Friday, January 16, 2026

TME Experience & DDoS Case Study


Joining the Security Operations Center (SOC) team at Cisco Live Melbourne was a new experience for me as a Cisco Technical Marketing Engineer (TME). I had mostly watched the SOC in operation at several earlier events (Cisco Live, Black Hat and others), and while it was enough to watch the excitement from the outside, joining them this time was a great experience, and I don't think watching will satisfy my excitement anymore. My role was to be part of the Tier 1 (Triage) / Tier 2 (Investigator) analyst team, looking at incidents first hand. In this blog I'll focus on a few points from this experience:

  • Onboarding: Getting on board, accessing the tools, verifying data, fixing integrations
  • Process of Escalation: SOC escalation process
  • Innovation: Develop and implement new integrations, processes, workflows, and automations

Getting onboarded in a SOC at any organisation is a big task, but not with the Cisco SOC team. Getting access to the tools took less than 20 minutes; leveraging the single Duo Directory portal to log in to most of the cloud-based (and even on-prem) portals, XDR, Splunk and others made the onboarding experience fast, easy and straightforward.

Duo SSO

The second phase of the onboarding was to get to know the tools and the process to use when escalating.

  • As a Tier 1 / Tier 2 analyst, the first screen to look at is Cisco XDR, which brings in incidents from the different data sources, including Splunk Core. The incidents are enriched with threat intel and findings using either native integrations or customised workflows.
(Image: XDR Incident)
  • Investigation starts within the XDR interface with the investigate feature and pivots onto public or private tools such as VirusTotal (for reputation) or Endace (for network packet investigation and connection analysis), depending on the suspected threat.
(Image: XDR Incident)
(Image: SAA attack analyzer)

The key to this is how easy it was to learn how these tools are leveraged, and how fast we got trained, in less than an hour, on typical incident response handling and process. From the beginning of the onboarding to the end, it took less than an hour and a half before we were all set.

The escalation process is very well defined and follows a specific structure and series of actions, briefly summarised below:

  • Investigate the incident in XDR and gather information from all the other tools that provide additional context and visibility.
  • Document the incident and findings in a structured, predefined incident document format for management, and post it to a monitored Webex team room.
  • Launch an automation workflow in XDR to escalate the incident to the Tier 3 analyst team, who were using Splunk Enterprise Security.

That process is very well defined and structured, in a way that lets anyone who walks into the SOC fill the boots of a Tier 1 / Tier 2 analyst in no time, but most importantly provide value and be a productive member of this experienced team.

Day 1 at Cisco Live and guess what? Distributed Denial of Service (DDoS) activity was detected targeting Cisco TV devices connected to the Cisco Live network. Who would have thought that wouldn't happen?

  • DDoS activity detected: Finding DDoS activity targeting Cisco TV devices
  • Confirmed origin of traffic: Investigating the origin and the impact of this DDoS
  • Escalation and Remediation: Escalation to the NOC and remediation

Discovered on the first day at Cisco Live: a repetitive number of connection attempts on port 443 against three assets used by Cisco TV.

Looking at the firewall data, all these requests were being blocked every few seconds.

(Image: Cisco Live Melbourne firewall blocks)

Looking further, we noticed that the public IPs targeting these systems came from countries all over the world: India, Germany, Bulgaria, Indonesia and many others.

We investigated further to see whether these three internal devices had any successful connections from outside, from the related IPs. Using Endace, we discovered that most of the traffic was DDoS related and consisted only of half-open connections.

(Image: DoS Endace)

Every one of these IPs had a bad reputation from four or more threat intelligence sources.

(Image: Cisco Live Melbourne DoS Endace)
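The three checks described above (repeated blocked attempts on port 443 against a handful of assets, sources spread across many countries, bad reputation from four or more threat-intel sources) plus the half-open handshake view from the packet tool can be scripted as a first triage pass before escalation. The Python below is an added example, not code from the Cisco Live SOC, Cisco XDR or Endace; the log format, the country field, the asset and source addresses, the reputation counts, the handshake summaries and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
import re

# Constructed firewall events (not real SOC data). Sources use RFC 5737
# documentation ranges; 10.10.5.21-23 stand in for the three Cisco TV assets.
SAMPLE_LOGS = """\
2026-01-16T09:00:01Z action=deny src=203.0.113.10 dst=10.10.5.21 dport=443 country=IN
2026-01-16T09:00:03Z action=deny src=198.51.100.7 dst=10.10.5.21 dport=443 country=DE
2026-01-16T09:00:05Z action=deny src=192.0.2.44 dst=10.10.5.21 dport=443 country=BG
2026-01-16T09:00:07Z action=deny src=203.0.113.11 dst=10.10.5.21 dport=443 country=ID
2026-01-16T09:00:11Z action=deny src=203.0.113.10 dst=10.10.5.22 dport=443 country=IN
2026-01-16T09:00:13Z action=deny src=198.51.100.7 dst=10.10.5.22 dport=443 country=DE
2026-01-16T09:00:15Z action=deny src=192.0.2.44 dst=10.10.5.22 dport=443 country=BG
2026-01-16T09:00:17Z action=deny src=203.0.113.11 dst=10.10.5.22 dport=443 country=ID
2026-01-16T09:00:21Z action=deny src=203.0.113.10 dst=10.10.5.23 dport=443 country=IN
2026-01-16T09:00:23Z action=deny src=198.51.100.7 dst=10.10.5.23 dport=443 country=DE
2026-01-16T09:00:25Z action=deny src=192.0.2.44 dst=10.10.5.23 dport=443 country=BG
2026-01-16T09:00:27Z action=deny src=203.0.113.11 dst=10.10.5.23 dport=443 country=ID
2026-01-16T09:00:31Z action=allow src=198.51.100.99 dst=10.10.7.5 dport=443 country=AU
2026-01-16T09:00:33Z action=deny src=203.0.113.200 dst=10.10.7.5 dport=22 country=US
"""

LOG_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) country=(?P<cc>\w+)"
)

def parse_events(text):
    """Parse key=value firewall lines; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events

def blocked_443_by_asset(events):
    """Per destination: blocked 443 attempts, distinct sources/countries, median gap."""
    per_dst = defaultdict(lambda: {"attempts": 0, "sources": set(),
                                   "countries": set(), "times": []})
    for ev in events:
        if ev["action"] != "deny" or ev["dport"] != 443:
            continue
        s = per_dst[ev["dst"]]
        s["attempts"] += 1
        s["sources"].add(ev["src"])
        s["countries"].add(ev["cc"])
        s["times"].append(ev["ts"])
    for s in per_dst.values():  # "blocked every few seconds" -> median inter-arrival
        times = sorted(s.pop("times"))
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        s["median_gap_s"] = median(gaps) if gaps else None
    return dict(per_dst)

def ddos_candidates(summary, min_attempts=4, min_sources=4, min_countries=3):
    """Assets whose blocked 443 attempts are numerous and spread across many sources/countries."""
    return sorted(dst for dst, s in summary.items()
                  if s["attempts"] >= min_attempts
                  and len(s["sources"]) >= min_sources
                  and len(s["countries"]) >= min_countries)

# Constructed reputation lookup: how many threat-intel sources flag each IP.
# A live SOC would take this from XDR enrichment or VirusTotal instead.
REPUTATION_HITS = {"203.0.113.10": 5, "198.51.100.7": 4, "192.0.2.44": 6,
                   "203.0.113.11": 3, "198.51.100.99": 0, "203.0.113.200": 1}

def corroborated_sources(sources, reputation, min_hits=4):
    """Sources flagged by at least min_hits TI sources (the 'four or more' check)."""
    return sorted(ip for ip in sources if reputation.get(ip, 0) >= min_hits)

# Constructed per-flow handshake summaries, the kind of view a packet tool
# such as Endace gives: was SYN, SYN/ACK and the completing ACK seen?
SAMPLE_FLOWS = [
    {"src": "203.0.113.10", "dst": "10.10.5.21", "syn": True, "synack": True, "ack": False},
    {"src": "198.51.100.7", "dst": "10.10.5.21", "syn": True, "synack": True, "ack": False},
    {"src": "192.0.2.44", "dst": "10.10.5.21", "syn": True, "synack": False, "ack": False},
    {"src": "203.0.113.11", "dst": "10.10.5.21", "syn": True, "synack": True, "ack": False},
    {"src": "10.10.8.2", "dst": "10.10.5.21", "syn": True, "synack": True, "ack": True},
]

def half_open_ratio(flows, dst):
    """Share of flows to dst whose TCP handshake never completed."""
    to_dst = [f for f in flows if f["dst"] == dst]
    if not to_dst:
        return 0.0
    return sum(1 for f in to_dst if f["syn"] and not f["ack"]) / len(to_dst)

if __name__ == "__main__":
    summary = blocked_443_by_asset(parse_events(SAMPLE_LOGS))
    for dst in ddos_candidates(summary):
        print(dst, summary[dst]["attempts"], "blocked 443 attempts; half-open ratio",
              half_open_ratio(SAMPLE_FLOWS, dst), "; corroborated bad reputation:",
              corroborated_sources(summary[dst]["sources"], REPUTATION_HITS))
```

The output of a pass like this is what goes into the incident document: the affected assets, how many sources and countries are involved, the cadence of the blocked attempts, which sources the threat-intel corroborates, and whether the packet-level view shows real sessions or only half-open handshakes. The thresholds are deliberately low for the constructed sample and would be tuned to the event network's normal traffic.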

We followed the escalation process to identify the impact of this activity. Once we informed the NOC team, we were told that these devices belong to the Cisco TV team.

The Cisco TV team made the decision to shut down these devices, and shortly after that all DoS activity stopped. Happy days!

While my focus in this engagement was to look at the SOC analyst experience using the Cisco and third-party tools and find the gaps that we can close through feedback to engineering and product improvements, I experienced first-hand the innovation that this team is always exploring and producing from these engagements by trying the "new" and exploring possibilities that make the SOC work easier.

(Image: Cisco Live Melbourne 2025 SOC tour)

My biggest finding from this involvement is where the lasting value of this team's experience lies: not in the tools, and not in running a SOC, but in how they embrace and empower new SOC members and bring them up to a level where they are efficient contributors to this success story, which keeps repeating and improving with each step forward.

You too can be a contributing member of a SOC team!

Check out the other blogs by my colleagues in the Cisco Live APJC 2026 SOC.
