
Licensed for Distribution

SOC Model Guide


FOUNDATIONAL Refreshed 5 April 2023, Published 19 October 2021 - ID G00754096 - 12 min read

By John Collins, Mitchell Schneider, and 1 more

Selecting the appropriate security operation center model is challenging; choosing the wrong SOC model can lead to
a poor security posture, increased risk, and overexerted security teams. Security and risk management leaders should
use this guide to identify which model aligns to their needs.

Overview
Key Findings
Security operation center (SOC) requirements are often underscoped and misaligned across the organization, resulting in dissatisfaction with
the performance of the SOC function.

Failure to recognize the differences between different SOC model options forces organizations to select an antiquated or custom-made
implementation that does not meet security objectives.

Operating a SOC in a linear or static manner without accounting for changes in organizational requirements and/or the threat landscape
results in SOC degradation.
Recommendations
Security and risk management leaders should make sure that their security operation center model selection process is able to:

Assess IT architecture roadmaps, staffing, processes and business priorities to determine the right SOC model.

Utilize the Gartner Hybrid-Internal-Tiered (HIT) SOC Model Guide to identify a model that most closely aligns to the requirements and needs of
the organization.

Continuously assess the SOC model to enable identification of necessary adjustments based on changing business needs, use cases,
available resources, risks, threat landscapes and environmental factors.

Strategic Planning Assumptions


By 2025, 90% of SOCs in the G2000 will use a hybrid model by outsourcing at least 50% of the operational workload.

By 2025, 33% of organizations that currently have internal security functions will attempt and fail to build an effective internal SOC due to
resource constraints, such as lack of budget, expertise and staffing.

Introduction
The predominant perception of a SOC model involves a physical location with centralized operations guided by a broad, industry-accepted
framework for how a SOC is supposed to function. This image is antiquated and no longer applicable to the modern SOC (see How to Build and
Operate a Modern Security Operations Center), particularly in a post-COVID-19 world. Security and risk management (SRM) leaders realized, via
a forcing function, that they can deliver security operations (SecOps) and SOC functions without a physical location and with nonstandard
methods and processes. The security industry must also realize there is no one right SOC model for operating or delivering modern SOC functions.
SOCs vary according to their mission and goals, which are influenced by characteristics such as their risk tolerance, the vertical in which they
operate, level of maturity, skills and expertise, processes and procedures, tooling employed and how security services are leveraged, if they are
used at all. A modern SOC model (see Figure 1) is whatever a client needs it to be, in various permutations, to deliver focused threat detection
and response capabilities driven by business risks and priorities. The threat landscape has consistently evolved faster than defenders can keep
pace, and the rapid change brought about by digital transformation has increased the lag exponentially. A modern SOC will not succeed with rigid
model labels that dictate that a SOC can only be a part-time function, hybrid with a provider, internal only or multi-SOC tiered. A modern SOC
model provides the flexibility to cover any permutation of those SOC models and allows SRM leaders and the business to change as needed.

Figure 1. Modern SOC Model Example


Analysis
Gartner defines a SOC as an organizational function that has the responsibility for managing processes designed for identifying,
investigating and remediating security incidents; it may or may not be a fixed entity or a dedicated team, and may involve resources from across
an organization who are not solely dedicated to security operations. SOCs are principally focused on IT-based security, but can also include
functions that manage other areas such as physical security and fraud. SOCs do not own every element of security processes, but are
responsible for identifying security issues and incidents and coordinating across several organizational departments to manage security
responses, recording and measuring these processes and informing effective security policy.

Assess IT Architecture Roadmaps, Staffing, Processes and Business Priorities to Determine the Right SOC Model
The permutations of security operation needs are extensive, which means that what works for one entity is unlikely to be the best answer for
another. Factors like time to maturity, budget and available skills will affect the decision on which model is necessary. Utilize the guidance
found in Quick Answer: Insourced, Hybrid or Outsourced? Find the Best Security Operations Center Approach for You to assist with timeline
needs, skill level requirements and budget alignment.

Every organization needs a reality check that forces it to ask: “How many security functions are we really capable
of doing in-house effectively?”

