
Inside the SOC that secured RSAC 2026 Conference

April 17, 2026


Machines whirr and whizz behind the partitioned wall within the RSAC 2026 Conference expo hall. Five side-by-side screens flash colorful alerts, charts and statistics. A dozen analysts sit around two tables, their eyes glued to sticker-covered laptops.

It is a glimpse inside the security operations center (SOC) protecting the world’s largest cybersecurity event live and in action, monitoring north-south and east-west traffic across the Moscone Center in San Francisco.

The SOC team, made up of Cisco, Splunk and Endace members, is investigating incidents on the network where nearly 44,000 attendees have gathered to learn and chat about cybersecurity and, more than likely, connect to the event’s free Wi-Fi.

“We’re recording everything that goes across the network. We have about 240 TB of storage here, so we’ll record every packet from the start of the show, right to the end,” said Cary Wright, vice president of products at Endace. “These analysts can dig in and investigate any event or incident and look at exactly what happened before, during and after it.”

The analysts are on the hunt for zero days, insecurities, advanced threats and any other suspicious activity that might not trigger the security stack.

Photo of the RSAC 2026 Conference SOC-in-a-box setup
Analysts used a set of tools and dashboards to investigate alerts and protect the RSAC network.

The technology

The preconfigured SOC in a box, developed for RSAC, was designed to be rolled into a venue, connected to the network operations center, and up and running in fewer than four hours.

Two Cisco Unified Computing Systems with embedded AI and GPUs provide local compute for event services and virtualization needs. A pair of Cisco Secure Firewalls with Firewall Threat Defense run in detection mode on the network edge, and Endace appliances perform always-on, not triggered, full packet capture and generate metadata, including Zeek logs.

Telemetry is fed into the security stack by Splunk Enterprise Security, and Splunk Attack Analyzer conducts detonation and analysis. Pivots enable analysts to rapidly move across tools and workflows.

“If a firewall detected a threat, for example, the analyst could pivot to see what network packets were related to the threat, if there was lateral movement, if any data was downloaded or exfiltrated, or if any malware was coming out of the network,” Wright said.

Additional tools include Cisco XDR (extended detection and response); Cisco Secure Network Analytics; Cisco Security Cloud; Splunk Cloud Platform; Cisco Duo; Cisco ThousandEyes; Cisco Secure Malware Analytics; Splunk Attack Analyzer; Cisco Secure Access and Splunk SOAR (security orchestration, automation and response); and threat intelligence from Cisco Talos, alphaMountain, Pulsedive and StealthMole.

The dashboards

Photo of the RSAC 2026 Conference SOC-in-a-box alerts screen.
A dashboard displaying security detections and incidents on the RSAC 2026 network.

One screen displays a representation of traffic over the past three days: a spider chart shows who was talking to whom, with the thickness of the lines indicating traffic volume.

Another screen shows traffic being analyzed by Splunk. Twenty percent of the traffic is encrypted, and the dashboard shows encryption strengths, including which TLS versions are in use.

Photo of the RSAC 2026 SOC analysts and alert screens.
The left screen has a spider chart of network connections.

A screen flashes password counts and password events, revealing that 11 hosts on the network are broadcasting their passwords in the clear. There are a total of 217 events, meaning each host showed their password about 20 times.

During previous events, Wright explained, they would investigate, find the associated user and tell them that their password was insecure. This time-consuming process was recently automated, with hosts now receiving an email from RSAC informing them that their passwords had been found in the clear.

RSAC attendees demonstrated better password hygiene than those at Cisco Live in Amsterdam: Jessica Oppenheimer, director of SOC integrations at Splunk, said 400 hosts there had passwords in cleartext.

Photo of the RSAC SOC screens.
Oppenheimer talking about RSAC’s SOC setup. On the right, a screen displays which AI apps are in use.

Another screen displays which AI models people are using. “Are they ones we have licensed? Ones that should be licensed? Are they using their own?” Oppenheimer said. “We can identify models on the network, and if one were to adversely affect this conference, we have the ability to block it.”

AI is a big component of the SOC itself. For example, it helps tier-one analysts process data, understand threats and map data. “That’s why in the past 24 hours only two of 35 alerts have been escalated up to tier-two or three analysts,” she said.

SOC in a box around the globe

The SOC in a box rolled into RSAC 2026 from Cisco Live 2026 in Amsterdam, after remotely protecting the NFL Super Bowl in Santa Clara in February. It has also been used at the Olympics, Black Hat, Mobile World Congress and GovWare events. In April, it will protect the network during the NFL Draft in Pittsburgh.

The SOC in a box continuously evolves. Earlier iterations of the project took incident responders three days to gain access, given the various tools from Palo Alto, Corelight, Arista Networks and Jamf, Oppenheimer explained. In response, the team created a single sign-on portal and implemented role-based access control to provide day-one access to all analysts.

For the 2028 LA Olympics, Oppenheimer said, the team is looking to add additional AI capabilities into the SOC.

Sharon Shea is executive editor of TechTarget Security.
