Ricci Dipshan, Legaltech News
Inside legal's employee monitoring
failsafe and a look at how legal woke up to the prospect of insider threats.
Of the many factors driving the legal industry, none
is perhaps more vital than trust. For any legal system to operate, clients must
trust their attorneys to treat their data with the utmost confidentiality, and
attorneys must trust in each other to uphold strict codes of ethics and
integrity.
But what if this
essential trust element is turned against the industry itself instead of
fueling its success?
Take, for example, the
much-publicized case of former attorney Matthew Kluger, who held associate
positions at various firms beginning in 1994. Though trusted with many of the
responsibilities of a seasoned lawyer, his legal career would come to a
tumultuous end. In 2012, Kluger was sentenced to 12 years in prison for his
part in stealing confidential company and mergers and acquisitions (M&A)
data from the firms that employed him, a decades-long insider trading scheme
that netted him $37 million.
Uncovering such a long
and embedded instance of insider theft, alongside similar instances of theft,
has woken up law firms and legal departments to risks posed by their own
employees. And these incidents, says William Kellermann, counsel at Hanson
Bridgett, were far more effective as a call to action for legal than
cybersecurity incidents that "are part of the mainstream press."
Kellermann knows the
issue of malicious insiders firsthand. Though he would not name the firm or
specific incident, Kellermann says he was a part of one firm where, over an
almost 20-year period, an "associate attorney [was] accessing confidential
data and delivering it to someone who was trading on it."
"For me in a law
firm, that was probably the first area that I found firms really getting their
act together," he says.
But what exactly does
insider theft entail? How and where do law firms and legal departments monitor
their employees to oust these insider threats?
In the not-too-distant
past, Brandon Daniels, president of the Clutch Group, recalls, insider threats
were solely the responsibility of the IT department.
How times have changed.
Over the past five years, Daniels has "seen CISOs and cybersecurity folks
actually moving over to legal and reporting directly into the legal
department," as general counsel began to understand the "amount of
liability they carry that comes with client information."
Legal was made the front
line against insider threats, in no small part because the data it manages is
held to the highest, and least flexible, standards. "It's very difficult
to negotiate confidentiality and breach standards, and it's also an area
impossible to create stop loss," Daniels explains.
Mitigating insider risk
in legal, however, was no easy task, as it entailed nothing short of changing
the once sacrosanct culture around open workflows and access at legal
departments and law firms. "It used to be the standard was that all
lawyers had access to all legal documents, so they could stay on top of
precedent and get involved in a matter right away," Christopher Zegers,
chief information officer at Lowenstein Sandler, says. But "more recently,
because we have become more of a target for data theft," that has meant
"restricting and monitoring access of documents."
Front and center in this
effort is the centralized document management system (DMS), which controls and
monitors most, if not all, confidential and work-related material. By limiting
attorneys' "access to only the information they need," Zegers
explains his firm can monitor "activity like exporting or emailing
documents," as well as implement "limitations on what can be
done" with the material.
Making sure documents
don't leave the premises, however, is only one part of the challenge. Though the
DMS can also secure confidential documents and emails, it is ill-equipped to
prevent threats emailed in from the outside.
And these threats can be
devastating. Cybercriminals, after all, have been regularly employing social
engineering and phishing techniques, and through these have had alarming
success with tricking users into deploying malware or giving up access
credentials via email.
The monitoring law firms
and legal departments perform, then, will almost always have to include
checkpoints on the roads to their email server. Zegers, for example, uses a
product called Mimecast, which is able to "replace any URL or web links
that are in an email with a link to their system so that when you click on it,
Mimecast goes and checks the link that was originally in the email to see if
it's malicious or not." Such email security programs, he adds, can also
block users with email addresses that are outside of a trusted network or
contact list.
The Outer Reaches
Extra monitoring
afforded to email speaks to a stark cybersecurity reality: While the DMS is the
heart of a law firm's or legal department's security, it cannot be the only
line of defense against insider threats.
There is still a chance,
for example, that employees may seek to install malicious programs on their
computers to infiltrate a firm or company's network. But this, thankfully, can
be easily mitigated. Zegers' firm, for example, "does not allow programs
to be installed on [employee] computers and tracks any attempt to install
software on company assets."
Law offices can even go
a step further by using virtual desktop software, which hosts
employees' operating systems on centralized in-house servers no matter what
device they are using. This also means a firm or company can "push out
[security] patches instantaneously rather than having to touch every physical
computer that might be in the office," Zegers says.
Outside the DMS and
operating systems, however, there are also myriad forms of enterprise
communication, from instant messages to collaborative spaces, which may at some
point also host sensitive data.
While these can be
secured with access and monitoring abilities in each specific communication
platform, some counsel are moving beyond ad hoc monitoring of employee digital
activity to analyze employee behavior throughout the network as a whole. Clutch
Group's Daniels, for example, has seen most of his clients "evolving to
statistical analysis of communication patterns" to uncover employee
threats.
Towards this goal, firms
and legal departments use insider threat detection applications, Kellermann
says, which sit on top of a company's network infrastructure to collect and
analyze digital activities for risky behavior indicative of a threat. This may
take the form of an employee uploading large amounts of data to a flash drive,
or logging into company computers during suspicious hours.
Most solutions, he adds,
are used to aid in an investigation after a security event or suspicious
behavior is uncovered, as continuous monitoring would be "mind numbing and
ineffective."
This technology,
however, also comes with certain downsides. Kellermann explains that for them
to effectively determine risk, such solutions need to be used "long enough
to get a good baseline of what normal and appropriate behavior is," which
may take many months before false positives stop showing up.
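The baseline idea Kellermann describes, as an added example that is not code from the article or from any product it names: each user's removable-media volume and login hour are compared against that user's own history, and a user with too little history is reported as unscored rather than flagged. The log format, the 30-day warm-up and the cutoff are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from statistics import median

MIN_BASELINE_DAYS = 30  # assumed warm-up; the article only says "many months"
THRESHOLD = 6.0         # assumed cutoff on the robust z-score

def constructed_events():
    """Constructed sample: (user, day, login_hour, MB copied to removable media)."""
    events = []
    for day in range(40):
        events.append(("alice", day, 9 + day % 2, 5 + day % 4))  # steady office hours
        if day >= 30:
            events.append(("bob", day, 10, 3))  # recent hire, only 10 days of history
    events.append(("alice", 40, 2, 4200))  # 02:00 login and 4.2 GB copied to USB
    events.append(("bob", 40, 10, 900))    # large copy, but baseline is too short
    return events

def robust_z(value, history):
    """Distance from the median in MAD units; resists outliers in the history."""
    med = median(history)
    mad = median(abs(h - med) for h in history) or 1.0  # guard against zero spread
    return abs(value - med) / (1.4826 * mad)

def score(events, today):
    """Return {user: [flags]} for events on `today`; an empty list means normal."""
    hist = defaultdict(lambda: {"hour": [], "mb": []})
    findings = {}
    for user, day, hour, mb in sorted(events, key=lambda e: e[1]):
        h = hist[user]
        if day != today:
            h["hour"].append(hour)
            h["mb"].append(mb)
        elif len(h["mb"]) < MIN_BASELINE_DAYS:
            # Scoring now would mostly produce false positives, so say so instead.
            findings[user] = ["insufficient-baseline"]
        else:
            # Hour is treated as linear here; a wrap-around at midnight is not handled.
            findings[user] = [name for name, v in (("hour", hour), ("mb", mb))
                              if robust_z(v, h[name]) > THRESHOLD]
    return findings

if __name__ == "__main__":
    for user, flags in score(constructed_events(), today=40).items():
        print(user, flags or "normal")
```
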
The AI Gambit
With the evolution of
artificial intelligence—also known as machine learning—and other related
technologies, insider threat detection software has advanced to the point where
it can automate finding risk not just in behavior, but also in the content of
what employees are communicating across a company network.
Take, for example,
NexLP's enterprise insider threat detection platform Story Engine. The
solution, explains Jay Lieb, Story Engine's CEO, uses modern "technology
to understand everything that is being communicated in emails, loose documents,
chat texts, memos and more. We understand all the people being discussed, [all
the] phrases, concepts, topics, etc."
This technology deploys
a mixture of AI, linguistic and emotional intelligence to detect and understand
the subjects of conversations, as well as their emotional tones. Story Engine
then uses behavioral intelligence to build "baseline averages of
everything that everyone in the organization is doing," through their
network communication, to understand patterns of how employees regularly
interact, Lieb says.
The technology, Lieb
adds, can work at different times during an incident, either finding threats
retroactively during an investigation or detecting threats in real-time to
"identify potential events that may incur in the future."
"What we can do is
detect very early on that an event is escalating or a certain action from a
person or a group of people is the starting block for a certain type of
event," he explains. "So if that is a disgruntled employee, because
they started receiving angry emails with high pressure and negative sentiment
from their boss, we may suddenly start to see they are messaging people in
their network," and the communications may point to a potential future
risk.
Lieb was quick to
caution, however, that the type of analysis NexLP does not do is "hire
someone and then predict, based on the guy's résumé, that he is going to steal
from you." This is not "the precognitive 'Minority Report' where we
are using 'psychic' [technology]."
Story Engine's
technology, however, may be only the tip of the iceberg for the future of
insider threat detection. The platform, after all, still relies on human users
to audit the risk findings, and if necessary, direct the findings to the
appropriate party.
It is a problem Daniels
knows well. His company, Clutch Group, is working with Nuix "on a
surveillance cloud" as an extension of its Comms.IQ platform. For all the
new solution's advancements, however, Daniels notes it, too, will have to rely
to some extent on manual risk assessment.
But solving that pain
point may only be a few years off with advancements in AI. "The next level
[of AI] technology is actually going to mimic what a human would do when they
do that first level risk analysis" and "determine the next step for
the piece of information, if it goes directly to the CISO or if it goes directly
to compliance or legal," he says.
So while insider threats
in legal show little sign of fading, emerging technologies mean attorneys will
likely be well-equipped to mitigate the risk in the not-so-distant future. It's
just a question of machine over man.