Machines whirr and whizz behind the partitioned wall inside the RSAC 2026 Conference expo corridor. Five side-by-side screens flash colourful alerts, charts and statistics. A dozen analysts sit around two tables, their eyes glued to sticker-covered laptops.
It is a glimpse inside the security operations center (SOC) defending the world's largest cybersecurity event, live and in action, monitoring north-south and east-west traffic across the Moscone Center in San Francisco.
The SOC team, made up of Cisco, Splunk and Endace members, is investigating incidents on the network where nearly 44,000 attendees have gathered to learn and chat about cybersecurity and, more than likely, connect to the event's free Wi-Fi.
"We're recording everything that goes across the network. We have about 240 TB of storage here, so we'll record every packet from the start of the show, right to the end," said Cary Wright, vice president of products at Endace. "These analysts can dig in and investigate any event or incident and look at exactly what happened before, during and after it."
The analysts are on the hunt for zero-days, insecurities, advanced threats and any other suspicious activity that might not trigger the security stack.

The technology
The preconfigured SOC in a box, developed for RSAC, was designed to be rolled into a venue, connected to the network operations center, and up and running in fewer than four hours.
Two Cisco Unified Computing Systems with embedded AI and GPUs provide local compute for event services and virtualization needs. A pair of Cisco Secure Firewalls with Firewall Threat Defense run in detection mode at the network edge, and Endace appliances perform always-on (not triggered) full packet capture and generate metadata, including Zeek logs.
Telemetry is fed into the security stack through Splunk Enterprise Security, and Splunk Attack Analyzer conducts detonation and analysis. Pivots enable analysts to move quickly across tools and workflows.
"If a firewall detected a threat, for example, the analyst could pivot to see what network packets were related to the threat, if there was lateral movement, if any data was downloaded or exfiltrated, or if any malware was coming out of the network," Wright said.
Additional tools include Cisco XDR (extended detection and response); Cisco Secure Network Analytics; Cisco Security Cloud; Splunk Cloud Platform; Cisco Duo; Cisco ThousandEyes; Cisco Secure Malware Analytics; Splunk Attack Analyzer; Cisco Secure Access and Splunk SOAR (security orchestration, automation and response); and threat intelligence from Cisco Talos, alphaMountain, Pulsedive and StealthMole.
The dashboards

One screen displays a representation of traffic over the past three days: a spider chart shows who was talking to whom, with the thickness of the lines indicating traffic volume.
Another screen shows traffic being analyzed by Splunk. Twenty percent of the traffic is encrypted, and the dashboard shows encryption strengths, including which TLS versions are in use.

A screen flashes password counts and password events, revealing that 11 hosts on the network are broadcasting their passwords in the clear. There are a total of 217 events, meaning each host showed its password about 20 times.
During previous events, Wright explained, they would investigate, find the relevant user and inform them that their password was insecure. This time-consuming process was recently automated, with hosts now receiving an email from RSAC informing them that their passwords were found in the clear.
RSAC attendees demonstrated better password hygiene than those at Cisco Live in Amsterdam: Jessica Oppenheimer, director of SOC integrations at Splunk, said 400 hosts there had passwords in cleartext.
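The TLS-version and password-in-the-clear figures described above, as an added example that is not the article's code nor that of the RSAC SOC team, Cisco, Splunk or Endace: it reduces constructed Zeek-style ssl.log and http.log records to the same dashboard numbers (share of encrypted sessions, TLS versions in use, hosts exposing passwords and events per host) and builds the once-per-host notification list the automated email would work from. The trimmed column layouts, the list of versions treated as weak, and every address and credential in the sample lines are assumptions made for this example.

```python
"""Added example, not code from the article or from the RSAC SOC, Cisco,
Splunk or Endace: summarise Zeek-style ssl.log and http.log records into the
figures the dashboards show. All log lines here are constructed sample data."""
from collections import Counter

# Constructed ssl.log-style records. The column layout is an assumption for
# this example (Zeek's real ssl.log carries many more fields):
# ts, orig_h, resp_h, resp_p, version.
SSL_LOG = """\
1700000001.1\t10.20.1.5\t203.0.113.10\t443\tTLSv13
1700000002.2\t10.20.1.6\t203.0.113.11\t443\tTLSv12
1700000003.3\t10.20.1.7\t203.0.113.12\t443\tTLSv10
1700000004.4\t10.20.1.5\t203.0.113.13\t443\tTLSv13
"""
SSL_FIELDS = ("ts", "orig_h", "resp_h", "resp_p", "version")

# Constructed http.log-style records, trimmed to: ts, orig_h, resp_h, method,
# uri, password. Zeek writes "-" for an unset field, so any other value in the
# password column means the credential crossed the wire unencrypted.
HTTP_LOG = """\
1700000005.5\t10.20.1.8\t198.51.100.5\tPOST\t/login\thunter2
1700000006.6\t10.20.1.8\t198.51.100.5\tPOST\t/login\thunter2
1700000007.7\t10.20.1.9\t198.51.100.6\tGET\t/index.html\t-
1700000008.8\t10.20.1.10\t198.51.100.7\tPOST\t/api/auth\tsecret
1700000009.9\t10.20.1.8\t198.51.100.5\tPOST\t/login\thunter2
"""
HTTP_FIELDS = ("ts", "orig_h", "resp_h", "method", "uri", "password")

# Versions the dashboard would flag as weak (assumed policy for this example).
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}


def parse_tsv(text, fields):
    """Turn tab-separated Zeek-style lines into dicts; skip blank and '#' lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def tls_version_breakdown(ssl_text):
    """Count sessions per negotiated TLS version."""
    return Counter(r["version"] for r in parse_tsv(ssl_text, SSL_FIELDS))


def weak_tls_sessions(ssl_text):
    """Number of sessions negotiated with a version listed in WEAK_TLS."""
    return sum(1 for r in parse_tsv(ssl_text, SSL_FIELDS) if r["version"] in WEAK_TLS)


def encrypted_share(ssl_text, http_text):
    """Fraction of observed sessions that were TLS rather than plain HTTP."""
    n_tls = len(parse_tsv(ssl_text, SSL_FIELDS))
    n_http = len(parse_tsv(http_text, HTTP_FIELDS))
    total = n_tls + n_http
    return n_tls / total if total else 0.0


def cleartext_password_events(http_text):
    """Map each client host to how many requests carried a password in the clear."""
    return Counter(
        r["orig_h"] for r in parse_tsv(http_text, HTTP_FIELDS) if r["password"] != "-"
    )


def password_summary(http_text):
    """Hosts exposing passwords, total events, and average events per host."""
    per_host = cleartext_password_events(http_text)
    hosts, events = len(per_host), sum(per_host.values())
    return {"hosts": hosts, "events": events,
            "events_per_host": events / hosts if hosts else 0.0}


def notification_list(http_text):
    """Hosts to notify, once each, worst offender first (never includes the password itself)."""
    per_host = cleartext_password_events(http_text)
    return sorted(per_host.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("TLS versions:", dict(tls_version_breakdown(SSL_LOG)))
    print("weak TLS sessions:", weak_tls_sessions(SSL_LOG))
    print("encrypted share: %.0f%%" % (100 * encrypted_share(SSL_LOG, HTTP_LOG)))
    print("cleartext passwords:", password_summary(HTTP_LOG))
    for host, n in notification_list(HTTP_LOG):
        print("notify %s (%d events)" % (host, n))
```

Real Zeek output begins with `#fields` and `#types` header lines and has far more columns than the trimmed layout above; when running this over actual logs, take the field tuple from the `#fields` line instead of the constants here. The notification list deliberately carries only host and count, so the exposed credential is never copied into a ticket or email.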

Another screen displays which AI models people are using. "Are they ones we have licensed? Ones that should be licensed? Are they using their own?" Oppenheimer said. "We can identify models on the network, and if one were to adversely affect this conference, we have the ability to block it."
AI is a big component of the SOC itself. For example, it helps tier-one analysts process data, understand threats and map data. "That is why in the past 24 hours only two of 35 alerts have been escalated up to tier-two or tier-three analysts," she said.
SOC in a box around the globe
The SOC in a box rolled into RSAC 2026 from Cisco Live 2026 in Amsterdam, after remotely defending the NFL Super Bowl in Santa Clara in February. It has also been used at the Olympics, Black Hat, Mobile World Congress and GovWare events. In April, it will protect the network during the NFL Draft in Pittsburgh.
The SOC in a box continuously evolves. Earlier iterations of the project took incident responders three days to gain access, given the various tools from Palo Alto, Corelight, Arista Networks and Jamf, Oppenheimer explained. In response, the team created a single sign-on portal and implemented role-based access control to give day-one access to all analysts.
For the 2028 LA Olympics, Oppenheimer said, the team is looking to add further AI capabilities to the SOC.
Sharon Shea is executive editor of TechTarget Security.