Surprisingly the vendors in cybersecurity differ on their approaches to protecting your law firm. At the ILTA LegalSEC Summit 2015 in Baltimore, MD they had a panel discussion on how each vendor tackles the ever bounding threats. For background when this post refers to endpoint security I am describing securing the user at the device level; i.e. the mobile phone or individual’s computer.
Gal Badishi of Palo Alto Networks started off his analysis with ominous statistics. On average a firm does not recognize that they have been breached for 225 days after the initial strike. In addition, of those attacks, 84% are found by third parties. His primary theme throughout the conversation to counter these attacks was the proper implementation of a “Next Generation Firewall.” This is defined on Wikipedia as “an integrated network platform that combines a traditional firewall with other network device filtering functionalities such as an application firewall using in-line deep packet inspection (DPI), an intrusion prevention system (IPS) and/or other techniques such as SSL and SSH interception, website filtering, QoS/bandwidth management, antivirus inspection and third-party integration (i.e. Active Directory).” (Wiki, 6/14/2015)
Keith Palumbo of Cylance fascinated the audience with a unique and futuristic tact to cybersecurity for law firms. They use a form of Artificial Intelligence to uncover and deflect penetration from malicious intruders. In fact Keith described the use of mathematical endpoint solutions including algorithms to help predict what types of “ones and zeros” will be malicious based on like or similar files. Their equations employ similar processes financial institutions have devised for rapid electronic trading. The cutting edge autonomous driving cars also operate under similar algorithms. What fosters this is the utilization of extremely efficient computers and their prowess in mathematical processing. In essence, Cylance collects samples of viruses, extracts common features in the code then transforms that code into feasible branch code. At this stage the software vectorizes the viruses to then train the system on what might arrive at the firm’s door. Finally it classifies the virus and clusters it into a defined grouping for future learning.
The third speaker, Harry Sverdlove of Bit9 begin his discussion with the statement that, “antivirus protection is almost pointless.” He noted that what firms have been employing for the last 20 years with virus detection through updates is dead. With the number of virus on the Internet, there is no feasible way to scan, collect, submit and maintain a log of the rapidly changing viruses.
Harry suggested that each firm start from the assumption they are or will be breached. He painted an example of a house that a thief gains access to daily. If you think about it in this sense, prevention of that thief from entering is no longer enough. Firms must invest in detection and response. Most firms do not have systems that seek out real-time detection mechanisms. This lends itself to much longer periods of time that the thief remains inside the firm’s firewall. If the initial firewall breach was not detected by the firm, that intruder could remain inside for significant periods of time.
Ultimately the three panelist concluded that a three pronged approach to endpoint security was necessary; prevention techniques, detection once the breech has occurred, and lastly creating a documented response using various tools and processes. Whatever solution, they all suggested turning your firm data (logs, user profiles, patterns of access) into intelligence. If you set precedents for how people access your network, you can identify the variance and seize the thief.
Wikipedia, Next-Generation Firewall, 6/14/2015, https://en.wikipedia.org/wiki/Next-Generation_Firewall