M&A Security: To Ponder or to Act

Where does M&A fit into your Business and IT Security Strategy?  Lately I’ve noticed an uptick in mergers and acquisitions (M&A) security discussions at conferences and in security media posts.  Some of what I hear is centered on due diligence, legal responsibility, why it’s important, the lack of security involvement in acquisition decisions, and what should happen before a purchase. The reality is, many of the discussion occur after the purchase is finalized or announced. I have read a variety of different perspectives on what to do, some convoluted enough to bog down IT governance in a discussion that never reaches a decision. This sometimes occurs when whomever was responsible for assessing the risk hasn’t been in front of the purchase.  Worse, lapses in communications between business leaders in business risk language, has not taken place.  Ultimately, these pitfalls can cause M&A Security to be ignored or get pushed to the “to do later” list.  I’ve worked in the private sector in companies that have routinely purchased other companies as part of their business model. I’ve seen what passes for the norm. When the acquisition is formally announced an M&A IT questionnaire with IT and security questions is sent out to the acquired company and it may or may not be answered. The questionnaire in my humble opinion is pseudo due diligence. If something goes wrong like the company is already compromised, then leaders with M&A oversight can say, “Hey, I sent the questionnaire, the company didn’t answer or didn’t disclose.” Today, we should not be relying on questionnaires for M&A security. I’m not saying that all companies do M&A security this way, I’m just saying this is typical from my experience and the experience of some of my colleagues.

If you are a company that buys other companies routinely you either have a fabulous structured IT integration methodology, or you don’t. Let’s say most do not. I’m a realist and yes this is my qualitative reasoning. For those companies, I suspect many, do not have an IT integration methodology that works well every time a new acquisition occurs. I would imagine the typical company that does not have that integration methodology must be inheriting a tremendous amount of technical debt; software and hardware that is out of date and unsupported. Technical debt translates to risk. Let’s say, your company is that company. You are operating on a reasonable budget for your enterprise, but you are neither manned for nor have budgeted the kind of assessment of IT and IT Security that every new acquisition should go through….in a perfect world. Without a plan for your M&A security, more risk is being inherited.

Security leaders should be able to explain to business leaders that IT and IT security should be seated at the table when new acquisitions are being discussed. Your IT staff should be able to connect remotely to newly acquired companies, possibly pre-acquisition, or go in person to evaluate the candidate company to ensure your company is not buying excessive risks or problems. Yes, it would be nice to do this prior to purchase.  It should be a negotiating point for the acquisition. This is the best-case scenario, but not typical.

So, what do you do?

Baring the immediate change in culture or realization from your company that you really do need to do M&A security right or be willing to accept the risk as part of the business model, you need to solve the risk problem. Socrates not only said, “Know Thyself” but he also said, “Seek Answers.”

One answer is you need to find a fiscally responsible way to interrogate the IT of the recently acquired company as soon as possible in order to understand the risk, plot the risks on a heat map, get answers to the right questions, and determine what happens next. But you can’t do anything until you know the state of security of the new acquisition.

A few reasonable options for understanding the state of security of the new acquisition include:

  1. Send a senior IT analyst and security analyst to the location for a week to meet, interview, connect to the enterprise to get an understanding of it. This is your IT person loaded with interpersonal skills.
  2. Use a third-party vendor to do the same site visit.
  3. If you have agreements with Mandiant, Secureworks, Maddrix, IBM or others who already perform some level of monitoring or assessment of your enterprise with their cloud capability, just add another connection and assess the data.
  4. Obviously there are many other options.

Option “1” can be costly and as I previously mentioned. You may not have the staff available to send across the world, but a small skilled team with the right tools, authority, and personality, can achieve great results.

Option “2” is reasonable because it’s probably easier to have a company or two on retainer to be able to do the same assessment. You would need to ensure they perform at the same level as option “1.”

Option “3” can also be a reasonable option if you already have agreements in place, the requirements clearly specified, and the VPN in place. This option will require cooperation of the new acquisition. If you must send some to the new company, plus use this option, it probably will become expensive. You wouldn’t want to do this for a smaller acquisition, only the larger ones.

In a previous CISO position I wanted to evaluate the performance of the security operations center. I was interested in the skill set of staff, performance of existing SOC tools, how our people, processes, and technology worked together, and of course, blind spots. I brought in a third-party company, 2 people, to perform the review/assessment. Out of the assessment I wanted more than report, I wanted prioritized risk actions to evaluate and execute against that would help me enhance the organization security posture. The evaluation team had a cyber kit that was well integrated. I called it a SOC-in-a-Box. While the contract was for a few months, the review/assessment quickly revealed security challenges that needed to be mitigated. John Latuperissa of JFL Consulting was the vendor. The cyber kit or SOC-in-a-Box at the time was basically half-a-rack but is now significantly reduced in size for mobility. While this assessment was several years ago, I saw first-hand how a small team, or even a single individual with the right skill and cyber kit could help me “know thyself” and understand the risk. I think this same approach could be easily used by companies needing to evaluate new acquisitions.

