MI-One Issue #18 - Perseid Edition

Dive into Black Hat 2025, ongoing platform consolidation, and a closer look at Fortinet.

Hello there.

August has seen some serious moves in the security landscape, most of which seem to be building on the strategic partnership themes we explored in our Solstice Edition.

Zscaler completed its acquisition of Red Canary, and this one's interesting—it's not just buying MDR capabilities, it's acquiring Red Canary's sprawling integration ecosystem and merging it with Zscaler's cloud transaction visibility. The result? An AI-powered security operations platform that makes sense. Meanwhile, SentinelOne signed a definitive agreement to acquire Prompt Security, in what feels like the most 2025 acquisition possible: using AI to secure AI applications.

But the month's biggest potential shake-up is Palo Alto Networks reportedly negotiating to acquire CyberArk for north of $20 billion. If this closes, we're looking at the largest cybersecurity deal since Google's Wiz acquisition that was discussed in our Decembris Edition, and it would reshape identity security. The acquisition certainly showcases Palo Alto's strategic entry into identity management, a sector that's getting urgent attention with AI adoption and high-profile breaches.

The partnership landscape is maturing rapidly too. SentinelOne and Mimecast deepened their integration around human-centric cyber risk management, combining endpoint telemetry with behavioral AI. The premise is compelling: instead of reacting to that inevitable phishing click, it’s now time to predict and prevent it. Claroty teamed up with Google Security Operations for cyber-physical system threat detection, tackling the growing OT and IT convergence challenge.

Platform consolidation is also accelerating. Microsoft made two significant moves: announcing the Sentinel Data Lake for low-cost long-term storage (priced at less than 15% of traditional analytics logs) and the convergence of Defender Threat Intelligence (MDTI) directly into Defender XDR and Microsoft Sentinel at no additional cost. The Data Lake capability is particularly interesting as it continues a trend we've seen from AWS with Amazon Security Lake, SentinelOne with Singularity Data Lake, and Cribl with Cribl Lake. It represents an architectural change to help manage Sentinel's cost challenges. Tenable enhanced their One platform for unified vulnerability management, while Datadog embraced the Open Cybersecurity Schema Framework (OCSF) for common data modeling.

We're certainly witnessing the end of the point solution era. The new reality is platform consolidation at scale, where procurement teams are demanding fewer vendors with wider coverage and enhanced integrations.

Recap of Black Hat USA 2025

In case you missed it, this year’s Black Hat took place in Las Vegas from August 2nd to 7th.

The main takeaway? That agentic AI in security operations has moved from PowerPoint promise to production reality. The product demos were largely autonomous, able to make decisions and take actions while keeping humans in the loop rather than simply drowning them in alerts.

A couple of standouts:

