
Hello everyone, good afternoon and welcome to BSides Las Vegas. I am Hara Nikar, and this talk is on "Navigating Security Pitfalls During M&A: Playbooks and Strategy for Doing Acquisitions Right," given by our speaker Vin Prahu Shanker. Before we begin I have a few announcements to make. We would like to thank our sponsors, especially our diamond sponsor Adobe and our gold sponsors Prisma Cloud, BlueCat and Toota. It's with their support, along with our other sponsors, donors and volunteers, that we make this event possible. These talks are being live streamed, and as a courtesy to our speakers and audience we ask that you check to make sure that your cell phones are set to silent. If you have any question, please use the
audience microphone so that YouTube can hear you as well. And with that, let's get started. Please welcome Vin.

Hey, hey. Hope everyone is having fun at BSides. Last few talks, so bear with me. Awesome. So I'm here to talk about M&A security. Security is a complex landscape, and mergers and acquisitions even more so, and it's one of the critical aspects that requires careful consideration. So hopefully, no matter where you are in your careers, and whether you've done M&A or not, you have some takeaways here to go and apply back to your programs. I'm Vin. I work as a security lead at Snap. I primarily have worked in
product security before this. I was lucky to be associated with over 20 acquisitions throughout my career, and one of the most interesting ones was Yammer. So, anyone remember Yammer? Yeah, there you go. That was Microsoft's attempt at a social network, but they're doing pretty well with LinkedIn, so there's that. That was when I was at Microsoft. We are hiring, so please come and talk to me and learn more about the infosec program. We also have a security lead here from our company who is also hiring, so please go talk to him. And we do have a bug bounty program on HackerOne, so please participate, and if you want to know more,
please come chat with me. This was another co-presenter of mine who unfortunately couldn't make it due to a family emergency, but hey, thanks Mly, and hope everything is good with you and your family.

So today I'll be talking and giving you a crash course on M&A. These are all the things that I wish I had known when I took over the M&A program and we started doing this, as just a security engineer who started doing mergers and acquisitions. So hopefully a lot of you will see how the sausage is made behind the scenes and sort of get a glimpse into the M&A security world, which is sort of not very
common, right? Not a lot of companies are doing M&A. M&A is kind of hidden, and it's within the corporate development strategy teams. So hopefully you can take away some of this and see if it actually applies for yourself. We'll talk about some key stakeholders, how M&A is done, what the different strategies are, and we'll talk a lot about the pre-acquisition phase, which is all the things that happen before a deal is closed. And then I'll talk about what happens after the deal is closed. And basically throughout, I'll give you some case studies, some things that may or may not have happened at my company, and nothing can be
accepted or denied. Hopefully you'll have some takeaways. Hold your questions for the end, or if you have a question in the middle, please feel free to walk up to the podium.

Just a few disclaimers, the obligatory "your mileage may vary." This worked for us. We had a short time frame to do M&As and we did about 20 of them, so we had to do a lot of innovation and sort of adopt new processes. You might have a much bigger and better M&A program, or you might be starting off, so take it with a grain of salt, and if there are areas of improvement please come
talk to me, and if you want ideas, or these playbooks or these strategies, I'm happy to pass them along. Oh, and if any of you did not watch Succession on HBO, I'm sorry, the memes may or may not make sense to you, so hopefully you forgive me.

Awesome. So essentially, take this slide and see how M&A is moving from a very busy cycle to starting to slow down now, right? So M&A is very cyclical. During the boom cycle and the bust cycle it goes really up, because when valuations are very high companies go shopping, and when valuations are really low companies
go up for sale. So this is the transition period. Think of 2023 as a slow period when there is economic uncertainty and valuations are getting readjusted, so a lot of M&A activity has slowed down, but the general trend is it's going to start picking up. And then here, if you see, it also depends on sectors. There are some sectors where it's still kind of happening, right? Like energy and natural resources, it's still happening; financial services, it's still happening. So generally the valuation and EBITDA give you an idea of whether the M&A activity is happening or not. So in tech, if you see, it's fallen drastically, but that kind of helps reset
and reevaluate for next year. So the general takeaway is that deal making is resuming, so be prepared, and hopefully you can take back some of this to your team for next year.

So one of the things about how an M&A program works is it comes from the corporate development strategy. There is a centralized team within your company called Corp Dev. So if anyone hears the word "Corp Dev," they're just a team who's thinking about how to do M&A, right? So you're a business development manager or you're a VP, you go to this team and you say, hey, I want to do an M&A, I want to add a new product or
service or feature to my portfolio. Then the team goes and evaluates it and sees potential options. Sometimes you can bring options to them, and they then pursue that deal. That's sort of how the M&A life cycle begins.

