Gartner Reprint https://www.gartner.com/doc/reprints?id=1-2C6FPM26&ct=230103&st=sb

Licensed for Distribution

SOC Model Guide


Published 19 October 2021 - ID G00754096 - 12 min read

By John Collins, Mitchell Schneider, and 1 more

Selecting the appropriate security operations center (SOC) model is challenging, and choosing the
wrong SOC model can lead to a poor security posture, increased risk and overextended security
teams. Security and risk management leaders should use this guide to identify which model
aligns to their needs.

Overview
Key Findings
■ Security operations center (SOC) requirements are often underscoped and misaligned across the
organization, resulting in dissatisfaction with the performance of the SOC function.

■ Failure to recognize the differences between SOC model options leads organizations to select
an antiquated or custom-made implementation that does not meet their security objectives.

■ Operating a SOC in a linear or static manner without accounting for changes in organizational
requirements and/or the threat landscape results in SOC degradation.

Recommendations
Security and risk management leaders should make sure that their security operations center
model selection process is able to:

■ Assess IT architecture roadmaps, staffing, processes and business priorities to determine the
right SOC model.

■ Utilize the Gartner Hybrid-Internal-Tiered (HIT) SOC Model Guide to identify a model that most
closely aligns to the requirements and needs of the organization.

■ Continuously assess the SOC model to enable identification of necessary adjustments based
on changing business needs, use cases, available resources, risks, threat landscapes and
environmental factors.

Strategic Planning Assumptions

By 2025, 90% of SOCs in the G2000 will use a hybrid model by outsourcing at least 50% of the
operational workload.

By 2025, 33% of organizations that currently have internal security functions will attempt and fail
to build an effective internal SOC due to resource constraints, such as lack of budget, expertise
and staffing.

Introduction
The predominant perception of a SOC model involves a physical location with centralized
operations guided by a broad, industry-accepted framework for how a SOC is supposed to
function. This image is antiquated and no longer applicable to the modern SOC (see How to Build
and Operate a Modern Security Operations Center), particularly in a post-COVID-19 world. Security
and risk management (SRM) leaders realized, via a forcing function, that they can deliver security
operations (SecOps) and SOC functions without a physical location and with nonstandard
methods and processes. The security industry must also realize that there is no one right SOC
model for operating or delivering modern SOC functions. SOCs vary according to their mission and
goals, which are influenced by characteristics such as risk tolerance, the vertical in which the
organization operates, level of maturity, skills and expertise, processes and procedures, tooling
employed and, where external security services are used, how those services are leveraged. A
modern SOC model (see Figure 1) is whatever a client needs it to be, in various permutations, to
deliver focused threat detection and response capabilities driven by business risks and priorities.
The threat landscape has consistently evolved faster than defenders can keep pace, and the rapid
change brought about by digital transformation has widened that lag. A modern SOC will not
succeed with rigid model labels that dictate that a SOC can only be a part-time function, hybrid
with a provider, internal only or multi-SOC tiered. A modern SOC model provides the flexibility to
cover any permutation of those SOC models and allows SRM leaders and the business to change
as needed.

Figure 1. Modern SOC Model Example

Analysis
Gartner defines a SOC as an organizational function that has the responsibility for managing
processes designed for identifying, investigating and remediating security incidents; it may or
may not be a fixed entity or a dedicated team, and may involve resources from across an
organization who are not solely dedicated to security operations. SOCs are principally focused on
IT-based security, but can also include functions that manage other areas such as physical
security and fraud. SOCs do not own every element of security processes, but are responsible for
identifying security issues and incidents, coordinating across several organizational
departments to manage security responses, recording and measuring these processes and
informing effective security policy.

Assess IT Architecture Roadmaps, Staffing, Processes and Business Priorities to Determine the
Right SOC Model
The permutations of security operations needs are extensive, which means that what works for one
entity is unlikely to be the best answer for another. Factors like time to maturity, budget and
available skills will affect the decision on which model is necessary. Utilize the guidance found in
Quick Answer: Insourced, Hybrid or Outsourced? Find the Best Security Operations Center
Approach for You to assist with timeline needs, skill level requirements and budget alignment.

Every organization needs a reality check that forces it to ask: “How many security functions are we really capable of doing in-house effectively?”

