People work at dusk on various floors of a modern office development in London, England. A new study noted the risks that can come with subsidiaries. (Photo by Oli Scarff/Getty Images)

Corporate subsidiaries – whether recently acquired in an M&A deal or operating for years as a long-standing separate division – often act as a backdoor through which malicious actors can infiltrate a larger parent company, warns a new white paper released this week.

A study conducted by Osterman Research and commissioned by CyCognito questioned managers at 201 enterprises that feature over $1 billion in annual revenue, at least 10 subsidiaries, and employees specifically dedicated to subsidiary risk. Among the respondents, 54.7% said that at least one of their subsidiaries were implicated in a cyberattack chain launched against their companies, while another 11.9% admitted that they lacked the visibility into their systems and digital assets to know for sure.

According to the white-paper report – "Managing Risk from Subsidiaries: Goals, Friction, and Failure," – subsidiary risk management has become even more important due to companies’ digital transformation and remote workforce operations resulting from the COVID pandemic. Indeed, 69% of respondents said this was very impactful or most impactful. Major supply chain breaches, including the SolarWinds and Kaseya attacks, also emerged as a key factor.

In many cases, subsidiary risk and asset management efforts fall short and lack maturity. This is because the process of subsidiary risk assessments typically only offer a point-in-time snapshot, and the process of identifying trouble spots within these divisions takes too long and leaves too many blind spots, according to survey respondents. Remediation of risky assets also takes too long – 71% of respondents want it to occur in a day or less but two-thirds of survey-takers said average remediation time was a week or longer.

The more complex the organization, the higher the risk: Employees at companies with 17 or more subsidiaries were almost doubly as like to have one of these divisions involved in an adversaries attack chain than businesses with 16 or fewer divisions, the study noted.

For more detailed perspectives on subsidiary risk, SC Media spoke with Michael Sampson, a senior analyst at Osterman who spearheaded the research project, and two CyCognito executives – Senior Director of Product Marketing Sam Curcuruto and Director of Technical Product Marketing at CyCognito Jim Wachhaus.

What was the inspiration behind conducting this study?  

Michael Sampson (MS): One of the comments [the Cycognito team] made to me is that there's a lot of information out around the risk of mergers and acquisitions, but there was not a lot of data and insight in terms of managing subsidiary risk. And so… that was part of the driver: to create some insight… around how organizations deal with this. What are the risks and the approaches that they're taking? And… what needs to be done to improve this?

Jim Wachhaus (JW): We live in a time when finding new zero-days, new vulnerabilities, new ways to get in, is what attackers are all about, and there's an entire economy that's based upon finding those credentials, finding those vulnerabilities and using them to plant ransomware, to extract sensitive data... And oftentimes the path of least resistance isn't going to be going at the corporate website, the main site. It's going to be coming in the backdoor, coming in a little-known subsidiary.

Subsidiary risk is a primary use case for attack surface management or attack surface protection. Oftentimes when subsidiaries are acquired, there is brain drain, and that results in assets or projects being left essentially unmanaged, usually in the cloud. And many of these projects can represent some valuable IP, especially to attackers – whether it's remote access to get into systems via the subsidiary, or a DevOps project like a web page or web application that was largely developed in the cloud and is now deployed, and now you basically have the great-great-grandfather of that web application sitting 24/7 in the cloud that you can go investigate.

That subsidiary risk is represented by the lack of communication, perhaps, between the acquiring entity and these subsidiaries, and it's a problem… By policy you may be limiting the vendors that you work with, limiting your supply chain, but that policy that you have in corporate doesn't apply to your subsidiaries or didn't apply to your subsidiaries when you acquired. They had no idea. And so there's this transition period where the subsidiaries hopefully are ramping up to the corporate policy, but they've built their processes based upon tools that you don't cover right now. You have no expertise on them.

SC Media recently published a feature on how companies need to vet businesses that they’re targeting for acquisition. But what about subsidiaries that have already been in the fold for years? To what extent do they represent a risk, especially if they are managed separately from the parent company, and employ different systems and security policies?

Michael Sampson, senior analyst at Osterman Research.

MS: I think the risk that parent companies face over time is the drift of configuration, the drift in governance approaches, the drift as new tools are brought in place that they have no insight or oversight of.

I think the report addresses and focuses on this need to be able to get a sense of, right now, right here, what's going on across this expanded attack surface for us, what's changed since we looked at this last time. It becomes an issue with new vulnerabilities [found] in applications [such that] nature of the attack surface changes. [And so] the ability for the parent organization to reassess where they're at, across that expanded attack surface is vitally important.

Sam Curcuruto (SC): The way that I've looked at this research is: Subsidiary risk is a lot like playing the game of telephone. And the further removed that an acquisition – or divestiture for that matter – has gotten, the less institutional knowledge you have about it.

There’s vetting before an M&A, but what about after? How does the due diligence continue beyond that?

MS: Onboarding is a point in time at the time that we acquire someone – and I think this white paper highlights the idea that there is another process that is required that is the… ongoing assessment of risk at subsidiaries. Because things change, configurations change, new things come around. People change. And if parent companies are not going through that process, then the assessment of risk is going to become further and further out of date as the vulnerabilities, increase more and more as each day goes past.

