How next-gen SOCs will shape the future of cybersecurity
In the third episode of our Cybersecurity Awareness Month podcast series, we dive into the future of cybersecurity with a focus on next-generation Security Operations Centers (SOCs) with Murali Rao, Partner and Leader of Cybersecurity Consulting at EY India. With more than two decades of experience in cyber risk management, Murali shares insights on how SOCs are evolving with AI, machine learning, and advanced data architectures, enabling organizations to proactively defend against emerging threats. Tune in as we uncover the strategies and technologies shaping the next era of cybersecurity.
Pallavi: Welcome to season two of Cybersecurity Awareness Month podcast series, a segment of EY India Insights podcast that brings you insights from the leading minds in cybersecurity and data privacy. I am your host, Pallavi, and in today's episode, we will explore the future of cybersecurity with an emphasis on next-generation security operation centers. We are joined by Murali Rao, Partner and Leader of Cybersecurity Consulting at EY India, who is instrumental in fortifying EY’s cybersecurity presence across the region.
With over 24 years of experience in cyber risk management and cybersecurity defense, Murali has worked with businesses across India, the US and the UK. Prior to joining EY, he served as a general manager and global head of cybersecurity and resilience consulting. In addition to that, he was the head of cybersecurity ventures at a multinational technology company.
Murali, a very warm welcome to you, and thank you for joining us for this episode.
Murali Rao: Thank you, Pallavi. It is my pleasure.
Pallavi: To set the context for our listeners, could you explain what a next-generation security operation center (SOC) is and how it differs from the traditional security operation centers?
Murali Rao: A traditional SOC is defined by its choice of a Security Information and Event Management (SIEM) platform. The types of logs ingested, combined with various enterprise controls, are primarily aimed at ensuring compliance with regulatory requirements.
Over time, attacks on enterprises, their assets, and employees have escalated far beyond what anyone could have imagined. Today, almost every enterprise is under attack in some form. Often, they only become aware of it when they receive a ransom note, experience data exfiltration, or face a similar incident.
This raises important questions about the role of a next-generation SOC. What should its objective be? Is it merely to ensure compliance with regulators, or is it to defend and secure the enterprise? How proactive can organizations be in evolving their SOC capabilities?
The answer lies largely in the architecture of the SIEM. In recent years, new SIEM platforms and architectures have emerged, offering significant changes. Traditional SOCs are usually built on SIEMs that use a relational database management system (RDBMS) at the back end. However, RDBMS databases are designed for transactional purposes, not for analyzing large volumes of data. Organizations using SIEMs with RDBMS back ends must understand that this setup will limit scalability and hinder effective security monitoring.
So, the question becomes: what kind of data architecture should a SIEM have? This is a crucial topic for anyone considering a next-gen security operations center (SOC). It is essential to evaluate whether you have the right SIEM platform with the right data architecture. Can it scale? Can it ingest large volumes of data, including network traffic, applications, IT systems, and everything in the enterprise cloud?
What about its ability to correlate and analyze data? Is it limited to rule-based correlation, or does it support algorithm-based approaches, or perhaps a combination of both? Additionally, how flexible is the system in providing these capabilities?
Then there is the ability to respond. It is not just about the SOC; the more critical part of the response mechanism is your IT service management (ITSM) platform. Do you have a modern platform like ServiceNow, or are you using a legacy ITSM system? Does your ITSM platform have all the necessary resolver groups embedded, and are your processes well-defined to ensure timely and appropriate responses?
Another key aspect is automation. What automation capabilities does your new SOC platform offer? Can you create custom playbooks that directly interface with various technology platforms, whether it is a firewall, Endpoint Detection and Response (EDR), or an application? How flexible are those playbooks? These are critical considerations when deciding on an external SOC.
Above all, the most important factor is visibility. You can only defend and secure what you can see. A next-gen SOC must provide enhanced visibility, or you will be fighting blind. Defining a next-gen SOC based on these parameters is no simple task, as other factors come into play. We will talk about those as we move forward.
Pallavi: Thank you, Murali. What do you think needs to be done to bring in proactiveness instead of a SOC being just a reactive function?
