SOC and SIEM: what a Security Operations Center is and how 24/7 detection works

Resposta direta

A SOC (Security Operations Center) is the team and set of processes that monitor, detect, investigate and respond to cyber threats around the clock. The SIEM is the central platform that collects and correlates logs from across the infrastructure to generate alerts. Effective detection combines SIEM, EDR/XDR, NDR and SOAR with well-tuned rules. Decripte runs a managed 24/7 SOC with a critical-incident containment SLA of up to 1 hour.

Principais conclusões

  • A SOC is the combination of people, processes and technology that monitors, detects and responds to threats 24/7 — the location is secondary; continuous operation is what defines it.
  • The detection stack has distinct roles: the SIEM correlates logs and detects, EDR/XDR give endpoint and cloud visibility, NDR covers the network and what has no agent, and SOAR orchestrates and automates the response.
  • MTTD and MTTR define the attacker's dwell time. Since intrusions progress in hours, 24/7 monitoring and response with a containment SLA (not just notification) are decisive.
  • MSSP forwards alerts; MDR actively contains the threat. For fintechs and startups, the managed MDR model delivers a mature operation in weeks with predictable cost.
  • Identical technology yields opposite results depending on the operation: continuous tuning, coverage mapped against MITRE ATT&CK and proactive threat hunting are what separate an effective SOC from a noise generator.
  • Decripte runs a managed 24/7 SOC in an MDR model, with a critical-incident containment SLA of up to 1 hour.

What a SOC (Security Operations Center) is and what it does

A SOC (Security Operations Center) is the organizational function responsible for continuously monitoring the technology environment, detecting malicious activity, investigating alerts and coordinating incident response. It can be a physical room with analysts, a distributed team or a service managed by a third party, but what defines it is not the location: it is the combination of people, processes and technology operating without interruption to shorten the time between the start of an attack and its containment.

A SOC's responsibilities are organized into tiers. Tier 1 (triage) receives alerts from the SIEM and detection tools, discards false positives and escalates what is relevant. Tier 2 (investigation) performs in-depth analysis, correlates events, determines the scope of the compromise and initiates containment. Tier 3 (threat hunting and advanced detection) hunts for threats that slipped past automated controls, develops new detection rules and handles complex incident response. Above them, the SOC Manager governs SLAs, metrics and escalation.

In practice, a SOC performs four core functions: continuous (24/7) monitoring of logs and telemetry; alert detection and triage; investigation and initial forensic analysis; and response and containment, isolating hosts, blocking accounts or IPs and activating the incident response plan. Supporting functions include vulnerability management, threat intelligence and the continuous tuning of detection rules, which is what separates an effective SOC from a noise generator.

For fintechs, crypto exchanges and startups that handle sensitive data or move money, the SOC is the control that turns detection into a real operation rather than a tool's promise. Frameworks such as the NIST CSF 2.0 (Detect and Respond functions) and MITRE ATT&CK structure what a SOC must cover: mapping known adversary techniques and ensuring each one has detection coverage. Decripte runs a managed 24/7 SOC with a critical-incident containment SLA of up to 1 hour.

SIEM, EDR/XDR, NDR and SOAR: the detection and response stack

The SIEM (Security Information and Event Management) is the SOC's central platform. It collects logs and events from practically the entire infrastructure — servers, firewalls, identity, cloud, applications — normalizes that data into a common format and applies correlation rules to generate alerts. The value of a SIEM lies in correlation: events that look benign in isolation (a login outside business hours, followed by privilege escalation and access to a database) become, together, an indicator of compromise. Common examples include Microsoft Sentinel, Splunk, Elastic SIEM and Wazuh.

EDR (Endpoint Detection and Response) installs an agent on endpoints — laptops, servers, workstations — and captures telemetry on processes, commands, network connections and file changes. Unlike traditional signature-based antivirus, EDR detects malicious behavior (for example, a legitimate Office process spawning a shell) and enables response on the host itself: isolating the machine from the network, killing processes or reverting changes. XDR (Extended Detection and Response) extends this logic beyond the endpoint, unifying telemetry from email, identity, cloud and network into a single platform for detection and cross-layer correlation.

NDR (Network Detection and Response) analyzes network traffic — including flow metadata and, where possible, content — to detect lateral movement, data exfiltration, command-and-control (C2) and unmanaged devices that EDR cannot see. It is the layer that covers what has no agent: IoT, legacy devices, ephemeral containers and machine-to-machine traffic.

SOAR (Security Orchestration, Automation and Response) is the automation and orchestration layer. It receives alerts from the SIEM and the other tools and runs playbooks: enriching an alert with threat intelligence, opening a ticket, blocking an IP on the firewall, disabling a compromised account or isolating a host — all automatically or semi-automatically. SOAR cuts response time from minutes to seconds on repetitive actions and frees analysts for investigation. To sum up the stack: the SIEM correlates and detects, EDR/XDR and NDR provide deep visibility into endpoints and the network, and SOAR orchestrates and automates the response.

MTTD, MTTR and why time is the metric that matters

Two metrics govern a SOC's effectiveness: MTTD (Mean Time To Detect) and MTTR (Mean Time To Respond, or To Remediate). MTTD measures how much time passes between the start of malicious activity and the moment the SOC identifies it. MTTR measures the time between detection and the effective containment or eradication of the threat. Together, they define how long an attacker stays loose inside the environment — the so-called dwell time.

Time matters because modern attacks are fast. After initial access, ransomware operators and intrusion groups frequently carry out lateral movement and privilege escalation within hours. The 'breakout time' — the interval between the initial compromise and the first lateral movement — can be under an hour in the more agile campaigns. This means an MTTD measured in days or weeks, common in environments without 24/7 monitoring, practically guarantees the attacker will achieve their objectives before any reaction.

Reducing MTTD depends on detection coverage (mapping MITRE ATT&CK techniques to active rules), telemetry quality and continuous monitoring — detecting something at 3 a.m. is useless if no one is on duty. Reducing MTTR depends on clear playbooks, automation via SOAR and the authority to act (isolate hosts, block accounts) without waiting for approvals that cost hours. A mature SOC continuously measures and improves both metrics.

That is why Decripte works with a critical-incident containment SLA of up to 1 hour: the commitment is not merely to 'alert', but to contain. For fintechs and exchanges, every minute of dwell time translates directly into financial risk, exposure of customer data and regulatory exposure before the Central Bank and the LGPD.

In-house vs outsourced SOC (MSSP/MDR): cost, scale and SLA

Building an in-house SOC requires 24/7 coverage, which in practice means a minimum of eight to twelve analysts to guarantee shifts, time off and seniority levels — plus SIEM, EDR and threat intelligence licenses, and detection engineers to maintain the rules. For most fintechs and startups, the annual cost easily reaches millions before the first alert is even investigated. An in-house SOC makes sense when there is scale, regulatory requirements that mandate internal operation, or a need for deep, exclusive knowledge of the business.

The outsourced model splits into two concepts that are often confused. An MSSP (Managed Security Service Provider) manages and monitors security tools, typically focused on keeping the SIEM running and forwarding alerts — the customer usually remains responsible for investigating and responding. An MDR (Managed Detection and Response) goes further: it delivers detection, investigation and active response as a service, with analysts who actually contain the threat on the customer's behalf, including actions such as isolating hosts and blocking accounts.

The core trade-offs are cost, scale and speed of deployment. The managed model (MDR) delivers a mature 24/7 operation in weeks, with predictable cost and immediate access to experienced analysts and threat intelligence shared across clients — something hard to replicate internally. An in-house SOC offers full control and maximum contextual knowledge, at the price of ramp-up time (12 to 24 months) and high fixed expense. Many organizations adopt a hybrid model: a small internal team for business context, backed by an MDR for 24/7 coverage and response.

When evaluating a provider, the decisive criterion is the response SLA — not the notification one. 'Alerting in 15 minutes' means nothing if containment takes days. Verify whether the contract covers detection, investigation AND active response, what the containment SLA is for critical incidents, and whether the provider acts in the environment or merely reports. Decripte runs a managed 24/7 SOC in an MDR model, with a critical-incident containment SLA of up to 1 hour.

Proactive threat hunting and detection use cases

Threat hunting is the proactive, hypothesis-driven search for threats that escaped automated detection controls. Instead of waiting for an alert, the hunter starts from a hypothesis — for example, 'an attacker may be using native system tools (living-off-the-land) for lateral movement' — and investigates the telemetry looking for evidence. It is the answer to the fact that no rule covers 100% of techniques, and that sophisticated adversaries design their attacks precisely to avoid triggering alerts.

Effective hunts are structured around MITRE ATT&CK, which catalogs real adversary tactics and techniques. The hunter selects techniques relevant to the organization's threat profile (for example, T1003 — credential dumping, or T1071 — C2 over application-layer protocols) and checks whether there is detection coverage and whether there are signs of use. When a hunt finds a gap, it becomes a new detection rule — threat hunting continuously feeds and improves automated detection.

Concrete detection use cases a SOC keeps active include: anomalous authentication (impossible-travel logins, brute force, MFA fatigue); suspicious endpoint execution (obfuscated PowerShell, Office processes spawning shells, persistence via scheduled tasks); lateral movement (anomalous PsExec use, RDP between workstations, credential abuse); exfiltration (anomalous outbound data volumes, uploads to non-corporate destinations); and cloud identity behavior (access key creation, IAM policy changes, access to sensitive buckets).

For fintechs and exchanges, business-specific detections are as important as the generic ones: transaction patterns outside the expected, anomalous access to custody systems or wallets, and changes to anti-fraud controls. A SOC that knows the customer's domain builds tailored detections — exactly the kind of coverage that generic monitoring based only on out-of-the-box rules does not deliver.

