In today’s cybersecurity landscape, organizations face a range of challenges, including persistent...
Microsoft Security Tips for Mergers and Acquisitions
Malicious hackers who focus solely on corporate espionage usually target the acquiring company, which we will refer to as the Parent, early in the bidding process to gain a competitive advantage. 62% of organizations that interact in mergers and acquisitions face significant cybersecurity risks or consider cyber risks to be their biggest concern after the acquisition with the help of Microsoft Security. In order to later compromise the Parent company, other threat actors focus on installing backdoors in the entity that is being acquired, or Acquisition for short.
A Parent company has different options for integrating an Acquisition into its IT system. These include linking the IT environment of the Acquisition directly via technological means or integrating the services and users of the Acquisition into the IT environment of the Parent.
Figure 1. Two avenues IT leadership can take with mergers and acquisitions.
Given that only a few elements of the Acquisition are integrated into the Parent environment, the first method has advantages in terms of long-term Microsoft security. On the other hand, this process can be time-consuming and costly depending on how complex both parties are.
The second alternative might be easier to carry out and cause less disruption to both parties’ business operations, but there might be underlying security and technical debt that would be more expensive to resolve over time.
What factors then, should an organization take into account when choosing the best course of action for Microsoft security in a merger or acquisition?
Security Risks in Mergers and Acquisitions using Microsoft Security
It is common for a Parent to base its decision only on economic factors driven by time and labor expenses; but, to maintain the long-term security like Microsoft security of both the Parent and the Acquisition, major cybersecurity issues should be taken into account.
These include:
- Technical debt: Understand the number of technical debts you will inherit. Every firm has some technological debt, and transparency is essential in mergers and acquisitions. For a Parent to understand how the technical debt it will inherit will compound the Parent’s technical debt and help quantify any remediation costs, it is important to have this understanding.
- Existing security (not exclusive to cybersecurity): Consider how the two parties will combine essential security technologies like antivirus or endpoint detection and response (EDR) tools. Also think about how they collaborate to avoid carrying a lot of capabilities, tools, and data sources. Examples of such teams include security operations and security engineering.
- Compliance and regulatory compliance: Find out how the Acquisition manages personally identifiable information (PII), such as bank account numbers, and become familiar with the regulations and rules it must follow. You should also be aware of its compliance practices and history, including any legal infractions. For example, if the Acquisition is located in a different nation or region with tighter data privacy laws, both the Parent and the Acquisition should comply with such regulations in relation to shared data.
- Misconfiguration and misutilization of the existing systems: Review the system configuration at the Acquisition since it’s possible that it was done wrongly due to complexity or a lack of responsibility, or it could be underutilized as a result of incomplete deployment or a lack of experience. It’s possible that the incorrect configuration slipped through since new systems aren’t tested before being used. This is a significant problem because security setup errors make the Parent responsible.
- Identity: Enable other identity controls and multifactor authentication (MFA) flow. The identity setup should be reviewed by security teams. It might be bypassed because it wasn’t created in a way that benefits both parties.
- Network: Consider the best way to connect legacy devices. It might not be able to link older devices to one another during a merger or purchase (for example, if a customer has devices that are not considered next-generation firewalls). Older firewalls don’t allow you to set the Microsoft security rules, and their logging capabilities aren’t as good.
- Cloud: Validate the controls for federated identities with other providers, the ports that are open in Azure infrastructure as a service, and the MFA feature for Microsoft Azure subscriptions. Policies for Conditional Access may conflict with one another.
- Password Management: You or the threat actor, who has greater access? Use solutions like Privileged Identity Management and Privileged Access Management to manage access to your data to make ensure it’s you.
- New threats: Be ready for brand-new and unfamiliar threats. A small manufacturer, for instance, might not be aware of a significant security risk, but if it is acquired by a huge corporation, it could be. An acquisition can give a chance for threat actors to get access to the Parent.
Want to know more about Microsoft Azure? Visit our course now.
The two most common risks are:
- Persistence of the current actor in the acquired environment: When you connect them, you provide the actor a chance to enter the Parent environment as they are already there. The easiest and most suitable approach is this one.
- The environment that was acquired has a security architecture: The Parent environment’s security posture is just too expensive for an attacker to go after, given what they may gain in value, making it incredibly difficult to directly target it. Instead, the Acquisition is the target of a threat actor.
Malicious hackers can undertake reconnaissance on the acquired company to assess whether it has a weaker Microsoft security posture than the Parent if they are aware of a pending acquisition. Having access to the Parent via the weaker acquisition environment can be a more attractive objective.
Different service providers most likely give help for the Acquisition. If one of those service providers becomes vulnerable, a threat actor may enter the environment of the Acquisition and then access the Parent. Consider your relationships with vendors carefully as they may introduce Microsoft Security problems and architectural weaknesses as well as bring a potentially unexpected compromise.
Microsoft Security :Increased diligence is needed
Depending on the company, industry, and region, different due diligence processes will be followed by each company when investing. Although there isn’t a single standard for everything, businesses need to do it right and recognize any potential problems they might be inheriting.
Ultimately, whatever unknowns are present in that environment are being acquired by your firm. That being the case, it is important to ask before, during, and after a merger or acquisition. Anything persistent and any open backdoors that have an impact on your surroundings offer a direct route into the Parent organization.
