Gartner Blog Network


Arriving at a Modern SOC Model

by Augusto Barros  |  August 8, 2016  |  6 Comments

While writing our new (and exciting) research on “how to build a SOC”, we came to the conclusion that a modern SOC differs in some interesting ways from the plain vanilla SOC that most organizations have in place. In essence, the difference lies in the inclusion of Threat Intelligence and Hunting/Continuous IR activities alongside the usual monitoring and response work. A traditional SOC operates more or less like this:

[Figure soc_1: the traditional SOC model]

While the “newer” model looks something like this:

[Figure soc2: the modern SOC model, adding Threat Intelligence and Hunting/Continuous IR]

So far, this is not surprising or particularly exciting; it is just plain evolution. Things become more interesting when you start to work on guidance for organizations that are planning to build their (new) SOC right now. Should they plan to build it as a modern SOC from the start, or should they build a traditional SOC first and then move it to the modern model as it matures?

So far we haven’t seen substantial evidence to back either of those two options. I can see how “building it the right way” would make sense: you don’t want to waste resources planning and writing processes twice, and there is no point in building a less effective model when you know there is a better way to do things. But the modern model also requires more resources (people and tools). Some of those newer processes are also usually seen in organizations with mature security operations. Can they be performed by organizations that are not as mature? Do those processes actually work in immature organizations? This is a “do it right the first time” versus a “walk, then run” discussion.

Do you happen to have experience with a mature modern SOC? If so, how did you arrive there? Was it built like that or did it evolve from the traditional model? It would be even more interesting to hear from people with FAIL stories from one of those two approaches. Don’t be shy, let us hear your stories :-)

Category: incident-response  insights-and-philosophical  siem-and-log-management  threat-intelligence  

Tags: soc  

Augusto Barros
Research Director
1 year at Gartner
19 years IT Industry

Augusto Barros is Research Director in the Gartner for Technical Professionals (GTP) Security and Risk Management group.


Thoughts on Arriving at a Modern SOC Model


  1. Endre says:

    This doesn’t seem to be a modern SOC model. The picture (when available) depicts only a modification and extension of the old model.
    A paradigm shift is needed, moving from a roll back model to a roll forward model.
    Another crucial detail is how the threat hunting is used and when. In your model it seems to be applied too late, therefore cementing in a reactive mode instead of enabling pro-activity.

    • Augusto Barros says:

      Endre, not sure if I understand what you mean by a “roll forward” model.

      Also, note that there is no “order” to the process in that model, so hunting wouldn’t be applied too late; you don’t need to wait for detection or TI to arrive in order to hunt. Most of the time it will be based on TI (not necessarily IOCs), but it doesn’t have to be like that. It is a continuous process that is fed by and feeds the others, as the arrows indicate.

  2. Daniel says:

    Hi, the picture of the newer model is not displayed. After clicking the link, the file is not found.

  3. Thom Mitchell says:

    A next generation CSOC has automated Tier 1.

    Please read my forthcoming book “How to Build a Next Generation CSOC”.

  4. […] the work on our upcoming SOC paper and on the TI paper refresh winding down, we are preparing to start some exciting research in our […]

  5. […] anticipated here and here, our new paper about how to plan, design, operate and evolve a Security Operations Center […]




Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.