    GovWare 2025 Security Operations Centre

    By Admin, December 3, 2025


    The GovWare Security Operations Centre is a collaborative initiative with Cisco for GovWare Conference and Exhibition 2025.

    Following the successful Security Operations Centre (SOC) deployments at RSAC 2025, Black Hat Asia, and Cisco Live San Diego 2025, the Cisco ASEAN executive team approved the inaugural SOC for GovWare. This initiative required close collaboration with GovWare, Image Engine, and the Marina Bay Sands (MBS) Network Operations Center (NOC) to establish a secure conference network for attendees, with security provided by the SOC.

    The SOC was founded on three primary missions:

    • To Protect — Ensure the security of the GovWare 2025 network by defending against all forms of threats and attacks, originating from both internal and external sources.
    • To Educate — Enhance attendee understanding and awareness through engaging SOC tours and insightful blog content.
    • To Innovate — Continuously advance security capabilities by developing and implementing new integrations, refining processes, optimizing workflows, and deploying automations, working with AI.

    Attendees were invited to join the complimentary, secure GovWare 2025 network, advised to follow best security practices and asked to accept the Terms & Conditions and Code of Conduct of GovWare Conference & Exhibition 2025 as well as the Data Protection and Privacy Notice.

    GovWare 2025 Network Splash page

    Data Protection and Privacy is a paramount concern to the SOC team. At the conclusion of the conference, the data was destroyed and a certificate of destruction filed with GovWare management.

    The SOC team diligently worked to identify, locate, and help remediate threats whenever an attendee’s device or account was found to be compromised or insecure.

    SOC tour

    The GovWare SOC was successfully deployed in just two days, a testament to extensive prior planning and specialized expertise. This rapid setup was facilitated by:

    • The deployment of the “SOC in a Box,” a custom hardware solution honed through years of experience at the RSAC Conference, enabling rapid connectivity with the MBS, Splunk Enterprise Security, and the Cisco Security Cloud.
    • Drawing upon proven expertise, workflows, and procedures from the RSAC 2025 and Cisco Live San Diego SOCs, with many veteran engineers providing both on-site deployment and dedicated remote support.
    • Integrating advanced innovations and security practices developed through 10 years of safeguarding the Black Hat network, recognized as the world’s most hostile.
    • The partnership with Endace, a highly skilled full-packet capture provider, whose foundational experience at the RSAC Conference and Cisco Live San Diego in 2025 was critical and extended to their commitment for GovWare.
    SOC in a Box diagram

    The SOC Architecture

    The SOC team integrated with the NOC to connect the ‘SOC in a Box’ and Cisco Secure Access virtual appliances for DNS. They created a Switched Port Analyzer (SPAN) feed of network traffic from the inline Cisco Secure Firewall/Firepower protection and sent it to the EndaceProbe packet capture platform, which recorded all network traffic to facilitate the analysis of anomalous behavior. The EndaceProbe also generated metadata, including Zeek logs, and ingested it into the Splunk Enterprise Security Platform. Endace reconstructed and filtered file content, streaming it to Splunk Attack Analyzer (and onward to Secure Malware Analytics) for sandboxing and analysis.

    SOC architecture

    The following screenshot shows the ingestion of firewall syslog logs and SPAN data from the switch, which are then sent to the Flow Collector so that the logs are stored in Cisco Secure Network Analytics. A copy of the logs is also sent to the Cisco XDR cloud for analytics and detections.

    Cisco Telemetry Broker Explorer

    The SOC team used Duo Central for Single Sign-On access to the tools, both on-premises and in the cloud.

    Duo SSO interface

    The implementation of cloud-based solutions, specifically XDR and Splunk Cloud, proved instrumental in optimizing efficiency and reducing labor within the limited setup window. Pre-configured data and settings, notably Splunk dashboards resulting from the innovations of Ivan Berlinson, were seamlessly integrated from previous engagements.

    Splunk XDR dashboard for GovWare 2025

    Incidents were investigated by Tier 1 / Tier 2 analysts in Cisco XDR, with threat intelligence provided by Cisco Talos, and licenses donated by alphaMountain, Pulsedive, and StealthMole along with community sources.

    GovWare 2025 XDR incident dashboard

    When escalations to Tier 3 incident responders were required, the enriched Incident was sent from Cisco XDR to Splunk Enterprise Security.

    AI Defense was deployed to secure the SOC cloud infrastructure, along with Cisco Identity Intelligence.

    The Statistics

    Statistics are always a popular part of the SOC Tours. Below are the stats from this year’s event.

    • Attendees (GovWare): 14,000+
    • Total Packets Captured (Endace): 1.5 Billion
    • Total Logs Captured (Splunk): 59.2 Million Events
    • Total Sessions (Endace): 34.9 Million
    • Total Unique Devices (by MAC address, DHCP): 1,600+
    • Total Packets Written to Disk (Endace): 1.4 Terabytes
    • Total Logs Written to Cloud (Splunk): 59.2 Million Events
    • Peak Bandwidth Utilization (Endace): 200 Mbps
    • DNS Requests (Cisco Secure Access): 4.2 Million (162 Blocked)
    • Total Clear Text Usernames/Passwords (Endace): 35
    • Unique Devices/Accounts With Clear Text Usernames/Passwords (Endace): 5
    • Files Sent for Malware Analysis (Endace): 34,705 file objects reconstructed by Endace
      • 2,581 sent to Splunk Attack Analyzer
      • 1,382 sent to Secure Malware Analytics
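
    As an added illustration (not the SOC's tooling, and not code from the original post), the sketch below shows how the two clear-text credential figures could be derived from the kind of Zeek metadata described in the architecture section. It assumes Zeek's standard JSON `dhcp.log`, `http.log` and `ftp.log` field names; the function names and all sample records are constructed for this example, and the page does not describe how the SOC actually produced its counts.

```python
import json

# Constructed sample records in Zeek JSON log format (not data from the event).
DHCP_LOG = """\
{"ts":1761000000.0,"mac":"aa:bb:cc:00:00:01","assigned_addr":"10.0.0.11"}
{"ts":1761000005.0,"mac":"aa:bb:cc:00:00:02","assigned_addr":"10.0.0.12"}
"""
HTTP_LOG = """\
{"ts":1761000100.0,"id.orig_h":"10.0.0.11","host":"intranet.example","username":"alice"}
{"ts":1761000160.0,"id.orig_h":"10.0.0.11","host":"intranet.example","username":"alice"}
{"ts":1761000200.0,"id.orig_h":"10.0.0.12","host":"news.example"}
"""
FTP_LOG = """\
{"ts":1761000300.0,"id.orig_h":"10.0.0.12","user":"bob","command":"RETR"}
{"ts":1761000400.0,"id.orig_h":"10.0.0.13","user":"anonymous","command":"LIST"}
"""

def records(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def lease_map(dhcp_text):
    """Map IP -> MAC from dhcp.log; a later lease overrides an earlier one."""
    leases = {}
    for r in sorted(records(dhcp_text), key=lambda r: r["ts"]):
        if "mac" in r and "assigned_addr" in r:
            leases[r["assigned_addr"]] = r["mac"]
    return leases

def cleartext_credential_stats(dhcp_text, http_text, ftp_text):
    """Count clear-text login events and the unique devices that produced them."""
    leases = lease_map(dhcp_text)
    sightings, devices = 0, set()
    # http.log carries 'username' when HTTP Basic auth crossed the wire
    # unencrypted; ftp.log carries 'user' on each logged FTP command.
    for text, field in ((http_text, "username"), (ftp_text, "user")):
        for r in records(text):
            user = r.get(field)
            if not user or user.lower() in ("anonymous", "ftp"):
                continue  # no credential, or an anonymous FTP session
            sightings += 1
            src = r["id.orig_h"]
            devices.add(leases.get(src, src))  # fall back to IP if no lease seen
    return {"sightings": sightings, "unique_devices": len(devices)}

if __name__ == "__main__":
    print(cleartext_credential_stats(DHCP_LOG, HTTP_LOG, FTP_LOG))
```

    Keying devices on the DHCP-assigned MAC rather than the IP mirrors the way the unique-device figure above is counted, and the script never stores or prints the credentials themselves.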

    GovWare 2025 SOC Tour

    SOC Findings and Lessons Learned

    Check out the blogs by the engineers who worked inside the SOC at GovWare:

    Acknowledgements

    Our thanks to the engineers who made the first SOC at GovWare a success, by protecting the network and educating attendees (and you).

    2025 GovWare SOC Team

    Marina Bay Sands Network Operations Center Liaison

    GovWare/Image Engine Liaison

    • Goh Choon Hua, Ivan Lim and Zoe Chin

    Cisco Singapore

    • Sharon Koo, Peter Lye, Juan Huat Koo, David Ong and Ian Lim

    Cisco Security and Splunk SOC Team

    • Innovation, AI Defense, Cloud Protection Suite: Ryan MacLennan
    • Splunk Incident Response: Allison Gallo and Sumit Juyal
    • Splunk Enterprise Security Integrations: Kenneth Bouchard
    • Talos IR Threat Hunter: Yuri Kramarz
    • XDR Integrations: Ivan Berlinson
    • Breach Protection Suite, Agentic AI: Aditya Sankar, Ahmadreza Edalat and Robin Wei
    • User Protection Suite: Claire Fulk
    • Firewall and Security Cloud Control: Adam Kilgore and Carol Trincia Dsouza
    • Splunk Remote Support: Josh Wilson

    Endace SOC Team

    • Co-SOC Leader: Steve Fink
    • VP of Product: Cary Wright
    • Integrations: Barry ‘Baz’ Shaw
    • Engineering: Sundarram Paravata

    About GovWare

    GovWare Conference and Exhibition is the region’s premier cyber information and connectivity platform, offering multi-channel touchpoints to drive community intel sharing, training, and strategic collaborations.

    A trusted nexus for over three decades, GovWare unites policymakers, tech innovators, and end-users across Asia and beyond, driving pertinent dialogues on the latest trends and critical information flow. It empowers growth and innovation through collective insights and partnerships.

    Its success lies in the trust and support from the cybersecurity and broader cyber community that it has had the privilege to serve over the years, as well as organisational partners who share the same values and mission to enrich the cyber ecosystem.

