
How to transform your Security Operations Center (SOC), powered by Microsoft Azure Sentinel and Microsoft 365 Defender

Helping to solve today’s biggest cybersecurity monitoring and response challenges

EY Cybersecurity Managed Service
Today’s biggest cybersecurity monitoring and response challenges

At EY, our mission is to provide our clients with the latest futureproof security capabilities and solutions.

As businesses continue to leverage digitalization and cloud adoption to open themselves up for new business opportunities, executive leaders are now facing more challenges than ever before.

Cybersecurity threats are aggressively evolving. Cyber attackers today are patient, persistent and sophisticated, and able to quickly deploy new attack tools and methods. It is imperative that SOCs keep pace by focusing on priority threats and leveraging the detection and response capabilities available to them.

Enterprises across all sectors face an evolving cyber threat landscape. Work has gone beyond the desk, under the impact of COVID-19. The cloud environment enables the ability to scale vertically and horizontally according to business needs. As a result, we now have a faster workforce to complete tasks, generate ideas and innovate, as well as to identify and respond to problems and opportunities at a faster rate.

Challenges that these trends bring are:

• Expanded IT landscape: lack of visibility and attack surface increase
• Users, devices, applications and data are moving outside of the enterprise perimeter and zone of control
• “Trust but verify” is no longer an option as targeted, advanced threats are moving inside the corporate perimeter
• Shadow IT and data leakage (operational agility)
• It is easy to procure the use of a cloud solution or service to fulfill a need, regardless of organizational policies, processes or security requirements
• Traditional perimeters are complex and are no longer compatible with today’s business models
• Continuous stream of threats and attacks (constant and seamless connectivity)
• Threats can originate, and are to be expected, from any place, any device and any entity
• Increase in volume and velocity of data that needs to be analyzed in real time
• Near-real-time or real-time response expected (culture of speed)
• Activities that are reliant on manual or human interventions are hindered by the lack of resources
• Large volumes of data need to be analyzed in real time to produce and predict responses and execute actions
• Accuracy of insights (acceptable and intelligent services)
• Intelligence is reliant on the quality of the available data and log feeds
• Rule-based correlation engines are insufficient to analyze large amounts of data in real time and churn it into accurate intelligence and actionable insights

26% of organizations reported that their most significant breaches in the past year were not discovered by their SOC.1

The main reason for security monitoring is that monitoring controls and solutions enable businesses to identify vulnerabilities and threats. They therefore mitigate the overall threat landscape in their environment by reacting and responding proactively to potential attacks with the correct measures.

Nevertheless, for executive leaders, the challenge is not just selecting a security monitoring solution, but also identifying which of the solutions in the market have the capabilities to meet most of the business needs and technical requirements, with questions such as: Should we choose an on-site or a cloud solution? And most importantly, do we have the skills and capabilities to handle the challenges of operating the solution, or should we look for a managed service?

However, these questions are not necessarily easy to answer. In general, most of the existing solutions have proven to be expensive, with limited scalability, a lack of skilled resources to operate them and limited capabilities to handle incidents appropriately.

1 EY Global Information Security Survey 2020 (www.ey.com/GISS)
Introducing Microsoft Azure Sentinel

A leading cloud-native security monitoring solution

Azure Sentinel is one of the first security information and event management (SIEM) and security orchestration, automation and response (SOAR) solutions in the market that leverages two of the biggest technology trends — big data and cloud systems. It represents the next generation for threat- and risk-based security monitoring and management services, utilizing intelligent security analytics for the entire enterprise.

Unlike traditional on-premises monitoring solutions, the cloud capability of Azure Sentinel makes the solution a serverless technology, which allows operators to integrate all enterprise applications easily, regardless of their physical geographical location. Even mobile devices can be connected and constantly monitored. The nature of cloud systems also allows for virtually unlimited scalability in terms of computational power and storage capacity.

Similarly, Azure Sentinel uses machine learning (ML) capabilities to integrate and analyze different data sources, such as network traffic, identities and other log sources, in order to find relevant relationships between them and provide accurate insight into potential threats. These ML capabilities enable Azure Sentinel to be a futureproof solution due to its scalable data processing capacity, which is not regularly seen in traditional monitoring solutions.

Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting and threat response. Its capabilities help:

1. Collect data at cloud scale across all users, devices, applications and infrastructure
2. Detect previously undetected threats and minimize false positives using artificial intelligence (AI) and ML analytics
3. Investigate threats with AI, user interface (UI) and hunting for suspicious activities at scale, tapping into years of cybersecurity work at Microsoft
4. Respond to incidents rapidly with built-in orchestration and automation of common tasks

[Figure: Azure Sentinel, cloud-native SIEM + SOAR. Collect: security data across your enterprise; Detect: threats with vast threat intelligence; Investigate: critical incidents guided by AI; Respond: rapidly and automate protection]
Why EY services can support you across the entire Azure Sentinel life cycle

EY Cybersecurity and Microsoft are expanding their strategic alliance to develop, integrate and bring to market enhanced cyber defense solutions to help enable clients to better detect, investigate and respond to cyber threats.