Security questions to ask before a merger or acquisition
Both parties must support honest and open communication when sharing technical information. Decide to be transparent. Both parties should be aware of the expectations from the initial stages of exploration through the official merger and acquisition negotiation process so they don’t miss anything important.
Acquisitions and mergers are complex and dynamic processes. Business leaders need to be aware of the attack surface they are bringing on board to achieve the economic goals of mergers and acquisitions. An important aspect of any due diligence procedure is finding and cataloging the partner company’s resources and digital assets, both online and within the corporate boundary. These include both known and unknown assets, as well as tools created by teams outside of security and IT, such as shadow IT. These audits cannot be contracted out or performed only for compliance. They are top goals that every CEO should take into account to secure their investments.
Building a baseline set of well-known facts is the first step. During your initial discovery phase and as part of a proactive assessment, ask the following questions:
- What is your basic security structure?
- What is your antivirus and is it up to date?
- What is your EDR solution?
- How are you managing identity protection?
- How are you managing data access protection?
- Does the acquired company meet the current security standards of the Parent?
- How are security issues triaged?
- Do you have a form of central logging solution?
- How are you tracking and repairing your online vulnerabilities and compliance risks?
To learn more about their history of compromise as you progress through the due diligence steps, elicit the following information:
- What is your history of security compromise?
- When did these compromise(s) occur?
- What are the details?
- What are the root causes of those security compromises?
- How were the threats mitigated?
- Do you have a post-incident review process? What were the results?
The most important inquiry to make following this admission is, “Did you fix it? What happened if the Acquisition was the target of a ransomware attack or other cyberattack? What is your patching, we inquire, if the Acquisition has an unpatched vulnerability and was able to privilege-escalate to the domain admin and install the ransomware.
Identify the causes of past events before establishing legal frameworks so that they can be fixed. Ignore this advice to stay away from non-celebratory fireworks.
Security questions to ask after a merger or acquisition
Establishing trust or integrating hundreds or thousands of systems into the parent company’s enterprise architecture is, arguably, the biggest threat to mergers and acquisitions security. There should be a security risk analysis of the status and configuration of those systems. After the merger, the parent company may be put in danger if the subsidiary company has any malware or backdoors for advanced persistent threats (APTs).
Risky choices and security flaws turn become liabilities for the Parent firm. Additionally, threat assessments must be updated to reflect any geopolitical modifications brought about by the mergers and acquisitions process. For instance, a small components manufacturer might not be expected to be knowledgeable about the threats faced by more established threat actors (such as Phineas Phisher2), but one that has been acquired by a global oil corporation will have to be.
Decide how to integrate that environment into yours while defining the necessary technical procedures. Use the information acquired during the pre-merger question and answer sessions, such as compromise exposures and a review of the Acquisition’s current security posture against a reference standard. You must raise the acquired company’s security posture to your level to integrate it into your environment. Basic security procedures will need to be set by the Parent company. Here are some ideas for selecting and analyzing:
- Analyze the risks involved in the acquisition of the existing systems.
- Apply corrective action in light of those findings.
- Know whether the data is on-premises or in the cloud and the schedule for merging the networks.
- Understand the system retirement and asset refresh processes.
- Conduct a penetration test or risk assessment and examine security policies and security gaps.
What actions should companies take?
When businesses are compromised within an hour of concluding a post-merger integration, the Microsoft Detection and Response Team (DART) was called in to deal with the situation. In these cases, the parent company’s Microsoft Azure Active Directory (Azure AD), third-party identity providers with any type of federation, and on-premise Active Directory forest all are available to the threat actor’s subsidiary backdoor via two-way trust.
The potential link between the backdoor of an APT actor discovered in DART’s environment and the fact that its new Parent company’s bid was the lowest amount—to the dollar—that they were willing to accept during the acquisition has also been made clear to DART’s consumers. Many of DART’s customers request security assessments before, during, or immediately following mergers and acquisitions for these and other reasons.
Take these steps:
- Early on in the discussion, establish the parameters for disclosure and the depth of information disclosed about security issues. When establishing the legal framework for how the merger and acquisition will work, make this a regular component of the exploratory process.
- Perform a security assessment before mergers and acquisitions, whether it be a proactive threat hunt possibilities offered by systems (Mac and Linux) and external identity providers, an Azure AD security assessment, or a measurement of the environment’s security posture’s maturity.
- Early in the mergers and acquisitions process, put a priority on analyzing and improving security visibility and logging. This allows first-party and third-party security teams to identify security issues quickly and take appropriate action. Prioritize protecting identity, access control, and communications when faced with threats associated with mergers and acquisitions.
- Focus security and risk audit on creating a list of the company’s assets and digital resources, including its external attack surface—a list of assets with internet exposure that an attacker could use to establish a foothold for an attack. A range of hygiene issues, corresponding indicators of compromise and vulnerabilities, and compliance problems can be illustrated by external attack surface management (EASM) products, providing mergers and acquisitions teams with the base they need to conduct a cyber risk assessment and guide post-mergers and acquisitions programs.
Cybersecurity risk in mergers and acquisitions is a growing concern for decision-makers in IT security and business. The amount of that risk that can be managed will depend on how much time is given to the IT security teams to conduct detailed assessments, due diligence, inventories, and put more controls in place.
Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.
For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com