FireEye Stories

Security Operations Centers: One Size Does Not Fit All

Operational efficiency is critical for any department of an organization. Experts across all industries and verticals theorize that the summation of departmental efficiencies creates efficiency for the entire organization at large. In cyber security, operational efficiency could mean the difference between an organization being breached or preventing one.

With so many security tools, people and processes to manage, the thought of creating or evolving a security operations center (SOC) may seem daunting. But those challenges shouldn't scare leaders away from taking a strategic approach to selecting the right SOC model for the organization.

A recent Gartner report, Selecting the Right SOC Model for Your Organization*, provides all the information that one might need when deciding on the best SOC model for their organization, such as:

  • The core elements of a SOC, including threat monitoring, detection and response
  • Why current capabilities need to expand past traditional SIEM (security information and event management) solutions
  • How to help security and risk management leaders identify the best SOC model for the organization

As a sneak peek, here is a list of the five primary operational SOC models discussed in the report, and what type of organization should consider them:

SOC Model: Virtual SOC
  • No dedicated facility
  • Part-time and geographically distributed team members
  • Reactive, activated when a critical alert or incident occurs
  • Primary model when fully delegated to an MSSP (managed security service provider)
Typical Adopter: Small to upper-midmarket organizations

SOC Model: Multifunction SOC/NOC
  • Dedicated facility with a dedicated team performing not just security, but some other critical 24/7 IT operations from the same facility to reduce costs
Typical Adopter: Small, midsize and low-risk large enterprises where network and security functions are already performed by the same, or an overlapping, group of people and teams

SOC Model: Hybrid SOC
  • Dedicated and semi-dedicated staff, either internally or externally
  • Security operations can be performed by the organization's internal staff 24 hours per day, 7 days a week; 8 hours per day, 5 days a week; or 8 hours per day, 7 days a week, with some responsibilities offloaded to an external provider
  • Control of processes and effectiveness will vary according to how much stays inside vs. how much goes to the external provider
Typical Adopter: Small to midsize enterprises

SOC Model: Dedicated SOC
  • Dedicated facility
  • Dedicated team
  • Fully in-house
  • 24/7 operations
Typical Adopter: Large enterprises, service providers, high-risk organizations

SOC Model: Command SOC
  • Coordinates other SOCs
  • Provides threat intelligence, situational awareness and additional expertise
  • Rarely directly involved in day-to-day operations
Typical Adopter: Very large enterprises and service providers, governments, military, intelligence

Learn more about the benefits of ONE security operations platform and how organizations can feel more secure in the cloud.

*Gartner, Selecting the Right SOC Model for Your Organization, 18 September 2018, Gorka Sadowski, Craig Lawson, Toby Bussa, Pete Shoard, Rajpreet Kaur, Mitchell Schneider