You may have heard that the sale of Yahoo to Verizon is being delayed. This is obviously bad news for Yahoo. But honestly, it's probably great news for infosec.
At Rendition Infosec, we've worked a fair number of breaches over the years involving new organization acquisitions. In every case, the acquiring organization failed to perform good due diligence on the purchased organization. They certainly did a financial audit, but failed to perform a security audit. The value they paid to acquire the organizations was in every case too high, since the price was calculated without knowing about an ongoing breach.
So is the case with Yahoo, only the deal isn't complete yet. You can bet that Verizon will pay less for Yahoo than originally planned if the deal goes through at all.
However, this isn't the case with most acquisitions. In most cases, the purchase is complete before the breach is discovered. And unfortunately, the purchasing organization is left holding the bag in these cases. They paid more for an organization than it was worth and likely have buyer's remorse. For smaller acquisitions they might also spend more on the incident response, breach notification, and reputation damage than they paid to acquire in the first place.
Then there's the very real concern that the smaller organization is being used as a compromise vector for the acquiring organization (which likely has better security). We've seen evidence strongly suggesting this has happened in at least one case (and circumstantial evidence for other cases).
Given the importance of cyber security in today's marketplace, M&A teams would be wise to use threat hunting from external teams as a resource. The cost of threat hunting, while not cheap, is far cheaper than making a bad purchase. We anticipate that contracts can be structured such that if compromise is found, the acquired organization pays the bills for threat hunting. Even if this isn't the case, the cost is cheap insurance for the acquiring organization.
If I'm reading the tea leaves correctly, this means more threat hunting jobs by external teams. It should go without saying, but internal teams are certainly not what you want doing threat hunting for this purpose. All in all, this is great for infosec, particularly firms that specialize in DFIR. I'd be remiss not to mention to you that Rendition Infosec provides these services using our own internally developed proprietary hunting software. But whether you use us or someone else, don't acquire another organization without the due diligence of threat hunting.
At Rendition Infosec, we've worked a fair number of breaches over the years involving new organization acquisitions. In every case, the acquiring organization failed to perform good due diligence on the purchased organization. They certainly did a financial audit, but failed to perform a security audit. The value they paid to acquire the organizations was in every case too high, since the price was calculated without knowing about an ongoing breach.
So is the case with Yahoo, only the deal isn't complete yet. You can bet that Verizon will pay less for Yahoo than originally planned if the deal goes through at all.
However, this isn't the case with most acquisitions. In most cases, the purchase is complete before the breach is discovered. And unfortunately, the purchasing organization is left holding the bag in these cases. They paid more for an organization than it was worth and likely have buyer's remorse. For smaller acquisitions they might also spend more on the incident response, breach notification, and reputation damage than they paid to acquire in the first place.
Then there's the very real concern that the smaller organization is being used as a compromise vector for the acquiring organization (which likely has better security). We've seen evidence strongly suggesting this has happened in at least one case (and circumstantial evidence for other cases).
Given the importance of cyber security in today's marketplace, M&A teams would be wise to use threat hunting from external teams as a resource. The cost of threat hunting, while not cheap, is far cheaper than making a bad purchase. We anticipate that contracts can be structured such that if compromise is found, the acquired organization pays the bills for threat hunting. Even if this isn't the case, the cost is cheap insurance for the acquiring organization.
If I'm reading the tea leaves correctly, this means more threat hunting jobs by external teams. It should go without saying, but internal teams are certainly not what you want doing threat hunting for this purpose. All in all, this is great for infosec, particularly firms that specialize in DFIR. I'd be remiss not to mention to you that Rendition Infosec provides these services using our own internally developed proprietary hunting software. But whether you use us or someone else, don't acquire another organization without the due diligence of threat hunting.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.