Skip to main content

Knowledge Hub

New page title image

GovWare 2025 Security Operations Centre

5 min read
GovWare 2025 Security Operations Centre
Image Source: GovWare 2025

The GovWare Security Operations Centre is a collaborative initiative with Cisco for GovWare Conference and Exhibition 2025.
 

Following the successful Security Operations Centre (SOC) deployments at RSAC 2025, Black Hat Asia, and Cisco Live San Diego 2025, the Cisco ASEAN executive team approved the inaugural SOC for GovWare. This initiative required close collaboration with GovWare, Image Engine, and the Marina Bay Sands (MBS) Network Operations Center (NOC) to establish a secure conference network for attendees, with security provided by the SOC.

The SOC was founded on three primary missions:

  • To Protect: Ensure the security of the GovWare 2025 network by defending against all forms of threats and attacks, originating from both internal and external sources.

  • To Educate: Enhance attendee understanding and awareness through engaging SOC tours and insightful blog content.

  • To Innovate: Continuously advance security capabilities by developing and implementing new integrations, refining processes, optimising workflows, and deploying automations, working with AI.

Attendees were invited to join the complimentary, secure GovWare 2025 network, advised to follow best security practices and asked to accept the Terms & Conditions and Code of Conduct of GovWare Conference & Exhibition 2025 as well as the Data Protection and Privacy Notice.

 

GovWare 2025 Network Splashpage

 

Data Protection and Privacy is a paramount concern to the SOC team. At the conclusion of the conference, the data was destroyed and a certificate of destruction filed with GovWare management.

The SOC team diligently worked to identify, locate, and help remediate threats whenever an attendee's device or account was found to be compromised or insecure.

 

GovWare 2025 SOC Tour 21 Oct 2025 - 5

 

The GovWare SOC was successfully deployed in just two days, a testament to extensive prior planning and specialised expertise. This rapid setup was facilitated by:

  • The deployment of the "SOC in a Box," a custom hardware solution honed through years of experience at the RSAC Conference, enabling rapid connectivity with the MBS, Splunk Enterprise Security, and the Cisco Security Cloud.

  • Drawing upon proven expertise, workflows, and procedures from the RSAC 2025 and Cisco Live San Diego SOCs, with many veteran engineers providing both on-site deployment and dedicated remote support.

  • Integrating advanced innovations and security practices developed through 10 years of safeguarding the Black Hat network, recognised as the world's most hostile.

  • The partnership with Endace, a highly skilled full-packet capture provider, whose foundational experience at the RSAC Conference and Cisco Live San Diego in 2025 was critical and extended to their commitment for GovWare.

 

SOC in a Box Diagram and Photo

 

The SOC Architecture

The SOC team integrated with the NOC to connect the ‘SOC in the Box’ and Cisco Secure Access virtual appliances for DNS. They created a Switched Port Analyzer (SPAN) feed of network traffic from the inline Cisco Secure Firewall/Firepower protection and sent to the EndaceProbe packet capture platform to record all network traffic, facilitating the analysis of anomalous behavior. The EndaceProbe also generated and ingested metadata, including Zeek logs, into the Splunk Enterprise Security Platform. Endace reconstructed and filtered file content, streaming it to Splunk Attack Analyzer (and onward to Secure Malware Analytics) for sandboxing and analysis.

 

GovWare 2025 Architecture

 

The following screenshot demonstrates the ingestion of firewall syslog logs and SPAN data from the switch, then sending it to Flow Collector for logs to be stored in Cisco Secure Network analytics. A copy of the logs is also being sent to Cisco XDR cloud for analytics and detections.

 

GovWare 2025 CTB architecture

 

The SOC team used Duo Central for Single Sign-On access to the tools, both on-premises and in the cloud.

 

Duo SSO

 

The implementation of cloud-based solutions, specifically XDR and Splunk Cloud, proved instrumental in optimising efficiency and reducing labour within the limited setup window. Pre-configured data and settings, notably Splunk dashboards resulting the innovations of Ivan Berlinson, were seamlessly integrated from previous engagements.

 

GovWare 2025 Splunk XDR dashboard

 

Incidents were investigated by Tier 1 / Tier 2 analysts in Cisco XDR, with threat intelligence provided by Cisco Talos, and licenses donated by alphaMountainPulsedive, and StealthMole along with community sources.

 

GovWare 2025 XDR Incidents

When escalations to Tier 3 incident responders were required, the enriched Incident was sent from Cisco XDR to Splunk Enterprise Security.

AI Defense was deployed to secure the SOC cloud infrastructure, along with Cisco Identity Intelligence.

 

The Statistics

Statistics are always a popular part of the SOC Tours. Below are the stats from this year’s event.

Statistics

 

GovWare 2025 SOC Tour 21 Oct 2025 - 3

 

SOC Findings and Lessons Learned

Check out the blogs by the engineers who worked inside the SOC at GovWare: 

 

Acknowledgements

Our thanks to the engineers who made the first SOC at GovWare a success, by protecting the network and educating attendees (and you).

GovWare 2025 SOC Team

 

Marina Bay Sands Network Operations Center Liaison 

  • John Lee Kuo Yang 

 

GovWare / Image Engine Liaison 

  • Goh Choon Hua, Ivan Lim and Zoe Chin 

 

Cisco Singapore 

  • Sharon Koo, Peter Lye, Juan Huat Koo, David Ong and Ian Lim 

 

Cisco Security and Splunk SOC Team 

  • Innovation / AI Defense / Cloud Protection Suite: Ryan MacLennan 

  • Splunk Incident Response: Allison Gallo and Sumit Juyal 

  • Splunk Enterprise Security Integrations: Kenneth Bouchard 

  • Talos IR Threat Hunter: Yuri Kramarz 

  • XDR Integrations: Ivan Berlinson 

  • Breach Protection Suite / Agentic AI: Aditya Sankar, Ahmadreza Edalat and Robin Wei 

  • User Protection Suite: Claire Fulk 

  • Firewall and Security Cloud Control: Adam Kilgore and Carol Trincia Dsouza 

  • Splunk Remote support: Josh Wilson 

 

Endace SOC Team 

  • Co-SOC Leader: Steve Fink 

  • VP of Product: Cary Wright 

  • Integrations: Barry ‘Baz’ Shaw  

  • Engineering: Sundarram Paravata 

 

 

View All Articles
Loading
GW26_Early Bird Popup

SAVE on GovWare 2026 Passes!

Enjoy Early Bird rates from now until 31 July 2026
20% off Full Conference Passes
30% off group bookings of 3 or more

Secure Your Pass