Building and operating a SOC is a journey with no final end state, which means that the organization’s needs will inevitably evolve over time.
Changes in company direction, digital transformation initiatives, cloud providers, security leadership and/or their strategy, as well as the threat
landscape will have a direct impact on the SOC’s mission and how it is accomplished. A complex or fully mature SOC is a goal, not something
viable at the beginning of the process. It is not advisable to immediately build or outsource a complex SOC without prior experience with such an
operation, and certainly not if foundational SOC processes are not established. For example, building a threat-hunting practice is absurd if the
organization has no incident response playbooks in place, or cannot perform basic threat detection and correlation.
Security leaders need to work with the business and stakeholders to inventory current security operation capabilities, skills, processes and tools
and determine where the gaps are. Read Create an SOC Target Operating Model to Drive Success or leverage the SOC matrix shown in Figure 2
to help map out current SOC capabilities, what is the desired or future state, and what is absolutely off the table.

Figure 2. SOC Capabilities Matrix


It is important to build a SOC based on business needs to ensure that all stakeholders realize value from the effort. Defining business priorities
and understanding limitations will provide clarity to select the appropriate model in the next step.

Use the Gartner SOC HIT Model


The Gartner SOC Hybrid-Internal-Tiered (HIT) Model provides a foundational guide for organizations to determine a pertinent SOC model that
aligns to the needs and requirements discussed earlier. It is not necessary to make SOC models into a complex topic, nor for them to have a
multitude of form factors. Any version of a SOC model can be aligned to one of three core types.

Hybrid
This is the most diverse of the three core SOC models, and it is arguably the most widely implemented by organizations across different regions
globally. A hybrid SOC is a combination of internal and external resources that delivers a combined SOC function to meet organizational needs.
There is no framework for a hybrid model, nor is there a “right” or “wrong” way to implement it because of its flexibility. Figure 3 is an example of
a hybrid SOC model that outsources some functions to a provider while retaining what the example organization assessed it could handle
internally.

Figure 3. Hybrid SOC Example


A hybrid model usually employs a managed security service (MSS), managed detection and response (MDR) or a managed/co-managed SIEM
(COMSIEM) provider. A considerable number of Gartner clients outsource threat intelligence and threat-hunting operations to third-party
providers due to the unique requirements and skills required for success. This model can also include a hybrid network operation center (NOC)
and SOC function (sometimes called a multifunction SOC) with unique requirements and operations, detailed in When Should a SOC Include
NOC Functions and Responsibilities? In some cases, organizations may do this, while leveraging service providers, whether using the same
provider for managed network services (MNSs) and security services, or using separate providers.

The important things to consider before converging SOC and NOC functions, however, are:

1. Would the benefits outweigh the costs?

2. Would it help achieve tighter synergies across the organization?

The hybrid SOC model can reduce the cost of 24/7 operations. Therefore, it is well-suited not only for small to midsize enterprises, which in most
cases are working extensively with third parties (see Midmarket Context: ‘Selecting the Right SOC Model for Your Organization’), but also for
larger organizations and mature SOCs that can selectively outsource some security services. Adoption of this model is driven by a shortage and
gap in the availability of skills, expertise and staffing, general budget constraints, and the considerable cost of 24/7 security operations.

Internal
The defining attribute of an internal SOC is to have a 24/7 centralized threat detection and response function, with a dedicated team and robust
processes and workflows. It is self-contained, possessing all of the resources required for continuous day-to-day security operations. Some
specialized functions may occasionally be outsourced — like technical testing (penetration test/red team), reverse engineering malware or using
external threat intelligence sources — but the core SOC functions and daily operations are delivered exclusively by an internal team.

Internal SOCs are usually suited for well-funded organizations that can afford at least 10-12 personnel for 24/7 coverage, and that have a large
array of security tool licenses and a library of comprehensive processes and playbooks. Additional factors may include sensitive environments,
complex use cases, and high-risk or high-security requirements.
Organizations choose to build, implement and run their own SOCs when:

Laws, regulations or governance issues prevent the outsourcing option.

There are concerns about a specific/targeted threat.

Specialized expertise and knowledge about the business cannot be outsourced.

The organization’s technology stack is not supported by third-party security services.

Tiered
A tiered SOC model has multiple independently operated SOCs within the same organization that are synchronized by a top-tier (command or
parent) SOC, to deliver unified threat detection and response.