Flashpoint made waves with AI Summarization for Search and Investigations within its Ignite platform at Black Hat USA 2025. Their new capability turns thousands of dark web posts into actionable insights in seconds, automatically identifying key trends, threat actors, and TTPs with footnoted references. No more manual review of forum discussions, the AI distills entire conversations into concise snapshots that analysts can actually use.
Tenable tackled the generative AI security challenge head-on with its AI Exposure platform. This goes way beyond discovery to provide end-to-end visibility and control over enterprise AI usage like ChatGPT Enterprise and Microsoft Copilot. With shadow AI becoming a real exposure risk, Tenable's approach includes risk management and policy enforcement across the entire AI lifecycle.
HPE used Black Hat to showcase their unified security portfolio for the first time since acquiring Juniper. Their new SASE copilot delivers AI-driven network security insights, while the Alletra Storage MP X10000 sets a new standard with 1.2 petabytes per hour backup speed. The CrowdStrike integration adds real-time threat detection that can instantly restore systems to clean recovery points.
Qualys unveiled their AI fabric with a Cyber Risk AI Agents marketplace delivering real-time risk insights across all attack surfaces, prioritized by business impact. Cyera expanded into AI adoption enablement with AI Guardian, including AI-SPM for complete AI asset inventory and AI Runtime Protection for real-time monitoring of AI data risks.
Cribl introduced Guard capability for proactive detection and protection of sensitive information in telemetry data, automatically identifying credit card numbers, passport information, and Social Security numbers in observability pipelines. Abnormal AI boosted Microsoft 365 protection with expanded Security Posture Management, providing broader visibility into misconfigurations and automated prioritization of the highest-risk threat surfaces.
Snyk debuted Secure At Inception tools for AI coding assistants, leveraging the Model Context Protocol (MCP) framework for real-time security scanning and enhanced visibility into enterprise GenAI components. CrowdStrike strengthened AI agent security through OpenAI's ChatGPT Enterprise Compliance API integration, offering improved visibility into GPT and Codex agent usage, plus launched a new release of Falcon Adversary Intelligence with personalized threat insights.
Palo Alto Networks introduced Cortex Cloud Application Security Posture Management (ASPM) with prevention capabilities that address security risks before deployment. They also launched an open partner ecosystem for AppSec, consolidating data from third-party code scanners, including Snyk, GitLab, Veracode, HashiCorp, Black Duck, Checkmarx, and Semgrep into a single centralized platform.

What stood out to us wasn't just the technology, it was the focus on autonomous operation. These aren't AI assistants waiting for human direction - they're systems that actively investigate, decide, and execute responses while keeping analysts informed rather than overwhelmed.

Black Hat USA 2025 underscored that agentic AI, security automation, and integrated governance are no longer distant concepts, they are active components of modern enterprise defense. From securing AI workloads and coding assistants to automating risk prioritization and protecting business-critical APIs, vendors demonstrated that autonomous, business-aligned security operations are now within reach.

Under the Lens — Fortinet

Modern cybersecurity requires integrated platforms that unify multiple security domains rather than managing disparate point solutions. Organizations need technologies that work together seamlessly while reducing operational complexity. This edition examines Fortinet's comprehensive approach to unified cybersecurity through their Security Fabric ecosystem.

Fortinet delivers broad, integrated, and automated security solutions across the entire digital attack surface through its flagship FortiGate firewalls and comprehensive security ecosystem. The Security Fabric architecture integrates multiple security technologies into a unified platform, enabling coordinated threat intelligence sharing, automated response capabilities, and centralized management across all security components.

Let's examine the key security solutions within Fortinet's core portfolio:

Network Security & Management:
- Fortinet Next-Generation Firewall (NGFW) delivers comprehensive network protection with integrated intrusion prevention, application control, web filtering, anti-malware, and VPN capabilities powered by custom ASIC processors for high-performance threat detection and prevention across network perimeters.
- FortiOS serves as the foundational operating system that powers Fortinet's security appliances with consistent security capabilities across physical, virtual, and cloud deployments, supporting a hybrid mesh firewall architecture that spans on-premises and cloud environments seamlessly.
- FortiGate Cloud provides cloud-based network management and security analytics specifically designed for small to medium businesses, offering simplified management through intuitive interfaces, zero-touch provisioning, real-time monitoring, and automated configuration backups.
- FortiManager revolutionizes network management and security operations by automating routine tasks with centralized policy management, mass configuration deployment, best-practice templates for zero-touch provisioning, and compliance monitoring across distributed enterprise environments.
Security Operations & Analytics:
- FortiAnalyzer delivers a unified data lake with centralized logging, reporting, and analytics capabilities that provide comprehensive security visibility through AI-powered threat detection, automated response workflows, forensic investigation tools, and compliance reporting for streamlined security operations.
- FortiSIEM provides comprehensive security information and event management with AI-powered analytics, automated threat detection, event correlation, incident management, threat hunting capabilities, and compliance automation designed for enterprise security operations centers.
- FortiSOAR delivers security orchestration, automation, and response capabilities with playbook automation, case management, threat intelligence integration, multi-tool connectors, and collaboration features that streamline incident response workflows and reduce manual security tasks.
Unified Security Architecture:
- Fortinet Security Fabric serves as the foundational architecture that enables seamless integration and communication between all Fortinet security components, providing shared threat intelligence, coordinated automated responses, unified visibility, reduced operational complexity, and enhanced security effectiveness through native integration.

