Case Study

Winthrop & Weinstine

Rapid7 Managed Detection and Response provides cybersecurity “eyes and ears” for leading law firm

Winthrop & Weinstine is ranked as one of the leading law firms in the United States. Representing 15 industries and scores of practice areas, including corporate/M&A, general commercial litigation and real estate law, its 130+ attorneys work round the clock to help their clients. IT Director Craig Wilson has been at the helm of the firm for 21 years, and over that time has seen the technology landscape transform.


• Maintaining strong security in a virtualized, remote work-enabled environment

• Staying on top of the volume of threats and alerts firms face today

• Preventing threats as early as possible in the attack chain


• As a virtual organization, they were able to reach 95% deployment of the Insight Agent, which collects data from across the entire IT environment

• The MDR team became the 24/7 “eyes and ears” Winthrop & Weinstine needed

• Honeypot technology in InsightIDR alerts on intruder activity, whether internal or external

Wilson’s mission has always been to make his end users as efficient and productive as possible, which is why the entire firm now runs virtualized servers and desktop infrastructure. This has been complemented with the introduction of iPads and OneNote accounts to support remote working, enhanced collaboration with legal assistants, and an overall improved company work-life balance.

However, Wilson is also aware that this kind of digital transformation must be matched by investments in cybersecurity, or the wished-for benefits will be outweighed by increased risk exposure. Law firms like Winthrop & Weinstine deal with immensely sensitive client information, and are an increasingly popular target for online attackers.

Eyes and ears

Wilson knew he needed an accurate, automated way to detect and respond to cyber threats. He started by gauging whether the job could be done in-house by adding to his 10-strong IT team. However, he soon came to the conclusion that the sheer volume of threats facing firms today is such that only an expert third-party provider would be able to offer the 24/7 protection Winthrop & Weinstine needed. That’s where Rapid7 Managed Detection and Response (MDR) services came in.

“I wanted an outside company to be the eyes and ears looking out for us all the time. So I did my own research, talked with peers and saw which company would fit,” he explains.

“When I started this process, our account manager was excellent. She had so much passion for Rapid7 that she was very open with the product. She helped me along the way and had all the answers,” Wilson added. “We looked at seven companies...when I get involved, it’s like I’m doing an interview as if you’re part of my department. It came down to three different providers, and everybody I’ve worked with in Rapid7 has been just as informed and passionate.”

A new CISO

Rapid7’s Managed Detection and Response services combine the expertise of Rapid7’s SOC analysts and threat intel team with the company’s leading threat detection and response technology, InsightIDR. Crucially, InsightIDR centralizes disparate security data and applies both user and attacker behavior analytics (UBA & ABA) to find compromise, leaving no place for the bad guys to hide—whether they’re external or insider threats. In addition to the analytics, InsightIDR comes with an EDR agent—the Insight Agent supports Windows, Mac, and Linux—as well as multiple forms of deception technology, ranging from honeypots to honey users, credentials, and files.

Rapid7 is my security arm providing ‘change thought’ in my department. I really feel that I have my own CISO on staff.
Craig Wilson, IT Director at Winthrop & Weinstine

The MDR service began with a compromise assessment and deployment of InsightIDR. Winthrop & Weinstine quickly reached 95% deployment of the Insight Agent, thanks to being a 100% virtual organization. The ability to spot threats was called into action early on when InsightIDR detected a live, multi-faceted attack simulation being carried out by another vendor’s red team, says Wilson.

“It was interesting,” he adds, “because when I talked to my MDR customer advisor (CA) and shared that this was just an exercise, our CA responded, ‘let’s have our team investigate and respond as though it’s not.’ I thought that was great and showed a proactive mindset where Rapid7 wanted to test and improve their team, too.”

Preventing threats as early in the kill chain as possible is essential for firms if they want to minimize the cost and reputational damage that can result from a serious attack or breach.

Wilson has also been impressed with the one-to-one help he has received from the Rapid7 team with things like identifying risky misconfigurations. He notes that the suggestions he’s received have helped to “change the way I’m thinking.”

“Rapid7 is my security arm providing ‘change thought’ in my department,” he adds. “I really feel, particularly for Rapid7, that I have my own CISO on staff. My customer advisor does a great job every month of going through key findings and reports. He’s providing critical, consistent information to us that we can use and move forward with.”

What’s more, Wilson has confidence that any communications he sends will be answered accurately and in detail by the team. “If we have an issue, we know we can send it to the email and you have a group of people looking out for you,” he says. “I never feel like I’m sending something into a black hole.”

Looking ahead

As for the future, Wilson and his team are excited about the possibilities Rapid7 has brought to the table. While the detection and response capabilities in MDR are already making a real difference to the company’s risk mitigation efforts, Wilson is looking forward to creating custom automated workflows and managing more tools with InsightIDR. He’s also considering using Rapid7 reports to assist in answering clients’ security assessments.

It’s clear Wilson takes his organization’s security seriously, and he’s leveraging Rapid7 MDR and InsightIDR to give his team the monitoring and flexibility they need. He’s eager to continue upholding this standard for their customers.
