🚨SentinelOne's $300M AI Security Bet: How Modern SOCs Are Pivoting from SIEMs to Data Lakes
Major AI security acquisition signals market shift, while security leaders at companies like Perplexity reveal why traditional SIEMs can't handle modern threat detection. Plus critical Windows vulnerabilities from DEF CON 2025 and expanding cloud compliance frameworks.
Hello from the Cloud-verse!
This week’s Cloud Security Newsletter topic: Why Modern SOCs Are Abandoning SIEMs for Data Lake Architectures (continue reading).
In case this is your first Cloud Security Newsletter: you are in good company!
You are reading this issue alongside friends and colleagues from companies like Netflix, Citi, JP Morgan, LinkedIn, Reddit, GitHub, GitLab, Capital One, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc and more, who subscribe to learn what’s new in Cloud Security each week from their industry peers, as do the many who listen to Cloud Security Podcast & AI Security Podcast every week.
Welcome to this week’s Cloud Security Newsletter - where we break down the biggest moves in AI security, the latest high-impact vulnerabilities, and the real-world strategies security leaders are using right now.
This week:
$300M AI Security Acquisition redefining how enterprises secure generative AI
DEF CON 2025 zero-click Windows exploits that can weaponize your own infrastructure
Why SOCs are ditching SIEMs for scalable, data-driven detection
If you’re building or running security operations in 2025, this issue is packed with lessons you can apply immediately.
🎙 Featured Conversation: How Modern SOCs Are Pivoting from SIEMs to Data Lakes
Kyle Polley (Perplexity) shares how to build scalable, AI-powered SOCs without burning out your team.
Listen & Read the Full Interview →
📰 TL;DR for Busy Readers
SentinelOne Acquires Prompt Security: SentinelOne has acquired Prompt Security for $250-300M, a move that signals a major market shift from "AI for security" to "security for AI". The deal aims to provide real-time visibility and enforcement for generative and agentic AI in enterprise environments.
Black Hat & DEF CON 2025: Researchers disclosed a critical vulnerability in on-premise Microsoft Exchange that can be used to compromise connected Microsoft 365 cloud environments, highlighting the persistent risks of hybrid infrastructure. A new tool, ATEAM, was also released to enumerate over 500,000 Azure resources, exposing data for reconnaissance.
Microsoft expands compliance frameworks across multi-cloud environments, adding DORA and EU AI Act support
Kyle Polley (Perplexity) on how security operations are evolving beyond traditional SIEMs toward data lake architectures that can handle modern threat volumes
📰 THIS WEEK'S SECURITY HEADLINES
💥 SentinelOne Acquires Prompt Security for $250-300M
What Happened: SentinelOne signed a definitive agreement to acquire Prompt Security, a pioneer in securing AI at runtime, for an estimated $250-300 million in cash and stock. The deal extends SentinelOne's AI-native Singularity platform to secure generative and agentic AI in enterprise environments.
Why It Matters: This acquisition represents a critical shift from "AI for security" to "security for AI." Prompt Security's platform provides real-time visibility into how AI tools are accessed, what data is being shared, and automated enforcement to prevent prompt injection, sensitive data leakage, and misuse. As enterprises rapidly adopt AI tools like ChatGPT, Claude, and Gemini, this acquisition addresses the growing shadow AI problem and gives CISOs control over AI adoption at scale.
Strategic Impact: The deal positions SentinelOne as the first major cybersecurity vendor to comprehensively address AI security risks in production environments, creating a new market category worth monitoring for competitive responses.
Sources: Read Full Story
🚨DEF CON 2025: Win-DDoS Vulnerabilities Weaponize Enterprise Infrastructure
What Happened: At DEF CON 33, SafeBreach researchers unveiled "Win-DDoS," a novel attack technique that can transform thousands of publicly accessible Windows domain controllers worldwide into a powerful DDoS botnet without requiring code execution or credentials. The technique exploits four newly discovered zero-click vulnerabilities in Windows LDAP, LSASS, Netlogon, and Print Spooler components.
Why It Matters: This research demonstrates that enterprise Windows infrastructure can be weaponized for DDoS attacks without traditional botnet deployment. Domain controllers are critical authentication infrastructure - successful DoS attacks can paralyze entire organizations by preventing user login, Group Policy deployment, and Active Directory services. The ability to transform legitimate enterprise infrastructure into attack platforms represents a paradigm shift in DDoS methodology.
Enterprise Impact: Organizations must reassess assumptions about internal system security and implement egress monitoring alongside traditional perimeter DDoS protection. Microsoft has patched these vulnerabilities (CVE-2025-26673, CVE-2025-32724, CVE-2025-49716, CVE-2025-49722), making immediate patching critical.
Sources: Read Full Story 1, Read Full Story 2
🔴 Microsoft Defender for Cloud Expands Multi-Cloud Compliance
What Happened: Microsoft Defender for Cloud's Regulatory Compliance expanded support to include four new frameworks across Azure, AWS, and GCP environments: Digital Operational Resilience Act (DORA), European Union Artificial Intelligence Act (EU AI Act), Korean Information Security Management System for Public Cloud (k-ISMS-P), and Center for Internet Security (CIS) Microsoft Azure Foundations Benchmark v3.0.
Why It Matters: The addition of DORA and EU AI Act compliance frameworks signals Microsoft's proactive approach to emerging regulatory requirements. The simplified SQL Server protection reduces deployment complexity while the GCP Vertex AI support acknowledges the multi-cloud AI reality facing enterprises.
Strategic Considerations: Organizations using multi-cloud AI deployments can now centralize compliance management through Microsoft's platform, potentially influencing cloud strategy decisions and reducing audit overhead.
Sources: See Technical Detail
Curly COMrades: New Russian-Aligned APT Targets Eastern Europe
What Happened: Bitdefender researchers discovered a previously undocumented threat actor dubbed "Curly COMrades" targeting entities in Georgia and Moldova as part of a cyber espionage campaign. The group employs a custom backdoor called MucorAgent that hijacks Windows .NET Framework components for persistence.
Why It Matters: This campaign demonstrates sophisticated persistence techniques using legitimate Windows components for evasion. The targeting of judicial bodies and energy infrastructure in geopolitically sensitive regions aligns with Russian strategic interests. The group's use of compromised legitimate websites as traffic relays complicates attribution and detection efforts.
Detection Considerations: Organizations should monitor for unusual NGEN service activity, unauthorized NTDS database access attempts, and suspicious PowerShell-based Active Directory enumeration.
Sources: See Research 1, See Research 2
🎯 Topic of the Week:
Why Modern SOCs Are Abandoning SIEMs for Data Lake Architectures
The traditional Security Information and Event Management (SIEM) model is breaking under the weight of modern cloud environments. As Kyle Polley from Perplexity explains in our featured conversation, the fundamental assumptions that guided SIEM design no longer match enterprise reality.
Featured Experts This Week 🎤
Kyle Polley - Member of Technical Staff, Security, Perplexity
Ashish Rajan - CISO | Host, Cloud Security Podcast
Definitions and Core Concepts 📚
Before diving into our insights, let's clarify some key terms:
Data Lake for Security: A scalable storage architecture that can ingest, store, and analyze security data from multiple sources without requiring pre-defined schemas, unlike traditional SIEMs that struggle with diverse cloud-native log formats.
MCP (Model Context Protocol): A standardized way for AI agents to interact with external tools and services, enabling security automation without rigid SOAR workflows.
Shadow AI: The unauthorized or unmonitored use of AI tools within organizations, creating security and compliance risks similar to shadow IT.
This week's issue is sponsored by Vanta.
Vanta’s Trust Maturity Report benchmarks security programs across 11,000+ companies using anonymized platform data. Grounded in the NIST Cybersecurity Framework, it maps organizations into four maturity tiers: Partial, Risk-Informed, Repeatable, and Adaptive.
The report highlights key trends:
Only 43% of Partial-tier orgs conduct risk assessments (vs. 100% at higher tiers)
92% of Repeatable orgs monitor threats continuously
71% of Adaptive orgs leverage AI in their security stack
💡Our Insights from this Practitioner 🔍
The Death of Traditional SIEMs in Cloud-Native Environments
Kyle Polley makes a compelling case for why traditional SIEMs are fundamentally incompatible with modern cloud security operations. "I never liked the term SIEM," Polley explains. "It just feels so old school to me because I think at the time you had your internal infrastructure, a bunch of Linux boxes, DNS, network traffic, server logs, and authentication - like three different log sources. A SIEM was designed for those three log sources in mind."
The reality facing modern security teams is vastly different. "Now everything's in the cloud, you have a hundred different SaaS providers, and it's getting a lot crazier," Polley notes. This explosion of data sources has created a fundamental mismatch between traditional SIEM architectures and enterprise needs.
The Data Lake Imperative
Instead of forcing cloud-native environments into legacy SIEM constraints, Polley advocates for what he calls "data lake infrastructure built for detection and response." This approach acknowledges that modern security operations are fundamentally data science problems requiring scalable, flexible infrastructure.
"Security engineers are not data experts, and so why are they dealing with this burden alongside the data team hired to do data stuff?" Polley asks. This insight highlights a critical resource misallocation in many organizations - security teams struggling with data engineering challenges instead of focusing on threat detection and response.
The practical implications are significant. Companies like Apple and Netflix have already demonstrated this approach works at scale, using tools like Jupyter Notebooks and Databricks for threat detection operations. As Polley observes: "It sounds crazy, and even now it could sound crazy - why are you hiring a data scientist for threat detection response? But it is a data science problem, right? It is a big data problem that's very hard to wrangle."
AI Agents: The Future of Security Operations
Perhaps the most transformative insight from Polley's experience is how AI agents are reshaping security operations. Rather than replacing human analysts, these agents handle the repetitive, high-volume tasks that burn out security teams.
"You could just have every alert assign a new AI agent to it and have them triage it and deal with it," Polley explains. "Maybe once a month you can look to see which alerts created the most false positives and for cost sake, you go and tweak it. Instead of burning out your entire SOC team or even worse, turning off the alert entirely and missing a true positive."
This approach addresses one of the most persistent challenges in security operations: alert fatigue. By delegating initial triage to AI agents, human analysts can focus on high-value activities like threat hunting, architectural improvements, and strategic security initiatives.
Building SOCs for the AI Era
Polley's approach to building modern security operations centers on three key principles:
Start with detection fundamentals: "Day one, don't even purchase a SIEM, just turn on CloudTrail logs and GuardDuty logs. You can do that the day you're hired."
Invest in scalable infrastructure: Choose platforms built on modern data infrastructure like Snowflake that can handle enterprise-scale data volumes.
Prioritize API-first tools: "I will at least require every security tool I use to have a robust API, if not an MCP server," Polley emphasizes, recognizing that AI integration requires programmatic access to security tools.
The Strategic Shift in Security Operations
The conversation reveals a fundamental shift in how security leaders think about their role. Rather than focusing solely on compliance-driven initiatives, Polley advocates for a capabilities-first approach: "If you build a really great security program, compliance just comes along with it and everything becomes super easy."
This philosophy extends to incident response preparedness. "Attackers and hackers, they're not gonna wait for you to become compliant and spin up all these resources and infrastructure," Polley warns. "Imagine a breach happened tomorrow - the first question everyone's gonna ask is what happened and what did they take? Without a detection response process, you're just not gonna know."
Practical Implementation for Enterprise Teams
For organizations looking to modernize their security operations, Polley recommends a phased approach:
Foundation: Enable basic logging (CloudTrail, GuardDuty) and establish data collection
Infrastructure: Implement modern SIEM alternatives built on scalable data platforms
Detection: Focus on high-impact, low-false-positive alerts initially
Automation: Integrate AI agents for alert triage and investigation
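Polley's "day one" advice is to turn on CloudTrail and start with a few high-impact, low-false-positive detections, then hand the resulting alerts to automated triage. As an added example (not from the interview, Perplexity, or any vendor), here is what that looks like as detection-as-code in Python: two high-fidelity rules evaluated directly over raw CloudTrail records, with alerts from one source address folded into a single case so a triage agent gets one unit of work per incident. The event records, account id and IP addresses are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (placeholder account id, RFC 5737 test IPs), not real telemetry.
SAMPLE_EVENTS = [
    {"eventTime": "2025-08-11T09:12:03Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}, "sourceIPAddress": "203.0.113.7",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-08-11T09:15:40Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.7", "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2025-08-11T09:20:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"},
     "sourceIPAddress": "10.0.1.5"},
]

def root_login_without_mfa(ev):
    """Successful root console sign-in without MFA: rare in a healthy account, so almost no false positives."""
    return (ev["eventName"] == "ConsoleLogin" and ev["userIdentity"].get("type") == "Root"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")

def cloudtrail_tampering(ev):
    """API calls that stop or reshape the audit trail itself, i.e. evasion aimed at your own logging."""
    return (ev["eventSource"] == "cloudtrail.amazonaws.com"
            and ev["eventName"] in {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"})

RULES = {"root_console_login_no_mfa": (root_login_without_mfa, "critical"),
         "cloudtrail_logging_tampered": (cloudtrail_tampering, "high")}

def run_detections(events, rules=RULES):
    """Evaluate every rule against every raw event; one alert per (event, rule) match."""
    alerts = []
    for ev in events:
        for name, (predicate, severity) in rules.items():
            if predicate(ev):
                alerts.append({"rule": name, "severity": severity, "actor": ev["userIdentity"]["arn"],
                               "source_ip": ev["sourceIPAddress"],
                               "time": datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))})
    return alerts

def correlate_by_source_ip(alerts, window=timedelta(minutes=30)):
    """Fold alerts from one source IP inside `window` into one case: one unit of triage work per incident."""
    cases = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        for case in cases:
            if case["source_ip"] == alert["source_ip"] and alert["time"] - case["first_seen"] <= window:
                case["alerts"].append(alert)
                break
        else:
            cases.append({"source_ip": alert["source_ip"], "first_seen": alert["time"], "alerts": [alert]})
    return cases
```

Run against the three constructed records, the root sign-in and the StopLogging call become one case from 203.0.113.7 while the routine GetObject produces nothing, which is the shape of output an agent-per-case triage loop would consume.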
The key insight is that this evolution doesn't require wholesale replacement of existing security teams. Instead, it empowers them to work at a higher level, focusing on strategic security improvements rather than manual alert processing.
This transformation aligns with broader industry trends toward AI-powered security operations, as evidenced by SentinelOne's major acquisition of Prompt Security and the growing focus on AI security at conferences like DEF CON.
OWASP Top 10 for LLM Applications - Essential security considerations for AI applications
Microsoft Defender for Cloud Documentation - Multi-cloud security posture management
NIST AI Risk Management Framework - Governance framework for AI security
SafeBreach Win-DDoS Research - Technical details on Windows infrastructure vulnerabilities
Model Context Protocol Specification - Standardized AI agent integration protocols
Question for you (reply to this email):
Where should human analysts draw the line in letting AI handle alert triage?
Next week, we'll explore another critical aspect of cloud security. Stay tuned!
We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.
Thank you for continuing to subscribe, and welcome to the new members of this newsletter community💙
Peace!
Was this forwarded to you? You can Sign up here, to join our growing readership.
Want to sponsor the next newsletter edition? Let's make it happen.
Have you joined our FREE Monthly Cloud Security Bootcamp yet?
Check out our sister podcast, AI Security Podcast.