S6:E3 - Tom Dejong - Inside the BHIS SOC: Triage, Curiosity, and Career Growth
Speaker: Simply Defensive brings you
the industry's top practitioners,
innovators, and leaders to inform,
educate, and join us defensive.
Josh Mason: Hello and welcome to the
latest episode of Simply Defensive.
Uh, I'm Josh Mason, as always.
I've got my good friend, Wade Wells here.
What's up?
Happy whatever time it is that you're
listening to this podcast 'cause
we're recording super into the future.
Yep.
And, uh, today we've got with
us one of our good friends from
Black Hills Information Security.
Uh, Tom.
Tom, welcome to Simply Defensive.
Tom Dejong: Hey, thanks.
Happy to be here with you guys.
Josh Mason: uh, tell people
a little bit yourself.
I know you work at the SOC there
and, uh, we've had Hayden on and
you all work together as well.
But yeah, introduce
yourself to the people.
Tom Dejong: Yep.
So,
uh, I work in the BHIS SOC here.
Uh, I'm, well, I'm the triage
lead, so mainly working tickets.
Uh, I have got pulled into some
IR engagements in the past.
Um, and let's see here.
I run some tabletop exercises
for some of the clients if they,
uh, contract that out from us.
And I'm also the mentor to
the new hires and interns.
Josh Mason: Nice, so.
You or how you've only been with
Black Hills for a couple years now.
Um, is it, how did you
get into cybersecurity?
Tom Dejong: Yep.
So I would've
Josh Mason: Yeah,
Tom Dejong: with
Josh Mason: nice.
Tom Dejong: I originally came on
as an intern, so, so how I got into
cybersecurity, um, let's see here.
Well, so South Dakota has this cool thing.
It's called the Build Dakota Scholarship.
Uh, so, so basically it kind of
works like an apprenticeship.
Uh, so you'll get a full ride
through an in demand trade.
So there would be like, it was
one of 'em, or, you know, uh.
HVAC electrician.
anyway, they'll give you a full
ride scholarship and then you work
in the state for three years after.
Uh, so I was just looking, uh, you
know, I was about 26 and thinking, uh, I
probably better figure out a career, and
it sounded like it would be the easiest
on my, uh, on my body in the long run.
So, so I ended up going through that.
And, uh, actually really
ended up enjoying computers.
Um, so I thought it was super
interesting and I was always gravitated
towards the cybersecurity, uh, topics.
And it was funny.
I was trying to, uh, was, I'd get so
frustrated about like not understanding
what DNS was or something like
that, uh, when I was starting out.
So I would listen to
Darknet Diaries a lot.
And just podcasts in general.
But Darknet Diary specifically, I was
listening to it one morning, uh, while
I was getting ready to go to school,
and it was an episode with John Strand.
I heard him talking and saying, oh
yeah, I'm from Spearfish, South Dakota.
And in my mind I was like, no way.
I'm, I'm in Spearfish,
South Dakota right now.
This is crazy.
So, so anyway, I ended up going to,
uh, the, the teacher and talking about
maybe doing the internship with them.
And, uh, I think at that time
I didn't know if the SOC was
fully established back then.
So, uh, you know, they kind of
wanted to have more programming
experience for the testers.
Uh, but, but then in the second year, uh.
I ended up getting an opportunity
and, uh, my first day was at
Wild West Hacking Fest in 2022,
Josh Mason: Nice.
Tom Dejong: how I kind of got into it.
Josh Mason: That's a,
Wade Wells: I think it was established
by then, but it was like crew.
I'm trying to remember all
the people who worked it like.
I remember some names, but I don't
wanna like put 'em on blast or anything,
Tom Dejong: Yep.
Yep.
Wade Wells: because that, I don't
think they work there anymore.
Josh Mason: we got a lot
of good friends there.
Tom Dejong: who you're talking about.
Wade Wells: Yeah.
Tom Dejong: Oh yeah.
Josh Mason: That's awesome.
Uh.
So you started working at the SOC.
Um, you've learned quite a bit.
You've been to a few Wild West
Fest because Deadwood's
right in your backyard.
Um, you just did a workshop this last
week, uh, when we're filming this.
