The Anatomy of Successful Cyber Attacks

By Joseph Raczynski

Preparation for cyberattacks on your network requires a fundamental understanding of the complete picture of who has launched the assault.  Steve Surdu of Surdu Consulting, LLP gave the keynote address at ILTA LegalSEC Summit 2015 in Baltimore, MD, describing “The Anatomy of Successful Cyber Attacks.”

Steve outlined four attacker or threat profile group types: Hacktivists, Criminals, Terrorists, and Nation States.  In the matrix below I break out each section he reviewed into a column view to better understand the who, why, where, motivations, advantages, limitations, and impacts for each group.  I removed the Terrorist group as they tend not to pose a threat to law firms.

In summary the table offers an insight into the full anatomy of the threat for law firms.  To mitigate the aforementioned threats, he outlined five key strategies:

  • Awareness: Educating all parties surrounding the law firm is an absolute must. This includes teaching employees, management, suppliers, and even your clients about the threats that exist, the tactics of the hackers, and the various outcomes of unsafe computing.
  • Visibility: Never assume that you will know everything that is happening on your network. Keep an inventory of assets, logs and all alerts, which when gathered together create actionable intelligence.
  • Focus: Law firms must think about how hackers attack, so avoid misplaced faith in compliance alone.
  • Operational Expediency: Firms should make reasonable operational and security trade-offs. That is, do not spend all of your time on areas with little benefit, like patches for little-used systems.  Prioritize the biggest-impact items first.
  • Priorities: The most valuable time spent on cybersecurity is spent on people and process over technology.

Wrapping up his discussion, he touched on cybersecurity in three areas pertinent to law firms: mobile, Cloud, and eDiscovery.

Mobile Technology:

At this juncture, mobile devices do not pose a significant attack vector for large law firms.  The real risk is one-offs, including physical loss of the device or exposure of data stored on the unit.  Firms should remain vigilant by using encryption and password protection, and by providing remote wiping on demand.  Lastly, he mentioned that Android remains a target.

Cloud:

The Cloud is intriguing from a security perspective.  It presents issues familiar from on-prem environments, but is outsourced.  What that means is that the same predicaments arise, but since a different operator is in the equation, it can be more complex.  Surdu recommends countering this threat by vetting your Cloud vendor carefully to manage your risk.

eDiscovery:

Similar to the Cloud, eDiscovery raises the same issues externally as it does internally.  When you use hosted services, those services have to be vetted for controlled access, general integrity, and encryption where necessary, and to assure that privacy laws are being followed.  He recommends that firms use familiar and consistent platforms when possible.

In his parting thoughts, he focused on several salient points.  While difficult, attempt to retain key players for your firm's security.  A revolving door in the Information Security department is ripe for attacks.  Create a process to track key information and assets.  By having these procedures in place, the firm will know the who, what, where and when of deflecting cyber-attacks.  Work to cultivate and maintain senior management to establish a sense of normalcy.  Often hackers go after newer management because they are less likely to know systems and process.  He also stressed that your best adversaries understand that details matter.  “You should focus on the little things, because if you cannot get that right you will not get the bigger things.”  Lastly, he ended with a push for firms to concentrate on finishing security projects, because that is much more important than simply starting them.

eDiscovery:  Backup and Cloud Safeguards

By Joseph Raczynski

“Not preparing for eDiscovery will cause your company to spend millions meeting an eDiscovery request via a lawsuit or investigation or worse losing a multi-million or multi-billion dollar lawsuit because you cannot retrieve data in time to satisfy a judge.”

These were the ominous words from Curtis Preston, CEO of Truth in IT, Inc., who presented at an electronic backup and cloud conference called “The Truth About Backup.”  He led a session delving into the implications of storing information and eDiscovery.

Adverse Inference

In a case which highlights the storage issue, Morgan Stanley was sued by Coleman Holdings.  Morgan Stanley had to produce emails, but the issue was that they had backup tapes in a wide array of backup and tape formats, as well as varying types of email, e.g. Exchange and Lotus Notes.  As a result, Morgan Stanley asserted that “email searches could be conducted only at enormous cost,” while the judge said “archive searches are quick and inexpensive. They do not cost ‘hundreds of thousands of dollars’ or ‘take several months.’”  Another issue that befell Morgan Stanley was that 1,423 backup tapes appeared after they said they had searched everything.

