Published: 10th October 2023
Founded in 1846, Bird & Bird is an international law firm with over 1,400 lawyers in more than 30 offices across Europe, the Middle East, Asia-Pacific and North America. The company’s vision is to be “the number one law firm in the world for organisations being changed by technology and a digital world”.
With thousands of clients in a wide spectrum of industries, they decided to transition their systems, applications and vast stores of client data into the cloud to gain all the advantages of speed, agility, responsiveness, automation and security that the powerful cloud computing ecosystem would give them.
In all, their relatively small in-house security team protects 3,400 users in 32 offices around the globe, and secures 700 servers in three data centres as well as a hybrid onsite/Azure cloud environment.
Ready to transition to the cloud
Once their team had designed a strategy to move to the cloud and completed all the necessary preparations, including buying the Microsoft E5 licence and installing encryption key management solutions to manage keys in Azure, Office 365 and other legal technology products, they could step forward. On reviewing which security tools they needed, Microsoft Sentinel made perfect sense as the cloud-native Software-as-a-Service (SaaS) Security Information and Event Management (SIEM) system.
However, Bird & Bird’s technology leadership wanted the security team to stay lean, mean and efficient. Their main aim was to achieve effective security in the cloud, not build a much larger team of professionals to keep up with the ever-evolving cyber security landscape. They needed a first-class security partner to enable them to take the leap while keeping their clients’ information and their own business’s data secure around the clock. So they began a process to find and assess potential security partners.
They put their challenge to Microsoft, who suggested talking to Quorum Cyber. After initial discussions, the two companies ran a one-month trial which was extended into a longer-term contract for the Microsoft Sentinel Managed Detection & Response (MDR) service. With this service, Quorum Cyber’s Security Operations Centre (SOC) team, which is based entirely in the UK, monitors, detects and responds to alerts and potential incidents 24 hours a day, every day of the year.
The team’s biggest challenge was moving to the cloud securely and maintaining that security at the highest level regardless of the evolving threat landscape. Law firms’ reputations depend on them securing their clients’ data. One breach could potentially undo decades of work building up their strong reputation worldwide.
A million times more detail
“Before we had monitoring, logging and encryption capabilities there was no way we could move client data to the cloud,” says Martyn Styles, Head of Information Security at Bird & Bird. “It would not be right and our clients wouldn’t allow it.
“In my opinion, security and data protection in the cloud is a lot more capable than most on-site systems. I didn’t have much security telemetry from our co-location data centres prior to moving to cloud. Now we’re in the cloud I can tell exactly who’s accessing what, where they are accessing it from and which devices they are using. The logging, alerting and reporting I get from the cloud is a million times more detailed than on-site solutions and we’re quite confident that we can tell when someone who is not authorised to access our data is trying to access it. We get an instant notification, Quorum Cyber do too, so together we can investigate it.”
Martyn adds that busy lawyers, who are often on the move and who may be checking information while travelling or when on holiday anywhere in the world, could try to access data at any time of the day or night through the company’s systems. Any effective security solution must allow the right people to have access to the data they need, at the right time. His team can check that access is valid and permitted by an authorised user, and not a threat actor trying to break in.
Around-the-clock monitoring and defence
“We feel that Quorum Cyber provides us with a cost-effective 24x7x365 security operations centre, whilst providing our global technology networks and cloud services environment with rapid security incident response,” says Martyn.
Once on-boarded into the SOC, Bird & Bird was placed under the supervision of a qualified team of cyber security analysts who provide security maturity assessments, vulnerability management and threat monitoring to constantly check for weaknesses across the large hybrid IT estate.
“We were very impressed by both the speed and attention to detail when we were onboarded onto the SOC,” says Martyn. “Log message configurations have been continually tuned to optimise security alert monitoring and reporting as we have upgraded existing applications and onboarded new log sources over time.”
Cybercriminals are notorious for continually adapting their tactics, techniques and procedures (TTPs) to probe organisations for weaknesses. So while the SOC team uses automation to help cope with the large volume of signals, human creativity and imagination are required to defend the law firm against threat actors who are trying to infiltrate them.
Teamwork, trust and transparency
Trust and transparency are crucial. Everybody in the partnership needs to trust all components of the technology, and they need to trust that everybody else in the team is using the technology to strengthen cyber resilience and reduce risk.
So, to see any incidents that the SOC team is dealing with in real time and to check the status of the security across their estate, Martyn’s team has 24×7 access to the customer portal, Clarity. Not only can they see all the key information related to their service in one place, but the tool also gives suggestions about how security could be improved. “Clarity is very easy to use, and I often export data from it when I’m preparing monthly service reports for the team,” says Dan Fleming, Information Security Specialist at Bird & Bird.
The plethora of tools involved in defending an organisation’s assets can get pretty complicated. But the business relationship needn’t be. To keep the relationship simple and efficient, Bird & Bird has a single Service Delivery Manager (SDM) who holds regular meetings with the law firm’s security team.
“It feels very much like Quorum Cyber, who we work very closely with every day, is an extension to our team. Our other partners work closely with them too – it’s a symbiotic relationship.”
Cybercriminals rely on the element of surprise and often try to breach organisations in places they would least expect. To thoroughly check that the SOC is picking up every alert worth investigating, in every nook and cranny of their IT ecosystem, Martyn’s team also run their own security tests – without notifying the SOC team when and where they are doing it.
“These simulations test the detection technology and keep everyone on their toes,” says Martyn. “It rings alarm bells that the SOC team then reports back to us. I’d be concerned if they missed anything but so far, I’m happy that they have passed all our tests. They are often ‘belt & braces’ to our own security. Alert fatigue can mean people miss something, but we’re confident that nothing’s been missed.”
Lean and mean cyber security
Before embarking on the long-term partnership, Bird & Bird couldn’t move their clients’ sensitive and confidential data to the cloud to secure it to today’s gold standard. In the past year the partnership has significantly strengthened the overall security of the law firm and given them the confidence and peace of mind that all their clients’ data is safe from the frequent attempts they see by threat actors to break in.
Data security is one of the pillars of safeguarding Bird & Bird’s reputation as a trustworthy and reliable company to look after clients’ data, wherever their 1,400 lawyers are working and travelling around the world.
“The MDR service allows our team to remain lean and mean and we intend to stay that way,” concludes Martyn. “To run this service ourselves, we would need to employ a number of SOC engineers and threat analysts and it’s not our strategy or intention to build a larger in-house team. The SOC team allows me to sleep at night, knowing that we’re protected around the clock. We don’t work 24 hours a day, but hackers do.”