Uh, how was that?
Kind of
Tom Dejong: So
Josh Mason: lot.
Wade Wells: So.
Tom Dejong: I, I guess
it was just a webcast.
I don't know if I'd say it was
the full workshop or not, but
Josh Mason: Yeah.
Tom Dejong: Uh, yeah, we just,
that just aired yesterday.
So, uh, it was about how
to triage alerts coming in.
Uh, I feel like.
The, the SOC topics that
BHIS gets are in high demand.
So, uh, it's always fun to get to
put 'em out there and get, to get
to see what the community likes.
But, but yeah, it was, uh, I
definitely put a lot of work into it.
So it can be tough to do those
webcasts while you're also working
SOC tickets in the background.
But I feel like it pays off.
I, I love hearing back from the community
about, uh, how it helped them or, you
know, even if it can help one person.
Uh, I'm happy with that.
Josh Mason: Yeah, it
Wade Wells: Yeah, I watched it.
it was good.
You had great points, right?
You're going back and forth
on all the different things.
uh.
hit me right at home from
what I used do all day too.
So.
Tom Dejong: I may be having
some technical issues on my end.
I can't hear anything right now.
Josh Mason: Okay.
Wade Wells: Uh, oh.
Josh Mason: check your headset.
I guess you can't hear me, so,
Wade Wells: He's, he is wearing
Josh Mason: yeah, right.
Um, is it like your, your headset.
Yeah.
Right.
We can text him.
Tom Dejong: Hmm.
What is happening?
Can you guys still hear me?
Okay?
Josh Mason: Yeah,
Tom Dejong: What is going on?
Oh,
Josh Mason: it happens.
Um.
Tom Dejong: yep.
I,
Josh Mason: I'll say things
Tom Dejong: what
Josh Mason: the off chance
that you can hear me.
Can you hear me now?
Okay.
Wade Wells: right.
Josh Mason: That's okay.
Uh, Wade, you were asking,
Wade Wells: No,
Josh Mason: oh, you were talking about
Wade Wells: it was more of a comment
you can keep you, you can go ask.
Yeah.
Josh Mason: the webinar?
Um,
Wade Wells: watched the webcast.
yeah.
Yeah.
It was good.
So it was a webcast because the,
the workshops are like four hours
long, which are a lot of work.
Tom Dejong: Yep, I get that.
Wade Wells: asked me to do one
recently, and I'm like, uh, I
don't know if I wanna do one.
Uh, but no.
All your points are good.
Like, like right, the, the
initial investigation on the
who, what, where, when, and why.
Right?
And knowing what to pivot off
of is half the battle, right?
Looking at a log and understanding
like, okay, an IP address
is something I can pivot.
A hash, a process name, whether it
be a network connection, or even
where the process location is, right?
All of that.
is something to then verify if that's
normal or not, and then keep moving and
Tom Dejong: I appreciate the kind words.
Wade Wells: to show that it's
Tom Dejong: I'm glad that
it turned out all right.
Wade Wells: or a false positive, so.
Tom Dejong: yeah, it can be hard
to do these SOC webcasts because so
many of the things are, you know, it
varies so much and it can be such a
variable thing, um, that it's kind
of hard to cover all the bases.
Like I, I'm in the, in that one
section, it was just like, well.
I mean, all this stuff is
kind of geared towards process
execution and stuff like that.
I tried to cover my bases a little bit,
but uh, you know, it can, there's just
so much, so many different log sources
you're doing, and it, it can be a lot.
Wade Wells: Oh yeah.
Tom Dejong: I.
Wade Wells: definitely.
Josh Mason: Yeah, it's, uh, impressive
being able to pull it all together for
a, a, a presentation like that though.
Um, is this, was it your first
Tom Dejong: done a conference talk
Josh Mason: or have you
done conference talks?
Tom Dejong: uh, for BHIS and
that was about, uh, how to
do an email investigation.
So, so this was the second one?
Um, I got asked to do the Blue
Team Summit and I was like, uh, I
don't really have a talk in mind.
So I've
Josh Mason: Oh, cool.
Tom Dejong: out topics that I
could, could do for future talks.
