
Despite major enterprises investing millions of dollars or RMB in Security Operations Centers (SOC) and advanced detection technologies, data breaches remain frequent and are on the rise. Based on practical experience, currently, only about 5% of SOCs can effectively respond to increasingly complex identity-based attacks. This is not a technical flaw, but a paradigm issue—we must acknowledge that the current SOC operational model has failed.Part01
The Seven Key Issues of the SOC Crisis
1. AI-Driven Social Engineering Attacks
Cybercriminals are leveraging artificial intelligence (AI) technologies to induce users to voluntarily “hand over” credential information, thereby bypassing the identity and access management (IAM) defenses that enterprises have built over the years.
AI makes phishing attacks more deceptive, specifically targeting vulnerabilities that cannot be patched—human beings themselves. In one client environment, we discovered nearly a hundred accounts still using “ABC123” and its variants as passwords. When dark web data breaches combine with AI-driven precise information gathering, such weak points can evolve into significant security gaps.
2. The Illusion of Identity Security
Multi-factor authentication (MFA) tokens, single sign-on (SSO) systems, and identity management platforms create a false sense of security. Once an attacker steals a legitimate user’s identity, these expensive control mechanisms become completely ineffective. In addition to social engineering, browser-based attacks and cookie theft have also become new avenues for bypassing authentication controls.
The core issue is that existing systems only verify account validity but cannot confirm whether the person logging in is indeed the legitimate user. Once attackers obtain credentials, they can often remain undetected for long periods, operating within normal behavioral parameters. For example, a user typically logs in at 9 AM, browses news, checks emails, and maintains a consistent pattern from Monday to Wednesday, but suddenly accesses a third-party SaaS application they have never used before on Thursday—this anomaly should trigger an alert, but most SOCs lack the necessary behavioral analytics capabilities.
3. Tool Overload and Lack of Integration
A typical SOC is filled with various security tools:
- Vulnerability Scanners
- Endpoint Detection and Response (EDR) Platforms
- Security Information and Event Management (SIEM) Systems
- AI Threat Detection Solutions
However, even with these technological weapons, enterprises often overlook basic security hygiene. We have witnessed companies with security budgets reaching millions of dollars that lack even basic asset inventories, unified password policies, or comprehensive patch management strategies. It must be clear: if you do not know what needs to be protected, all scanning tools and monitoring platforms will be ineffective. The root of the problem lies not in the tools themselves, but in fragmented deployment models, lack of system integration, and insufficient fine-tuning.
4. Blind Spots in Configuration Errors
Traditional vulnerability management programs often overlook configuration errors, which can be particularly fatal in large enterprises with the following characteristics:
- Organically grown system architecture
- Decentralized system ownership
- Legacy environments
- Shadow SaaS integrations
Cross-domain configuration inconsistencies in identity systems or overly permissive cloud services often provide attackers with lateral movement pathways. However, most enterprises lack a systematic approach to identify and remediate these architectural-level flaws.
5. The Dilemma of SOC Models
An ideal SOC should possess:
- Internal ModelComposed of employees familiar with the enterprise environment, systems, and business processes, capable of accurately identifying key assets, user behavior patterns, and making risk decisions. However, it faces talent shortages and the cost pressure of 24/7 operations.
- Outsourced ModelProvides round-the-clock monitoring and expertise but lacks organizational context, making it difficult to distinguish between legitimate and suspicious activities, and is often limited by response authority. There have been instances where outsourced SOCs detected threats but did not take action due to issues of accountability.
- Hybrid ModelAims to balance the advantages of both but often leads to issues of responsibility division and coordination, resulting in delays in critical decision-making.
6. Detection and Response Traps
In a recent attack-defense drill, the attackers gained domain administrator privileges in just three hours, while the enterprise SOC (a well-known outsourcing service provider) only detected two minor intrusion indicators throughout the process. This reveals a significant gap between detection capabilities and real threats.
Modern attacks have the following characteristics:
- Shortened attack windows
- More efficient attack paths
- Extended dwell times
Yet most SOCs require hours or even days to investigate alerts that should be handled immediately. This gap is due to both psychological factors (fear of false positives leading to alert fatigue) and organizational factors—often overlooking subtle early indicators that could prevent a full-scale breach. It is recommended to deploy enterprise-level behavioral analytics solutions across endpoints.
7. Resource Bottlenecks
Security leaders often find themselves caught up in vendor management, contract renewals, and high-level reporting, leaving little time to address fundamental security issues. These hidden costs are often not included in the security budget. It must be recognized that security cannot be “bought” by simply increasing budgets, tools, or personnel.
Part02
Five Strategies for SOC Reform
1. Strengthen Security Foundations
Before investing in advanced threat detection, ensure the following are in place:
- Comprehensive asset management
- Unified password policies
- Comprehensive patch management
- Appropriate access controls
2. Testing as Training
Every penetration test should serve as a training opportunity for the SOC, with red team exercises validating the effectiveness of detection and response processes. Transform security testing into a collaborative task that enhances operational capabilities.
3. Continuous Validation Mechanisms
Abandon annual security assessments in favor of:
- Regularly testing SOC detection capabilities (using small real-world scenarios)
- Establishing a culture of “learning from simulated attacks”
- De-emphasizing the pursuit of perfect performance metrics
4. Build Contextual Detection Capabilities
Invest in behavioral analytics technologies that go beyond simple threshold alerts to identify subtle anomalies that suggest intrusions.
5. Clarify Response Authorities
Regardless of the SOC model adopted, it is essential to:
- Clearly define operational authorities
- Fully document authorization processes
- Ensure all stakeholders understand execution conditions
Enterprises should view the SOC as a dynamic capability that requires continuous evolution, rather than a static service that can be outsourced and forgotten. In the face of advanced identity-based attacks, the key question is not “whether an attack will occur,” but “whether we are prepared for it.”
References:
Why the SOC is in Crisis – and How to Change It
https://www.csoonline.com/article/4043049/warum-das-soc-in-der-krise-steckt-und-wie-sie-das-andern.htmlRecommended Reading
