Mobile World Congress 2025: SOC in the Network Operations Center


Mobile World Congress 2025 in Barcelona delivered on every promise – a record-breaking event with 109,000 attendees from 205 countries, with over 2,900 exhibitors, sponsors, and partners showcasing an impressive array of cutting‐edge topics, from 5G and IoT to Unified Security for the AI-driven Future.

As always, Cisco’s presence showcased a suite of innovations: the latest secure connectivity solutions, demonstrations of next‐gen wireless technology, and several high-profile media announcements that underscored our commitment to shaping the future of digital communications.

Cisco’s One Cisco strategy was on full display, integrating networking, security, observability, and Splunk solutions to deliver unparalleled outcomes. This holistic approach showcases how our customers can achieve AI-ready data centers, future-proofed workplaces, and digital resilience.

Cisco at MWC 2025: A Powerhouse of Innovation

In true Cisco fashion, our booth wasn’t just a space but rather a hub of innovation and collaboration. Live Demo Highlights included:

Fig. 1: Alberto Torralba, Cisco, Presenting to Alberto Núñez Feijóo, Member of the Congress of Deputies of Spain

Lessons From Previous Events

Building on our experiences at Black Hat, the NFL Super Bowl, RSA Conference and others, the team brought the same energy and technical rigor to MWC 2025. Our SNOC team leveraged the operational excellence honed at those events, blending state-of-the-art security tools with real-time network monitoring to ensure seamless event operations.

The Splunk Cloud was used as the data platform, adding Apps for data ingestion:

With these integrations, our SOC team was able to build a CISO-level SNOC dashboard for critical telemetry from all network and security sources.

Fig. 2: CISO-level SNOC dashboard

We also had SOC Manager level dashboards for XDR Incidents, Firewall Events and DNS Security.

Fig. 3: SOC manager-level dashboard

We also connected the integrations with Cisco XDR, for Dashboard visibility and Incident investigation.

Fig. 4: Dashboard view of integrations connected to Cisco XDR

We had XDR Automate workflows to promote threat detections in Splunk to XDR Incidents, and the XDR integration feeding incident data back into Splunk.

Fig. 5: Automated XDR workflows

The Incidents empowered the SNOC team to prioritize investigations.

Fig. 6: Cisco XDR incident list

Additionally, at this year’s Mobile World Congress in Barcelona, Cisco’s ThousandEyes dashboard was instrumental in providing robust network assurance. Attendees benefited from real-time monitoring and insights into network performance, ensuring a seamless experience from start to finish. With the capability to track critical components like the event homepage and login processes, ThousandEyes ensured that participants could access essential resources swiftly and without interruption. This level of detailed visibility and control helped maintain the integrity and reliability of the network throughout the event.

Fig. 7: Cisco ThousandEyes dashboard

Day 1: A Test of Scale

Day 1 was all about handling massive network activity seamlessly. From only a few staff devices to thousands of devices connecting simultaneously, our firewall and network monitoring systems performed flawlessly, processing a high volume of traffic while maintaining pinpoint visibility. The robust performance of our Cisco security solutions reaffirmed that, whether in a controlled lab environment or amidst a vibrant conference, network resilience is not negotiable.

Fig. 8: Fira Network Security architecture

Day 2: When a Russian Threat Tried to Crash the Party

Just as you think the only surprises at MWC 2025 are the innovative tech and spontaneous demos, our firewall logs gave us an unexpected twist. On Day 2, our vigilant monitoring detected an anomalous event: a privilege escalation event coming from a Russian source.

Fig. 9: Firewall Management Center (FMC) Intrusion Events

Fig. 10: Firewall Management Center (FMC) Intrusion Events, detailed view

Our technical maestro, Jorge Quintero, immediately flagged this as a potential high-risk event – a situation where an endpoint might be compromised. The logs showed a pattern consistent with C2 communications, prompting a rapid investigation and swift remediation measures. In true SNOC style, we ensured that any unwelcome guest was shown the door before it could wreak havoc. (It seems even at MWC, cyber adversaries can’t resist the allure of the party!)

Fig. 11: Firewall Management Center (FMC) Intrusion Event, event packet capture

What really stood out in this IDS event was a crafted plain-text script running on port 80 with Internet Explorer (yes – still in use).

Fig. 12: Intrusion Event Packet Capture, details

The Snort signature that was triggered also highlighted two main techniques being used:

Fig. 13: Firewall Management Center (FMC) Intrusion Event, MITRE ATT&CK mappings

Using public generative AI tools, the analysis of the payload yielded the following results, revealing consistent patterns of malicious activity — including attempts to identify anti-malware tools (likely for removal to maintain persistence) and potentially escalate privileges further.

Fig. 14: Example from Public Generative AI Application Prompt Response

Finally, what confirmed our suspicions (if they weren’t already) came from Talos and AlienVault threat intelligence. This IP address (belonging to the Russian Federation) had already been flagged for malicious activity.

Fig. 15: Threat Intelligence Information

Day 3: Cryptomining — The Tale of the Good and the Evil

Day 3 brought an interesting topic to our attention — cryptomining. From its humble beginnings to the multi-billion-dollar industry it is today, we have witnessed the rise of crypto — now extending beyond just cryptocurrency to innovative uses in the fintech space, including NFTs and more.

However, we have also seen how this technology has been leveraged by malicious actors, specifically to compromise endpoints and hijack computing resources for cryptomining.

Fig. 16: Firewall Management Center (FMC), intrusion event details

Fig. 17: Intrusion event packet capture details

Using public generative AI tools to decode plain text, we identified mining software (XMRig) making RPC calls to the Monero cryptocurrency network. Now, it’s worth highlighting that, although suspicious, this could still be a legitimate case of an endpoint running mining software.

Fig. 18: Example from Public Generative AI Application Prompt Response

However, the illegitimate nature of this activity was confirmed again through Talos and AlienVault intelligence. The public IP address in use had already been flagged for involvement in malicious cryptomining operations.

Fig. 19: Threat intelligence information
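Both the Day 2 and Day 3 investigations followed the same shape: an IDS fires on a cleartext payload, the payload is classified (a script probing for security tools on port 80; an XMRig Stratum JSON-RPC login), and the verdict is confirmed by checking the peer IP against threat intelligence. The following is an added example, not code from Cisco or the SNOC team, that models that triage over constructed intrusion events and a constructed threat-intelligence list standing in for the Talos and AlienVault lookups. The IP addresses, payloads, wallet placeholder, and the `AV_PROBE_RE` pattern are all assumptions made for illustration.

```python
"""Added example (not Cisco's or the SNOC team's code): triage IDS intrusion
events by classifying cleartext payloads and enriching peer IPs with a
threat-intelligence list. Every IP, payload and feed entry here is constructed.
"""
import json
import re
from dataclasses import dataclass, field

# Constructed threat-intel feed (IP -> tags), standing in for Talos/AlienVault.
TI_FEED = {
    "203.0.113.45": {"c2", "russian-federation"},   # constructed C2 source
    "198.51.100.77": {"cryptomining"},              # constructed mining pool
}

# Assumed pattern for scripts enumerating running processes (e.g. to find
# anti-malware tools); tune to your own environment.
AV_PROBE_RE = re.compile(r"\b(tasklist|Get-Process)\b", re.IGNORECASE)


@dataclass
class IntrusionEvent:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: str  # cleartext payload as captured by the IDS (constructed)


@dataclass
class Verdict:
    event: IntrusionEvent
    reasons: list = field(default_factory=list)
    ti_tags: set = field(default_factory=set)

    @property
    def priority(self) -> str:
        """High when payload evidence and TI agree, medium on either alone."""
        if self.reasons and self.ti_tags:
            return "high"
        if self.reasons or self.ti_tags:
            return "medium"
        return "low"


def stratum_login_agent(payload: str):
    """Return the miner's agent string if the payload is a Stratum JSON-RPC
    'login' message (the cleartext handshake XMRig sends to a pool), else None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("method") != "login":
        return None
    return msg.get("params", {}).get("agent")


def assess(event: IntrusionEvent, ti_feed=TI_FEED) -> Verdict:
    """Classify one event's payload and enrich both peers against the TI feed."""
    verdict = Verdict(event)
    agent = stratum_login_agent(event.payload)
    if agent:
        verdict.reasons.append(f"stratum login by {agent}")
    if event.dst_port == 80 and AV_PROBE_RE.search(event.payload):
        verdict.reasons.append("cleartext script enumerating security processes")
    for ip in (event.src_ip, event.dst_ip):
        verdict.ti_tags |= ti_feed.get(ip, set())
    return verdict


def triage(events, ti_feed=TI_FEED):
    """Return verdicts ordered high -> medium -> low so analysts start at the top."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted((assess(e, ti_feed) for e in events), key=lambda v: rank[v.priority])


# Constructed sample events mirroring the Day 2 and Day 3 cases.
SAMPLE_EVENTS = [
    IntrusionEvent("203.0.113.45", "10.0.0.5", 80,
                   "tasklist /v | findstr /i defender"),
    IntrusionEvent("10.0.0.9", "198.51.100.77", 3333, json.dumps({
        "id": 1, "jsonrpc": "2.0", "method": "login",
        "params": {"login": "WALLET_PLACEHOLDER", "pass": "x",
                   "agent": "XMRig/6.21.0"}})),
    IntrusionEvent("10.0.0.12", "10.0.0.1", 80, "GET /index.html HTTP/1.1"),
]

if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        print(v.priority, v.event.src_ip, "->", v.event.dst_ip,
              v.reasons, sorted(v.ti_tags))
```

The priority rule encodes the post's own reasoning: payload evidence alone (a miner login could be a legitimate endpoint) or a TI hit alone is worth a look, but the two together are what confirmed both incidents.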

Day 4: Slowdown and Event Wrap-Up!

Day 4 showed a slowdown in activity, making it a threat-free day and giving us time to analyze and aggregate the entire dataset from the event. Here are a couple of key takeaways from the firewall analysis:

1. EVE (Encrypted Visibility Engine): Paving the way for encrypted traffic analysis.

Cisco’s Encrypted Visibility Engine (EVE) has proven how significant the innovation of recent years is. Monitoring at Fira was conducted entirely with a passive IDS (Intrusion Detection System) deployment. Even without decryption capabilities, we were able to identify threats within encrypted traffic, as well as the processes generating those traffic flows.

Fig. 20: Firewall Management Center (FMC) dashboard, Encrypted Visibility Engine statistics

2. Event-driven analytics, powered by Splunk

The Cisco + Splunk story is a match made in heaven. With Cisco’s depth and breadth in security and a strong portfolio, combined with Splunk’s world-class observability and flexibility, we were able to build powerful, actionable dashboards for easy consumption by the SNOC team.

Below is the aggregated data for the entire event — covering everything from connection events, file events, and intrusion events to a prioritized set of incidents identified throughout the convention.

Fig. 21: Secure Firewall Splunk app in Splunk

This included DNS security blocks that protected attendees on Fira’s network at MWC from malicious websites. Over 14,400 apps were seen on the MWC network.

Fig. 22: Umbrella DNS in Splunk dashboard

Looking Ahead

The unexpected incident on Day 2 only reinforced one vital lesson: in today’s hyper-connected world, innovation must always be matched with rigorous security. As we reflect on the successes of MWC 2025, we’re already planning enhancements to our threat detection and incident response capabilities, drawing on our MWC, Black Hat, and NFL experiences.

Cisco’s SNOC Team remains committed to staying one step ahead, turning every challenge into an opportunity to innovate and protect. Whether it’s managing tens of thousands of connections or intercepting a rogue C2 signal, we’re ready to ensure that the digital future is as secure as it is brilliant.

While technology was on full display, the real stars of the Security Booth were the dedicated individuals who brought these demos and operations to life. A heartfelt thank you to: Alberto Torralba, Filipe Lopes, Jorge Quintero, Jervis Hui, Nirav Shah, John Cardani-Trollinger, and Emile Antone. Their expertise and dedication ensured that every demo ran flawlessly and captured the attention of every attendee. Special appreciation to Ivan Padilla Ojeda, who was our liaison with the network team to connect everything in the SNOC.

Also, thank you to those who helped us prepare for the SNOC: Ivan Berlinson, Ryan Maclennan, Aditya Sankar, Seyed Khadem, Tony Iacobelli, Dallas Williams, Nicholas Carrieri and Jessica Oppenheimer.

Wrapping Up

Mobile World Congress 2025 was not just about showcasing the next wave of technological innovation; it was also a powerful demonstration of how integrated, resilient security measures can safeguard even the most bustling, high-stakes environments. The comparative insights from Day 1 and Day 2 underscore the importance of staying one step ahead, constantly adapting, and continuously improving our defense strategies.

Mobile World Congress 2025 team photo

Thank you for joining us on this journey through MWC 2025 and stay tuned for more insights and behind-the-scenes stories from MWC 2025. After all, in the world of tech, it’s never just another day at the office!
