The Metropolitan Transportation Authority (MTA) is seeking a qualified consultant who is a Splunk subject matter expert (SME). This SME will work closely with MTA IT Security to further develop, document and implement the MTA Splunk system architecture, and provide assistance in implementation of various best practices and use cases on MTA Splunk System.
The SME will work with MTA IT staff members to operationalize and optimize the uses of Splunk, transfer knowledge, and integrate Splunk with all MTA IT Security tools including but not limited to RSA, EPO, and Palo Alto across all MTA IT environments, especially PeopleSoft, PCI, etc.
Splunk SME Requirement, Roles, and Responsibilities:
The SME will work with the various functional teams to identify and coordinate data sources and to configure them into Splunk with the appropriate use cases, as required by NY State Cyber Security Policy standards and guidelines.
Where needed, the SME will implement additional hardware components to the existing Splunk Architecture including (but not limited to) Deployment Servers, Indexers, Forwarders, and Search Heads.
The SME will deploy software updates, including Splunk Apps, on all operating systems including Linux and Microsoft Windows. Knowledge of third-party tools such as Syslog-NG is also required.
This SME will provide knowledge transfer to the MTA IT Security project teams for all Splunk endeavors.
The SME consultant will have experience with the Splunk platform, its search language and GUI, and knowledge of other security and compliance tools and how they integrate with Splunk.
The SME will be required to create various dashboards and alerts and to automate the integration of Splunk with various security controls.
Develop use cases for authentication tracking and account compromise detection; admin and user tracking.
Develop use cases for compromised- and infected-system tracking; malware detection by using outbound firewall logs, NIPS alerts and Web proxy logs, as well as internal connectivity logs, network flows, etc.
Validating intrusion detection system/intrusion prevention system (IDS/IPS) alerts by using vulnerability data and other context data about the assets collected in Splunk.
Monitoring for suspicious outbound connectivity and data transfers by using firewall logs, Web proxy logs and network flows; detecting exfiltration and other suspicious external connectivity.
Tracking system changes and other administrative actions across internal systems and matching them to allowed policy; detecting violations of various internal policies, etc. [and, yes, even the classic “root access from an unknown IP in a foreign country at 3AM, leading to system changes” sits here as well]
Tracking of Web application attacks and their consequences by using Web server, WAF and application server logs; detecting attempts to compromise and abuse web applications by combining logs from different components.
Integrate various security controls with Splunk to automate protection and/or block further threats.
Assist with threat investigation.
Document all Splunk-related implementation, use cases, processes and procedures.
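The "root access from an unknown IP in a foreign country at 3AM, leading to system changes" use case listed above, as an added example that is not part of the MTA posting or of any Splunk app: the correlation logic in Python over constructed login and change events. The event format, the IP-to-country table (a stand-in for a GeoIP lookup such as Splunk's iplocation), the home country, the off-hours window and the change window are all assumed values; in Splunk the same logic would be a scheduled correlation search.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real MTA logs): key=value auth and change records.
SAMPLE_LOGS = """\
2024-03-10T03:12:07 host=app01 action=login user=root src_ip=203.0.113.45 result=success
2024-03-10T03:14:30 host=app01 action=config_change user=root path=/etc/ssh/sshd_config
2024-03-10T09:05:11 host=app02 action=login user=root src_ip=10.20.0.15 result=success
2024-03-10T09:06:02 host=app02 action=config_change user=root path=/etc/hosts
2024-03-10T02:40:00 host=db01 action=login user=root src_ip=198.51.100.9 result=success
"""

# Constructed stand-in for a GeoIP lookup; Splunk's iplocation would supply this field.
IP_COUNTRY = {"203.0.113.45": "XX", "198.51.100.9": "YY", "10.20.0.15": "US"}
HOME_COUNTRY = "US"                 # assumed: where admin logins are expected from
OFF_HOURS = range(0, 6)             # assumed: 00:00-05:59 local time
CHANGE_WINDOW = timedelta(minutes=30)  # assumed: how soon after login a change counts


def parse(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def detect_offhours_root_changes(raw):
    """Return alerts for off-hours root logins from outside HOME_COUNTRY that are
    followed by a config change on the same host within CHANGE_WINDOW."""
    events = [parse(l) for l in raw.strip().splitlines()]
    suspicious_logins = [
        e for e in events
        if e["action"] == "login" and e["user"] == "root" and e["result"] == "success"
        and e["ts"].hour in OFF_HOURS
        and IP_COUNTRY.get(e["src_ip"], "unknown") != HOME_COUNTRY
    ]
    alerts = []
    for login in suspicious_logins:
        # Correlate: a change on the same host inside the window after the login.
        changes = [
            c for c in events
            if c["action"] == "config_change" and c["host"] == login["host"]
            and login["ts"] <= c["ts"] <= login["ts"] + CHANGE_WINDOW
        ]
        if changes:  # a lone off-hours login (db01) is noted elsewhere, not alerted here
            alerts.append({"host": login["host"], "src_ip": login["src_ip"],
                           "country": IP_COUNTRY.get(login["src_ip"], "unknown"),
                           "changes": [c["path"] for c in changes]})
    return alerts
```

On the sample data only app01 fires: the app02 login is during business hours from the home country, and the db01 off-hours login has no follow-on change.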