Gartner’s Guide to Choosing a SOC Operating Model

Choosing a SOC target operating model

A security operations center (SOC) is crucial to keeping your organization secure, but to succeed in your security investments, you must align your strategy with a clear SOC operating model.

According to Gartner, the SOC accounts for a considerable share of security expenditure: “57% spend over 20% of security’s total budget on the SOC.” How organizations use that budget varies greatly, however, and many companies grapple with whether to insource or outsource their SOC.

Gartner’s report, Selecting the Right SOC Model for Your Organization, describes five SOC operating models to help security and risk management leaders identify the best approach. Here are the key findings, including the benefits and drawbacks, for each SOC operating model.

Five Types of SOC Operating Models

1. Virtual Security Operations Center (vSOC)

Not every organization can afford a fully scaled and mature security operations center. A vSOC does not reside in a dedicated facility, and organizations that use this model usually lack a formal process and workflow for efficient detection and response. The maturity of this SOC model is very low: it is a reactive approach in which organizations rely mostly on available IT personnel to take action once an incident is discovered.

A vSOC is suited to smaller enterprises that have low security risk with infrequent incidents and lack the resources for a well-rounded security infrastructure or elaborate SOC tooling. Companies use their best efforts to review alerts generated by products such as firewalls and antivirus, or to periodically analyze critical logs in support of threat detection and response.

If you want to reduce your exposure but lack the budget and dedicated staff, download our white paper, How to Build a SOC with Limited Resources, for guidance on improving the effectiveness of your team.

2. Multifunction Security Operations Center

A Multifunction SOC has a dedicated team, facility, and infrastructure, and brings Internet of Things (IoT), operational technology (OT), industrial control systems (ICS), and sometimes a 24/7 network operations center (NOC) into scope for the SOC. The maturity of this model ranges from low to medium.

A Multifunction SOC is well suited to small to medium-sized enterprises (SMEs) with low-risk exposure that need to deliver multiple use cases from the same facility. Sharing resources between SOC and NOC is possible, but their incident management procedures can differ. Politics, budget, and process maturity levels can also lead to staff members doing multiple things, but none of them with the utmost efficiency. Gartner advises security leaders not to get distracted by this convergence, or it could undermine the mission of the SOC.

3. Hybrid Security Operations Center

A Hybrid SOC uses internal resources as well as outsourced services to help offset costs and gaps in coverage. One or more dedicated professionals are responsible for ongoing SOC operations, supported by semi-dedicated team members and third parties.

The maturity of a Hybrid SOC can range from low to very high depending on the infrastructure, processes, and expertise in place. Organizations can work with a variety of external providers to fill the gaps, such as a managed security service provider (MSSP), a managed detection and response (MDR) provider, a co-managed SIEM, or a specialist security consulting provider or systems integrator (SI).

The key drivers for adopting this model are the cost of 24/7 security operations, a lack of skills and expertise, and budget limitations. A Hybrid SOC is well suited to small to midsize enterprises, especially those already working with third parties. The model allows organizations to maintain security stability while improving internal operations, processes, and workflows over time.

If you’re interested in making improvements, start by evaluating your organization’s maturity level with LogRhythm’s Security Operations Maturity Model.

4. Dedicated Security Operations Center

A Dedicated SOC is a centralized SOC with its own facility, infrastructure, security team, IT support, and the resources necessary to run efficient daily security operations in house.

This SOC operating model ranges from medium to high maturity and is well suited to large global enterprises with sensitive data in dispersed locations. Companies typically use this model if they are at high risk or have stringent security requirements.

According to Gartner, large enterprises implement their own SOC when:

  • Governance issues prevent outsourcing
  • There are concerns about targeted threats
  • Knowledge about the business cannot be outsourced
  • The organization’s technology stack is not supported by third-party services

5. Command Security Operations Center

Large enterprises, service providers, and government agencies may have more than one SOC. When multiple SOCs must work together, the Command SOC manages and supports the other SOCs within the organization’s hierarchy. Rather than executing day-to-day operations, the Command SOC coordinates overall security intelligence, produces threat intelligence, and provides additional expertise for forensic investigations and threat analysis. The maturity of this SOC model is high to very high.

Gartner’s Recommendations for How to Choose a SOC Model

Building out a SOC is a huge endeavor, and every organization faces unique challenges that require tailored solutions and different SOC operating models.

When choosing a SOC model, Gartner suggests:

  1. First, develop the goals and metrics the SOC needs to deliver, aligned with business outcomes
  2. Secure a sustainable budget for the first two to three years of SOC operations
  3. Centralize personnel, either physically or virtually, and assign them as full-time or part-time
  4. Create repeatable and automatable processes and workflows, clearly defining who is in charge of what and when action should be taken, especially if a third party is involved
  5. Implement the SOC tools needed to meet security requirements (e.g., central log management (CLM), SIEM, SOAR, a security incident response platform (SIRP), or ITSM)
  6. Define the breadth and depth of your SOC’s scope

Regardless of the SOC model you implement, turnover among SOC analysts tends to be high. Gartner recommends developing a retention strategy from the very beginning so that staffing gaps do not overwhelm the process and workflow.

As you continue to plan your SOC strategy, read Gartner’s full report to guide you through the process and align you with the SOC operating model that best fits your needs.