
🚨 Salesloft Supply Chain Attack Hits 700+ Enterprises, 3 Acquisitions & Lessons from Orca Security's CEO on Modern Cloud Defense

Leading enterprises are moving away from fear-driven security toward AI-assisted, context-driven workflows that cut hundreds of millions of raw findings down to a handful of fixes while keeping engineering teams productive. This week's OAuth token compromise, which reached Cloudflare, Palo Alto Networks, and Zscaler, shows why that context is urgently needed.

Hello from the Cloud-verse!

This week's Cloud Security Newsletter topic: Your SecOps Team Can't Save Your Cloud: A New Blueprint for Security (continue reading)


In case this is your first Cloud Security Newsletter: you are in good company!
You are reading this issue alongside friends and colleagues from companies like Netflix, Citi, JP Morgan, LinkedIn, Reddit, GitHub, GitLab, Capital One, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc. and more, who subscribe to learn what's new in cloud security each week from their industry peers, many of whom also listen to the Cloud Security Podcast and AI Security Podcast.

Welcome to this week’s Cloud Security Newsletter

The cloud security landscape reached a critical inflection point this week as the Salesloft Drift supply chain attack exposed the fragility of third-party integrations across 700+ organizations. We also have Gil Geron, CEO of Orca Security, sharing insights on how leading enterprises are moving from reactive alert management to proactive, AI-enabled security workflows that eliminate noise while strengthening their security posture.

📰 TL;DR for Busy Readers

  • Major supply chain attack: Salesloft Drift OAuth compromise affected 700+ organizations including major security vendors

  • Industry consolidation: CrowdStrike's $290M Onum acquisition signals shift toward AI-native SIEM platforms

  • Strategic pivot: Leading CISOs are moving beyond alert fatigue to workflow-based security that enables engineering teams

  • Context is king: Modern cloud security reduces raw vulnerability findings from hundreds of millions to the few thousand that matter, grouped into a handful of images to rebuild, through reachability-aware prioritization

  • Trust but verify: Third-party SaaS integrations need real OAuth governance: inventory every connected app, scope its grants to the minimum, monitor its API usage, and be able to revoke it fast

📰 THIS WEEK'S SECURITY HEADLINES

💰 CrowdStrike Acquires Onum for $290M to Supercharge AI-Driven SIEM

CrowdStrike announced its intent to acquire Onum, a pioneer in real-time telemetry pipeline management, to evolve Falcon Next-Gen SIEM into the definitive data foundation for agentic security and IT operations. The acquisition eliminates data migration bottlenecks while delivering autonomous in-pipeline threat detection capabilities.

Why this matters: This strategic acquisition positions CrowdStrike to dominate next-generation SIEM markets by addressing a critical pain point: the overwhelming influx of telemetry data in modern security operations. CEO George Kurtz emphasizes how Onum's capabilities act as both a pipeline and a sieve, enabling faster AI-native analytics that can process up to 5x more events per second than traditional batch methods. Cloud security teams should prepare for accelerated adoption of AI-driven analytics platforms that fundamentally change how we process and act on security data.

🛡️ Massive Salesloft Drift Supply Chain Attack Compromises 700+ Organizations

Between August 8 and 18, 2025, threat actors used compromised OAuth tokens associated with the Salesloft Drift third-party application to systematically export large volumes of data from numerous corporate Salesforce instances. Major victims include Cloudflare, Palo Alto Networks, and Zscaler, with the attack affecting more than 700 Salesforce customer organizations.

Why this matters: This is one of the largest supply chain incidents since MOVEit, and it shows how a third-party AI chat integration's OAuth grant can become a vector for mass data theft. Google Threat Intelligence Group assessed that the primary intent was to harvest credentials stored inside the exported Salesforce records, including Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens. The incident exposes the risk of OAuth token abuse across cloud-integrated SaaS applications and the gaps in third-party security validation: a consented OAuth token needs no password or MFA prompt, so a stolen token is a working API credential until it is revoked. Salesforce and Salesloft revoked the Drift tokens; if Drift was connected to your tenant, treat the data it could reach as exposed: review API and event logs for unusually large query volumes from the integration, search the objects it could read (support cases especially) for embedded secrets, and rotate anything you find. Cloud security architects should apply zero-trust principles to every OAuth integration: inventory connected apps, scope grants to the minimum objects, monitor their API usage, and treat each one as a potential path for lateral movement into enterprise cloud environments.
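Two of the checks above, a bulk-export detector over an integration's API activity and a secret scan over what it exported, as an added example for this issue (not code from Salesloft, Salesforce or Google). The audit records, per-app baselines and exported case text are constructed, and the record layout (timestamp, connected app, operation, object, rows returned) is a simplified stand-in for whatever your platform's real event log emits; the secret patterns are illustrative, not a complete scanner.

```python
"""Spot a bulk export by a third-party OAuth integration and scan what it
exported for embedded secrets.

Added example for this newsletter issue; not code from Salesloft, Salesforce
or Google. The audit records, baselines and exported text are constructed,
and the record layout (timestamp, connected app, operation, object, rows)
is a simplified stand-in for your platform's real event log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: (time, OAuth connected app, operation, object, rows returned).
AUDIT_LOG = [
    ("2025-08-09T02:11:04Z", "drift-chat", "SOQL_QUERY", "Case", 220_000),
    ("2025-08-09T02:13:40Z", "drift-chat", "SOQL_QUERY", "Account", 180_000),
    ("2025-08-09T02:15:02Z", "drift-chat", "SOQL_QUERY", "Contact", 350_000),
    ("2025-08-09T02:20:11Z", "drift-chat", "DELETE_JOB", "BulkJob", 0),
    ("2025-08-09T09:00:00Z", "drift-chat", "SOQL_QUERY", "Lead", 40),
    ("2025-08-09T09:05:00Z", "sales-dashboard", "SOQL_QUERY", "Opportunity", 500),
]

# Constructed per-app baseline of rows normally returned per hour. Derive it
# from history in practice; an app with no baseline gets limit 0, so an
# integration nobody inventoried is always flagged.
BASELINE_ROWS_PER_HOUR = {"drift-chat": 2_000, "sales-dashboard": 5_000}

# Constructed text from an exported support case: the kind of place where
# cloud keys and warehouse tokens get pasted by customers and engineers.
EXPORTED_CASE_TEXT = """Customer says upload fails. Repro with:
export AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001
export AWS_SECRET_ACCESS_KEY=exampleSecretValue
Snowflake token = sf_example_token_value
"""

# Illustrative patterns only (assumption): extend with your own secret formats.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\bpass(?:word)?\s*[:=]\s*\S+"),
    "snowflake_token": re.compile(r"(?i)snowflake[^\n]{0,40}\btoken\b\s*[:=]\s*\S+"),
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_bulk_exports(log, baseline, window=timedelta(hours=1), factor=20):
    """Map app -> peak rows read inside any `window`, for apps whose reads
    exceed `factor` x their hourly baseline. Sliding window over sorted events."""
    by_app = defaultdict(list)
    for ts, app, op, _obj, rows in log:
        if op == "SOQL_QUERY":
            by_app[app].append((_ts(ts), rows))
    flagged = {}
    for app, events in by_app.items():
        events.sort()
        limit = factor * baseline.get(app, 0)
        start, total = 0, 0
        for t, rows in events:
            total += rows
            while t - events[start][0] > window:   # drop events older than the window
                total -= events[start][1]
                start += 1
            if total > limit:
                flagged[app] = max(flagged.get(app, 0), total)
    return flagged


def find_cleanup_events(log):
    """Job deletions by an integration deserve their own alert: an attacker
    deleting its own query jobs is trying to shrink the audit trail."""
    return [(ts, app) for ts, app, op, _obj, _rows in log if op == "DELETE_JOB"]


def scan_for_secrets(text):
    """Return (pattern_name, redacted_prefix) for every secret-shaped string."""
    hits = []
    for name, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(text):
            hits.append((name, m.group(0)[:8] + "..."))   # never log the full value
    return hits


if __name__ == "__main__":
    print("bulk exports:", find_bulk_exports(AUDIT_LOG, BASELINE_ROWS_PER_HOUR))
    print("cleanup events:", find_cleanup_events(AUDIT_LOG))
    print("secrets in export:", scan_for_secrets(EXPORTED_CASE_TEXT))
```

Run against the constructed log, only `drift-chat` is flagged (750,000 rows inside one hour against a 40,000-row limit), the job deletion surfaces separately, and the exported case text yields an AWS access key id and a Snowflake token to rotate. The baseline-per-app design is the point: it is the connected app, not the user, that is the unit of trust for an OAuth integration, so that is what you baseline and alert on.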

💰 Cato Networks Buys Aim Security to Fuse AI Security into SASE

Cato announced its first acquisition, purchasing AI security startup Aim Security for an undisclosed amount (reports peg the price in the mid-hundreds of millions) while topping up its Series G funding by $50M. Management framed the acquisition as securing enterprise AI use across their SASE fabric.

Why this matters: If you're consolidating network and security edges, native AI-use controls (model/API governance, token exfiltration detection, LLM tool abuse) inside the same SASE plane reduce blind spots between data egress controls and app access policies. Organizations should start mapping where generative AI shows up in their egress/DLP, CASB/SaaS, and private app access policies, and expect peers to ask their SASE vendors for comparable AI guardrails.

💰 Varonis Acquires SlashNext for up to $150M to Extend into Email/BEC Defense

Varonis is buying AI-native email security firm SlashNext with reported consideration up to $150M (cash plus earn-outs). The goal is to bring phishing/BEC and collaboration-app detections into Varonis' data security platform and MDDR capabilities.

Why this matters: Expect tighter coupling between identity, data, and communications telemetry (O365/Google Workspace, Slack/Teams) and data-centric controls (DSPM/CIEM). If you're standardizing on Varonis or a rival platform, plan for control overlap (SEG/ICES, CASB, DSPM) and get roadmaps on SOAR/XDR integrations and tenant-to-tenant detections.

🛡️ Critical Infrastructure Disruption: Swedish Municipal Services Hit by Ransomware

A ransomware attack against Miljödata, which provides HR/occupational health systems to approximately 80% of Swedish municipalities, disrupted services at roughly 200 municipal organizations and regions. Privacy regulators and CERT-SE are actively engaged in the response.

Why this matters: This represents a classic SaaS/IT-outsourcer single-point-of-failure scenario. Organizations should treat third-party municipal/health SaaS as part of their resilience tier, requiring tenant-segmentation attestations, off-platform backups, and break-glass workflows for HR/health processes while simulating loss of outsourced SaaS in business continuity exercises.

🎯 Cloud Security Topic of the Week:

The End of Alert Fatigue: How Context-Driven Security Transforms Enterprise Cloud Defense

The traditional approach to cloud security, flooding teams with alerts and hoping they'll sort through the noise, is fundamentally broken. Leading enterprises are discovering that the path forward isn't more sophisticated alerting, but rather intelligent context that eliminates irrelevant findings while empowering engineering teams to build secure systems by default.

Definitions and Core Concepts 📚

Before diving into our insights, let's clarify some key terms:

  • Context-Driven Security: An approach that leverages environmental awareness, data flow analysis, and business impact assessment to prioritize security findings based on actual risk rather than theoretical vulnerabilities.

  • AI-Native SOC: Security operations centers that use artificial intelligence not just for detection, but for providing context, automating responses, and enabling junior security professionals to operate at expert levels.

  • OAuth Token Abuse: A technique where attackers compromise the access or refresh tokens a third-party application holds for a cloud service. Because the token represents an already-consented grant, it bypasses the user's password and MFA, giving the attacker API access and lateral movement without traditional credential theft.

  • Workflow-Based Security: An approach that treats security as an integrated part of the entire application lifecycle rather than a separate function, emphasizing prevention and enabling engineering productivity.

This week's issue is sponsored by Vanta.

Vanta’s Trust Maturity Report benchmarks security programs across 11,000+ companies using anonymized platform data. Grounded in the NIST Cybersecurity Framework, it maps organizations into four maturity tiers: Partial, Risk-Informed, Repeatable, and Adaptive.

The report highlights key trends:

  • Only 43% of Partial-tier orgs conduct risk assessments (vs. 100% at higher tiers)

  • 92% of Repeatable orgs monitor threats continuously

  • 71% of Adaptive orgs leverage AI in their security stack

     


💡Our Insights from this Practitioner 🔍

From Fear to Hope: Redefining the Cloud Security Conversation

Gil Geron offers a perspective that challenges the industry's fundamental approach to selling and implementing security solutions. "Find the ones that give you hope and stay away from the ones who are trying to sell you by fear," he advises. This philosophy reflects a broader transformation in how mature enterprises approach cloud security.

The traditional model of highlighting increasingly exotic threats and potential nightmare scenarios has created a cycle of alert fatigue and reactive responses. Instead, leading organizations are focusing on practical improvements that enable their engineering teams while strengthening their security posture. This shift represents more than a change in vendor selection; it's a strategic pivot toward solutions that enhance organizational capability rather than simply identifying problems.

The Context Revolution: From Millions of Alerts to Actionable Intelligence

Perhaps the most striking example from Geron's experience illustrates the power of context-driven security: "We've released a new technology around vulnerability reachability that does it in an agentless manner. One of the companies we've enabled it for reduced the vulnerabilities from 230 million vulnerabilities to 1,500 they actually need to fix, and then they grouped it by image and they had to fix six images."

This transformation, from 230 million raw findings to 1,500 that actually needed fixing, grouped into six images to rebuild, represents the fundamental shift happening in mature cloud security programs. Traditional vulnerability scanners identify every possible issue without considering whether those vulnerabilities are actually exploitable in the specific environment. Context-driven approaches consider factors like:

  • Reachability analysis: Is the vulnerability actually accessible given the current network configuration?

  • Data exposure assessment: Does the vulnerable component have access to sensitive information?

  • Business criticality: What would be the actual impact if this vulnerability were exploited?

  • Exploitation likelihood: Are there known attack vectors for this specific configuration?
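The funnel those four factors produce, as an added example for this issue (not Orca's code or scoring): reachability is a hard gate, exposure, data access and known exploitation weight what survives, and the result is grouped by image so the work list reads "rebuild these images". The field names, weights, threshold and sample findings are constructed assumptions; the vulnerability identifiers are placeholders, not real CVEs.

```python
"""Context-driven triage: drop findings that are not reachable, rank the rest
by exposure, data access and exploit likelihood, then group by image so the
fix list is "rebuild these images", not "patch these CVEs".

Added example for this issue; not Orca's code or scoring. Field names,
weights, the threshold and the sample findings are constructed assumptions;
the "vuln-N" identifiers are placeholders, not real CVE ids."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    image: str              # container image the vulnerable package ships in
    package: str
    loaded: bool            # package actually loaded at runtime (reachability)
    internet_exposed: bool  # workload reachable from the internet
    sensitive_data: bool    # workload can read PII, secrets or regulated data
    known_exploited: bool   # exploitation observed in the wild
    cvss: float


def risk_score(f: Finding) -> float:
    """0.0 means not actionable. A package that never loads cannot be
    exploited whatever its CVSS, so reachability is a gate, not a weight."""
    if not f.loaded:
        return 0.0
    score = f.cvss
    if f.internet_exposed:
        score *= 2.0
    if f.sensitive_data:
        score *= 1.5
    if f.known_exploited:
        score += 10.0
    return score


def triage(findings, threshold=10.0):
    """Return (actionable findings sorted by score, {image: [vuln_id, ...]})."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    actionable = [f for f in ranked if risk_score(f) >= threshold]
    by_image = defaultdict(list)
    for f in actionable:
        by_image[f.image].append(f.vuln_id)
    return actionable, dict(by_image)


def funnel(findings, threshold=10.0):
    """Stage counts: raw -> reachable -> actionable -> images to rebuild."""
    actionable, by_image = triage(findings, threshold)
    return {
        "raw": len(findings),
        "reachable": sum(1 for f in findings if f.loaded),
        "actionable": len(actionable),
        "images": len(by_image),
    }


# Constructed sample: 8 raw findings across 3 images.
SAMPLE_FINDINGS = [
    Finding("vuln-1", "api:1.4", "openssl", True, True, True, True, 9.8),
    Finding("vuln-2", "api:1.4", "libxml2", True, True, True, False, 7.5),
    Finding("vuln-3", "api:1.4", "gcc-libs", False, True, True, True, 9.8),   # shipped, never loaded
    Finding("vuln-4", "batch:2.0", "log4j", True, False, True, True, 10.0),
    Finding("vuln-5", "batch:2.0", "curl", False, False, True, False, 8.1),
    Finding("vuln-6", "worker:0.9", "zlib", True, False, False, False, 5.3),
    Finding("vuln-7", "worker:0.9", "python3", True, False, False, False, 9.1),  # high CVSS, no context
    Finding("vuln-8", "worker:0.9", "perl", False, False, False, False, 7.8),
]

if __name__ == "__main__":
    _, images = triage(SAMPLE_FINDINGS)
    print(funnel(SAMPLE_FINDINGS))  # {'raw': 8, 'reachable': 5, 'actionable': 3, 'images': 2}
    for image, ids in images.items():
        print(image, "->", ids)
```

On the sample, eight findings become five reachable ones, three that clear the threshold, and two images to rebuild; note that `vuln-7`, a 9.1 on an internal worker with no data access, drops out while `vuln-4`, internal but exploited in the wild with data access, stays in. Replace the booleans with real signals (runtime package loading, exposure from your network graph, data classification, a KEV feed) and the structure is the same.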

AI as Security Force Multiplier, Not Replacement

Geron's perspective on AI in security operations challenges both the hype and the fear surrounding artificial intelligence in cybersecurity. "The vast majority of CISOs that I talked to understand that actually AI could be their salvation in the sense of the challenges they've been facing so many years," he explains.

The practical application he describes resonates with senior practitioners: "I just had a call yesterday with a CISO of a very large company. We've enabled a new feature for them and they said, I love it because you can ask questions and no one's there to judge you. You don't need to ask it in a call of enablement... they can gain confidence and they can gain knowledge with this assistant without the need for it to take years or even time for them to gain confidence."

This approach positions AI as an enabler of human capability rather than a replacement for human judgment. For organizations struggling with the cybersecurity skills shortage, AI-powered tools can accelerate the development of junior team members while providing senior professionals with better context for decision-making.

The SecOps Integration Challenge: Beyond Throwing Alerts Over the Wall

The conversation around integrating cloud security with Security Operations Centers reveals a nuanced understanding of organizational dynamics. "It's also ridiculous to think that only SecOps can secure your cloud because SecOps are operations. SecOps are reactive," Geron points out.

This observation highlights a critical architectural decision that many enterprises face. While SecOps teams excel at incident response and threat hunting, they often lack the cloud-specific context needed to make intelligent decisions about infrastructure security. The most effective approaches combine:

  • Preventive measures implemented during development and deployment

  • Context-aware alerting that reduces noise for SecOps teams

  • Collaborative workflows that leverage both security and engineering expertise

The key insight is that effective cloud security requires shifting as much prevention as possible to the left while ensuring that runtime security operations focus on genuinely critical issues that require immediate attention.

Modern Remediation: From Automatic Fixes to Intelligent Orchestration

Traditional automated remediation often creates more problems than it solves, as Geron illustrates: "I had a customer discussion last week. One of their runtime solutions caused two weeks of downtime for a new service because it blocked access to a bucket. That bucket had essential data and images that they needed for the service to operate."

Modern remediation approaches focus on intelligent orchestration rather than automatic fixes. This includes:

  • Dynamic decision-making: Adapting remediation strategies based on environmental context

  • Impact assessment: Understanding business consequences before taking action

  • Governance integration: Ensuring appropriate stakeholders are involved in remediation decisions

  • Root cause addressing: Fixing issues at their source rather than just symptoms

The most sophisticated implementations can recommend different strategies based on context: "Maybe the right move is to change the WAF and open a Jira ticket to update this issue. And once this issue is resolved, once it's updated, let's remove the WAF."
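The decision described in the quote and the bucket outage above, as an added example for this issue (not Orca's product logic): pick the action from the finding's context instead of auto-fixing, and tie each compensating control to the ticket for the root-cause fix so the control is retired when the ticket closes. The finding fields, action names, "SEC-" ticket keys and the in-memory stores are constructed assumptions.

```python
"""Remediation orchestration: choose an action from context rather than
auto-fixing, and retire compensating controls once the root cause is fixed.

Added example for this issue; not Orca's product logic. Finding fields,
action names, ticket keys ("SEC-...") and the in-memory stores are
constructed assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    id: str
    resource: str
    kind: str               # "public_bucket" | "vuln_web_component"
    environment: str        # "prod" | "staging"
    dependents: int         # workloads that read from / depend on the resource
    exploitable_now: bool   # reachable with a known exploit or public exposure


@dataclass(frozen=True)
class Plan:
    action: str                     # "auto_fix" | "virtual_patch" | "ticket_only"
    ticket: Optional[str] = None    # root-cause fix is tracked here
    control: Optional[str] = None   # compensating control to remove later
    rationale: str = ""


def plan_remediation(f: Finding) -> Plan:
    ticket = f"SEC-{f.id}"   # hypothetical ticket key
    # Blocking a resource other services depend on is exactly the two-week
    # outage scenario: never auto-block, route to the owners with the impact.
    if f.dependents > 0:
        return Plan("ticket_only", ticket=ticket,
                    rationale=f"{f.dependents} dependents; blocking would cause an outage")
    # An exploitable web component gets a WAF rule now and a code fix later;
    # the rule is tied to the ticket so reconcile() removes it once the fix lands.
    if f.kind == "vuln_web_component" and f.exploitable_now:
        return Plan("virtual_patch", ticket=ticket, control=f"waf-rule:{f.id}",
                    rationale="exploitable now; virtual patch until the component is updated")
    # Nothing depends on it and no virtual patch applies: change it directly.
    return Plan("auto_fix", rationale="no dependents, no runtime impact")


def reconcile(plans: dict, closed_tickets: set) -> list:
    """Compensating controls whose root-cause ticket is closed: remove these now,
    so the WAF does not accumulate rules nobody remembers the reason for."""
    return [p.control for p in plans.values() if p.control and p.ticket in closed_tickets]


# Constructed findings: the outage-style bucket, an exploitable web app, a scratch bucket.
SAMPLE_FINDINGS = [
    Finding("1", "assets-prod", "public_bucket", "prod", dependents=3, exploitable_now=True),
    Finding("2", "web-1", "vuln_web_component", "prod", dependents=0, exploitable_now=True),
    Finding("3", "scratch-bucket", "public_bucket", "staging", dependents=0, exploitable_now=False),
]


def plan_all(findings):
    return {f.id: plan_remediation(f) for f in findings}


if __name__ == "__main__":
    plans = plan_all(SAMPLE_FINDINGS)
    for fid, p in plans.items():
        print(fid, p.action, p.control or "-", p.rationale)
    print("controls to remove after SEC-2 closes:", reconcile(plans, {"SEC-2"}))
```

On the sample, the production bucket with three dependents gets a ticket and no automatic block, the web component gets a WAF rule plus a ticket, and the staging scratch bucket is fixed directly; once `SEC-2` closes, `reconcile` hands back `waf-rule:2` for removal. The dependents count is the piece most teams lack; it comes from the same asset graph that drives reachability, which is why the two capabilities belong in one platform.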

Identity as the New Network: Zero Trust in Practice

The evolution of identity and access management in cloud environments represents one of the most significant architectural shifts in modern security. "Identity is basically the new networking," Geron explains. "When you think about challenges you used to have around access, around permissions, around segmentation, all of that today needs and should be solved by identity."

This transformation becomes even more complex with the introduction of AI and agentic systems: "You suddenly have a lot more applications or processes... that communicate, that have interface, that have access to data, that can produce actions. And then it becomes on steroids because you need a much more reduction of risk and permission and access to every basically portion of the process."

The practical implications for enterprise architecture include implementing just-in-time access controls and moving beyond theoretical least privilege toward pragmatic permission management that enables business operations while maintaining security.
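A concrete shape for the just-in-time part, as an added example for this issue (not Orca's product logic and not AWS tooling): flag the standing wildcard grants that are the "network" JIT is meant to replace, and mint a grant that is scoped to one resource and expires on a clock. `aws:CurrentTime` with `DateLessThan` and `aws:MultiFactorAuthPresent` are real IAM condition keys; the sample policies, the detection heuristic, the `issue_jit_policy` helper and the resource names are this example's own assumptions.

```python
"""Identity as the new network: find standing privileged grants and replace
them with a just-in-time, time-boxed grant scoped to one resource.

Added example for this issue; not Orca's product logic or AWS tooling.
The policies are constructed, the heuristic and helper are this example's own;
aws:CurrentTime / DateLessThan and aws:MultiFactorAuthPresent are real IAM
condition keys, everything else (names, TTL, ARNs) is an assumption."""
from datetime import datetime, timedelta, timezone

# Constructed: the long-lived admin policy that JIT access should replace.
STANDING_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _time_bound(stmt):
    return "aws:CurrentTime" in stmt.get("Condition", {}).get("DateLessThan", {})


def standing_privileges(policy):
    """Allow statements granting wildcard actions on every resource with no
    expiry: permanent access that should become a JIT grant instead."""
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or _time_bound(stmt):
            continue
        actions = _as_list(stmt.get("Action", []))
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        broad_resource = "*" in _as_list(stmt.get("Resource", []))
        if broad_action and broad_resource:
            out.append(stmt)
    return out


def issue_jit_policy(actions, resource, now, ttl=timedelta(minutes=30), require_mfa=True):
    """Allow exactly `actions` on `resource` until now + ttl. With
    require_mfa=False the same shape fits an agent or service identity:
    one process, one resource, short lifetime."""
    condition = {"DateLessThan": {"aws:CurrentTime": (now + ttl).strftime(_FMT)}}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions),
                       "Resource": resource, "Condition": condition}],
    }


def is_expired(policy, now):
    """True when every time-bound statement in the policy has passed its expiry."""
    stamps = [s["Condition"]["DateLessThan"]["aws:CurrentTime"]
              for s in policy["Statement"] if _time_bound(s)]
    return bool(stamps) and all(
        now >= datetime.strptime(t, _FMT).replace(tzinfo=timezone.utc) for t in stamps)


if __name__ == "__main__":
    now = datetime(2025, 9, 1, 10, 0, tzinfo=timezone.utc)
    print("standing grants:", standing_privileges(STANDING_ADMIN))
    jit = issue_jit_policy(["s3:GetObject"], "arn:aws:s3:::assets-prod/*", now)
    print("jit policy:", jit)
    print("expired in 1h?", is_expired(jit, now + timedelta(hours=1)))
```

The policy document is the permission side only; in practice a broker hands out short-lived STS session credentials carrying a grant like this, and `standing_privileges` is what you run over the existing inventory to find the accounts (human or agent) that still hold the old network-style access.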

Question for you (reply to this email)

Given Gil Geron's insights on context-driven security, how might you measure the effectiveness of context-driven approaches in your environment?

Next week, we'll explore another critical aspect of cloud security. Stay tuned!

📬 Want weekly expert takes on AI & Cloud Security? [Subscribe here]

We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe, and welcome to the new members of this newsletter community💙

Peace!

Was this forwarded to you? You can Sign up here, to join our growing readership.

Want to sponsor the next newsletter edition? Let's make it happen

Have you joined our FREE Monthly Cloud Security Bootcamp yet?

Check out our sister podcast, AI Security Podcast