Our service is to establish an advanced cyber intelligence and automation platform for innovation that can assist you to automatically discover “advanced attack patterns” and proactively strengthen your protection capability.

Our vision sets out how to effectively drive your detection and response capabilities in order to organically strengthen your defense capability within your organization. To realize our vision, we help with the following measures:

• Discover all security anomalies with a high degree of accuracy while ensuring near-zero false positives
• Evolve the detection and response capabilities in an agile manner through adaptive cyber analytics and ML techniques to defend against an ever-changing threat environment
• Respond to security alerts within seconds instead of days through security automation and orchestration
• Hunt for security anomalies with a hypothesis that the environment is compromised, to pre-empt the attackers
• Deliver efficient end-to-end detection and response capabilities to proactively enhance the protection capability, leveraging advanced emerging technologies
• Enable and implement a number of use cases, with minimum changes required in the current IT landscape
• Integrate with the existing SOC — generally, there is no need for a change in the existing SOC function as Azure Sentinel can be integrated at any level

The capabilities of Azure Sentinel go beyond what is stated above. As the importance of operational technology (OT) security and the usage of IoT devices and their integration with cloud solutions continue to grow, Azure Sentinel’s integration capabilities also cover that by leveraging the Azure IoT Hub and Azure Defender for IoT.

EY’s cybersecurity mission is to provide clients with the latest futureproof security capabilities and solutions that enable them to boost trust in their systems, networks and data flows while staying up to date with the emerging cyber threats. EY provides a portfolio of cybersecurity services as managed services as shown below:

[Figure: EY Managed Services wheel, with segments for Cloud, Analytics, Threat detection and response, Digital identity, Information technology, IoT, Automation, Intelligence, Operating technologies, Data protection and Threat exposure management]

Benefits to you:

• Performance: Activate a cloud-based approach that propels and aligns every part of your business. We will help you use the cloud and other digital technologies to enable greater employee collaboration, deliver tangible outcomes faster and create programs that drive business performance
• Trusted capabilities: Confidently grow your business around sound digital capabilities and a trusted, compliant cloud platform as you adapt to today’s highly regulated world. We will help you predict, monitor and manage risks while also advancing business growth and transformation on the Microsoft Azure cloud platform
• Sustainable results: Stay agile and adaptable for long-term success with scalable programs and cloud technologies. Our strong, strategic consultation and flexible digital technologies can help drive repeatable enterprise programs that can scale with your goals and sustain your business for years to come
What’s next? Accelerate a unique blend of cybersecurity and intelligent solutions

EY and Microsoft are merging strengths to increase the added value by helping clients:

• Overcome the challenge of shortage of resources and know-how required for the configuration and management of the solution
• Reduce the total cost of ownership and simplify technology
• Increase the return on investment on security controls in upcoming years
• Provide sector-specific resources with the required knowledge and multidisciplinary experience
• Develop a tailored delivery model in order to meet each client-specific need
• And most importantly, support clients in futureproofing and help them securely navigate this transformative age

EY can expand your IT SOC by analyzing security events generated by Microsoft security solutions and platforms as well as third-party sources. In addition, it can complement such an analysis with Microsoft Global Threat Intelligence insights to prioritize SOC actions.

Data sources:
• Office 365
• OneDrive
• Cloud infrastructure
• Domain Name System (DNS)
• Cloud app
• Endpoints

Azure Sentinel (Collect | Detect | Investigate | Respond):
• Security events analytics
• Threat intelligence
• Incident response
• Sandbox
• AI behavior analytics

Security Operations Center (L1 SOC analysts | L2–3 SOC analysts):
• Traditional SIEM
• Vulnerability identification
We have created an effective approach to fulfill the security challenges of each of our clients with Azure Sentinel, as explained in the schema below.

Architecture and configuration
• Onboard Azure Sentinel from the Azure portal
• Connect to data sources either through Azure, on-premises or third-party software implementation

Enablement
• Design security architecture
• Leverage built-in workbooks or create new ones to provide you with analytics for data logs and queries, as well as dashboards

Detecting threats
• Create custom analytic rules to detect suspicious threats, backed by an experienced EY team
• Search for the types of threats and anomalies that are suspicious in your environment
• Get notified right away, so that you can triage, investigate and remediate the threats

Automating threat responses
• Set up automated threat responses in Azure Sentinel, backed by an experienced EY team
• Select the alert for which you want to automate the response (e.g., a playbook that at runtime blocks the user and blocks the IP)

Optimizing and stabilizing
• Fine-tune policy and governance needs as required
• Review additional security considerations
• Address business continuity and backup or recovery considerations
• Monitor usage and identify opportunities to improve

In our view, an effective SOC needs to understand your business, your digital road map, your existing and future technology environment as well as the business risks associated with it. We understand your business risks and the link to your digital agenda. With the unique teaming among EY’s regional teams, our own SOC delivery centers and Microsoft, we can focus on understanding your business, your business risk and your IT environment to provide you with a holistic SOC service. This will enable you to make informed strategic and executive decisions on the basis of inherently linking cyber threats and security monitoring to your business services and processes.

