Mick Leach: Hello and welcome to SOC Unlocked: Tales from the Cybersecurity Frontline. I'm Mick Leach, your host and guide on this exciting journey into the SOC universe. In each episode, I chat with various cybersecurity professionals about the latest industry news, emerging threats, practical strategies to keep your organization safe, and more. And this week, we're excited to have Aaron Roane. Aaron, welcome to the podcast.
Aaron Roane: Thank you very much, I appreciate it. Pleasure to be here.
Mick Leach: Yeah, absolutely. Well, we are really glad that you are here. As our long time listeners know, we love to chat, learn a little bit more about our guests. We'll kind of dig into sort of this past, present, future of security operations space. And lastly, we'll get into some career guidance before we get into the final one last thing. With that, Aaron, we'd love for you to just tell us a little bit about yourself, kind of your journey into cybersecurity and what you're up to these days.
Aaron Roane: Absolutely. So I started in law enforcement actually. It's kind of interesting. I'm sure you don't get a lot of that.
Mick Leach: Actually, that's the second time. Joe South, dear friend, Security Unfiltered podcast host, he was on just a few weeks ago and that's exactly what he did too, right? He started in that law enforcement space and then made a transition over. It's actually, there's kind of a theme to that.
Aaron Roane: That is really cool. Well, for me at least, I noticed that I really enjoyed defending people, right? And I didn't so much enjoy the political scene. So I found myself backing out and getting into what I enjoyed most and what I did the best, IT. So, growing up, my mother always brought home old computers from the office, and I would tear them apart and rebuild them, making them faster. About middle school, I realized that I could make my own virus so that if I could communicate with the modem, I could get it to beep every few seconds. So I created a program that would do just that until you reboot the computer. I installed it on all of the school computers in the lab, changing the logo so it looked like it wasn't Internet Explorer at the time. If I recall correctly, it was Netscape.
Mick Leach: I love it. Yeah, boy, that's a throwback.
Aaron Roane: So when everyone opened that per the instructions, things got interesting.
Mick Leach: My gosh, this is fantastic. This is one of the best stories I've heard in my days of doing this podcast. This, I love everything about this, largely because it's also, you know, it's good, harmless fun. It's annoying as all get out. I have a dear friend who got, like, it was almost like a little cricket that was magnetic. You could put it inside the box of a computer, and he did that and it would make a weird sound randomly. Sometimes it would be one minute, sometimes it would be 10 minutes, sometimes it'd be an hour. And they put it in a machine that was at one of their colleagues' desks. And he had a whole bunch of computers in his little cube. And they had it set to go randomly. It drove him absolutely mad. And they all pretended like they couldn't hear it. They had all gotten together and were like, what are you talking about? I don't hear anything. And it drove him absolutely bonkers. They finally did tell him, but he was not happy. I love it.
Aaron Roane: That's great. So, as a punishment for that, I was subjected to learning HTML and building computers. Absolutely, I thought so. I was beside myself. It was great.
Mick Leach: It's about the best punishment ever.
Mick Leach: My goodness. Here's some punishment. It's job training. Welcome aboard. This is going to make you a lot of money later. But for now, you're going to feel the wrath, I guess. My goodness.
Aaron Roane: Mm-hmm. So fast forwarding a little bit from there, after law enforcement, I started working for myself doing managed services, just kind of helping local businesses where I could and building computers. But one day I realized the risks that Red Hats posed and I wanted an out. I started panicking. So I found myself working for a managed service provider, Microsoft service provider, where I actually ended up standing up their Microsoft System Center Operations Manager or Microsoft Operations Manager network and server alerting, if you will. So anything that would happen on their network, they now had visibility of. With that, there was a physical display in the support room where everybody could see it.
We used Alert Central through SolarWinds to push and aggregate alerts. Immediately after, I was moved over to 365 client migration, moving clients from their on-prem environment to their cloud or new cloud environment. It was a lot of fun, but there were also a lot of very complicated and interesting, unique builds.
Mick Leach: Woof, a big move.
Mick Leach: As there always are in any big organization, there's a lot of really unusual things you find when you go to migrate like that. You're like, wait, how is this a depend... Whose idea was this? And that person's long gone, but here we are.
