5 models for SOCs – which is more effective?

By: Guurhart

From a Gartner paper, what do you think of these 5 types of SOCs? Which should a medium/large-size enterprise aim for? The NOC & SOC together does make sense to me, for broadening the skills of everyone over time, but maybe the lack of specialization will hurt your Infosec DFIR efforts?

The distributed/co-managed one is hard for me to wrap my head around. I do not think it makes sense; it seems to expose a whole lot of extra threat surface to multiple third parties.


A virtual SOC does not reside in a dedicated facility. Instead, it is composed of team members who have other duties and functions. There is no dedicated SOC infrastructure, relying instead on decentralized security technologies and becoming active in case of an incident.

A virtual SOC is the least mature of SOC models and suited to smaller enterprises who experience only infrequent incidents or work with a managed security service provider or other third party. Gartner also sees this model being adopted as an interim approach during the transition to a more dedicated SOC capability. A virtual SOC is usually purely reactive, although a more proactive posture can be achieved in this model by leveraging automated monitoring capabilities such as correlation or rule-based alerting, and in high-risk environments anomaly detection and behavioral-analytics-based alerting (see “Best Practices and Success Stories for User Behavior Analytics”).


In some end-user organizations, there is a convergence of sharing resources between a SOC and NOC. It can be a successful model; however, politics, budget, process maturity levels, etc. can lead to doing multiple things, but none of them well. This is the risk with this model. Where there is a workable relationship with other IT areas, this can be pursued as it can save significant capital outlay on tools and facilities in terms of budget. However, IT security leaders must never be distracted by this convergence in terms, or else it may affect the mission of the SOC and its ability to help deliver and enable business outcomes.


A distributed SOC consists of some dedicated staff and infrastructure, augmented by additional team members from other teams, departments or service providers. One or more dedicated people are responsible for ongoing SOC operations, involving semidedicated team members and third parties as required. If an organization cannot operate 24/7, the resulting gap can be covered by a managed security service provider, resulting in a distributed SOC model.

The co-managed model can greatly reduce the cost of 24/7 operations while maintaining the primary security function within the organization. In addition, it can augment in-house capabilities with specialist knowledge, such as forensics, and reduce gaps in expertise.

Driving the adoption of this model are a shortage and gap in availability for skills and expertise, general budget restrictions and the considerable cost of 24/7 operations. As a consequence, 5×8 operations with an MSSP covering the weekends and nights are a popular model that Gartner clients are following.

This model is suited for small to midsize organizations and especially for those working extensively with third parties, such as outsourcers and managed security service providers.

Recommendation: If funding is constrained, the preference should be in keeping high business value and critical security functions in-house. Examples of these include architecture design, governance, risk management and compliance (GRC) management, analytics and incident response. Staple and menial security functions such as device management can go to an MSSP who can deliver good SLAs at a better price point and provide an additional set of eyes available to your team. They can also provide assistance for burst or unusual events like security incidents, holidays or facilities failure.


A centralized SOC has a dedicated facility, infrastructure and team. It is self-contained, possessing all of the resources required for continuous day-to-day security operations. The team is typically composed of security engineers, security analysts and a SOC manager. In the case of multishift operations, each shift will also have a shift lead or duty manager.

A fully centralized SOC is suited for large and midsize enterprises with multiple business units and geographically dispersed locations, sensitive environments and high security requirements, as well as those that provide internal security services. This specifically includes MSSPs and service providers more generally.


Very large organizations, service providers and those providing shared services (for example, government agencies) may have more than one SOC. Where these are required to run autonomously, they will function as centralized or distributed SOCs. In some instances though, the SOCs will be working together, and must be managed hierarchically. In that case, one SOC should be designated the command SOC. The command SOC coordinates security intelligence gathering, produces threat intelligence and fuses these for consumption by all other SOCs, in addition to providing additional expertise and skills such as forensics or threat analysis.

Originally posted at Peerlyst