Many thanks to our friends at iManage for sharing this blog post.
by Aaron Rangel, Director Product Marketing, iManage
The secret is out: professional services firms make attractive targets because they have large volumes of privileged client information. High profile cyber-attacks such as the Panama Papers incident have made information security a top priority at the C-level executive suite.
Traditional security approaches and perimeter defenses, however, are no longer sufficient. Over the past few years, fundamental changes in how firms conduct business and how malicious attacks are orchestrated have changed the game. These changes include:
- Phishing attacks. Attacks involving stolen credentials can easily penetrate even the most security-savvy firm in minutes. The low-cost, high-reward potential makes it the dominant mode of attack.
- Malicious insiders. There has been an increase in cases where insiders familiar with the workings of the firm have pilfered privileged information slowly and imperceptibly for personal gain.
- Outsourcing. To be competitive, firms outsource work to 3rd parties. From partners for eDiscovery or contract review, to the outsourced help desk, itâ€™s not uncommon to have tens of hundreds of external users accessing the firmâ€™s network with valid credentials.
- Mobility. The benefits of mobility and round-the-clock productivity are too compelling to ignore. Different device types make it difficult for IT teams to exercise control.
- IoT. The Internet of Things (IoT) opens networks up to yet another huge class of devices that the firm has little visibility or control over. These devices are internet-enabled and can be used as portals to launch attacks.
A New Approach is Needed
The consensus is clear: the traditional security stack must be augmented by a new toolset built to protect information where the threat actor has not only compromised the network perimeter but has obtained control over one or more endpoints and is about to launch a zero-day attack. CIOs and CSOs clearly understand this gap in the security stack and know that any security solution they purchase to address this gap must be able to do the following:
- Work under the assumption of a breach. The solution must be able to immediately detect and neutralize threats where the perpetrator is an insider or external party that has already compromised the network using stolen credentials.
- Reduce false positives. The biggest impediment to the success of information security programs continues to be the cost of investigating a high number of false positives. Solutions must go beyond the capabilities offered by traditional security tools by analyzing contextual information deep within key applications to unambiguously communicate user intent. Tracking network traffic abnormalities, irregular application access patterns or endpoint device activity, and threshold-based alerts results in a high number of false positives because they are lacking in context.
- Intelligently interpret variation in behavior. Users in professional services firms work differently both across and within practice areas. High performers work across a significantly higher number of clients and matters than associates, for example. Tools must offer the capability to intelligently differentiate between variation in behavior that is legitimate and variation that is at-risk.
- Predict high-risk events that are unique to professional services firms. Departing professionals represent a unique risk, as they often carry privileged client or firm information with them. The ability to monitor a group of professionals who have given notice as well as the ability to predict professionals who are most likely to depart makes a significant impact on mitigating risk.
- Learn continuously. Professionals exhibit considerable variation in behavior over time that is entirely legitimate: promotions and new work assignments are often accompanied with substantive changes in information access patterns. Continuous learning ensures that the system is able to learn and adapt automatically as the firm changes.
Introducing iManage Threat Manager
iManage Threat Manager addresses these challenges and identifies threats with the highest levels of accuracy. Available on cloud and on premise, Threat Manager provides:
- Dramatic reduction of false positives with Adaptive User Behavioral Modeling (AUBM) and machine learning. The guiding principle behind AUBM is the fact that the access pattern of malicious use is different from legitimate use. AUBM leverages the power of big data and statistical analysis to analyze hundreds of thousands of individual interactions across document and practice management systems to create a baseline â€œbehavioral fingerprintâ€ for each user. Comparison of a userâ€™s current fingerprint against the baseline is done continuously.Greater accuracy is achieved by applying AUBM against activities that communicate a greater semantic meaning as it relates to at-risk behavior in a professional services firm context. Threat Manager also compares and contrasts the userâ€™s behavior against behavior of the cohort that most resembles the user â€”for example, an attorneyâ€™s behavior against the behavior of attorneys in the practice area â€”to improve accuracy.
- Controls and simulation to deliver the greatest accuracy in a professional service firm context. Capabilities delivered include the ability to fine-tune policies for a practice area, implement separate controls for trainees or help desk roles, back-test against historical data to test efficacy of policies, and predict users most likely to depart.
- 24/7 continuous protection. Threat Manager provides protection against at-risk behavior anytime, from anywhere, across any device.
- Process support to streamline processes and drive efficiencies. Threat Manager can assign and track status of alerts; additionally, powerful forensics and granular event re-construction dramatically accelerates time and reduces cost associated with an investigation.
Join us for a webinar on iManage Work 10 next week!