Mobile World Congress 2025: SOC in the Network Operations Center
Mobile World Congress 2025 in Barcelona delivered on every promise – a record-breaking event with 109,000 attendees from 205 countries, with over 2,900 exhibitors, sponsors, and partners showcasing an impressive array of cutting‐edge topics, from 5G and IoT to Unified Security for the AI-driven Future.
As always, Cisco’s presence showcased a suite of innovations, such as the latest secure connectivity solutions, demonstrated next‐gen wireless innovations, and made several high-profile media announcements that underscored our commitment to shaping the future of digital communications.
Cisco’s One Cisco strategy was on full display, integrating networking, security, observability, and Splunk solutions to deliver unparalleled outcomes. This holistic approach showcases how our customers can achieve AI-ready data centers, future-proofed workplaces, and digital resilience.
Cisco at MWC 2025: A Powerhouse of Innovation
In true Cisco fashion, our booth wasn’t just a space but rather a hub of innovation and collaboration. Live Demo Highlights included:
Lessons From Previous Events
Building on our experiences at Black Hat, NFL Super Bowl, RSA Conference and others the Team brought the same energy and technical rigor to MWC 2025. Our SNOC team leveraged the operational excellence honed at those events, blending state-of-the-art security tools with real-time network monitoring to ensure seamless event operations.
The Splunk Cloud was used as the data platform, adding Apps for data ingestion:
With these integrations, our SOC team was able to build a CISO level SNOC dashboard for critical telemetry from all network and security sources.
We also had SOC Manager level dashboards for XDR Incidents, Firewall Events and DNS Security.
We also connected the integrations with Cisco XDR, for Dashboard visibility and Incident investigation.
We had XDR Automate workflows to promote threat detections in Splunk to XDR Incidents, and the XDR integration back into Splunk.
The Incidents empowered the SNOC team to prioritize investigations.
Additionally, at this year’s Mobile World Congress in Barcelona, Cisco’s ThousandEyes dashboard was instrumental in providing robust network assurance. Attendees benefited from real-time monitoring and insights into network performance, ensuring a seamless experience from start to finish. With the capability to track critical components like the event homepage and login processes, ThousandEyes ensured that participants could access essential resources swiftly and without interruption. This level of detailed visibility and control helped maintain the integrity and reliability of the network throughout the event.
Day 1: A Test of Scale
Day 1 was all about handling massive network activity seamlessly. From only a few staff devices to thousands of devices connecting simultaneously, our firewall and network monitoring systems performed flawlessly, processing a high volume of traffic while maintaining pinpoint visibility. The robust performance of our Cisco security solutions reaffirmed that, whether in a controlled lab environment or amidst a vibrant conference, network resilience is not negotiable.
Day 2: When a Russian Threat Tried to Crash the Party
Just as you think the only surprises at MWC 2025 are the innovative tech and spontaneous demos, our firewall logs gave us an unexpected twist. On Day 2, our vigilant monitoring detected an anomalous event: a privilege escalation event coming from a Russian source.
Our technical maestro, Jorge Quintero, immediately flagged this as a potential high-risk event – a situation where an endpoint might be compromised. The logs showed a pattern consistent with C2 communications, prompting a rapid investigation and swift remediation measures. In true SNOC style, we ensured that any unwelcome guest was shown the door before it could wreak havoc. (It seems even at MWC, cyber adversaries can’t resist the allure of the party!)
What really stood out in this IDS event was a crafted plain-text script running on port 80 with Internet Explorer (yes – still in use).
The Snort signature that was triggered also highlighted two main techniques being used:
Using public generative AI tools, the analysis of the payload yielded the following results, revealing consistent patterns of malicious activity — including attempts to identify anti-malware tools (likely for removal to maintain persistence) and potentially escalate privileges further.
Finally, what confirmed our suspicions (if they weren’t already) came from Talos and AlienVault threat intelligence. This IP address (belonging to the Russian Federation) had already been flagged for malicious activity.