Murali Rao: A proactive SOC should have the ability to scale, ingest, correlate, analyze, respond, automate, and continuously enhance its visibility. That is one aspect of being proactive.
The second part is understanding that a SOC is merely a reflection of what is happening in your enterprise. It is crucial to have the right controls in place—at the perimeter, on endpoints, in the data center, or in the cloud.
The question is: do I have the right controls? How effective and efficient are they? Another critical point is network architecture. Have I segmented my network properly? Are my assets in the right zones? When was the last time I reviewed this architecture?
Another important thing is that we grant privileges in the enterprise to various systems, servers, controls or applications. Do I have control over that? When was the last time that I reconciled the privileged rights granted to different people in the organization? Do I have control over this process? Am I revoking access effectively? Is there a method to the madness when it comes to granting and revoking such privileges? Do I have the right set of processes? Because it is critical that both human-to-human and human-to-tech handshakes are governed by the kind of vital processes present in the enterprise.
When was the last time we actually reviewed those processes and made adjustments in line with changes in the enterprise's business environment? Do I have skilled threat hunters? Threat hunting is an extremely critical function for a proactive SOC. Unless I can actively hunt for the various threats posed by bad actors on my enterprise or assets, I will not know what to defend or how frequently, or how effectively, to defend each asset.
Do I have the right visibility into my attack surfaces? Who is doing what in my enterprise? Am I constantly under attack? Is there anything in my enterprise that would attract the attention of bad actors or threat actors? Am I getting the right kind of visibility for all the assets in my enterprise? That is a very critical question.
Then, the most important question of all is: Am I monitoring the right data? If I am not monitoring the right data, a SOC will be rendered toothless. It is absolutely critical to monitor the right kind of data at the right time, using the right set of correlation rules and processes, with the right people.
So, a proactive SOC results from a proper and appropriate set of controls, a streamlined architecture, streamlined ETL (Extract, Transform, Load) processes, effective automation, appropriate analysis, proactive threat hunting, and constant discovery of threat surfaces within the enterprise. In essence, it is a combination of many factors involving the Chief Information Officer (CIO), Chief Risk Officer (CRO), Chief Data Officer (CDO), and Chief Information Security Officer (CISO). It is no longer just a CISO function.
Pallavi: Thank you, Murali. How do emerging technologies like artificial intelligence (AI) and machine learning play a role in the evolution of SOCs?
Murali Rao: One must understand that when enterprises invest in digital transformation programs—whether for CRM, sales, or other business-driven functions—they must ensure the data engineering is done appropriately. Today’s SOC must be engineered to leverage the data and systems developed through these digital transformation initiatives.
Moreover, today’s SOC must also harness the power and potential of artificial intelligence and machine learning. Data engineering and data pipeline management are absolutely critical to ensure and enhance the effectiveness, the efficiency, and the efficacy of the SOC functions. There are different machine learning models that can be exploited to build out the analysis and detective functions in the enterprise to reduce the stress on the people in the SOC.
There are agentic architectures which are emerging to reduce the human analysis to a bare minimum. Deep learning models need to be leveraged to bring in the ability to predict, which is extremely critical because we are constantly facing newer kind of threats on a day-to-day basis.
Pallavi: Thank you, Murali. Now, what is your opinion on the platformization pitch being brought by many vendors in the marketplace, and should enterprises really be adapting to it?
Murali Rao: Enterprises have always had an enterprise resource planning (ERP) system to manage manufacturing processes, inventory, and other functions. However, until now, there has not been a single platform to manage security effectively within the enterprise.
Platformization by a few vendors is now shaping the entire security function. Think of it as an ERP system, but for security lifecycle management. Just as platforms like SAP manage inventory, purchasing, or manufacturing lifecycles, platformization in security serves as an ERP for managing the security lifecycle in the enterprise.
While there are both advantages and disadvantages to platformization, what is critical is understanding that security decisions should no longer be the sole responsibility of the CISO. These decisions should align with the enterprise's cloud and data strategy. When there is a data platformization or digital transformation program, key stakeholders like the CIO, CRO, CEO, and CDO need to collaborate to make these decisions.
