The ‘Midlife Crisis’ of SOCs

Recently, Dan Haagman, the founder and CEO of Chaleit, has deeply reflected on the effectiveness of Security Operations Centers (SOCs), prompting him to propose a potentially uncomfortable viewpoint: despite enterprises investing millions to build SOCs and deploying cutting-edge detection technologies, data breaches continue to rise at an alarming rate.

Based on observations of large enterprises in Australia, the United States, and the United Kingdom, Dan found that currently, only about 5% of SOCs can effectively detect and respond to complex identity-based attacks. This is not due to a flaw in technology, but rather a paradigm crisis — we must acknowledge that the current operational model of SOCs has failed.

Before exploring solutions, this article first analyzes the seven core challenges faced by SOCs.

The 'Midlife Crisis' of SOCs01AI-Powered Social Engineering Attacks

Dan stated that hackers have bypassed the identity management systems built over the years and found the ultimate shortcut: tricking users into voluntarily handing over credentials. Just as a car thief can either break through an anti-theft device or simply ask for the keys. AI has catalyzed social engineering to a new height: attackers can forge highly deceptive identities, targeting the most unrepairable link in security architecture — human behavior.

In a recent project at Chaleit, a large organization still had nearly a hundred accounts using variations of “ABC123” as passwords. When dark web data is combined with AI-pieced personal information, such vulnerabilities become significant security gaps. Dan believes we urgently need new AI security solutions to address these attack vectors.

02Illusion of Identity Security

Enterprises mistakenly equate strong identity authentication with security assurance. Multi-factor authentication tokens, single sign-on systems, and identity governance platforms create an illusory protective wall — once an attacker successfully impersonates a legitimate user, all expensive controls immediately become ineffective.

Moreover, browser attacks and cookie theft are forming new threat vectors that bypass traditional authentication. Existing systems verify accounts rather than real people, leading attackers to often operate normally for extended periods after obtaining identities through social engineering. Most detection systems cannot recognize anomalies like “Zhang San’s account is being used by Li Si.”

Dan noted that if a user typically logs in at 9 AM, browses news, and checks emails, their behavior is highly regular from Monday to Wednesday. If on Thursday they suddenly access a third-party SaaS application they have never used before, and then return to browsing news on Friday — this Thursday anomaly should be as alarming as a siren, but most SOCs lack the behavioral analysis capability to identify such subtle deviations.

03Tool Proliferation but Lack of Integration

Entering a modern enterprise SOC, one is met with a vast array of tools: vulnerability scanners, endpoint detection and response (EDR) platforms, security information and event management (SIEM) systems, AI threat detection solutions. However, beneath this technological arsenal, the basic security hygiene remains concerning.

Dan remarked, “I have witnessed enterprises with million-dollar security budgets still lacking asset inventories, unified password policies, or comprehensive patch management. They possess all the scanning tools and monitoring platforms but have a vague understanding of what they are protecting. The issue lies not in the tools themselves, but in the fragmentation of deployment, lack of integration between systems, and the absence of continuous tuning mechanisms — we are using cutting-edge technology to tackle security challenges while neglecting the fundamentals of vulnerability prevention.”

04Blind Spots of Misconfiguration

Even more severe are the areas that traditional vulnerability management completely overlooks: misconfigurations. In large enterprises with organically grown systems, different system owners, legacy environments, and shadow SaaS integrations make misconfigurations inevitable. No vulnerability scanner can capture: inconsistent configurations across identity systems, overly permissive cloud service permissions, or network segment isolation that bypasses security controls.

Dan pointed out that these configuration vulnerabilities often become the lateral movement springboard for attackers after initial intrusion, yet most enterprises lack a systematic approach to identify and remediate such systemic vulnerabilities.

The 'Midlife Crisis' of SOCs05SOC Model CrisisInternal SOC: Aware of the Business but Overwhelmed

An ideal SOC should be stationed internally, operated by a team well-versed in organizational structure, system characteristics, and business processes. They can accurately identify critical assets, understand normal user behavior patterns, and scientifically assess risk tolerance thresholds. However, the reality is that internal SOCs are often constrained by human resource bottlenecks: enterprises struggle to staff qualified analysts for 24/7 operations, and the high operational costs under financial pressure are hard to justify — especially when vendors claim they can provide equivalent protection at a lower cost.

External SOC: Comprehensive Coverage but Detached from Context

On the other hand, external SOC vendors may offer round-the-clock monitoring and expertise, but their lack of organizational context leads to low detection effectiveness: they do not understand business processes, struggle to distinguish legitimate from suspicious activities, and often cannot act decisively due to insufficient permissions. Lee Barney, General Manager of TPG Telecom Security, candidly stated, “The negotiation of SOC cooperation terms will define the tone for subsequent collaboration. Do not squeeze their profit margins; understand that their success is your success, and become a valued rather than a burdensome client.”

Dan emphasized that this dynamic relationship is crucial. “I have witnessed external SOCs hesitate to act even when threats are detected due to unclear responsibility or authorization frameworks. They capture signs of attacks but hesitate before operations that could impact the business.”

Hybrid Model: Coordination Dilemma

The hybrid SOC attempts to merge internal contextual awareness with external coverage capabilities, but often leads to new challenges such as responsibility attribution and coordination. Dan stated, “When decision-making authority is dispersed between internal and external teams, critical decisions can fall into a vacuum during the precious time needed to contain the spread of vulnerabilities.”

06Detection and Response Crisis

Dan shared, “In a recent collaborative attack-defense drill with a client, we obtained domain administrator privileges within three hours. However, the well-known external SOC employed by the enterprise only identified two minor attack indicators throughout the process. When informed that the system had completely collapsed, the conversation seemed genuinely surprising.”