So one of the useful things for you to understand as a security team or a security org is what your company strategy is. Your company could just be opportunistic; those are companies like DocuSign or UiPath, right? They're very strategic, they don't do too many acquisitions. Then you have the companies like Spotify or Roku or Slack, which kind of acquire just to add new product capability, right?
So for those companies it's moderate deal volume, and it's very focused on specific business units. Then you have the large companies like Microsoft and Google, which have huge Corp Dev teams, right? They have entire teams which specialize in M&As; they have teams which can help with integration, with due diligence, and that's a much different and more complex landscape. And then you have the serial acquirers, right? So all the companies out there, they're hoping to get acquired by Palo Alto Networks someday. So that's sort of the serial acquirer strategy. Depending on where your company fits, you can then plan
your own infosec program around that. So a good thing to do is just go talk to your corporate strategy team and say, hey, where do we fall, what's our six-month to one-year roadmap? Do be prepared, and the business likes this. Depending on where you land here, your deal volume will either increase or decrease. So the basic takeaway: go talk to your Corp Dev team, don't be scared, get input from them so that you can plan your infosec program accordingly.

So why should we care about M&A security, right? As security
people we have a lot of priorities, right? Everything is a priority. So why do we care about this? Well, one good reason is the classic unknown risk, right? So just like open source security, you have M&A where you might have the most robust defenses within your org, but then you hire a 20-person team or 30-person team whose focus is not security, and they come in with either a vulnerability or they come in with malware, and then your whole ecosystem gets affected, right? So it's important to look at M&A and do the right diligence so that your whole security posture doesn't get affected by sort of the
weakest link, right? It's back to basics; this is just basics. So let's think about also the business impact. Who here remembers the Yahoo deal, right? Yeah, exactly. When they did the diligence they found that Yahoo had been breached, and that actually, for the first time, put a dollar value to the risk, right? So immediately their value got knocked down, and that actually created input into a lot of M&A teams to start going and doing the right due diligence. And then there was Marriott, right? So Starwood at that time was one of the largest US hotel chains, and they
got bought out by Marriott in 2016. I can see some people are recognizing the meme here. So in 2016 when they bought it, they then realized that Starwood had a breach in 2014. So for two years their network had been breached, they had active malicious actors within their network, and when Marriott and Starwood then integrated their systems, guess whose problem it became, right? It just then became Marriott's problem. So Marriott had to pay massive fines. And all of this, I mean, I'm not trying to point fingers, but essentially all of these could have been unearthed if the right due diligence strategies were done,
which did happen with Yahoo. But that's one of the reasons why you want to care about M&A, or when you're trying to buy a company, to make sure that you're not owning their risk, or at least bring it up to the business that, hey, this risk exists, and the right valuation for the deal can be done.

So this is sort of the big picture of how an M&A is done, right? You have the whole period before the deal is closed, and then the deal is closed. So you have the pre-acquisition due diligence, and post close there's a bunch of post close activities that are
done. So I'll bring this slide up a couple of times because you'll see this over and over again, but essentially there are a bunch of activities before and then after. The whole deal timeline is about 8 weeks, right? So you have about 8 to 16 weeks; you're given only 8 to 16 weeks, which, considering a lot of other priorities that your infosec team has, is just a compressed timeline. And then depending on how you are going to integrate the company, you might take 6 months, and sometimes even more than a year, for integrations. The larger and complex deals we've had just take like a year or two. So yeah,
so let me talk about each phase as we go through the presentation. Yeah, let's go get the deal. Now we know the life cycle, let's just go and get the deal done. No, it's not that simple, but anyway.

So why do we do pre-acquisition due diligence? As a security org, when you are brought into the deal you're basically told, hey, we're going to go and acquire this company, we have about four weeks, tell us what the risk is. This is typically how it starts: someone from Corp Dev will reach out to you and say, give me the risk. So you start from basically knowing
nothing about the company. And so one of the big outcomes that you want from doing this pre-acquisition diligence is to tell the business, hey, what actually is the risk, right? They don't care about how many vulnerabilities they have, they don't care about what their EDR strategy or what their infosec strategy is. At the end of the day you have to give them some metric of risk, or a view of risk, to say, yes, these are the red flags and these need to be fixed, and these are okay and we can own this risk, right? So make it
easy for your business to be able to tell what the risks are. And the second thing is you want to know what the security posture of the target is, right? You're acquiring a target, you want to know what their current security posture is. Do they already have everything figured out, do they have SAST, DAST, everything integrated, or do you have to do a lot of work once you buy them, right? So just having a picture of their security posture will help you with your infosec plan for the next 6 months or a year. Otherwise you're blindfolded, you have no clue, and then all of a sudden a deal
closes and then you own all this risk. So having this in advance, your business will really appreciate this, and your infosec and your CISO will be super happy, because now they know what's coming down the pipeline, and half the challenge is just understanding what's coming down the pipeline. The other thing is, when you uncover high or critical risks before the deal closes, you actually have a carrot, right, and not the stick. And I like carrots and not sticks, right? So having that carrot and saying, hey, go fix these before the deal closes, will make your life much easier, because the
team that is getting acquired actually has an incentive to go fix this, right? Everyone's going to get quite rich if the deal goes well. And then finally, once you have it, it'll help your infosec team to plan and prioritize the integration, which all happens in the future. Go for the question.