With the new threats induced by the adoption of cloud, mobility and digitalization, transition smoothly from your existing capability by bringing the strength of EY managed services and Microsoft services to your SOC transformation journey. This will accelerate the go-live of strong SOC capabilities that meet your expectations and deliver an operating model allowing you to:

1. Provide a complete set of advanced services through the Microsoft Defender suite, enhancing your detection and response capabilities and bringing a 360-degree view of your assets wherever located, covering:
• Network behavior anomaly detection (NBAD)
• Endpoint detection and response (EDR)
• Logs from main security components
• Critical chains or applications logs

2. Enhance the standard library of use cases with specific business risk-centric use cases to cover:
• New technical threats
• Critical business chains or applications
• Sectorial threats

3. Implement advanced services aiming at:
• Faster detection and containment of attacks
• High-touch service linked to business context
• Reduced false positives and more insight (increased visibility)
• Reduced risk of attacks, with quality outcome

4. Provide a full managed service or hybrid collaborative operating model, leveraging Microsoft cloud-native SOC infrastructure accessible to all teams involved anywhere, with the ability to tailor the level of visibility, supported by strong processes and highly skilled teams
EY and Microsoft ecosystems will support your SOC transformation by bringing detection and response capabilities over your global security posture by:

• Relying on your existing capabilities, enhanced with coverage of all your cloud assets
• Consolidating your SOC landscape even if heterogeneous solutions are used
• Bringing all the strength of Microsoft Azure Sentinel with a very proactive approach

Our services cover a full process scope from monitoring, identifying, analyzing and responding to conducting research and development of potential and actual threats. Key areas will include:

• Round-the-clock security monitoring and analytics
• Cyber threat intelligence
• SOAR capabilities bringing playbook automation, collaborative workspace and workflow, and response automation, relying on analytics capabilities
• Proactive threat hunting
• Incident response and remediation
• Forensics and investigation
• Strong and clear governance model
• Dynamic online dashboards and reporting
• Continuous improvement of detection capability and the overall service

Figure 2 further explains EY’s effective approach at tackling our clients’ most pressing security challenges with Azure Sentinel.

Figure 2: EY’s effective approach to provide Managed Services to clients

SOC program (4 weeks)
• Understand the IT landscape including security devices, servers and network devices
• Understand the network and security architecture of the application infrastructure
• Understand regulatory, compliance and log retention requirements
• Understand additional IT-enabled controls and other policies that would be monitored
• Identify potential blackspots in the environment

Design and architecture (6 weeks)
• Design log collection and deployment architecture
• Finalize the server, storage and bandwidth requirements for efficient log collection
• Identify additional apps that may be required for meeting regulatory and compliance requirements
• Finalize correlation rules required, considering the regulator, compliance and threat landscape

Implementation and tuning (10 weeks)
• Configure users and user roles
• Collect and integrate threat intelligence feeds from various external and reliable sources
• Configure threat intelligence sources (Internet Protocol (IP) addresses, domains, indicators of compromise (IOCs))
• Configure and customize real-time event severity, asset priority and correlation rules
• Review alerts generated and false positives from the generated alerts

SOC Managed Services (4 weeks)
• Conduct real-time event analysis and correlation
• Identify potential security incidents
• Conduct incident validation and notification
• Understand preliminary incident response
• Provide round-the-clock host and asset monitoring (on-site and cloud), including IoT and OT monitoring
• Reporting
• Use case reviews and updates
Contacts

EMEIA

Mike Maddison
EY EMEIA Cybersecurity Leader
mike.maddison@uk.ey.com

Christian Franzen
EY EMEIA Cybersecurity Sector Leader, Consumer Products & Retail
christian.m.franzen@de.ey.com

Andy Saunders
EY EMEIA Cybersecurity Alliances Leader
asaunders4@uk.ey.com

Panagiotis Papagiannakopoulos
EY EMEIA Cybersecurity Microsoft Alliance Leader
panagiotis.papagiannakopoulos@gr.ey.com

Fabrice Groseil
EY EMEIA Cybersecurity SOC Hub Leader
fabrice.groseil@fr.ey.com

EY | Building a better working world

EY exists to build a better working world, helping to create long-term value for clients, people and society and build trust in the capital markets.

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.

Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.

© 2021 EYGM Limited.
All Rights Reserved.

EYG no. 001828-21Gbl.
GSA Agency
ED None

In line with EY’s commitment to minimize its environmental impact, this document has been printed on FSC®-certified paper that consists of 60% recycled fibers.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, legal or other professional advice. Please refer to your advisors for specific advice.

ey.com