Findings Report From the SOC at RSAC™ 2025 Conference

Aug 19, 2025 Hi-network.com

Cisco and Endace have released the Findings Report from the Security Operations Center (SOC) at RSAC™ 2025 Conference.

The partners used data from the Moscone Center Wireless Network to provide SOC services. Since 2017, the purpose of the SOC has been to monitor the network activity during the event and provide SOC tours and sessions during the conference. From the tours and sessions - and this Findings Report published by sponsors Cisco and Endace - you can learn about what happens on an open, unsecure wireless network. The network infrastructure at RSAC is managed by the Moscone Center. You can watch the replay of the 2025 session.

The SOC Team at RSAC 2025 deployed the EndaceProbe packet capture platform, integrated with the suite of Cisco tools. Also, SOC engineers used Cisco Security Cloud in the SOC, comprised of Cisco Breach Protection Suite and User Protection Suite, with the foundation of Secure Firewall.

The Cloud Protection Suite was deployed to secure the SOC cloud infrastructure, along with Cisco Identity Intelligence and AI Defense.

Incidents were investigated with threat intelligence provided by Cisco Talos and licenses donated by alphaMountain & Pulsedive, along with community sources.

Endace always-on packet capture was provisioned to record all network traffic, enabling full investigation of any anomalous behavior. Endace also generated metadata (including Zeek logs) and NetFlow data, which were sent to Cisco Secure Network Analytics (SNA) and Splunk Platform. File content was reconstructed on the fly by Endace, filtered, and streamed to Splunk Attack Analyzer and Cisco Secure Malware Analytics for sandboxing and analysis.

Workflow integrations to Endace from within Splunk Enterprise Security, Cisco XDR, SNA, and Secure Firewall streamlined the work of the SOC team when investigating potential incidents. Endace packet data was used to understand activity before, during and after any alerts, to identify lateral movement and potential C2 (command and control), to search for IOCs (Indicators of Compromise), and to investigate any serious threats that raised the team members' suspicions. No decryption was performed on any network data or connections.

The Findings Report includes sections about: 

  • The Network
  • Technology used in the SOC at RSAC Conference 
  • The Statistics
  • Security Incident and Event Management
  • XDR Integration and Threat Hunting
  • Secure Access
  • Intrusion Detection with Cisco Secure Firewall
  • Tales of Insecurity
  • Protecting the SOC Infrastructure
  • Conclusion

Download the Findings Report from the Security Operations Center (SOC) at RSAC 2025 Conference. You can also view the 2024 report. We look forward to seeing you in late March 2026!

Acknowledgements: Our appreciation to those who made the SOC at RSAC possible. Please see the Report for the engineering roles. Thank you.

