TRANSCRIPT
INDUSTRY METRICS: IMPROVING THE PERCEPTION OF LAW FIRMS
Kenny Leckie, Sr. Technology & Change Management Consultant, Traveling Coaches
Jeff Franchetti, Chief Information Officer, Cravath, Swaine & Moore LLP
Alex Eames, Manager of Enterprise Architecture, Cravath, Swaine & Moore LLP
Moderator: Frank Gillman, CISO, Lewis Brisbois
A CALL TO ACTION
ABA Journal September 2017
Legal industry ranks high in cybersecurity, report says
Key takeaways:
• The legal industry’s cybersecurity performance is in line with the top-performing finance industry, according to a leading cybersecurity rating company whose review covered 2,295 law firms of “all sizes and geographies”.
• “There’s this impression that the legal sector is behind everyone else. From a quantitative, measurable standpoint, we don’t see that’s true.”
• The legal industry’s performance is due to several factors, including increased attention on the industry’s cybersecurity, internal concern about data privacy, and clients demanding heightened security for their sensitive information.
HOW DO WE TELL THE REAL STORY?
11 CONTROLS
• Endpoint protection
• Disable copy, paste, download
• Block sites
• Device encryption
• Secure data transmission (TLS, SFTP)
• Monitoring
• 2-factor authentication
• Log aggregation
• Incident plan
• Patch management
• Penetration testing
FOUR AREAS OF ENGAGEMENT
• Security Framework: ILTA LegalSEC, ISO-27001
• Threat Intelligence: LS-ISAO
• Vendor Risk Management: Legal Vendor Network (Prevalent)
• Security Metrics: Cyber Metrics (BitSight), Cybersecurity Ratings
Themes
i. Cyber maturity and defense
ii. Client requirements
iii. Use to interact with senior management and external parties
SECURITY FRAMEWORKS
• International accreditation for information protection and security.
• Aligns security practices and methodologies with modern standards.
ISO 27001 control domains (Annex A):
• Information Security Policies
• Organization of Information Security
• Human Resources Security
• Asset Management
• Access Control
• Cryptography
• Physical and Environmental Security
• Operations Security
• Communications Security
• System Acquisition, Development & Maintenance
• Supplier Relationships
• Incident Management
• Business Continuity Management
• Compliance
Internal & External: $5k-$10k per year
DEMYSTIFY
ISO Myth #1: It’s just a bunch of documents
ISO Myth #2: It is something we have to do, but it doesn’t actually add value
ISO Myth #3: It requires a huge investment in technology
ISO Myth #4: It is only applicable to “big law”
ISO Myth #5: It is just an “I.T.” thing
ISO Myth #6: It is a waste of time because NIST is coming
ISO Myth #7: I’m a legal vendor. This doesn’t apply to me
ISO Myth #8: It will take years
ISO Myth #9: Clients don’t care about certification
ISO 27001 CERTIFIED LAW FIRMS
# | Law firm - ISO certified | Law firm - working on | Vendor
1 | Addleshaw Goddard | Alston & Bird | BigHand
2 | Akerman | Aquipt | Fronteo
3 | Akin Gump Strauss Hauer & Feld | Arnold & Porter | Intelliteach
4 | Allen & Overy | Ashurst | NetDocuments
5 | Ballard Spahr | Baker & McKenzie | Phoenix Business Solutions
6 | Bennett Jones | Baker Botts | Pivot Point Security
7 | Berwin Leighton Paisner | Baker Donelson | RAVN Systems
8 | Bevan Brittan | Bryan Cave | Ricoh Canada, Inc. - Legal
9 | Bird & Bird | BuckleySandler | Ricoh Forensics
10 | Blank Rome | Cahill Gordon & Reindel | Tikit
11 | Bond Dickinson | Chadbourne & Parke |
12 | Brodies LLP | Chapman and Cutler |
13 | Cadwalader, Wickersham & Taft | Cleary Gottlieb Steen & Hamilton |
14 | Carlton Fields Jorden Burt | Conyers Dill & Pearman |
15 | Clifford Chance | Corrs Chambers Westgarth |
16 | Cooley | Covington |
17 | Cravath, Swaine & Moore | Davis Wright Tremaine |
18 | Davis Polk & Wardwell | Day Pitney |
19 | Debevoise & Plimpton | Duane Morris |
20 | Dechert | Epstein Becker & Green |
21 | Dickinson Wright | Fasken Martineau DuMoulin |
22 | DLA Piper | Foley & Lardner |
23 | Dorsey & Whitney | Fragomen |
24 | Drinker Biddle | Frost Brown Todd |
25 | Ellis & Winters | Gibbons PC |
26 | Eversheds | Gilbert LLP |
27 | Faegre Baker Daniels | Gray Robinson |
28 | Fenwick & West | Hillis Clark Martin & Peterson |
29 | Freshfields Bruckhaus Deringer | Holland & Knight |
30 | Fried, Frank, Harris, Shriver & Jacobson | Hughes Hubbard |
31 | Goodwin Procter | Hunton & Williams |
32 | Greenberg Traurig | Jaffe Law |
33 | Hickey Smith | Jones Day |
34 | Hogan Lovells | Kane Kessler, P.C. |
35 | Irwin Mitchell | Karr Tuttle Campbell |
36 | Irell & Manella | King & Spalding |
37 | K&L Gates | Kramer Levin |
38 | Katten Muchin Rosenman | Lerch, Early & Brewer, Chtd |
39 | Kelley Drye & Warren | Marshall Gerstein |
40 | Kirkland & Ellis | Marval, O'Farrell & Mairal |
41 | Linklaters | Mattos Filho Advogados |
42 | Loeb & Loeb | McDermott Will & Emery |
43 | Milbank, Tweed, Hadley & McCloy | McGuireWoods |
44 | Mintz, Levin, Cohn, Ferris, Glovsky and Popeo | Miller & Chevalier |
45 | Morgan Lewis | MinterEllison |
46 | Nixon Peabody | Morrison & Foerster |
47 | Norton Rose Fulbright | Munger, Tolles & Olson |
48 | O’Melveny | Munsch Hardt Kopf & Harr |
49 | Orrick, Herrington & Sutcliffe | Nelson Mullins |
50 | Paul, Weiss, Rifkind, Wharton & Garrison | Nyemaster Goode, P.C. |
51 | Pinsent Masons | Perkins Coie |
52 | Polsinelli | Pryor Cashman |
53 | Proskauer | Quinn Emanuel Urquhart & Sullivan |
54 | Reed Smith | Saul Ewing |
55 | Ropes & Gray | Schulte Roth |
56 | Shearman & Sterling | Seyfarth Shaw |
57 | Shook, Hardy & Bacon | Sheppard Mullin |
58 | Sidley Austin | Slaughter & May |
59 | Simpson Thacher & Bartlett | Snell & Wilmer |
60 | Skadden, Arps, Slate, Meagher & Flom | Squire Patton Boggs (US) |
61 | Sullivan & Cromwell | Stoel Rives |
62 | Troutman Sanders | Stradling |
63 | Vinson & Elkins | Stroock & Stroock & Lavan |
64 | Weil, Gotshal & Manges | Susman Godfrey |
65 | White & Case | Taft Stettinius & Hollister |
66 | Wiley Rein LLP | Venable |
67 | Williams & Connolly | von Briesen & Roper, s.c. |
68 | Willkie Farr & Gallagher | Wachtell Lipton |
69 | Wilmer Hale | Waller Lansden Dortch & Davis |
70 | Winston & Strawn | Womble Carlyle Sandridge & Rice |
THREAT INTELLIGENCE
Legal Services Information Sharing and Analysis Organization (LS-ISAO)
Law firm resource for global cyber and physical intelligence dedicated to securing critical infrastructure against threats and attacks through intelligence sharing.
DEMYSTIFY
Membership tiers (by firm revenue):
Benefit | Bronze Tier (<$75M) | Silver Tier ($75M - $300M) | Gold Tier ($301M - $700M) | Platinum Tier (>$700M)
Membership pricing (annual) | $1,000 | $12,000 | $15,000 | $17,000
Email alerts | | | |
Community portal | 1 user login | 3 user logins | 4 user logins | 5 user logins
Threat Intelligence Platform (TIP) | | ✓ | ✓ | ✓
Knowledge base and member directory | | ✓ | ✓ | ✓
Portal mobile application | | ✓ | ✓ | ✓
Monthly report | ✓ | ✓ | ✓ | ✓
Monthly member call | ✓ | ✓ | ✓ | ✓
Passes to LS-ISAO annual gathering | 0 | 1 | 2 | 3
VENDOR RISK MANAGEMENT
• The Legal Vendor Network™ (LVN) is a membership-based program designed
specifically for law firms to assess and monitor third-party vendors for security
and data risk.
• Members gain access to a vendor repository where they can initiate and track
third party risk assessments, view vendor information, and populate vendor
information into the vendor repository.
• The LVN currently has over 200 law firm vendors participating in the network.
DEMYSTIFY
CYBERSECURITY RATINGS
➢ Cybersecurity “rating” service akin to a credit score
➢ Ability to proactively quantify and mitigate risk through continuous rating and alerts
➢ Data is gathered by cybersecurity rating companies through publicly available sources, subscription services and proprietary mechanisms
USING CYBERSECURITY RATINGS
bitsighttech.com
Range: 500 - 810
IMPORTANCE FOR LAW FIRMS
• Clients may be looking at your reports
– BitSight shows “Searched by” count
• Periodic penetration tests have limitations
– Point in time, narrowly focused, and no console
• Vendor risk management
• Industry reputation
CONSIDERATIONS, SKEPTICISM
• Cost
• “They built a service and expose this information, now I have to buy it”
• Great score doesn’t mean a company is secure
• Score or data credibility
ADOPTION
Why hasn’t everyone joined?
– Lack of recognition of risks
– Lack of understanding of benefits
– Other priorities?
– Philosophical disagreement?
– Cost?
ISO 27001 CERTIFIED (ISO)
THREAT INTELLIGENCE & SHARING NETWORK (LS-ISAO)
VENDOR RISK MANAGEMENT: LEGAL VENDOR NETWORK (LVN)
CYBERSECURITY RATINGS: “740+ CLUB”
BITSIGHT DEEP DIVE
• Do cybersecurity risk ratings actually matter?
• How are the Am Law 200 firms doing?
• Do these services really help?
• Top complaints and criticisms
BITSIGHT DATA ANALYSIS
www.bitsighttech.com
Chart: likelihood of suffering a data breach by BitSight rating band, relative to organizations rated >700*
<400: 5x | 400-500: 4x | 500-600: 3x | 600-700: 2x | >700: baseline
• If 50% of your computers run outdated Operating System versions: 3x**
• If your Botnet Grade is B or lower, or the File Sharing grade is B or lower, or the Open Ports grade is F: 2x***
BitSight provides a measurable range of risk, and is the only ratings solution with a third party verified correlation to breaches.
* AIR Worldwide reviewed and approved our data and analyses
** A Growing Risk Ignored: Critical Updates
*** Beware the Botnets: Botnets correlated to a higher Likelihood of a Significant Breach
VENDOR RISK MANAGEMENT
• Ratings are becoming standard practice for VRM and cyber insurance
• What if clients raise this with your firm’s management directly?
• Consider ratings data for your own VRM process. You may be surprised by what you learn...
AMLAW 200 RATINGS
[Redacted image]
REAL LIFE BENEFITS
• Continuous “lite” penetration test
• Audit your external footprint
• Catch mistakes and technical problems
– External web servers, SPF/DKIM
• Real example: the DNS record for DKIM broke
– Affected DMARC disposition for outgoing email for 2 weeks
[Images: broken record vs. normal DKIM record]
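The broken-DKIM-record story above is the kind of mistake an external-footprint check catches in hours instead of two weeks. The following is an added example, not code from the presentation or from any rating vendor: offline syntax checks for a DKIM key record and a DMARC policy record, plus the disposition a receiver applies when DKIM fails and SPF does not cover the sending path. The domain, selector, key bytes and addresses are constructed placeholders; a real audit would fetch the TXT records first (for instance with dnspython) and then feed them to these functions.

```python
"""Added example (not from the presentation): offline sanity checks for the
DKIM key record and DMARC policy record a firm publishes, the kind of check an
external-footprint audit runs so a broken record is noticed in hours rather
than two weeks later. All records below are constructed samples; the domain,
selector and key bytes are placeholders, not any firm's real DNS data."""
import base64
import binascii
from typing import Dict, List

DMARC_POLICIES = {"none", "quarantine", "reject"}
# A 1024-bit RSA SubjectPublicKeyInfo is about 162 bytes of DER; anything well
# below that cannot be a complete RSA key and usually means a truncated record.
MIN_KEY_BYTES = 140


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' TXT record into an insertion-ordered dict.
    A fragment without '=' is what a mis-concatenated record looks like."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag fragment: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def check_dkim(record: str) -> List[str]:
    """Return the problems found in a DKIM key record (RFC 6376); [] means OK."""
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= tag present but not DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unsupported key type k={tags['k']}")
    pub = tags.get("p")
    if pub is None:
        problems.append("missing p= tag")
    elif pub == "":
        problems.append("p= is empty: key is revoked, all signatures will fail")
    else:
        try:
            # validate=True rejects spaces, so TXT strings glued together with
            # a space (a common tooling mistake) are reported, not decoded.
            key = base64.b64decode(pub, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64: record truncated or split")
        else:
            if len(key) < MIN_KEY_BYTES:
                problems.append(
                    f"public key too short ({len(key)} bytes): record likely truncated")
    return problems


def check_dmarc(record: str) -> List[str]:
    """Return the problems found in a DMARC record (RFC 7489); [] means OK."""
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    if next(iter(tags), None) != "v" or tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in DMARC_POLICIES:
        problems.append(f"invalid or missing p= policy: {tags.get('p')!r}")
    if "sp" in tags and tags["sp"] not in DMARC_POLICIES:
        problems.append(f"invalid sp= subdomain policy: {tags['sp']!r}")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("no rua=mailto: address: aggregate reports will not arrive, so breakage stays invisible")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append(f"pct= must be 0-100, got {pct!r}")
    return problems


def dmarc_disposition(tags: Dict[str, str], dkim_aligned_pass: bool, spf_aligned_pass: bool) -> str:
    """What a receiver does with one message: DMARC passes if either aligned
    check passes (RFC 7489 section 6.6.2); otherwise the published p= applies.
    pct= sampling is ignored here so the result is deterministic."""
    if dkim_aligned_pass or spf_aligned_pass:
        return "deliver"
    return tags.get("p", "none")


def audit(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Check each name -> TXT record pair; returns only the names with findings."""
    findings: Dict[str, List[str]] = {}
    for name, record in records.items():
        problems = check_dmarc(record) if name.startswith("_dmarc.") else check_dkim(record)
        if problems:
            findings[name] = problems
    return findings


# Constructed samples. The "key" is filler bytes of a realistic size, not a real key.
_KEY_B64 = base64.b64encode(b"\x30" * 162).decode()                        # 216 chars
GOOD_DKIM = "v=DKIM1; k=rsa; p=" + _KEY_B64
TRUNCATED_DKIM = "v=DKIM1; k=rsa; p=" + _KEY_B64[:120]                      # last TXT chunk lost
SPLIT_DKIM = "v=DKIM1; k=rsa; p=" + _KEY_B64[:100] + " " + _KEY_B64[100:]  # chunks glued with a space
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"
WEAK_DMARC = "p=none; v=DMARC1"

if __name__ == "__main__":
    sample = {"sel1._domainkey.example.com": TRUNCATED_DKIM, "_dmarc.example.com": GOOD_DMARC}
    for name, problems in audit(sample).items():
        print(name, "->", "; ".join(problems))
    # With DKIM broken and SPF not covering the sending path, mail hits p=reject:
    print("disposition:", dmarc_disposition(parse_tags(GOOD_DMARC), False, False))
```

Two of the constructed failures mirror what a broken record looks like in practice: a key that decodes but is far too short (a TXT string chunk dropped) and a key that no longer decodes at all (chunks joined with a space). With p=reject published and no aligned SPF pass, every message signed with that selector is rejected, which is exactly the two-week outage the slide describes; the rua= check matters because without aggregate reports nobody is told.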
THE OTHER SIDE
• How dare they!
– Objective, independent ratings are necessary
– Costs associated with gathering and analyzing ratings data
– Same concept as credit scores
• The data is false!
– Then fix it...
– Special topic: Guest networks
GUEST NETWORKS
Old IP ranges still assigned to us (CIDR) caused this:
• Historical approach:
– Segmented network, authentication required & HTTP filtering
• Leaves a hole though:
– Malware & malicious sites are using HTTPS more (an HTTP proxy filter sees only plaintext URLs, so HTTPS traffic from infected guest devices leaves the firm’s IP space unfiltered and is attributed to the firm)
– Poor cyber ratings are a consequence, not a “flaw”
• New approach needed:
– Web filtering based on DNS (and possibly HTTPS for managed devices)
– Better authentication and logging to identify problematic devices
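As an added example of the DNS-based approach on this slide (not code from the presentation or from any product): a filtering resolver decision by DNS suffix, which works regardless of whether the connection would have been HTTP or HTTPS, joined to guest-portal logins so a blocked query is traced to a device and user. The blocklist, login records, resolver log, addresses and user names are all constructed placeholders.

```python
"""Added example (not from the presentation): a DNS-layer filter for a guest
network with enough logging to name the device behind a blocked query. The
blocklist, guest-portal logins and resolver log below are constructed samples,
and the addresses and user names are placeholders."""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed blocklist: zones a threat feed would supply. Matched by DNS
# suffix, so any host under a listed zone is blocked whatever scheme it uses.
BLOCKLIST = {"malware-c2.example", "phish-login.example"}
SINKHOLE_IP = "10.255.255.1"   # placeholder sinkhole address

# Constructed guest-portal authentications: (login time, client IP, MAC, user).
AUTH_LOG: List[Tuple[str, str, str, str]] = [
    ("2017-09-12T09:58:00", "10.50.1.23", "aa:bb:cc:00:00:23", "jdoe"),
    ("2017-09-12T10:00:30", "10.50.1.77", "aa:bb:cc:00:00:77", "visitor-12"),
    # 10.50.1.99 never authenticated: the case the slide's "better
    # authentication and logging" point is about.
]

# Constructed resolver query log: "<time> <client ip> <qname> <qtype>".
QUERY_LOG = """\
2017-09-12T10:01:05 10.50.1.23 www.law-firm.example A
2017-09-12T10:01:09 10.50.1.23 cdn.malware-c2.example A
2017-09-12T10:02:41 10.50.1.77 phish-login.example. AAAA
2017-09-12T10:03:00 10.50.1.99 update.vendor.example A
2017-09-12T10:03:02 10.50.1.99 beacon.malware-c2.example A
"""


def blocked_zone(qname: str) -> Optional[str]:
    """Return the blocklist zone covering qname, walking from the full name up
    towards the TLD; None when the name is clean."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in BLOCKLIST:
            return zone
    return None


def resolver_response(qname: str) -> str:
    """What the filtering resolver answers: the sinkhole for a blocked name, so
    the HTTP or HTTPS session never reaches the real host; 'resolve' otherwise."""
    return SINKHOLE_IP if blocked_zone(qname) else "resolve"


def user_for(client_ip: str, when: datetime) -> Optional[Tuple[str, str]]:
    """Most recent guest-portal login for this IP at or before the query time,
    returned as (mac, user); None if the client never authenticated."""
    best = None
    for ts, ip, mac, user in AUTH_LOG:
        login = datetime.fromisoformat(ts)
        if ip == client_ip and login <= when and (best is None or login > best[0]):
            best = (login, mac, user)
    return None if best is None else (best[1], best[2])


def find_problem_devices(query_log: str) -> Dict[str, dict]:
    """Join blocked queries to the device/user that made them. Unauthenticated
    clients are reported too, with user None, because they are the gap."""
    report: Dict[str, dict] = {}
    for line in query_log.splitlines():
        ts, client_ip, qname, _qtype = line.split()
        if blocked_zone(qname) is None:
            continue
        entry = report.setdefault(client_ip, {"user": None, "mac": None, "blocked": []})
        ident = user_for(client_ip, datetime.fromisoformat(ts))
        if ident:
            entry["mac"], entry["user"] = ident
        entry["blocked"].append(qname.rstrip("."))
    return report


if __name__ == "__main__":
    for ip, info in find_problem_devices(QUERY_LOG).items():
        who = info["user"] or "UNAUTHENTICATED"
        print(f"{ip} ({who}, {info['mac']}): {', '.join(info['blocked'])}")
```

The suffix walk is what makes the filter scheme-independent: the decision happens before any TCP connection, so an HTTPS beacon to a host under a blocked zone is sinkholed just like an HTTP one. The third client in the sample log shows why the slide pairs DNS filtering with authentication: its query is still blocked, but without a portal login there is no one to attribute it to.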
MOVING FORWARD … A CULTURE OF SECURITY AWARENESS IS KEY
HOW DO WE MOVE FORWARD
• Share your success and innovation
• Upper management support
• Use your metrics for good
– Big picture: use marketing
– Professional development: educate your lawyers
– Internal: educate ALL
• USE your biggest marketing weapon … your people!