Health

Ensuring Security in M&A: An Evolution, Not Revolution

October 24, 2022

256

Scott Heider is a supervisor throughout the Cisco Security Visibility and Incident Command crew that stories to the corporate’s Security & Trust Organization. Primarily tasked with serving to to maintain the mixing of an acquired firm’s options as environment friendly as attainable, Heider and his crew are sometimes introduced into the method after a public announcement of the acquisition has already been made. This weblog is the ultimate in a collection centered on M&A cybersecurity, following Dan Burke’s submit on Making Merger and Acquisition Cybersecurity More Manageable.

Mergers and acquisitions (M&A) are difficult. Many components are concerned, guaranteeing cybersecurity throughout the complete ecosystem as a corporation integrates a newly acquired firm’s merchandise and options—and personnel—into its workstreams.

Through a long time of acquisitions, Cisco has gained experience and expertise to make its M&A efforts seamless and profitable. This success is largely to quite a lot of inside groups that hold cybersecurity high of thoughts all through the implementation and integration course of.

Assessing the Attack Surface and Security Risks

“Priority one for the team,” says Heider, “is to balance the enablement of business innovation with the protection of Cisco’s information and systems. Because Cisco is now the ultimate responsible party of that acquisition, we make sure that the acquisition adheres to a minimum level of security policy standards and guidelines.”

The crew appears to be like on the acquired firm’s safety posture after which companions with the corporate to coach and affect them to take needed actions to realize Cisco’s safety baseline.

That course of begins with assessing the acquired firm’s infrastructure to determine and fee assault surfaces and threats. Heider asks questions that assist determine points round what he calls the 4 pillars of safety, monitoring, and incident response:

What methods, knowledge, or purposes are you making an attempt to guard?
What are the potential threats, together with exploits or vulnerabilities, to these methods, knowledge, or purposes?
How do you detect these threats?
How do you mitigate or include these threats?

The infrastructure that Heider’s crew evaluates isn’t simply the corporate’s servers and knowledge heart infrastructure. It may embrace the methods the acquisition rents knowledge heart area to or public cloud infrastructure. Those concerns additional complicate safety and should be assessed for threats and vulnerabilities.

Acquisition Increases Risk for All Parties Involved

Once Heider’s crew is activated, they companion with the acquired firm and meet with them usually to recommend areas the place that acquisition can enhance its safety posture and scale back the general threat to Cisco.

Identifying and addressing threat is important for either side of the desk, nonetheless, not only for Cisco. “A lot of acquisitions don’t realize that when Cisco acquires a company, that organization suddenly has a bigger target on its back,” says Heider. “Threat actors will often look at who Cisco is acquiring, and they might know that that company’s security posture isn’t adequate—because a lot of times these acquisitions are just focused on their go-to-market strategy.”

Those safety vulnerabilities can turn into straightforward entry factors for menace actors to realize entry to Cisco’s methods and knowledge. That’s why Heider works so carefully with acquisitions to realize visibility into the corporate’s surroundings to cut back these safety threats. Some firms are extra centered on safety than others, and it’s as much as Heider’s crew to determine what every acquisition wants.

“The acquisition might not have an established forensics program, for instance, and that’s where Cisco can come in and help out,” Heider says. “They might not have tools like Stealthwatch or NetFlow monitoring, or Firepower for IDS/IPS operations.”

When Heider’s crew can convey of their established toolset and skilled personnel, “that’s where the relationship between my team and that acquisition grows because they see we can provide things that they just never thought about, or that they don’t have at their disposal,” he says.

Partnership over Power Play

One of an important components in a profitable acquisition, in response to Heider, is to develop a real partnership with the acquired firm and work with the brand new personnel to cut back threat as effectively as attainable—however with out main disruption.

Cisco acquires firms to increase its resolution choices to clients, so disrupting an acquisition’s infrastructure or workflow would solely decelerate its integration. “We don’t want to disrupt that acquisition’s processes. We don’t want to disrupt their people. We don’t want to disrupt the technology,” says Heider. “What we want to do is be a complement to that acquisition, – that approach is an evolution, not a revolution.”

The deal with evolution can generally lead to a protracted course of, however alongside the way in which, the groups come to belief one another and work collectively. “They know their environment better than we do. They often know what works—so we try to learn from them. And that’s where constant discussion, constant partnership with them helps them know that we are not a threat, we’re an ally,” says Heider. “My team can’t be everywhere. And that’s where we need these acquisitions to be the eyes and ears of specific areas of Cisco’s infrastructure.”

Training is one other manner Heider, and his crew assist acquisitions stand up to hurry on Cisco’s safety requirements. “Training is one of the top priorities within our commitments to both Cisco and the industry,” Heider says. “That includes training in Cisco technologies, but also making sure that these individuals are able to connect with other security professionals at conferences and other industry events.”

Best Practices for Security Considerations in M&A

When requested what recommendation he has for enterprises that need to preserve safety whereas buying different firms, Heider has a couple of suggestions.

Make endpoint administration a precedence

Having the correct safety brokers and clear visibility into endpoints is important. As is inputting the information logs of these endpoints right into a safety occasion and incident administration (SEIM) system. That manner, explains Heider, you could have visibility into your endpoints and might run performs in opposition to these logs to determine safety threats. “We’ll reach out to the asset owner and say they might have malware on their system—which is something nobody wants to hear,” says Heider. “But that’s what the job entails.”

End consumer training is essential, too

Often, finish customers don’t know that they’re clicking on one thing that would have malware on it. Heider says consumer training is nearly as essential as visibility into endpoints. “Cisco really believes in training our users to be custodians of security, because they’re safeguarding our assets and our customers’ data as well.”

End customers needs to be educated about practices akin to creating robust passwords and never reusing passwords throughout totally different purposes. Multi-factor authentication is an effective follow, and finish customers ought to turn into accustomed to the rules round it.

Version updates and patching are frequent sources of vulnerabilities

Updating software program and methods is a unending job, however it’s essential for maintaining infrastructure working. Sometimes, updating a system can weaken safety and create vulnerabilities. Enterprises should preserve a steadiness between enabling enterprise innovation and maintaining methods and knowledge safe. Patching methods might be difficult however neglecting the duty may enable menace actors right into a susceptible system.

Understand public cloud safety earlier than going all in

Heider says public cloud operations might be useful since you’re transferring possession legal responsibility operations to a 3rd occasion, like Amazon Web Services or Google Cloud platform. “The only caveat,” he says, “is to make sure you understand that environment before you go and put your customer’s data on it. You might make one false click and expose your certificates to the Internet.”

Cisco Continually Strives for Improvement

Heider says that whereas a giant a part of his job helps acquisitions uplevel their safety area to satisfy baseline safety necessities, there’s at all times the purpose to do even higher. “We don’t want to be just that baseline,” he says. His crew has discovered from acquisitions prior to now and brought a few of these functionalities and applied sciences again to the product teams to make enhancements throughout Cisco’s options portfolio.

“We’re customer zero – Cisco is Cisco’s premier customer,” says Heider, “because we will take a product or technology into our environment, identify any gaps, and then circle back to product engineering to improve upon it for us and our customers.”