Building and operating a SOC is a journey with no final end state, which means that the
organization’s needs will inevitably evolve over time. Changes in company direction, digital
transformation initiatives, cloud providers, security leadership and/or their strategy, as well as the
threat landscape will have a direct impact on the SOC’s mission and how it is accomplished. A
complex or fully mature SOC is a goal, not something viable at the beginning of the process. It is
not advisable to immediately build or outsource a complex SOC without prior experience with
such an operation, and certainly not if foundational SOC processes are not established. For
example, building a threat-hunting practice is absurd if the organization has no incident response
playbooks in place, or cannot perform basic threat detection and correlation.

Security leaders need to work with the business and stakeholders to inventory current security
operation capabilities, skills, processes and tools and determine where the gaps are. Read Create
an SOC Target Operating Model to Drive Success or leverage the SOC matrix shown in Figure 2 to
help map out current SOC capabilities, what is the desired or future state, and what is absolutely
off the table.

Figure 2. SOC Capabilities Matrix

It is important to build a SOC based on business needs to ensure that all stakeholders realize
value from the effort. Defining business priorities and understanding limitations will provide clarity
to select the appropriate model in the next step.

Use the Gartner SOC HIT Model

The Gartner SOC Hybrid-Internal-Tiered (HIT) Model provides a foundational guide for
organizations to determine a pertinent SOC model that aligns to the needs and requirements
discussed earlier. It is not necessary to make SOC models into a complex topic, nor for them to
have a multitude of form factors. Any version of a SOC model can be aligned to one of three core
types.

Hybrid

This is the most diverse of the three core SOC models, and it is arguably the most widely
implemented by organizations across different regions globally. A hybrid SOC is a combination of
internal and external resources that delivers a combined SOC function to meet organizational
needs. There is no framework for a hybrid model, nor is there a “right” or “wrong” way to
implement it because of its flexibility. Figure 3 is an example of a hybrid SOC model that
outsources some functions to a provider while retaining what the example organization assessed
it could handle internally.

Figure 3. Hybrid SOC Example

A hybrid model usually employs a managed security service (MSS), managed detection and
response (MDR) or a managed/co-managed SIEM (COMSIEM) provider. A considerable number of
Gartner clients outsource threat intelligence and threat-hunting operations to third-party providers
because of the unique requirements and skills those functions demand. This model can also include
a combined network operations center (NOC) and SOC function (sometimes called a multifunction
SOC) with its own requirements and operations, detailed in When Should a SOC Include NOC
Functions and Responsibilities? Organizations may converge NOC and SOC functions while still
using service providers, either the same provider for managed network services (MNS) and
security services, or separate providers.

The important things to consider before converging SOC and NOC functions, however, are:

1. Would the benefits outweigh the costs?

2. Would it help achieve tighter synergies across the organization?

The hybrid SOC model can reduce the cost of 24/7 operations. Therefore, it is well-suited not only
for small to midsize enterprises, which in most cases are working extensively with third parties
(see Midmarket Context: ‘Selecting the Right SOC Model for Your Organization’), but also for larger
organizations and mature SOCs that can selectively outsource some security services. Adoption
of this model is driven by a shortage and gap in the availability of skills, expertise and staffing,
general budget constraints, and the considerable cost of 24/7 security operations.

Internal

The defining attribute of an internal SOC is to have a 24/7 centralized threat detection and
response function, with a dedicated team and robust processes and workflows. It is self-
contained, possessing all of the resources required for continuous day-to-day security operations.
Some specialized functions may occasionally be outsourced — like technical testing (penetration
test/red team), reverse engineering malware or using external threat intelligence sources — but
the core SOC functions and daily operations are delivered exclusively by an internal team.

Internal SOCs are usually suited for well-funded organizations that can afford at least 10-12
personnel for 24/7 coverage (three shifts a day, seven days a week, is 168 staffed hours per week
for every analyst seat, before leave, training and attrition are accounted for), and that have a large
array of security tool licenses and a library of comprehensive processes and playbooks. Additional
factors may include sensitive environments, complex use cases, and high-risk or high-security
requirements.

Organizations choose to build, implement and run their own SOCs when:

■ Laws, regulations or governance issues prevent the outsourcing option.

■ There are concerns about a specific/targeted threat.

■ Specialized expertise and knowledge about the business cannot be outsourced.

■ The organization’s technology stack is not supported by third-party security services.

Tiered

A tiered SOC model has multiple independently operated SOCs within the same organization that
are synchronized by a top-tier (command or parent) SOC, to deliver unified threat detection and
response.