Aaron Roane: Absolutely. And shortly after doing that, I again looked to shift companies I was working for. And I noticed that Microsoft had just pushed out their security scores, which was kind of the precursor to Microsoft Sentinel, in my opinion. From there, they started really delving into security. So I shifted gears and started working for a college where I again built out their network alerting or rather, I noticed that they had already had some of these tools in place, but they weren't properly deployed. They didn't have the proper visibility. So what I did was I configured everything so that, again, we had a display with an audible alert this time in our security room, or rather support room. I spent a lot of time reviewing our phishing program, or rather phishing simulation training. I actually ended up suggesting that originally and I was the reason it was rolled out.
Let's see. At that point in time, I had some side gigs where I was just making money on the side for repairing and building drones. I built out some Pi-holes for a few people and a lot of gaming computers. I ended up leaving after some time, moving on to a hospital. I noticed that I spent a lot of time training new hires at both the college and the hospital. So, I quickly realized that I needed to make that process as easy as possible. I ended up using OneNote to build out all the processes and things that somebody might need to do or that are important. Something that they could go to and just search for and find the answers to any question they may need or have, how to fix whatever may break.
And that kind of became my staple everywhere I've gone. So after the college had moved on to a large hospital, as I was saying, we only had one or two analysts at that point in time. And I was one of those two analysts. So very quickly, I was trained, brought up to speed, and was running our on-call schedule where, after hours and weekends, I was receiving phone calls to log in and try to hunt down these alerts and figure out what needed to happen to push out remediation. So we ended up building out the SOC there shortly after hiring quite a few people. And I ended up having, of course, this OneNote document. So I ended up spending a lot of time training and providing access to this OneNote to these new hires so they had what they needed. I did that for a few years and then moved on. Started working for a revenue cycle management company here recently.
So with this company, we are working revenue cycle management, as I was stating, in healthcare. That refers to the financial process that healthcare providers use to track patient care episodes from registration all the way through to appointment scheduling to the final payment balance itself. It's kind of, you notice the pattern here going from the hospital, excuse me, from the college to the hospital, where suddenly there's a renewed interest in cybersecurity where before there didn't really seem to be a lot of interest in cybersecurity. It's just suddenly becoming a staple concern. That's about it. So I started working for Ensemble, excuse me, started working for a revenue cycle management company, and I've been working with their security operations center to help their analysts go through and review alerts where they may need help as well as to facilitate the tuning and balancing of our alerts themselves.
Mick Leach: That is awesome. I'll tell you what. So a couple of things I'd tease out of that, of your journey, right, is that one of the first things you talked about was the desire to sort of defend. And that resonates with me as well as a former army guy. I found my way into cybersecurity and realized that this was this sort of beautiful convergence of the ability to defend others and yet be digital and technical at the same time, which, like you, I really enjoyed. For me, when I got here, I just felt like this is what I was built for. This is what I was made to do. And so I haven't really worked a day since that day that I figured this out because this is just, it's my joy, it's my passion. So like you, I love hearing that. You'd be surprised how often I hear about folks finding their way, particularly into security operations, right? Blue teamers. Whether you're front liners as a SOC guy or maybe you're tuning in, adjust tuning and automation, that kind of stuff behind the scenes or even like forensics, digital forensics. We see so many folks that come to these sorts of blue team roles from either the military or law enforcement or whatever the case may be. But yeah, it's actually a very common theme.
The other thing that I heard you talk about was building out all these onboarding documents and documentation. Man, you must be the most popular guy at any place you go because it's so painful. You know, man. And look. I love to hunt, defend, and chase bad guys through logs, but what I hate doing more than just about anything else is documentation. And so having a guy like you that comes in and is good at it and enjoys it. Man, you are worth 10, 10 fold of whatever you weigh. I'm telling you that right now in any organization because you're right. That sort of documentation is such a force multiplier. You know, it allows everybody to be so much more effective in their role and really come up to speed and deliver value so much faster. So I love it.
Aaron Roane: Mm-hmm. What I found that really helps with that is that there's no better way to learn something than to teach it. So putting it on paper really helps.