[Audience member:] Have you seen the economic value of the deal affected based on the findings pre-close, presumably down, but do you have any input on that?

[Vin:] Yeah, absolutely. I mean, without going into too many details, we did have a few deals where we looked at the security posture and said, hey, this tech stack or this integration is going to take much more than what we
expected, and so then we had to go and give back that feedback. We were able to tell things like, hey, you would need an extra two headcounts to even bring this tech stack up to the same tech stack as our ecosystem, right? So just giving that feedback early on is super helpful for them to then be able to value the deal correctly, or at least plan for headcounts, and how long the integration will actually take, how long until the business can actually extract value from the deal. Because if you wait till the deal is done and you go tell them that, hey, these
are the blockers, you cannot integrate it immediately, then all of a sudden you're becoming a business blocker, and you don't want to be that. As a security team you want to be a business enabler.

So this is the big picture of how due diligence occurs, right? Imagine you're a security team, you're given, hey, this is the target, you have about 4 weeks, you can start talking to them and go get some information from them and find out what their security posture is and tell me the risk, right? So you're then going to go to the team that you're acquiring, and for those of you who
have done M&As or Corp Dev, you will remember the due diligence software that they send you, which in itself is a pain, but anyway. So you basically get a window of opportunity to start talking to the target. You're usually given access to the CEO, or their CISO if they even have one, or their security team if they have one. But typically you have to understand, depending on the size of the deal, this could be like 20 people to 200 people, and then sometimes you have just engineers, or sometimes you're just talking to the IT team, right? So
whoever you have access to, you should make use of them. You can send them a due diligence form, right? And in the due diligence form, think of this like a health form, right? You're giving them this checklist and saying, hey, fill these details out for me so that I can understand what your different tech stack is. Tell me what kind of assets you have, what cloud services you have, what cloud hosting providers you have, what your network architecture is, right? So you start there, and once you get
that, you can scope an assessment. Typically you scope this assessment with the help of a third-party security vendor, and one of the big reasons for using a third-party security vendor is that that way you don't have direct access to the target's IP. A lot of the time the targets will just not be comfortable with you going and looking at their IP, at their source code, because, hey, you're trying to acquire them, and sometimes deals do fall through. Not all deals go through; that's the most important thing you have to remember. A lot of times the deals don't go through, so the targets are not comfortable giving their IP up.
So using a third party as a code escrow, a lot of times, is how you get over this barrier. You go to the third party and say, hey, this is the kind of target that we are going to acquire, here is their tech stack, let's do a two to three week assessment on that, right? Again, the timeline is super compressed: you have 2 to 4 weeks, all of this activity happens in 2 to 4 weeks. And then once you do that, they come back with a bunch of findings, and depending on the findings sometimes you might want to do a deep dive, and by the deep dive I mean a compromise assessment, and
we'll go into details of what a compromise assessment looks like. But if there is no compromise assessment, then you sort of work with your internal vulnerability management team and say, hey, here is a bunch of issues that we have found, let's track them and fix them, right? So this is sort of a high level picture of a 4 week sprint towards finding issues within your target, getting them fixed, and at the same time presenting a risk to your business.

