Inventory and control of hardware and software assets
The key to managing and securing any organization’s systems is knowing what there is to secure. All types of organizations have challenges maintaining thorough inventories of hardware and software assets, even without throwing an entire new business into the mix. During an M&A, it’s especially imperative to understand what technology is being acquired, and a manual review just won’t cut it.
Acquirers must leverage automation to inventory all present and communicating hardware, software, and services on the acquired company’s networks. The foundation of any security strategy is a complete list of things that need to be secured by the new managing organization. Layered directly on top of that foundation is an understanding of all the connections between software and hosts on the network. Automated scanning from traditional address-based tools may not be enough for these purposes. With cloud and cloud-based user technology so prevalent in today’s businesses, and given that cloud architectures aren’t static, automated port scanning, for example, may result in missed connection discovery or inaccurate mapping between resources.
Shrinking the network attack surface
Discovering which hosts talk to which applications, and which applications talk to which services, provides visibility into communication patterns and dependencies and, provided the right tools are in place, offers insight into the network attack surface. More pointedly, using an automated application-centric discovery tool to learn which application paths are necessary for regular business use helps the organization block the paths that are not necessary and that only serve to provide “hiding spots” for attackers.
In an M&A situation, the unnecessary communication pathways in two companies’ disparate systems could number in the thousands, exponentially increasing cyber risk unless they are blocked from use. Traditional network security guidance says to scan for open IP address ranges, ports, and protocols and eliminate them if they are not needed. Going back to an earlier point about the ephemeral nature of cloud architectures, organizations inventorying their systems and those of a newly acquired network need to go beyond network-based constructs to learn how applications and services are connecting. A security tool that relies on network information is only as good as the data it’s fed. If the data has changed or is inaccurate, it will be impossible to determine if the communication pathways are reliable enough to inform strategic security decisions. With such methods, reducing the network attack surface becomes near-impossible as well.
Having the right data about the state of the network—whether it’s one the network and security teams have been managing for a long time or one that’s just been acquired—is absolutely mandatory before the organization can effect any decisions, changes, or integrations. That can only be accomplished with automated tools that focus on the applications and services communicating rather than the environment in which they’re communicating.
Data and system migration
Hardware and software asset discovery, application mapping, and using that data to reduce the network attack surface are merely the first steps in a merger of companies’ technology portfolios. Additional security will need to be applied across the board as systems and data are integrated, migrated, and deduplicated. Conventional wisdom says that a layered approach—security at the perimeter, on endpoints, and where access control decisions are made—is the best approach. And though this may be categorically true, one of the most oft-overlooked aspects of network security is the control plane directly around the data and services cyber criminals are targeting—those data-rich databases with client information, intellectual property, and the like.
Especially in an M&A situation where databases and critical systems need to be migrated from one network environment to another, security teams must look at how to protect assets in transit as well as where they land in a new network. Logically, doing so cannot rely on network constructs, because the networks themselves are in flux. Instead, security teams should adopt solutions that place controls on the critical assets themselves rather than on their IP addresses. In this way, protection travels wherever applications, hosts, servers, data, services, etc. go. Decoupling security policies from the network provides the highest level of assurance that the transfer of systems is not subject to a host of vulnerabilities and exploits that could complicate and delay the successful completion of a merger or acquisition.
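The following added example (not part of the original article) shows the failure mode described above: an allowlist learned from addresses goes stale once workloads move, while one keyed to workload identity does not. All flow records, addresses, and workload names are constructed, and the identity labels are assumed to come from an application-centric discovery tool.

```python
from collections import namedtuple

# All records below are constructed sample data; the workload labels stand in
# for whatever identity an application-centric discovery tool would report.
Flow = namedtuple("Flow", "src_ip dst_ip port src_app dst_app")

BEFORE = [  # flows learned on the acquired network before migration
    Flow("10.1.0.5", "10.1.0.20", 5432, "billing-api", "customer-db"),
    Flow("10.1.0.6", "10.1.0.5", 443, "web-frontend", "billing-api"),
]
AFTER = [  # mid-migration: workloads moved, old address 10.1.0.5 reassigned
    Flow("172.16.4.9", "172.16.8.2", 5432, "billing-api", "customer-db"),
    Flow("172.16.4.3", "172.16.4.9", 443, "web-frontend", "billing-api"),
    Flow("10.1.0.5", "10.1.0.20", 5432, "build-agent", "customer-db"),
]

def ip_rules(flows):
    """Allowlist keyed to addresses, as a network-based tool would build it."""
    return {(f.src_ip, f.dst_ip, f.port) for f in flows}

def app_rules(flows):
    """Allowlist keyed to workload identity, independent of address."""
    return {(f.src_app, f.dst_app, f.port) for f in flows}

def compare_policies(learned, observed):
    """Apply both allowlists learned from `learned` to `observed` flows.

    Returns (wrongly_blocked, wrongly_allowed): flows where the address-keyed
    verdict differs from the identity-keyed one, which is treated here as the
    statement of which application paths the business needs.
    """
    by_ip, by_app = ip_rules(learned), app_rules(learned)
    wrongly_blocked, wrongly_allowed = [], []
    for f in observed:
        ip_ok = (f.src_ip, f.dst_ip, f.port) in by_ip
        app_ok = (f.src_app, f.dst_app, f.port) in by_app
        if app_ok and not ip_ok:
            wrongly_blocked.append(f)   # needed path broken by address churn
        elif ip_ok and not app_ok:
            wrongly_allowed.append(f)   # stale rule now admits another workload
    return wrongly_blocked, wrongly_allowed

if __name__ == "__main__":
    blocked, allowed = compare_policies(BEFORE, AFTER)
    for f in blocked:
        print(f"address rule blocks needed path: {f.src_app} -> {f.dst_app}:{f.port}")
    for f in allowed:
        print(f"address rule admits unneeded path: {f.src_app} -> {f.dst_app}:{f.port}")
```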
There are countless steps network and security teams must take to ensure an M&A goes smoothly from a technology point of view. That said, it’s critical to start by laying a foundation through asset discovery, application mapping, eliminating network attack surface, and protecting data and systems as they migrate from one company’s environment to another’s. Following these steps will result in a smooth transition, allowing the acquiring company to sidestep any of the historical security landmines that occur when dealing with “unknown unknowns.” Though the acquisition of another company’s technology naturally includes some surprises, mitigating risks with a carefully crafted transition plan will prevent the project from blowing up the integration timeline.