This case reflects the gap between ideal and actual detection capabilities. Noel Toal, CTO of Repurpose IT, pointed out, “The high frequency of data breaches proves that preventive strategies have failed. The duration and severity of incidents depend on whether the company is prepared for detection, response, and recovery — the three parachutes.”

The window of opportunity for attackers is rapidly shrinking, and attack paths are becoming increasingly efficient, while dwell times are extending — modern attackers know they must act quickly before detection. Yet, many SOCs take hours or even days to handle alerts that require immediate action.

This presents a dual barrier of psychology and organization: SOC teams are hesitant due to the “boy who cried wolf” effect (false positives erode trust and lead to alert fatigue), causing them to miss early weak signals that could prevent a complete collapse. As Dan discussed with cybersecurity expert Caitriona Forde, the industry has developed a dangerous blind spot regarding the leading indicators of vulnerabilities, as everyone focuses on quantifiable, interceptable, and defensible explicit threats, while subtle, intangible warning signals are drowned in the noise of excessive alerts.

EDR platforms are indeed critical (without them, the situation would be worse), but too many enterprises view them as a silver bullet. EDR excels at detecting anomalous behavior, while advanced attackers are leveraging identity spoofing to simulate normal users and evade detection — when attackers operate with legitimate credentials, their behavior can initially align perfectly with normal parameters.

Dan stated, “Therefore, it is necessary to deploy enterprise-level behavior analysis across endpoints to gain insights into user patterns across the entire environment. SOCs should serve as the last line of defense (the parachute when other controls fail), yet many enterprises rely on untested parachutes.”

During a tabletop exercise, Dan had to request that the enterprise provide a waiver of liability for the external SOC. Why? Because the SOC, overly concerned about legal liability, preferred to watch risks unfold rather than exercise their existing authority to act. “Clearly, when faced with active threats, they would choose to continue collecting evidence rather than risk interrupting business operations.”

07Resource Dilemma

The biggest challenge facing today’s CISOs is not technology, but resource depletion. Dan has witnessed many security leaders mired in vendor management, contract renewals, and board reporting, leaving them little time to address fundamental security issues.

The end of the Australian fiscal year is an excellent observation window: CISOs spend 60%-70% of their time on vendor relationship maintenance and contract negotiations rather than on security architecture and threat response. This vendor management cost constitutes a massive hidden expenditure, yet it is rarely included in security budgets.

Therefore, Dan calls for a rethinking of SOC operations and security monitoring models. “We must stop the fantasy of ‘increasing budget → purchasing tools → expanding manpower → enhancing security.'”

The 'Midlife Crisis' of SOCs08Five-Step Strategy to Overcome SOC Crisis

Dan proposed five key strategies:

1. Strengthen the Basics

Before deploying advanced threat detection, solidify the foundation of security hygiene: a complete asset inventory, unified password policies, systematic patch management, and strict access controls — these foundational projects are prerequisites for effective advanced detection.

2. Integrate Attack and Defense into Operations

Every penetration test should serve as a practical drill for the SOC, and every red team operation must validate detection and response processes. We need to transform security testing into a collaborative forge that enhances operational capabilities.

3. Build Continuous Validation Mechanisms

Break free from the shackles of annual assessments and establish a continuous validation system for security controls. Regularly test SOC detection capabilities through micro-real scenarios, fostering a culture of “learning from simulated attacks is better than pursuing perfect metrics.”

4. Create Contextual Detection

Invest in behavior analysis systems tailored to the organization’s unique patterns. User activity monitoring should go beyond simple threshold alerts to accurately identify subtle deviations indicative of intrusions.

5. Clarify Response Authorization Boundaries

Clearly define the disposal authority of SOCs (whether internal or external), create a written authorization framework, and ensure all stakeholders understand the execution conditions.

Dan stated that we must acknowledge that the current SOC model has failed and embark on the difficult reconstruction project. The key issue is not whether organizations will encounter advanced identity attacks, but whether SOCs are prepared when attacks occur. “Successful organizations often possess these traits: they prioritize fundamentals over functions, emphasize drills over reports, and value resilience over compliance. They view SOCs as an organic capability system that requires continuous refinement, rather than a static service that can be outsourced and forgotten.”

09Conclusion

The crisis of SOCs is never merely a failure of a single technology or tool, but a disconnection between the entire security operations paradigm and modern attack methods. When AI-powered social engineering attacks bypass identity barriers, when misconfigurations become invisible springboards for lateral movement, and when the vacuum of responsibility between internal and external teams consumes precious response time, the cost of clinging to old models is the continued high incidence of data breaches.

Moreover, the ultimate battlefield for security is never in the perfect metrics of the laboratory, but in every small detail of daily operations within the enterprise. Reconstructing SOCs means reconstructing the organization’s resilience in the face of threats. Only by confronting the crisis and undertaking painful reforms can this security fortress truly keep pace with the evolving rhythm of attack and defense, establishing an insurmountable last line of defense for enterprises in an increasingly complex threat landscape.

Original article link:

https://www.csoonline.com/article/4035333/7-reasons-the-soc-is-in-crisis-and-5-steps-to-fix-it.html

Author:

Dan Haagman, Founder and CEO of Chaleit

Source: Anzai

The technologies, ideas, and tools mentioned in the articles published or reprinted by Heibai Zhi Dao are for learning and communication purposes only for security. No one may use them for illegal or profit-making purposes; otherwise, they will bear the consequences!

If there is any infringement, please contact us to delete the article.

END

Leave a Comment