Mitigate M&A Network Security Risks
Growth Through Acquisition Introduces New Risks
When an organization acquires another company, the acquisition team must involve security professionals to make sure it does not expose the acquiring company to threats that may exist undetected on the acquired company’s network. Far too often in the past, acquisitions left security evaluations out of the equation and inherited substantial security debt… or worse, integrated the acquired company into the organization without any security vetting at all.
While similar challenges exist (and similar solutions apply) whenever an organization needs to access networks that are not their own, such as partner networks or supply chain networks, this blog post will focus on mergers and acquisitions (M&A).
What Cyber Risks are You Acquiring?
The risks to the acquiring company are numerous. The fundamental question to ask yourself is: are we buying a Trojan Horse that we are about to plug into our network? More specifically:
- How do we get the needed network visibility to gain a strong picture of the state of the acquired company?
- How do we then cohesively analyze the visibility we have for threats?
- How do we then formulate responsive measures for the acquiring company?
- How do we then merge or integrate the networks with confidence?
There are four areas to consider as you assess the risks of the acquisition target.
1. How do we get the needed network visibility of the acquisition target(s)?
The process starts with an assessment of the network that’s already in place in the acquired organization, including both on-premises networks and data centers, any workloads that have been migrated to the public cloud, the gateways into the network, such as web and email gateways, and other ingress and egress points that need to be secured.
Gain visibility into the acquisition target’s network security posture without exposing the acquirer.
Lastline’s agentless sensors can be deployed anywhere with no added licensing cost, and can run on virtual machines, so there is no additional hardware to purchase. Whether the acquiring company already uses Lastline’s Network Detection and Response (NDR) platform or is new to Lastline Defender™, it can deploy sensors into the acquired company’s network – on-premises or in the cloud – in most cases within an hour, and will immediately start to get visibility into any malicious lateral network activity taking place. Lastline Defender also analyzes all north-south activity, such as email attachments, data exfiltration, and URLs, to stop new malware-based attacks before they take hold.
If the acquiring company requires a Proof of Concept (PoC) first, it can still complete an analysis of the acquired company’s network by deploying Lastline Defender as a PoC: quickly deploying Lastline’s lightweight, software-based sensors and using the hosted software to see the results immediately.
2. How do we then cohesively analyze network traffic for threats?
Are there active but undetected threats on the acquired company’s network, including its IT, OT and Internet-of-Medical-Things (IoMT) devices, users, and other hosts, or latent malware on hosts and employees’ personal devices that could infect the acquiring company’s network and hosts? If so, they could expose the acquiring company to attack and to the loss of PII, assets, intellectual property, regulated data, and operational capability, as well as substantial financial loss from paying ransoms.
To confidently answer this question, you need to be able to detect and identify indicators of compromise (IoCs) in the acquired digital footprint. Typically, it takes months to deploy security software that can analyze the acquired company’s network, establish behavioral baselines, and then look for anomalies that could indicate an attack, all of which slows the important integration of the two organizations… or worse, the integration goes forward without a complete security evaluation.
Analyze acquired network traffic for malicious activities.
Lastline’s Network Traffic Analytics uses supervised and unsupervised machine learning to detect anomalous lateral movement within a network. Within hours, our software analyzes vast amounts of network activity for any malicious activity that may result from personal devices infected off-site, IoT devices, corporate assets, or other gaps in perimeter defenses.
Furthermore, our software distills petabytes of data down to a finite number of intrusions, identifying all of the activity associated with each threat, instead of typically thousands of “interesting events” that other solutions alert on, most of which are false positives.
Given Lastline’s understanding of malicious behaviors – thanks to its market-leading file analysis capability – it can distinguish between anomalous network activity that is malicious and that which is anomalous but benign, minimizing false positives.
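As an added illustration of the baseline-then-anomaly approach described in this section (example code written for this page, not Lastline’s software or its detection logic), the Python block below builds a per-host baseline of internal (east-west) connections from a training window of flow records, then flags hosts that open administrative-protocol sessions to several internal peers they never contacted during the baseline. It also separates "anomalous but expected" sources (known jump boxes) from suspected lateral movement, which is the distinction the paragraph above makes. The flow records, port list, threshold and admin-host allowlist are all constructed for the example.

```python
"""Baseline-and-anomaly detection of lateral movement over east-west flow records.

Added example for this page; not Lastline's code or detection logic. All flow
records, ports, thresholds and host allowlists below are constructed.
"""
from collections import defaultdict

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port). The baseline
# window stands in for "normal" traffic captured before integration begins.
BASELINE_FLOWS = [
    ("2024-01-01T09:00:00", "10.1.0.5", "10.1.0.20", 445),
    ("2024-01-01T09:05:00", "10.1.0.5", "10.1.0.21", 445),
    ("2024-01-02T09:00:00", "10.1.0.5", "10.1.0.20", 445),
    ("2024-01-02T10:00:00", "10.1.0.7", "10.1.0.50", 443),
    ("2024-01-03T11:00:00", "10.1.0.8", "10.1.0.50", 443),
]

# Constructed observation window: the traffic we analyze after sensors are in.
OBSERVED_FLOWS = [
    ("2024-01-10T09:00:00", "10.1.0.5", "10.1.0.20", 445),   # seen in baseline
    ("2024-01-10T09:30:00", "10.1.0.5", "10.1.0.30", 3389),  # jump box, new peers
    ("2024-01-10T09:31:00", "10.1.0.5", "10.1.0.31", 3389),
    ("2024-01-10T09:32:00", "10.1.0.5", "10.1.0.32", 3389),
    ("2024-01-10T02:13:00", "10.1.0.8", "10.1.0.21", 445),   # workstation, new SMB
    ("2024-01-10T02:14:00", "10.1.0.8", "10.1.0.22", 445),
    ("2024-01-10T02:15:00", "10.1.0.8", "10.1.0.23", 3389),
    ("2024-01-10T02:16:00", "10.1.0.8", "10.1.0.24", 5985),
    ("2024-01-10T14:00:00", "10.1.0.7", "10.1.0.51", 443),   # new, but not admin
]

# Ports on which a never-before-seen internal session is a strong lateral-movement
# signal (SSH, RPC, SMB, RDP, WinRM). Constructed list; tune per environment.
ADMIN_PORTS = frozenset({22, 135, 445, 3389, 5985, 5986})

# Hosts expected to open new admin sessions (jump boxes, patch servers). They are
# anomalous to the model but benign, so they get a review verdict, not an alert.
KNOWN_ADMIN_HOSTS = frozenset({"10.1.0.5"})


def build_baseline(flows):
    """Map each source host to the set of (dst, port) pairs it normally talks to."""
    baseline = defaultdict(set)
    for _, src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline


def detect_lateral_movement(baseline, flows, admin_hosts=KNOWN_ADMIN_HOSTS,
                            new_peer_threshold=3):
    """Return {src: {"new_peers": [...], "verdict": ...}} for every source that
    opened admin-protocol sessions to at least `new_peer_threshold` internal
    hosts it never contacted during the baseline window."""
    new_admin_peers = defaultdict(set)
    for _, src, dst, port in flows:
        if port in ADMIN_PORTS and (dst, port) not in baseline.get(src, set()):
            new_admin_peers[src].add(dst)

    findings = {}
    for src, peers in new_admin_peers.items():
        if len(peers) < new_peer_threshold:
            continue  # a single new admin session is too weak on its own
        verdict = ("anomalous-review" if src in admin_hosts
                   else "suspected-lateral-movement")
        findings[src] = {"new_peers": sorted(peers), "verdict": verdict}
    return findings


if __name__ == "__main__":
    results = detect_lateral_movement(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS)
    for src, finding in results.items():
        print(f"{src}: {finding['verdict']} -> {', '.join(finding['new_peers'])}")
```

In this run the workstation 10.1.0.8 is reported as suspected lateral movement (four new SMB/RDP/WinRM peers), the jump box 10.1.0.5 is routed to review despite the same fan-out, and 10.1.0.7's new HTTPS connection is ignored. The baseline window is the part that takes time to collect on a freshly acquired network, which is why the post stresses getting sensors in early.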
3. How do we then formulate responsive measures for the acquiring company?
Most often the acquiring company is larger and presumably more technically sophisticated than the organization being acquired. But that’s not always the case. A fundamental question to ask is, does the company being acquired actually have a better cyber security posture than the acquirer, and if so, what can the acquiring company learn or adopt? It’s really an opportunity to pull best practices from two organizations and merge them into a collectively better security operation.
Once the policy questions have been resolved, and you’ve completed the threat assessment of the acquired company’s network and devices, it’s time to start the integration of the networks. During this process, it’s essential to have visibility into the network and an understanding of the ground truth on areas like digital asset management and asset inventory. Then, of course, you need adequate security visibility of both networks while ongoing integration occurs, including potential threats attempting to enter the newly enlarged network and lateral movement within the network.
Formulate responsive measures for the acquiring company.
Lastline Defender has numerous mechanisms for speeding response. Our integrations with leading firewall, endpoint protection, SIEM, SOAR, and other types of solutions enable us to immediately push out appropriate response measures. Adding to that, our APIs facilitate fast and easy integrations where needed, for example with custom in-house technologies. We can block malicious IPs, quarantine malicious emails, block access to compromised websites, and carry out other automated responses.
When Lastline detects an intrusion, instead of delivering lots of isolated alerts that need to be manually investigated and connected, Lastline delivers a blueprint that visually shows all malicious activity and impacted hosts associated with the intrusion. This high-fidelity, contextual visibility facilitates fast and complete remediation with minimal false positives, focusing security teams’ efforts on the highest risk activity.
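The "blueprint" idea above and the earlier point about distilling thousands of isolated events into a finite number of intrusions both come down to correlating alerts that share a host or an indicator. The Python block below is an added example of one way to do that (written for this page; it is not Lastline's software or its correlation logic): alerts are linked when they involve the same host, the same destination host of a lateral-movement event, or the same high-confidence indicator, and each connected component becomes one intrusion with its impacted hosts and ordered stages. The alert records, hosts, hash and domains are all constructed.

```python
"""Correlate isolated alerts into per-intrusion "blueprints" via shared hosts/IoCs.

Added example for this page; not Lastline's code. Every alert, host, hash and
domain below is constructed (the .invalid TLD is reserved and never resolves).
"""
from collections import defaultdict

# Constructed alert stream, as a SIEM might hand it over. "indicator" holds a
# high-confidence IoC only; "dst_host" is set for lateral-movement events.
ALERTS = [
    {"id": 1, "time": "2024-01-10T02:10", "type": "malicious_attachment",
     "host": "10.1.0.8", "indicator": "sha256:CONSTRUCTED-HASH-1", "dst_host": None},
    {"id": 2, "time": "2024-01-10T02:13", "type": "smb_lateral_movement",
     "host": "10.1.0.8", "indicator": None, "dst_host": "10.1.0.21"},
    {"id": 3, "time": "2024-01-10T02:20", "type": "c2_beacon",
     "host": "10.1.0.21", "indicator": "c2.example.invalid", "dst_host": None},
    {"id": 4, "time": "2024-01-10T03:00", "type": "c2_beacon",
     "host": "10.1.0.30", "indicator": "c2.example.invalid", "dst_host": None},
    {"id": 5, "time": "2024-01-11T10:00", "type": "suspicious_url",
     "host": "10.1.0.60", "indicator": "ads.example.invalid", "dst_host": None},
]


def _alert_nodes(alert):
    """Graph nodes an alert touches: its host, optional peer host, optional IoC."""
    nodes = [("host", alert["host"])]
    if alert.get("dst_host"):
        nodes.append(("host", alert["dst_host"]))
    if alert.get("indicator"):
        nodes.append(("indicator", alert["indicator"]))
    return nodes


def build_blueprints(alerts):
    """Group alerts into intrusions (connected components over shared nodes) and
    summarize each: alert ids, impacted hosts, stages in time order, time span."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_a] = root_b

    # Union every node of an alert together, so alerts sharing any node merge.
    for alert in alerts:
        nodes = _alert_nodes(alert)
        for node in nodes[1:]:
            union(nodes[0], node)

    components = defaultdict(list)
    for alert in alerts:
        components[find(("host", alert["host"]))].append(alert)

    blueprints = []
    for members in components.values():
        members.sort(key=lambda a: a["time"])
        hosts = {a["host"] for a in members} | {a["dst_host"] for a in members if a["dst_host"]}
        blueprints.append({
            "alerts": sorted(a["id"] for a in members),
            "hosts": sorted(hosts),
            "stages": [a["type"] for a in members],
            "first_seen": members[0]["time"],
            "last_seen": members[-1]["time"],
        })
    # Largest intrusion first so the team's attention lands on the highest-risk activity.
    blueprints.sort(key=lambda b: (-len(b["alerts"]), b["alerts"][0]))
    return blueprints


if __name__ == "__main__":
    for n, bp in enumerate(build_blueprints(ALERTS), start=1):
        print(f"Intrusion {n}: hosts={bp['hosts']} stages={' -> '.join(bp['stages'])}")
```

Five alerts collapse into two intrusions: one spanning three hosts from the initial attachment through lateral movement to the C2 beacons, and one lone suspicious URL. The quality of the result depends entirely on what is allowed into the indicator node set; a common benign domain or a shared library hash would chain unrelated events into one giant "intrusion", so only indicators that the file-analysis or threat-intelligence stage has already judged malicious should be used as link keys.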
4. How do we merge or integrate the networks with confidence?
Lastline Defender delivers the network security visibility that security teams need to cohesively analyze network traffic for threats and to merge or integrate the network of an acquired company with confidence.
Collaboration is instrumental in getting to the ground truth. This couldn’t be truer for network security. Lastline Defender is a Network Detection and Response platform that includes Network Traffic Analysis (NTA), an Intrusion Detection and Prevention System (IDPS), and file analysis software. Each plays an important role in detecting and responding to network threats. To get a comprehensive picture of advanced threats, it makes sense to integrate a range of synergistic data across the merged networks to better enable that collaboration for threat detection and response.
Lastline Defender’s IDPS, file analysis, NTA, and threat intelligence capabilities create a synergy that’s more powerful and effective than these features would be by themselves or when provided by separate vendors. The sum is a solution that can detect threats attempting to enter a network, including zero-day attacks, as well as threats moving laterally inside a network. No single solution can do all of this. Only by combining the capabilities of the three core technologies and sharing data among them can Lastline Defender detect the widest array of attacks, across all types of networks, with minimal false positives.