Um, and I would love to speak
at a conference someday in the
future, but need to get that
talk, uh, idea figured out first.
Josh Mason: Yeah.
Wade Wells: I, I got asked to do a
training on triage, so exactly what
you're talk about talking about.
And I built out the outline and then I
pretty much realized, I'm like, okay,
this is like a good 16 hour training.
And I'm like, I don't wanna
build out the labs for this.
That's where I stopped uh, I had
to go tell the person like, Hey,
I don't wanna do this anymore.
Like, I don't have enough time.
But it's honestly, like you said,
there isn't as much out there.
I remember like when I started out,
there was no blue team training.
It was all geared towards
red teamers, right?
Like OSCP, all that type of stuff.
And that was, hasn't really been since
like probably until like three, five
years, three to five years ago is when
all these blue team stuff, more blue team
oriented training started coming out.
I remember like Boss of the
SOC was like one of the first
like real blue team CTFs I
competed in, which is Splunk.
Yeah.
so it's a lot harder to do and
usually you have to build some type of
Tom Dejong: Yeah, no, putting
together a whole class sounds
Wade Wells: spin up two
Tom Dejong: very,
Wade Wells: and have one
Tom Dejong: labor intensive.
I was just listening to
Josh Mason: You need that.
Tom Dejong: Hayden last night,
and I was, he was talking, I think
he said that he had way too much
content and I was like, oh man.
I did not expect there
to be too much content,
but yeah.
Josh Mason: It's easy to, uh,
build your scope out a little
too big for building training.
Tom Dejong: makes
Josh Mason: I've, uh, been in
that situation before, but, um.
Where do you, uh, where do you
see yourself going in cyber now
that you've started down the path?
Is it one of those, you, you're at a
pen testing company, that's what Black
Hills is known for, but you're working
things in the SOC and, uh, working
alongside some of, I think some of the
best teachers in the industry there.
But you're still kind of new to
cyber and yet you're killing it.
Tom Dejong: yeah, man.
I always struggle with this question.
Same with like, what are, where
do you see yourself in five
year questions. In my mind,
I just would take any cyber
position I could take and, you
know, it's all learning experiences.
Uh, man, who knows, maybe I
will go to the red team someday.
Uh, and all this blue team experience
will be useful when that day comes.
But, but for right now, um, yeah,
I'm just kind of taking it as, as.
Taking it as it comes.
Uh, the SOC has been interesting.
Uh, being pulled in on those IR
engagements was really interesting too.
Uh, so, so, uh, you know, I'm,
I'm definitely open to helping
with those in the future.
Uh, I haven't really done very much
threat hunting, but threat hunting
does seem pretty interesting.
Um, but yeah, I don't know if I,
if somebody offered me a chance
to do a red team job, I mean it
would definitely be, uh, pretty
interesting to go in there and do that.
'cause I feel like the purple
team stuff seems really important.
Uh, so I mean, it would be awesome
to be able to build out on that more.
Hmm.
Wade Wells: What
Tom Dejong: Oh man, it's
gotta be being curious.
Wade Wells: like
Tom Dejong: I feel like you're
constantly, you just constantly
need to be learning stuff.
Uh, so, so I feel like that's a
very good skill for SOC analysts to
have, uh, to just be wanting to know
and get to the bottom of things.
Uh, 'cause uh, you know, there can
be some resilience in that too.
Like, I, I'll get frustrated if
I can't figure it out, and I'll
just, I just will have that drive
to keep wanting to push and push.
Uh, so I'd say that's, that's gotta
be one of the more important ones.
Yep.
Wade Wells: Okay.
Uh, so you've, you've been analyst
for like three years now, pretty much.
What are your favorite
Tom Dejong: boy.
Wade Wells: to work then?
Like, what's your, what's
your niche you would say?
Tom Dejong: oh.
This is a hard question.
Oh, let's see here.
I do,
Josh Mason: Is it,
do you guys get the option of like
picking which tickets you're gonna
work or is it like auto assigned?
Tom Dejong: Yep.
We recently made a change
Josh Mason: Because that would
be like one of those things.
Tom Dejong: so, so
that's been newer for us.