In a different organization, I contracted with Mandiant for a compromise assessment. Mandiant, like some other companies, uses cloud monitoring/collection. Since this was part of the service, if I needed a new environment evaluated, it was relatively easy and quick. The only challenge here is that you are paying for an existing instance, and for any processing. While quick, this can become costly over time because you need to interpret and analyze the data. Mandiant did quite a great job in producing a white paper on M&A due diligence. https://www.fireeye.com/services/mergers-and-acquisitions-risk-assessment.html

Ultimately, you need to know what the state of security is in the new acquisition in order to weigh and decide what, if anything, needs to be done to ensure the risk to the enterprise is acceptable. And if needed, have a discussion with the Chief Risk Officer to see if any adjustment in risk appetite needs to take place.

As a CIO or CISO, what do you do when you have a new acquisition? You must have a way to know what you are potentially inheriting with the acquisition, the risks to your enterprise and your business. You need to have something better than a security questionnaire to tell you that. Right sizing the solution for your company is the challenge, and you do have fiscally responsible options available. While I know the due diligence discussion is important, what is more important is having a clear understand of risks and taking action on what needs to be mitigated.

To je zelo intimno dejanje. Na čustveni ravni lahko združi partnerje. Pristojni analni seks vključuje bolj natančne in natančnejše priprave, več razprav o tem, kako naj se to zgodi. Poleg tega, če ženska ne vadi na ta način, vendar se strinja, da bo vijagra v dobro partnerja, to pomeni, da mu zaupa.

Un argomento separato per la conversazione è un’auto in movimento. cialis generico prezzo in farmacia di diversificare la lunga strada con padelle innocenti, rischi la tua vita e vive in giro.

Public Sector Cloud Security Strategies

Over the past 8+ years the Federal government and agencies have been adopting the Cloud. And over the past few years the page of adoption has increased.  Cloud offers great opportunities and challenges to public sector security teams defending critical mission systems against advanced threats. These 7 strategies will help your security team.

Like many of you, I was there at the birth of the cloud. I watched the evolution in the private sector, the debates of what a cloud is, the sales pitch that money will be dramatically saved, and other comments; some of which proved true and others false.  I supported adoption in the public sector, which is taking much longer, due to the time it takes government to innovate, implement new technology, determine risks, and obtain an authorization to operate or risk acceptance. In the early years, 2010 to 2015 few government CIOs succeeded on an enterprise scale.  Over the past few years FEDRAMP has evolved and guidance from NIST and the Cloud Security Alliance has been a tremendous help to those seeking cloud security enlightenment.

You must know that the public and private sector differ in cloud adoption and I certainly hope one day they will be equal.  In the private sector adoption yielded cost savings and increased efficiency across many industries. Early adopters’ ability to change and adapt quickly to the cloud fueled their success.  That agility in adoption in the private sector was like trying to put a square peg in a round hole for many large government IT organizations. Speed has not been a government attribute, but indication of change can be seen. As forward leaning public sector CIOs take the lessons learned from the private sector, coupled with productive vendor partnering with Amazon, Google, and Microsoft, will help close that gap.

Opportunities and Blind Spots

For government, there is a great opportunity in having a common architecture that propels intelligence integration and big data analytics. It starts with the flow of intelligence from collectors, people, satellites and sensors into the cloud(s).  Authorized personnel with the right credentials can check out the applications from a library of applications to interrogate, analyze and enhance the data. Products can then be developed, hosted and consumed, with usage tracked for value. The integration that happens in the cloud is a tremendous value. But as this shift takes place, government agencies often find themselves in the middle of a balancing act trying to manage both cloud and legacy systems and applications that remain.

Years ago, when my public sector organization was preparing for an external risk assessment, I wanted to ensure the two large enterprises received a minimum rating of “Excellent” based on the criteria that had been established for the review. My Director also wanted to know the outcome in advance of the inspection. I’ll call the two enterprises, Enterprise A and Enterprise B. As I pushed for compliance on Enterprise A the metrics improved, but at the same time, the metrics for Enterprise B dropped. I pushed for focus on Enterprise B, and voila, Enterprise B improved, however Enterprise A metrics worsened. The reason? The same manpower was responsible for patching both enterprises and could only keep up with one at a time.  At the time this was a very manual process. Lesson learned: managing risk, the continuous evaluation of the security posture of systems and the cloud, often use the same resources. The same resources that may be used to oversee legacy systems and applications.  You need the right balance of skilled manpower to ensure you’re a successful.

