Like many law firms, this mid-sized national firm had invested in on-premises IT systems, but its attention to cybersecurity lagged, leaving the firm open to attack. Ransomware was a growing problem, while the pandemic presented new challenges of remote working, digitized business processes, and virtual meetings. The pressure for rapid change was intense, since the firm was working multiple high-stakes cases where slowdowns were unacceptable.
As at many law firms, Skype was an oft-used collaboration tool, but with Microsoft discontinuing Skype for Business and the firm already using Active Directory, the logical move was to Teams, Azure, and Office 365. The long-term plan was to increase its VPN usage to cover the firm’s legal content management system while rolling out MS Teams, along with Azure and Office 365.
Visibility, Visibility, Visibility
The IT team evaluated its defensive posture and process against recent DoppelPaymer and Ryuk ransomware attacks. The results showed alarming gaps in the firm’s visibility into devices on its network, remote VPN usage, and network communication inside and moving across its firewalls, all areas critical to monitor for protection against these types of ransomware attacks. The audit found that network and cloud firewall coverage was solid, with multiple FortiGate firewalls in place, policies current, and operating correctly. The firm also had SentinelOne endpoint protection working effectively, but the lack of a 24x7 security operations center meant that nighttime and weekend attacks were poorly defended. Operating a SOC or deploying a security incident management system was determined to be beyond the firm’s resources.
Further evaluation found risks with the move to more broad usage of Office 365 and Teams. Multi-factor Authentication needed to be widely deployed. Better access control over Azure accounts was required, and policies were needed to ensure that sensitive case and client data was not leaked or shared in Teams or in cloud file systems such as SharePoint.
Network Defense as a Service
The firm came across CyGlass while attending a cybersecurity seminar. CyGlass presented its Network Defense as a Service (NDaaS) network monitoring, threat detection, and response solution, which was cloud-native, operationally simple, and affordable. Most relevant, it was being run successfully by two other law firms of roughly the same size. CyGlass was set up to collect NetFlow data from the FortiGate firewall in under 20 minutes. Over the next month, the firm expanded the deployment to include its smart routers so that both north/south and east/west traffic were covered. As promised, NDaaS’ blend of AI and policy controls kept alerts down to a handful, and the remediation guidance was deemed helpful. The product was simple to operate, and the reporting even included a “scorecard” report to track progress.
24x7 Monitoring and Ransomware Defense
The firm reported that the greatest value came from the 24x7 automated ransomware prevention controls. Included were 40 pre-built policies that looked for risks and vulnerabilities across ransomware’s common attack vectors. AI watched and correlated ransomware attack anomalies against threat intelligence, and alerts were sent out when multiple stages of a potential attack were correlated. The firm now had a set of eyes watching for and alerting on ransomware attacks around the clock. Within a week of deployment, the team had CyGlass NDaaS ingesting network traffic from their firewalls, VPNs, and a set of internal network routers. After two weeks, the AI models had aligned, and the team had visibility into the devices, networks, and subnets across the entire organization.
Expanding to Office 365
With the initial deployment for ransomware protection complete, the team looked to cover the Office 365 and Azure deployments. Challenges with these environments had developed rapidly as the deployment grew.
Perhaps the most critical challenge was getting multifactor authentication enabled for all employees. The firm was able to enroll about 85% of users, but the remaining 15% were surprisingly difficult. A mix of technical issues with end-user devices, limited internet connectivity in some geographies, and technology-adoption challenges among some of the firm’s more senior people stymied efforts to achieve 100% MFA. The team also realized that the same problem would exist for many of their clients and partners. It was ultimately decided that 100% MFA would not be achievable for some time, so the team focused CyGlass on monitoring for authentication-based attacks against passwords.
The next challenge was dealing with alerts. Just four months into the Office 365 deployment, on the E3 license, the team was experiencing hundreds of alerts a day – far more than it could handle. Alerts covered everything from authentication and access issues to file movement and location risks.
Office 365/Azure Risk-based Alert Triage
CyGlass connected and began capturing Office 365 and Azure usage logs within a few hours. NDaaS AI models cover anomalous or high-risk authentication events, user access events, file access and file share events, and user administrative rights, as well as anomalous file movement and communications from the network to the cloud. As the models normalized, they produced a risk-based view of where Office 365 remediation should focus. Correlating events allowed the IT team to understand where to start and what to focus on. The reports delivered by NDaaS became an Office 365 triage system: each day, the five or six alerts detailed a misconfiguration or process issue to fix or change. The team went from feeling scattered and frustrated to making progress every day and seeing it reflected in lower risk scores. The Office 365 rollout and the push to reach 100% MFA continue, but the team has confidence in its risk visibility and threat detection across both the cloud and the network.
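The triage idea described above, where password-focused authentication monitoring fills the gap left by incomplete MFA and correlated events are ranked by risk rather than surfaced one alert at a time, can be illustrated with a small, self-contained example. This is added example code, not CyGlass’s models or the firm’s configuration: the log columns, the scoring weights and the thresholds are assumptions, and the sign-in records are constructed. It reads a chronological sign-in log, correlates three stages for each account (a burst of failures, failures spread across several source addresses, and a subsequent password-only success from an address that had just been failing) and emits one ranked row per account so an analyst knows where to start.

```python
"""Risk-based triage of sign-in events for accounts that may lack MFA.

Added illustration, not CyGlass code. The log layout, weights and
thresholds below are assumptions chosen for the example.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real data), already in chronological order.
# The columns are an assumption, not the Office 365 audit schema.
SAMPLE_LOG = """\
time,user,src_ip,result,mfa
2021-03-01T01:02:00Z,attorney.lee@firm.example,198.51.100.5,failure,no
2021-03-01T01:03:00Z,attorney.lee@firm.example,198.51.100.5,failure,no
2021-03-01T01:04:00Z,attorney.lee@firm.example,198.51.100.6,failure,no
2021-03-01T01:05:00Z,attorney.lee@firm.example,198.51.100.6,failure,no
2021-03-01T01:06:00Z,attorney.lee@firm.example,198.51.100.7,failure,no
2021-03-01T01:07:00Z,attorney.lee@firm.example,198.51.100.7,failure,no
2021-03-01T01:08:00Z,attorney.lee@firm.example,198.51.100.7,success,no
2021-03-01T09:00:00Z,paralegal.kim@firm.example,203.0.113.20,failure,no
2021-03-01T09:01:00Z,paralegal.kim@firm.example,203.0.113.20,failure,no
2021-03-01T09:02:00Z,paralegal.kim@firm.example,203.0.113.20,success,yes
2021-03-01T10:00:00Z,partner.ng@firm.example,203.0.113.30,success,no
"""

# Assumed thresholds and weights; tune against the tenant's real baseline.
FAIL_THRESHOLD = 5      # failed sign-ins per account in the window
IP_THRESHOLD = 3        # distinct failing source addresses per account
W_FAIL_BURST = 30
W_MANY_IPS = 20
W_PASSWORD_ONLY_AFTER_FAILURES = 40
W_NO_MFA_SUCCESS = 10


@dataclass(frozen=True)
class SignIn:
    time: str
    user: str
    src_ip: str
    success: bool
    mfa: bool


def parse_log(text):
    """Parse the constructed CSV log into SignIn records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        SignIn(r["time"], r["user"], r["src_ip"],
               r["result"] == "success", r["mfa"] == "yes")
        for r in reader
    ]


def score_account(events):
    """Correlate one account's events into a score and a list of reasons."""
    failures = [e for e in events if not e.success]
    successes = [e for e in events if e.success]
    fail_ips = {e.src_ip for e in failures}
    score, reasons = 0, []

    if len(failures) >= FAIL_THRESHOLD:
        score += W_FAIL_BURST
        reasons.append(f"{len(failures)} failed sign-ins")
    if len(fail_ips) >= IP_THRESHOLD:
        score += W_MANY_IPS
        reasons.append(f"failures from {len(fail_ips)} source addresses")
    # Stage correlation: a password-only success from an address that had
    # just been failing is the strongest single signal here.
    for e in successes:
        if e.src_ip in fail_ips and not e.mfa:
            score += W_PASSWORD_ONLY_AFTER_FAILURES
            reasons.append(f"password-only success from {e.src_ip} after failures")
            break
    # Any success without MFA is worth a look while MFA coverage is incomplete.
    if any(not e.mfa for e in successes):
        score += W_NO_MFA_SUCCESS
        reasons.append("sign-in completed without MFA")
    return score, reasons


def triage(events):
    """Return one row per account, highest risk first."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    rows = []
    for user, evs in by_user.items():
        score, reasons = score_account(evs)
        rows.append({"user": user, "score": score, "reasons": reasons})
    return sorted(rows, key=lambda r: (-r["score"], r["user"]))


if __name__ == "__main__":
    for row in triage(parse_log(SAMPLE_LOG)):
        print(f"{row['score']:>3}  {row['user']}")
        for reason in row["reasons"]:
            print(f"      - {reason}")
```

Run as-is, the burst-then-success pattern for one account sorts to the top with every stage listed, the account that signed in without MFA but showed no failures gets a low, non-zero score, and the account whose two failures were followed by an MFA-protected success scores zero. The value for a small team is not the arithmetic but the shape of the output: a short, ordered list with the reasons attached, which is what turned hundreds of raw alerts into five or six actionable items a day in the account above.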
The next step is to deploy internal east/west visibility to have a better handle on threats inside the network. The team wants to focus on building zero trust into their network using CyGlass’s identity and micro-segmentation capabilities to further protect critical case and client data. The firm looks forward to increasing the value of the NDaaS platform across the organization.