Needless to say, GovWare 2025 was intense. Building an enterprise-grade Security Operations Centre (SOC) from scratch in less than 48 hours always is. It’s a high-wire act of logistics, engineering, and sheer willpower. But this year, the stakes were different. Our mission expanded beyond just defending the network; we were tasked to become the Network Operations Center (NOC) as well. We weren’t just passengers on the network; we were flying the plane while building it!
It felt less like a standard deployment and more like establishing a forward operating base in hostile territory. The pressure, the chaos, the absolute necessity of speed—it took me right back to my Army days some 30 years ago. We went in with a solid plan, cutting-edge gear, and high expectations. We had the blueprints for a state-of-the-art, cloud-managed infrastructure that would give us unprecedented, unified control over both networking and security layers.
Then, first contact happened. As usual, the plan didn’t survive.

The Fog of Deployment
In military terms, “friction” is the accumulation of untoward events that makes simple tasks difficult and difficult tasks impossible. At GovWare, our friction was technical, and it hit us fast.
We faced a perfect storm: an untested new architecture and hardware fresh out of the box that began throwing unforeseen compatibility curveballs. But the real kicker—the “critical threat” to our mission—was our cloud-based switch management platform. It simply couldn’t handle the complex configuration required for a dual SOC/NOC role. We needed granular control to tap and mirror traffic for our analysis tools, but the cloud management plane was fighting us every step of the way.
With less than 40 hours before go-live, we were effectively dead in the water. Without the proper packet data feeding our on-prem monitoring tools, we were blind. We couldn’t perform our primary mission: “Protect.” In that moment, standard operating procedures weren’t just useless; they were a liability. We had to lean on a mindset as old as warfare itself, but critical to modern cybersecurity: “Improvise, Adapt, and Overcome.”

Resourcefulness is a Weapon
Waiting for support tickets to be escalated wasn’t an option—the show doors open whether you are ready or not. Sticking to the original architecture would have meant total mission failure.
In the field, when your supply line is cut, you don’t just sit there. You “acquire” what you need. I reverted to standard operating procedure from my past: beg, borrow, or steal to ensure mission success.
This time, it didn’t require stealing, but it did require rapid human networking. I reached out to our local contacts in Singapore, laying out exactly how dire our situation was. We didn’t need a software patch; we needed raw hardware that we could configure manually, bypassing the cloud limitations entirely.
One of their Sales Engineers immediately understood the urgency. He didn’t wait for approvals or paperwork. He raced across the city, navigating Singapore traffic to bring us exactly what we needed: a Catalyst 9500 capable of handling the throughput and complex SPAN configurations we required. It wasn’t in the original budget. It wasn’t in the original diagram. But it was exactly what was needed to win the fight.

Resilience Over Perfection
In a SOC, we often chase perfection—perfect visibility, perfectly parsed logs, perfect automated playbooks. We want the dashboard to look exactly like the brochure. But when things break under fire, you have to shift gears to “resilience”.
Resilience isn’t pretty. It’s about functional survival.
We had to accept that our “perfect,” unified cloud deployment was gone. The goal shifted from “deploy the target architecture” to “establish functional capability by any means necessary.”
We took that new Catalyst 9500 and integrated it directly into the core, bypassing the simplified cloud management layers that were causing the drag. It was a “brute force” solution—ugly, loud, and requiring manual configuration that broke our standardized templates—but the packets started flowing. The tools lit up. We had eyes on the network again.
- Adapting the Architecture: We simplified on the fly, cutting out the complex middle-layers and establishing direct connections.
- Overcoming the Mental Block: The hardest part is often letting go of how it was “supposed” to work. Once we did that, we found solutions that weren’t in any manual.

The Payoff: Empowering the Front Line
The true test of our improvised architecture wasn’t just seeing green lights on a dashboard; it was seeing our people execute the mission. Because we fought through the friction to get full packet visibility, we were able to fully empower our analysts from the moment the doors opened.
This was best illustrated by one of our “Day 1” SOC analysts. Thrown into the deep end of a live-fire event, she didn’t just tread water—she had a rockstar breakout moment. Thanks to the data flow we painstakingly built, she successfully hunted down and analyzed a sophisticated Domain Generation Algorithm (DGA) beaconing out from the network.
But here is where the dual SOC/NOC role pays off. In a standard environment, she might have just written a ticket and waited. Because we had direct control of the core, we could empower her further. Upon verifying her findings with management, she didn’t just report the threat; she was given the green light to push the block herself. Before noon, she had not only found and investigated the DGA thoroughly but blocked it as well. Big kudos there! Seeing a junior analyst go from detection to active remediation in hours—on infrastructure we had cobbled together just hours before—was the ultimate validation of our efforts.

Lessons for the SOC
Our experience at GovWare 2025 reinforced a vital truth for any SOC analyst or engineer: your tools will eventually fail you. Your processes will eventually encounter a scenario they weren’t designed for.
When that happens, your team’s ability to resiliently adapt—to think like soldiers in a broken field rather than just engineers in a lab—is the only defense you have left. Don’t just train for the perfect days when the entire ecosystem is humming and the alerts are clear. Train for the days when the management plane is down, the architecture is crumbling, and you still have a mission to complete.
Improvise. Adapt. Overcome.
“Essayons!” [the Army Engineer Creed]

About GovWare
GovWare Conference and Exhibition is the region’s premier cyber information and connectivity platform, offering multi-channel touchpoints to drive community intel sharing, training, and strategic collaborations.
A trusted nexus for over three decades, GovWare unites policymakers, tech innovators, and end-users across Asia and beyond, driving pertinent dialogues on the latest trends and critical information flow. It empowers growth and innovation through collective insights and partnerships.
Its success lies in the trust and support from the cybersecurity and broader cyber community that it has had the privilege to serve over the years, as well as organisational partners who share the same values and mission to enrich the cyber ecosystem.