So some of the activities that our team does when we look at acquiring a company are these, right? We start with the architecture review, and why do we do this? A lot of
times, the companies that we are acquiring are usually between five and 50 people, and those companies a lot of the time don't have an architecture diagram, they don't even have a data flow diagram, they have not mapped their network. So this is a good time for you to then get the information, and a lot of the time, because again of the carrot versus stick approach, when you have a carrot things start moving, right? The teams will start drawing those diagrams for you, the team will start giving that information, they'll start offering that information over to you. So that's one of the things you should do; the base
is to start off with an architecture review. Once you do that, you do your recon, right? That's the attack surface analysis. You go talk to your threat intel team, go talk to your purple team if you have one, and start getting input into what their assets are, what their cloud hosting provider is, what their SaaS environment is. And then also look at their source code, right? So this source code piece only the third party has access to, so you kind of have to give your third party a clear direction as to what you're looking for. So some of
the things that we look for are credentials, simple things like credentials, but we also look for the source code sanity, right? Do they have things like just SQL concatenation, or do they actually have much more well-written and well thought out code? How difficult is it going to be to integrate the service onto your ecosystem once you purchase it, right? So those are the signals we're looking for. Is it a completely different language that you don't have any clue about? Like if someone's using Scala and you don't use Scala at all, that's a good red flag to bring up to the acquisition team
and say, hey, this is a completely different tech stack, you might have to rewrite this. And this is where you're starting to move from just wearing the security hat to actually the business hat, because you're giving signals to the Corp Dev team that, hey, you might have to build this into your deal; this might not be a six-month deal, this might be a year long sprint. And then we do a network and infrastructure scan, we do a quick penetration test to find out what the footprint is, because remember, a lot of the time once the deal gets closed, if it gets
announced in the news, you have a lot of folks, especially from the bug bounty program, who start poking in, right? They start poking into this target that was recently acquired and they start submissions into your bug bounty program. So things like these, if you have not thought of this, start thinking through these things, because the moment you close the deal and you own the domain, the hackers will go run whois and they start seeing, oh, this is owned by Snapchat, Snapchat is the parent domain, and they start poking and they start submitting. So just having that insight into
what domains they own, all of that, it's better to have it before the deal is closed. And then of course, right now on everyone's mind there is SBOM, so just having an idea of what their open source sprawl is, and I can see a lot of people nodding, and this is the reality, right? So you just want to know what kind of open source software they use. And finally, logging. That's the most critical piece. If there's one takeaway you want from here, it is: before the close of the deal, make sure that they turn their log collection on. And a lot of the time, in a lot of deals, we
saw that they did not have log collection turned on. They did not have CloudTrail, they did not have CloudWatch turned on, so we went and asked them to turn it on. And when you do this, you then have four to six weeks of logs at least at your disposal to go do forensic analysis, to see if there are any indicators of compromise or if there's any malicious activity, right? So, bare minimum, these are the things that you need to do, and remember all this occurs in 2 to 4 weeks, so don't complicate things. All these playbooks, just build them into your project management system,
right? So this, we just used our own Atlassian software, that's all we did, we just built this. And this is useful for tracking, right, because remember, at the height of our acquisition timeline we were doing about two deals per month, which means that we had multiple people on the team going and running the playbook. And I have some people smiling here because they remember that time when we were doing multiple deals in the same month. So having a playbook which is easily executable by multiple people on your team will save you a lot of time.

So some of the examples that I have that come to mind
that hopefully you can take away: we had deals where we started doing the diligence and we saw that there was an earlier ransom event. The target that we were trying to acquire had a ransom event. So you have to be prepared for anything. How do you handle it from there? Once you see that something like that occurred, how do you start mapping your due diligence? You have to go much deeper; it's not enough to just do a network scan, now you have to go do forensic analysis, right? So be prepared for that. We had a deal where we were
talking to the target and our threat intel team gave us credible input that they were actually being looked at by a nation-state actor. So all of a sudden your threat profile changes, and especially for Snapchat, because our sort of adversary is nation states, right? Think about someone who wants to take over your account, someone who wants to do blackmail; it's a much different threat profile, and some of the other social networks, I can see them nodding, but that's sort of your threat profile. So depending on who you are and what your threat profile is, you might have to consider doing much deeper dives
during the due diligence. Large and complex environment: what do you mean by large and complex? Essentially where we have things like hardware. We have a hardware division, so sometimes we go and acquire companies that manufacture components, right, hardware components, and they have a completely different environment. They have labs, and in the labs they have things like manufacturing equipment, they have IoT sprawl. So all of a sudden, from doing software, we started looking at companies which are doing hardware for a living, right? So that's a completely different way to look at due diligence there. And then, irrespective of what the environment is, if the deal size starts going towards a threshold of
hundreds of millions of dollars, you just want to do a deep dive, right? Because at that price point it's better to be sure and try to do as much due diligence as possible, to make sure that you're not owning or buying a company which is being breached. So the takeaway here is: try not to buy a breach. That sounds easy, but the more signals you can gather from the company before the close, the more risk you can present to your team so that they can then make the call, right? So that's basically my takeaway.