Mick Leach: Yeah, yeah, I mean, true words have never been said. I once had a mentor who told, who used that exact same phrase, you know, if you think you know something, try and teach it. And I didn't give it a lot of thought admittedly at the time, but then he was like, Hey, I'd love to have you give, you know, the department, you know, a class on this thing. And I was like, sure. Yeah. I mean, it's something I really enjoy. I feel like I'm good at it. And as I went to, you know, kind of develop my presentation, I realized there's a lot more to this that I really need to understand and sort of double click into and learn about to be able to really explain it well. So you're absolutely right. So that is awesome. Well, very cool. Okay, so let's dive into the exciting part of the discussion, sort of the past and present future of security operations. In terms of past, one thing we always love to hear is story time, if you will. Everybody pull up your carpet square like kindergarten and let's hear story time. Aaron, can you talk about a particular attack or something interesting that you've encountered over the years? Again, you can change the names to protect the innocent or the guilty as the case may be. We don't want anybody getting sued. I do not want to get sued. Emily, my producer, does not want to get sued. So, keeping that in mind, do you have any good, fun stories that you can share from the old days?
Aaron Roane: Absolutely. One of the most exciting ones I can think of. Back at the hospital, we received an attack or, rather, a threat. Our threat team, responsible for hunting down deep web monitoring and going out on their own and doing their own threat hunting outside of alerts, they were made aware of a post on the deep web by a group called Killnet, who mentioned that they were going to attack our organization along with a bunch of other organizations. They, Killnet that is, relies heavily on DDoS as a service as their main form of attack. So we knew upfront that that was probably going to be the method they chose to hit us. So we preemptively deployed DDoS protection. And kind of interesting, since our threat team was monitoring the deep web posts where they were announcing their attacks and their successes as well.
The day after we did this, we got hit pretty heavy. We had some system degradation, but we largely stayed afloat. We noticed that the posting that followed that next day was rather frustrated in their tone. And they called out, quote unquote, an organization who had deployed DDoS protection as being a pain point and that they weren't going to end their attacks just yet and that that organization needs to watch their back. Shortly after, during this, they had claimed association with the Anonymous group, and I mean the Anonymous group well known for their masks. Anonymous didn't take kindly to that, of course. They chose to retaliate by exposing Killnet's administrator passwords to the internet and ultimately put a stop to that DDoS.
Mick Leach: My gosh, that is hilarious. I mean, when a hacker group pretends to be a different hacker group, that group gets offended and then hacks the hacker group. My gosh, that is fantastic. I love it. What a crazy set of circumstances. I mean, great on you guys for having the breadth of intel to understand what was being said about your organization. So often I find, at least in my experience, we're always reacting. So, you know, thankfully we've had those kinds of protections in place as well. We've experienced a number of DDoS attacks over the years, thankfully never anything that overflowed what our protections allowed for, but we have seen some pretty ugly ones. So yep, yep.
You know, being at Abnormal Security where we are constantly fighting phishing and account takeovers, these are the things that are near and dear to my heart. You know, I'm so passionate about it because, you know, these are the things I see every day. You know, I see good companies trying to do the right things and good folks that are just trying to do their jobs well and are being convinced to click on something, open something, go to a QR code. I mean, whatever the case may be, you know, we have good folks trying to do their jobs well that are falling victim to these kinds of things. So they drive me crazy.
Aaron Roane: Absolutely. That's one of my biggest concerns: phishing, smishing, anything you can imagine along those lines.
Mick Leach: Yeah. I've seen a lot of that as well. So yeah, there's, you know, threat actors just will never waste a crisis. So, you know, we see things tied to the election, you know, back to the Ukraine war, the attack on Israel, right? Where all of these things that happen in, you know, in current events, even the CrowdStrike outage, you know, just a few weeks ago. You know, we saw threat actors immediately start spinning up fraudulent domains that resembled something akin to the CrowdStrike outage support system. And then immediately started launching out fraudulent or at least phishing emails that linked back to these fraudulent websites in hopes of, in most cases, in hopes of credential harvesting, right? That was the aim there. So yeah, there's some nasty stuff out there to be sure. Yeah. Well, enough about the past. Speaking of the current problems we're facing today, I mean, what, in your opinion, is the biggest challenge that faces SOCs these days?
Aaron Roane: There are several. One of my biggest ones is security operations as a whole, from an internal perspective when working with the company, if you will, from inside. One of the biggest issues is trying to maintain traction with IT operations—not the security operations side, but the IT operations side—to make sure that communication stays open and that they remain in sync. Things like re-imaging devices.
