
How Law Firms Strengthen Network Security: Real-World Prevention, Protection, & Automation

Published March 24, 2026


Between escalating cyber threats, heightened regulatory and underwriter scrutiny, and uncompromising client expectations, law firms today face a uniquely interconnected set of security-related pressures. Even as the average firm increases technology spending by about 10%, security leaders are grappling with new and persistent challenges, with the bulk of investments geared toward AI-enabled efficiency tools – a signal that new protection gaps may lie ahead, as 87% of organizations report rising cyber risks due to AI vulnerabilities.  

The solution isn’t faster response or better detection – it’s proactive defense that makes law firms resilient against attacks, even with lean teams. Alex Eames, Director of Information Security and Architecture at Cravath, Swaine & Moore LLP, joined Nicholas DiCola, SecurityJedi and VP of Customers at Zero Networks, to discuss how law firms are rethinking network security in a session designed to help legal industry security leaders force-multiply their strategies and defend against modern threats.  

Get key takeaways from the conversation with a real-world look at how law firms are moving beyond reactive detection toward proactive protection, automated containment, and layered, identity-driven defense. 

Why Detect-and-Respond Security Models Fail Law Firms 

An honest assessment of the current threat landscape should cause every security leader in the legal sector to take a closer look at their current strategy.  

Nicholas DiCola: Ransomware is up about 100% since 2024. Breaches reported globally have climbed 660% since 2021 – and that's just what gets reported. We're spending more on cyber, but attacks keep going up and the cost of those attacks continues to rise. This math isn't great. 

The root cause isn't a lack of investment – it's a misalignment in strategy. The security market has over-indexed on detection, with most organizations deploying EDR, XDR, and SIEM solutions that generate enormous alert volumes but still leave attackers free to spread once they're inside. Only 30% of alerts generated translate to real risk reduction, while a single compromised system typically gives attackers access to 85% of the environment in one hop.  

Nicholas DiCola: Nearly one in five ransomware attacks has some data exfiltration within the first hour of compromise. You're dependent on detection technologies catching this in a very, very quick manner, and sometimes they don't. Attackers are very successful because of it. 

Real-world examples such as the Akira ransomware attack bring the shortcomings of reactive security into focus – although EDR detected the initial compromise, the attacker pivoted to an unprotected web camera and used it to laterally move via SMB across many assets in the environment, bypassing the detection entirely. 

Nicholas DiCola: We've seen a lot of ways attackers are evading detection now using lateral movement with other devices. Once an attacker is in, you have to assume breach. The networks are too open, and accounts have too much permission. It's just the way networks were built from the ground up. 

Shifting from Reactive Response to Proactive Protection with Microsegmentation  

The solution for law firms balancing precise customer expectations, mounting regulatory requirements, and rising insurance scrutiny is a fundamental shift from reactive to proactive: comprehensive microsegmentation layered with granular identity-based controls and automated policy enforcement. 

Nicholas DiCola: It’s time to really shift out of reactive and embrace proactive security strategies around prevention. Microsegmentation means putting a bubble around every host and only allowing the things in that are needed, and escalating anything that's privileged with MFA. If you do this and an attacker gets in, the lateral movement breach goes down. Once they're in, they're not able to move. 

As DiCola summed up simply: in a properly segmented environment, one compromised machine equals none compromised – because the attacker has nowhere to go. 

Nicholas DiCola: If an attacker gets in and they can't laterally move, where do they go? They leave. They go to the organization where they can actually laterally move, because that is their intent. 

But microsegmentation has historically come with a significant catch: legacy solutions are incredibly complex to implement and maintain at scale. That complexity led Alex Eames and Cravath on a journey to upgrade their microsegmentation. 

Real Law Firm Journey: From Legacy Tools to Automated Defense 

Cravath used a manual endpoint firewall for many years – and by most measures, they were ahead of the curve. They had invested significant time and effort in building granular firewall policies on critical servers and workstations, but this labor-intensive approach had a fundamental ceiling. The firm therefore set a list of goals that will be familiar to many legal-industry security leaders:

  • Reduce manual firewall management effort 
  • Simplify reporting, auditing, and logging 
  • Increase compliance for firewall deployment 
  • Tighten rules on lower criticality systems 
  • Streamline policy creation for new servers 

Alex Eames: Realistically, it wasn't a sustainable solution for us. We couldn't keep up with the policy development for the entire server fleet, so we had to focus on protecting our most critical assets. There really wasn't much product innovation. We were hitting a wall – no Linux support, couldn't go into a central log very easily. We had to develop all these other methods of getting traffic logs and doing rule development and analysis. 

These challenges weren’t unique to the law firm’s existing solution. When Cravath evaluated other microsegmentation solutions on the market, a similar pattern of complexity and manual burden emerged.  

Alex Eames: Over the years, that led us to looking at these “higher end” microsegmentation solutions, but every time we looked at them, even though they solved some of the issues we were having, you still had to do a lot of manual rulemaking to make those products do what we'd already done. Plus, there'd be this big switching cost and effort. So, we prioritized other projects and security investments and stuck with what we had. 

After deprioritizing a microsegmentation initiative, the law firm eventually revisited its solution search with a tight focus on host-based network firewalls. Their initial priorities were automation, efficiency, and a minimal footprint on systems; during the vendor evaluation process, Eames learned how a more comprehensive capability set could benefit the law firm.  

Alex Eames: Once we started looking at the current landscape of products, we learned about features like MFA challenges for network connections. We didn't even know that service account segmentation or RPC firewall were things that could be done. Once we learned about those capabilities, our goals for our firewall project went beyond network and started getting to accounts and RPC as well. 

Comprehensive Protection: A Multi-Layered Approach to Law Firm Cybersecurity  

Stopping lateral movement requires more than network segmentation alone. Law firms need a more holistic approach that protects every axis of network traffic, operating across multiple layers.  

Microsegmentation is the foundation: putting a firewall on every host, blocking inbound traffic, and only allowing what's explicitly needed. But even with that in place, identity gaps remain. 

Nicholas DiCola: Identity segmentation is really about limiting where accounts can log in in the environment. Your typical Active Directory user account can log into pretty much everywhere unless you specifically block it. Service accounts are the same – someone adds a service account to a SQL server, and it's supposed to be used only there, but it's very hard to go block it everywhere else. Implementing this and actually limiting identity in the environment is near impossible with the current tools. 

Another key protective layer for law firms addresses RPC – a protocol that's notoriously difficult to control because it must remain broadly open to support services like Group Policy, DFS, and domain authentication. In fact, 71% of threat activity flows through just four admin protocols – RPC is one of them.  

Nicholas DiCola: RPC is the attacker's shortest path to a domain controller. If they get to a domain controller and own it, they theoretically own everything in the domain. You have to leave it open at the network and identity layer, so attackers love it. There are already many tools that take advantage of RPC because they know you have to leave it open. 

The solution is protocol-layer enforcement – by leaving RPC open on the network and identity layers but filtering specific RPC functions, like DC sync operations, organizations can prevent exploitation without breaking the legitimate services that depend on the protocol. 
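To make the three layers concrete, here is an added example of a toy policy evaluator that applies them in order: a default-deny inbound allow-list per host (microsegmentation), a per-account login restriction (identity segmentation), and an interface/operation filter that keeps the RPC ports open but blocks replication requests from anything that is not a domain controller (RPC firewall). This is illustrative code written for this recap, not Zero Networks' policy model or code; the host names, accounts, ports and rules are constructed, and the DRSUAPI interface UUID and the DsGetNCChanges operation number come from the public MS-DRSR specification rather than from the session.

```python
"""Toy three-layer evaluator (added example, not vendor code).

Layers, checked in order: network allow-list -> identity allow-list -> RPC
function filter. All hosts, accounts and rules below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# MS-DRSR replication interface and the DsGetNCChanges operation number that a
# DCSync-style replication request invokes. These constants are taken from the
# public MS-DRSR specification; they are not on the page.
DRSUAPI_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"
DRSUAPI_DSGETNCCHANGES_OPNUM = 3


@dataclass(frozen=True)
class Flow:
    src_host: str
    dst_host: str
    dst_port: int          # illustrative; real RPC uses dynamic ports
    account: str
    rpc_uuid: Optional[str] = None
    rpc_opnum: Optional[int] = None


@dataclass
class Policy:
    # Layer 1: dst_host -> allowed (src_host, dst_port). Default-deny inbound.
    network_allow: Dict[str, Set[Tuple[str, int]]]
    # Layer 2: segmented account -> hosts it may be used from. Accounts not
    # listed are unrestricted, matching the "can log in anywhere" default.
    identity_allow: Dict[str, Set[str]]
    # Layer 3: (interface uuid, opnum) -> callers exempt from the block.
    rpc_filter: Dict[Tuple[str, int], Set[str]]


def evaluate(policy: Policy, f: Flow) -> Tuple[str, str]:
    """Return ('allow' | 'deny', name of the layer that decided)."""
    # Layer 1: anything not explicitly allowed inbound to dst_host is dropped,
    # which is what stops an unmanaged device from reaching SMB on a server.
    if (f.src_host, f.dst_port) not in policy.network_allow.get(f.dst_host, set()):
        return ("deny", "network")
    # Layer 2: a segmented (e.g. service) account used from a host outside its
    # allowed set is refused even though the network path is open.
    allowed_hosts = policy.identity_allow.get(f.account)
    if allowed_hosts is not None and f.src_host not in allowed_hosts:
        return ("deny", "identity")
    # Layer 3: RPC stays reachable, but a filtered (interface, opnum) pair is
    # only accepted from exempted peers such as other domain controllers.
    if f.rpc_uuid is not None:
        key = (f.rpc_uuid.lower(), f.rpc_opnum)
        if key in policy.rpc_filter and f.src_host not in policy.rpc_filter[key]:
            return ("deny", "rpc")
    return ("allow", "all")


def sample_policy() -> Policy:
    """Constructed policy for a small, hypothetical AD environment."""
    return Policy(
        network_allow={
            "dc01": {("dc02", 135), ("dc02", 445), ("dev-ws-7", 135),
                     ("dev-ws-7", 445), ("sql01", 445)},
            "sql01": {("app01", 1433), ("dev-ws-7", 3389)},
            "file01": {("dev-ws-7", 445), ("app01", 445)},
        },
        identity_allow={"svc_sql": {"sql01"}, "svc_backup": {"backup01"}},
        # Replication requests are accepted from dc02 only.
        rpc_filter={(DRSUAPI_UUID, DRSUAPI_DSGETNCCHANGES_OPNUM): {"dc02"}},
    )


if __name__ == "__main__":
    pol = sample_policy()
    for flow in (
        Flow("cam-lobby", "file01", 445, "guest"),             # unmanaged device -> SMB
        Flow("dev-ws-7", "dc01", 445, "svc_sql"),              # service account off its host
        Flow("dev-ws-7", "dc01", 135, "da_admin",
             DRSUAPI_UUID, DRSUAPI_DSGETNCCHANGES_OPNUM),      # replication from a workstation
        Flow("dc02", "dc01", 135, "DC02$",
             DRSUAPI_UUID, DRSUAPI_DSGETNCCHANGES_OPNUM),      # legitimate DC-to-DC replication
    ):
        print(flow.src_host, "->", flow.dst_host, evaluate(pol, flow))
```

The ordering matters for the DC sync case: the domain admin account passes the identity layer and port 135 is open on the network layer, so only the third layer, keyed on the replication interface and operation rather than on the port, refuses the request from the workstation while still allowing dc02 to replicate.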

Building a Self-Defending Network Architecture 

After being introduced to identity-based microsegmentation, the law firm expanded its objective and rapidly strengthened its security posture: within eight months, all workstations and non-critical servers were segmented, over 200 service accounts were fully protected via identity segmentation, and the RPC firewall had been rolled out across all domain controllers. The key capability that made it possible? Automation.

Alex Eames: You let the product analyze everything that's happening before you implement blocking-level policies. I would say probably 80% of the rules that exist in the system are the learned rules we're relying on now. 

The comparison to their previous posture was stark. Non-critical servers that were previously under-protected because of the manual effort required are now better secured, and their identity controls are materially stronger. 

Alex Eames: On the identity side, we didn't have that capability at all before. We've seen in logs scenarios where a developer launched a web browser on their workstation using service account credentials they checked out from the PAM system. You're not supposed to be doing that, but there's nothing that blocks them until you implement something like [identity segmentation].  

Meanwhile, by layering RPC firewall on top of a granularly segmented architecture, the law firm precisely closed one of the highest-risk attack paths in the environment.  

Alex Eames: One of the key [risks] is DC sync. If you run a pen test or have an attacker in your network, one of the goals of privilege escalation is: if I can get to domain admin and talk to the domain controllers, I can run this DC sync command and make a copy of Active Directory on an attacker-controlled system. Now you've got a full copy of AD – all user accounts, all password hashes. Having protections in place against that was a big improvement in our internal network security posture. 

Critically, automation doesn’t just enable law firms to implement microsegmentation quickly; it also unlocks adaptive policy creation and enforcement without risking business continuity.  

Alex Eames: Given the conservative nature of the rules, I have yet to really see a case where the learning and auto segmentation process breaks something. You're going to have 80% of the security protection benefit just through the automation. 
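The learning-then-enforce workflow Eames describes above (observe traffic first, derive conservative rules, only then block) can be sketched in a few dozen lines. This is an added example written for this recap, not the vendor's learning engine: it parses a constructed traffic log, baselines only exact (source, destination, port) tuples seen repeatedly, surfaces one-off flows for human review instead of auto-allowing them, merges the learned rules with a handful of manual ones, and then enforces. The log lines, host names, ports and the `min_count` threshold are all constructed for illustration.

```python
"""Learning-mode rule generation and enforcement (added example, not vendor code)."""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]  # (src_host, dst_host, dst_port)

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

# Constructed traffic log from a learning window; nothing is blocked yet.
OBSERVED_LOG = """\
2026-03-24T08:00:01 src=app01 dst=sql01 dport=1433 action=observe
2026-03-24T08:00:05 src=app01 dst=sql01 dport=1433 action=observe
2026-03-24T08:01:10 src=dev-ws-7 dst=file01 dport=445 action=observe
2026-03-24T08:01:12 src=dev-ws-7 dst=file01 dport=445 action=observe
2026-03-24T08:02:30 src=backup01 dst=file01 dport=445 action=observe
2026-03-24T08:02:31 src=backup01 dst=file01 dport=445 action=observe
2026-03-24T08:03:00 src=scan-tmp dst=file01 dport=445 action=observe
"""

# Hand-written rules for paths the learning window would not see (constructed).
MANUAL_RULES: Set[Flow] = {("admin-jump", "dc01", 3389)}


def parse_flows(log: str) -> List[Flow]:
    """Extract (src, dst, port) tuples from each log line; skip malformed lines."""
    flows: List[Flow] = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            flows.append((m.group(1), m.group(2), int(m.group(3))))
    return flows


def learn_rules(flows: List[Flow], min_count: int = 2) -> Tuple[Set[Flow], Set[Flow]]:
    """Baseline exact tuples seen at least min_count times.

    Rules are deliberately narrow (one source, one destination, one port) rather
    than subnet- or port-range-wide, and a flow seen only once is returned
    separately for review instead of being auto-allowed.
    """
    counts = Counter(flows)
    learned = {f for f, n in counts.items() if n >= min_count}
    review = {f for f, n in counts.items() if n < min_count}
    return learned, review


def build_policy(learned: Set[Flow], manual: Set[Flow]) -> Dict[Flow, str]:
    """Merge rules, tagging each with its provenance for auditing."""
    policy = {f: "manual" for f in manual}
    for f in learned:
        policy.setdefault(f, "learned")
    return policy


def decide(policy: Dict[Flow, str], flow: Flow) -> str:
    """Enforcement: default deny; only an exact rule match is allowed."""
    return "allow" if flow in policy else "deny"


def learned_share(policy: Dict[Flow, str]) -> float:
    """Fraction of active rules that came from learning rather than by hand."""
    if not policy:
        return 0.0
    return sum(1 for src in policy.values() if src == "learned") / len(policy)


if __name__ == "__main__":
    learned, review = learn_rules(parse_flows(OBSERVED_LOG))
    policy = build_policy(learned, MANUAL_RULES)
    print("learned:", sorted(learned))
    print("needs review:", sorted(review))
    print("learned share: %.0f%%" % (100 * learned_share(policy)))
    for probe in (("app01", "sql01", 1433), ("cam-lobby", "file01", 445),
                  ("scan-tmp", "file01", 445)):
        print(probe, "->", decide(policy, probe))
```

Two design choices carry the "conservative" point from the quote: the learned rules are exact tuples, so enabling enforcement cannot open anything that was not actually observed, and the single-occurrence `scan-tmp` flow is held for review rather than baselined, so a one-time anomaly during the learning window does not become a permanent allow rule.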

Engineering Network Resilience: How Law Firms Build Proactive Security with Zero Networks  

The endless cycle of patching, response, and recovery isn’t robust enough to stand up against today’s cyber threats, but legacy microsegmentation solutions that require endless manual tuning, complex deployments, and disruptive agents aren’t a sustainable option for law firms.  

Zero Networks eliminates the forced trade-off, delivering comprehensive protection without the operational headache or the risk of disruption. By tightly coupling identity and network enforcement, Zero helps organizations prevent attacks, minimize blast radius, and maintain business continuity, delivering a dynamic, multi-layered defense via automated, identity-based microsegmentation.

See for yourself how Zero Networks strengthens law firm security, protecting sensitive client data and billable hours without adding headcount or complexity – request a demo.