However, the CSO function is currently the owner of the entire decision at this particular point of time when it comes to a SOC, which should not be the case. Decision making on the next generation SOC or platformization should be in line with the enterprise’s cloud strategy, data strategy because it is absolutely critical that I make decisions involving the CIO, the CDO, the Enterprise Architect, the CISO as well, but in line with what is my enterprise cloud strategy. Ask yourself: where am I going to go three years from now or five years from now? What is my data strategy? How do I retain my data? How do I protect my data? All these are decisions which are intertwined with each other.
Platformization can give you a lot of simplification, but at the same time, it comes with vendor lock-in, and you will have a certain ability to futureproof yourself with respect to the quality of the controls, the type of controls, the efficacy of the controls. However, platformization is not a straight walk-in game. It needs buy-in and the ability to debate and make decisions along with various different stakeholders in the enterprise.
Is platformization good, or is it bad, or is it needed? Well, that depends upon each enterprise differently. While it may work for one enterprise, it may not work for another. It needs to be a well-thought-out decision as we move forward.
Pallavi: Considering the heavy investments in digital programs by enterprises today, do you feel that the current SOCs are equipped to protect them? If not, what changes should we be considering?
Murali Rao: When it comes to digital transformation or any digital program in an enterprise, a significant amount of debate occurs. Rightfully, the same kind of debate and decision-making
If enterprises are going to design SOCs that can effectively defend and secure them, it is absolutely critical that security by design, privacy by design, and trust by design are embedded in the data engineering lifecycle itself. Embedding security, privacy and protection related controls is absolutely critical at the right stage, at the right level in the organization.
Ensuring that the SOC has visibility into these digital environments is absolutely critical. But how to do it? You can only do it if you understand the kind and quality of data with which you are dealing. If you know that this data is absolutely critical to the enterprise, that it is critical from a regulatory standpoint, and that it is vital for demonstrating ethics and compliance in the marketplace, then appropriate controls—both from a privacy and security perspective—need to be embedded at the data engineering level itself. Protection, detection, monitoring, and response management controls must be designed, architected, and embedded at that level. Otherwise, the SOC cannot be effective; it will not be able to perform appropriately.
In essence, what we are talking about is the embedding of security, privacy, and trust into data engineering by design and by architecture, at that fundamental level, which needs to happen in enterprises today.
Pallavi: The human aspect has always been crucial. Can you share some insights on how the human element within the next-gen SOC is important and the importance of the skilled professionals in this field?
Murali Rao: This is something that is going to change drastically. Today, everyone realizes that the effectiveness of a SOC largely depends on how skilled its analysts are—whether they are level one, level two, or level three analysts. The expertise of these individuals directly impacts the SOC's effectiveness.
But in the coming days, we will completely move away from human dependency. There will be much less dependence on level one, two and three analysts. This is because a lot of it will be taken over by AI. The nature of the skillsets required in the SOC will completely change. We will move away from dumb analysts, who were just meant to follow a standard operating procedure, to intelligent, AI-driven agents who will take over that function completely and make these people redundant in the next few years.
That is how we see it moving, but the nature of the skillset required to run the next generation SOC will be completely different. We will need more programmers, data engineers, and data scientists embedded within the SOC. The traditional level one, two, and three analysts will become obsolete. New functions will emerge, requiring expertise in Python, JSON, KQL, and YARA programming. Managing training datasets will become part of day-to-day operations, and building and training algorithms will become an essential SOC function. Testing machine learning algorithms and agents will also become a core responsibility. The nature of a SOC, as it exists today, will likely undergo a complete transformation, potentially shifting 360 or even 720 degrees in the next two to three years.
It is important that everybody recognizes that this is the way the world is heading and that this is what is going to give us the kind of results and the kind of output that we all want from a SOC. And it is important that we start to harness these kinds of skillsets in the enterprise, and for everybody who runs a SOC today.
Pallavi: In terms of strategy, what do you believe companies should focus on to ensure that their SOC can withstand the constantly evolving threats in this landscape?
Murali Rao: The nature of threats is changing and will keep changing. This is because the nature of technologies is changing. When the nature of technology changes, the manifestation of threats will also change; and when the manifestation of threats changes, attack surfaces that were not exploited earlier will start to be exploited.