The result: Morgan Stanley simply had too many systems that were not easily aligned and searchable.  Technically, the adverse inference order entered March 1, 2005, “reversed the burden of proof on aiding and abetting and conspiracy elements [of the claims against Morgan Stanley] and included a statement of evidence of [Morgan Stanley’s] efforts to hide its emails to be read to the jury, as relevant to both [Morgan Stanley’s] consciousness of guilt and the appropriateness of punitive damages.” March 23, 2005 Order at p. 9.

Coleman Holdings was awarded $1.57B because Morgan Stanley had very poor backup policies and procedures.

Save Your Company Money:

Since not having data readily accessible and retrievable is a liability, here are a few points they outlined to assist:

  • Keeping multiple years of data in backup format costs more than keeping it in archive format due to the duplicate nature of email
  • Backups also cost much more to search than archives if you are given an e-discovery request
  • If keeping emails (or any data) for more than a year, it should be in an archive system, not a backup system
  • You must have an archive system that allows you to search in a matter

Other Highlights:

  • Do not keep anything unless you have reason to
  • Establish an expiration/deletion policy
  • Document the policy
  • Needs to include actual erasure, not just expiration
  • Follow the policy
  • Document that you’ve followed the policy
  • Do this now, before you get the request

The primary theme throughout this discussion was preparedness.  Establish clear policies, and build or use cloud systems that allow users to conduct simple searches to surface data that is relevant.  The key: remember that backup is for restoring data that has been completely lost, and archiving is for retrieving data which is used less frequently but is still fully accessible.

eDiscovery Software Solutions: Lessons Learned

By Joseph Raczynski

eDiscovery software solutions are invaluable in the litigation preparation process.  However, choosing a tool and implementing it poses challenges to law firms.  In the last session of ILTA 2013, a panel of William Kellermann of Wilson Sonsini, Chad Ergun of Gibson Dunn and David Hasman of Bricker & Eckler discussed the implementation of their discovery solutions, including the models and workflows.

Software Selection Process:

Wilson Sonsini chose the iPro e-Discovery suite based on some fascinating independent analysis.

They used a white paper written at George Mason University’s engineering program.  The premise is based on SysML.  The paper states, “SysML is a general-purpose graphical modeling language for specifying, analyzing, designing and verifying complex systems that may include hardware, software, information, personnel, procedures, and facilities.”  They applied the model to the software decision making process.  The selection process allowed for seamless workflow by establishing waterfalls for decisions and made the application defensible.

The other two firms, Gibson Dunn and Bricker & Eckler, both chose Relativity.  They based their decisions on the high level of support that Relativity offers, predictive coding, and that analytics were ready out of the box.  Lastly, both firms felt that the application could handle a range of document sizes from small to large.

Contract Negotiations:

The Gibson Dunn negotiations lasted two months.  While every member of the panel eschewed the subscription model currently en vogue, they accepted it as the current state of the e-Discovery business. In Gibson’s case, it was cumbersome figuring out how many seats of Relativity they needed. Their previous system, Concordance, did not track users.  Ultimately they started with 100-150 users to test acceptance, and now they are at 600 users.

Bricker was deeply concerned about the subscription model as well and therefore limited usage for fear of exceeding their user allotment.  If they did surpass their quota, this small firm would incur a $50,000 charge.

To underscore the general disdain for the subscription model, Wilson Sonsini weighed in as well.  They are troubled that subscriptions will become a consumption model.  The flaw in the consumption model is the inability to pass along the per gigabit pricing to their client.

Installations:

Gibson found the hardware necessary for Relativity difficult to comprehend because the variables, people and usage, can fluctuate.  Their answer was to virtualize their entire architecture.  They also used a SAN for storage, creating elasticity with memory and CPU for small and large cases.

Wilson Sonsini had a unique perspective.  For operational use they established a local server which was faster.  Staging data for them works in the cloud while the heavy processing of data is on an in-house solid state drive for speed.  Ultimately Wilson Sonsini cautioned about how long it can take to set up a server.  They suggested this can take weeks to build.

