Here’s Your Primer

1. Explaining a SIEM in Simple Terms (Kind Of …)
2. What Kind of Things Can a SIEM Do for Law Firms?
3. What Are the Core Functions of a SIEM?
4. What Are the Benefits of Using a SIEM for a Law Firm?
5. How Does a Law Firm Implement a SIEM?
6. How Much Will a SIEM Cost Your Small Law Firm?
7. The Role a SIEM Will Play for Your Law Firm

Explaining a SIEM Briefly in Simple Terms

It isn’t easy to explain it simply, but here we go. SIEM — pronounced “sim” — is an acronym for “security information and event management.” In the simplest terms, it is a security solution that detects threat activities before your law firm is significantly impacted. SIEMs can detect, analyze and, most importantly, respond to security issues.

SIEMs harvest log data from many sources, performing the sorcerer’s trick of identifying activity that is not normal with real-time analysis. Best of all, it can take action without human involvement — the need for human involvement slows everything down. Like so much technology, SIEMS have morphed over the last few years and now they detect threats and respond to them faster and with more assurance that they are taking the correct action with the aid of artificial intelligence.

What Kind of Things Can a SIEM Do for Law Firms?

Here’s one example of what a SIEM can do quickly. It can flag a user account as suspicious when it generates 25 failed login attempts in 25 minutes but it would likely be regarded as a lower priority because the attempts were likely made by a user who forgot their login information. However, a user account that generates 130 failed login attempts in five minutes would be tagged as a high-priority event because the most likely explanation is that a brute-force attack is taking place against your law firm.

Another example is impossible travel.

After one successful login, there might be a second successful login from an IP address that would indicate an impossible travel time. For example, perhaps the second login is over 2,500 miles away and occurred five minutes after the first one. It may be that the user is utilizing a VPN, and the access is valid. It most certainly doesn’t involve the use of a Star Trek transporter to cover the distance, but rather, it may be an attacker who obtained valid user credentials.

What Are the Core Functions of a SIEM?

This is the hard part, so bear with us. SIEMs vary in their capabilities, which means you must pay attention to what any particular SIEM platform offers. However, the core functions are these:

1. Log management. SIEMs harvest vast amounts of data in a central location, organize it, and then determine if there is data indicating a threat, an actual attack or a breach.
2. Event correlation. This basically means the SIEM will sort the data to identify relationships and patterns, which allows it to identify security incidents across your law firm’s network, which permits fast detection and response to possible threats.
3. Incident monitoring and response. In brief, a SIEM will monitor security incidents across a law firm network, providing alerts and audits of all activity connected to an incident.

What Are the Benefits of Using a SIEM for a Law Firm?

Law firms have an ethical duty to protect their confidential data. Law firms of all sizes must take reasonable steps to reduce cybersecurity risks and meet regulatory compliance standards.

SIEMs are the best way to strengthen a law firm’s cybersecurity, offering the following:

• A view of potential threats.
• Real-time threat identification and rapid response, which minimizes damage to the law firm.
• Highly advanced threat intelligence.
• Regulatory compliance auditing and reporting.
• A LOT more transparency monitoring users, applications and devices.
• In the event of a breach, it can perform a detailed forensics analysis.

How Does a Law Firm Implement a SIEM?

Here are some of the elements involved in implementing a SIEM:

• Define your requirements for SIEM deployment. You will likely need the assistance of your managed service provider or your in-house IT/cybersecurity employees.
• Once you install it, do some test runs.
• Make sure you’ve got a sufficient amount of data for testing purposes.
• Having a SIEM is not a guarantee that you won’t have incidents or suffer a breach, so make sure you have an incident response plan — just in case!
• As improvements become available for your SIEM, integrate them.How Much Will a SIEM Cost Your Small Law Firm?
• Not as much as you might think. While pricing will vary for the various SIEM solutions, look for offerings that are cloud-based and priced on a per-user basis. Such solutions should cost around $10 per user per month — which is very affordable even for a solo attorney.

The Role a SIEM Will Play for Your Law Firm

Having a SIEM is an integral part of a firm’s cybersecurity. Most law firms these days have a managed IT/cybersecurity provider. A SIEM gives that provider a central place to collect and analyze volumes of data, streamlining security workflow. Additionally, it has operational capabilities such as compliance reporting, incident management, and sophisticated dashboards that prioritize threat activity.

It is endlessly frustrating to hear law firms say they choose not to install a SIEM for budgetary reasons. Though we sound like a broken record, we often tell our client firms, “If you can’t afford security, you can’t afford a breach.”

And trust us, the breach is far, far more costly.

Authors and Contributors

Sharon D. Nelson is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA. snelson@senseient.com.

John W. Simek is vice president of Sensei Enterprises. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) and a nationally known expert in digital forensics. He and Sharon provide legal technology, cybersecurity and digital forensics services from their Fairfax, Virginia, firm. jsimek@senseient.com.

Michael C. Maschke is the CEO/Director of Cybersecurity and Digital Forensics of Sensei Enterprises. He is an EnCase Certified Examiner and a Certified Computer Examiner. mmaschke@senseient.com.