So, threats will, in essence, become more complicated. The ability to map and detect will become absolutely critical for the effective running of a SOC. The ability to detect and curate telemetry will become very important, and much of this will need to be done by AI.
What is most important is building the ability to predict. This will be one of the most defining aspects of tomorrow’s SOC or next-gen SOC. The constantly evolving threat landscape will need to be met with the effective use of artificial intelligence and various machine learning models, not only to analyze, correlate, and handle what is happening, but also to bring in the ability to predict and become more effective.
Pallavi: Looking ahead, how do you picture the SOC of the future and what trends do you think that the companies can keep an eye on?
Murali Rao: It is a combination of different things that I mentioned in the last few minutes. Number one, what is absolutely critical is that it should be a data-driven architecture. A SOC should be driven by data architecture. We need to do inline data pipeline management, cyber data pipeline management, cyber observability, along with network observability, IT observability, and application observability. Data observability is extremely critical for keeping an eye on whatever is happening across different assets in the enterprise.
Agentic architecture, driving analysis and threat hunting functions, is definitely going to emerge. GenAI is something that can be leveraged and exploited to automate everything—whether it is human-to-human, human-to-tech, or tech-to-tech handshakes occurring in an enterprise. These can be completely automated by leveraging GenAI.
The SOC also needs to build a function to auto-discover assets because, as I mentioned earlier, you are only as good as the visibility you have. If you do not have the right visibility, you are blinded. If you are blindsided, your ability to detect and analyze will decrease drastically.
So, one of the most critical functions in the SOC of the future is to ensure that there is an ability to auto-discover assets on an ongoing basis or auto-reconcile assets on an ongoing basis. What I foresee is that a data scientist with a team of data engineers and programmers will be the ones running the effectiveness, the efficiency and the efficacy of the SOC of the future in the coming days.
Pallavi: For organizations looking to build or upgrade to next-gen SOC, what would be your top recommendations?
Murali Rao: I have four to five recommendations. Number one, please consider redesigning and re-architecting your SOC. A SOC is no longer just about choosing a SIEM platform; it is about making data-driven decisions. The SOC is simply the eyes of your enterprise, but you must look beyond it and consider the other controls in the enterprise.
Leveraging technology is absolutely critical, but at the same time, you need to ensure that the technologies embedded in your enterprise are harmonious. They must be able to leverage data effectively so that decision-making can become a seamless, day-to-day function.
Pallavi: Before we let you go, for our cybersecurity enthusiasts and professionals who are listening, what skills and competencies are becoming essential in the context of next-gen SOCs?
Murali Rao: I think for a period of time, cybersecurity became a function where there was no place for programmers or those who could write logic. It was left to OEMs, who developed products catering to different functionalities.
Today, anyone looking to enter cybersecurity—or anyone already in the industry—needs to understand that knowledge of AI and machine learning is now a base-level skill for everyone in the cybersecurity function. Cyber data engineers are essential. Additionally, programming skills, whether in Python, JSON, KQL, YARA, or other query languages, have become fundamental and are now a baseline requirement.
Apart from the regular cybersecurity functions—such as ethical hacking, threat hunting, understanding controls, and familiarizing yourself with different technology platforms—what is new, critical, and can advance your career is the ability to integrate your cybersecurity skills with expertise in AI and machine learning. Additionally, proficiency in a couple of programming languages is essential. These are the skills that cybersecurity professionals or enthusiasts need to focus on moving forward.
Pallavi: Thank you, Murali. With that, we come to the end of this episode. Your insights have been invaluable in highlighting the critical role of next-gen SOCs in modern cybersecurity. We appreciate you taking the time to share your knowledge with us.
Murali Rao: Thank you very much, Pallavi. I hope everybody can make sense out of this, because many of the things that I articulated are absolutely critical as we move forward, and I would be happy to take any questions from anyone who may want to reach out to me. Thank you for this wonderful opportunity.
Pallavi: Thank you, Murali. Thank you to all our listeners for tuning in to today's episode. We hope you have gained a clear understanding of next-gen SOCs and their impact on cybersecurity. Do join us next time for more discussions on the latest topics in cybersecurity. Until then, stay informed and stay secure. This is Pallavi, signing off.