Actual Software Install:

All three firms echoed the same advice for the actual software installation:

  • Make sure you plan it out
  • Have a dedicated project manager at the firm and with the vendor
  • Get access to a knowledge base for the product you are installing and create one for yourself inside the firm
  • Confer with your peers on their experiences for installation
  • Test, Test, Test.

Lessons Learned:

The main theme of this conversation about orchestrating a software installation was planning.  Map everything and create templates on how users will interact with the application, their data, and the overall workflow.  They also reiterated that doing as much pretesting as possible, including load testing (i.e. 200 people hitting the service at the same time), is paramount.  Lastly, using tools like a project management Gantt chart will help determine dependencies and produce sequential alignment.

eDiscovery Trends: New Technology, Employment Effects & Native File Productions

By Joseph Raczynski

eDiscovery continues rapid technological evolution and significant adoption across law firms.  At this ILTA session David Cowen of The Cowen Group and Steven Clark of Lathrop & Gage facilitated an open discussion, with standing room only, on the hottest topics in e-Discovery.  The subjects covered in this forum were “New Technology Trends and Tools,” “Employment Trends,” and “Native File Productions.”

New Technology Trends and Tools

TAR (Technology Assisted Review) was discussed at length.  Everyone in the room understood the importance of these types of tools in discovery, which create efficiency and better results.  Multiple firms had utilized TAR to prioritize linear review.  The goal is to help establish focus for later human review.  However, the inescapable theme was fear of TAR.  The trepidation surrounded the importance of proper identification of documents and review.  Firms lack in-depth experience with these tools.  Ultimately it was discussed that education should assuage these fears while people continue to test TAR.

Some other trends with technology and e-Discovery included:

  • Predictive Coding: the biggest challenge is defensibility of using it and how much it can be trusted.
  • Firms are relying on partners/vendors to help train and make sure the e-Discovery tools work
  • e-Discovery consultants are being hired more
  • In the future the use of tools will target specific datasets rather than hitting all of the information as most do currently

Employment Trends

With all of the adoption of new technologies there are many impacts on employment. There was a flurry of important points discussed.

  • 50,000 law students graduated in 2012 and there were 15,000 law jobs available
  • Many new positions are being created as they relate to the new technology tools
  • Salaries are falling. There is a glut of people in the business, many of whom may not have the newer skills
  • A talent flow issue has popped up. Many attorneys are coming into law firms from outside the law firm world. Some are coming from the consultancy world of PWC and Kroll while others were previously vendors dealing with the technical piece.
  • In 2009 one law firm processed 45 TB of information using 165 people. Today the firm would need 30-35 people to handle the same amount of data.
  • Certifications are fine, but most of the firms that spoke would prefer real experience in e-Discovery.
  • The MVP in a law firm now is the triumvirate: a legalist, technologist and project manager

Native File Productions

Another hot topic discussed pertained to the use of native files in production of e-Discovery.  One individual mentioned that native files make little sense to use.  He noted that they are expensive and unnecessary except for Excel or a few other formats.  The best solution is to use quasi native production as a viewer.  Since native is so expensive to produce, the best example illustrated was describing the difference between a picture in color versus black and white.  It might be nice to have color, but do you really need that for document review?  The economic aspect makes it cost prohibitive currently.

The overall sense from the discussion was that we are in a new age of discovery.  The effects of these technologies are far reaching.  It is altering the business of law at firms impacting employment, resources, education, and efficiency.  As with any transformative technology there will be some discomfort but ultimately firms will be stronger and clients better served with e-Discovery tools.

State of the eDiscovery Software & Service Market

By Joseph Raczynski

eDiscovery has matured into a petulant toddler.  At least, that is the sentiment of a panel discussing the “State of the eDiscovery Software & Service Market” at LegalTech.  Since its inception in December 2006 as an amendment to the Federal Rules of Civil Procedure (FRCP), electronic discovery has grown exponentially; however, the means to harness and extract pertinent discovery has not evolved in line.  This is rapidly transforming.

