GovWare 2025 Security Operations Centre
|
The GovWare Security Operations Centre is a collaborative initiative with Cisco for GovWare Conference and Exhibition 2025. Following the successful Security Operations Centre (SOC) deployments at RSAC 2025, Black Hat Asia, and Cisco Live San Diego 2025, the Cisco ASEAN executive team approved the inaugural SOC for GovWare. This initiative required close collaboration with GovWare, Image Engine, and the Marina Bay Sands (MBS) Network Operations Center (NOC) to establish a secure conference network for attendees, with security provided by the SOC. The SOC was founded on three primary missions:
Attendees were invited to join the complimentary, secure GovWare 2025 network, advised to follow best security practices and asked to accept the Terms & Conditions and Code of Conduct of GovWare Conference & Exhibition 2025 as well as the Data Protection and Privacy Notice.
Data Protection and Privacy is a paramount concern to the SOC team. At the conclusion of the conference, the data was destroyed and a certificate of destruction filed with GovWare management. The SOC team diligently worked to identify, locate, and help remediate threats whenever an attendee's device or account was found to be compromised or insecure.
The GovWare SOC was successfully deployed in just two days, a testament to extensive prior planning and specialised expertise. This rapid setup was facilitated by:
The SOC Architecture The SOC team integrated with the NOC to connect the ‘SOC in the Box’ and Cisco Secure Access virtual appliances for DNS. They created a Switched Port Analyzer (SPAN) feed of network traffic from the inline Cisco Secure Firewall/Firepower protection and sent to the EndaceProbe packet capture platform to record all network traffic, facilitating the analysis of anomalous behavior. The EndaceProbe also generated and ingested metadata, including Zeek logs, into the Splunk Enterprise Security Platform. Endace reconstructed and filtered file content, streaming it to Splunk Attack Analyzer (and onward to Secure Malware Analytics) for sandboxing and analysis.
The following screenshot demonstrates the ingestion of firewall syslog logs and SPAN data from the switch, then sending it to Flow Collector for logs to be stored in Cisco Secure Network analytics. A copy of the logs is also being sent to Cisco XDR cloud for analytics and detections.
The SOC team used Duo Central for Single Sign-On access to the tools, both on-premises and in the cloud.
The implementation of cloud-based solutions, specifically XDR and Splunk Cloud, proved instrumental in optimising efficiency and reducing labour within the limited setup window. Pre-configured data and settings, notably Splunk dashboards resulting the innovations of Ivan Berlinson, were seamlessly integrated from previous engagements.
Incidents were investigated by Tier 1 / Tier 2 analysts in Cisco XDR, with threat intelligence provided by Cisco Talos, and licenses donated by alphaMountain, Pulsedive, and StealthMole along with community sources.
When escalations to Tier 3 incident responders were required, the enriched Incident was sent from Cisco XDR to Splunk Enterprise Security. AI Defense was deployed to secure the SOC cloud infrastructure, along with Cisco Identity Intelligence.
The Statistics Statistics are always a popular part of the SOC Tours. Below are the stats from this year’s event.
SOC Findings and Lessons Learned Check out the blogs by the engineers who worked inside the SOC at GovWare:
Acknowledgements Our thanks to the engineers who made the first SOC at GovWare a success, by protecting the network and educating attendees (and you).
Marina Bay Sands Network Operations Center Liaison
GovWare / Image Engine Liaison
Cisco Singapore
Cisco Security and Splunk SOC Team
Endace SOC Team
|