If the security ops team is unable to pull a ticket that shows that this device was re-imaged, it means that they then need to call the support team and validate that that device has been re-imaged. And that definitely leads to a large waste of time. And I can go further. From there, you've got the company as a whole taking cybersecurity seriously. If the leaders, the upper leaders, don't regurgitate or duplicate the cybersecurity team's efforts in training and awareness within the organization as a whole, and the organization as a whole then does not have a good understanding of what social engineering is, what phishing is, they are not able to appropriately avoid those attacks. You just need to be careful about what somebody says is in your best interest and validate those facts before you act.
Mick Leach: Yeah, absolutely. I mean, communication is absolutely critical in any organization, in any part of any organization. But I think it's most highlighted, at least in my experience, in the security space, in the SOC, right? Their ability to understand what's going on across the different silos, if you will, of any organization: IT, marketing, right? Finance, all of these different organizations have different processes and things.
So yeah, that's absolutely huge. I love the emphasis from the top down in terms of, you know, really setting a security-first culture. It is absolutely critical. Otherwise, every SOC will be undermined, right? There are no teeth to any of the policies if the top leadership just says, well, I mean, we're forced to have these policies, but nobody's going to really get in any trouble if they violate them, or maybe we won't, as the senior leadership, adhere to these same policies. It really just undercuts and undermines the value of what the security folks are doing. So could not agree more.
Aaron Roane: Well said.
Mick Leach: Yeah, so you had mentioned there were a couple of things. Is there anything else on that list?
Aaron Roane: A lot of our analysts would rather take the time to review alerts and try to get through the queue. But at the end of the day, if they're not able to take some time for themselves to dip into cyber ranges or review their research around certain malware, new findings, what have you, if they're not careful, the world of cybersecurity will evolve around them and they will stay stagnant.
Mick Leach: Yeah, and I've seen it time and again: we let our day work, or our today work, kind of limit our ability to understand what tomorrow's work is going to look like. So I've seen that at every organization I've been in. We have been very intentional about carving out time for the analysts to work on something else.
Whether you want to go and read reports on, you know, BleepingComputer or whatever the case, you know, whatever your favorite threat intel site is, and go just read stuff, learn stuff. You know, doing the SANS Holiday Hack Challenge is one of my favorite things to do every December. We would usually carve out lunchtime for like two weeks. We would go into a big conference room, and we would have the SANS Holiday Hack Challenge going on from 11 to one every day for two weeks. And just, that was a place to come in and cut your teeth, try stuff. It was also a great place to figure out who's really good at certain areas. You really learn your team's strengths in a cyber range, to your point, Aaron. And I think that's what I loved most about doing that, because what I learned is this:
This guy is really great at this, and this young lady over here is fantastic at this. If we ever are in a situation—a real live situation—where I'm like, man, I just need the best Python person on our team right now, I'll know exactly who to reach out to, right? That's also really, really important. So I love that.
Aaron Roane: Absolutely. And not just that, but to me, I found the most interest or the most value from zero days. One of my favorite cyber ranges, Blue Team Labs Online, actually released a lab or a challenge for Follina back when that was first active. And within the first week, I was able to finish that lab and learned a lot from it. So I was able to bring that knowledge back to the team and have them aware of this zero day and what it looks like, how to stop it, prior to us actually having seen it in the wild.
Mick Leach: That is awesome. Yeah. And that ability is so critical to have in a SOC, right? Is the ability not to necessarily wait for the vendors to produce the detections that we're all waiting on. Having that ability internally to say, OK, look, let's pick this apart. Let's see what it looks like. It's great that our vendors do turn things out pretty quickly. But in some cases, I would love to get something, even a stopgap. It may not be great, but at least it's something we can get turned on. Maybe it's not preventative. Fine. At least detective so that we can see this kind of behavior is occurring in our environment. We can create some detections and at least we've got something in place while we're waiting for the vendors to deliver something better. So I love that. Cool. Sorry, go ahead.
Aaron Roane: Absolutely. Further from that, I would say that alert tuning is another big challenge. If you receive too many alerts, especially false positive alerts, which is specifically what I mean, you get to a point where you can't see the fire through the smoke. You need to make sure that you're constantly reviewing your false positives and updating those alerts so that you're receiving fewer false positives and more true positives.