Day 3: Cryptomining — The Tale of the Good and the Evil
Day 3 brought an interesting topic to our attention — cryptomining. From its humble beginnings to the multi-billion-dollar industry, it is today, we have witnessed the rise of crypto — now extending beyond just cryptocurrency to innovative uses in the fintech space, including NFTs and more.
However, we have also seen how this technology has been leveraged by malicious actors, specifically to compromise endpoints and hijack computing resources for cryptomining.
Using public generative AI tools to decode plain text, we identified mining software (XMRig) making RPC calls to the Monero cryptocurrency network. Now, it’s worth highlighting that, although suspicious, this could still be a legitimate case of an endpoint running mining software.
However, the illegitimate nature of this activity was confirmed again through Talos and AlienVault intelligence. The public IP address in use had already been flagged for involvement in malicious cryptomining operations.
Day 4: Slowdown and Event Wrap-Up!
Day 4 showed a slowdown in activity, making it a threat-free day and giving us time to analyze and aggregate the entire dataset from the event. Here are a couple of key takeaways from the firewall analysis:
1. EVE (Encrypted Visibility Engine): Paving the way for encrypted traffic analysis.
Cisco’s Encrypted Visibility Engine (EVE) has proven that the innovation of recent years is significant. Monitoring at Fira was conducted entirely using IDS (Intrusion Detection System) with passive analysis. Even without decryption capabilities, we were able to identify threats within encrypted traffic, as well as the processes generating those traffic flow.
2. Event-driven analytics, powered by Splunk
The Cisco + Splunk story is a match made in heaven. With Cisco’s depth and breadth in security and a strong portfolio, combined with Splunk’s world-class observability and flexibility, we were able to build powerful, actionable dashboards for easy consumption by the SNOC team.
Below is the aggregated data for the entire event — covering everything from connection events, file events, and intrusion events to a prioritized set of incidents identified throughout the convention.
This included DNS security blocks, protecting Fira’s Network attendees at MWC, from malicious websites. Over 14,400 apps were seen on the MWC network.
Looking Ahead
The unexpected incident on Day 2 only reinforced one vital lesson: in today’s hyper-connected world, innovation must always be matched with rigorous security. As we reflect on the successes of MWC 2025, we’re already planning enhancements to our threat detection and incident response capabilities, drawing on both our MWC, Black Hat, and NFL experiences.
Cisco’s SNOC Team remains committed to staying one step ahead, turning every challenge into an opportunity to innovate and protect. Whether it’s managing tens of thousands of connections or intercepting a rogue C2 signal, we’re ready to ensure that the digital future is as secure as it is brilliant.
While technology was on full display, the real stars of the Security Booth were the dedicated individuals who brought these demos and operations to life. A heartfelt thank you to: Alberto Torralba, Filipe Lopes, Jorge Quintero, Jervis Hui, Nirav Shah, John Cardani-Trollinger, and Emile Antone. Their expertise and dedication ensured that every demo ran flawlessly and captured the attention of every attendee. Special appreciation to Ivan Padilla Ojeda, who was our liaison with the network team to connect everything in the SNOC.
Also, thank you to those who helped us prepare for the SNOC: Ivan Berlinson, Ryan Maclennan, Aditya Sankar, Seyed Khadem, Tony Iacobelli, Dallas Williams, Nicholas Carrieri and Jessica Oppenheimer.
Wrapping Up
Mobile World Congress 2025 was not just about showcasing the next wave of technological innovation; it was also a powerful demonstration of how integrated, resilient security measures can safeguard even the most bustling, high-stakes environments. The comparative insights from Day 1 and Day 2 underscore the importance of staying one step ahead, constantly adapting, and continuously improving our defense strategies.
Thank you for joining us on this journey through MWC 2025 and stay tuned for more insights and behind-the-scenes stories from MWC 2025. After all, in the world of tech, it’s never just another day at the office!
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Security Social Channels
Share:
