Securing Cisco Live With a 12-Hour Pop-Up SOC

At a sprawling technology conference hosting thousands of attendees, the temporary network becomes a microcosm of the global internet—a dynamic, high-traffic environment teeming with both legitimate activity and significant cyber risk. The challenge of securing such an ephemeral digital ecosystem is immense, requiring a security posture that is as agile and potent as the threats it faces. For the Cisco Live Melbourne 2025 conference, this challenge was met by deploying a sophisticated, temporary Security Operations Center (SOC) on-site. This pop-up SOC was more than just a defensive line; it represented a culmination of years of experience from similar deployments at events like Cisco Live San Diego and the RSAC Conference. It was a multi-faceted operation, built on a foundation of meticulous planning, cutting-edge technology, and deep human expertise, designed not only to protect the event but also to serve as a live educational platform and a crucible for security innovation in a real-world, high-stakes setting.

A Three-Pronged Mission and Rapid Mobilization

The operational philosophy of the on-site security team was guided by three distinct yet interconnected missions that shaped every action taken throughout the conference. The foundational mission was to Protect, a mandate that involved safeguarding the entire conference network and its thousands of users from a diverse spectrum of cyber threats. This included defending against malicious external attacks as well as identifying and mitigating internal security risks, such as insecurely configured devices or compromised user accounts. The team was tasked with the continuous cycle of detection, investigation, and coordinated remediation of any security incident. Complementing this defensive posture was the Educate mission, which aimed to transform the SOC from a closed-off command center into a transparent learning environment. This was accomplished through organized tours that gave attendees a rare behind-the-scenes view of live security operations and through a series of detailed technical blogs written by the SOC engineers, sharing their firsthand experiences and insights with the wider cybersecurity community. The third pillar, Innovate, compelled the team to constantly push the boundaries of their capabilities by developing and implementing new security integrations, refining operational workflows, and introducing powerful automations to boost both detection accuracy and response efficiency, ensuring that each SOC deployment surpassed the last in sophistication and effectiveness.

A testament to the team’s preparation and strategic design was the SOC’s astonishingly rapid deployment, achieving full operational status in just 12 hours spread over a day and a half. This speed was the direct result of several key enabling factors, chief among them being the “SOC in a Box.” This custom-built, portable hardware solution, which has been iteratively refined over years of use at major industry events, is engineered for seamless integration with a host network’s infrastructure, facilitating swift connectivity to the Network Operations Center (NOC), Splunk Enterprise Security, and the Cisco Security Cloud. The operation also drew heavily upon the deep well of institutional knowledge, proven workflows, and established procedures from prior SOC deployments at RSAC 2025, Cisco Live San Diego, and GovWare 2025. The core team comprised many veteran engineers who provided both on-site leadership and dedicated remote support, ensuring continuity and expert oversight. This experienced group was augmented by new Tier 1 interns, creating an invaluable training ground for the next generation of security analysts. Furthermore, the SOC incorporated advanced security practices and innovations that were pressure-tested while securing the notoriously hostile network environment of the Black Hat conference, bringing battle-hardened tactics to the event.

Behind the Shield: A Sophisticated Tech Stack

The technical foundation of the pop-up SOC was a sophisticated hybrid architecture, skillfully integrating on-premises hardware with cloud-based services to achieve comprehensive visibility and enable rapid, data-driven analysis. The entire process initiated with a tight collaboration with the NOC, which supplied a Switched Port Analyzer (SPAN) feed of all network traffic passing through the conference infrastructure. This complete data stream was funneled directly into the “SOC in a Box,” which was connected alongside Secure Access virtual appliances to ensure robust DNS security from the outset. At the heart of the data collection strategy was the EndaceProbe platform, which meticulously captured and recorded every single network packet. This full packet capture capability provided an immutable forensic record, allowing analysts to perform deep-dive investigations into any anomaly or security event. The platform performed two critical functions in real time: it generated a rich stream of metadata, including detailed Zeek logs, which were immediately ingested by the Splunk Enterprise Security platform for advanced correlation and analysis; and it actively reconstructed file content directly from the network traffic. These reconstructed files were then intelligently filtered and streamed to both Splunk Attack Analyzer and Cisco Secure Malware Analytics for advanced sandboxing and in-depth malware analysis, creating a multi-layered defense against malicious payloads.

To manage secure access to this complex and powerful toolset, the team implemented Duo Central for Single Sign-On (SSO), a practice that had been first implemented and perfected during the high-pressure environment of the Black Hat conference. Recognizing the constraints of the tight 12-hour deployment window, the operational strategy heavily emphasized the use of cloud-based solutions to minimize the on-site setup burden. This included leveraging Cisco XDR for streamlined incident investigation and Splunk Cloud for scalable log aggregation and analysis. This cloud-centric approach, combined with the use of pre-configured Splunk dashboards and other configurations carried over from previous events, freed up valuable time. This time was then strategically reallocated to intensive training sessions focused on investigation and escalation procedures for the Tier 1, Tier 2, and Tier 3 incident responders. Threat intelligence was woven into the architecture as a multi-layered component. Investigations within Cisco XDR were automatically enriched with the latest intelligence from Cisco Talos, while further contextual data was provided through donated licenses from esteemed partners like alphaMountain, Pulsedive, and StealthMole, supplemented by open-source community feeds. The SOC’s own cloud infrastructure was not overlooked and was rigorously secured using the Cloud Protection Suite and Cisco Identity Intelligence.

Statistical Insights and Knowledge Sharing

The statistics gathered during the event vividly illustrate the immense scale of the network and the comprehensive scope of the SOC’s monitoring efforts. For the 6,200 conference attendees, the security team monitored a total of 7,539 unique devices connecting to the network. This activity generated a staggering volume of data; the Endace platform captured 30.2 billion packets and monitored 256.7 million distinct sessions, ultimately writing 26.9 terabytes of raw packet data to disk for potential forensic analysis. In parallel, the Splunk platform ingested an impressive 1.26 billion logs, amounting to 1.02 terabytes of data stored securely in the cloud. The network itself was highly active, with traffic utilization peaking at 3.76 Gbps. From a security standpoint, the SOC processed 61.4 million DNS requests, successfully blocking 938 of them that were identified as malicious or non-compliant with security policies. A particularly concerning discovery was the detection of 1,525 separate instances of cleartext usernames and passwords being transmitted over the network, a vulnerability originating from 34 unique devices or user accounts. In terms of malware analysis, the Endace platform reconstructed 378,000 file objects from the network traffic, of which 13,763 were flagged for automated analysis in Splunk Attack Analyzer, and a further 2,914 were escalated to Cisco Secure Malware Analytics for more intensive, deeper inspection.
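The cleartext-credential figures above (instances versus distinct source devices) are the kind of result a hunt over the Zeek logs that Endace streamed into Splunk would produce. The following is an added example, not the SOC's own Splunk content: it assumes Zeek's JSON http.log and ftp.log field names (`id.orig_h`, `username`, `user`, `password`) and runs over constructed sample lines, counting sightings per source device without ever reading the password values.

```python
"""Hunt for cleartext logins in Zeek-style JSON logs and roll them up per device.

Added example for this article (assumption: Zeek http.log/ftp.log JSON field names).
"""
import json
from collections import defaultdict

# Constructed sample lines standing in for the Zeek output ingested by the SIEM.
SAMPLE_LOGS = """\
{"_path":"http","ts":1.0,"id.orig_h":"10.1.2.3","id.resp_h":"203.0.113.5","host":"intranet.example","username":"alice","password":"hunter2"}
{"_path":"http","ts":2.0,"id.orig_h":"10.1.2.3","id.resp_h":"203.0.113.5","host":"intranet.example","username":"alice","password":"hunter2"}
{"_path":"http","ts":3.0,"id.orig_h":"10.1.9.9","id.resp_h":"198.51.100.7","host":"portal.example","username":"bob"}
{"_path":"ftp","ts":4.0,"id.orig_h":"10.1.5.5","id.resp_h":"192.0.2.20","user":"carol","password":"<hidden>"}
{"_path":"ftp","ts":5.0,"id.orig_h":"10.1.5.5","id.resp_h":"192.0.2.20","user":"anonymous","password":"guest@"}
{"_path":"dns","ts":6.0,"id.orig_h":"10.1.7.7","query":"www.example.com"}
{"_path":"http","ts":7.0,"id.orig_h":"10.1.2.3"
"""


def parse_zeek_json(text):
    """Yield one dict per well-formed JSON line; skip blanks and torn lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line from log rotation is not worth aborting over


def cleartext_credential(rec):
    """Return (username, source_host, destination) if rec shows a cleartext login, else None."""
    path = rec.get("_path")
    if path == "http" and rec.get("username"):
        # Zeek only writes http.log for plaintext HTTP, so a Basic-auth username here went
        # over the wire unencrypted; the password field is deliberately never read.
        return (rec["username"], rec["id.orig_h"], rec.get("host") or rec["id.resp_h"])
    if path == "ftp" and rec.get("user") and rec["user"].lower() != "anonymous":
        # Zeek masks FTP passwords as "<hidden>" by default; the wire still carried it.
        return (rec["user"], rec["id.orig_h"], rec["id.resp_h"])
    return None


def summarize(text):
    """Count sightings and the distinct source devices behind them, as in the article's stats."""
    instances = 0
    by_device = defaultdict(set)  # source host -> {(username, destination)}
    for rec in parse_zeek_json(text):
        hit = cleartext_credential(rec)
        if hit:
            instances += 1
            user, src, dst = hit
            by_device[src].add((user, dst))
    return {"instances": instances, "devices": len(by_device), "by_device": dict(by_device)}
```

Repeated logins from one device count as separate instances but one device, which is why the two totals on this page differ so widely.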

A core tenet of the pop-up SOC’s philosophy was to actively contribute its findings and experiences back to the broader cybersecurity community. This commitment was primarily fulfilled through the publication of a series of detailed technical blogs, authored by the very engineers who worked on the front lines within the SOC. These articles covered a wide array of relevant topics, from firewall and Splunk integrations to in-depth case studies on investigating sudden traffic spikes and distributed denial-of-service (DDoS) attacks, as well as advanced techniques for XDR forensics and hunting for compromised credentials. One standout example of the team’s dedication to innovation was the creation of an AI model by engineer Ryan MacLennan, specifically designed to detect domain generation algorithms (DGAs) often used by malware. This model was successfully run on the new GPUs integrated within the ‘SOC in a Box,’ demonstrating a tangible leap in on-site analytical capabilities. In the spirit of community contribution, this powerful new tool was subsequently shared with Splunk Research for publication, perfectly encapsulating the integrated missions to innovate and educate. The success of the entire operation rested on the collaborative expertise of key individuals and teams from the NOC, Cisco Security, Splunk, and Endace, whose combined efforts made the ambitious project a resounding success.
