Is Microsoft "lock-in" the right security strategy for your organization?

Introduction

The cybersecurity journey for Microsoft has been a long and bumpy one. It began in July 2001 when the Code Red worm targeted Windows-based systems with Microsoft IIS (Internet Information Services for Windows Server) installed. Researchers at eEye Security originally detected Code Red, but the early detection couldn’t stop the spread as more than 300,000 servers globally running Microsoft IIS were attacked.

While this event catalyzed a cybersecurity focus for Microsoft, similar incidents still occur today, with most targeting zero-day vulnerabilities in Microsoft code. For example, in 2017, the WannaCry ransomware attack was a worldwide cyberattack that targeted computers running the Microsoft Windows operating system. In 2022, a series of vulnerabilities in the Microsoft Exchange mail server affected more than 30,000 organizations worldwide (source).

Given its history, Microsoft takes cybersecurity more seriously today. They now offer a complete security stack, with some products integrated into their current offerings (i.e., data classification for Microsoft Office 365) and add-on products for other security categories, all conveniently bundled into their top-tier E5 license. Chief Financial Officers (CFO) around the world, at the prompting of Microsoft direct sellers and an extensive network of channel partners, are compelling Chief Security Officers (CSO) and Chief Information Security Officers (CISO) to get rid of already installed and often high performing cybersecurity solutions from leaders in their categories (i.e., CrowdStrike) in favor of exclusively implementing Microsoft solutions up and down their security stack.

How did CFOs end up making cybersecurity decisions?

With its far-reaching presence in the corporate world and expansive partner network, Microsoft exerts significant influence on non-security executives, including CEOs, CIOs, CFOs and, in some cases, the Board of Directors. They often tout one thing (and one thing only) in their argument to move their organizations to a full Microsoft security stack - cost saving. For current E5 license holders, it can appear as a compelling financial argument.

Advice for CSOs and CISOs Facing CFO Pressure on E5

I wrote this particular blog post to assist security leaders to parse through Microsoft's Insider Risk and Data Protection offerings and how to effectively navigate the pressures from non-security-focused peers and executives to adopt Microsoft as the single source of security technology.

A Data Protection Case Study: Microsoft Purview & Next DLP

At Next DLP, we have heard of cases where CISOs are told to deploy Microsoft Purview without ever having been involved in the purchase decision or testing the solution to determine if it best fits their organization’s needs. 

What is Purview? 

Formerly known as Microsoft Information Protection, or MIP for short, Microsoft’s data security solution, Purview, is included in many E5 license tiers. Purview is a collection of different technologies, some developed in-house by Microsoft and others acquired, that have been loosely integrated and rebranded Microsoft Purview. As with any security technology-related decision, there are pros and cons that every CSO or CISO should consider when evaluating whether Purview is right for their organization.

The Pros for CISOs

CISOs have been under the microscope for rising security costs. Purview offers opportunities to tackle these challenges:

• Cost Savings: Purview can potentially replace other security tools, reducing software expenses overall.
• Integrated Security Strategy: Purview claims to offer a chance to establish a more cohesive approach to the entire security stack by consolidating to one provider and replacing best-of-breed point solutions.
• Scalability: The Microsoft E5 license can be adapted to your organization's evolving needs.
• Enhanced Visibility: With comprehensive reporting and integrated technologies, Microsoft touts improved insights for better decision-making and threat response.

In summary, Purview could potentially address security cost concerns and offer a scalable approach to improve your cybersecurity posture.

Sounds great, right? 

The Cons for CISOs

A well-respected industry analyst told me, “If all your data is in O365, then Microsoft will allow you to check that box. If it’s not, you need a different solution.”  Leveraging Microsoft Purview requires your business to be all-in on Microsoft as components of the data loss prevention and insider risk solution lean on the capabilities enabled in others (i.e., Microsoft Defender for Endpoint). So CISOs need to think about the following:

