
The Modern SOC Is Built on a Broken Foundation. Zero Trust Can Fix It.

In 2003, Gartner published what became known as the “IDS is Dead” paper. The industry responded to the declared demise of intrusion detection system (IDS) tools by building security information and event management (SIEM) tools.

By the mid-2010s, SIEM had been declared a compliance tool, so the industry built endpoint detection and response (EDR). When EDR couldn’t cover everything, network detection and response (NDR) arrived.  

Then extended detection and response (XDR) arrived, generated enormous confusion, and has since been declared dead by the same Gartner that watched IDS meet its end.  

Each transition was framed as progress. And yet, as Dr. Anton Chuvakin, security advisor for the Office of the CISO at Google Cloud, and Erik Bloch, VP of information security at Illumio, told me on the latest episode of The Segment podcast, most enterprise environments were never architecturally designed to make detection reliable.  

The SOC tools built on top of those environments inherited that flaw, and most of the new tools built since have worked around it rather than fixed it. Until security leaders address the underlying architecture, the cycle of tool investment without improved outcomes will continue.  

Zero Trust breaks that cycle by treating architecture as the problem to solve rather than the assumption to work around.

The band-aid economy, and why it’s so lucrative

When I asked Erik why the outcomes from detection and response haven’t meaningfully changed despite billions in investment and decades of innovation, he attributed it to the industry trying to fix symptoms rather than the root cause.

“I look at a lot of security startups out there today, and they’re building band-aids,” he said. “The investors know they can invest in band-aids, they know the band-aids will work for some time until they don’t, and then they can invest in the next band-aid, rather than going after the fundamental problems that are causing issues to begin with.”

The security vendor landscape thrives on incremental improvements to detection capability. Each wave of detection and response technology promises to be the one that finally tips the scales. And each wave, when measured against outcomes, largely disappoints.

Erik continued, “There are things we could do architecturally that would solve a lot of the problems that we respond to today. Do we do that? No. We buy more band-aids to cover up the architectural problems, and then we respond to all those alerts, too.”

The “needle in the haystack” problem — finding actual threats in an ocean of alerts — hasn’t improved despite decades of tooling investment. Erik noted that the ratio of real threats to total noise has remained stubbornly between 4% and 7%.  

More tools haven’t moved that number, and they won’t, because the tools are downstream of the problem.

What “architectural problems” means for a CISO

When Erik and Anton talk about architectural problems, they’re describing a specific failure mode that most security leaders live with every day but rarely name explicitly.

Most enterprise environments were built on a foundation of implicit trust, including flat networks, broad lateral movement permissions, and assumed clean perimeters. When you build detection capability on top of a flat, over-permissioned environment, you’re effectively asking your SOC to find needles in a haystack that you deliberately made larger and harder to search.

A flat, over-permissioned network generates alert volume that no SOC can realistically manage. Lateral movement looks like normal traffic because the architecture treats it that way. Compromised credentials go undetected because internal access was never designed to be verified.  

The SOC is cleaning up a mess the environment was built to make.

Zero Trust changes what your SOC has to detect in the first place. When you enforce least-privilege access, verify identity continuously, and segment workloads so that east-west movement requires explicit authorization, you fundamentally shrink the attack surface your detection tools need to cover.  

You stop making the haystack bigger and start reducing it.

The architectural fix Erik and Anton described during our conversation means rebuilding the foundational assumptions about how access and connectivity should work.

A 1990s SOC with AI is still a 1990s SOC

Both agreed that AI has genuine value in security operations. But applying AI to a structurally broken SOC produces a faster version of the same broken outcomes.

Anton argued that too many organizations are using AI investment as a reason to avoid a deeper rebuild. AI has distracted many security teams from doing this fundamental yet critical work.

When the SOC model itself is 30 years old, AI simply speeds up old processes without addressing why the process produces so little signal. The environment the SOC monitors was never designed to surface the right information reliably, and faster analysis of unreliable signal is still unreliable.

“With AI, certain links can go much faster, maybe much better, but the whole chain is largely still wherever it was,” Anton said.

A Zero Trust architecture changes the chain itself.  

When your network is segmented and workloads can only communicate through explicitly permitted pathways, your SOC has a dramatically smaller detection surface to cover.  

This means that the AI you apply to that environment can actually work as intended, because the signal-to-noise problem shrinks with the attack surface. Zero Trust makes AI in the SOC useful.
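The shrinking detection surface described here, and under “What architectural problems means for a CISO” above, can be made concrete with a small policy check. The following is an added example, not code from the article, the podcast guests, or Illumio’s products: a toy default-deny segmentation policy with label-based allow rules and a per-workload identity check, evaluated over a handful of constructed east-west flow records. The labels, SPIFFE-style identities, ports, and flows are all invented for illustration. It counts how many communication paths a SOC would have to baseline on a flat network versus under default-deny, and lists the flows that become deterministic policy violations instead of anomalies to hunt for.

```python
"""Added example (not from the article, its guests or Illumio): a toy
default-deny segmentation policy evaluated over constructed flow records.
Every label, identity, port and flow below is invented for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_label: str   # workload role of the source, e.g. "web"
    src_id: str      # hypothetical workload identity presented by the source
    dst_label: str
    port: int
    proto: str


@dataclass(frozen=True)
class Rule:
    src_label: str
    src_id: str      # identity the rule expects; "*" accepts any identity
    dst_label: str
    port: int
    proto: str

    def matches(self, f: Flow) -> bool:
        return (self.src_label == f.src_label
                and self.src_id in ("*", f.src_id)
                and self.dst_label == f.dst_label
                and self.port == f.port
                and self.proto == f.proto)


# Hypothetical allowlist. Any flow not matched by a rule is denied (default deny).
POLICY: List[Rule] = [
    Rule("web", "spiffe://example.org/web", "app", 8443, "tcp"),
    Rule("app", "spiffe://example.org/app", "db", 5432, "tcp"),
    Rule("web", "*", "dns", 53, "udp"),
    Rule("app", "*", "dns", 53, "udp"),
]


def evaluate(policy: List[Rule], f: Flow) -> Optional[Rule]:
    """Return the first rule that permits f, or None if the flow is denied."""
    return next((r for r in policy if r.matches(f)), None)


# Constructed flow records, the kind a flow collector would emit. The last
# three are what lateral movement from a compromised web server looks like.
FLOWS: List[Flow] = [
    Flow("web", "spiffe://example.org/web", "app", 8443, "tcp"),
    Flow("app", "spiffe://example.org/app", "db", 5432, "tcp"),
    Flow("web", "spiffe://example.org/web", "dns", 53, "udp"),
    Flow("web", "spiffe://example.org/web", "db", 5432, "tcp"),    # web -> db directly
    Flow("web", "spiffe://example.org/web", "app", 22, "tcp"),     # SSH into the app tier
    Flow("web", "spiffe://example.org/batch", "app", 8443, "tcp"), # allowed path, wrong identity
]


def detection_surface(policy: List[Rule], flows: List[Flow]) -> Tuple[int, int]:
    """Distinct (src, dst, port, proto) paths the SOC must baseline.

    Flat network: every observed path is implicitly trusted, so all of them
    need a baseline before lateral movement stands out as unusual.
    Default deny: only explicitly permitted paths carry traffic; everything
    else is blocked and logged as a policy violation, not hunted as an anomaly.
    """
    flat = {(f.src_label, f.dst_label, f.port, f.proto) for f in flows}
    zero_trust = {(f.src_label, f.dst_label, f.port, f.proto)
                  for f in flows if evaluate(policy, f) is not None}
    return len(flat), len(zero_trust)


def violations(policy: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Flows denied by the policy: the high-signal events the SOC actually needs."""
    return [f for f in flows if evaluate(policy, f) is None]


if __name__ == "__main__":
    flat, zt = detection_surface(POLICY, FLOWS)
    print(f"paths to baseline: flat network={flat}, default-deny={zt}")
    for f in violations(POLICY, FLOWS):
        print("policy violation:", f)
```

On these constructed flows the flat network leaves five distinct paths to baseline, the default-deny policy leaves three, and the three denied flows (two unexpected paths and one stolen-identity use of a permitted path) surface as policy violations rather than as faint deviations from a learned baseline. The identity field is what turns “verify identity continuously” into an enforceable rule: a workload on an approved path but presenting the wrong identity is still denied.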

Every SOC transformation success story begins with architecture

During our conversation, Anton described the handful of organizations that have genuinely broken the cycle.  

Netflix went “SOC-less” in 2018. Google uses an engineering-led detection model. Anton even mentioned a major European bank that has completely rebuilt its SOC from first principles.

What these organizations did differently was address the architecture head on. That means rebuilding how access works, how traffic is trusted, and how the environment is structured.  

It’s slow, expensive work. Most organizations choose to buy tools instead, and the cycle continues.

Getting unstuck requires organizational will, executive buy-in, and a willingness to stop patching and start rebuilding. It also requires a clear architectural target.  

Zero Trust provides that target as a set of design principles that, when applied to the environment your SOC monitors, changes the fundamental economics of detection.

Zero Trust is the only answer to an attack surface that won’t stop growing

AI is expanding the attack surface faster than any previous technology wave, and most SOCs aren’t built to handle it.  

The perimeter assumption was already broken before AI arrived. Adding AI tools on top of that broken foundation produces the same result as every previous wave of tooling investment: faster processes but the same outcomes.

Both Erik and Anton were clear on two points. The fundamental architectural problems driving poor detection outcomes are well understood and largely unaddressed. And the teams that choose to address them are demonstrably better off.

Zero Trust is where that work begins. It reframes architecture from a fixed constraint into the core problem to solve. That reframing is available to every security leader regardless of organization size, budget, or legacy debt.  

Listen to the full episode of The Segment: A Zero Trust Leadership Podcast on Apple Podcasts, Spotify, or our website.
