A Cisco Systems Engineer shares 2.5 years of experience running live SOC deployments at events like Cisco Live, including standing up a full Security Operations Center in 48 hours. Using the Dutch Delta Works flood defense system as a metaphor for layered security, the post explains how Cisco SNA/NetFlow, Firepower Threat Defense, XDR, Splunk ES, and Endace packet capture work together as complementary defense layers. A real incident walkthrough demonstrates the workflow: an FTP anomaly alert triaged through XDR, investigated via Splunk SPL queries drafted with Cisco's AI assistant, and confirmed with Endace packet capture — ultimately revealing a security product updating itself over unencrypted FTP, which turned out to be benign but highlighted supply chain risk concerns.
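The detection step in that walkthrough, an anomaly alert on cleartext FTP that is then summarized per source host for triage, can be reproduced over NetFlow-style records. The block below is an added example written for this summary; it is not code from the original post or from Cisco, and it assumes flow records already exported as simple field sets (source, destination, destination port, protocol, byte counts). All addresses and byte counts are constructed for illustration.

```python
"""Flag cleartext FTP control sessions in NetFlow-style flow records and
roll them up per source host so an analyst can see which endpoint pulled
the most data over an unencrypted channel.

Added example (not from the original post or from Cisco). Assumes flow
records are available as the Flow fields below; sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

FTP_CONTROL_PORT = 21  # cleartext FTP control channel


@dataclass(frozen=True)
class Flow:
    src: str        # source address (inside host)
    dst: str        # destination address
    dport: int      # destination port
    proto: str      # transport protocol, e.g. "tcp"
    bytes_out: int  # bytes sent by src
    bytes_in: int   # bytes received by src


# Constructed sample flows; addresses come from documentation ranges
# and are hypothetical.
SAMPLE_FLOWS = [
    Flow("10.0.5.21", "203.0.113.40", 21, "tcp", 1200, 3400),
    Flow("10.0.5.21", "203.0.113.40", 21, "tcp", 900, 2_800_000),  # large pull
    Flow("10.0.5.21", "198.51.100.7", 443, "tcp", 5000, 120_000),
    Flow("10.0.9.3", "203.0.113.41", 21, "tcp", 300, 1500),
    Flow("10.0.9.3", "198.51.100.7", 443, "tcp", 800, 9000),
    Flow("10.0.9.3", "203.0.113.41", 21, "udp", 100, 0),  # not TCP, ignored
]


def cleartext_ftp_flows(flows):
    """Return only TCP flows whose destination port is the FTP control port."""
    return [f for f in flows if f.proto == "tcp" and f.dport == FTP_CONTROL_PORT]


def summarize_by_source(flows):
    """Group cleartext FTP flows per source host.

    Returns a dict keyed by source address with the set of FTP servers
    contacted, the number of control sessions, and total bytes received.
    """
    summary = defaultdict(lambda: {"dsts": set(), "sessions": 0, "bytes_in": 0})
    for f in cleartext_ftp_flows(flows):
        entry = summary[f.src]
        entry["dsts"].add(f.dst)
        entry["sessions"] += 1
        entry["bytes_in"] += f.bytes_in
    return dict(summary)


def triage_order(flows, min_bytes_in=0):
    """Rank source hosts by bytes pulled over cleartext FTP, largest first.

    min_bytes_in lets an analyst suppress tiny control-only sessions and
    focus on hosts that actually downloaded payloads (software updates,
    for instance) without transport encryption.
    """
    rows = [
        {"src": src, "dsts": sorted(v["dsts"]), "sessions": v["sessions"],
         "bytes_in": v["bytes_in"]}
        for src, v in summarize_by_source(flows).items()
        if v["bytes_in"] >= min_bytes_in
    ]
    return sorted(rows, key=lambda r: r["bytes_in"], reverse=True)


if __name__ == "__main__":
    for row in triage_order(SAMPLE_FLOWS):
        print(f"{row['src']:<12} sessions={row['sessions']} "
              f"bytes_in={row['bytes_in']:>9} servers={','.join(row['dsts'])}")
```

The ranked output is what an analyst would carry into the packet capture step: the top host and its FTP server identify which capture to pull, and a large byte count on port 21 traffic is the cue to check whether the transfer was an update mechanism rather than exfiltration.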
Table of contents
The 48-Hour Challenge: Standing Up a SOC
The Delta Logic: Layered Defense in the Lowlands
The New Guard: Splunk and Endace
Falling Back on Experience: The Power of SNA Flowtables
The Anatomy of a Catch: From Alert to Ground Truth
The Champagne Taste