• Overall Implementation Costs: Purview implementation is not simple. Remember, it’s a collection of different technologies. Deployment demands expertise, effort, and resources. A Next DLP customer, who happened to have E5, pushed back on CFO challenges to use Purview by showing that it would take two years to perform the labeling and classification needed to get it up and running. If a CISO had any other plans for their team, it would need to wait until the Purview rollout was complete. 
• Ongoing Maintenance Costs: Purview is not a set-and-forget solution; it necessitates ongoing configuration and optimization. George Kurtz of Crowdstrike said, “We've had many enterprise customers look at Microsoft, and when they looked at it, they're like, ‘We need five or six different consoles.’ They've come back and said, ‘We need many, many more people to run the Microsoft suite, and it would cost us more money than having the E5 license already in use.’" 
• Impacting Current Security Posture: As mentioned above, the value of Purview is only fully realized when you are all-in on Microsoft OS, applications, data types and the full Purview stack. Purview works well for O365 and native Microsoft data and file types. Analysts point out that the MS macOS agent only supports O365 and Office apps, plus some Safari capability, and numerous gaps exist in non-Microsoft and Apple native apps and file types, e.g., CAD, source code, multimedia. What companies only use Microsoft apps and Microsoft file types? With the cost of a data breach being $4.87 million for companies in the 1,001-5,000 employee range, is the non-Microsoft gap a risk the CFO is aware of and willing to take on?
• Support Ticket Resolution Timing: Unless you pay additional fees to Microsoft for an upgraded Microsoft Support Plan or choose a pay-per-incident option, it has been reported that average response time to resolve support tickets can take weeks and even months. While Microsoft is clear in defining and often meets their committed response times, issue resolution takes much longer as we have heard from many Microsoft customers. The core challenge is getting access to a support engineer who understands the product or service you are having an issue with. When you choose to work with a company that is delivering a dedicated data protection and insider risk management solution, issues will likely be resolved quickly as every Support Engineer will have deep knowledge of the product or solution.
• Feature Requests and Delivery: Similar to support issue resolution, we have heard of numerous instances where feature requests have been simply declined or take many months or years to get added to the roadmap and ulitmately released. Unless you are a BIG customer of Microsoft and have influence at senior levels of their security product organization, you are compelled to use an online form to request a feature for Microsoft Purview and having it accepted and delivered is hit or miss. Many independent software vendors (ISVs) are highly motivated to meet customer needs in an accelerated fashion and feature requests are not only welcomed but encouraged as ISVs strive to deliver on the use cases most critical to their customers. Put simply, smaller players can be more nimble and agile in their engineering approach to deliver new features faster.

Once the true Purview operational costs are added up, how does the security bundle proposition that caught finance’s attention look? 

How to Maximize Your Microsoft E5 License Investment

So, you have Purview and need to use it. Here are some steps to help you maximize your company’s investment. 

1. Understand Your License: Thoroughly comprehend the components of your Microsoft E5 license, including features like Purview Data Loss Prevention, Microsoft Defender for Endpoint and Purview Insider Risk Management. What do you have? What requires additional investment? 

2. Evaluate Your Current Stack: Assess your current security tools and identify your organization's must-have security requirements. Compare these with the features offered by the E5 license and Purview to identify overlaps or gaps.

3. Identify Opportunities: Consider which tools can be replaced by Purview, which should stay as-is, and identify which tools need to be brought in to supplement Purview and improve your security posture. You should be seeking a balance between optimal security coverage and cost efficiency.

4. Define Your Security Outcomes: Develop a roadmap tailored to your specific security goals, such as enhanced data protection, flagging risky behavior, and tracking, tracing and controlling data. Factor in the cost and time of the transition from existing security tools.

Better Together - Amplifying Microsoft Security with the Reveal Platform from Next DLP

So you have Purview but have identified some of the gaps. How do you build the business case for a specialized insider risk and data protection platform?  Consider the Reveal Platform by Next DLP, a powerful enhancement to Microsoft Purview. The Reveal Platform and Next DLP enhance Microsoft Purview in 5 key ways:

1. Protecting your data, wherever it is. 
2. Supporting advanced Data Loss Prevention (DLP) and Insider Risk Management (IRM) use cases.  
3. Delivering instant value and insights with policy-free visibility.  
4. A single console view into Data Loss Prevention (DLP) and Insider Risk Management (IRM).
5. An innovative and fast-moving R&D team plus world-class customer experience. 

Protecting your data, wherever it is. 

Let me ask you, “What organization has only Microsoft applications, native Microsoft file types, and nothing else?” That would mean no CAD, no PKG, no PSD, no Apache, no Slack, no Salesforce, no Pages, and no source code. I don’t think such an organization exists. In an era where data security and privacy are paramount, Reveal offers a comprehensive suite of features that safeguard your data, regardless of location. It supports a wide array of data types, seamlessly integrates with third-party and SaaS applications, and accommodates data stored in cloud, hybrid cloud, and on-premises environments without requiring expensive discovery and classification projects. 

