Every SOC Today Is Answering the Wrong Question

Ask most detection engineers what a SOC does, and they’ll say: it finds compromised machines.

That’s the wrong question. Attackers stopped compromising machines as the primary objective years ago — machines are just where identities and trust relationships happen to execute. A stolen session token, a federated role assumption, an over-scoped service account: none of those are “a machine got popped.” They’re a trust relationship quietly doing exactly what it was configured to do, on behalf of someone who shouldn’t have it.

This article has been indexed from DZone Security Zone

Read the original article: