ProArch Blogs

What Should Your Data Security Tools Actually Do?

Written by ProArch | Jul 24, 2023 3:37:40 PM

Organizations are creating and managing an overwhelming amount of data, and that volume has grown exponentially in recent years. Beyond managing it, organizations must keep data control and management top of mind. Safeguarding data is essential to satisfying privacy and compliance regulations, not to mention protecting their reputations.

For these reasons, leaders must balance the data accessibility that helps them drive business growth against keeping only the data that they need, all while making sure that it is secure.

Of the several data loss prevention (DLP) tools on the market, two stand out:

  • Microsoft Purview
  • Symantec by Broadcom

Each system has its strengths and weaknesses. In this blog, we’ll explore what each can do, the differences between them, how to set yourself up for success, and how you can make a decision about which is the right choice for your organization.

 

Microsoft Purview vs. Symantec by Broadcom

Microsoft Purview and Symantec by Broadcom Software are two prominent DLP solutions that provide powerful data governance and cybersecurity capabilities. Here’s a breakdown of each solution’s strengths, requirements, and costs.

 

Microsoft Purview

Great for organizations of less than 7,500 people that are using Microsoft 365

  • Designed for occasional administrative use
  • Targets mainly Microsoft file formats and Microsoft 365
  • Does not include proxy coverage
  • Involves basic reporting
  • Can be labor-intensive to use
  • Is cost-effective, especially for smaller organizations
  • User interface and functionality that change often

Requirements: Microsoft 365 E5 is required for DLP with EDM and auto-applied sensitivity labels. Microsoft E3 or E5 can be used to include sensitivity labels.

Cost: $55/user/month for E5

Broadcom

Great for organizations of more than 5,000 people

  • Designed to be used daily by an incident response team
  • Protects data in many formats and platforms (Google Cloud, AWS, Azure, custom, etc.)
  • Is scalable to hundreds of thousands of users for cloud, endpoint, and on-premises infrastructure
  • Offers robust detection capabilities, including exact data matching (EDM) that can detect records using only a name
  • Fast updates

Cost: $75/user/year for DLP Core, plus hardware and staff to operate it

 

 

Where to Find Your Data

Before any data protection tool and process is put in place, executives, IT, and business units must agree on a data classification and acceptable use policy. These will serve as the written foundation any tool will seek to automate. After all, a DLP’s purpose is to change people’s behavior and lower the overall organizational risk of data loss.

The first step in building a great data protection program is to identify the sensitive data that needs to be protected. That includes the location, format, and content itself. Here’s where you can find your data within Microsoft Purview or Symantec.

 

Data at Rest (DAR)

Data at rest is information that is not being accessed, used, or moved from device to device or network to network. This could include any data stored on a hard drive, laptop, or flash drive or archived in another way.

Microsoft Purview and Broadcom each offer different levels for viewing and knowing your data:

 
Microsoft Purview (E5)

Broadcom:

Can see everything on the left, plus the following:
Network servers (CIFS, SMB), on-premises Linux shares (NFS, SSHFS)

On-premises SQL Server and SharePoint

SQL databases (Oracle, MySQL, etc.)
SharePoint Online/OneDrive

Cloud storage scanned by API (Securlets): GCP Suite, AWS, Azure, Box, Salesforce, ServiceNow

Teams chat and channel messages

Local storage of machines with the Endpoint DLP agent running

 

Data In Motion (DIM)

Data in motion—also known as data in transit—is data that is actively moving from one location to another. For example, it could be traveling from network to network or to a cloud storage device. This data is often considered less secure than data at rest. 

Here’s how Microsoft Purview and Broadcom provide extra data protection for data in motion:

 
| Microsoft Purview (E5) | Broadcom |
|---|---|
| Purview DLP on Exchange Online | Email security through the cloud or through Email Prevent for on-premises infrastructure |
| Protected at the endpoint but not at the network level | Web Security Service or ProxySG |
| Web traffic to specific destinations (Microsoft Defender for Cloud Apps) | CloudSOC gatelets |
| Power BI | |

 

 

Endpoint DLP

Endpoint DLP extends the monitoring and protection capabilities of DLP to sensitive items that are physically stored on devices. Here are the features provided by Microsoft in comparison to Broadcom:

 
| Microsoft Purview (E5) | Broadcom |
|---|---|
| Same agent acting for network protection and DLP | Different agents acting for network protection and DLP |
| Windows 10/11, Server, and MacOS | Windows 10/11, Server, MacOS, and Linux |
| | Scan local drive(s) on Windows, Mac, and Linux |

 

Locations on the Endpoint for Inspection and Action

DLP systems can also enable you to audit and manage user activities on sensitive endpoint items. Here’s how these two systems compare when it comes to endpoint monitoring:

