I’ve been thinking a lot about SOC efficacy lately, and I’m going to take a position that might make some people uncomfortable. Despite organizations investing millions in security operations centres (SOC) and state-of-the-art detection technologies, we’re seeing breaches at unprecedented levels.
Based on my observations across large enterprises in Australia, the United States, and the UK, only about one in twenty SOCs detects and responds effectively to the sophisticated identity-based attacks that we’re seeing today.
This isn’t a technology problem. It’s a paradigm problem. And it’s time we acknowledged that our current approach to SOC operations is broken. There are seven core challenges we’ll delve into before going into how to fix the SOC problem.
1. AI-enabled social engineering
Despite years of building sophisticated defences around identity and access management, hackers have found the ultimate shortcut: they simply trick users into handing over their credentials.
Think about it this way: if you wanted to steal a car, you could spend hours trying to break anti-theft systems, or you could just ask the owner for their keys. That’s exactly what’s happening in cyber security.
AI has supercharged social engineering to the point where attackers can craft incredibly convincing impersonation attempts, bypassing millions of dollars’ worth of security architecture by exploiting the one component we can’t patch: human behaviour.
During a recent job at Chaleit, we discovered nearly 100 accounts in a large organization still using derivatives of “ABC123” as passwords. When data is available on the dark web and AI can help piece together personal information to create targeted attacks, these weaknesses become gaping security holes. We need entirely new AI security approaches to counter these attack vectors.
2. Identity security illusion
Organizations have convinced themselves that strong identity and access management equals security. MFA tokens, single sign-on systems, and identity governance platforms create a sense of protection, but the moment someone successfully impersonates a legitimate user, all those expensive controls become irrelevant.
But it’s not just social engineering we need to worry about. Browser-based attacks and cookie theft represent another serious vector that bypasses traditional authentication controls.
The problem is that our systems verify accounts, not actual people. Once an attacker assumes a user’s identity through social engineering, they can often operate within normal parameters for extended periods. Most detection systems aren’t sophisticated enough to recognise that John Doe’s account is being used by someone who isn’t actually John Doe.
Let’s say a user typically logs in at 9 AM, checks the news, reviews emails, and follows predictable patterns Monday through Wednesday. Thursday, they suddenly access a third-party SaaS application they’ve never used before. Friday, they’re back to the news at 9 AM. That Thursday anomaly should stand out like a sore thumb, but most SOCs lack the behavioural analytics to identify such subtle deviations.
3. Tool saturation without integration
Walk into any enterprise SOC today, and you’ll find an overwhelming array of tools: vulnerability scanners, endpoint detection and response (EDR) platforms, security information and event management (SIEM) systems, and AI-enabled threat detection solutions.
Yet, despite this technological arsenal, basic security hygiene remains poor.
I’ve seen organizations with million-dollar security budgets that still lack basic asset registers, consistent password policies, or comprehensive patch management. They have all the scanning tools and monitoring platforms, but they lack a clear understanding of what they’re protecting.
The problem isn’t the tools themselves. The problem is the hodgepodge approach to deployment, the lack of integration between systems, and the absence of ongoing tuning and optimisation.
We’re playing a sophisticated game of security while missing the basics that prevent breaches.
4. Misconfiguration blind spot
Even more concerning is what traditional vulnerability management programs miss entirely: misconfigurations.
In large enterprises with organic system growth, different system owners, legacy environments, and shadow SaaS integrations, misconfigurations are inevitable. No vulnerability scanner will flag identity systems configured inconsistently across domains, cloud services with overly permissive access policies, or network segments that bypass security controls.
These misconfigurations often provide attackers with the lateral movement opportunities they need once they’ve gained initial access through compromised credentials. Yet most organizations have no systematic approach to identifying and remediating these architectural weaknesses.
5. The SOC model crisis
Internal SOCs: Context without capacity. The ideal SOC would be internal, staffed by people who understand your organization’s context, systems, and business processes. Internal teams know which assets are critical, understand normal user behaviour patterns, and can make informed decisions about risk tolerance.
But internal SOCs face crushing capacity constraints. Organizations struggle to staff 24/7 operations with qualified analysts. Financial pressures make it difficult to justify the overhead, especially when vendors promise equivalent coverage at lower costs.
External SOCs: Coverage without context. External SOC providers offer round-the-clock monitoring and specialised expertise, but they lack the organizational context that makes detection effective. They don’t understand your business processes, can’t easily distinguish between legitimate and suspicious activities, and often lack the authority to take decisive action.
Lee Barney, TPG Telecom GM tech security, explains: “How you negotiate your SOC deal will be remembered during the SOC contract. Don’t destroy their margins, understand that their success is your success, be the client they can’t afford to lose, not the one they hate talking to.”
This relationship dynamic is crucial because I’ve seen external SOCs detect threats but fail to act due to liability concerns or unclear authorisation frameworks. They spot the indicators but hesitate to pull the trigger on response actions that might disrupt business operations.
Hybrid models: Coordination complexity. Hybrid SOCs attempt to blend internal context with external coverage, but they often create new problems around accountability and coordination. When responsibility is shared between internal and external teams, critical decisions can fall through the cracks during the precious minutes that determine whether a breach is contained or spreads throughout the organization.
6. Detection and response crisis
Recently, during a collaborative simulation exercise with a client, we achieved domain administrator access within three hours of initial compromise. The organization’s SOC — a well-regarded external provider — only identified two minor indicators of compromise during that entire period. When we informed them that their client had been completely compromised, they seemed genuinely surprised.
This scenario highlights the gap between what we believe our detection capabilities are and what they achieve in practice.
As Noel Toal, chief technology and transformation officer at Repurpose IT, told me: “The high number of breaches shows that the focus on prevention has failed. The impact duration and severity depend on whether you prepared the parachute to detect, respond and recover effectively.”
Attack times are shrinking rapidly whilst attack path efficiency is sharpening and dwell time lengthening. Modern attackers know they have limited windows before detection, so they move fast. Meanwhile, many SOCs take hours or days to investigate alerts that require immediate action.
The challenge is psychological and organizational. SOCs are terrified of “crying wolf” because false positives erode trust and create alert fatigue. But this caution often means they miss the subtle early indicators that could prevent full compromise.
As I discussed in a recent live session with cyber security expert Caitriona Forde, the industry has developed a dangerous blindness to these leading indicators of compromise that appear long before the obvious signs of a breach. The problem is that everyone wants something they can measure, block, and defend against. But it’s precisely these subtle, intangible warning signs that get lost in the noise of our over-alerting security systems.
EDR platforms are crucial, and without them, we’d be in a far worse state. But too many organizations treat EDR as a silver bullet solution. EDR excels at detecting abnormal behaviour, but sophisticated attackers know this and bypass EDR by behaving like a normal user, which is exactly what successful identity compromise enables. When an attacker assumes a legitimate user’s credentials, their activities often fall within acceptable behavioural parameters, at least initially.
This is why we need behavioural analytics that go beyond individual endpoint monitoring to understand user patterns across the entire enterprise environment.
Your SOC is supposed to be your parachute: the last line of defence when other controls fail. However, many organizations are relying on parachutes that have never been tested under real conditions.
During a recent tabletop exercise, I had to authorise the organization to formally indemnify their external SOC provider for taking decisive response actions. Why? The SOC was too concerned about legal liability to actually use the authorities they’d been given. They preferred to gather more evidence rather than risk business disruption, even when facing an active threat.
7. Capacity crisis
One of the biggest challenges facing CISOs today isn’t technology, it’s capacity. I’ve watched security leaders become so overwhelmed by vendor management, contract renewals, and board reporting that they don’t have time to work on fundamental security problems.
The Australian financial year-end period provides a perfect case study. I’ve seen CISOs spending 60% to 70% of their time managing vendor relationships and contract negotiations rather than focusing on security architecture and threat response.
This vendor management overhead represents a massive hidden cost that organizations rarely account for in their security budgets.
It’s time we change how we approach SOC operations and security monitoring. We need to stop believing that we can spend our way to security through bigger budgets, more tools, and additional staff.
5 steps to surpass the SOC crisis
1. Focus on fundamentals first. Before investing in advanced threat detection, ensure basic security hygiene is in place. Asset inventories, consistent password policies, comprehensive patch management, and proper access controls form the foundation that makes advanced detection meaningful.
2. Integrate testing with operations. Every penetration test should be a training exercise for your SOC. Every red team engagement should test whether your detection and response procedures actually work. Make security testing a collaborative exercise that improves operational capabilities.
3. Implement continuous validation. Move beyond annual security assessments to continuous validation of your security controls. Test your SOC’s detection capabilities regularly with small, realistic scenarios. Create a culture where learning from simulated attacks is valued over perfect performance metrics.
4. Build context-aware detection. Invest in behavioural analytics that understand your organization’s unique patterns. User activity monitoring should go beyond simple threshold alerts to recognise subtle deviations that indicate compromise.
5. Establish clear response authorization. Define exactly what authority your SOC has to act, whether internal or external. Document these authorities clearly and ensure all stakeholders understand when and how they can be exercised.
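The Thursday SaaS anomaly described under the identity security illusion, and step 4 above, both come down to the same mechanism: build a per-user baseline of what "normal" looks like, then compare new activity against it rather than against a global threshold. The following is an added example, not code from the article or from any SOC product, showing that mechanism over a constructed access log. The users (jdoe, asmith), application names, dates and the three-day training window are all assumptions made for the illustration; a real deployment would train over weeks, baseline peer groups as well as individuals, and feed findings into a case rather than a list.

```python
"""Per-user behavioural baseline over a constructed access log.

Assumptions (example, not the article's own): each log record is a
(timestamp, user, application) tuple, the first three days are a clean
training window, and a user's usual hours and applications from that
window define "normal" for that user alone.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log: Mon 2025-06-02 through Fri 2025-06-06.
# jdoe follows the article's pattern (news then email at 9 AM), with one
# new SaaS application on Thursday afternoon. asmith uses that same SaaS
# application every day, so for her it is normal and must not be flagged.
SAMPLE_LOG = [
    ("2025-06-02T09:02:00", "jdoe", "news-portal"),
    ("2025-06-02T09:10:00", "jdoe", "email"),
    ("2025-06-02T08:55:00", "asmith", "thirdparty-saas"),
    ("2025-06-03T09:01:00", "jdoe", "news-portal"),
    ("2025-06-03T09:15:00", "jdoe", "email"),
    ("2025-06-03T09:05:00", "asmith", "thirdparty-saas"),
    ("2025-06-04T09:05:00", "jdoe", "news-portal"),
    ("2025-06-04T09:12:00", "jdoe", "email"),
    ("2025-06-04T08:50:00", "asmith", "thirdparty-saas"),
    ("2025-06-05T09:03:00", "jdoe", "news-portal"),
    ("2025-06-05T14:40:00", "jdoe", "thirdparty-saas"),  # never seen for jdoe
    ("2025-06-05T09:00:00", "asmith", "thirdparty-saas"),
    ("2025-06-06T09:00:00", "jdoe", "news-portal"),
    ("2025-06-06T09:20:00", "jdoe", "email"),
    ("2025-06-06T09:02:00", "asmith", "thirdparty-saas"),
]

# Assumed clean training window (Mon-Wed of the sample week).
TRAINING_DAYS = {date(2025, 6, 2), date(2025, 6, 3), date(2025, 6, 4)}


def parse(record):
    """Turn one raw log tuple into (datetime, user, application)."""
    ts, user, app = record
    return datetime.fromisoformat(ts), user, app


def build_baseline(events, training_days):
    """Per-user sets of applications and login hours seen in the training window."""
    apps = defaultdict(set)
    hours = defaultdict(set)
    for ts, user, app in events:
        if ts.date() in training_days:
            apps[user].add(app)
            hours[user].add(ts.hour)
    return apps, hours


def detect(events, training_days, hour_slack=1):
    """Flag post-training events that deviate from the user's own baseline.

    Returns a list of (timestamp, user, application, reasons). An event is
    flagged when the application was never seen for that user, or when its
    hour is more than `hour_slack` hours from every hour seen for that user.
    A user with no baseline at all is flagged on both counts, which is the
    conservative choice: an unknown account has no "normal" yet.
    """
    apps, hours = build_baseline(events, training_days)
    findings = []
    for ts, user, app in events:
        if ts.date() in training_days:
            continue  # training data is not scored against itself
        reasons = []
        if app not in apps[user]:
            reasons.append("first-seen application")
        if not any(abs(ts.hour - h) <= hour_slack for h in hours[user]):
            reasons.append("outside usual hours")
        if reasons:
            findings.append((ts.isoformat(), user, app, reasons))
    return findings


def run_sample():
    """Score the constructed log; only jdoe's Thursday SaaS access should appear."""
    events = [parse(r) for r in SAMPLE_LOG]
    return detect(events, TRAINING_DAYS)


if __name__ == "__main__":
    for ts, user, app, reasons in run_sample():
        print(f"{ts} {user} {app}: {', '.join(reasons)}")
```

The point the example makes is that the same application is normal for one user and anomalous for another, which no global allow-list or threshold alert can express; the baseline has to be built per identity, and the Friday return to routine correctly produces nothing.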
We need to acknowledge that our current SOC models are inadequate and begin the difficult work of rebuilding them from the ground up. The question isn’t whether your organization will face a sophisticated identity-based attack, it’s whether your SOC will be ready when it happens.
Those who succeed prioritize fundamentals over features, rehearsal over reporting, and resilience over compliance. They treat their SOC as a living capability that requires constant training and refinement rather than a static service that can be outsourced and forgotten.