Responsible for handling escalated incidents of all severities using proper investigation techniques, processes, and procedures. Work with managed security service provider (MSSP) to tune rules for detection of threats while minimizing false positives/false negatives. Maintains the central knowledge base for all processes, procedures, and case documentation for accuracy and completeness. Mentors junior cyber associates to facilitate their development as incident analysts. Works with the Cyber Security Engineer on custom tool requirements to support incident analysis activities. Integrate threat intelligence into detection and prevention capabilities in order to respond to active threats in an agile manner.
Under limited supervision, investigates incidents that are escalated per procedure. Communicates with customers as appropriate, keeping Cyber Security Operations Center (CSOC) management informed per incident severity requirements. Follows applicable processes and procedures while maintaining the flexibility to “think outside the box” during the investigation in order to find all affected systems including “patient zero”; perform root cause analysis; determine attribution if appropriate; complete documentation; and participate in lessons learned post mortem. For high severity level incidents, functions as a member of the incident team, interfacing with outside incident response personnel as well as both senior and junior cyber associates.
Creates, revises, and maintains processes and procedures related to continuous monitoring, triage, incident analysis, and incident response activities. Consults with other cyber associates to continuously improve those processes and procedures, and ensures that the documentation is adjusted accordingly when new tools or external inputs change.
Mentors and trains junior cyber associates on proper investigation techniques, documentation requirements, and evidence handling. Serves as a technical consultant to those associates. Functions as a technical contact for managed security service provider (MSSP) analysts when technical questions arise, consulting with senior analysts and management for guidance as appropriate.
Performs rule creation, system tuning, rule tuning, and threat intelligence integration in order to improve the detection capabilities of the security systems.
Communicates with CSOC management, cyber and information security staff members, and customers in written and verbal communication regarding investigations and status updates. Maintains need-to-know discretion for all investigations.
Interfaces regularly with the Cyber Security Engineer to test and improve custom tools, suggesting features and improvements in order to improve efficiency and productivity. During investigations communicates with the engineer in order to quickly gather the information needed in the most efficient manner possible, giving constructive feedback on custom tools provided in that process.
Performs knowledge sharing with team members through meetings, presentations, and written communications. Creates, revises and maintains documentation of incident response processes and procedures in the central knowledge base.
Participates in after-incident lessons learned meetings to give input on recommendations for process or procedure improvements, and to provide mitigation recommendations to reduce future incidents or minimize their impact.
Tracks performance metrics and provides timely updates to CSOC management.
Potential on-call support during nights and weekends.
Performs other duties as assigned by management.
Demonstrated experience in threat detection technologies including: intrusion detection and prevention systems (IDS/IPS), security incident and event management (SIEM) technology, and network packet analyzers. Experience with security data analytics, endpoint protection, malware analysis, and forensics tools are highly desired.
Proven SIEM utilization skills including the ability to review and analyze security events from various monitoring and logging sources to identify or confirm suspicious activity.
Demonstrated experience in incident analysis and response activities, including execution of response and analysis plans, processes and procedures and performing root cause analysis.
Experience in a SOC environment is preferred.
Proven ability to analyze large data sets and unstructured data for the purpose of identifying trends and anomalies indicative of malicious activity.
Demonstrated knowledge of current security trends, threats, and techniques. Demonstrated self-driven desire to continually learn and grow in knowledge related to the constantly evolving threat landscape.
Proven experience on both Linux-based and MS Windows-based system platforms with a strong IT technical understanding and aptitude for analytical problem-solving.
Demonstrated strong understanding of enterprise, network, system and application level security issues.
Proven understanding of the current vulnerabilities, response, and mitigation strategies used in cyber security.
Demonstrated strong team player – collaborate well with others to solve problems and actively incorporate input from various sources. Proven experience motivating fellow team members toward excellence and project completion.
Proven customer focus – evaluates decisions through the eyes of the customer; builds strong customer relationships and creates processes with the customer viewpoint in mind.
Demonstrated analytical skills – continuously defines problems, collects or interprets data, establishes facts, anticipates obstacles, and develops plans to resolve them; strong problem-solving skills while communicating in a clear and succinct manner, effectively evaluating information / data to make decisions.
Proven inherent passion for information security and service excellence.
Demonstrated excellent verbal and written communication skills; frequently expresses, exchanges, or prepares accurate information conveying information to internal and external customers in a clear, focused, and concise manner. Continuously conforms to proper rules of punctuation, grammar, diction, and style.
Proven self-starter with strong internal motivation. Proven ability to work with general supervision or direction.
Demonstrated ability to work under multiple deadlines with general supervision. Cite examples of successfully organizing and effectively completing projects where given minimal direction.
Proven ability to perform activities such as: preparing and analyzing data and figures; transcribing; viewing a computer terminal; extensive reading.
Visual acuity is required to determine accuracy, neatness, and thoroughness of work assigned. Extensive reading and long periods of viewing a computer terminal.
Frequently remains in a stationary position (sitting or standing).
Occasionally makes substantial movements (motions) of the wrists, hands and/or fingers.
Occasionally moves about to accomplish tasks, particularly moving from one work station to another.
Bachelor’s Degree in Information Assurance, information systems, computer science, IT, or commensurate selection criteria experience.
Computer Skills and Knowledge of Hardware & Software Required:
Linux-based and MS Windows-based system platforms.
Strong understanding of enterprise, network, system and application level security issues.
Understanding of enterprise computing environments, distributed applications, and a strong understanding of TCP/IP networks.
Fundamental or greater understanding of encryption technologies.
Basic experience with one or more scripting languages (examples: Python, Perl, Java, or Ruby).
Knowledge of Identity & Access Management practices, systems and controls.
Experience with security tools including but not limited to IDS (Snort or Suricata preferred), IPS, data analytics software, SIEM solutions (QRadar preferred), web application firewall (WAF), malware analysis, knowledge base platforms, and live response/forensics tools.
Certifications & Licenses (i.e., Series 6 & 63, CPA, etc.):
Candidate encouraged to hold one or more of the following security certifications: Certified Information Systems Security Professional (CISSP), GIAC certifications (GCIH, GCIA for example), Certified Ethical Hacker (CEH).
Extended hours required during peak workloads or special projects and off-hour support.
Occasional travel may be required.