I had the pleasure of attending LegalSEC 2017 this year. While the conference was a great experience overall, it left room for more discussion of solutions to the security problems we are all facing.
The keynote address aimed to leave no doubt that law firms are under attack. They are a treasure trove of confidential information that an attacker can quickly monetize. Today, attackers fall into two main buckets: advanced persistent threats (APTs) and opportunistic attackers. Opportunistic attackers are just looking to make a few dollars and don’t care about a firm’s data. These are the attacks we consistently hear about in the news (think WannaCry). APT attackers pose the greater risk to firms, as they can cause far more reputational damage than an opportunistic attacker.
The keynote address underscored that security is never finished. Continuous security monitoring and improvement in detective measures are critical for success. Having properly trained personnel on staff can greatly enhance a firm’s understanding of all the pieces that encompass information security. When properly done, information security programs will provide actionable metrics to a business that illustrate the return on investment in security initiatives.
There are many areas that law firms can incrementally improve without having to spend a lot, such as training users on not sending “high risk” data, e.g., social security numbers and passwords. To succeed, a security program should have a top-down approach, which requires the involvement of firm leadership.
As an ethical hacker at Kraft Kennedy, I was interested in some of the talks about penetration testing and red teaming. They gave a solid overview of these areas but lacked defensive answers to the problems that were posed. Everyone talked about “lateral movement” inside a network, but there were no solutions to stop this type of movement. I think many attendees would have wanted to know if it would be possible to prevent or detect the specific attacker tricks that were under discussion.
Of all of the talks I attended, I found one of the data loss prevention (DLP) discussions to be the most valuable. Law firms deal with confidential information constantly, which makes the DLP problem difficult to address. The first step to DLP is understanding the highest risk data within the firm and ensuring you know where that data is located and how it is handled, so it can be properly monitored. I have dealt with many firms that have countless user file shares that end up storing high risk data in an unmanaged format. One of the panelists had an interesting perspective on ensuring that all client data stays in the DMS, which is simply to not allow it to go anywhere else. While users are presented with a “share,” it is actually back-ended by the DMS. It took the firm some time to get to this point, but it sounded like a very simple solution to a large problem.
The other challenge of DLP is that it needs an iterative and holistic approach. Data loss can happen in a variety of ways; consider USB drives, personal cloud backups, and personal/corporate email. A typical DLP rollout can take 6-12 months to complete and should be rolled out in a methodical manner, most notably starting in an “audit” mode that collects data on items that would have been blocked before any blocking is turned on.
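To make the rollout sequence concrete (locate high risk data on unmanaged shares, then run the policy in audit mode before enforcing), here is a small added example; it is not code from the conference, from Kraft Kennedy, or from any DLP product. The share contents, file paths, detection patterns and channel list are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of documents as they might sit on an unmanaged user share
# (the SSN and password are fabricated placeholders).
SAMPLE_SHARE = {
    "//fs01/users/jdoe/intake_notes.txt": "Client SSN 123-45-6789; retainer received.",
    "//fs01/users/jdoe/agenda.txt": "Review motion to dismiss, schedule status call.",
    "//fs01/users/asmith/setup.txt": "vpn password: Summer2017!",
}

# Detection patterns for the "high risk" data classes the post names: SSNs and passwords.
HIGH_RISK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "password": re.compile(r"(?i)\bpassword\s*[:=]\s*\S+"),
}

# Egress channels mentioned in the post, and whether the firm sanctions them (assumed policy).
SANCTIONED_CHANNELS = {"dms": True, "corporate_email": True,
                       "usb": False, "personal_cloud": False, "personal_email": False}

def classify(content):
    """Return the set of high-risk data classes found in one document."""
    return {name for name, rx in HIGH_RISK_PATTERNS.items() if rx.search(content)}

def inventory(files):
    """Step one: locate high-risk data. Maps each path to its data classes, skipping clean files."""
    result = {}
    for path, text in files.items():
        classes = classify(text)
        if classes:
            result[path] = classes
    return result

def decide(path, channel, files, mode="audit"):
    """Policy decision for moving a file over a channel.
    Clean files and sanctioned channels are allowed. An unsanctioned channel yields 'audit'
    (logged as would-have-been-blocked) until the rollout switches to 'enforce', then 'block'."""
    if not classify(files.get(path, "")) or SANCTIONED_CHANNELS.get(channel, False):
        return "allow"
    return "block" if mode == "enforce" else "audit"

def audit_report(files, events, mode="audit"):
    """Tally decisions over (path, channel) events; in audit mode the counts show the firm
    exactly what enforcement would have blocked before any user is affected."""
    return Counter(decide(path, channel, files, mode) for path, channel in events)
```

Running the same event list in both modes shows the audit tally turning one-for-one into block decisions, which is the evidence a firm wants before flipping the switch.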
All in all, I thought there were some good topics covered during the conference, but I found myself wanting more technical details. I think deeper technical discussions on security topics would be a great addition to this conference.