Technology will nurture eDiscovery into maturity.  According to the panel, law firms and corporate counsel will better utilize technology with all forms of eDiscovery.  These types of eDiscovery data, including voice, video, and real-time streaming, coupled with the sheer volume and the speed of accessibility, are simply too overwhelming for human consumption.  Technology is the answer, but how?

The answer lies in what trends we will see in 2013:

  • A rapid increase in corporate migration of unstructured ESI to SharePoint and cloud repositories;
  • Steady increase in SaaS;
  • Predictive coding competition heats up;
  • How to collect new forms of ESI like social media and mobile device content;
  • More focus on Information Governance (IG) activities like defensible deletion, while IG initiatives will seize on opportunities to clean up expired and/or redundant information;
  • Legal departments will struggle with application of selective preservation; and
  • Requests for social media will increase, but gathering information will still remain challenging.

What law firms plan on initiating in the next year:

  • 26% Big Data governance;
  • 36% Cloud Computing;
  • 39% Social Media Governance;
  • 52% Shared Drive cleanup; and
  • 38% Formalized Legal Hold.

Ultimately, the panel suggests that law firms will be replacing a large portion of internal litigation support services, i.e. processing, hosting, and support, with managed services partners.

Final anecdote:  Howrey, one of the largest law firms to collapse a few years ago, always has been cited for accounting issues as the basis of its demise.  However, one person noted that a little known major contributing factor was that they were “eDiscovery inept.”  Essentially, vendors had better eDiscovery solutions, and Howrey spent too much on human resources instead of technology for its discovery needs.

Social Media & eDiscovery: The Water Is Rising 

Lawyers are mired in the immensity of eDiscovery materials.  Enter into the quagmire social media, which in part encompasses Facebook, Twitter, YouTube, and LinkedIn, creating a massive flood of discoverable data.  At LegalTech, Michael E. Lackey, Jr., Partner at Mayer Brown, Jack Halprin, VP of eDiscovery and Compliance at Autonomy, and the Honorable David J. Waxse of the US District Court District of Kansas dove into various topics surrounding social media and eDiscovery.  Some of the issues they explored included: whether social media is discoverable, how to handle it, and the challenges of social media.

Social media can be discoverable.  According to Michael Lackey, the Federal Rules of Civil Procedure (FRCP) define a document as “any designated documents or electronically stored information…”.  Therefore Social Media Sites (SMS) can be considered discoverable if relevant and within that definition.  One important point that the Judge mentioned was that “lawyers are treating social media differently than normal discovery, which is wrong.”

Since 75% of the Fortune 100 companies are using social media and the Library of Congress is recording every tweet, the panel examined how to handle the data.  Firms are taking one of three tactics: Block, Punt or Tackle.

Block: The firm prevents all access for employees; however, typically employees find work-arounds.  In addition, most firms are actually using social media so that makes the policy cumbersome.

Punt: Other firms are actually doing little to nothing to regulate.  This will leave the organization open to risk.

Tackle: Increasingly firms recognize a need to add social media to corporate information and governance. These groups realize social media is here to stay, that data is discoverable, and see the negative effects of not having a policy.

Technologists and attorneys must deal with the challenges of social media itself.  They have to consider the complexity, massive volume, informality of the conversation, anonymity of users, and lastly the transient and dynamic nature of the medium.  With respect to the informal and dynamic nature mentioned, the panel pointed out that words can be interpreted in multiple ways given variances in culture, language and age.  They gave an example that the word “dog” could be interpreted as an animal, as a negative connotation, e.g. that stock is a dog, or as vernacular, “He’s my dawg”.  Multiple meanings complicate this process.

Technology is the solution in dealing with the challenges of properly understanding and organizing this discovery.  Judge Waxse stated, “Lawyers need to be convinced that technology has to be used now.”  The sheer challenge of volume, web content, conversational text, and slang necessitates highly scalable algorithmic technologies.

These technology tools should:

  • Be language independent
  • Have the ability to dynamically understand slang and abbreviations
  • Scale to manage ever growing volumes of data
  • Be able to cull through all media including audio and video

Ultimately social media can be discoverable.  Law firms must take an active role in creating an information governance plan thus becoming proactive in addressing any possible issues that could arise.  Lastly, technology should be utilized to help unearth and understand the volumes of information that are now within the realm of discoverable.