
Launching the Security Operations Center (SOC) at RSA Conference

Feb 13, 2017 | by Sean Griesheimer

RSAC South Expo

Welcome to RSA Conference 2017! The RSA Conference SOC team set up the Security Operations Center over the weekend. We were here along with scores of construction crews rebuilding huge booth displays for some of the largest security companies in the world. It was a long weekend of building, lighting, and of course racking and stacking! We are excited to kick off the first SOC in RSA Conference history! Throughout the week, RSA NetWitness® team members, along with representatives from Cisco AMP Threat Grid, will be monitoring all the traffic through the wireless network at Moscone Center. We will also be joined by members of RSA Research and the RSA Incident Response Practice.

The SOC concept started at Black Hat in 2016. At the Black Hat security conference, most of the traffic was abnormal and interesting. We saw massive amounts of traffic tunneled over ICMP, and web shells galore. When ransomware was being downloaded, it was most likely intentional. As they say, the only way to use the Wi-Fi at Black Hat safely is to not use the Wi-Fi!


The traffic at RSA Conference is expected to be similar to what our customers see. We expect a lot of email traffic, LinkedIn updates, and general browsing, but we are also anticipating surprises. The most important difference between the two conferences is that when we see ransomware being downloaded this week, it will likely be followed by a call into a help desk.

For most of our hunting, we will leverage our latest Hunting Pack content. This gives analysts the ability to quickly sift through traffic to look through the mundane and legitimate to find the malicious. In addition, we are installing new content being developed for future releases. The team has been looking into traffic entropy and what variations can tell us about traffic. Our malware appliance will run every file that traverses the network through static, network, community, and sandbox analysis. Every file that so much as raises an eyebrow will be sent to Cisco's AMP Threat Grid for further evaluation. Threat Grid allows you to view modules running in a sandbox and interact with it.

RSAC SOC Servers

There are four large displays updated constantly with content from RSA and Cisco to give you a view into what we see. The front glass will rotate between those displays for those who want to take a closer look. For an even deeper look at what we're doing, there are still some spots open for a SOC tour. Be sure to sign up before they are gone!