
Page 1

INDUSTRY METRICS: IMPROVING THE PERCEPTION OF LAW FIRMS

Kenny Leckie, Sr. Technology & Change Management Consultant, Traveling Coaches

Jeff Franchetti, Chief Information Officer, Cravath, Swaine & Moore LLP

Moderator: Frank Gillman, CISO, Lewis Brisbois

Alex Eames, Manager of Enterprise Architecture, Cravath, Swaine & Moore LLP

Page 2

A CALL TO ACTION

Page 3

Page 4

ABA Journal September 2017

Legal industry ranks high in cybersecurity, report says

Key takeaways:

• The legal industry’s cybersecurity performance is in line with the top-performing finance industry, according to a leading cybersecurity rating company. The review covered 2,295 law firms of “all sizes and geographies”.

• “There’s this impression that the legal sector is behind everyone else. From a quantitative, measurable standpoint, we don’t see that’s true.”

• The legal industry’s performance is due to several factors, including increased attention on the industry’s cybersecurity, internal concern about data privacy, and clients demanding heightened security for their sensitive information.

Page 5

HOW DO WE TELL THE REAL STORY?

Page 6

11 CONTROLS

• Endpoint Protection

• Disable Copy, Paste, D/L

• Block Sites

• Device Encryption

• Secure Data Transmission (TLS, SFTP)

• Email Monitoring

• 2 Factor Authentication

• Log Aggregation

• Incident Plan

• Patch Management

• Penetration Testing

Page 7

FOUR AREAS OF ENGAGEMENT

• Security Framework – ILTA LegalSEC, ISO-27001

• Threat Intelligence – LS-ISAO

• Vendor Risk Management – Legal Vendor Network (Prevalent)

• Security Metrics / Cybersecurity Ratings – Cyber Metrics (BitSight)

Themes

i. Cyber maturity and defense

ii. Client requirements

iii. Use to interact with senior management and external parties

Page 8

SECURITY FRAMEWORKS

• International accreditation for information protection and security.

• Aligns security practices and methodologies with modern standards.

Page 9

• Information Security Policies

• Organization of Information Security

• Human Resources Security

• Asset Management

• Access Control

• Cryptography

• Physical and Environmental

• Operations Security

• Communications Security

• System Acquisition, Dev & Maintenance

• Supplier Relationships

• Incident Management

• Business Continuity Mgt

• Compliance

Internal & External

$5k-$10k per year

DEMYSTIFY

Page 10

ISO Myth #1: It’s just a bunch of documents

ISO Myth #2: It is something we have to do, but it doesn’t actually add value

ISO Myth #3: It requires a huge investment in technology

ISO Myth #4: It is only applicable to “big law”

ISO Myth #5: It is just an “I.T.” thing

ISO Myth #6: It is a waste of time because NIST is coming

ISO Myth #7: I’m a legal vendor. This doesn’t apply to me

ISO Myth #8: It will take years

ISO Myth #9: Clients don’t care about certification

Page 11

ISO 27001 CERTIFIED LAW FIRMS

| # | ISO Certified Law Firm | Law Firm - Working On | Vendor |
|---|---|---|---|
| 1 | Addleshaw Goddard | Alston & Bird | BigHand |
| 2 | Akerman | Aquipt | Fronteo |
| 3 | Akin Gump Strauss Hauer & Feld | Arnold & Porter | Intelliteach |
| 4 | Allen & Overy | Ashurst | NetDocuments |
| 5 | Ballard Spahr | Baker & McKenzie | Phoenix Business Solutions |
| 6 | Bennett Jones | Baker Botts | Pivot Point Security |
| 7 | Berwin Leighton Paisner | Baker Donelson | RAVN Systems |
| 8 | Bevan Brittan | Bryan Cave | Ricoh Canada, Inc. - Legal |
| 9 | Bird & Bird | BuckleySandler | Ricoh Forensics |
| 10 | Blank Rome | Cahill Gordon & Reindel | Tikit |
| 11 | Bond Dickinson | Chadbourne & Parke | |
| 12 | Brodies LLP | Chapman and Cutler | |
| 13 | Cadwalader, Wickersham & Taft | Cleary Gottlieb Steen & Hamilton | |
| 14 | Carlton Fields Jorden Burt | Conyers Dill & Pearman | |
| 15 | Clifford Chance | Corrs Chambers Westgarth | |
| 16 | Cooley | Covington | |
| 17 | Cravath, Swaine & Moore | Davis Wright Tremaine | |
| 18 | Davis Polk & Wardwell | Day Pitney | |
| 19 | Debevoise & Plimpton | Duane Morris | |
| 20 | Dechert | Epstein Becker & Green | |
| 21 | Dickinson Wright | Fasken Martineau DuMoulin | |
| 22 | DLA Piper | Foley & Lardner | |
| 23 | Dorsey & Whitney | Fragomen | |
| 24 | Drinker Biddle | Frost Brown Todd | |
| 25 | Ellis & Winters | Gibbons PC | |
| 26 | Eversheds | Gilbert LLP | |
| 27 | Faegre Baker Daniels | Gray Robinson | |
| 28 | Fenwick & West | Hillis Clark Martin & Peterson | |
| 29 | Freshfields Bruckhaus Deringer | Holland & Knight | |
| 30 | Fried, Frank, Harris, Shriver & Jacobson | Hughes Hubbard | |
| 31 | Goodwin Procter | Hunton & Williams | |
| 32 | Greenberg Traurig | Jaffe Law | |
| 33 | Hickey Smith | Jones Day | |
| 34 | Hogan Lovells | Kane Kessler, P.C. | |
| 35 | Irwin Mitchell | Karr Tuttle Campbell | |
| 36 | Irell & Manella | King & Spalding | |
| 37 | K&L Gates | Kramer Levin | |
| 38 | Katten Muchin Rosenman | Lerch, Early & Brewer, Chtd | |
| 39 | Kelley Drye & Warren | Marshall Gerstein | |
| 40 | Kirkland & Ellis | Marval, O'Farrell & Mairal | |
| 41 | Linklaters | Mattos Filho Advogados | |
| 42 | Loeb & Loeb | McDermott Will & Emery | |
| 43 | Milbank, Tweed, Hadley & McCloy | McGuireWoods | |
| 44 | Mintz, Levin, Cohn, Ferris, Glovsky and Popeo | Miller & Chevalier | |
| 45 | Morgan Lewis | MinterEllison | |
| 46 | Nixon Peabody | Morrison & Foerster | |
| 47 | Norton Rose Fulbright | Munger, Tolles & Olson | |
| 48 | O’Melveny | Munsch Hardt Kopf & Harr | |
| 49 | Orrick, Herrington & Sutcliffe | Nelson Mullins | |
| 50 | Paul, Weiss, Rifkind, Wharton & Garrison | Nyemaster Goode, P.C. | |
| 51 | Pinsent Masons | Perkins Coie | |
| 52 | Polsinelli | Pryor Cashman | |
| 53 | Proskauer | Quinn Emanuel Urquhart & Sullivan | |
| 54 | Reed Smith | Saul Ewing | |
| 55 | Ropes & Gray | Schulte Roth | |
| 56 | Shearman & Sterling | Seyfarth Shaw | |
| 57 | Shook, Hardy & Bacon | Sheppard Mullin | |
| 58 | Sidley Austin | Slaughter & May | |
| 59 | Simpson Thacher & Bartlett | Snell & Wilmer | |
| 60 | Skadden, Arps, Slate, Meagher & Flom | Squire Patton Boggs (US) | |
| 61 | Sullivan & Cromwell | Stoel Rives | |
| 62 | Troutman Sanders | Stradling | |
| 63 | Vinson & Elkins | Stroock & Stroock & Lavan | |
| 64 | Weil, Gotshal & Manges | Susman Godfrey | |
| 65 | White & Case | Taft Stettinius & Hollister | |
| 66 | Wiley Rein LLP | Venable | |
| 67 | Williams & Connolly | von Briesen & Roper, s.c. | |
| 68 | Willkie Farr & Gallagher | Wachtell Lipton | |
| 69 | Wilmer Hale | Waller Lansden Dortch & Davis | |
| 70 | Winston & Strawn | Womble Carlyle Sandridge & Rice | |

Page 12

THREAT INTELLIGENCE

Legal Services Information Sharing and Analysis Organization (LS-ISAO)

Law firm resource for global cyber and physical intelligence dedicated to securing critical infrastructure against threats and attacks through intelligence sharing.

Page 13

DEMYSTIFY

Email Alerts

Page 14

| Benefit | Bronze Tier (<$75M in revenue) | Silver Tier ($75M - $300M) | Gold Tier ($301M - $700M) | Platinum Tier (>$700M) |
|---|---|---|---|---|
| Membership Pricing (annual) | $1,000 | $12,000 | $15,000 | $17,000 |
| Community Portal | 1 User Login | 3 User Logins | 4 User Logins | 5 User Logins |
| Threat Intelligence Platform (TIP) | | ✓ | ✓ | ✓ |
| Knowledge Base and Member Directory | | ✓ | ✓ | ✓ |
| Portal Mobile Application | | ✓ | ✓ | ✓ |
| Monthly Report | ✓ | ✓ | ✓ | ✓ |
| Monthly Member Call | ✓ | ✓ | ✓ | ✓ |
| Passes to LS-ISAO Annual Gathering | 0 | 1 | 2 | 3 |

Page 15

VENDOR RISK MANAGEMENT

Page 16

VENDOR RISK MANAGEMENT

• The Legal Vendor Network™ (LVN) is a membership-based program designed specifically for law firms to assess and monitor third-party vendors for security and data risk.

• Members gain access to a vendor repository where they can initiate and track third party risk assessments, view vendor information, and populate vendor information into the vendor repository.

• The LVN currently has over 200 law firm vendors participating in the network.

Page 17

VENDOR RISK MANAGEMENT

DEMYSTIFY

Page 18

Page 19

CYBERSECURITY RATINGS

➢ Cybersecurity “rating” service akin to a credit score

➢ Ability to proactively quantify and mitigate risk through continuous rating and alerts

➢ Data is gathered by cybersecurity rating companies through publicly available sources, subscription services and proprietary mechanisms

Page 20

USING CYBERSECURITY RATINGS

bitsighttech.com

Range: 500 - 810

Page 21

IMPORTANCE FOR LAW FIRMS

• Clients may be looking at your reports

– BitSight shows “Searched by” count

• Periodic penetration tests have limitations

– Point in time, narrowly focused, and no console

• Vendor risk management

• Industry reputation

Page 22

CONSIDERATIONS, SKEPTICISM

• Cost

• “They built a service and expose this information, now I have to buy it”

• Great score doesn’t mean a company is secure

• Score or data credibility

Page 23

ADOPTION

Why hasn’t everyone joined?

– Lack of recognition of risks

– Lack of understanding of benefits

– Other priorities?

– Philosophical disagreement?

– Cost?

Page 24

ISO 27001 CERTIFIED – ISO

THREAT INTELLIGENCE & SHARING NETWORK – LS-ISAO

VENDOR RISK MANAGEMENT – LEGAL VENDOR NETWORK – LVN

CYBERSECURITY RATINGS – “740+ CLUB” – 740+

Page 25

BITSIGHT DEEP DIVE

• Do cybersecurity risk ratings actually matter?

• How are the Am Law 200 firms doing?

• Do these services really help?

• Top complaints and criticisms

Page 26

BITSIGHT DATA ANALYSIS

[Chart*: Likelihood of suffering a data breach, by rating band (<400, 400-500, 500-600, 600-700, >700); vertical scale x2 to x5; callout: 5x]

• If 50% of your computers run outdated Operating System versions: 3x**

• If your Botnet Grade is B or lower, or the File Sharing grade is B or lower, or the Open Ports grade is F: 2x***

BitSight provides a measurable range of risk, and is the only ratings solution with a third party verified correlation to breaches.

www.bitsighttech.com

* AIR Worldwide reviewed and approved our data and analyses

** A Growing Risk Ignored: Critical Updates

*** Beware the Botnets: Botnets correlated to a higher Likelihood of a Significant Breach

Page 27

VENDOR RISK MANAGEMENT

• Ratings are becoming standard practice for VRM and cyber insurance

• What if clients raise this with your firm’s management directly?

• Consider ratings data for your own VRM process. You may be surprised by what you learn...

Page 28

AMLAW 200 RATINGS

[Redacted image]

Page 29

AMLAW 200 RATINGS

[Redacted image]

Page 30

REAL LIFE BENEFITS

• Continuous “lite” penetration test

• Audit your external footprint

• Catch mistakes and technical problems

– External web servers, SPF/DKIM

Real example – DNS record for DKIM broke

– Affected DMARC disposition for outgoing email for 2 weeks

[Images: broken record vs. normal DKIM record]

Page 31

THE OTHER SIDE

• How dare they!

– Objective, independent ratings are necessary

– Costs associated with gathering and analyzing ratings data

– Same concept as credit scores

• The data is false!

– Then fix it...

– Special topic: Guest networks

Old IP ranges still assigned to us (CIDR) caused this:

Page 32

GUEST NETWORKS

• Historical approach:

– Segmented network, authentication required & HTTP filtering

• Leaves a hole though:

– Malware & malicious sites are using HTTPS more

– Poor cyber ratings are a consequence, not a “flaw”

• New approach needed

– Web filtering based on DNS (and possibly HTTPS for managed devices)

– Better authentication and logging to identify problematic devices
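The reason the slide moves filtering from HTTP to DNS is that a guest device still has to resolve a hostname before it opens an HTTPS connection, so the resolver sees the destination even when the web filter only sees encrypted traffic, and a resolver that also knows which authenticated user is behind each address can log the decision in a form that identifies the problematic device. The following Python is an added example for this page, not any product's code or the firm's deployment; the blocklist, client table and sinkhole address (192.0.2.1, RFC 5737 documentation space) are constructed. It implements the policy decision a filtering resolver makes for one query, with suffix matching so that subdomains of a blocked zone are caught, and produces the per-user log line.

```python
"""DNS-based web filtering with per-client logging for a guest network.
Added example for this deck, not a product's code; blocklist, client table and
sinkhole address are constructed (192.0.2.1 is RFC 5737 documentation space)."""
from datetime import datetime, timezone

BLOCKED_ZONES = {"malware-c2.example", "phish-kit.example"}   # constructed blocklist
SINKHOLE_ADDRESS = "192.0.2.1"                                # placeholder sinkhole
# Constructed mapping from guest-network client address to authenticated identity,
# as populated by the captive portal / 802.1X step the slide calls for.
AUTHENTICATED_CLIENTS = {"10.50.0.23": "guest-7f3a", "10.50.0.41": "guest-c019"}


def blocked_zone_for(qname, zones=BLOCKED_ZONES):
    """Return the blocked zone that covers qname (the name itself or any parent), else None.
    Suffix matching is what lets a DNS filter stop 'cdn.malware-c2.example' as well."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve_policy(qname, client_ip, clients=AUTHENTICATED_CLIENTS, now=None):
    """Decide how the guest-network resolver handles one query and build the log line
    that ties the decision to a client identity rather than only an address."""
    now = now or datetime.now(timezone.utc)
    user = clients.get(client_ip)
    zone = blocked_zone_for(qname)
    if user is None:
        action, answer = "REQUIRE_AUTH", None           # unauthenticated device: no resolution
    elif zone is not None:
        action, answer = "SINKHOLE", SINKHOLE_ADDRESS   # answer with the sinkhole, not the real address
    else:
        action, answer = "FORWARD", None                # hand the query to the upstream resolver
    log = "%s client=%s user=%s qname=%s action=%s zone=%s" % (
        now.isoformat(timespec="seconds"), client_ip, user or "-", qname, action, zone or "-")
    return {"action": action, "answer": answer, "user": user, "log": log}


if __name__ == "__main__":
    samples = [("cdn.malware-c2.example", "10.50.0.23"),   # blocked subdomain, known user
               ("www.example.org", "10.50.0.41"),          # allowed, known user
               ("www.example.org", "10.50.0.99")]          # unknown device
    for qname, ip in samples:
        print(resolve_policy(qname, ip)["log"])
```

In a real deployment the same decision is usually expressed as a response policy zone on the resolver rather than in application code, but the two checks to keep are the ones shown here: match on the whole label suffix, not the exact name, and write the authenticated identity into the log record at decision time, since the address alone is what made the guest network look like a botnet host in the rating data.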

Page 33

MOVING FORWARD … A CULTURE OF SECURITY AWARENESS IS KEY

Page 34

HOW DO WE MOVE FORWARD

• Share your success and innovation

• Upper management support

• Use your Metrics for good

– Big Picture – Use Marketing

– Professional Development – Educate your lawyers

– Internal – Educate ALL

• USE your biggest marketing weapon … your people!