Blog post

Hybrid SOC Scenarios

By Anton Chuvakin | June 29, 2018 | 0 Comments


One more important angle we are exploring in our SOC paper update is about so-called “hybrid SOCs.” In our SOC materials, this admittedly nebulous term refers to a SOC that uses a substantial (as I warned … “nebulous”) amount of external services and/or uses them for critical functions (so an external coffee delivery service does not count). In slightly more clear terms, this is not a completely in-house SOC, but also not a “complete” (they never truly are complete) MSSP outsourcing arrangement, but something of a hybrid of both.

Now, you can say that every SOC uses some services today and in every MSSP arrangement the client retains control of some security ops functions (like, say, IR). Sure, of course, whatever. Maybe a hybrid SOC is like porn? You recognize it when you see it? In any case, we will figure the crisp definition later, but intuitively we get it.

So, in this post I wanted to “toss out and test” a few of the hybrid SOC models we have encountered. Are there more? What do you think of each? Did one work well for you? Perhaps one let you down?

  1. MSSP at night, your SOC for daytime/workdays – many seem to want it, but handoff and joint operations often get pretty tricky.
  2. MSSP for basic monitoring, advanced — in-house SOC – this seems attractive since commodity stuff gets outsourced, but where do you get the talent to do the advanced if you never did the basic.
  3. MSSP for perimeter/DMZ/web alerts, SOC for inside application/user monitoring – I rather like this model and seen it work well, it may sometimes break for the threats that show up on the perimeter first; also, it suffers from some of the talent challenges above
  4. Services help run your SIEM and other tools for your SOC – this is not truly a hybrid, but an example where services play a critical role in saving your SOC team from the boring tasks like SIEM maintenance (or: you can SaaS the SIEM)
  5. In-house SOC runs and uses a SIEM, but an MDR runs your EDR (typically the one with the name that rhymes with “trike”) – this has come up a few times and it seemed to work well, at least as a transition stage
  6. Some combination of the above.

Now, some may say that “MSSP for Level 1 alert triage, and Level 2+ in-house” is a hybrid model too, but IMHO it is not. It simply means “we use an MSSP.”

And, finally, when doing a hybrid SOC planning remember the classic saying [well, I said it and I kinda like it :-)]: “MSSP’s business is … business, not your security.”

Related blog posts for 2018 SOC research:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed