Many organisations in today’s economy see a merger or acquisition as an attractive
business strategy to improve financial position and weather a down market. This
is especially true in the financial services sector, where even very large
organisations are being acquired by equally large organisations as a basic
survival strategy. While the results may favour shareholder value and workforce
efficiency, the impact of combining the IT infrastructure and IT management
processes of two entities can be profound.

The merged network problem

When large
organisations merge two complex networks made up of disparate types of
equipment, managed through many different interfaces, and governed by different
policies and standards, IT is left to plan and implement network changes,
determining how to consolidate devices, processes, and people to ensure
consistent availability, security and compliance. Add to this burden the
frequent demand by senior management to show significant savings as a result of
combining business infrastructures – often in a very short time frame – and IT
faces a Herculean task.

The approach
taken by many organisations that find themselves in this state is to install
firewalls that will dictate access from one infrastructure to the other until
the risk of each heritage network can be determined. Then IT begins an arduous
manual inventory of all existing equipment and assets. This is followed by a
similar manual effort to try to identify all the rules that have been
implemented in both networks to ensure security, privacy, and compliance with a
host of internal and external regulations, such as PCI-DSS. IT will try to sift
through the mountains of data generated by a host of vulnerability scanners,
trying to identify and deal with the most important risks and vulnerabilities
in the ‘new’ network before removing the firewalls separating one from the
other.

Risk modelling to the rescue

Rather than
resort to tedious, inefficient manual efforts, savvy organisations look to the
approach of risk modelling to support pre- and post-merger risk management.
This concept involves using automated solutions to collect information about
network topology, business assets, vulnerabilities, threats and
countermeasures. The software then creates a visual model of the network and
the asset “battlefield” where potential attacks can be simulated and potential
responses compared. Using such an approach can help the merged companies
develop a game plan to address existing and new risks quickly.

The benefits of
risk modelling to support network consolidation include:

• Quickly identify the real, immediate risks to business assets

• Quantify those risks in terms that are understandable to senior management

• Prioritise and fix security and compliance gaps in the resulting combined network

• Manage complex network topologies so as to ensure availability and connectivity

• Focus scarce resources on areas of highest risk

• Understand and quantify pre- and post-network convergence risk through what-if modelling

• Perimeter discovery – identify the true network perimeter.

Maintaining security and compliance

Organisations can
determine their access policy compliance status by automatically validating
configurations against network policies such as PCI, industry best practice or
custom organisational standards. In addition, rather than dealing with the
volume of information produced by vulnerability scanners, and trying to
prioritise the information based on inadequate data, risk modelling enables
security analysts to highlight the most critical vulnerabilities so they can be
remediated.

Using attack simulation, IT security and compliance managers can use the network
model to determine which access paths allow the exploitation of vulnerabilities,
leading to critical business assets being compromised. Automated risk modelling
allows an organisation to quickly evaluate its security and compliance posture,
assuring senior management that they are secure and focused on the right IT
priorities.
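The following is an added illustration (not code from the article or from Skybox Security) of the attack-path and what-if analysis described above: a constructed network model with zones, firewall permits, scanner findings and business assets, searched for paths from the untrusted zone to assets, first with the two heritage networks separated and then with an interconnect rule added. All hosts, zones, rules and vulnerability flags are constructed sample data.

```python
from collections import deque

# Constructed sample topology (not from the article): hosts grouped into zones
ZONES = {
    "internet": {"attacker"},
    "acme_dmz": {"acme-web"},
    "acme_core": {"acme-db"},
    "beta_core": {"beta-erp"},
}
HOST_ZONE = {h: z for z, hosts in ZONES.items() for h in hosts}
# Constructed scanner findings: host -> carries a remotely exploitable vulnerability
VULN = {"attacker": True, "acme-web": True, "acme-db": False, "beta-erp": True}
# Constructed business assets whose compromise is the risk being measured
ASSETS = {"acme-db", "beta-erp"}
# Constructed firewall policy: (src_zone, dst_zone) permits; same-zone traffic is implicit
PRE_MERGER_RULES = {("internet", "acme_dmz"), ("acme_dmz", "acme_core")}
POST_MERGER_RULES = PRE_MERGER_RULES | {("acme_dmz", "beta_core")}


def attack_paths(start, rules, vuln=VULN):
    """Breadth-first search over the model. A host counts as compromised when an
    already compromised host's zone is permitted to reach its zone AND the host
    carries an exploitable vulnerability. Returns {host: path_from_start}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for host, zone in HOST_ZONE.items():
            if host in paths or not vuln.get(host, False):
                continue
            if zone == HOST_ZONE[cur] or (HOST_ZONE[cur], zone) in rules:
                paths[host] = paths[cur] + [host]
                queue.append(host)
    return paths


def exposed_assets(rules, vuln=VULN):
    """Business assets reachable by an attack path from the untrusted zone."""
    return {h: p for h, p in attack_paths("attacker", rules, vuln).items() if h in ASSETS}


def what_if(before, after, vuln=VULN):
    """Delta of exposed assets between two policies: the new risk a change introduces."""
    return set(exposed_assets(after, vuln)) - set(exposed_assets(before, vuln))


if __name__ == "__main__":
    print("pre-merger exposure:", exposed_assets(PRE_MERGER_RULES))
    print("post-merger exposure:", exposed_assets(POST_MERGER_RULES))
    print("new exposure from interconnect:", what_if(PRE_MERGER_RULES, POST_MERGER_RULES))
    print("after patching beta-erp:", exposed_assets(POST_MERGER_RULES, {**VULN, "beta-erp": False}))
```

The last line shows the remediation what-if: patching the one vulnerable host on the new path closes the exposure without reverting the interconnect rule.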

Ensuring network availability

By collecting
configuration data from all devices in the network, the risk modelling approach
provides the network visibility that most organisations lack. It is much easier
for IT to look at a network map that includes all the devices in the combined
network and captures all device behaviour, enabling personnel to spot potential
problems. In analysing connectivity issues, the root cause and path of a
potential or actual network outage can be identified. This can be a big help in
ensuring that network issues do not impede the already stressful merger
transition.

Network
consolidation in an M&A scenario is very much about business costs and
risks. Using a risk modelling approach, the network and security teams can
gather quantifiable information about assets, risk levels, and the tradeoffs
between IT expenses and security or compliance levels. This helps business executives
define the business resources needed to ensure an acceptable level of risk
throughout a merger of two infrastructures.

Conclusion

Mergers and
acquisitions hold out the potential for massive cost savings and organisational
efficiencies. However, the task of merging disparate networks almost always
brings new burdens and complexity for IT security and risk management staff.
Those who have succeeded at network consolidation view the approach of
automated risk modelling as a key factor in their success. The use of risk
modelling tools enables IT to quickly understand the converged network, spot
exposed vulnerabilities, prioritise risk scenarios, and maintain a secure,
compliant network while ensuring continuous availability.

By Gideon Cohen, CEO and Founder, Skybox Security, Inc