Mick Leach: Yeah, yeah, we always had a rule that I never want to investigate the same thing twice. So if you come to the end of an investigation and realize this was a false positive, right? And really what I mean is this didn't pull back, this didn't detect the actual circumstance we really wanted. Well, then we need to tune it. And so if that's a separate team, fine, open a ticket to that team so that we can chart that, we can, you know, track the progress of that. If it's internal, then maybe that's something we just need to do here. So certainly something we need to look for.
Mick Leach: All right, so we've talked a little bit about the past, the present. Aaron, what I really want to know about now is the future. What is coming down the pike? What's going to change the way we look at security operations in the future?
Aaron Roane: You'll hear this a lot, but AI, absolutely AI. From being able to, from a Red Hat perspective, being able to go out to certain sites to view, to easily ask how to compromise a computer. And then you run into a brick wall and turn around and just tell it, hey, I hit this wall, what do I do next? And it just tells you in plain text, do this until you get it right. And vice versa, the Blue Hat side, of course, they can use that, leverage that to do just the same, be able to go out. I don't understand what this log is. What does this mean? And have the computer tell you in plain text.
Mick Leach: Yeah, yeah, for sure. I mean, you know, AI has been sort of the watchword, the phrase that pays, for the last two years now. And I agree, we are starting to see some new capabilities both in terms of offense and defense that are really changing the game for both sides.
Aaron Roane: And what happens when you couple that with quantum computing? Suddenly you have passwords getting cracked instantly.
Mick Leach: Yes, yes, and this is actually something that, you know, I was talking with Dave Kennedy from TrustedSec, man, I just lost my brain there for a second. TrustedSec and Binary Defense, he's the CEO and Chief Hacking Officer there. We were talking about this the other day about how that's really gonna change. That convergence of AI and quantum computing is really going to present a big problem going forward, I think. But at the same time, it'll also, if harnessed properly, I think, empower the defenders in the same way. At the end of the day, both of these are simply tools to be used. Just as a bad guy can use a gun, a good guy can use a gun; the gun is just a tool. I would argue the same for AI and quantum computing. So yeah, really interesting thoughts there. So, jumping forward now, talk to me about career guidance, right? You have an interesting journey into cybersecurity.
Aaron Roane: Exactly. Well said.
Mick Leach: If someone is listening to our podcast here and they're like, you know, Mick, Aaron, I want to get into it, or maybe I'm in, and I really want to arc into another area, another specialty in cybersecurity. What should I do? What's the best way in? What would you tell that person?
Aaron Roane: I actually get a lot of people reaching out to me over LinkedIn for mentorship advice. And I noticed that a lot of those folks are coming from the support, desktop support side. And with that, I typically tell them to get interested in cyber ranges. Get your hands on some tools so that you can actually manipulate these malicious files and understand what's going on, not just from the textbook side. I mean, some of these people have... degrees and certifications but don't have any hands-on experience. From that, networking. Make sure that you're reaching out to as many people as possible and connecting with them. Just get interested.
Mick Leach: Real quickly, let me double-click into that just a sec before you go on. In terms of networking, how do I do this? I hear this a lot. People all say you gotta get to know other folks, right? Rub shoulders with other security professionals. Where do you do this? What are your favorite places? How do you do this networking?
Aaron Roane: LinkedIn is the easiest place to go virtually, but for conferences, go to things like BSides or DEF CON. Get out there at some cybersecurity conferences and wear your best face. Dress up and make sure that you talk to as many people as possible. Bump elbows. Thank you.
Mick Leach: I love it. Yeah, agree wholeheartedly. Well said. Sorry, I didn't mean to get in there, but it did help folks understand where we can do those things. But go ahead with the rest of your guidance.
Aaron Roane: So finally with that, I guess I kind of already touched on the BTLO stuff, but home labs, you can roll out some of this stuff in your own environment. Security Blue Team, I absolutely love Security Blue Team because they provide quite a few free, good resources. If you're not familiar with the dark web, how to connect, how to explore, they've got a lab on that and it's free, and they show you all the pitfalls, what to be careful of, what to be aware of, what not to do, and how to stay safe, stay in your legal bounds. But other than that, post what you're doing. Post this stuff to LinkedIn. Make sure people see that you're doing these home labs, that you're doing these free courses, and that you've got your hands on Security Blue Team, BTLO, and Blue Team Labs Online.