But in the past, I'd say for the majority
of the time I've been here, it's been just
kind of a sign yourself and, you know,
I'd always try and take ones that I didn't
know so I can figure out how to do it.
But I.
Oh man, I always like the easy ones,
like suspicious ISO file downloads.
'cause you can just go to the event
log fifteens and see where it was
downloaded from most of the time.
But nowadays, I mean the high risk Azure
logins can be pretty interesting to do.
Uh, you
Wade Wells: Yep.
Tom Dejong: checking for
all of the login history.
I don't, there's part of me that hates
doing 'em, but it is nice because it has
so much of the data and you know, you
can go and kind of map out what happened.
Um, but you know, I kind of
take 'em all as they come.
It's hard to say the favorite.
Wade Wells: I think the majority of.
The majority of the SOCs that
I've worked in have all like,
exactly like alert comes in.
It's whoever grabs it, grabs it.
There's no particular rhyme or reason.
So usually what happens is the people
who have who, who know, have the
knowledge to do a particular alert
that's a little bit easier, almost
always gravitate towards those ones
so they can close them out real quick.
I remember like one of the last SOCs
I worked at, I was one of the only
guys who was heavy EDR experience.
So I would always be like, Hey
Wade, do you get all the EDR alerts?
And I'm like, I'm like, you guys
get some of these, like, you
guys need to figure this out.
Uh, but it's grabbing the wrong, or
grabbing the ones that you're weakest
against is usually pretty time consuming.
But do you like write
Tom Dejong: Oh yeah.
Yes, I do.
And,
Wade Wells: what you
Tom Dejong: just real quick on
that, so one of the interns,
Wade Wells: or the
Tom Dejong: that he's, he was recently
become a full-time, uh, employee, but
you know, he was, he was saying that
he's liking this round robin because.
You know, like you were saying,
they'd gravitate towards not doing
alerts that they didn't know about,
but now he's kind of forced to do it.
So, uh, you know, he says that he's
been learning a lot from kind of
having it forced upon him to do it.
But, uh, sorry, do you mind
repeating that question again?
I got sidetracked there.
Hmm.
Wade Wells: That was about
like, no, you're all good.
Like, do you, uh, do you
take notes or anything?
Like how, how do you like improve
the process as you're doing it?
Right?
Because if you're
Tom Dejong: Yes.
Okay.
Yes.
Wade Wells: and you don't
Tom Dejong: I feel like I'm
Wade Wells: usually
Tom Dejong: the BHIS SOC for
having really detailed, uh, notes.
So, so when I started, uh, you
know, there was a i'd, I'd try
and find tickets that, you know.
Explain why you came to these conclusions
and like what you did to go check.
Um, and, you know, there were some
analysts that had really good tickets.
There were some analysts that, you
know, they, they, they knew their
stuff, but they didn't necessarily
explain their thought process.
So, so in my head it was like,
I need to make sure that these
tickets I'm doing are detailed.
So that new analyst can come see my
work and say, okay, he went and checked
this, uh, to come to this conclusion.
Uh, so, so I've always been pretty big
proponent of trying to, uh, you know, make
my logic easy to follow and, uh, you know,
for the next analyst down in the line.
Um, and then, you know, the documentation,
I'm always trying to document things, you
know, did we get that customer saying.
Yeah, this software is approval
that's going automatically
right in the knowledge base.
Um, so, so I've always been big
on that type of stuff, for sure.
Mm-hmm.
Wade Wells: It's super important,
uh, especially with like writing
a description down of exactly
what you did and how you do it.
Uh, a lot of the times, so I know
traditional SIEMs right back in the
day, like they would limit that you
couldn't throw images and stuff.
Now, but now today's when most
people are working in SOARs,
I know you guys work in tides.
I also work in tides.
Uh, throwing images in there of exactly
all the evidence you saw or where you,
where you went, uh, like that just helps
leaps and bounds, not just like the newer
people that have like, that are working
under you, but like to spin someone up,
that's someone that's brand new, even if
they are decently experienced, for you
to show the example is very important.
So I would highly, highly
suggest you, uh, continue
Tom Dejong: I could stop
myself at this point.
