With mergers and acquisitions comes a new set of tools to integrate. In this RSA 2018 conference preview, customers discuss how they approach M&A in their overall security strategy.
Live Nation Entertainment strives to sell an experience for its customers. The events promoter wants fans to leave a live concert with memories worth capturing.
“Everyone remembers their first concert without their parents,” said Pat Wicks, senior director for information security at Live Nation Entertainment.
But the fleet-footed company, based in Beverly Hills, Calif., operates in a global environment where mergers and acquisitions (M&As) are common. When new organizations join the company fold, they bring new people, processes—and security tools.
That can compromise Live Nation’s security portfolio. Malicious actors can easily exploit a state of flux.
“Complexity makes an excellent place for bad guys to hide,” wrote the editors of Identity Week. “That includes external cyber criminals looking to take advantage of a chaotic time.”
Live Nation has roughly 30% market share in the industry and it has grown to reach 86 million fans, in part through acquisition.
Pat Wicks, senior director, information security, Live Nation Entertainment
“We grow by acquisition year over year,” Wicks said. “And every time we acquire a new company, we have to ensure that a new company adheres to our security standards, which is challenging.”
Companies don’t always investigate a company’s security posture prior to M&A, nor do they consider it part of a concerted security strategy. According to Freshfields Bruckhaus Deringer, a law firm, 78% of respondents to a 2015 survey said that “cyber security is not analyzed in great depth or specifically quantified as part of the M&A due diligence process.”
Live Nation does follow a concerted security strategy for absorbing company acquisitions into its security portfolio. One of the company’s first moves toward standardization, said Wicks, is deploying Cisco Umbrella. Umbrella proactively blocks requests before a connection is established. That means that companies can block internal users from traveling to malicious sites at the outset.
“[Implementing] Umbrella is one of the first things we do,” Wicks said. “It provides an instant level of protection for outgoing traffic: [when users go] to malicious websites, [they are] stopped in their tracks.”
“There’s often going to be a [technology] portfolio shuffle,” said John Burke of Nemertes Research, a consulting firm that focuses on emerging infrastructure technologies. “And you want to have a security architecture that makes it straightforward to incorporate new vendors.”
A security lead for a healthcare company based in the Pacific Northwest that runs a series of multispecialty clinics, said that, at first, he was surprised by the level of protection that Umbrella provides. Like all healthcare entities, the company is concerned about protecting patient data. One piece of that puzzle is preventing employees from going to sites containing malware that could compromise the network—and patient data.
“Early on, [Umbrella] seemed like a nice-to-have,” said the security lead for the healthcare company, who requested anonymity. “But as soon as we turned it on, the other security products that we have just suddenly are blocking a lot less stuff,” said the head of security for the multispecialty clinics. “It blocks things before [a potential event] gets that far. It really is a critical part of an overall security strategy.”
He was also pleasantly surprised by how easy Umbrella was to implement given the company’s array of security tools. “It’s on a whole different layer than any of the other security products [in your environment],” he said.
As a result, companies can implement Umbrella “without making changes to any of the other security widgets in your environment. It’s an ease of implementation in exchange for a real benefit.” Umbrella has become a stress-free addition to the company’s cybersecurity strategy.
For companies like Live Nation, staying ahead of the fraudsters is now just part of the daily landscape. Live Nation sells tickets to live concerts and promotes events. But the bots can swoop in and buy up tickets, then resell them for profit. Selling tickets for fair market value becomes a problem.
“Ticket bots try to purchase tickets as soon as they are available to the public,” Wicks said. “It’s a problem for fans, since scalpers tend to sell purchased tickets for many times their face value.”
But Live Nation has created custom, automated software to block bots. And with automation, it has had an estimated 90% success rate in blocking bots and brokers from purchasing tickets for speculative price hikes, said Live Nation CEO Michael Rapino in a 2017 article.
Tools like Live Nation’s are critical to addressing malware, bots and other cybersecurity threats. It makes companies more productive in their fight against the bad guys “by orders of magnitude,” said Burke of Nemertes. According to Cisco’s recent cybersecurity report, 39% of organizations use some automation for cybersecurity.
“There is a huge benefit to be had from focusing on automation,” Burke said. “Those companies do enormously better in identifying and responding to the problem.”
Similarly, the healthcare organization uses artificial intelligence software to identify whether employees are using their access to patient data for the wrong reasons; if an employee is looking up the patient records of his next-door-neighbor, for example, the AI tool can identify that.
While this healthcare organization employs a best-of-breed strategy to ward off attackers, it can create a fragmented security portfolio. “It’s an unfortunate reality,” he said. “The patchwork is a problem for everybody. Security is always lagging behind what the bad guys are doing.”
Live Nation’s Wicks said that chasing attackers is a reality he’s come to accept.
“Protection and prevention is an ongoing fight,” Wicks said. “We readily accept it as a challenge and provide the best protection for our fans—as well as employees and partners.”
Lauren Horwitz is the managing editor of Cisco.com, where she covers the IT infrastructure market and develops content strategy. Previously, Horwitz was a senior executive editor in the Business Applications and Architecture group at TechTarget;, a senior editor at Cutter Consortium, an IT research firm; and an editor at the American Prospect, a political journal. She has received awards from American Society of Business Publication Editors (ASBPE), a min Best of the Web award and the Kimmerling Prize for best graduate paper for her editing work on the journal article "The Fluid Jurisprudence of Israel's Emergency Powers.”