 

| Activity | Windows 10/11 | macOS (3-4 latest) |
|---|---|---|
| Upload to cloud service or access by Edge, Chrome*, and Firefox* | Supported | Supported |
| Upload to cloud service, or access by Safari | Symantec only | Symantec only |
| Copy to another app | Supported | Supported |
| Copy to USB removable media | Supported | Supported |
| Copy to CD/DVD | Symantec only | Not supported |
| Copy to local drive | Symantec only | Not supported |
| Copy to a network share | Supported | Supported |
| Copy network share to local drive | Symantec only | Not supported |
| Print a document | Supported | Supported |
| Copy to a remote session | Supported | Not supported |
| Copy to a Bluetooth device | Supported | Supported (preview) |
| Create an item | Supported | Supported |
| Rename an item | Supported | Supported |
| Copy to clipboard | Supported | Supported |
| Access by unallowed apps | Supported | Supported |
| Location-based monitoring | Symantec only | Symantec only |
| Application file access | Supported | Supported |
| Cloud storage | Supported | Supported |
| Outlook | Supported | Supported |
| Lotus Notes | Symantec only | N/A |

 

Text Extraction for Viewable Files

Optical character recognition (OCR) allows you to extract text from images like posters, product labels, articles, reports, and more. Microsoft Purview and Broadcom support the following file types for text extraction, with Broadcom specifically supporting over 100 file types:

 
| Microsoft Purview (E5) | Broadcom |
|---|---|
| MS Access, Email, HTML, Excel, OneNote, PowerPoint, Project, Publisher, Visio, Word, Open Document, JSON, TXT, PDF, WordPerfect, and OCR supported images | Encapsulated files like Zip, Jar, Gzip, 7-Zip, Tar, cpio, PGP, Pkzip, Rar, SMTP document, and Winzip |
| No subfile extraction support | Offers subfile extraction, such as ZIP, RAR, and TAR (e.g., Zip within a Zip) |
| Supports Zip, 7-Zip, Tar, and Rar (1 level) | Can scan local drive(s) on Windows, Mac, and Linux |

 

Data Detection

On top of the capabilities we’ve already discussed, a DLP also offers data-detection features that make it easier to know the ins and outs of your data. When your organization knows what data you have and how it’s used, you can identify unauthorized access and protect data from misuse.  

 
| Microsoft Purview (E5) | Broadcom |
|---|---|
| Keywords, RegEx, sender, recipients | Encapsulated files like Zip, Jar, Gzip, 7-Zip, Tar, cpio, PGP, Pkzip, Rar, SMTP document, and Winzip; keywords, RegEx, sender, recipients, file properties |
| Sensitive Info Type (SIT) | Data Identifier |
| Exact Data Match (EDM) Classifier | Exact Match Data Identifier (EMDI) |
| Does not offer Exact Data Match (EDM) index | Exact Data Match (EDM) index |
| Trainable classifiers | Vector Machine Learning (VML) |
| Does not offer Indexed Document Match (IDM) | Indexed Document Match (IDM) |
| Fingerprint-based SIT | Form recognition |
| Pay-as-you-go Optical Character Recognition (OCR) | Optical Character Recognition (OCR) |
| Insider risk management user risk scores (not available in other areas) | User risk score |
| Does not offer custom file types and custom content extraction | Custom file types and custom content extraction |

 

 

How to Choose the Right DLP for Your Organization

Now that we’ve broken down the basic differences between Microsoft Purview and Symantec by Broadcom Software, we’re ready to discuss how to choose the right tool for your organization’s data security needs. Before you select the right tool, identify your primary goals, budget, and desired outcomes. Then you can make a well-informed decision. Here are two considerations to keep in mind.

 

OCR

First, we recommend considering your optical character recognition (OCR) needs. If your organization has many images that need to be inspected, this is a priority you’ll want to invest in. When it comes to OCR, Microsoft charges $1 per 1,000 items scanned. This means that stand-alone images (JPEG, JPG, PNG, BMP, or TIFF) each count as a single transaction. It also means that each page in a PDF file is charged separately. Because OCR is CPU-intensive and Purview is SaaS, this is not unreasonable.

In comparison, while Symantec does not have this incremental cost, they don’t provide the hardware either. If an organization has many faxes or other images to scan, this should be a consideration. However, its OCR is on its second iteration and is very reliable and accurate even when the image is skewed.

 

Policy Updates and Editing

Another thing to consider is how easy it is to edit a policy. For example, editing a policy is more difficult in Purview because it may stop saving midway due to name collisions of rules; on the other hand, in Symantec, names are just labels and not intrinsic to the structure of the policy.

Similarly, Symantec policies update within a few seconds (server) to a few minutes (endpoint), whereas Purview can take hours or days. This leaves the customer exposed longer and greatly expands policy tuning time. In Purview, an EDM can only be updated in the command line of a permitted workstation or VM five times per day as of July 2023. Prior to that, it was once every 12 hours.

Overall, if your organization can justify the cost of servers and the staff to operate them, then Broadcom is a great choice. However, Microsoft also offers a solid product that has gained in features and functionality over the last few years. Purview can work especially well for those already invested in the Microsoft cloud.

 

Relying on a DLP Partner

No matter the choice, implementing a reliable and measurable data protection program is vital to any organization. ProArch can guide your organization through data loss protection implementation and ongoing management.

Are you ready to dive into your data protection program with a top Microsoft partner that will go above and beyond for your organization? Learn more about ProArch today.