LAS VEGAS — In a dark room on level 2 of the Mandalay Bay Convention Center lies Black Hat’s operational epicenter: the Network Operations Center (NOC). There was only the dim glow of a large Black Hat logo, several laptop screens and large dashboards displaying real-time network and security metrics. Music and popular hacker movies were playing, setting a thematic ambiance. Here, a dedicated team of experts from a number of security and networking vendors diligently monitored the proceedings, ensuring that the conference network remained stable and protected.

As one of the largest security conferences, Black Hat can be a testbed for attendees or trainees to try new attack techniques and vulnerabilities, which also makes it an alluring target for threat actors looking to attack its infrastructure or steal personally identifiable information (PII) from attendees, according to Jason Reverri, senior technical product engineer and Palo Alto Networks NOC lead at Black Hat.

“We do fairly commonly see somebody learning a technique in a class, and then trying it out on the guest wireless,” Reverri told SDxCentral. “If they're actually doing something illegal, we'll actually intercede with that.”

Over the years, the Black Hat NOC team has seen cases ranging from the concerning, such as an attendee logging into a dating service with unencrypted network traffic, exposing PII and user activity; to the alarming, such as a threat actor attempting to attack their hometown police department.

A collaborative effort among networking and security vendors

To address these threats and protect attendees, the Black Hat team every year selects several leading networking and security vendors to form the NOC. This year, the collaboration was among Arista Networks, Cisco, Corelight, Lumen, Netwitness and Palo Alto Networks.

The NOC team integrates technologies, products and intelligence from all these partners. For example, the internet service provider Lumen provides two 10 Gb/s circuits routed through geographically diverse locations, which feed into Palo Alto Networks firewalls. Palo Alto Networks in turn provides network segmentation through hardware from Arista, the internal core switch provider, Reverri said.

Palo Alto Networks’ role in Black Hat NOC

For the Black Hat NOC, Palo Alto Networks deployed a suite of its products, including Cortex XDR, PA-5280 next-generation firewalls, Panorama network security management on an M-300 appliance and Cortex XSOAR.

Reverri said XSOAR “is key to the NOC automation workflows and integrations with the other products supporting the Black Hat,” and it is also paired with threat intelligence from other vendors such as Cisco Talos.

“It's about an 80-20 split this year: about 80% of the initial investigations are all handled through this automation piece so that we're boiling up like that 20% and this is really important that the threat hunters are digging into,” he noted.
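The following is an added illustrative example of the automation-first triage split described above; it is not Black Hat NOC, Palo Alto Networks or XSOAR code, and every log line, subnet and indicator in it is constructed for the example. It runs a first pass over a batch of firewall alerts the way an automation playbook would: anything aimed at the registration service, anything matching an external intel feed, and cleartext logins from the attendee network go to a human, lab-to-lab activity in the training segment and low-severity noise is closed automatically, and the share the automation absorbed is reported.

```python
"""First-pass alert triage, modelling the NOC's automation-then-humans split.

Added illustrative example, not Black Hat NOC, Palo Alto Networks or XSOAR code.
Every log line, subnet and indicator below is constructed for the example.
"""
import csv
import io
import ipaddress

# Constructed alert records. The fields are a simplified stand-in for a
# firewall threat log; the real PAN-OS log schema is not reproduced here.
SAMPLE_ALERTS = """\
time,src,dst,dport,severity,threat,action
2023-08-09T10:01:02,10.40.12.17,10.40.13.5,445,medium,SMB Brute Force,alert
2023-08-09T10:01:05,10.40.12.22,203.0.113.9,443,low,URL Filtering,alert
2023-08-09T10:02:11,10.20.5.8,203.0.113.50,80,informational,HTTP Request,allow
2023-08-09T10:03:30,10.20.5.9,192.0.2.44,4444,critical,Meterpreter Reverse TCP,reset-both
2023-08-09T10:04:00,10.20.7.3,10.50.1.10,443,high,SQL Injection Attempt,alert
2023-08-09T10:04:31,10.40.12.17,10.40.13.6,22,medium,SSH Brute Force,alert
2023-08-09T10:05:02,10.20.5.8,203.0.113.200,25,low,SMTP Cleartext Login,alert
2023-08-09T10:05:40,10.20.9.14,203.0.113.51,443,low,URL Filtering,alert
2023-08-09T10:06:12,10.40.12.30,10.40.13.5,1024,low,Port Scan,alert
2023-08-09T10:06:55,10.20.9.15,203.0.113.52,80,informational,HTTP Request,allow
"""

# Constructed address plan (an assumption, not Black Hat's real network).
TRAINING_LAB = ipaddress.ip_network("10.40.0.0/16")   # hands-on class rooms
GUEST_WIFI = ipaddress.ip_network("10.20.0.0/16")     # attendee wireless
REGISTRATION = ipaddress.ip_network("10.50.1.0/24")   # registration, behind the firewalls

# Constructed stand-in for an external indicator feed such as Cisco Talos.
KNOWN_BAD_HOSTS = {"192.0.2.44", "198.51.100.77"}

AUTO_CLOSE_SEVERITIES = {"informational", "low"}


def triage(alert: dict) -> tuple[str, str]:
    """Decide one alert. Returns ('escalate' | 'auto-close', reason)."""
    src = ipaddress.ip_address(alert["src"])
    dst = ipaddress.ip_address(alert["dst"])

    # The Internet-facing registration service is the crown jewel: any hit goes to a human.
    if dst in REGISTRATION:
        return "escalate", "targets registration services"
    # A destination the intel feed already flagged is never auto-closed.
    if alert["dst"] in KNOWN_BAD_HOSTS:
        return "escalate", "destination on threat-intel list"
    # Cleartext logins from the attendee network leak credentials and PII.
    if src in GUEST_WIFI and "cleartext" in alert["threat"].lower():
        return "escalate", "cleartext credentials from guest network"
    # Lab-to-lab activity in the training segment is expected: people trying
    # out what they learned in class. Close it unless the firewall had to block.
    if src in TRAINING_LAB and dst in TRAINING_LAB and alert["action"] in ("alert", "allow"):
        return "auto-close", "training lab exercise"
    if alert["severity"] in AUTO_CLOSE_SEVERITIES:
        return "auto-close", f"{alert['severity']} severity, no other indicator"
    return "escalate", f"{alert['severity']} severity: {alert['threat']}"


def run_triage(raw_csv: str = SAMPLE_ALERTS) -> dict:
    """Triage every alert and report how much of the batch the automation absorbed."""
    escalated, auto_closed = [], []
    for alert in csv.DictReader(io.StringIO(raw_csv)):
        disposition, reason = triage(alert)
        record = {**alert, "reason": reason}
        (escalated if disposition == "escalate" else auto_closed).append(record)
    total = len(escalated) + len(auto_closed)
    return {
        "escalated": escalated,
        "auto_closed": auto_closed,
        "automation_share": len(auto_closed) / total if total else 0.0,
    }


if __name__ == "__main__":
    result = run_triage()
    print(f"automation handled {result['automation_share']:.0%} of alerts")
    for a in result["escalated"]:
        print(f"ESCALATE {a['src']} -> {a['dst']} [{a['threat']}]: {a['reason']}")
```

The rule order matters: the registration-service and intel-feed checks come before any auto-close rule, so a low-severity hit on a known-bad host still reaches a hunter, and the lab-exercise rule only fires when the firewall merely alerted rather than blocked. On the constructed batch the automation closes seven of ten alerts; the real ratio depends on the rules and the traffic, not on the code.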

The NOC’s top priority is to make sure Black Hat’s infrastructure is available. From the firewall provider’s perspective, the core task is to protect the registration services, “because that is an Internet-facing service that we bring in house here and have our firewalls in front of them,” Reverri explained.

The Palo Alto Networks team’s other responsibility is providing data to the NOC’s threat-hunting groups. “They receive a full feed of the network, both outside and inside our firewalls. They pull that into their respective tools, and they're doing forensics on that,” he said.

To respect privacy on Black Hat’s network, the NOC deletes all the data when the event ends. “Once everything's done, we tear it all down, and none of the data leaves here, so all the packet captures, all that network data is burned on site,” Reverri said.