At RSAC, SOC Sees User Behaviors

Published : 22/11/2024   Category : security




Instruments at the RSA Security Operations Center give analysts insight into attendee behavior on an open network.



RSA CONFERENCE 2018 – San Francisco – At RSAC 2018 the SOC is a demonstration site. It has some hard limits — no visibility to the external IP interfaces being the most significant — but it has tremendous visibility into what happens on the wireless network that supports the tens of thousands of attendees using the open system. And that network visibility translates into great visibility into the behavior of network security professionals in the wild.
A team of network security specialists, including Cisco's Jessica Bair, staff the SOC, watching traffic of various sorts flow to and from the devices carried by attendees, exhibitors, and staff. Because the SOC isn't blocking any traffic, there's great interest in the monitoring, which happens courtesy of RSA NetWitness Packets; potentially malicious traffic is further given static analysis by Threat Grid.
One of the things visitors notice in the SOC fishbowl is a screen filled with a rolling list of partially obfuscated passwords. That's when they see two important things about conference attendees, one of them good, one of them not so much.
Almost all of the passwords are either strong or very strong. That's great, and shows that security professionals, at least, have acted on the need for stronger passwords.
The problem comes in the fact that the passwords can be seen to be strong; they're being sent in clear text. It's a sign of a lesson half-learned and indicative of problems likely to plague all levels of the computer-using population of companies.
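As an added illustration of what the SOC screen described above is showing (this is example code written for this page, not the RSAC SOC's tooling or anything from NetWitness), the script below takes reassembled cleartext HTTP requests, pulls out credentials carried in Basic-auth headers or form POST bodies, rates the password's strength with an assumed length-and-character-class heuristic, and displays the password partially masked. The sample requests, hostnames, and accounts are constructed for the example; the point it makes is the article's: the strength of the password is only observable because the channel is unencrypted.

```python
"""Flag credentials visible in cleartext HTTP, rate them, and show them masked.

Added example for this page; not the article's or the RSAC SOC's code.
Sample requests below are constructed, not captured traffic.
"""
import base64
import re
from urllib.parse import parse_qs

# Form field names treated as username / password (assumed list, extend as needed).
USER_KEYS = {"user", "username", "login", "email"}
PASSWORD_KEYS = {"password", "passwd", "pass", "pwd"}

# Constructed HTTP requests standing in for flows reassembled from a cleartext capture.
SAMPLE_REQUESTS = [
    ("POST /login HTTP/1.1\r\nHost: portal.example\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "user=alice&password=Tr0ub4dor%263Xy!"),
    ("GET /api/status HTTP/1.1\r\nHost: api.example\r\n"
     "Authorization: Basic " + base64.b64encode(b"bob:hunter2").decode() + "\r\n\r\n"),
    "GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",  # no credential: no finding
]


def mask(password):
    """Partially obfuscate for display: keep the first two and the last character."""
    if len(password) <= 4:
        return "*" * len(password)
    return password[:2] + "*" * (len(password) - 3) + password[-1]


def rate_strength(password):
    """Rough strength bucket from length and character-class mix (assumed heuristic)."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if len(password) < 8 or classes < 2:
        return "weak"
    if len(password) >= 14 and classes >= 3:
        return "very strong"
    return "strong"


def extract_credentials(raw):
    """Return (user, password, source) tuples visible in one cleartext HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    found = []
    m = re.match(r"Basic\s+(\S+)", headers.get("authorization", ""), re.I)
    if m:
        try:
            user, _, pw = base64.b64decode(m.group(1)).decode("utf-8", "replace").partition(":")
            found.append((user, pw, "basic-auth"))
        except ValueError:                       # malformed base64: nothing to report
            pass
    if "application/x-www-form-urlencoded" in headers.get("content-type", "").lower() and body:
        fields = {k.lower(): v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        pw_key = next((k for k in fields if k in PASSWORD_KEYS), None)
        if pw_key:
            user = next((fields[k] for k in fields if k in USER_KEYS), "")
            found.append((user, fields[pw_key], "form-post"))
    return found


def analyze_requests(requests):
    """Build one finding per credential; every finding is by construction over cleartext HTTP."""
    findings = []
    for raw in requests:
        host = re.search(r"^Host:\s*(\S+)", raw, re.M)
        for user, pw, source in extract_credentials(raw):
            findings.append({
                "host": host.group(1) if host else "?",
                "user": user,
                "masked": mask(pw),
                "strength": rate_strength(pw),
                "source": source,
                "issue": "credential sent in cleartext HTTP",
            })
    return findings


if __name__ == "__main__":
    for f in analyze_requests(SAMPLE_REQUESTS):
        print(f"{f['host']:16} {f['user']:8} {f['masked']:16} {f['strength']:12} "
              f"via {f['source']}: {f['issue']}")
```

Run as-is it reports two findings: a very strong password in a form POST and a weak one in a Basic-auth header, both equally exposed. The masking keeps the display useful for spotting patterns without putting full secrets on a screen; in a real deployment the finding, not the password, is what should be retained.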
And passwords arent the only data being sent in the clear. Other examples of documents analysts have seen traversing the network include business plans, resumes, and information on competitors, according to one of the engineers staffing the SOC. 
While the passwords and documents traversing the network represent a significant security risk, Bair quickly points out that there is no threat of long-term information release; the hard disks from the monitoring and analysis appliances are crushed at the end of the conference.
Of course, the monitoring infrastructure established in the SOC sees more than just potentially embarrassing clear text documents. Malware and possible malware were identified and analyzed through Cisco's Advanced Malware Protection (AMP) Anywhere with its Threat Intelligence Cloud. Information on potential malware seen was communicated among all nodes of the security network and other security networks related to the RSA Conference infrastructure for more rapid identification and (potential) remediation.
Ultimately, Bair likened the activity of the SOC to the basic instruction given to fighting women and men of the U.S. Army. You have to do three things: Shoot, move, and communicate. If you're not doing all three, you're [redacted] dead.
In cybersecurity terms, the system must actively defend the organization's assets, be agile in shifting its activities to meet evolving threats, and share information and commands with other networks looking for malware and malicious behavior. With all three, an organization has a chance to practice effective behavior. Without the three, then sooner or later your organization is truly [redacted] dead.