That would be, that would go against
Wade Wells: it will help
Tom Dejong: fiber in my body to
not be taking detailed notes.
Wade Wells: Oh, I don't know.
It's real, real easy to go down the,
uh, down the sarcastic, uh, beard
Tom Dejong: Yeah, I could
see exactly how that happens.
Wade Wells: Right.
Tom Dejong: I, see,
Wade Wells: I've seen the
best of 'em, but who knows.
Yeah.
Josh Mason: Yep.
Is there, was it something that, uh, you,
you had to teach yourself on how to take
your, the notes that you liked, or, uh,
was it part of the onboarding process?
Tom Dejong: naturally to me.
I didn't really necessarily need to do it.
Well, and you know, another part of it
is, and I tell this to all the interns,
I mentioned it in webcast, I've done.
It really helps me to
write everything out.
So, so when I'm trying to understand a
problem and I just write down, all right,
this user did this, this and this, I'll
try and like summarize it or something.
Um, so, and once I get it all out
there and write it into whatever
ticketing system I'm using I
feel like it just makes it click.
And one of the people that was, uh, one
of the senior analysts, you know, he'd
say, I'd, I'd be like, Hey, do you mind.
Doing like an internal escalation on this
and see, see if you agree with my logic.
And then he would be like, well.
And, uh, I guess this kind of sparked
the, me wanting to take, or like,
at least break down what I'm seeing.
He'd ask me like, well, what are you
seeing here that's actually malicious?
Because, you know, when you start out,
you think everything looks malicious.
Uh, so you kinda have to
take a step back from that.
So, so maybe, maybe a little
bit of guidance from him.
He helped.
Uh, but I, I do feel like it comes
naturally to me just to want to try and
break it down and put it all out there.
Wade Wells: So with that, where does your,
how do you start off your hypothesis when
you get an alert, do you automatically
Tom Dejong: Nowadays, I do
not think everything looks,
Wade Wells: that it isn't
Tom Dejong: right off the bat.
Um,
Wade Wells: Or do you do like competing?
Tom Dejong: I always try and go
to the detection logic at least,
and then see like, okay, so what,
what exactly triggered this alert?
And then I usually will build from there.
Um, or I'll pull up an a pass
ticket or something, see if this
has been encountered before.
So, I don't know, it's kind of hard.
I'll, I'll look at the executables
involved or you know, what, whatever
executable or file is involved, and
then I'll kind of go from there.
Uh, you know, nowadays with AI, I'll put
something like that in there and just be
like, Hey, what do you think about this?
Um, and I find that gives me a lot of.
Places to pivot to as well.
So, so, no, I wouldn't say I, I definitely
don't think everything's suspicious.
That's something, I mean, right in,
in the beginning I was, I was feeling
that way about everything, but now
I've seen so many false positives
and normal activity and, you know,
software that acts like malware, uh,
it, it's not really surprising to me.
So, so I feel like, uh, you know, just
after, during doing cursory research,
then I'll start kinda looking into it
and, you know, figure out does this
seem like something weird or whatnot?
Josh Mason: Interesting.
Wade Wells: I know there's a,
there's a project somewhere,
I can't remember where it is.
But it's a list of pro, it's a list of
processes that do things like malware.
Josh Mason: Ooh.
Wade Wells: Uh, like, like, uh,
one, the one I can remember off
the top of my head is like
GlobalProtect, which is Palo Alto's
VPN, runs whoami constantly.
It's like, why, why are you running whoami?
But, uh, so much of it out there.
Uh, you did allude to using ai.
What's your feelings on it right now,
Tom Dejong: so I will start
this by saying I'm not super
AI savvy or anything like that.
Uh, there's been, there's been a bit of
a push at BHIS to start using it more.
Uh, so, so I've really
been trying to use it.
Uh, I'm, I'm having to like force
myself to use it a lot of times,
but I, I guess it's kind of becoming
second nature at this point.
Uh, but you know, I use it mainly
for helping with investigations.
I'll use it for like polishing up.
Uh, messages I'm sending to clients, but
we're starting to get some cool, like, uh,
AI capabilities to make detection logic.
Uh, so I'll try and do it too
for like making sure I have
the right syntax and things.
