<p>Machines whirr and whizz behind the partitioned wall in the RSAC 2026 Conference expo hall. Five side-by-side monitors flash colorful alerts, charts and statistics. A dozen analysts sit around two tables, their eyes glued to sticker-covered laptops.</p>
<p>It’s a glimpse inside the security operations center (<a href="https://www.techtarget.com/searchsecurity/definition/Security-Operations-Center-SOC">SOC</a>) protecting the world’s largest cybersecurity event live and in action, monitoring north-south and east-west traffic across the Moscone Center in San Francisco.</p>
<p>The SOC team, made up of Cisco, Splunk and Endace members, is investigating incidents on the network where nearly 44,000 attendees have gathered to <a href="https://www.techtarget.com/searchsecurity/conference/RSA-Conference-news-and-analysis">learn and chat about cybersecurity</a> and, more than likely, connect to the event’s free Wi-Fi.</p>
<p>“We’re recording everything that goes across the network. We have about 240 TB of storage here, so we’ll record every packet from the start of the show, right to the end,” said Cary Wright, vice president of products at Endace. “These analysts can dig in and investigate any event or incident and look at exactly what happened before, during and after it.”</p>
<p>The analysts are on the hunt for zero days, insecurities, advanced threats and any other suspicious activity that might not trigger the security stack.</p>
<figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/soc_in_a_box-image1-f.jpg">
<img data-src="https://www.techtarget.com/rms/onlineimages/soc_in_a_box-image1-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/soc_in_a_box-image1-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/soc_in_a_box-image1-f.jpg 1280w" alt="Photo of the RSAC 2026 Conference SOC-in-a-box setup" data-credit="Sharon Shea" height="420" width="560">
<figcaption>Analysts used a suite of tools and dashboards to investigate alerts and protect the RSAC network.</figcaption>
</figure>
<section class="section main-article-chapter" data-menu-title="The technology">
<h2 class="section-title">The technology</h2>
<p>The preconfigured SOC in a box, developed for RSAC, was designed to be rolled into a venue, connected to the network operations center, and up and running in fewer than four hours.</p>
<p>Two Cisco Unified Computing Systems with embedded AI and GPUs provide local compute for event services and virtualization needs. A pair of Cisco Secure Firewalls with Firewall Threat Defense run in detection mode at the network edge, and Endace appliances perform always-on — not triggered — full packet capture and generate metadata, including Zeek logs.</p>
<p>Telemetry is fed into the security stack through Splunk Enterprise Security, and Splunk Attack Analyzer conducts detonation and analysis. Pivots enable analysts to rapidly move across tools and workflows.</p>
<p>“If a firewall detected a threat, for example, the analyst could pivot to see what network packets were related to the threat, if there was lateral movement, if any data was downloaded or exfiltrated, or if any malware was coming out of the network,” Wright said.</p>
<p>Additional tools include Cisco XDR (<a href="https://www.techtarget.com/searchsecurity/definition/extended-detection-and-response-XDR">extended detection and response</a>); Cisco Secure Network Analytics; Cisco Security Cloud; Splunk Cloud Platform; Cisco Duo; Cisco ThousandEyes; Cisco Secure Malware Analytics; Splunk Attack Analyzer; Cisco Secure Access and Splunk SOAR (security orchestration, automation and response); and <a href="https://www.techtarget.com/searchsecurity/tip/Top-open-source-and-commercial-threat-intelligence-feeds">threat intelligence</a> from Cisco Talos, alphaMountain, Pulsedive and StealthMole.</p>
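<p>As an added illustration of the pivot Wright describes, and not code from the SOC team or any vendor named here, the following Python parses a constructed, reduced Zeek conn.log excerpt of the kind the capture appliances generate and pivots from a firewall-alerted host to its flows, flagging east-west connections to admin ports and large outbound transfers. The venue address range, the port list and the byte threshold are assumptions.</p>

```python
import ipaddress

# Constructed, reduced Zeek conn.log excerpt (TSV with a #fields header),
# standing in for the metadata the capture appliances generate.
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
1712000000.1\tCa1\t10.20.5.7\t51000\t10.20.5.10\t445\ttcp\t1200\t800
1712000001.2\tCa2\t10.20.5.7\t51001\t10.20.5.11\t445\ttcp\t1300\t700
1712000002.3\tCa3\t10.20.5.7\t51002\t10.20.5.12\t3389\ttcp\t900\t4000
1712000050.0\tCa4\t10.20.5.7\t51003\t203.0.113.9\t443\ttcp\t85000000\t2000
1712000060.0\tCa5\t10.20.7.3\t52000\t198.51.100.4\t443\ttcp\t4000\t90000
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed venue address space
LATERAL_PORTS = {22, 445, 3389, 5985}            # assumed admin/file-sharing ports
EXFIL_BYTES = 50_000_000                         # assumed per-flow outbound threshold

def parse_conn_log(text):
    """Parse a Zeek TSV log into dicts keyed by the names in the #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def pivot(rows, alert_host):
    """Pivot from an alerted host to its flows: count them, list internal
    targets reached on admin ports (east-west), and list large transfers
    to external hosts (possible exfiltration)."""
    related = [r for r in rows if alert_host in (r["id.orig_h"], r["id.resp_h"])]
    lateral = sorted({r["id.resp_h"] for r in related
                      if r["id.orig_h"] == alert_host
                      and ipaddress.ip_address(r["id.resp_h"]) in INTERNAL
                      and int(r["id.resp_p"]) in LATERAL_PORTS})
    exfil = [(r["id.resp_h"], int(r["orig_bytes"])) for r in related
             if r["id.orig_h"] == alert_host
             and ipaddress.ip_address(r["id.resp_h"]) not in INTERNAL
             and int(r["orig_bytes"]) >= EXFIL_BYTES]
    return {"flows": len(related), "lateral_targets": lateral, "exfil": exfil}

if __name__ == "__main__":
    # Pivot from a (constructed) firewall alert on 10.20.5.7.
    print(pivot(parse_conn_log(CONN_LOG), "10.20.5.7"))
```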
</section>
<section class="section main-article-chapter" data-menu-title="The dashboards">
<h2 class="section-title">The dashboards</h2>
<figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/soc_in_a_box-image2-h.jpg">
<img data-src="https://www.techtarget.com/rms/onlineimages/soc_in_a_box-image2-h_half_column_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/soc_in_a_box-image2-h_half_column_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/soc_in_a_box-imag