Very large and/or distributed organizations (those that have regional offices with operating
independence), service providers offering MSSs, and those providing shared services (for
example, government agencies) may have more than one SOC under their purview. Where these
SOCs are required to run autonomously, they will function as centralized or distributed SOCs. In
some instances, the SOCs will work together, but must be managed hierarchically. In those cases,
one SOC should be designated as the parent or command SOC.

The top-tier SOC is responsible for:

■ Leading and coordinating threat intelligence operations and reporting.

■ Incident commander responsibilities.

■ Defining standard operating procedure for SOC process and playbooks.

■ Setting technology standards across all SOCs (for example, SIEM, EDR and NDR).

Continuously Assess the Adopted SOC Model

History shows that a SOC’s functions and scope will also evolve and/or expand, given the
inevitable changes to the threat landscape, and the needs, available resources, use cases and
requirements of an organization. For example, due to the COVID-19 pandemic, many organizations
had to adopt new security technologies and processes, acquire and/or develop talent to support
security operations remotely, and/or hire external service providers to help fill in any gaps (see
Embrace Remote Security Operations). The adopted SOC model must be continuously assessed
and evaluated to ensure it stays aligned with the organization’s goals and objectives, and is
maintained at an efficient and successful operating level. Table 1 provides some example
questions and actions to take for assessing the SOC’s model and efficiency.

Frequently assess SOC (people, processes and technology) capabilities to determine whether it is
performing in accordance with the SOC charter and the SOC target operating model for which it
was designed.

Such assessment and testing includes, but is not limited to:

■ Penetration testing (identifies and exploits vulnerabilities and misconfigurations, and is noisy).

■ Red team exercises (stealthily assesses and tests the organization’s defenses, including
prevention, detection and response).

■ Purple team exercises (a form of red teaming, but performing the security testing in a more
collaborative model, facilitating communication and lessons learned in real-time).

■ Breach and attack simulation solutions (run attack simulations to identify security gaps and
validate that currently deployed security controls are working effectively).

■ Ability to mitigate risks and threats identified by the business.

■ Continuous threat assessments to ensure focus is put on the right solutions, skills and
processes to mitigate risks.

See Using Penetration Testing and Red Teams to Assess and Improve Security and Quick Answer:
What Are the Top Use Cases for Breach and Attack Simulation Technology? for further insights on
security testing options.

Testing allows the SOC to be kept up-to-date, ensures the ability to prevent, detect and respond to
modern and emerging threats, and makes the necessary adjustments in order to align to existing
resources, risk tolerances and available security technology and service needs.

Table 1: Example Questions and Actions to Ask When Assessing the SOC’s Model and Efficiency

Question to ask: Is the SOC mission still aligned to the business risk?
How to answer: Maintain a relationship and communication with business and risk leaders to keep
the SOC aligned to any changes in perceived threats and risk to the business.

Question to ask: How do we know if our tools are capable of detecting the latest tactics, techniques
and procedures?
How to answer: Utilize breach and attack simulation technologies for continuous testing of existing
tools and continue to leverage human-led technical testing engagements such as red teaming,
penetration testing and purple team testing.

Question to ask: Is the SOC addressing the current threat landscape?
How to answer: Perform continuous threat assessments of the organization and leverage threat
intelligence to maintain visibility and understanding of the what, why, how, when, and maybe the
who.

Question to ask: How do we measure SOC effectiveness?
How to answer: Maintain the course to reach the SOC target operating model (SOCTOM) goals and
measure the SOC’s ability to improve threat detection, investigation and response over time.

Source: Gartner (October 2021)

A decision matrix makes it easier to track and manage regular assessments of the SOC model and
to adjust the operational model as and when required. Identify the issues or challenges the
organization faces, or the ambitions of the security team to increase or outsource capabilities (see
the example in Figure 4). Use the positions of the key issues to decide on the most effective SOC
model for your organization at this time. Rerun the exercise regularly, introducing newly identified
issues, to confirm that you still have the most effective model or to decide whether to switch to a
model that better fits your organization’s evolved needs.

Figure 4. SOC Model Decision Matrix

Evidence

This research is based on client inquiry and existing Gartner research.

© 2023 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc.
and its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior
written permission. It consists of the opinions of Gartner's research organization, which should not be construed
as statements of fact. While the information contained in this publication has been obtained from sources
believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such
information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or
investment advice and its research should not be construed or used as such. Your access and use of this
publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and
objectivity. Its research is produced independently by its research organization without input or influence from
any third party. For further information, see "Guiding Principles on Independence and Objectivity."