I feel like AI is.
It's gonna be here to say I'm
not worried about it taking
my job or anything like that.
Uh, you know, it's another
tool in the tool belt.
I am kind of sick of hearing about
it, but what can you do about that?
Uh, it is a very cool tool overall though,
and I am excited to see where it goes.
I think there was a, oh, there was some
webcast where they were talking about.
I thought it was like a, a soc
analyst agent something where they
kind of had it solving some issues.
So, uh, that webcast
made it seem very cool.
Uh, and I'm, I'm curious
to see where it goes to.
Um, I think it's gonna, I think it's
really gonna help us in the long run.
Wade Wells: Totally agree.
Totally agree.
I, I find it kind of interesting
right now how there's all these
big SOC companies or all these big
SOC AI companies that are out there
and they like, they bolt onto you.
I think it's only a matter of
time to pretty much what happens
to them happens to SOARs where,
uh, all the SOARs would bolt on.
But then all of a sudden the bigger
companies that own the Splunks,
the CrowdStrike, all these,
they buy out all the SOARs and
then just have the motto attach.
I think the same thing is either gonna
happen to the AI or they're gonna
build the AI functionality into it,
uh, which we're, which we're already
seeing with all the big security tools.
They all say they got it on the roadmap.
Josh Mason: Yep.
Wade Wells: You would know
more about that, Josh.
Josh Mason: Yeah.
Uh, you're, you're right.
Everyone is trying to work
it into every single product.
Um, and I'm, I actually worry that,
uh, at the end of like, whatever season
this is, uh, that our listeners are
gonna be like, we're tired of hearing
about AI in blue teaming, but, um.
Wade Wells: It does so well in
the, so well in the algorithm.
I think it's, it's more important
to talk about, especially with
people like Tom, I feel because.
Everyone's saying the AI's
gonna take Tom's job like that.
Like that's that.
Josh Mason: Yeah.
Wade Wells: to say it, but like, that's
like they're already gonna take, like
as me as a detection engineer, right?
Like I've seen great ones that
are doing exactly the same thing.
It's, uh, but it's important.
I don't think we blast about
too much about it, but I,
Tom Dejong: No,
Wade Wells: people's boots on the
Tom Dejong: a good point.
Wade Wells: uh, opinion
on it is a little better.
Josh Mason: Yeah.
Tom Dejong: go on.
Josh Mason: We've just been
asking a lot of people.
Yeah.
It's cool to hear that, like, you're
not worried about it because I, I don't
think we should be worried about it.
Um, but a lot of people will point at,
oh, it's gonna take like the lowest jobs.
Um,
and in my opinion, that's where
you really need people to do stuff.
Uh, triage on its own is, uh.
It's difficult to do with automation.
It's up there with like pen testing and,
uh, triaging vulnerabilities and, uh,
you know, wearing the synex shirt today.
Uh, they're working on it.
Here's a product, but
there's not a lot of 'em.
And, uh, you definitely still
need humans to do the pen testing.
So.
Or validation of what the agents find.
So, yeah, uh, having an AI that leads into
a SOAR and just automates, uh, actions,
um, it will be an interesting world
when people say, yeah, let's just do it,
Tom Dejong: because they're
Josh Mason: in my opinion.
Tom Dejong: trying to replace
jobs with AI necessarily.
Uh, you know, but I, I, I feel for
analysts that are at companies where,
you know, the company is trying
to replace 'em with AI and I, I, I
have similar feelings towards you.
You know, we do need it down.
Uh.
In the SOC.
Um, it's, it's very useful.
Um, but yeah, I've, and I
haven't ever been too worried
about it taking jobs in general.
Um, I feel like there's a lot of hype
around it and I, I, I, just don't
see it fully taking over the job.
Um, you know, the triage is difficult
and yeah, I, from, from what I've
seen, it does seem like it'll have
some great impacts on us, bud.
Yeah, I'm curious to see where it goes.
And I, myself am trying to be more
creative with it too, because I've
always felt I'm a very analytical person.
Not as much creativity, but uh,
you know, just seeing these, seeing
these things people are doing.