Fortinet's direction centers on FortiAI expansion with agentic AI capabilities, GenAI assistants for autonomous network management, and AI-driven threat detection across over 6,500 AI URLs while incorporating multi-layered data protection and zero-trust access controls for secure AI adoption across the Security Fabric ecosystem. Significant investments are being made in artificial intelligence, machine learning, and custom security processing units that maintain comprehensive threat protection.

Optimizing Fortinet Platform Usage

To achieve optimal security outcomes with Fortinet's Security Fabric, organizations should focus on implementation strategies, chief among them:

Establish a unified network security foundation: Consolidate existing point solutions by migrating to FortiGate NGFW for unified threat management, configure FortiOS hybrid mesh capabilities for consistent policies across environments, and deploy FortiManager for centralized policy management early in your deployment.
Optimize security operations and analytics: Begin with FortiAnalyzer unified data lake deployment for centralized logging, configure FortiSIEM event correlation rules progressively, starting with high-confidence threat patterns, and implement FortiSOAR playbook automation for common incident response scenarios.
Harness the benefits of your Security Fabric Integration: Enable Security Fabric connector capabilities across all components for real-time threat intelligence sharing, configure cross-platform policy synchronization through FortiManager and implement automated threat response workflows that leverage Security Fabric integration to contain threats across network, endpoints, and cloud workloads simultaneously.

Security Application and Version Updates

Palo Alto Networks has released PAN-OS 12.1 Orion on August 14, 2025. Key highlights of this release include:
- Industry-first Quantum Readiness assessment for comprehensive cryptography inventory across enterprises, cipher translation capabilities for legacy applications without native post-quantum cryptography support, and fifth-generation quantum-optimized NGFWs designed to decrypt and inspect PQC-encrypted traffic at scale.
- Automatic asset discovery and mapping of workloads, applications, AI assets, and data flows across AWS, Azure, Google Cloud, and hybrid environments, real-time risk assessment for continuous detection of misconfigurations and exposures, and one-click multicloud security fabric deployment with automated protection scaling for dynamic workloads.
- Advanced DNS Security Resolver (ADNSR) detecting 2x more DNS threats than competitors with resolver-based deployment, enhanced Device Security expanding beyond IoT to protect every managed and unmanaged device with 90% alert fatigue reduction through Precision AI, and AI-driven threat detection, including Single-Query DNS tunneling, in-memory API vector analysis, and Encrypted Sliver C2 prevention.
- Strata Cloud Manager with effortless Panorama migration tools and AI-powered operations, strengthened zero trust posture dashboards with real-time policy optimization recommendations, centralized compliance tracking for NIST, HIPAA, and PCI DSS with automated remediation workflows, and proactive health monitoring across six critical operational categories for faster issue resolution.
SpecterOps has released BloodHound version 8, with various capabilities extending identity attack path management beyond traditional Microsoft ecosystems. Key highlights of this release include:
- Introduction of Table View for sortable, downloadable data presentation and a comprehensive Query Library featuring over 170 curated queries in searchable YAML format, enabling more efficient data analysis and team collaboration workflows.
- Privilege Zone Analysis has been made available in Early Access for Enterprise customers, providing custom security boundary enforcement beyond Tier Zero, while Microsoft PIM integration models just-in-time access patterns across four maturity stages with misconfiguration detection capabilities.
- Complete overhaul of Active Directory trust modeling with four new precise trust edges (SameForestTrust, CrossForestTrust, AbuseTGTDelegation, SpoofSIDHistory) replacing legacy TrustedBy relationships, enhanced ACE inheritance tracking for targeted remediation, and expanded integrations including ServiceNow Incident Response and Cisco Duo SSO support.
- Open ingestion framework enables modeling of arbitrary identity systems, including GitHub, AWS, 1Password, and Kubernetes environments.

