Additional Post Contributors: Austin Pham, Tony Iacobelli
Cisco and Splunk, together, elevate the SOC's incident detection and response experience to the next level by combining technologies from both sides into a single pane of glass that shows threats in real time. Technologies such as Cisco XDR and Security Cloud, together with Splunk Enterprise Security, Splunk Attack Analyzer, and Splunk Cloud, are the perfect pairing to significantly reduce the mean time to detect, respond, contain, and eradicate (MTTx).

Building out a SOC Triage Center Dashboard (originally created by Matthew Bellezza from the Splunk Center of Excellence) in Splunk Enterprise Security that aggregates millions of events from Endace and Cisco network products allowed the Cisco Live San Diego 2025 SOC analysts to feel more empowered to quickly triage and respond to security events, defending CLUS attendees and staff from threats and rapidly putting a stop to malicious activity.


Splunk Attack Analyzer paired with Secure Malware Analytics, utilizing XDR and Endace, provides holistic static and dynamic analysis when it comes to phishing domains, file analysis, and malware sandbox detonation — streaming the events in real time to the Cisco Live floor.


We also created a Phished Brands dashboard to identify when attackers were attempting to use similar appearing domains to lure victims into providing their credentials.


Partnering with Endace and combining the power of Splunk Enterprise Security, we were able to create the 'Packet Peekers Prize Board' dashboard, which provides a glimpse of all the unencrypted protocol traffic carrying attendees' and exhibitors' plaintext credentials across the network, to help spread awareness and encourage the use of more secure protocols for communication during the event. The output of these dashboards can be further integrated into SOC workflows via webhooks and automation playbooks such as those in Splunk SOAR, including cycling the findings back into XDR worklogs or private incident communication channels. This is the modern SOC.


To carry the momentum forward and drive continued success for customers, we reached out to the attendees, contractors, and exhibitors who were impacted to inform them of the discovery, and we received overwhelmingly positive feedback. The outreach was automated with Python scripting, which could easily be turned into a Splunk SOAR playbook that executes at the push of a button.


An example of a solution we would suggest to customers and attendees alike is as simple as the following setting change:


The Splunk team is excited to continue the collaboration with our Cisco Security counterparts, to secure Cisco Live and other events from attackers.
Want to learn more about what we saw at Cisco Live San Diego 2025? Check out our main blog post — Cisco Live San Diego 2025 SOC — and the rest of our Cisco Live SOC content.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.