Law Firms are Raising the Bar on Cybersecurity

February 1, 2023 | 6 min read

Micah Heaton

Executive Director, Managed Security Center of Excellence


Managed Detection and Response (MDR) Coupled With Microsoft SIEM (Microsoft Sentinel) Plus XDR Provides Law Firms With Streamlined and Privacy-Centric Cybersecurity Options for 2023

In step with recent increases in threat actor activity against the legal industry, law firms are investing more time and attention in modernizing security operations. Both midsize and large firms are increasingly engaging cybersecurity partners to help detect, investigate, and contain potential breach activity, including support for incident response and digital forensics.

Securing Alert and Security Logs

An important requirement for many law firms is keeping control of their alert and log data, which includes granting external service providers access only on the principle of least privilege. Broader cloud adoption has given firms better options here. Services such as Azure Lighthouse, which lets a provider work inside the firm's own Azure tenant under delegated, scoped roles rather than through a copy of the data, can serve as core components of a wider zero-trust security architecture.

As a leading cybersecurity provider, BlueVoyant's detection and response architecture aligns directly with these access control requirements. Our approach to operating Microsoft technology within a law firm's environment is made possible by cloud services such as Azure Lighthouse, which provide granular, role-based, and auditable access control. This design keeps all raw log data, detection content, workbooks, dashboards, playbooks, and data connectors in the client's own Azure tenant, where the firm retains Global Administrator rights and can revoke the delegation at any time. That is also valuable for customers building in-house security expertise: their security teams can operate alongside BlueVoyant analysts in a co-managed model.
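What a least-privilege Lighthouse delegation of the kind described above looks like in practice, as an added example (not BlueVoyant's code or Microsoft's sample): the firm deploys a subscription-scope ARM template that names the provider's tenant and the exact built-in roles each provider group receives, and a small policy check rejects grants that are broader than an MDR provider needs. The tenant and group object IDs are placeholders; the role GUIDs are Azure's built-in role definition IDs; the rule that a standing Contributor grant is too broad is this example's policy, not a Lighthouse restriction.

```python
"""Azure Lighthouse delegation for an MDR provider, with a least-privilege check.

Added example; not BlueVoyant's code. Tenant and group object IDs below are
placeholders. Role definition IDs are Azure's built-in role GUIDs.
"""
import json
import uuid

# Azure built-in role definition GUIDs (identical in every tenant).
ROLES = {
    "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "User Access Administrator": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
    "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "Log Analytics Reader": "73c42c96-874c-492f-8b5d-ba6a4d5a7aa6",
    "Microsoft Sentinel Responder": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
    "Microsoft Sentinel Contributor": "ab8e14d6-4a74-4a29-9ba8-549422addade",
}
ROLE_NAMES = {guid: name for name, guid in ROLES.items()}

# Lighthouse does not accept Owner at all; User Access Administrator is only
# allowed for assigning roles to managed identities, which analysts never need.
BLOCKED = {ROLES["Owner"], ROLES["User Access Administrator"]}
# This example's own policy: a standing Contributor grant is not least privilege.
TOO_BROAD = {ROLES["Contributor"]}

PROVIDER_TENANT = "00000000-0000-0000-0000-000000000001"  # placeholder MSP tenant ID
ANALYSTS_GROUP = "00000000-0000-0000-0000-0000000000a1"   # placeholder group in MSP tenant
ENGINEERS_GROUP = "00000000-0000-0000-0000-0000000000e1"  # placeholder group in MSP tenant


def authorization(principal_id, display_name, role):
    """One entry of the registration definition's 'authorizations' array."""
    return {"principalId": principal_id,
            "principalIdDisplayName": display_name,
            "roleDefinitionId": ROLES[role]}


# Weak: one blanket Contributor grant for everyone at the provider.
WEAK_AUTHORIZATIONS = [authorization(ANALYSTS_GROUP, "MSP - All staff", "Contributor")]

# Scoped: analysts can triage and close incidents and read logs; only the
# detection engineering group can change rules, workbooks and playbook wiring.
SCOPED_AUTHORIZATIONS = [
    authorization(ANALYSTS_GROUP, "MSP - SOC analysts", "Microsoft Sentinel Responder"),
    authorization(ANALYSTS_GROUP, "MSP - SOC analysts", "Log Analytics Reader"),
    authorization(ENGINEERS_GROUP, "MSP - Detection engineering", "Microsoft Sentinel Contributor"),
]


def check_least_privilege(authorizations):
    """Return a list of findings; an empty list means the delegation passes."""
    findings = []
    for auth in authorizations:
        rid = auth["roleDefinitionId"]
        name = ROLE_NAMES.get(rid, rid)
        who = auth["principalIdDisplayName"]
        if rid in BLOCKED:
            findings.append(f"{who}: role '{name}' cannot be delegated through Lighthouse")
        elif rid in TOO_BROAD:
            findings.append(f"{who}: role '{name}' is broader than an MDR provider needs")
    return findings


def lighthouse_template(provider_tenant_id, authorizations, offer_name, description):
    """Subscription-scope ARM template that onboards the subscription to Lighthouse.

    Refuses to build a template whose grants fail the least-privilege check.
    """
    problems = check_least_privilege(authorizations)
    if problems:
        raise ValueError("; ".join(problems))
    reg_name = str(uuid.uuid5(uuid.NAMESPACE_DNS, offer_name))  # stands in for ARM's guid()
    definition_ref = ("[resourceId('Microsoft.ManagedServices/registrationDefinitions/', '%s')]"
                      % reg_name)
    return {
        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [
            {
                "type": "Microsoft.ManagedServices/registrationDefinitions",
                "apiVersion": "2019-06-01",
                "name": reg_name,
                "properties": {
                    "registrationDefinitionName": offer_name,
                    "description": description,
                    "managedByTenantId": provider_tenant_id,
                    "authorizations": authorizations,
                },
            },
            {
                "type": "Microsoft.ManagedServices/registrationAssignments",
                "apiVersion": "2019-06-01",
                "name": reg_name,
                "dependsOn": [definition_ref],
                "properties": {"registrationDefinitionId": definition_ref},
            },
        ],
    }


if __name__ == "__main__":
    print("Weak delegation findings:", check_least_privilege(WEAK_AUTHORIZATIONS))
    template = lighthouse_template(PROVIDER_TENANT, SCOPED_AUTHORIZATIONS,
                                   "MDR for Sentinel",
                                   "Scoped MDR access to the firm's Sentinel workspace")
    print(json.dumps(template, indent=2))
```

The firm, not the provider, runs the deployment from its own subscription (for example `az deployment sub create --location <region> --template-file lighthouse.json` with the JSON the script prints), and the resulting delegation is visible and revocable in the firm's portal under Service providers. Because the grants are to groups in the provider's tenant, the provider can rotate its own staff without the firm re-approving anything, while every action taken under the delegation is logged in the firm's own Azure activity log.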

Legal Firms and Sensitive Data

Acquiring or controlling sensitive data is usually the goal of threat actors targeting law firms, and that data is typically tied to specific clients or ongoing casework. Gaining access to, or maliciously encrypting, data related to mergers and acquisitions or pending litigation can directly damage both the firm and the client's business interests (and is therefore easy to leverage into ransom payments), and the data itself is valuable to the right buyer.

Threat actors often target:

  • Intellectual property
  • Detailed Personally Identifiable Information (PII)
  • Client confidential information
  • Sensitive human resource information, including employee files
  • Forensic data
  • Merger and acquisition data, financial information, and business records

An increasing number of law firms are standardizing on Microsoft 365 (M365) productivity and collaboration tools. Rapid advances in Microsoft security technologies such as Defender, Entra, and Purview make it practical to govern sensitive data and detect threat actors, and they have been welcomed by the legal industry.

BlueVoyant draws extensively on signals and telemetry from these Microsoft technologies in its Managed Detection and Response (MDR) service to identify malicious access attempts before they become a data breach.

Learn how to secure networks, endpoints, and cloud-based or on-premises apps and workloads for law firms in our solution spotlight, Defending Law Firms from Cyber Threats.

BlueVoyant also recommends that law firms build toward industry-standard security frameworks and controls, such as the Center for Internet Security (CIS) Critical Security Controls and Benchmarks, which help minimize the organization's attack surface and the opportunities for threat actors to gain access to its networks.

Cyber Insurance

The 2022 Zurich/Advisen Cyber Insurance study indicates that 86% of respondents now have cyber insurance, up three percentage points from 2021 and the highest share in the survey's history. About 83% of respondents say they have taken steps to assess their cyber risk, and 69% have invested in cybersecurity solutions to mitigate it. (1)

Cyber insurers face increasing difficulty determining risk and premiums for customers in many industries, and legal is no exception. Unlike most other lines of insurance, cyber risk is hard to price because threats are highly unpredictable, there is little historical data on threat trends, and risk is hard to measure and assess in a standardized way. There are, however, steps a firm can take to make adequate cyber insurance easier to obtain and its cost more manageable.

MDR providers, incident response teams, and law firms work as one to demonstrate compliance and help assess risk.

Teaming with an MDR provider to demonstrate a lower-risk security posture to your insurer or broker can help a law firm obtain the coverage it needs at a manageable cost. For example, BlueVoyant has worked with Microsoft to document the deployment, configuration, and management of Microsoft 365 Defender in specific client environments, thereby confirming a strengthened security posture with ongoing expert oversight.

Beneficial outcomes can include:

  • Reduced rate increases
  • Fewer concerns about coverage denial or restricted coverage
  • Insurers' security requirements for coverage met
  • Demonstrated digital forensics and incident response capability
  • An adequate, if not comprehensive, policy

BlueVoyant is recognized as a preferred cybersecurity vendor for many leading global insurers and brokers and is on over 20 insurance company panels.

Digital Forensics and Incident Response (DFIR)

Tightly coupled with cyber insurance are considerations around Digital Forensics and Incident Response (DFIR), including incident response planning. Incident response covers hunt operations, containment, and eradication of persistent threat actors within a network. Cloud-native digital forensics, investigations, digital evidence gathering, chain of custody, and secure evidence storage in the client environment help identify and analyze current and past threats. DFIR can extend to expert testimony that supports the client all the way to the courtroom.

Common DFIR use cases include:

  • Business email compromise and credential compromise
  • Compromise Assessments and Forensics
  • eDiscovery/eDisclosure
  • Employee Offboarding
  • Extortion/Blackmail
  • Government/Law Enforcement Notification
  • Data Exfiltration/Intellectual Property Theft
  • Pre/Post Mergers, Acquisitions, and Integrations
  • Phishing Investigations
  • Ransomware
  • Workplace Investigations/Insider Threat

Managing Costs While Improving Cybersecurity

A recent BlueVoyant-sponsored Pulse report on the cybersecurity challenges facing businesses of all kinds found budget constraints at the top of the list, followed by too many false-positive alerts and the complexity of dealing with a large number of vendors and technologies. (2)

Security tool sprawl is a well-known problem for CISOs, and integrating those tools is a substantial drain on engineering teams. Detection fidelity, automation, and orchestration are often limited too, so analysts waste time on false positives and on manually closing routine incidents that could be handled automatically. And when analysts have to wade through logs and alerts without clear metrics, threat intelligence, context, or correlation, it is difficult to identify meaningful patterns, attack paths, and intrusions across the organization's entire digital estate.

Our experience has shown that as firms move to the cloud, attention paid to data governance, security value, and detection methodology at the start of a project pays dividends in more manageable costs over time. Log generation, collection, analysis, and retention are classic examples of cloud costs that stay highly variable unless a plan is in place before migration: every table ingested into the SIEM is billed and retained whether or not any detection ever queries it.

Cybersecurity partnerships can reduce costs and resource constraints for SOC operations.

Key areas where external assistance can provide substantial benefits to law firms include:

  • Managing the day-to-day security operations workload, allowing for better allocation of team members’ time and effort
  • Identifying threats early in attack cycles to avoid the costs associated with data breaches
  • Streamlining and managing log ingestion costs by removing data sources that don't matter and optimizing those that do
  • Acquiring access to specialized knowledge in key security domains, including technology-specific expertise such as the Microsoft security stack

Many law firms are turning to BlueVoyant MDR to improve their cybersecurity posture.

At BlueVoyant, achieving a mature security posture is about more than analyzing alerts; it is about becoming an extension of our customers' IT and security teams. BlueVoyant MDR helps law firms remain secure, protect client data, and meet their compliance obligations. We also help our law firm clients retain control of their security data, and we offer services beyond MDR, including digital forensics, incident response, and litigation support.


(1) 2022 Advisen-Zurich survey illuminates growing cybersecurity concerns (Oct. 26, 2022). Retrieved Jan. 11, 2023.

(2) BlueVoyant-sponsored Pulse survey, Managed Detection and Response Strategies (Nov. 2022).