False positives and why tuning defines a SOC's value

A false positive is an alert that flags malicious activity where there is none. They are a SOC's biggest operational enemy: when most alerts are noise, analysts develop alert fatigue and start treating everything with less rigor — increasing the risk that the true alert, lost in the noise, goes uninvestigated. In many immature SOCs, the overwhelming majority of alerts are dismissed as false positives, which makes the operation expensive and dangerously inattentive.

Tuning is the continuous process of adjusting rules, thresholds and exception lists so that the SIEM and detection tools generate high-fidelity alerts. This includes suppressing known legitimate behaviors (an authorized vulnerability scanner should not trigger a scan alert), adjusting thresholds (how many login failures constitute brute force in that environment), enriching alerts with context (is this IP from a known partner?) and retiring rules that only generate noise. Tuning is not a one-off deployment task: it is permanent detection-engineering work.

That is why technology alone does not deliver security. Two customers can buy the same SIEM and the same EDR and get opposite results — the difference lies in the operation: the quality of tuning, the detection coverage mapped against MITRE ATT&CK, the response playbooks and the competence of the analysts. A SOC's value is measured by the signal-to-noise ratio of its alerts and by the speed with which it acts on the real ones.

At Decripte, tuning is treated as a discipline of continuous engineering: every recurring false positive is an opportunity to refine a rule, and every real incident becomes a lesson that improves future detection. It is this finely tuned operation — not the brand of the tool — that sustains the critical-incident containment SLA of up to 1 hour.

Passo a passo

  1. Define the scope and critical assets: map systems, sensitive data and risk surfaces (custody, anti-fraud, identity, cloud) and prioritize detection coverage starting from what matters most to the business.
  2. Centralize log and telemetry collection: deploy a SIEM and integrate essential sources — identity, firewalls, servers, cloud, applications and endpoints — normalizing the data for correlation.
  3. Deploy deep visibility: roll out EDR/XDR on endpoints and servers and add NDR to cover network traffic, agentless devices and lateral movement.
  4. Map detections against MITRE ATT&CK: identify the techniques relevant to your threat profile and ensure each one has an active detection rule, closing coverage gaps.
  5. Write response playbooks and automate with SOAR: define clear actions for each incident type (isolate host, block account, contain IP) and automate the repetitive ones to reduce MTTR.
  6. Establish 24/7 monitoring and SLAs: ensure uninterrupted coverage — in-house, MDR or hybrid — with a containment SLA for critical incidents, not just notification.
  7. Continuously tune and hunt threats: refine rules to eliminate false positives, run proactive hypothesis-driven threat hunting and turn every incident into an improvement in future detection.

Perguntas frequentes

What is a SOC?

A SOC (Security Operations Center) is the team, processes and technology that continuously monitor an IT environment to detect, investigate and respond to cyber threats. It operates in tiers (triage, investigation and threat hunting) and runs 24/7 to shorten the time between the start of an attack and its containment. It can be in-house or outsourced as a managed service (MDR).

What is the difference between SIEM and SOAR?

The SIEM (Security Information and Event Management) collects, normalizes and correlates logs from across the infrastructure to detect suspicious activity and generate alerts. SOAR (Security Orchestration, Automation and Response) receives those alerts and runs automated response playbooks — enriching, blocking IPs, isolating hosts, disabling accounts. In short: the SIEM detects and SOAR orchestrates and automates the response. They are complementary layers of the same stack.

What is the difference between EDR and XDR?

EDR (Endpoint Detection and Response) monitors and responds to threats at the endpoint level — laptops, servers and workstations — capturing telemetry on processes, commands and connections. XDR (Extended Detection and Response) extends that detection beyond the endpoint, unifying telemetry from email, identity, cloud and network into a single platform, enabling cross-layer correlation that standalone EDR cannot see.

What are MTTD and MTTR?

MTTD (Mean Time To Detect) is the average time between the start of malicious activity and its detection by the SOC. MTTR (Mean Time To Respond/Remediate) is the average time between detection and the containment or eradication of the threat. Together they determine dwell time — how long the attacker stays in the environment. Since attacks progress in hours, reducing both metrics is a SOC's central objective.

Is it worth outsourcing the SOC?

For most fintechs and startups, yes. Building an in-house 24/7 SOC requires eight to twelve analysts plus SIEM, EDR and threat intelligence licenses, with an annual cost in the millions and a 12-to-24-month ramp-up. A managed MDR service delivers a mature 24/7 operation in weeks, predictable cost and active response. The decisive criterion is the containment SLA (not just notification) for critical incidents.

What is the difference between MSSP and MDR?

An MSSP (Managed Security Service Provider) manages and monitors security tools and forwards alerts, leaving investigation and response to the customer. An MDR (Managed Detection and Response) delivers detection, investigation and active response as a service — the analysts actually contain the threat on the customer's behalf, isolating hosts and blocking accounts. MDR is the right model for those who want containment, not just notification.

Want a managed 24x7 SOC with SIEM, EDR/XDR and threat hunting?

Decripte runs a 24x7 SOC with detection and response, reducing threat detection and containment times.