
Artificial intelligence (AI) is becoming an important part of the legal industry. Analytics and machine learning delivered through Document Management Systems (DMS) help lawyers perform due diligence and research by automating the discovery process and reducing the high volume of recurring tasks that would otherwise distract teams of lawyers from meaningful, chargeable work.

The speed and accuracy this technology brings deliver productivity and legal insight beyond what the legacy processes it replaces could offer.

But as legal organisations adopt AI technology through cloud applications, drawn by the promise of better team collaboration, improved sharing and always-available data access, they also become an attractive target for cyber-attacks and breaches of sensitive client data, from both external and insider threats.

Fortunately, AI in the form of machine learning can also help prevent sensitive data loss. Some document management vendors provide a level of security and compliance controls, but those that rely on a legacy rules-based security approach often fall short in detecting advanced threats. A machine learning (ML) architecture can detect and rapidly respond to advanced threats by learning what good and bad behaviours look like.

Below are the areas in which machine learning can give legal firms the advanced data and event visibility needed to prevent sensitive data loss:

Detect data leakage

It is not unreasonable to expect numerous document exports or sharing links to be generated through the Document Management System, but it is very difficult to track and determine which of those exports are legitimate and which show signs of malicious intent to expose or steal sensitive data.

An unlawful data transfer can occur manually with users transferring data over the internet or using physical devices, but this may also occur automatically, often as the result of malware infecting local systems or devices. Using Machine Learning through user and entity behaviour analytics (UEBA), it is possible to automatically model the behaviours of every user or partner in the organisation.

UEBA monitors and highlights unusual and unseen levels of network traffic compared to the learned baseline of a specific user, team or device transferring the data.

UEBA extends data leakage detection to email, by monitoring messages sent or forwarded to recipients other than the intended one, and to the mobile workforce, by identifying anomalies that could indicate information leakage via a mobile device.

Abnormal activity

By monitoring and modelling every user's normal actions within the DMS platform, UEBA can quickly detect anomalous behaviour for each user. This matters because a malicious actor who has obtained privileged credentials can access and compromise high-value assets without any intervention, with devastating results.

Detecting anomalous behaviour by privileged users is challenging because their work does not follow regular, predictable patterns. The capability to accommodate these changing variables and still reliably detect privileged-user compromise should be an essential requirement for law firms protecting the growing volume of sensitive data stored in on-premise or cloud environments.

Abnormal source

It is important for any organisation to identify where each user normally accesses the application or Document Management System (DMS) from. If a user's account credentials are compromised and used to exfiltrate data from the DMS, the access will most likely come from an unusual location or source device. UEBA detects unauthorised access by examining the combination of a user's account credentials, devices and IP addresses.
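The two detections described above under "Detect data leakage" and "Abnormal source" both reduce to one mechanism: learn a per-user baseline from historical DMS audit events, then score new activity against it. The following is an added illustration of that mechanism (not code from the original post or from any vendor's product); the event format, field names and sample users are constructed assumptions, and the z-score threshold of 3 is a hypothetical tuning value.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed DMS audit events (not real data): one record per export
# batch, with the user, calendar day, export count and the source it came from.
BASELINE_EVENTS = [
    {"user": "alice", "day": f"2024-01-{d:02d}", "exports": n,
     "src_ip": "10.0.0.12", "device": "LAPTOP-A"}
    for d, n in enumerate([5, 7, 6, 8, 5, 7, 6, 6, 7, 5], start=1)
]

@dataclass
class UserProfile:
    """Learned baseline for one user: daily export counts and seen sources."""
    daily_exports: list = field(default_factory=list)
    sources: set = field(default_factory=set)

def build_baselines(events):
    """Aggregate historical events into a per-user baseline (the 'learning' step)."""
    profiles = defaultdict(UserProfile)
    per_day = defaultdict(int)
    for e in events:
        per_day[(e["user"], e["day"])] += e["exports"]
        profiles[e["user"]].sources.add((e["src_ip"], e["device"]))
    for (user, _day), count in per_day.items():
        profiles[user].daily_exports.append(count)
    return dict(profiles)

def score_event(profiles, event, z_threshold=3.0):
    """Compare one new day of activity against the user's baseline; [] means normal."""
    profile = profiles.get(event["user"])
    if profile is None:
        return ["no baseline for user"]  # new or dormant account: needs review
    mu = mean(profile.daily_exports)
    # Floor the deviation at 1 export/day so a near-constant baseline does
    # not turn every small fluctuation into an alert (division by ~0).
    sigma = max(pstdev(profile.daily_exports), 1.0)
    z = (event["exports"] - mu) / sigma
    reasons = []
    if z > z_threshold:
        reasons.append(f"export volume z={z:.1f} above baseline")
    if (event["src_ip"], event["device"]) not in profile.sources:
        reasons.append("unseen source ip/device pair")
    return reasons
```

Each reason string is the context an analyst would want attached to the alert: which baseline was violated and by how much, rather than a bare "critical" flag.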

Accelerate security investigation and response

The average time from a breach occurring to its detection is still measured at anything between 66 and 90 days. Investigating security alerts with legacy tools is a long and challenging process when the data and timeline are fragmented or inaccurate, even for seasoned security analysts.

Alerts may shout "critical, act now!", but legacy threat response demands manual correlation of many log files, interpreting and mining supplementary data sources for clues, and considerable time spent trying to determine the root cause of an alert.

UEBA, in conjunction with a modern SIEM, improves the accuracy and effectiveness of any organisation's SOC analysts. Instead of presenting isolated and disjointed events, it stitches together a comprehensive machine-built timeline that presents results with context and risk scoring.
