Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

SOC detection keeps failing because the environment is still flat


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: SOC teams keep buying SIEM, EDR, NDR, and XDR to compensate for environments that were never built for reliable detection, according to Illumio’s analysis of Zero Trust and architecture-led defence. The core issue is not tool coverage, but the implicit trust and lateral movement built into the network itself, which keeps the alert haystack too large to search effectively.

NHIMG editorial — based on content published by Illumio: The modern SOC is built on a broken foundation and Zero Trust can fix it

By the numbers:

  • The ratio of real threats to total noise has remained stubbornly between 4% and 7%.

Questions worth separating out

Q: What breaks when a SOC is built on a flat network?

A: A flat network makes internal movement look normal, which means the SOC has to detect compromise inside an environment designed to trust too much.

Q: Why do Zero Trust controls improve detection outcomes?

A: Zero Trust improves detection outcomes because it reduces the number of trusted internal paths an attacker can use.

Q: How do you know if a SOC still depends on architectural trust?

A: If internal alerts are dominated by broad east-west activity, if compromised credentials can move widely before containment, or if responders rely on large correlation rules to separate normal from malicious traffic, the SOC still depends on architectural trust.

Practitioner guidance

  • Audit east-west trust paths Inventory where internal traffic is still broadly allowed between users, workloads, and service accounts, then remove or segment pathways that do not have a clear business justification.
  • Tie SOC detections to identity boundaries Refine detection logic so alerts are mapped to specific identity classes, privileged sessions, and workload segments rather than generic internal network activity.
  • Prioritise least privilege for lateral movement reduction Reduce over-broad entitlements in human and non-human identities before adding more SIEM or XDR use cases, because excessive reach inflates the alert surface.

What's in the full article

Illumio's full blog covers the architectural and operating-model detail this post intentionally leaves for the source:

  • The conversation with Dr. Anton Chuvakin and Erik Bloch on why detection tooling keeps inheriting architectural flaws.
  • The discussion of how Zero Trust changes east-west movement, internal trust, and the SOC's effective detection surface.
  • The examples of organisations that rebuilt their SOC model from first principles rather than layering on more tools.
  • The podcast context and practitioner framing around why AI helps only after architecture improves.

👉 Read Illumio's analysis of why the modern SOC breaks on flat architecture →

SOC detection keeps failing because the environment is still flat?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Architecture debt is now a security control failure, not just a design flaw. The article is right to frame the SOC as downstream of the environment it monitors. When flat networks and implicit trust remain in place, detection, response, and even AI-assisted operations are all forced to compensate for a broken baseline. For identity programmes, that means segmentation, continuous verification, and least privilege are operational controls, not abstract principles.

A question worth separating out:

Q: Who is accountable when detection tools fail to stop lateral movement?

A: Accountability sits with the teams that own the architecture, identity policy, and containment model, not just the SOC. If the environment allows broad internal trust, detection tools are only compensating for a governance failure. NIST Cybersecurity Framework 2.0 and Zero Trust architectures both place that responsibility on design and control ownership.

👉 Read our full editorial: The modern SOC breaks down when architecture stays flat



   
ReplyQuote
Share: