Law firm MinterEllison is refocusing its IT security effort and investment on endpoint protection on the expectation that remote work in its current form could persist for up to two more years.
Head of cyber and information security Sunil Saale told a webinar that COVID-19 had “completely changed the dynamics” of how the firm’s 2500 staff worked, and that in turn influenced its strategy and approach to security.
“We had our security strategy and security roadmap - everything - planned out and COVID threw a curveball, so we had to shift our investment and also our thinking to see how we are going to support our staff working remotely,” Saale said.
“Remote working is here to stay. We are expecting this to continue for at least another 1-1.5 years, if not two years.
“Everything that we were looking to invest in terms of network security we're rethinking to shift to endpoint security.”
Like other firms, re-establishing communication and collaboration for a fully remote workforce was a big early focus for MinterEllison.
“The federal and state courts moved to Zoom, BlueJeans, and Teams. They started using all these communication and collaboration platforms and started inviting our lawyers to jump on for court hearings,” Saale said.
“But all of our users run with standard user rights. They don't have admin rights, so now we had all these new technologies being pushed to be installed on our laptops.”
Saale said the company had been forced to draw lines around the use of some tools, particularly Zoom, as security issues with the platform emerged.
“We took a stand on Zoom, for example - when Zoom had these issues, we said we can't really use Zoom, so in what circumstances do we allow Zoom to be open in our network?” Saale said. “We had all these [types of] challenges.”
In general, MinterEllison is gravitating more towards cloud and software-as-a-service applications, accessed via two-factor authentication.
However, it is still dealing with a vastly different IT environment than pre-COVID.
Pre-COVID-19, “people weren't taking their laptops home” and mostly left the machines in an office.
Usage is also erratic.
“We use some behavioural analytics tools, which went completely crazy during COVID times because people's working patterns changed,” Saale said.
“The typical login behaviour that we used to see when someone worked from the office has changed. Now, people sometimes log in at 8am and sometimes we see the logins coming in at 8pm. As people are trying to balance their work and personal lives, their login behaviour and email behaviour has completely changed.
“We are still working on how we balance that because the [old] patterns are not valid anymore.”
Additionally, behaviour is more apparent - and controls more easily applied - when staff connect to MinterEllison’s corporate systems via VPN.
“But when someone disconnects off the VPN, we are reliant on their home wi-fi network. We have no visibility into their home wi-fi setup, so we have all these challenges around how we secure system access and data,” Saale said.
“How do you make sure that when they're not on VPN, they don't connect to some random website because they've been sent a phishing email?
“We have to beef up our endpoint security a lot, so that is quite a challenge.”
Saale said MinterEllison is using Secureworks’ Red Cloak threat detection and response (TDR) to provide some visibility around endpoint security.
“We generate around 2 billion events each month, and that number is only increasing,” he said in a video published earlier this year.
“With the help of Secureworks, we are able to crunch down that number to 20 to 30 high fidelity alerts, and that makes my team's job much easier.
“Having unparalleled access to threat reports [and] skill sets in the security domain helps us a long way in terms of how we run our security operations.”
However, in the webinar, Saale flagged more technologies that the company is looking at.
These investments had become a necessity, driven by stringent lockdowns in Victoria and the threat of similar lockdowns spreading to other locations where the firm operates.
Saale said that only in “extreme cases” - where a laptop blue-screens and needs re-imaging or replacement - did the firm ask staff to come into an office for IT assistance.
“Everything else - security patching, a new Office update - will be done remotely,” he said.
“We are looking at technologies where we can do split tunneling, where we can do internet-facing SCCM [System Center Configuration Manager], and [exploring] MicroVPNs.”
The firm is also looking at technology to enable it to keep data secure “even if the laptop is off-network”.
“Data now is more living on the endpoints, and endpoints can be on-network or off-network, so we are looking at technologies where we can be sure that even if the laptop is off-network, even if we have limited visibility of the laptop, the data is still secure,” Saale said.
In addition, while Saale said MinterEllison already had technology that it could use to “isolate a laptop if we suspect that laptop to have some sort of malware or malicious software [on it, or] any sort of suspicious behaviour [is detected]”, the company is unsure how it can lock down a computer remotely and still enable the staffer to be productive.
“In some cases, our staff have only one laptop,” he said.
“They don't have a spare desktop to work with, so ... if we isolate their laptop, they don't have any other ways to work, and they can't come into the office. We can't fully cut down their access. We're still working on how we deal with that.”
Wary of the uptick in COVID-related scams, particularly phishing, MinterEllison is taking a multi-layered approach to awareness and protection.
Saale said his team had worked hard to “educate users on how to identify a phishing email” and to reduce internal barriers to reporting it.
“We show them [examples of] real attacks that we have received and why it’s phishing,” he said.
“The real attack hits home because they know that someone within their organisation has seen this. It's not some random organisation out there that has received an email that anyone can receive.”
The company had also run phishing simulations on users, “specifically on COVID-19 scams”.
“It was a very interesting result,” he said, without elaborating.
The result led the company to offer new help topics via a monthly security awareness newsletter it sends to all staff.
“We had to change the topics to educate our users on home networks, data, and how to secure their own routers,” he said.
Saale said his team also wanted to ensure there weren’t any “barriers or frictions” that staff would encounter when trying to report a suspected phishing scam they had received.
And, to ensure that all suspect emails were being flagged, MinterEllison recently incentivised staff to make reports.
“We recently launched a phishing reward, so if someone reports a suspected phishing email, we put them into a pool to be eligible for a particular reward and we pick one winner each month,” he said.
“[We saw] an immediate increase in the number of reports of phishing emails. It was good because we started getting a lot of reports in.
“Some of them were spam, newsletters - it didn't matter. The main thing was that they were reporting it back to us and that in some cases they were able to identify [malicious emails].”