Categorize SOCs that are internal to the constituency into five organizational models of how the team is comprised,
1. Security team.
No standing incident detection or response capability exists. In the event of a computer security incident, resources are gathered (usually from within the constituency) to deal with the problem, reconstitute systems, and then 16 stands down.
Results can vary widely as there is no central watch or consistent pool of expertise, and processes for incident handling are usually poorly defined. Constituencies composed of fewer than 1,000 users or IPs usually fall into this category.
2. Internal distributed SOC.
A standing SOC exists but is primarily composed of individuals whose organizational position is outside the SOC and whose primary job is IT or security related but not necessarily CND related.
One person or a small group is responsible for coordinating security operations, but the heavy lifting is carried out by individuals who are matrixed in from other organizations. SOCs supporting a small- to medium-sized constituency, perhaps 500 to 5,000 users or IPs, often fall into this category.
3. Internal centralized SOC.
A dedicated team of IT and cybersecurity professionals comprise a standing CND capability, providing ongoing services.
The resources and the authorities necessary to sustain the day-to-day network defense mission exist in a formally recognized entity, usually with its own budget. This team reports to a SOC manager who is responsible for overseeing the CND program for the constituency. Most SOCs fall into this category, typically serving constituencies ranging from 5,000 to 100,000 users or IP addresses.
4. Internal combined distributed and centralized SOC.
The Security Operations Center is composed of both a central team (as with internal centralized SOCs) and resources from elsewhere in the constituency (as with internal distributed SOCs). Individuals supporting CND operations outside of the main SOC are not recognized as a separate and distinct SOC entity.
For larger constituencies, this model strikes a balance between having a coherent, synchronized team and maintaining an understanding of edge IT assets and enclaves. SOCs with constituencies in the 25,000–500,000 user/IP range may pursue this approach, especially if their constituency is geographically distributed or they serve a highly heterogeneous computing environment.
5. Coordinating SOC.
The SOC mediates and facilitates CND activities between multiple subordinate distinct SOCs, typically for a large constituency, perhaps measured in the millions of users or IP addresses.
A coordinating SOC usually provides consulting services to a constituency that can be quite diverse.
It typically does not have active or comprehensive visibility down to the end host and most often has limited authority over its constituency.
Coordinating SOCs often serve as distribution hubs for cyber intel, best practices, and training. They also can offer analysis and forensics services, when requested by subordinate SOCs.