Very large and/or distributed organizations (those that have regional offices with operating independence), service providers offering MSSs, and
those providing shared services (for example, government agencies) may have more than one SOC under their purview. Where these SOCs are
required to run autonomously, they will function as centralized or distributed SOCs. In some instances, the SOCs will work together, but must be
managed hierarchically. In those cases, one SOC should be designated as the parent or command SOC.

The top-tier SOC is responsible for:

Leading and coordinating threat intelligence operations and reporting.

Incident commander responsibilities.

Defining standard operating procedure for SOC process and playbooks.

Setting technology standards across all SOCs (for example, SIEM, EDR and NDR).

Continuously Assess the Adopted SOC Model


History shows that a SOC’s functions and scope will also evolve and/or expand, given the inevitable changes to the threat landscape, and the
needs, available resources, use cases and requirements of an organization. For example, due to the COVID-19 pandemic, many organizations
had to adopt new security technologies and processes, acquire and/or develop talent to support security operations remotely, and/or hire
external service providers to help fill in any gaps (see Embrace Remote Security Operations). The adopted SOC model must be continuously
assessed and evaluated to ensure it is aligning to the organization’s goals and objectives, and maintained at an efficient and successful
operating level. Table 1 provides some example questions and actions to take for assessing the SOC’s model and efficiency.

Frequently assess SOC capabilities (people, processes and technology) to determine whether the SOC is performing in accordance with the SOC
charter and the SOC target operating model for which it was designed.

Such assessment and testing includes, but is not limited to:

Penetration testing (identifies and exploits vulnerabilities and misconfigurations, and is noisy).

Red team exercises (stealthily assesses and tests the organization’s defenses, including prevention, detection and response).

Purple team exercises (a form of red teaming, but performing the security testing in a more collaborative model, facilitating communication
and lessons learned in real-time).

Breach and attack simulation solutions (runs attack simulations to identify security gaps and validate that currently deployed security controls
are working efficiently).

Ability to mitigate risks and threats identified by the business.

Continuous threat assessments to ensure focus is put on the right solutions, skills and processes to mitigate risks.

See Using Penetration Testing and Red Teams to Assess and Improve Security and Quick Answer: What Are the Top Use Cases for Breach and
Attack Simulation Technology? for further insights on security testing options.

Testing allows the SOC to be kept up-to-date, ensures the ability to prevent, detect and respond to modern and emerging threats, and makes the
necessary adjustments in order to align to existing resources, risk tolerances and available security technology and service needs.
Table 1: Example Questions and Actions to Ask When Assessing the SOC’s Model and Efficiency

Question to ask: Is the SOC mission still aligned to the business risk?
How to answer: Maintain a relationship and communication with business and risk leaders to keep the SOC aligned to any changes in perceived
threats and risk to the business.

Question to ask: How do we know if our tools are capable of detecting the latest tactics, techniques and procedures?
How to answer: Utilize breach and attack simulation technologies for continuous testing of existing tools, and continue to leverage human-led
technical testing engagements such as red teaming, penetration testing and purple team testing.

Question to ask: Is the SOC addressing the current threat landscape?
How to answer: Perform continuous threat assessments of the organization and leverage threat intelligence to maintain visibility and
understanding of the what, why, how, when, and maybe the who.

Question to ask: How do we measure SOC effectiveness?
How to answer: Maintain the course to reach SOCTOM goals and measure the SOC’s ability to improve threat detection, investigation and
response over time.

Source: Gartner (October 2021)

A decision matrix makes it easier to track and manage regular assessments of the SOC model and to make necessary adjustments to your
operational model as and when required. Identify the issues or challenges the organization faces, or the ambitions of the security team to
increase or outsource capabilities (see the example in Figure 4). Use the positions of the key issues to decide on the most effective SOC model
for your organization at this time. Regularly rerun the exercise, introducing newly identified issues, to confirm that you still have the most
effective model or to determine whether a different model has become more appropriate because your organizational needs have evolved.

Figure 4. SOC Model Decision Matrix


Evidence
This research is based on client inquiry and existing Gartner research.

© 2023 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be
reproduced or distributed in any form without Gartner's prior written permission. It consists of the opinions of Gartner's research organization, which should not be
construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all
warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not
provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s
Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without
input or influence from any third party. For further information, see "Guiding Principles on Independence and Objectivity." Gartner research may not be used as input
into or for the training or development of generative artificial intelligence, machine learning, algorithms, software, or related technologies.
