Constructing on the success of the twond annual Safety Operations Centre (SOC) at Cisco Stay Melbourne (Asia Pacific Japan) 2024, the manager staff supported the primary SOC for Cisco Stay San Diego (Americas) and invited the staff again for 20025. Planning a profitable SOC begins with a robust collaboration with the Community Operations Centre (NOC), which assigns a staff of engineers to assemble the community within the weeks main as much as the convention.
Take a look at the CiscoTV interview of Shaun outdoors the SOC.
The core missions of the SOC have been:
- Defend: Safeguard the community from threats and assaults, each inner and exterior
- Educate: Inform and have interaction attendees by means of SOC excursions and weblog content material
- Innovate: Develop and implement new integrations, processes, workflows, and automations
The SOC staff labored diligently to detect, pinpoint, and help within the remediation of threats at any time when an attendee’s system or account was recognized as compromised or insecure.
The SOC at Cisco Stay SOC was efficiently deployed in simply 12 hours over 1 ½ days, demonstrating intensive prior planning and specialised experience. This fast setup was enabled by a number of key elements
- The deployment of the “SOC in a Field,” a customized {hardware} resolution refined by means of years of expertise on the RSAC Convention, enabling fast connectivity with the Cisco Stay NOC, Splunk Enterprise Safety, and the Cisco Safety Cloud.
- Drawing upon confirmed experience, workflows, and procedures from the RSAC 2025, Cisco Stay San Diego, and GovWare 2025 SOCs, with many veteran engineers offering each on-site deployment and devoted distant assist. We additionally introduced in new SOC analysts for Tier 1 interns.
- Integrating superior improvements and safety practices developed whereas safeguarding the Black Hat community, acknowledged because the world’s most hostile atmosphere.
- The partnership with Endace, a extremely expert full-packet seize supplier, whose expertise within the 2025 SOC was essential and prolonged to their dedication for Cisco Stay Melbourne.
The SOC Structure
The SOC staff labored with the NOC to attach the ‘SOC within the Field’, Safe Entry digital home equipment for Area Identify Service (DNS), and acquired a Switched Port Analyzer (SPAN) of the community site visitors.
The SOC staff deployed the EndaceProbe packet seize platform to report all community site visitors, enabling full investigation of any anomalous conduct. The EndaceProbe platform additionally generated metadata (together with Zeek logs) into the Splunk Enterprise Safety Platform. File content material was reconstructed on the wire on the EndaceProbe, filtered, and streamed to Splunk Assault Analyzer (and on to Safe Malware Analytics) for sandboxing and evaluation.
The SOC staff used Duo Central for Single Signal-On entry to the instruments, each on-premises and within the cloud, executing from the primary buyer expertise at Black Hat.
By leveraging cloud-based options like XDR and Splunk Cloud, this additionally minimized the quantity of labor that was wanted in a really tight setup window.
With the profitable fast deployment, we had time for staff coaching on investigations and escalations to Tier 3 / incident responder and administration.
Configurations and different information have been already able to go from earlier occasions as properly, together with dashboards in Splunk, from the improvements of Ivan Berlinson.
Incidents have been investigated in XDR, with risk intelligence supplied by Cisco Talos, and licenses donated by alphaMountain, Pulsedive, and StealthMole, together with group sources.
Tier 3 specialists inside Splunk’s Risk Response staff, devoted to safeguarding Splunk Cloud’s infrastructure, leveraged Splunk Enterprise Safety, with Incidents escalated from Cisco XDR by our Tier 1 & 2 analysts.
The Cloud Safety Suite was deployed to safe the SOC cloud infrastructure, together with Cisco Identification Intelligence.
The Statistics
Statistics are at all times a well-liked a part of the SOC Excursions. Under are the stats from this yr’s occasion.
| Attendees (Cisco Stay) | 6,200 |
| Complete packets captured (Endace) | 30.2 billion |
| Complete logs captured (Splunk) | 1.26 billion |
| Complete periods (Endace) | 256.7 million |
| Complete distinctive gadgets (Firewall) | 7,539 |
| Complete packets written to disk (Endace) | 26.9 TBs |
| Complete logs written to cloud (Splunk) | 1.02 terabytes |
| Peak bandwidth utilization (Endace) | 3.76 Gbps |
| DNS Requests (Cisco) | 61.4 million / 938 blocked |
| Complete clear textual content username/passwords (Endace) | 1,525 |
| Distinctive gadgets / accounts with clear textual content usernames / passwords (Endace) | 34 |
| Recordsdata despatched for malware evaluation (Endace) | 378k file objects reconstructed by Endace. 13,763 despatched to Splunk Assault Analyzer 2,914 despatched to Safe Malware Analytics |
SOC Findings and Classes Discovered
The SOC staff focuses on steady innovation and takes time to doc their experiences for the edification and training of the group.
Take a look at the blogs under from the engineers who labored contained in the SOC in Melbourne. For instance, Ryan MacLennan created an AI mannequin to seek out area generated algorithms on the Cisco Stay AMER Safety SOC. It could run on the brand new ‘SOC in a Field’ GPUs on the UCS M8. Ryan gave the mannequin to Splunk Analysis, who printed for the group.
Acknowledgements
A heartfelt thanks to the engineers whose experience made the Cisco Stay Melbourne 2025 SOC an incredible success, successfully safeguarding the community and offering useful training to attendees.
Community Operations Middle Liaisons
- Freddy Bello, Andy Phillips, Chris Augulewicz and Scott Neuman
Cisco Safety and Splunk SOC Staff
- Innovation / Cloud Safety Suite: Ryan Maclennan
- Cisco Safety Integrations: Ivan Berlinson
- Splunk Integrations: Duane Waddle
- Splunk Incident Responder: Brendan Kuang
- Breach Safety Suite: Robin Wei, Cam Dunn, Hanna Jabbour and Pradnya Padaki
- Person Safety Suite: Justin Murphy and Jaki Hasan
- Firewall and Safety Cloud Management: Adam Kilgore and Apaar Sanghi
- Distant assist: Ben Greenbaum
Endace SOC Staff
- Co-SOC Chief: Steve Fink
- Endace VP Product: Cary Wright
- Endace Engineering: Caleb Millar, Daniel Lawson and Peter Watt
We’d love to listen to what you assume! Ask a query and keep linked with Cisco Safety on social media.
Cisco Safety Social Media
