After the success of the Security Operations Center (SOC) at Cisco Live Melbourne (Asia Pacific Japan) 2024, the executive team green-lit the first SOC for Cisco Live San Diego (Americas). Like any successful SOC, planning starts with a close partnership with the Network Operations Center (NOC), which deploys a team of engineers to build the network in the weeks ahead of the conference.
The core missions of the SOC were:
- Protect: The network from threats and attacks, both within and without
- Educate: Attendees with SOC Tours and blogs
- Innovate: New integrations, processes, workflows and automations
Watch the recording of the live interview at the SOC on Cisco TV.
When an attendee’s device or accounts were found to be compromised or unsecure, the SOC team made every effort to identify, locate and help remediate the threat.

The SOC at Cisco Live was set up in just two days, thanks to a lot of prior planning and expertise, including:
- Shipping and deploying the ‘SOC in a Box’, refined from several years’ experience at the RSAC Conference, containing the essential hardware to connect with the NOC, Splunk Enterprise Security, and the Cisco Security Cloud
- Expertise, workflows and procedures gleaned from the RSAC 2025 SOC just one month earlier, with many of the veteran SOC engineers redeploying and others dedicated to remote support
- Innovations and integrations accelerated by the experience of protecting the Black Hat network, known as ‘the most hostile network in the world’
- Skilled and professional full-packet capture partner Endace, who cut their teeth at the RSAC Conference in 2025, and agreed to do another week in San Diego
The SOC Architecture
The SOC team worked with the NOC to connect the ‘SOC in a Box’ and the Secure Access virtual appliances for Domain Name System (DNS) resolution, and received a Switched Port Analyzer (SPAN) feed of the network traffic.
The SOC team deployed the EndaceProbe packet capture platform to record all network traffic, enabling full investigation of any anomalous behavior. The EndaceProbe platform also generated metadata (including Zeek logs) into the Splunk Enterprise Security Platform. File content was reconstructed on the fly on the EndaceProbe, filtered, and streamed to Splunk Attack Analyzer (and on to Secure Malware Analytics) for sandboxing and analysis.
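As an added example (not code from the post, nor from Cisco or Endace), the following Python takes Zeek http.log records of the kind the EndaceProbe exported to Splunk and counts cleartext credential events and the unique client devices behind them, the two figures reported in the statistics below. The log lines are constructed; the column subset and field names follow Zeek's http.log format.

```python
"""Flag cleartext HTTP credentials in Zeek http.log records.

Sample data is constructed. Zeek populates http.log's password field
only when the HTTP::default_capture_password option is enabled.
"""
from collections import Counter

# Column order of the constructed sample (a subset of Zeek's http.log fields).
FIELDS = ["ts", "uid", "id.orig_h", "id.resp_h", "id.resp_p",
          "method", "host", "uri", "username", "password"]

# Constructed sample records in Zeek TSV form; "-" marks an unset field.
SAMPLE_HTTP_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tmethod\thost\turi\tusername\tpassword
1749600000.1\tCa1\t10.1.2.3\t203.0.113.10\t80\tGET\tportal.example\t/login\talice\ts3cret
1749600001.2\tCa2\t10.1.2.3\t203.0.113.10\t80\tGET\tportal.example\t/inbox\talice\ts3cret
1749600002.3\tCb1\t10.1.2.4\t203.0.113.11\t80\tPOST\tapi.example\t/v1\t-\t-
1749600003.4\tCc1\t10.1.2.5\t203.0.113.12\t8080\tGET\tcam.example\t/view\tadmin\tadmin
"""


def parse_http_log(text):
    """Yield one dict per data record, skipping Zeek '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        yield {k: (None if v == "-" else v) for k, v in zip(FIELDS, values)}


def cleartext_credentials(text):
    """Return (events, per_device): events counts records that carry a
    username or password; per_device maps client IP -> event count."""
    events = 0
    per_device = Counter()
    for rec in parse_http_log(text):
        if rec["username"] is None and rec["password"] is None:
            continue
        events += 1
        per_device[rec["id.orig_h"]] += 1
    return events, per_device


def summarize(text):
    """Produce the two SOC statistics: total cleartext events and unique devices."""
    events, per_device = cleartext_credentials(text)
    return {"events": events, "unique_devices": len(per_device)}
```

The per-device counter is what lets an analyst turn thousands of credential events into a short list of devices to locate and notify, as the SOC did.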


The SOC team used Duo Central for Single Sign-On access to the tools, both on-premises and in the cloud, building on its first customer deployment at Black Hat.


Leveraging cloud-based solutions like XDR and Splunk Cloud also minimized the work needed in a very tight setup window. Configurations and other data, including the Splunk dashboards from the innovations of Ivan Berlinson, were already in place from previous events.


Incidents were investigated in XDR, with threat intelligence provided by Cisco Talos, and licenses donated by alphaMountain and Pulsedive, along with community sources.


Splunk Enterprise Security was utilized by experts from Splunk’s Threat Response team, which protects Splunk Cloud’s infrastructure.
The Cloud Protection Suite was deployed to secure the SOC cloud infrastructure, along with Cisco Identity Intelligence.
The Statistics
Statistics are always a popular part of the SOC Tours. Below are the stats from this year’s event.
| Statistic | Value |
| --- | --- |
| Attendees (Cisco Live) | 22,000+ |
| Total Packets Captured (Endace) | 99.5 billion |
| Total Logs Captured (Splunk) | 4.5 billion |
| Total Sessions (Endace) | 1.49 billion |
| Total Unique Devices (Cisco Umbrella) | 37,052 |
| Total Packets Written to Disk (Endace) | 78.9 terabytes |
| Total Logs Written to Cloud (Splunk) | 1.99 terabytes |
| Peak Bandwidth Utilization (Endace) | 4.85 Gbps |
| DNS Requests (Cisco) | 261.3 million requests, 28.3K blocked |
| Total Clear Text Usernames/Passwords (Endace) | 2,256 |
| Unique Devices/Accounts With Clear Text Usernames/Passwords (Endace) | 97 |
| Files Sent for Malware Analysis (Endace) | 740,172 file objects reconstructed by Endace; 42,813* sent to Splunk Attack Analyzer; 13.05K sent to Secure Malware Analytics |

*De-duplication started the afternoon of June 11, 2025, as part of tuning.


SOC Findings and Lessons Learned
Check out the blogs by the engineers who worked inside the SOC at San Diego:
Acknowledgements
Our thanks to the engineers who made the first SOC at Cisco Live San Diego a success, by protecting the network and educating attendees (and you).


Network Operations Center Liaisons
- Freddy Bello
- Andy Phillips
- Scott Neuman
Cisco Security and Splunk SOC Team
- Innovation/Cloud Protection Suite: Ryan Maclennan
- Integrations: Ivan Berlinson
- Splunk: Tony Iacobelli and Austin Pham
- Breach Protection Suite: Aditya Sankar, Ahmadreza Edalat, Mindy Schueter, Dave Bush, Darryl Hicks, and Kevin Mast
- User Protection Suite: Christian Clasen and Justin Murphy
- Firewall and Security Cloud Control: Adam Kilgore and Patrick Whyte
- Remote Support: Aditya Raghavan, Ben Greenbaum, and Shaun Coulter
Endace SOC Team
- Michael Morris
- Steve Fink
- Barry ‘Baz’ Shaw
- Anantha Srinivasan
- Tom Leahy
- Philip Kennedy
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.