SC: Once the [M&A] honeymoon phase is over, there's a lot of interesting things that happen, and I think that for most organizations, they don't look back in a year and say, “Did it really all take place the way that we wanted it to? And did we actually really absorb everything?” Same thing goes the other way around. You divest the company: “Did we really disconnect everything that was there from our infrastructure, so that we aren't liable anymore but also so that we're not monitoring things that aren't ours anymore?”

What would you identify as one of the top one or two challenges associated with assessing and identifying sources of risk within your subsidiary organizations?

MS: A top challenge that I would identify would be the lack of cybersecurity professionals across all of the subsidiaries. Cybersecurity is a pretty big issue – a big deal – and finding top-flight talent across the world is a challenge that all organizations are facing. And that lack of net talent at every single subsidiary is automatically going to put a parent companies in a dangerous position because there just aren't bodies on the ground to look at what should be looked at.

JW: We wish everyone did but “not my job” is probably the biggest risk… It’s like [when a group witnesses] a crime... It's like, who's responsible for that? You assume somebody is responsible for it, because obviously it's a corporate entity. But there might not be.

SC: On top of that, you also have to think about what normally happens with a merger and acquisition: There's often a lot of turnover from the acquired organization because, in start-up land, you watch an acquisition happen and then the company employees that were acquired… change jobs because they're either ready to start back, or maybe they weren't happy with the way that things transpired during the acquisition process, [or they were made redundant] –which means you lose all of that institutional knowledge and often it's in it's in one fell swoop.

And by doing that, again, this game of telephone gets harder and harder. Cause… if you lost someone who had been with the company for 20 years, and they knew where all the skeletons were buried. Well, when they left, then, then there's, there's no finding and unless you go and track them down and say hey, do you remember this thing might have happened. if you're willing to even talk to us again. Can you give us some details how that transpired?

Can you provide any examples you’ve personally experienced of companies that were unaware of risks posed by their own subsidiaries?

JW: I had a great example where we reported on subsidiaries that were located in Malaysia, and the parent company said, “We have nothing operating in Malaysia, we don't have a business there. And it turned out that it was the subsidiary that had been acquired by an M&A target from five years ago. They had acquired a subsidiary five years before that. So here you had RDP servers that were 10 years old, out of date. None of the people that managed them were still with the company. They were located in Malaysia and they were essentially open for business, still to this day. And imposed a risk to the main organization.

SC: It stood out because the customer denied that it was their asset, and we had to prove it to them…

JW: And it was three acquisitions deep… They actually had to go find a CFO in retirement, and say “Did we actually do this?” You're relying on the previous organizations to tell you exactly what you need to know or what you need to hear. And at the end of the day, chances are it's not the whole picture.

MS: I was hoping you would also tell the story about the Exchange Server vulnerabilities – that when Microsoft disclosed those earlier in the year, you were able to look out across the customers that you had and get in contact with them and say, “Did you know that there's this vulnerability in this organization on this [subsidiary’s] server?” I love that story.

JW: We did that for Microsoft Exchange, we did that for Accellion, we also did that for SolarWinds, and in many cases, it was an unexpected surprise for the organizations that we were talking to. Many of them had decommissioned ones that were maybe one hop away from the main corporate entity, but when you get two, three hops away – a subsidiary of a subsidiary – it becomes much more of a challenge. It's kind of like shadow IT except…

MS: It’s sanctioned.

Let's talk also about some of the highest ranked concerns regarding conducting risk management in your subsidiaries. For starters, assessments usually provide just a point-in-time snapshot. What are examples of this problem.

JW: [SolarWinds, Server Exchange and Accellion] are great examples of where an asset that had no vulnerabilities maybe at one point now has critical vulnerabilities that should be remediated, right away, or the entire asset should be taken offline.

Another issue: assessments and remediations take too long. For instance, 54% of survey respondents said it currently takes from one week to three months to measure the risk of all their subsidiaries, but 71% said they actually wanted the process done in a day or less. Thoughts on this?

SC: The problem is that, of course, there’s a massive gap between how long it takes with their existing processes because you have to go through tools, you have to talk to different people you have to do questionnaires. And then once you circle back, you've already wasted a week. So there's almost no possibility to get down into that ideal range. [Same thing for remediation:] Resolving issues within a day would be great, but at the end of the day the entire process still takes more than a week.

A third problem: IT visibility is limited, resulting in blind spots. What’s your analysis on this?

JW: Most attacks are coming from blind spots in the infrastructure. About 70% – give or take 10% – are coming from places where people just weren't aware of the problem. And that makes sense, because obviously if you were aware of the problem you would fix it.

Being able to provide visibility on the subsidiaries is part of eliminating those blind spots on an ongoing basis and it's absolutely critical to good cybersecurity. The big problem is that I think a lot of defenders are still working in kind of a manual mode with a lot of tools. They're doing regular vulnerability scans and prioritizing them and things like that, maybe they're doing regular sweeps to find the assets that they know about, but they aren't going a step further. It's kind of an audit approach versus a management or protection approach to the attack surface.

So how do subsidiary-heavy companies go about addresses these problems?

JW: Get a platform play that allows you to consolidate your tools and minimize your time spent on this assessment process and actually does it with technology... Finding these Internet-facing assets, doing the security testing on them and doing it continuously and then reporting on it – that can all be done by a machine.

MS: If you are dedicating cybersecurity people to the manual process of looking for threats, you're doing it wrong. Because there are tools available that enable you to supplement and complement the strengths of people.