I'm, I, I really am trying to change
my mindset about it and say, well, how
can I use AI to perform at this task?
Uh, you know.
Josh Mason: One thing I've been
wondering about as someone new, uh, to
cyber working at Black Hills, I know.
You got access to the Antisyphon
courses, but is there
other training, um, that you felt
has been valuable for, uh, your
Tom Dejong: interesting question.
Josh Mason: these past couple years?
Tom Dejong: to be completely honest with
you, I haven't done, I've mainly only
been doing the Antisyphon training.
Uh, since I've been at BHIS,
it's, it's hard to, uh, refute it
because it's, because it's free.
Josh Mason: Yeah.
Tom Dejong: yeah.
Yep.
No, I've learned some good stuff
Josh Mason: There's plenty
of it and it's good stuff.
Yeah.
Tom Dejong: I was taking a training,
I definitely would want to start
learning more about cloud stuff.
I mean, that seems, that seems to
be where the industry is going.
And, uh, yeah.
I got, I, I, I, I think that if you could
find some good cloud courses, that would
be very good for SOC analysts now because.
I can, I can look around at the
logs in AWS and Azure, uh, and, you
know, kind of know what's going on.
But, uh, I definitely don't feel as
comfortable with it as I would, uh, uh,
looking at a Windows host or whatnot.
So, so that's something that I
definitely would like to take
more of is some cloud courses.
But I, I can't say I have any
recommendations for courses I've taken.
Josh Mason: So that's
really, uh, useful insight.
Um, I, I figure if someone has
found Simply Defensive, there's
a good chance that they know
that like Wade's got a class on.
Antisyphon.
And a lot of our guests,
especially those for Black Hills,
Tom Dejong: Siphon
Josh Mason: have courses on Antisyphon.
Tom Dejong: on there.
Uh, you know, I've, I've
Josh Mason: not sponsored by the way.
Tom Dejong: Team one, so
they're good at my job.
But, sorry, I was thinking
Josh Mason: Yeah,
Tom Dejong: anything that's not Antisyphon.
No, there's some great ones on there.
People should definitely, oh.
Josh Mason: right, right.
No, that's what I was asking for.
Yeah.
Yeah.
So you're good.
You're good.
Um, one of the things we like to ask
folks, uh, at the end of the episodes,
what's like one piece of advice
you would have for any blue team?
Tom Dejong: Um, I think, think, you know,
just, uh, just know that you're gonna
make mistakes out there and that's okay.
We all make mistakes, uh, and, you know,
try and use them as learning experiences.
Uh, I've, I, you know, I get
nervous that, oh, I'm gonna miss.
Uh, threat and you know, it,
I, it'll sit with me for the
rest of the day or whatnot.
So, so just trying to be able to take
mistakes as they come and move along
and, you know, nobody knows everything.
This is such a, a vast field.
Um, you know, it's important.
it it's important to be able to
utilize the people around you.
Like, you know, you could say, Wade,
Wade knows a lot about EDR stuff.
Well, while I'm doing this
ticket, let's go to him.
Um, and you know, I'd say, I'd say
that when you feel, if you feel like
you're making a mistake, you know,
run it by a teammate that knows more
about it and try and learn from them.
Um, and you'll, I feel like I learn
something new every single day.
Uh, so I try and come at
it from that perspective.
But alright to make mistakes.
Yep.
Yep.
Wade Wells: a good one.
You're not gonna catch everything, right?
Every now and then
something's gonna slip by.
Yeah,
Josh Mason: I recently read
somewhere, uh, someone saying, uh,
I'm continually surprised that the.
Process of trial and error
Tom Dejong: It can be
Josh Mason: requires error.
Tom Dejong: it happens.
I,
Josh Mason: So,
Tom Dejong: that
Josh Mason: yeah.
Tom Dejong: it bothers me when I mess
up, but you know, it's, you just gotta
take a step back and That's funny.
I'll have to look more into that.
Josh Mason: Well, Tom, thank
you so much for joining us.
Uh.
Folks, if you, uh, like the episode,
uh, like share, subscribe, do all those
things and we'll see you on the next one.
Wade Wells: See ya.
Josh Mason: Yeah.
Cool.
