Minimizing Your Attack Surface During M&A and Divestitures

Commercial due diligence minimizes risks and provides an organization’s board with the confidence needed to proceed with negotiations on an acquisition or sale of a part of the business. However, as cybersecurity becomes an increasingly important piece of the evaluation process, can IT teams actually complete the transition to new ownership without exposing the enterprise to undesirable levels of risk?

In a recent Forescout report, technology acquisition was agreed to be a top priority for M&A strategy and two-thirds of the respondents said that cybersecurity concerns led to regret within their companies in making an M&A deal.

These corporate moves or changes in machinery of government often come with incentives for management to complete within aggressive timeframes. The obvious goals of simply bringing a 3^rd party’s systems into the fold, or separating the systems being divested, sounds great on paper, but when fingers hit keyboards it’s the IT security, networking and infrastructure teams with the daunting task of making this activity happen.

Acquisition of cyber risk can be seen as a negative aspect of M&A. However, when implemented correctly, a cybersecurity program is an asset in M&A and an important factor when you are the selling side.

Changes to commercial makeup and IT operation are rife and opportune targets for malicious actors to benefit from the disruption to business as usual. Without Zero Trust security already strived for on both sides of the negotiating table, exploits of pre-existing security flaws and an increased attack surface can mean the change of ownership can act as a ‘Trojan Horse’, where any post-close ransomware, malware or targeted attack or existing advanced persistent threat (APT) propagates into and across the buyer’s business.

From the same study, more than half of respondents reported that they had encountered a critical cybersecurity issue or incident during an M&A deal that put the deal into jeopardy.

Acquisition security considerations

Either before or after a deal is signed, it is particularly pertinent to determine the risk related to data centre security hygiene within acquired applications and hybrid cloud data centers. Australia’s Cyber Security Centre advises that organizations entering such activity understand the operating environment and security controls that protect data and systems to ensure equivalent or greater protection is afforded in the new operating environment. There are also potential financial consequences for the parties involved in relation to regulatory compliance and privacy legislation.

With little to no control over the applications inherited through an acquisition, IT teams are most often left questioning: What have we just inherited? Do they utilize different infrastructure technologies than we do such as Kubernetes or alternate public clouds? What data protection, application, endpoint security and vulnerability management practices have been followed? And what does ingesting these workloads mean to our current attack surface?

The buyer’s security teams are often impeded in any assessment by a lack of visibility into the data centre assets they are purchasing and a lack of opportunity to identify existing flaws enabling lateral movement and exposure of sensitive data. Without understanding how applications and workloads are connected and communicating, acquiring companies risk breaking applications and disrupting service during migration or while securing acquired applications once received. Also, as acquisitions don’t always involve purchasing completely complimentary applications, that understanding is equally important in the phased adoption of receiving and getting systems into the data centre, identifying redundancy and decommissioning overlaps, and then leading to the value-add between the systems that the M&A was designed to achieve.

Divestiture security considerations

Acquisition of cyber risk can be seen as a negative aspect of M&A. However, when implemented correctly, a cybersecurity program is an asset in M&A and an important factor when you are the selling side. In a survey conducted by ISC2, 95% of surveyed M&A professionals considered cybersecurity a tangible asset that is underpinned by the technical stack of the application or service but extends to the broader security and risk management program. A strong cybersecurity program can be utilized as a differentiator and value add in the M&A process. An investment in this not only makes your sale more attractive but could demand a higher price.

Although one might feel that being on the “for sale” side of the fence should make the process simpler (as you should know more about your own environment), the technical debt and interconnected nature of systems within your own data centers poses a challenge to identifying and being able to untangle and cut off the assets to be sold. It may likely be challenging to answer your own questions like, what workloads run the applications or the part of the business being sold, and do we know what those systems are connected to and who is accessing them today?

You may also be constrained by existing controls to uplift security to the level that is required by the acquirer or that would weigh the balance in your favor during negotiations. It is also common that contractual obligations of the sale require you to continue to run those systems for an extended period within your environment, so an efficient mechanism is needed to untangle and isolate them without removing them completely.

In short, the common challenges of both acquiring and divesting include:

• Lack of visibility into application dependencies to understand, migrate, and either integrate new or separate the assets/workloads in the scope of the sale.
• Existing security policies are most often static, tied to the infrastructure and data centre security implementation and, therefore, can’t be adaptively migrated with the workloads as they are passed between the entities.
• Migrating unknown applications without compromising security or disrupting services is difficult since modern applications are interdependent and may be fragile.
• Not breaking software whilst the transition process completes is vital to maintain as much business as usual as possible.
• Risk of compromise of customer and company data for the duration of migration with edge firewalls opened up.

How Illumio helps

Application migration without compromising on security is the essence of a successful outcome, and the Illumio Adaptive Security Platform (ASP) is foundational to the M&A strategy of some of the most acquisitive organizations in the world. Illumio ASP solves the most common challenges by enabling you to:

1. Map application dependencies within your own (divestiture) or the target’s (acquisition) environment. Illumio ASP’s application dependency map provides real-time insights to help companies visualize acquired or sold off applications and their workloads across all environments before migration. With understanding of application dependencies, teams can ensure the migration is efficient and application behavior is not disrupted.
2. Build segmentation policy to isolate the critical IT infrastructure, leveraging the application dependency map. Illumio’s Policy Generator automates segmentation policy creation with optimized micro-segmentation policy that saves time, accelerates security workflows, and reduces the risk of human errors by ring fencing the acquired or sold systems so any breach is contained.
3. Protect your infrastructure from the target company’s servers and applications. Adaptive micro-segmentation policy adjusts to changes in the application environment – as applications move, so does security. This allows applications to be secured before migration and policy to automatically adjust post migration, maintaining consistent and continuous protection during the transition process.

Whether you are acquiring and need the confidence to do so in a safe manner, or selling and can bolster your price whilst reducing the effort to cut off those assets, Illumio ASP will de-risk your commercial initiatives.

Read the story of a Fortune 500 organization who seamlessly finalized a high-profile acquisition, deploying Illumio ASP on the acquired company’s 700 servers.