The Gartner Security Operations Centre (SOC) Hybrid-Internal-Tiered (HIT) Model is something we have been working on for a while. It provides a foundational guide for organizations to determine a pertinent SOC model that aligns to their security operations needs and requirements. Contrary to popular belief, choosing a SOC model is not complex. There are three main types of SOC model:
This is the most common of the three core SOC models, and some may even say “every SOC is a hybrid SOC”. A hybrid SOC is a combination of internal and external resources that delivers a combined function to meet organizational needs. There is no framework for a hybrid model, nor is there a “right” or “wrong” way to implement it.
Hybrid SOCs can address a shortage and gap in the availability of skills and expertise. The considerable cost of 24/7 security operations is also a driver. It provides a speed to maturity that can rarely be achieved independently.
An internal SOC generally means your organisation owns and staffs a 24/7 centralized threat detection and response function, they have implemented robust processes and workflows to cope with the vast throughputs required. Even with internal SOCs some specialized functions may occasionally be outsourced — for example: technical testing (penetration test/red teams).
Internal SOCs are expensive and usually only well-funded organizations. Few can afford the numbers of personnel required for 24/7 coverage and the large array of security tool licenses. Sometimes circumstances force the hand of organisations in this regard; they may have sensitive environments, bespoke or complex needs, or regulatory requirements.
Some other factors that drive organizations to choose to build, implement and run their own SOCs are: concerns about a specific/targeted threat, the chosen internal technology stacks are not supported by third-party security services.
A tiered SOC model has multiple independently operated SOCs within the same organization. Synchronized by a top-tier (command or parent) SOC, to deliver unified threat detection and response. This is a hallmark of the needs of very large and/or distributed organizations, service providers, and those providing shared services (for example, government agencies).
Complex organisations with semi-independent sub organisations sometimes run multiple SOCs independently. This can be for various reasons, generally complex variations on the needs for an internal SOC. Its common for Tiered SOCs to work in unison, but managed hierarchically with one designated as the parent/command SOC.
The top-tier/parent or command SOC is responsible for functions such as: Leading and coordinating threat intelligence operations and reporting, and defining standard operating procedure for SOC processes and playbooks.