Splunk has released Enterprise version 10.0 on July 28, 2025. Key highlights of this release include:
- Updated FIPS 140-2 and new FIPS 140-3 module support with validity through March 2026, mutual transport layer security (mTLS) encryption capabilities, and OpenSSL 3.0 support with Python 3.9 runtime environment replacing deprecated legacy versions.
- Introduction of Edge Processor service for network-boundary data filtering and transformation, Bulk Data Move functionality enabling precise index reorganization using search criteria, and dynamic scheduled search concurrency limits for optimized resource allocation between ad hoc and scheduled workloads.
- Fine-grained access management for search knowledge objects with three new capabilities replacing the legacy admin_all_objects permission, Effective Configuration viewing for forwarder settings without machine access, and Sidecars architecture supporting new platform features through dedicated processes.
- OpenTelemetry Collectors monitoring with centralized agent status visibility, OAuth 2.0 support for email server authentication, including Microsoft Exchange Server, Observability metrics integration in Dashboard Studio with Splunk Observability Cloud chart imports, and enhanced federated search support with savedsearch command capabilities for standard mode remote datasets across distributed Splunk deployments.

Insights: From Our Integration Factory

Google SecOps + MSSP

Enables comprehensive, automated ingestion of Google SecOps security telemetry data into MSSP environments, transforming Chronicle and Backstory insights into normalized, actionable security events for enhanced threat detection and SOC operations.

Core Functions: API data polling, OCSF normalization, alert generation, detection rule processing, IoC management, and asset correlation enhance threat visibility, accelerate triage workflows, and streamline multi-tenant security operations.
Trigger & Flow: Polling-based API calls enable continuous extraction of alerts, assets, IoCs, detections, and events from Google SecOps endpoints for real-time security monitoring.
Authentication & Security: Google SecOps API authentication with role-based access controls ensures secure, standards-compliant connectivity between Google's cloud security platform and MSSP infrastructure, maintaining data integrity and compliance requirements.
Impact: Unified Google cloud security visibility, standardized threat data processing, and automated detection capabilities bridge the gap between Google's native security ecosystem and traditional MSSP operations to improve SOC efficiency, reduce investigation complexity, and accelerate incident response across hybrid cloud environments.

Splunk ES + Splunk OT + OT Security Platform

Enables comprehensive operational technology security monitoring through automated ingestion of OT platform security data into Splunk, transforming industrial control system alerts and asset intelligence into normalized Enterprise Security events with specialized dashboard analytics and vulnerability tracking capabilities.

Core Functions: Syslog Alert Ingestion, API Asset Data Collection, Post-Ingestion Normalization, CVE Correlation, Dashboard Visualization, Asset Context Integration, and Vulnerability Assessment enhance industrial security visibility, accelerate threat analysis, and streamline OT-specific SOC workflows.
Trigger & Flow: Dual-channel data acquisition through syslog-transmitted security alerts and API-driven asset information collection enables continuous OT security monitoring with normalized data feeding specialized dashboards and downstream ES/OT applications for extended analysis.
Authentication & Security: API token-based authentication with generated API keys ensures secure, standards-compliant connectivity between OT platform systems and Splunk infrastructure, maintaining operational security and industrial control system integrity.
Impact: Unified OT/IT security visibility, specialized industrial asset monitoring, and comprehensive vulnerability tracking bridge the gap between operational technology environments and enterprise security platforms to improve industrial SOC efficiency, enhance asset security posture analysis, and accelerate incident response across critical infrastructure and manufacturing environments.