IT Central Station is now PeerSpot: Here's why

What types of Security Operations Center (SOC) deployment models do exist?

Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)

Hi infosec professionals,

Which deployment model should an enterprise organization choose and in which case?

Thank you!

PeerSpot user
33 Answers

reviewer1331706 - PeerSpot reviewer
Top 5LeaderboardReal User

There are many variations for a Security Operations Centre. depending on the organisation's data center, configurations, and setup you will need a different organisation. To give a good answer, we would need more information. eg.

- Do you have your own data centre from which you host applications? Or do you use the public cloud for your applications? More likely probably a mix between own datacentre, and public cloud services.

- If using the cloud, do you have SAAS, PAAS subscription, or do you use only IAAS?


In more general, I believe that for any organisation you will need a multi-layer approach towards SOC. And depending on the setup, you will normally need specialized teams to focus on a particular aspect of security, e.g team for vulnerability management, Team for Network security. Team for e.g DDOS prevention etc. Some of those services you can use external companies, as they are specialized, e.g. with regards to DDOS, you have a couple of companies, that can provide pretty good service to detect, alert and mitigate attacks, like DDOS towards your organisation. 

The minimum that you always need for a SOC, is a centralized team, that can act as a central entity in case of a security issue. E.g take control, take action directly. This SOC will generally collect, information from the different specialized teams, monitor the overall security. And will define and delegate required actions to the right teams, being it network security, patch management, Firewall teams. External services, like virus scanning, etc. 

And as the other answers give ideas, you can build this multi-layer soc, based on outsourcing, in-house, or virtual teams. My personal preference would be at least an in-house central team, in-house, because, in case of critical security events, you will need management involvement, to make decisions, this works faster and more efficient in general when you have an internal team. 

Further, I would recommend for specific security types to use external services,e g. for DDOS, email/ virus scanning you have a number of really good organisations that can cost-effectively product your enterprise, cost-effectively. They do normally see security threats earlier than an in-house team, due to the fact that they are monitoring more organisations, and as such can inform/protect organisation that is not yet impacted. Normally they are specialized, and better equipped, prepared, then one can build within their own organisation, cost-effectively.

So to summarize I would suggest:

1) use a small, effective centralized soc, that has access and mandate from management to act quickly. which will ensure a quick response in case necessary.

2)  Make use of external services, for specific security protections.

3) Ensure a multi-layer internal SOC structure that can tap into the use of the experts within your organization to be effective end2end for your enterprise organization.

4) Most importantly, educate users, and teams, and perform internal audits, build up awareness, policies, procedures, expert knowledge, etc.

Shibu Babuchandran - PeerSpot reviewer
ExpertModeratorReal User

We can have multiple SOC models depending on the requirement and budget :

Dedicated or Internal SOC

The enterprise sets up its own cybersecurity team within its workforce. If you decide to run your own dedicated SOC, you’ll need the personnel and expertise to fulfill all SOC job roles from manager down to analyst.

Virtual SOC

The security team does not have a dedicated facility and often works remotely. Under a virtual SOC model, the SOC manager role becomes even more critical in terms of coordinating individuals across multiple locations.

Global or Command SOC

A high-level group that oversees smaller SOCs across a large region. Large, globally-distributed organizations often favor the global SOC model as it allows them to implement strategic initiatives and standardize procedures down to the threat hunter and analyst levels.

Co-Managed SOC

The enterprise’s internal IT is tightly coupled with an outsourced vendor to manage cybersecurity needs jointly. This is one of the most cost-effective models, as you won’t have to employ every role and can work with your partner’s compliance auditor to ensure proper procedures.

Jairo Willian Pereira - PeerSpot reviewer
Top 5LeaderboardReal User

I´m not sure about the answer, but I'll try...

Insourcing or outsourcing, partial or full MSS, Beginner, Intermediate or Professional (based on your maturity with subject/controls), SOC or BOC (Business Operation Center) - when you attack business IoC/IoT), on-premises or PaaS...

Here you can find others tips:

Buyer's Guide
Network Monitoring Software
July 2022
Find out what your peers are saying about Zabbix, Datadog, SolarWinds and others in Network Monitoring Software. Updated: July 2022.
610,336 professionals have used our research since 2012.