Last year, Black Hat asked Cisco Security if we could be the Single Sign-On (SSO) provider for all the partners in the Black Hat NOC. The idea is to centralize our user base, make access to products easier, provide easier user management, and to show role-based access. We started the proof-of-value at Black Hat Asia 2024 and partially deployed at Black Hat Europe 2024. We have successfully integrated with the partners in the Black Hat NOC to enable this idea started a year ago. Below is a screenshot of all the products we have integrated with from our partners and from Cisco.
In this screenshot above, we have the idea of the product owners having administrative access to their own products and everyone else being a viewer or analyst for that product. Allowing each partner to access each other’s tools for threat hunting. Below, you can see the logins of various users to different products.
As a part of this, we also provide Identity Intelligence, we use Identity Intelligence to determine the trust worthiness of our users and notify us when there is an issue. We do have a problem though. Most of the users are not at every Black Hat conference and the location of the conference changes each time. This affects our users’ trust scores as you can see below.
Looking at the screenshot below, we can see some of the reasons for the trust score differences. As the administrators of the products start to get ready for the conference, we can see the logins start to rise in February, March, and finally April. Many of the February and March logins are done from countries not in Singapore.
Below, we can see users with their trust level, how many checks are failing, last login, and many other details. This is a quick glance at a user’s posture to see if we need to take any action. Luckily most of these are the same issue mentioned before.
At the end of each show and after the partners can get the data, they need from their products, we move all non admin users from an active state to a disabled group, ensuring the Black Hat standard of zero-trust.
Want to learn more about what we saw at Black Hat Asia 2025? Check out our main blog post — Black Hat Asia 2025: Innovation in the SOC — and our other Black Hat 2025 content.
Acknowledgements
Thank you to the Cisco NOC team:
- Cisco Security: Christian Clasen, Shaun Coulter, Aditya Raghavan, Justin Murphy, Ivan Berlinson, and Ryan Maclennan
- Meraki Systems Manager: Paul Fidler, with Connor Loughlin supporting
- ThousandEyes: Shimei Cridlig and Patrick Yong
- Additional Support and Expertise: Tony Iaconbelli and Adi Sankar
Also, to our NOC partners Palo Alto Networks (especially James Holland and Jason Reverri), Corelight (especially Mark Overholser and Eldon Koyle), Arista Networks (especially Jonathan Smith), MyRepublic and the entire Black Hat / Informa Tech staff (especially Grifter ‘Neil Wyler’, Bart Stump, Steve Fink, James Pope, Michael Spicer, Jess Jung and Steve Oldenbourg).
About Black Hat
Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia.
For more information, please visit the Black Hat website.
We’d love to hear what you think. Ask a question, comment below, and stay connected with Cisco Security on social media!
Cisco Security Social Channels