Vulnerability to Advanced Persistent Threats

As more government organizations migrate to the cloud, the balancing act of protecting, monitoring and testing thousands of legacy systems will increase, along with the advanced persistent threats from the bad guys — nation-states, cyber criminals, and hacktivists. The threat is advanced, not because of technology but because of the way hackers perform reconnaissance, collect intelligence, and persistently go after very specific targets. Today hackers operate as a consortium of talent, teamed based on their specialty, to ensure they can effectively attack a target. Any organization touching the internet, including demilitarized zones (DMZs) that have not been compromised, will likely be compromised. Only the naïve believe they are impenetrable.  Since I am speaking about the public sector, those who know it, will say, but SECRET, TS, TS/SCI systems do not touch the internet.  If its true, then you are a lot safer, if your IT support does not perform any unauthorized connections, shortcuts, etc.

Nation-State threat actors would love to have sensitive government data, so as an IT and Security leader you need to make sure you are doing the basics to prevent that.  While there are thousands of ways to tackle this challenge I think a robust risk management organization that risk evaluates and approves all IT systems and apps, good testing through the risk management process as well as Blue Teams, ruthless “really ruthless” configuration management processes, great knowledge of internet facing architecture and ingress/egress points and how they are protected, and skilled detection capabilities.

The Problem with Signature-based Technologies.

Legacy systems and the protective capabilities of antivirus, firewalls, and intrusion detection systems face far more advanced threats now than when they were originally authorized to operate in the 2008 to 2014 time period. In 2008, these technologies were solid solutions for defense-in-depth strategies. However, the benefits no longer justify the cost, and public sector organizations will need to make trade-offs for a more modern platform that uses behavioral and heuristic signatures. Solutions for the threats faced today must also incorporate intelligence.  Since we are talking about public sector cloud adoption the question is whether the legacy protective technologies can protect the organizations cloud.  I feel there might be a tendency to suggest that the security controls put in place years ago are able to provide the level of protection needed.  These systems should be re-evaluated for ROI and ability to protect the data in the cloud.

Budget and operational challenges

It’ no secret that government does not move quickly to implement new technology. The budget lifecycle is a long arduous process, typically 18 to 24 months. In the private sector processes may move faster, if desired.  The pace and evolution of threats outpace the security industries ability to adjust and even once new capabilities are available to timeline for adoption can be long. This puts the CIO/CISO in constant communication with others for adjusting the tools based if the budget is available.  As the world moves, evolves with threats and solutions, the budget processes, proposals, justifications and implementations remain as they were—not terribly fast or agile. As a result, government security executives are put in the position of having to obtain approval for silos of capabilities that individually appear great at a given moment of time but are hard and expensive to integrate.

As many large organizations move to the NIST Cyber Security Framework, the technologies required to support the PROTECT and DETECT pillars, are critical. Security Operations Centers, (SOCs) requires a faster refresh rate to keep up with persistent threats because standard SOC technologies (IDS, AV, and firewalls) do not protect against new threats like 0-days or persistent threat actors. When you combine the issues of old or signature-based technologies and the unfortunate probability that legacy system protections could be overlooked, the outcome could be devastating.  Here are 7 critical strategies and practices to avoid a worst-case scenario.

Follow the National Institute of Standards and Technology (NIST) guidance for continuously monitoring the security controls of the systems in operation.

  1. Executive leadership must recognize that legacy systems and government clouds require robust and evolving protection. Measuring the security of both is critical.
  2. Deploying hosting security services in both the enterprise and cloud will make it easier for legacy systems to inherit the services and ensure that continuous monitoring is performed centrally.
  3. Within the SOC, develop a plan to protect legacy systems with a platform that can integrate signature-less (heuristic, behavioral) and signature tools.
  4. Allocate your resources wisely. Make sure you have both the manpower and technology, to cover both existing systems and the cloud.
  5. Analyze the effectiveness of your current SOC capabilities against the cost. Make sure you are getting the value you need and make trade-offs when necessary.
  6. Act with a sense of urgency and purpose. An 18 to 24-month budget cycle is too long to deliver adequate security capabilities against today’s threats.

The cloud offers tremendous value for government agencies, but only if organizations adopt measures that protect legacy systems and ensure that security solutions can defend against today’s advanced persistent threats.