Okay, so a compromise assessment is basically a deep dive. Anytime you see that you want to go and
find out a little bit more about the company, and it's not a straightforward deal and it's going to be integrated deeply into your ecosystem, you do something called a compromise assessment. As fancy as the name sounds, it's essentially installing an EDR and doing forensic analysis on the environment, right? At the end of the day that's what you're doing: you're installing agents, you're waiting for 4 to 6 weeks, you're looking at the network, you're making sure that there are no indicators of compromise, right? And there are companies that do this for a living, right? Remember, when you get breached, you pick up the phone, you
call Mandiant, right? So there's a lot of companies that just do this, so make sure that you engage them way in advance. But when you engage them, you have to make sure that you have logs turned on; you have to have these assets early on so that you can then hand it over and make sure that they can do these investigations. So some of the things that we look for: well, we sometimes just look for commodity malware infections. All of these we have learned the hard way, so we wanted to pass on lessons for you. And then a lot of times the output of this can become input to the vulnerability
management, because a lot of times they would not have thought about doing proper network configuration on their network, right? Because these teams are resource constrained and they don't have dedicated security teams. So essentially, for a compromise assessment it's the same; this can be done in parallel. As we're doing the due diligence you can do this in parallel. You essentially go and install real-time monitoring agents, and then you do the analysis and reporting, and then once it's done it's basically considered just like any other assessment report and you start mitigating, right? So hopefully during this time you don't have to call Mandiant;
that's basically the takeaway. When this is happening, which, touch wood, we haven't had to do yet.

So a lot of times when you're doing pre-acquisition due diligence you might run into these sort of edge cases that I wanted to share, and some of the lessons that we learned, right? One thing is, when you're trying to acquire any company that is based in the EU, you have to be really careful about their privacy policies. They're not comfortable with you going and installing agents onto their network. So remember, only your team and a few people within the target are privy to the deal, right? Everyone else has no
clue that this is happening, and you cannot reveal to them that you're actually evaluating them to buy them out, right? So this is during the due diligence period. So what we started doing is, whenever we engage a team in the EU, we would also include a data security statement, which means that we would give them an insight into what actually we are going to do by installing these agents, and that we're not collecting any employee productivity data, that we're not collecting anything related to employee activity; it's more about the host activity, right? So just clearly telling them that this is what's happening saved us a lot of
time, because in one of the deals this took us almost two weeks to unblock, right? And with deal timelines between four to 6 weeks, losing two weeks is a big deal. In another deal, when we were trying to acquire a company, we saw that the IT team did not have the capability to actually install agents onto their hosts; they did not have a centralized way to manage their cloud assets, right? So this was a blocker, because without that we cannot even roll out agents. Especially during COVID, the employees could not come to the office
to get these agents installed, and they had turned on things like no USB and things like that, and they also had turned on no remotely installed software. So in a way security was becoming a blocker, because they had turned on all these security features to not be able to install or run scripts remotely, but that's exactly what we wanted to do, right? So think about those things early on in your deal, so that you can then do things like, well, we are installing this new EDR, so everyone come to the office. And we had to kind of do it that way, right? So it sounds trivial, but just having this
when you're doing your due diligence, and asking them, hey, do you have the capability to actually install and maintain your hosts remotely, that's a critical question to ask. And then once the deal closed we realized that our own company did not have a BYOD policy, right? Snapchat does not allow you to bring your own device, but we had a 6 months to a year supply chain nightmare; a lot of times people could not even find the laptops, right? So how do you then allow the business to work with you? So we had to go back and redesign our infosec policy, and we had to sort of work with the CorpSec
team here and then put in BeyondTrust and zero trust networks, and then we were able to unblock these teams. So just being able to prepare for these kinds of scenarios was critical for us, and some of this we just couldn't anticipate. So even though you do everything right, there might be some curve balls, but just be ready for it and adapt to it, because the last thing you want to do is lift your hands and say, we can't enable the business, right?

So again, I'm coming back to this slide. We finished all the pre-acquisition due diligence now, so we were able to
go and tell the business that, hey, these are the immediate risks, these are the things that we want you to close. And now I'm going to talk about the post close process. In the post close process, essentially, you go and do a deep dive gap analysis and understand what the team is missing, right? What are the different controls that they're missing? You prioritize that with their business and with their security team and their IT team, and then you give them a multi-month roadmap and tell them, hey, this is how we are going to start bringing you to the maturity that our company is at, right? So
that's the goal. The goal is, at the end of the day, you want to bring the target to the same level of security as you, and you want to also have exit criteria defined, because without exit criteria integrations can linger on indefinitely. And the exit criteria could be different for different teams, right? So I'll talk you through some of the exit criteria that we chose for graduating the M&A, right? Once you close the deal, when do you actually graduate them?

