Blog post

About The Tri-Team Model of SOC, CIRT, “Threat Something”

By Anton Chuvakin | July 07, 2016 | 2 Comments

threat intelligenceSOCsecurity

From the clients with THE MOST mature security operations, we learn the so-called “tri-team” model for detection and response:

  1. SOC – primarily monitoring and threat detection in near real-time, and of course alert triage.
  2. CSIRT – security incident response
  3. “Threat something” (no standard name: we heard “theat fusion center”, “threat management center’’”, “threat intelligence team” and many others)profile threat actors, organize and refine threat intelligence, create internal intel, hunt, etc [in a few cases, in fact, the intel creation and hunting teams were separate too, or hunting was with the CSIRT above]

This model allows for a clean, logical separation – but also collaboration! – between detection/monitoring, response and intelligence functions. It also seems to align well with the skills of the analysts hired for each function (e.g. ex-intel agency people fit into #3). Of course, there are many, many tricks to making it work in real life, and having a 9-digit security budget helps a lot too….

P.S. This post is clearly for:

sec ops maturity-marker hi

Blog posts related to threat intelligence:

Comments are closed


  • Joe Oney says:

    Anton, I agree with this setup, but one aspect that has to be completely flushed out is a formal communication channel like an ISAC, not just between the holy trinity setup you’ve proposed, but also with the internal customers of the business.

    • Thanks for the comment. In this model, the “threat team” is the most likely part that interacts with ISACs and sharing communities, but of course all teams benefit from that.