Meet the Logician: Sota Aoki

Logician

Detection Strategies

Welcome to the sixth installment of the “Meet the Logician” blog series, where we highlight the people and users that form Anvilogic. 

This week we’re featuring one of our awesome customers: Sota Aoki, Security Engineer at Rakuten Mobile. Born in Japan and raised in the United States, Sota maintained a strong connection to his Japanese heritage while growing up. After completing high school, Sota returned to Japan for college, where he studied social sciences, with no plans to pursue a career in cybersecurity. When he joined Rakuten Mobile fresh out of college, he assumed he’d be assigned a sales or marketing position. But as luck would have it, Sota was unexpectedly assigned to the security operations center (SOC). Now four years later, he’s moved through a couple of SOC roles and continues to embrace the unexpected.

Cybersecurity has opened many doors for Sota, including speaking at this year’s .conf — Splunk’s annual user conference with our own Rohith Kondeti (check out their session here)! We sat down with Sota to discuss his journey, why Anvilogic is a big help to Splunk users like himself, and why being assigned to the SOC was the best thing to happen to him. 

It must have been a huge shift coming from a primarily social science background to tech and cybersecurity. How was your transition?

Everything was new to me. At first, it felt like a mistake because it was different from what I expected. But in hindsight, it ended up being one of the best decisions. Because I didn’t study any kind of tech or IT, my first year in cybersecurity was just studying the basics. And even today, I’m still studying. Even the most seasoned people still have to study, and that’s one of the reasons I enjoy this domain because you’ll never be at the point where you know everything, so you always have to keep pushing yourself. 

What type of SOC role did you have when you first started at Rakuten Mobile, and how did you transition into your current role as a detection engineer? 

My first role was just triaging and investigating alerts, and if an incident happened, I would do incident response to see what happened. When my department manager, Eric, joined, he saw the need for teams to have more specific tasks, so he separated the SOC into a number of teams, including a detection engineering team. Because Anvilogic was onboarded before he joined, and I had been on those calls with the Anvilogic team for about a year, Eric saw an opportunity for me to join this new detection engineering team. I saw it as a pretty comfortable transition for me, and that’s what I’m still doing today.

What does a typical day look like for you and your team? 

Most of our day is spent on making sure we’re filling our gaps to ensure our SOC has more visibility while testing our use cases and verifying our high-fidelity alerts. We work closely with other teams, especially our threat intelligence team, to see if any new attacks or threats are out there and deploy new use cases. We also work with our assurance team to address any gaps in our environment and make sure we get a detection in place to address it and increase our SOC maturity.  

Any challenges you face in your normal day-to-day?

Because cybersecurity is a domain that is ever-changing, you have to be flexible to focus on something new that may come up. You may be focusing on one project, but then a new zero-day vulnerability comes out. You have to be able to shift your focus or priority and respond quickly while still keeping the quality of your work high. It is sometimes challenging, but I think it’s the beauty of this domain. 

How has Anvilogic made your and your team’s lives easier?

Speed is extremely important, like being able to respond to new attacks. But at the same time, quality is equally as important. Anvilogic helps us to overcome both speed and quality. If there’s a new attack out there, I can already count on Anvilogic to have a use case on its platform. And deploying is extremely easy — a single push of a button, you can have your rule out there. And being able to test the quality of the detection is also not difficult to do. So Anvilogic helps us overcome the main challenge of being able to respond quickly but, at the same time, maintain that quality for high-fidelity alerting.   

This year will be your first time speaking at Splunk .conf – congratulations! What would you say is a benefit of Anvilogic that can really help out a fellow Splunk user?

Threat scenarios, the correlation of a singular detection, is something that is very helpful for our SOC in terms of alert fidelity. Before implementing Anvilogic, we had a lot of singular detections made with generic Splunk use cases, and it was causing a lot of alerts to trigger and causing alert fatigue for analysts. After implementing Anvilogic, we were able to take these singular detections and form a scenario based on sequential alerting. This decreased our false positives and painted a more specific picture for the analyst to understand the whole attack chain, which allowed them to triage alerts more promptly and solved their alert fatigue. 

In addition, we were having issues creating use cases. It’s very difficult to create your own logic from scratch. Although we did map our use cases to the MITRE ATT&CK framework, it’s still difficult to try to track all of that. Implementing Anvilogic made it easier for us to visualize which MITRE tactics were actually covered. And if not, we could just click into the platform to see what kind of use cases are available to cover that tactic. 
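The sequential alerting Sota describes above, as an added illustration that is not Anvilogic's or Rakuten Mobile's code: a small correlator replays singular detections in time order and raises one scenario alert only when a single entity's detections hit an ordered list of ATT&CK tactics inside a time window. The scenario, the stage names, the detection names and the sample alerts are all constructed for the example; the `summarize` function shows the analyst-facing alert count before and after correlation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Alert:
    """One singular detection as it would come out of a SIEM search."""
    ts: datetime
    entity: str   # host or user the detection fired on
    tactic: str   # MITRE ATT&CK tactic the detection is mapped to
    name: str


@dataclass(frozen=True)
class Scenario:
    """Ordered tactics that must all fire on one entity inside `window`."""
    name: str
    stages: List[str]
    window: timedelta


@dataclass(frozen=True)
class ScenarioAlert:
    scenario: str
    entity: str
    evidence: List[Alert]  # the singular alerts that formed the chain


def correlate(alerts: List[Alert], scenario: Scenario) -> List[ScenarioAlert]:
    """Replay singular alerts in time order and track each entity's progress
    through the scenario's stages. Only a completed chain produces an alert;
    lone, out-of-order or stale detections never reach the analyst."""
    progress: Dict[str, List[Alert]] = {}
    found: List[ScenarioAlert] = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        chain = progress.get(alert.entity, [])
        # Drop a partial chain whose first stage is older than the window.
        if chain and alert.ts - chain[0].ts > scenario.window:
            chain = []
        expected = scenario.stages[len(chain)]
        if alert.tactic == expected:
            chain = chain + [alert]
            if len(chain) == len(scenario.stages):
                found.append(ScenarioAlert(scenario.name, alert.entity, chain))
                chain = []  # the next occurrence has to rebuild the whole chain
        progress[alert.entity] = chain
    return found


def summarize(alerts: List[Alert], scenario: Scenario) -> Dict[str, int]:
    """How many alerts an analyst would see before and after correlation."""
    return {"singular": len(alerts), "scenario": len(correlate(alerts, scenario))}


# Constructed scenario: three tactics, in order, within two hours on one host.
SCENARIO = Scenario(
    name="Suspicious logon followed by persistence",
    stages=["credential_access", "initial_access", "persistence"],
    window=timedelta(hours=2),
)


def at(hour: int, minute: int) -> datetime:
    return datetime(2023, 7, 5, hour, minute)


# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS = [
    # ws-017 completes the whole chain inside the window.
    Alert(at(9, 0), "ws-017", "credential_access", "Repeated failed logons"),
    Alert(at(9, 5), "ws-017", "initial_access", "Logon from unfamiliar location"),
    Alert(at(9, 20), "ws-017", "persistence", "New scheduled task created"),
    # ws-042 only fires noisy singular detections, and out of order.
    Alert(at(9, 2), "ws-042", "credential_access", "Repeated failed logons"),
    Alert(at(9, 10), "ws-042", "persistence", "New scheduled task created"),
    # ws-099 hits every stage, but the first one is stale when the rest arrive.
    Alert(at(8, 0), "ws-099", "credential_access", "Repeated failed logons"),
    Alert(at(11, 30), "ws-099", "initial_access", "Logon from unfamiliar location"),
    Alert(at(11, 40), "ws-099", "persistence", "New scheduled task created"),
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_ALERTS, SCENARIO):
        steps = " -> ".join(a.name for a in hit.evidence)
        print(f"[{hit.scenario}] {hit.entity}: {steps}")
    print(summarize(SAMPLE_ALERTS, SCENARIO))
```

Run on the constructed input, eight singular alerts collapse into one scenario alert for ws-017, and that alert carries the three underlying detections as evidence, which is what gives the analyst the attack-chain picture rather than three unrelated tickets. The window check is what keeps ws-099 quiet: a stale first stage is discarded instead of being joined to activity hours later.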

Were you or anyone on your team well-versed in Splunk’s Search Processing Language (SPL) to create the search logic for those use cases?

Splunk was very new to me, so SPL was something I had to learn from scratch. Some guys had a couple of years of SPL under their belt, but no one was really an SPL master if you will. So being able to work with Anvilogic, with guys that were more experienced in SPL, and in a platform where you can see the code has been really helpful.  

What advice would you give the Sota of four years ago? 😏

Cybersecurity is a huge domain, and it’s very intimidating at first, but sticking to it and finding that one thing that keeps you going will be the difference maker, and it’ll pay off at the end of the day. Being able to experience different roles in the SOC, I noticed that I’m more interested in detection engineering, and it was the one thing that kept me going. And obviously, Anvilogic has helped me get to where I am today. 

What about being a detection engineer has resonated with you and kept you going?

We call ourselves the Purple Team because we’re between the Red and Blue Teams. What I enjoy about it is knowing that to create a more mature blue team, you have to understand how an attack works, and that’s what's very interesting to me in this world. You get to understand both sides and how often do you get to see both? That’s what I find really intriguing about this role. 

To close out our interview, I’ve developed what I like to call “The Logician Disposition”: 10 rapid-fire questions to help us get to know you better beyond what you do for a living. 

  1. iPhone or Android? iPhone.
  2. What’s your drink order? Gin and tonic.
  3. Where would you live if you could live anywhere else in the world? Edinburgh, Scotland.
  4. What’s one thing you own that you really should get rid of? I’m really into basketball and have a bad habit of keeping my old shoes.
  5. What’s your favorite sound? Rain. I don’t like rain, but I like the sound of it.
  6. What’s your least favorite sound? Japan has a lot of earthquakes, so every time there’s an earthquake above a certain magnitude, everyone’s phone in the country makes a sound. It’s like an iPhone alarm going off at a very annoying frequency. 
  7. What’s your go-to karaoke song? Eminem - Lose Yourself.
  8. What’s an unpopular opinion you have? This is very specific to Japanese culture, but I prefer bread for breakfast over rice. 
  9. What’s your last meal? Mexican food. They don’t really have it here, and if they do, it’s super expensive. I’ve been craving it for the longest time, so when I go to Vegas for .conf, I’m definitely going to get some Mexican food. 
  10. What’s one thing you’re looking forward to this year? Vegas!

Are you attending .conf23 in Las Vegas? Come find us at our booth and check out Sota’s session with our Forward Deployed Engineer Rohith Kondeti: SEC1614A - Beat the Fatigue: Defend Against MFA Attack Techniques with Splunk Enterprise

July 5, 2023