So post close integration we kind of bucketed into three different areas. First, we try and find out
all the asset inventory and I know you might be thinking hey we already did this during the pre pre-acquisition diligence form right like we we got all the asset inventory from them why are you do doing this again well guess what turns out that you only have you can you can only trust but you can't verify right before the deal is closed you ask them a question and they'll give you an answer and that's all you're just going by that right so you actually don't know what all assets they have we have found that 50% of the time that what the due diligence form is filled out is not accurate because someone is running a
shadow it someone's gone and started their own cloud account somewhere so working with their it and Sr team after it's closed is crucial to understand the asset in inventory and once that's done we do basic onboarding them security tooling and here the biggest thing is work with your corporate security team because here the bare minimum you want to do is monitor their assets and their Network so if this is corporate security heavy because at a minimum before even thinking about SASS and Das and all that fancy stuff you want the basics covered and that your corporate security team is is your friend there and then finally once the deal is closed sit down with your business and the acquisition and
talk about what is the business plan like what are you trying to do with this company now that you have acquired are you going to integrate it within the next 3 months are you just going to you know deprecate it within the next 3 months depending on this you can plan accordingly because you don't want to go and write up this huge integration plan and the and the company is like well we're just going to like Sunset the product right so just having that open and honest conversation with the business will help your infos team to be better prepared for the things that are coming down the line so this is sort of like our mental
model to understand how Integrations are done right so the main takeaway here is you want to know where where what are you going to do with the company once they're closed right so is is it going to be a full integration is is all the products and services are going to be integrated into your ecosystem are you going to all do a lift and shift into your network or into your Cloud architecture into your micros service architecture so that usually would would mean then you would have to learn plan for it accordingly right so if it's just a aquire where you're just like going to deprecate the whole system and then you're just acquiring the talent and
then maybe an SDK or something like that then your integration effort is pretty low right so you can then go and prioritize it on another acquisition which is actually slightly more complex right so having a mental model here and presenting this to the management can then help you get the resources that you need to go and do this integration right so there were times when we had limited Integrations which means they operated separately but we then opened up apis between between both the companies right so that was that was a different integration scenario and then finally we had a company where we just operated them with at arms length and they kept operating it think about like something
like GitHub or LinkedIn where they just operate at an arms length and you just integrate as and when needed right so so having this mental model and present to the business is crucial same thing when you want to do an integration Playbook so remember the pre-acquisition due diligence Playbook I gave you a bunch of activities the same way post close you want to have a mental model of what are the priorities you want to have a checklist again when I say checklist remember these checklists are extremely flexible this is not a hard hardcoded checklist right you want to have a checklist checklists are good as long as they're not hardcoded and as long as they're flexible right when you
can go and modify them so we went and talked to all our internal security teams like depending on how big your security team is everyone will have their own requirements so go collect the that requirements and then pres and create it into an operational Playbook and present it to the Target right so give them that hey this is what we expect from you and they once they look at that take their input and understand which ones is actually re relevant to them some of these activities may not be relevant to them and they'll be open and harness so keep that in mind so make sure that you're you have a checklist but make sure they're also flexible so
we just built out a Playbook using our own project management system you can have your own project management system uh but keep it simple right let's keep it something that you can actually assign it to someone and they're hold and they can be held accountable so we had so for example we had we have our own productivity Suite right like we have we use internally we use G Suite or you might be using Microsoft Office 365 a company that you acquire might come with their own piece of software right so you might think oh it's just another productivity Suite what's the harm right let's let them go and do it but you have to understand
that just adding an extra productivity Suite means that your it team now has to maintain and manage a whole new system your corporate security team won't like it because now they have to go and put this onto their SSO they and their detection and response team will not like it because they have to like now write ttps for a whole new productivity software so just adding a new piece of software might sound pretty simple but having that open and honest conversation with the Target and explaining to them that why you cannot add this or why it's going to be a huge burden or at least have a strong business reason before approving them right so that's sort of
like what you want to do as as an infoset team is to give them the context like the more context you give we saw that there was less friction because just telling them like we are the mothership we're just going to tell no to you won't go well but actually giving them the context and explaining to them when watch well and the same way right like Cloud hosting provider if you want to just say okay let's add Azure tomorrow that's a whole different conversation with the infrastructure security team if you're just an AWS shop or a GCB shop right so so have those conversations early on yeah so the big takeaways here are to get the right inventory go and talk to
