from this tool can help secure cloud app access in unique ways. 

  • Defender for Office 365 (MDO): Email security protection, M365 collaboration protection, and an attack simulation training platform. Unlike the other tools, it’s difficult to run third-party email security gateways side-by-side with MDO. There are some unique functions that we always deploy even if you use a third party, so project activities will still include this MDO work. To pilot this tool, you’ll want to choose a smaller production domain to move first. This also has several end-user-facing features like Attack Simulation Training and the Report Message button, so we offer additional strategic change leadership support to help educate and train end-users for a smooth transition. 

  • Other features: E5 Security and M365 E5 include several great identity features, such as Privileged Identity Management for just-in-time admin access, Access Reviews to verify and right-size Entra permissions, and Access Packages to get started with entitlement management. Although these aren’t usually primary project objectives, we’ll usually help you develop a strategy for these features and get started with them during the project. 
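As an added example of the Conditional Access configuration described for Entra Identity Protection above (this is illustrative code written for this page, not Cyclotron’s own deployment tooling), the following Microsoft Graph PowerShell snippet creates a sign-in risk policy and a user risk policy in report-only mode, which fits the Pilot phase: impact can be measured in sign-in logs before anything is enforced. It assumes the Microsoft.Graph module is installed, the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission, and `$breakGlassGroupId` is a placeholder for your emergency-access group’s object ID.

```powershell
# Added example (not Cyclotron's code): create two risk-based Conditional Access
# policies with the Microsoft Graph PowerShell SDK, both in report-only mode so the
# pilot can measure impact before enforcement.
# Assumptions: Microsoft.Graph module installed; caller holds
# Policy.ReadWrite.ConditionalAccess; $breakGlassGroupId is a placeholder for your
# emergency-access group's object ID (constructed value, replace it).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"  # placeholder

# Sign-in risk: challenge medium- and high-risk sign-ins with MFA.
$signInRiskPolicy = @{
    displayName = "CA-Risk-SignIn-MediumHigh-RequireMFA"
    state       = "enabledForReportingButNotEnforced"   # report-only for the pilot
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# User risk: high-risk users must pass MFA and change their password.
$userRiskPolicy = @{
    displayName = "CA-Risk-User-High-RequireMFA-PasswordChange"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

foreach ($policy in @($signInRiskPolicy, $userRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created {0} [{1}] id={2}" -f $created.DisplayName, $created.State, $created.Id)
}
```

Once the pilot's sign-in logs show acceptable impact, switch each policy's `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`, keeping the break-glass group excluded.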


How Cyclotron collaborates with your organization for deployment success 


In general, the project scope will include Cyclotron guiding all project activities and phases, providing comprehensive project management, rollout plan, and thorough project documentation.  


We work closely with you to ensure a smooth and efficient process, but there are some key considerations for your team that are crucial to achieving success together: 

  • Make sure all involved project team members are invited to our weekly status call, where we give updates and plan project tasks relevant to all team members.  

  • Make sure team members have enough time to participate in weekly meetings. Only representatives from Security Admins, SecOps, and IT Admins are needed for all meetings. All other parties have limited project involvement in specific tasks. 

  • We do not decommission third-party tools on your behalf, but we will help you design the process for your team to remove & replace third-party tools. 


Want expert help deploying Defender XDR? 


As a 2024 Microsoft Partner of the Year with a proven track record of successful Microsoft Defender deployments, Cyclotron is here to help you deploy your E5 licenses, accelerate your journey to deployment, and get maximum E5 value.  For more information about Defender XDR deployments, contact nathan.berger@cyclotron.com or get in touch at cyclotron.com/get-started       