Mick Leach: I love it. I love it. No, this is great. Great advice. Many of our guests have had similar thoughts in terms of getting their hands on. You know, I have not heard of Security Blue Team, so that's a new one for me. So I will definitely be checking them out myself after this.
Aaron Roane: They do both the Blue Team Labs Online, which is their cyber range side. And they're really cool because they provide you with both investigations and challenges. They give you some free ones you can test with. The investigations are labs at the standard cyber range that you're familiar with. And they do challenges, which are potentially malicious files that you download in your own environment, and obviously stick to sandboxes. But break those apart yourselves with your own tools.
Then they also do the SBT or Security Blue Team side, which is focused on certifications. Those certifications are all hands-on and similar to their labs, they use cyber ranges as a backbone to their tests. So you need to get hands-on. You need to know what you're doing in order to do those tests. They're definitely stressful going into them. They give you about 24 hours for the BTL one, but they also give you all the information you need to know upfront.
It's an open internet test. So if you don't remember something right then in the moment, go to Google. And then realistically, just like in real life, if you don't know something right in there, don't be afraid to go to Google. Don't be afraid to ask questions. That is one of the biggest things that people get wrong: they think they need to know everything. No, you just need to know where to find it.
Mick Leach: Amen. Well said. Reminds me of Offensive Security. I'm a little more familiar with Offensive Security's certs, and they're also very similar, right? Because they give you a big span of time. You just have to compromise systems and get the flags. Otherwise, you know, just try harder. That's one of their mottos, right? Try harder. So no, I love it. Aaron, this was awesome. We've had a great conversation so far here. If somebody can only take one thing away from it, right? They've listened to all this, but they can really only pull one piece and take it home with them. What would you have that be?
Aaron Roane: Don't be afraid to ask questions. I think that's one of the most important things because so many people, like I said, feel that they need to know everything. And if you look into it, it's really a sign of imposter syndrome. And imposter syndrome impacts so many people, especially in this field, where they feel they need to be the know-all because they can't fail. And truly it boils down to the shame monsters or shame goblins. If you feel shame for not knowing something, there's a solution to it, and that is just to understand that you know where to look, that you have people that you can rely on. The solution to shame is empathy: to find somebody, a mentor, who is empathetic to your struggle, and to lean on those people. Know your gaps and find the people that you can lean on.
Mick Leach: Yeah, that's a great, great point. You know, for our security leaders out there who are listening, my challenge to you would be: if in your shop, folks are uncomfortable exposing the weakness of ignorance, just simply not knowing something, if they're too afraid to ask, they're too afraid to be seen as not knowing something, you're doing something wrong. You need to change the culture. Right. In those places, in my experience, when I've encountered those kinds of cultures, what you run the risk of is someone trying to fake it till they can make it. And in an incident, that is not going to work.
That is detrimental because somebody is just going to be too afraid to say, I don't know how to do that, and we could go find the right person or the person with that skill set. And they're going to either make something up or they're going to, you know, just claim that there was nothing there to be found, and we can actually get ourselves in much, much deeper trouble in terms of an investigation. You know, make sure that you create a culture, leaders. I'm talking to you guys, create a culture where, you know, we reward folks for asking questions. You know, really the only cure to ignorance is knowledge. So, you know, I'll get off my very small soapbox from saying that, but I'm passionate about that, because I, like you, Aaron, agree that this is something that we need as security professionals to embrace and empower. This knowledge-seeking, you know, world, that's what we want. That culture is what we're after.
Aaron Roane: Well said. Thank you.
Mick Leach: Awesome. Well, Aaron, thank you so much for your time. I appreciate it; this has been a fantastic conversation. Folks, if you have any questions, please feel free to reach out to Aaron Roane. You can find him on LinkedIn. He's out there. So Aaron, thanks again for being here. Of course. And friends, this has been SOC Unlocked, Tales from the Cybersecurity Frontline. I am Mick Leach, your host, reminding all you cyber defenders out there to keep fighting the good fight. You are the tip of the spear, so stay sharp. Thanks for tuning in. Don't forget to like and subscribe and check out our other SOC Unlocked episodes. We'll see you all next time. Thank you.