your I your Finance team because at the end of the day they are the ones who are going to pay the bill and guess what the moment the deal closes your target is going to put all their bills onto your Finance team so a lot of time we found that when we match the inventory with the finance team we added another 20 20 25% of the inventory so do that make sure that you have shared ownership of critical accounts on day one I'm exaggerating or day one but like try to get it done as quickly as possible but because remember we are in an age where you know things like reduction in force could happen they could be folks who
just leave after the deal but they might be the only owners of an account like remember these are small teams like 20 25 people right so there could just be one admin who's holding on to all the critical accounts and then you lose them when that person you know decides to leave the company and things like that so shared ownership if there's one thing that you can take away from the stock is make sure that you have Shar shared ownership on day one and that's that's a difficult conversation but you have to have that early on so that you can you know what their critical accounts are and and you have your it team or your
production security team has access to those and then make sure that you communicate early and often with your business right so every month we started sending out critical touch points and saying where the deal and how it's progressing because giving that that information then meant that the business then came back to us and say hey you know what 3 months later we we are planning to completely add new you know feature to this product or this service so sometimes having that communication early on gave us more input than that that we could then use for our integration plan right just working in silos won't help so go talk to all the teams that are involved and have like
monthly communication syns or newsletters or the ways that your team and the way that your team communicates with your company make use of those channels so finally we then went back to our customers who in this case are targets and then we asked them hey you know did at the end of the day you want to make sure that all of this is helping them improve their security posture right so you could be doing all these activities but you want to make sure that this is actually helping them so we went and directly asked them after every deal we made it a point to ask the target hey how did this help you and your security posture and sometimes they
gave us very valid feedback they said hey don't give us huge reports right so what we did was in in Li of transparency we gave them the whole report and said hey you know you have a penetration testing report go fix these issues but they just wanted to tell us exactly what to do don't don't give me a report just tell me exactly what to do so that was that was a useful input they also wanted to have you know high level overview they wanted to know what's coming down for them 30 60 90 days in a year right so give them this information in advance and we found that at least 90% of them said that they actually helped
right so this this was a success metric is like no matter what we do or how much security controls are you know checks we do does the Target actually think this is valuable and to our surprise they did find it useful right so for us that was that was a win finally so if you see we started with the pre-acquisition process and then we did the Gap analysis and found out what controls they were missing then we found out that how to how to do the integration right and then finally we had a graduation criteria like for some companies we had a graduation criteria such as like okay you you will be onboarded to our bug Bounty program
that's when you sort of are like graduated right so then there was a company where we said your graduation criteria is when we Sunset all your services and the reason was because they had active contracts right so sometimes you have to remember that these companies walk in with their own customers and their own contracts so you can't just Sunset them the second day so you want to then you then you end up owning a service which is around for a couple of years until those contracts run out right so having the having that kind of like due diligence helps you to know how to prepare and and give the right resources so takeway is make sure that
you balance the business and security priorities because those two sometimes could be you know in those two sometimes could be in Tangent with each other right so you you want to slow as a security team you sometimes want to take a step back and evaluate what direction that you the team wants to go to but the business might just want to Sprint and try to integrate and try to open up you know holes and try to start start getting data from each other right so make sure that you're balancing those business and uh security priorities cross functional collaboration is key here there is there is no way you your team can work in Silo and by yourself
you have to work with the finance team you have to work with the legal and it teams so have these sink regularly with these teams and make sure that you're getting their input oh there you go okay yeah so the one thing that I would also say is be humble because a lot of times you want to make sure that the team that you're acquiring also is able to give you input sometimes they might have much more robust practices in a certain area that than you you yourself right so make sure that you learn from each other with the with the team that's coming in to your ecosystem and don't make it seem like hey we know
it all and then we're just going to give you a bunch of tasks to do right so that's that's probably not the best approach the best approach that we found is to be able to say hey this is the security control this is how we plan to mitigate it are you able to adopt it and sometimes they came back and said we had a we have a much more robust control and we were able to say that's fine that works for us and again this is the key communicate early and communicate often with your business with the Target that you have Acquired and make sure that they both align and the plans are in sync so that
you're able to then do the integration correctly and finally I want to thank a lot of folks who built this program initially it's impossible for me to build this program by myself but I want to thank the leadership Nick who's here who built the program initially and then I built on that Foundation or leadership because a lot of time while you're doing m&a things will go wrong like this is um these are complex integration scenarios right like people get laid off deals fall through but having your lead the back of your leadership is critical for any m& security program hopefully you found this interesting and if you have any questions I'm ready to take them
[Applause] now
Oh, go for it. Hey buddy. Hey, yeah, okay, cool. I was wondering if you could go into a bit more detail around the amount of detail you provide for these runbooks. If you have a recon runbook, for example, is it as far as "run these tools in this order and then aggregate," or what does that tend to look like?

