Security Operations Center (SOC)
A Security Operations Center (SOC) is the central hub for real-time monitoring, detection, and response to cybersecurity incidents. SOCs bring together people, processes, and technology—SIEM, EDR, SOAR—to detect and combat threats 24/7.
A Security Operations Center (SOC) is the "nerve center" of an organization's cybersecurity. SOC analysts continuously monitor security signals, investigate anomalies, and respond to incidents—ideally before an attacker can cause significant damage.
SOC Maturity Levels
Not every company needs a Tier 1/2/3 SOC with 50 analysts:
SOC Maturity Model:
Level 0 - No SOC:
→ No active monitoring, no centralized logs
→ Incidents are handled reactively after user reports
→ Risk: Average detection time > 200 days
Level 1 - Basic SOC (SIEM-based):
→ SIEM with standard use cases (Windows events, firewall, AD)
→ Alert triage by IT admins (no dedicated SOC team)
→ Business hours only
→ Suitable for: SMEs with up to 500 employees
Level 2 - Mature SOC:
→ Dedicated SOC analysts (Tier 1 + Tier 2)
→ Custom detection rules
→ IR playbooks for common scenarios
→ 24/7 operation (in-house or MSSP)
→ Threat hunting as a separate function
Level 3 - Advanced SOC:
→ Tier 3: Threat intelligence and proactive hunting
→ Red team integration (purple team exercises)
→ In-house malware analysis capabilities
→ Automation/orchestration via SOAR
→ Suitable for: KRITIS operators (German critical infrastructure), large corporations, high-value targets
SOC Technology Stack
Core technologies of a modern SOC:
SIEM (Security Information and Event Management):
Function: Log aggregation, correlation, alerting
Examples: Microsoft Sentinel, Splunk, Elastic SIEM, IBM QRadar
Data sources: Windows Events, Linux Syslog, Firewall, EDR, Cloud
EDR/XDR (Endpoint/Extended Detection and Response):
Function: Endpoint telemetry, behavioral analysis, automatic isolation
Examples: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint
SOAR (Security Orchestration, Automation, and Response):
Function: Automation of repetitive tasks (IP blocking, ticket creation)
Examples: Palo Alto XSOAR, Splunk SOAR, Microsoft Sentinel Automation
Threat Intelligence Platform (TIP):
Function: IOC management, threat feed integration
Examples: MISP (open source), ThreatConnect, Anomali
Vulnerability Management:
Function: Vulnerability inventory for context in alerts
Examples: Tenable Nessus, Qualys, Rapid7
SME Alternative: MSSP and MDR
For most German SMEs, maintaining their own 24/7 SOC is not economically viable:
Models for SME Security Monitoring:
MSSP (Managed Security Service Provider):
→ External provider handles SOC tasks
→ SLA: Alert response time < 15–30 minutes (24/7)
→ Costs: EUR 500–3,000/month (depending on number of endpoints and scope)
MDR (Managed Detection and Response):
→ Like MSSP, but with a more active IR component
→ MDR provider can isolate endpoints, remove threats
→ "We come to you" instead of "We send you alerts"
→ Recommended for SMEs without their own security team
Co-Managed SOC:
→ Company operates SIEM, MSSP provides analysts and expertise
→ More flexible than pure outsourcing
→ Internal knowledge building
SOC Metrics
A good SOC is measured by specific metrics:
- MTTD (Mean Time to Detect): Time from the start of an incident until it is detected - Target: < 24h
- MTTR (Mean Time to Respond): Time from detection until resolution - Target: < 1h to < 24h depending on severity
- False Positive Rate: Share of alerts that turn out to be false positives - Target: < 10%
- Alert Volume per Analyst: More than 100 alerts/day per analyst means a risk of burnout; automation is required
- Detection Coverage: Which MITRE ATT&CK tactics are detected?
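As an added illustration (not code from the original page), the metrics above are computed in Python over a constructed set of incidents, triaged alerts and SIEM use cases and checked against the targets listed; the per-severity split of the MTTR target, the rule names and all sample records are assumptions made for this example.

```python
from collections import Counter
from datetime import datetime as dt
from statistics import mean

# Enterprise ATT&CK tactics: the denominator for detection coverage.
ATTACK_TACTICS = ["Reconnaissance", "Resource Development", "Initial Access", "Execution", "Persistence",
                  "Privilege Escalation", "Defense Evasion", "Credential Access", "Discovery",
                  "Lateral Movement", "Collection", "Command and Control", "Exfiltration", "Impact"]
# Assumed split of the "< 1h to < 24h depending on severity" MTTR target.
MTTR_TARGET_H = {"high": 1, "medium": 24, "low": 24}

# Constructed sample incidents (not real SOC data): (first attacker activity, detected, resolved, severity).
INCIDENTS = [(dt(2024, 3, 1, 2, 0), dt(2024, 3, 1, 8, 0), dt(2024, 3, 1, 8, 45), "high"),
             (dt(2024, 3, 2, 10, 0), dt(2024, 3, 3, 4, 0), dt(2024, 3, 3, 22, 0), "medium")]
# Constructed triaged alerts: (analyst, day, was_true_positive).
ALERTS = [("tier1-a", "2024-03-01", True), ("tier1-a", "2024-03-01", False), ("tier1-a", "2024-03-02", True),
          ("tier1-b", "2024-03-01", True), ("tier1-b", "2024-03-02", True), ("tier1-b", "2024-03-02", True),
          ("tier1-b", "2024-03-02", True), ("tier1-b", "2024-03-03", True)]
# Constructed SIEM use cases -> ATT&CK tactic each one covers.
RULES = {"AD logon brute force": "Credential Access", "Office macro spawns shell": "Execution",
         "New scheduled task": "Persistence", "Workstation-to-server RDP": "Lateral Movement",
         "Large outbound transfer": "Exfiltration"}

def hours(later, earlier):
    return (later - earlier).total_seconds() / 3600
def mttd_hours(incidents=INCIDENTS):  # first attacker activity -> detection
    return mean(hours(detected, first) for first, detected, _, _ in incidents)
def mttr_hours(incidents=INCIDENTS, severity=None):  # detection -> resolution
    sel = [i for i in incidents if severity in (None, i[3])]
    return mean(hours(resolved, detected) for _, detected, resolved, _ in sel)
def false_positive_rate(alerts=ALERTS):
    return sum(not tp for _, _, tp in alerts) / len(alerts)
def max_alerts_per_analyst_day(alerts=ALERTS):  # peak daily load of any single analyst
    return max(Counter((analyst, day) for analyst, day, _ in alerts).values())

def detection_coverage(rules=RULES):
    covered = set(rules.values())
    return {"ratio": len(covered) / len(ATTACK_TACTICS),
            "missing": [t for t in ATTACK_TACTICS if t not in covered]}

def scorecard(incidents=INCIDENTS, alerts=ALERTS, rules=RULES):
    # Each metric paired with whether it meets the target from the list above.
    mttr_ok = all(mttr_hours(incidents, s) < MTTR_TARGET_H[s] for s in {i[3] for i in incidents})
    load, cov = max_alerts_per_analyst_day(alerts), detection_coverage(rules)
    return {"mttd_h": (mttd_hours(incidents), mttd_hours(incidents) < 24),
            "mttr_h": (mttr_hours(incidents), mttr_ok),
            "false_positive_rate": (false_positive_rate(alerts), false_positive_rate(alerts) < 0.10),
            "max_alerts_per_analyst_day": (load, load <= 100),
            "attack_coverage": (cov["ratio"], cov["missing"])}
```

With the constructed data the scorecard passes on MTTD, MTTR and analyst load, fails the false-positive target (1 of 8 alerts) and shows 9 of 14 ATT&CK tactics without any detection rule.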