Artificial intelligence is finding exciting new applications and changing workflows in many industries. Law firms are one example, particularly larger organizations that process expansive quantities of sensitive data. Before AI, the discovery process for a complex litigation may have required large teams of a dozen or more attorneys to analyze data for weeks or months. With AI such as that applied by iManage for document management, results for a discovery project can take just a few seconds. Speed brings more productivity, with legal insights that are as good as or better than those of legacy processes.

As law firms put their clients’ sensitive data into cloud systems, however, they automatically become attractive targets for cyberattacks. It’s like the twentieth-century criminal Willie Sutton, who was said to rob banks because “that’s where the money is.” Law firms are now surrogate targets because that’s where the data is.

Fortunately, AI approaches such as machine learning (ML) can also help prevent sensitive data loss from law firms. While providers of document management and other AI applications for law firms may furnish some controls for security and compliance, these often fall short for advanced threats that defy detection by typical security processes – especially legacy correlation-based tools that rely on static rules. That’s where an ML-based approach in a modern security information and event management system (SIEM) such as the Exabeam Security Management Platform provides the ability to detect and rapidly respond to advanced threats.

Here are a few ways ML can help law firms with advanced data loss prevention:

Detecting data leakage via document exports

A myriad of legitimate reasons to export documents from the system can easily mask malicious exposure or theft of sensitive client information. Data exfiltration happens manually when a user transfers data over the internet or copies it to a physical device and moves it outside the premises. Exfiltration may also be automated, which often occurs as the result of malware infecting local systems. Using ML with user and entity behavior analytics (UEBA), Exabeam automatically models behavior for every user in the law firm. It detects network traffic to command-and-control servers and identifies infected systems transmitting data to unauthorized parties. UEBA monitors for unusual amounts of network traffic over protocols that facilitate large data transfers, compared to the baseline of the user or machine transferring the data. It monitors usage of organizational web applications by outsiders, and inside usage of external web applications, either of which might involve downloads or browser access to sensitive data. UEBA detects emails forwarded or sent to entities other than the stated recipient. It also monitors data from the mobile workforce to identify anomalies that might indicate information leakage via a mobile device.

Abnormal activity in the document management system

The UEBA approach models every action a user normally performs in the DMS, across the organization, the peer group and the individual user. For example, when a hacker obtains privileged-user credentials, the attack can proceed directly to high-value assets with impunity. The result can be devastating – especially if a legacy security system is unable to detect the initiation and follow-on actions of a privileged-user compromise. Detection is challenging because a privileged user’s work patterns may not be regular or predictable. The ability to accommodate these variables and reliably detect any privileged-user compromise is an essential use case requirement for law firms, and one fulfilled by UEBA algorithms.

Abnormal source accessing the DMS

Law firms must be able to identify where each user normally accesses the DMS from. If a user’s credentials have been compromised and their account is being used to exfiltrate data from the DMS, the access will likely come from an abnormal source machine. When a hacker uses stolen credentials, legacy security tools cannot identify the unauthorized access, so the attacker can proceed at will to sensitive data or internal resources. Clearly, the result of compromised user credentials can be devastating, which makes this use case mandatory for law firms. UEBA provides this function by detecting unauthorized access across the combination of a user’s account credentials, devices and IP addresses.
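The three UEBA use cases above (export volume against a user baseline, per-user and peer-group modeling, and an abnormal source host) can be shown with a small scoring routine over DMS audit events. This is an added illustration, not Exabeam code or its scoring model; the event tuples, peer groups, host names and point values are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DMS audit events (not real data): user, peer group, source host,
# action, bytes moved. These form the learned "normal" for each user and group.
BASELINE = [
    ("alice", "litigation", "wks-a01", "export", 2_000_000),
    ("alice", "litigation", "wks-a01", "export", 2_500_000),
    ("alice", "litigation", "wks-a01", "export", 1_800_000),
    ("alice", "litigation", "wks-a01", "export", 2_200_000),
    ("bob",   "litigation", "wks-b07", "export", 3_000_000),
    ("bob",   "litigation", "wks-b07", "export", 2_800_000),
    ("carol", "tax",        "wks-c03", "export", 500_000),
    ("carol", "tax",        "wks-c03", "export", 700_000),
]

def build_baselines(events):
    """Learn hosts seen per user and per peer group, and export sizes per user."""
    user_hosts, group_hosts = defaultdict(set), defaultdict(set)
    user_bytes = defaultdict(list)
    for user, group, host, action, nbytes in events:
        user_hosts[user].add(host)
        group_hosts[group].add(host)
        if action == "export":
            user_bytes[user].append(nbytes)
    return user_hosts, group_hosts, user_bytes

def score_event(event, baselines, z_threshold=3.0):
    """Return (risk_points, reasons) for one new event against the baselines."""
    user_hosts, group_hosts, user_bytes = baselines
    user, group, host, action, nbytes = event
    points, reasons = 0, []
    if host not in user_hosts[user]:
        # A host the user never used before; less suspicious if peers use it
        if host in group_hosts[group]:
            points += 10; reasons.append("host new for user, known in peer group")
        else:
            points += 25; reasons.append("host new for user and peer group")
    hist = user_bytes[user]
    if action == "export" and len(hist) >= 2:
        mu, sd = mean(hist), pstdev(hist)
        # z-score of this export against the user's own history
        z = (nbytes - mu) / sd if sd > 0 else (float("inf") if nbytes > mu else 0.0)
        if z > z_threshold:
            points += 30; reasons.append(f"export volume z={z:.1f} above user baseline")
    return points, reasons

def is_alert(event, baselines, threshold=30):
    """True when accumulated risk points reach the alerting threshold."""
    return score_event(event, baselines)[0] >= threshold
```

In a real deployment the baselines would be recomputed over a sliding window and the points would accumulate across a user's session rather than per event.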

Accelerate security investigation and response

Security alert investigation with legacy tools is an onerous process. Alerts typically consist of arcane data in raw log files that defy comprehension – even for seasoned security analysts. Alerts may scream “time is of the essence!” but legacy threat hunting demands manual correlation of various log files, interpreting their meaning, manually culling ancillary data sources for clues, and spending considerable time trying to determine the root cause of an alert. Exabeam UEBA can dramatically improve the productivity of a law firm’s SOC analysts. UEBA, in conjunction with a modern SIEM solution, uses machine-built timelines that offer a better interface for threat hunting, even for a junior analyst. Instead of presenting discrete events, a machine-built timeline presents the results with context and risk scoring to help rapidly distil the essence of a threat – and how to quickly remediate the issue.

It’s interesting to note that many law firms are specializing in cyber security law. How apt it is that the application of AI for modern legal work has an equally valuable role for protecting law firms and their clients’ data! To learn more about these benefits, check out a new case study “Baker Donelson Advances the Maturity of Their Cybersecurity Program with Exabeam.” This Am Law 100 firm is using a modern SIEM to help secure sensitive legal data for more than half the Fortune 100 and a quarter of the Fortune 1000.

Senior Product Marketing Manager

Samantha has 20 years of experience in cyber security. She has defined strategy for multiple security products and technologies, helped hundreds of organisations of all shapes, sizes, and geographies recover and learn from cyberattacks, and trained anyone who’ll listen on security concepts and solutions. She authors articles for various security publications, and is a regular speaker and volunteer at industry events, including BSides, IPExpo, CyberSecurityX, The Diana Initiative, and Blue Team Village (DEFCON).