Absolutely. So, yes, specifically for the recon runbook we do have a couple of tools, but we tried to go into as much detail as possible for each activity. For example, for cloud configuration, depending on what cloud they have, we say run the industry-standard ScoutSuite and things like that and give us a picture, and then for credentials we have tools too. So we try to make this as consistent as possible, because we don't want to have inconsistencies from one deal to another. That's sort of it. Nick, do you have anything to add here?

No, I think that's spot on, actually. I remember writing the ScoutSuite playbook years ago, I think it was 2018 when I did this. It's so cool to see these slides, because that overview graphic, the left to right, I actually drew that maybe in 2018, and now we're in 2023. Strong foundations, right? Thank you, Vin. But the question I wanted to ask is more like an anecdote: can you share maybe an interesting technical example, without exposing too much detail of course, you know we're in company here, of findings that you found that were particularly novel or unusual that you had to work through, either as part of pre-deal diligence or as part of post close, as part of the deep dives? I think it'd be really beneficial for the audience to hear an interesting technical example.

Fair enough. One thing that comes to mind was the lab scenario. We acquired a company where they were basically a manufacturer of components for our Spectacles vision; all this is public information, it's called, I believe, WaveOptics. So we as a company don't have shared accounts, we just don't allow shared accounts, everyone has to have their own account. But we had a scenario here where basically they run a lab where they're testing this equipment, which runs for 24 hours, 36 hours sometimes. Our expiration policy is 8 hours. Guess what happens when someone finishes a shift after 8 hours and then walks away? You don't want that to expire, because those test cases they're running sometimes might take 24 hours.

All the tokens are being revoked.

Exactly. So now we needed to work around that.

Yeah, so you remember that. Yes.

Yeah, so basically we had to then take a step back and say, "These scenarios might work for a software company where everything is software, but might not work for a lab scenario where they're running these tests for 24, 36 hours." So we had to go and rethink this strategy. Being flexible and not just saying, "Well, this is a rigid security policy and we won't change it," that's one of the things that came to mind. Another thing that came to mind is we had a scenario where a company was using software called Cadence, and if you wanted to upgrade them that would be like $10 million. So we said, "Oh, you have to be on the latest and greatest software," but you don't realize that that software upgrade can take $10 million. So we had to go back and say we'll instead isolate this network and completely cordon it off, instead of trying to be like, "Everything has to be updated." So taking that step back and actually giving novel solutions to them, which might just be simple sometimes, is super useful.

Yeah, for the lab's case we had to allow longer sessions, but we put in place compensating controls to make sure those rooms were effectively locked and under strict access controls, which nominally maybe they wouldn't be as strict, to allow the spectrum analyzers, I think that's what they were, to basically complete their runs. If you guys are familiar with that, these things are highly methodical and they need to complete their analysis process before data can be generated for them to act on, which is completely different than how our company operated, so we needed to learn what to do with this.

Yeah, I think that's super helpful, because you as the M&A security team cannot do everything by yourself, and having key partners like this is critical. I saw one more person raise their hand if they had a question.

Yeah. Have you had any instance where some of the vulnerabilities that were found cannot be fixed within the target time of acquisition, and what happens then? Do you extend the date or make exceptions? Can you talk a little bit more about it?

Awesome, yeah. I'm smiling because that happens all the time. Anytime you do a due diligence you're going to uncover a bunch of issues, and then you have to prioritize them. There were times when we found critical and high issues and we had to sit down with the company and work with them and say, "You have to fix this before the deal." You do get the opportunity to build it into the deal. This is where you go to your legal team and say, "They have an issue, but they won't be able to fix it within your timeline, because this is an authentication issue that requires rewriting their entire authentication framework." So you go and build it into the deal: within 90 days of close, you actually work with our security team and you close it. So literally there are times when you want to tell them, "Don't try to fix this, because this is a complex fix; let's close the deal, and then once you come into our security team we'll have our AppSec team help you and build the mitigation control." So the answer is not to try to fix everything; even if it's critical or high, sometimes you want to make sure that it's done correctly. That was a good question, thanks for bringing that up.

Hi, so this is actually what I do: I do diligence as an external vendor.

Awesome.

But what we focus on is really sort of the SDLC and software architecture and code, and it seems like what you're doing is kind of bundling IT, SDLC, operational security, and I'm just wondering how you think about that, or if you treat those as separate silos, and how do you view the relative importance of those things, the different kinds of security silos, as part of a deal?

Excellent question. I'd love to chat with you offline as well, but yeah, depending on the type of deal we prioritize the activities differently. If we are doing a hardware deal we're not really worried much about their code sanity, because essentially we're going to most likely have that hardware, the firmware, integrate as part of our Spectacles firmware anyway, so that's not the goal of that assessment. Whereas if we are buying a company just for their SDK, or if we're buying a company for their SaaS service which is going to integrate immediately into our ecosystem, then we go and look closely at the code sanity. So really looking at what the deal is. There are deals where we looked at it and we knew out of the gate that we're going to completely shut down the service, it's an acqui-hire, so we took a different approach. There were deals where we were going to shut down their network, so that was not a priority, whereas we wanted to keep their code, so that was prioritized. But yes, absolutely, having that context early on, and that's why working with the business early on and asking, "Even though your plans might change, just tell us what you think you're going to do 30, 60, 90 days after the deal closes," just having that and then going and scoping your assessment is critical. But I'd love to chat more about how you look at that SDLC piece and things like that. So, awesome. Well, thank you so much, folks. Hopefully you had a good take, but I had fun. Thank you.