Sample Page Title

Constructing on the teachings discovered within the Safety Operations Middle (SOC) at main occasions, we challenged ourselves to construct one thing new at Cisco Reside Amsterdam 2026, a closed-loop integration with Cisco XDR and Splunk Enterprise Safety.

Planning a profitable SOC begins with robust collaboration with the Community Operations Middle (NOC). It additionally started with a spotlight, utilizing the Splunk Safety Maturity Methodology (S2M2).

The core missions of the SOC stay:

• Shield: Safeguard the community from threats and assaults, each inside and exterior
• Educate: Inform and interact attendees by SOC excursions and weblog content material, and our white paper
• Innovate: Develop and implement new integrations, processes, workflows, and automations

Harnessing the Energy of Splunk Safety

A significant aim for EMEA 2026 was breaking down the silos between “triage / investigating” and “menace searching / incident response.”

By embedding Splunk Safety Integration Engineers straight into the SOC, we curated particular workflows that allowed Tier 1 interns and Tier 2 analysts to carry out complicated investigations that have been beforehand the area of Tier 3 responders.

Configurations and different information have been able to go from earlier occasions, together with dashboards in Splunk, from the improvements for the Nationwide Soccer League Tremendous Bowl LX SOC.

We refined the SOC Supervisor dashboard in Splunk from the expertise on the Tremendous Bowl SOC, exhibiting the Incidents generated from detections within the safety sources, and the standing of the incidents, together with escalations to Splunk Enterprise Safety (ES).

The Splunk Safety Product Labs group labored to make the most of the ability of the Cisco XDR correlation engine, to convey Splunk ES Danger index logs as Sources into the XDR Knowledge Analytics Platform. These logs have been correlated with different detections to provide Incidents for Triage and Investigation by Tier 1 /2 SOC analysts.

The combination between Cisco XDR and Splunk ES delivers a seamless expertise for safety operations groups by combining native XDR detections with Splunk’s intensive information backend and customized OCSF detections. Key improvements embrace:

• Fast Onboarding: New SOC analysts could be educated on XDR in underneath an hour, together with integration pivot factors with Splunk and Endace packet seize.
• Unified Incident Administration: Detections from each Cisco XDR and Splunk have been correlated inside XDR, permitting analysts to see the supply of detections in incidents, however sustaining a constant person expertise. This reduces the necessity for retraining earlier than effectiveness in a mature SOC.
• Environment friendly Analyst Workflow: Tier 1/2 analysts triaged and investigated incidents in XDR, with the power to pivot to Splunk logs and Endace packet information. When escalation is required, enriched incident information is routinely despatched to Splunk ES for Tier 3 analysts to proceed investigations in Mission Management.
• Closed-Loop Automation: Incident standing was routinely up to date in XDR when the case was resolved in Splunk ES, closing the loop and guaranteeing synchronized data.

• Studying & Collaboration: Tier 1/2 analysts had function primarily based entry to Splunk ES by way of Duo Listing, empowering them to view the Tier 3 investigation notes and findings, and upleveling their expertise.

• Openness & Customization: The combination leverages the open structure of each Cisco XDR and Splunk, supporting customized detections and versatile workflows, as confirmed in high-profile SOC deployments.

This innovation permits safety operations facilities to maximise detection protection, streamline incident response, cut back coaching overhead, and foster analyst development, by tightly built-in, automated workflows.

The Deployment: SOC in a Field

The SOC was efficiently deployed in simply 12 hours over 1 ½ days. This velocity was not unintended; it was architectural. We utilized our moveable “SOC in a Field”, a pre-configured {hardware} stack designed to be delivered prematurely to the venue, linked to the NOC and instantly started producing actionable telemetry.

Key components enabling this speedy setup included:

• Pre-validated Knowledge Paths: Immediate connectivity between the Cisco Reside NOC, Splunk Enterprise Safety and the Cisco Safety Cloud.
• Battle-Examined Innovation: We built-in superior safety practices developed whereas safeguarding the Black Hat community, acknowledged because the world’s most hostile surroundings.
• Confirmed Workflows: We drew upon experience and playbooks refined on the Tremendous Bowl LX, RSAC, GovWare and prior Cisco Reside SOCs.

The SOC Structure: A “System of Techniques”

The Amsterdam SOC was designed to beat particular occasion constraints, corresponding to the lack to put in endpoint brokers on attendee units (BYOD) and the necessity to detect malware in encrypted visitors.

The Visibility Layer: The SOC group labored with the NOC to attach the ‘SOC within the Field’ and Cisco Safe Entry for DNS safety. We acquired a Switched Port Analyzer (SPAN) feed of community visitors.

The Investigation Layer: We deployed the EndaceProbe packet seize platform to file all community visitors. This allowed us to pivot from a Splunk alert on to full packet seize (PCAP) to validate investigative hypotheses. Endace additionally generated Zeek logs for Splunk Enterprise Safety (ES), whereas file content material was reconstructed on the wire and streamed to Splunk Assault Analyzer and Cisco Safe Malware Analytics for sandboxing.

The Evaluation & Identification Layer:

• Splunk Cloud and Splunk ES served because the SOC platform, aggregating danger scores and normalizing information into the Widespread Info Mannequin (CIM).
• Cisco XDR acted as investigation visualization device, utilizing AI to verify threats quicker with Immediate Assault Verification, enriched with menace intelligence offered by Cisco Talos, and licenses donated by alphaMountain, Pulsedive, and StealthMole, together with group sources.

• Duo Listing and Identification Intelligence offered the id aircraft, securing entry to our instruments by way of Single Signal-On and guaranteeing our analysts have been authenticated and approved inside minutes of becoming a member of the shift.

The Statistics

Statistics are at all times a well-liked a part of the SOC Excursions. Beneath are the stats from this yr’s occasion.

SOC Findings and Classes Discovered

The SOC group focuses on steady innovation—the “OODA loop” of observing, orienting, deciding, and appearing. We take time to doc our experiences for the edification of the group.

Try the deep-dive technical blogs under from the engineers who labored contained in the SOC:

Acknowledgements

A heartfelt thanks to the engineers whose experience made the primary Cisco Reside Amsterdam 2026 SOC an incredible success.

Community Operations Middle Liaisons

• Remco Kamerman, Luke Hebditch, Mark Bremner and Scott Neuman

Cisco Safety and Splunk SOC Crew

• SOC in a Field: Adi Sankar
• Splunk Safety Integrations: Paul Pelletier and Kenneth Bouchard, with Josh Wilson and Duane Waddle
• Splunk Menace Researchers: Nasreddine Bencherchali and Paul Pang
• Breach Safety Suite: Mark Pleunes, Ibrahim Yusuf, Piotr Jarzynka, Matt Vander Horst, Yannis Steiakogiannakis and Eric Rennie, with Bilal Qamar
• Consumer Safety Suite: Aaron Woland
• Firewall and Safety Cloud Management: Adam Kilgore and Christopher Grabowski

Endace SOC Crew

• Co-SOC Chief: Cary Wright Endace Engineering: Owen Gallagher, Sundarram Paravastu and Sam Brockelsby

We’d love to listen to what you suppose! Ask a query and keep linked with Cisco Safety on social media.

Cisco Safety Social Media

LinkedIn
Fb
Instagram