
Finding Security Landmines in an Acquired Network

Mergers and acquisitions create tremendous growth opportunities for the entities involved. Increased revenue, new product potential, and market share expansion are just some of the reasons two, sometimes disparate, companies join forces. Although opportunity is the top driver for mergers and acquisitions, merging and acquiring business operations, processes, people, and—yes—technology can create huge headaches for months (or even years). A large part of most M&As is the amalgamation of intellectual property, customer lists, and other proprietary company data, all of which reside inside databases or other networked technology. Numerous security “landmines” lie in wait for operations and security teams as they incorporate new networks securely, without disruption to the business. Therefore, it’s imperative to set a solid security strategy that reduces the chance of blowing up the whole project.

In this day and age, many organizations require an audit of IT systems as part of the due diligence process before finalizing M&A. However, a point-in-time audit may not reveal the entire picture of the network, how secure it is, or how compliant it is. This is why, once the ink on the M&A paperwork has dried, security teams must commit to an assessment of the acquired company’s environments. Further, it’s highly unlikely that any two companies will have exactly the same technology, at the same patch levels, with easy integration capabilities installed in their environments, making the acquisition and consolidation of systems exponentially more onerous.

Without a proper process and experienced team, things can go very wrong: new vulnerabilities may be introduced, availability issues may emerge, and data may be lost, just to list a few potential problems. Yet, combining systems—eventually, not immediately or all at once—is über important to the successful synthesis of the acquirer and the acquired. Still, even for the best-prepared, potential catch-22s lie ahead for any technology team acquiring and merging networked systems.


Inventory and control of hardware and software assets

The key to managing and securing any organization’s systems is knowing what there is to secure. All types of organizations have challenges maintaining thorough inventories of hardware and software assets, even without throwing an entire new business into the mix. During an M&A, it’s especially imperative to understand what technology is being acquired, and a manual review just won’t cut it.

Acquirers must leverage automation to inventory all present and communicating hardware, software, and services on the acquired company’s networks. The foundation of any security strategy is a complete list of things that need to be secured by the new managing organization. Layered directly on top of that foundation is an understanding of all the connections between software and hosts on the network. Automated scanning from traditional address-based tools may not be enough for these purposes. With cloud and cloud-based user technology so prevalent in today’s businesses, and given that cloud architectures aren’t static, automated port scanning, for example, may result in missed connection discovery or inaccurate mapping between resources.

Shrinking the network attack surface

Discovering which hosts talk to which applications, and which applications talk to which services, provides visibility into communication patterns and dependencies, and, provided the right tools are in place, offers insight into the network attack surface. More pointedly, using an automated application-centric discovery tool to learn which application paths are necessary for regular business use helps the organization block paths that are not necessary—and which only serve to provide “hiding spots” for attackers.

In an M&A situation, the number of unnecessary communication pathways in two companies’ disparate systems could number in the thousands, exponentially increasing cyber risk unless they are blocked from use. Traditional network security guidance says to scan for open IP address ranges, ports, and protocols and eliminate them if they are not needed. Going back to an earlier point about the ephemeral nature of cloud architectures, organizations inventorying their systems and those of a newly acquired network need to go beyond network-based constructs to learn how applications and services are connecting. A security tool that relies on network information is only as good as the data it’s fed. If the data has changed or is inaccurate, it will be impossible to determine if the communication pathways are reliable enough to inform strategic security decisions. With network-based methods alone, reducing the network attack surface becomes near-impossible as well.

Having the right data about the state of the network—whether it’s one the network and security teams have been managing for a long time or one that’s just been acquired—is absolutely mandatory before the organization can effect any decisions, changes, or integrations. That can only be accomplished with automated tools that focus on the applications and services communicating rather than the environment in which they’re communicating.

Data and system migration

Hardware and software asset discovery, application mapping, and using that data to reduce the network attack surface are merely the first steps in a merger of companies’ technology portfolios. Additional security will need to be applied across the board as systems and data are integrated, migrated, and deduplicated. Conventional wisdom says that a layered approach—security at the perimeter, on endpoints, and where access control decisions are made—is the best approach. And though this may be categorically true, one of the most oft-overlooked aspects of network security is the control plane directly around the data and services cyber criminals are targeting—those data-rich databases with client information, intellectual property, and the like.

Especially in an M&A situation where databases and critical systems need to be migrated from one network environment to another, security teams must look at how to protect assets in transit as well as where they land in a new network. Logically, doing so cannot rely on network constructs, because the networks, themselves, are in flux. Instead, security teams should adopt solutions that place controls on the critical assets, themselves, instead of their IP addresses. In this way, protection travels wherever applications, hosts, servers, data, services, etc. go. Decoupling security policies from the network provides the highest level of assurance that the transfer of systems is not subject to a host of vulnerabilities and exploits that could complicate and delay the successful completion of a merger or acquisition.
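The contrast drawn in the attack-surface and migration sections above, as an added example (not code from the article or from any vendor): an allowlist learned from observed flows is keyed once on addresses and once on software identity, then both are replayed against traffic after a migration. All flow records, application names and addresses are constructed, and the example assumes some agent on each host can attribute a connection to the software at both ends.

```python
from collections import namedtuple

# One observed connection. The src_app/dst_app labels are an assumption:
# they stand for whatever software identity a host agent can attach to a flow.
Flow = namedtuple("Flow", "src_ip src_app dst_ip dst_app dst_port")

# Constructed baseline: paths seen during normal business use.
BASELINE = [
    Flow("10.1.0.5", "billing-web", "10.1.0.9", "postgres", 5432),
    Flow("10.1.0.7", "report-job", "10.1.0.9", "postgres", 5432),
]

# Constructed traffic after migration: the database moved to 172.16.4.20
# and its old address 10.1.0.9 was reassigned to a different service.
AFTER_MIGRATION = [
    Flow("10.1.0.5", "billing-web", "172.16.4.20", "postgres", 5432),
    Flow("10.1.0.7", "report-job", "172.16.4.20", "postgres", 5432),
    Flow("10.1.0.7", "unknown-binary", "10.1.0.9", "hr-db", 5432),
]

def address_policy(flows):
    """Allowlist keyed on network constructs (source IP, destination IP, port)."""
    return {(f.src_ip, f.dst_ip, f.dst_port) for f in flows}

def identity_policy(flows):
    """Allowlist keyed on which software talks to which software, and on what port."""
    return {(f.src_app, f.dst_app, f.dst_port) for f in flows}

def evaluate(flows, addr_rules, ident_rules):
    """Return (src_app, dst_app, allowed_by_address, allowed_by_identity) per flow."""
    verdicts = []
    for f in flows:
        by_addr = (f.src_ip, f.dst_ip, f.dst_port) in addr_rules
        by_ident = (f.src_app, f.dst_app, f.dst_port) in ident_rules
        verdicts.append((f.src_app, f.dst_app, by_addr, by_ident))
    return verdicts

def compare():
    """Replay post-migration traffic against both policies built from BASELINE."""
    return evaluate(AFTER_MIGRATION,
                    address_policy(BASELINE), identity_policy(BASELINE))

if __name__ == "__main__":
    for src, dst, by_addr, by_ident in compare():
        print(f"{src:15} -> {dst:9} address-rule={by_addr!s:5} identity-rule={by_ident}")
```

The address-keyed rules block both legitimate database clients once the database moves, and still allow an unapproved process to reach whatever now sits at the recycled address; the identity-keyed rules give the opposite verdict in each case.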

Ongoing efforts

There are countless steps network and security teams must take to ensure an M&A goes smoothly from a technology point of view. That said, it's critical to start by laying a foundation through asset discovery, application mapping, eliminating network attack surface, and protecting data and systems as they migrate from one company’s environment to another’s. Following these steps will result in a smooth transition, allowing the acquiring company to sidestep any of the historical security landmines that occur when dealing with “unknown unknowns.” Though the acquisition of another company’s technology naturally includes some surprises, mitigating risks with a carefully-crafted transition plan will prevent the project from blowing up the integration timeline.


Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.