Supporting advanced Data Loss Prevention and Insider Risk Management use cases. 

Purview does well with table-stakes data protection use cases and scenarios: for example, a user attempting to send email via Outlook while connected to the network or blocking patient info from being shared in a Teams channel. Reveal takes DLP and IRM to the next level, utilizing Machine Learning on endpoints to establish a baseline "normal" data behavior and swiftly identifying deviations from this norm. Furthermore, Reveal ensures secure data flow by tracking, tracing, and, when necessary, controlling data movement within your ecosystem, guaranteeing robust protection. 

Delivering instant value and insights with policy-free visibility.  

We all know that subpar data classification undermines DLP policies and that misconfigured policies can impede business users from getting their work done. This is one of the reasons why DLP has such a bad reputation. Microsoft DLP requires discovery, labeling and classification to enable successful policy creation. As mentioned earlier, customers need to go all-in on Microsoft, which creates a dependence on Azure Information Protection (f.k.a. MIP) as the sole source of determining sensitivity. Labeling and classifying can take years, leading to accuracy issues. Finally, once that policy is written, unfortunately, it is not shared across the rest of the Purview collection. 

As Reveal doesn’t require discovery or classification, it provides immediate visibility into data movement and real-time inspection. Reveal customers derive value from the platform within the first week. Additionally, the Reveal platform can easily import Microsoft Purview Information Protection sensitivity labels, which enables data protection policies to be defined to detect and control the flow of labelled files and emails. Crucially, those labels can be combined with content aware policies and enforced across Windows, MacOS and Linux desktops.

A single console view into IRM and DLP.

As Purview is a collection of applications, customers report needing five or six different consoles and a significant investment in training its people to run it. Visibility into all sensitive data events requires multiple applications, agents, and consoles. The alerts must then be manually aggregated and reviewed or sent to another solution, e.g., Power BI, for analysis. We all know that DLP alerts can be noisy and difficult to act on. When the time to respond is essential, every added step, process, or tool contributes to alert fatigue, reduces effectiveness, and increases risk. 

What sets Reveal apart is its ability to provide instant value and insights, all without the need for complex policies. It offers a unified console view that gives you complete and contextual visibility into IRM and DLP events, empowering you with the knowledge you need to make informed decisions regarding your sensitive data. Reveal consolidates all IRM and DLP events, giving analysts the insights to see “who did what with what data” and the context around the actions. 

An innovative and fast-moving R&D team plus world-class customer experience. 

Anyone who has ever dealt with Microsoft Support knows how difficult it is to work with them to resolve issues or implement new features. With an innovative and agile R&D team at its core and a commitment to delivering world-class customer experiences, Next DLP takes your satisfaction seriously. In fact, 96.8% of Next DLP customers have expressed high satisfaction in surveys, with a remarkable net retention rate of 134%. This demonstrates not only the effectiveness of the Reveal Platform but also the growing trust and expansion of its user base.

Beyond built-in capabilities, Reveal’s API integrations with Splunk, MIP, LDAP, and SaaS apps and alignment with MITRE ATT&CK framework and MITRE Insider Threat knowledge base significantly strengthens a security ecosystem's detection and response capabilities.

Conclusion

Maximizing the value of your Microsoft E5 license and Purview requires a strategic, well-informed approach. It involves more than adopting new technology or embracing an aggressively discounted license that finance teams adore; it's about reshaping your security strategy, leveraging Microsoft's capabilities, quantifying the total cost of ownership, understanding your gaps, and aligning them with your organization's goals and security needs.

For more reading on this topic:

• Gigaom: Is there a case for Microsoft as your only enterprise security partner?
• Forrester: The CISO’s Guide To Microsoft Investments
• Federal Business Council: Comparing Varonis and Microsoft 365 Security & Compliance Offerings
• Avertium: What does the Microsoft E5 license mean for your cybersecurity?
• Crowdstrike: Why customers choose CrowdStrike vs. Microsoft
• CRN: Microsoft’s ‘Failures’ Put Everyone At Risk
• CPO Magazine: Licensing or Lock-In? Evaluating Microsoft’s ‘New’ Approach to Cloud Competition
• Gartner: How Should Executive Leaders Respond to Cloud Vendor Lock-In Concerns?