SIEM Content Developer

Primary Responsibilities:

• Experience with creating and implementing custom IOCs and IOAs in Crowdstrike

• Experience with triaging and investigating hosts using Crowdstrike

• Experienced with updating McAfee AV signatures

• Experience with creating and maintain custom Tanium packages for collecting artifacts for continuous monitoring

• Provide recommendations for tuning and/or triaging notable events

• Perform critical thinking and analysis to investigate cyber security alerts

• Analyze network traffic using enterprise tools (e.g. Full PCAP, Firewall, Proxy logs, IDS logs, etc)

• Collaborate with team members to analyze an alert or a threat

• Stay up to date with latest threats and familiar with APT and common TTPs

• Utilize OSINT to extrapolate data to pivot and identify malicious activity

• Have experience with dynamic malware analysis

• Have experience performing analysis of network traffic and correlating diverse security logs to perform recommendations for response

• Utilize the Cyber Kill Chain and synthesize the entire attack life cycle

• Review and provide feedback to junior analysts’ investigation

• participate in discussions to make recommendations on improving SOC visibility or process

• Contribute to SOP development and updating

• Provide expert guidance and mentorship to junior analysts

Basic Qualifications:

Candidates must have extensive experience working with various security methodologies and processes, advanced knowledge of TCP/IP protocols, experience configuring and implementing various technical security solutions, extensive experience providing analysis and trending of security log data from a large number of heterogeneous security devices, and must possess expert knowledge in two or more of the following areas related to cybersecurity:

• Vulnerability Assessment
• Intrusion Prevention and Detection
• Access Control and Authorization

• Policy Enforcement
• Application Security
• Protocol Analysis
• Firewall Management
• Incident Response

• Encryption
• Web-filtering
• Advanced Threat Protection

Must have at least one of the following certifications:

SANS GIAC: GCIA, GCIH, GCFA, GPEN, GWAPT, GCFE, GREM, GXPN, GMON, GISF, or GCIH

EC Council: CEH, CHFI, LPT, ECSA

ISC2: CCFP, CCSP, CISSP CERT CSIH

Offensive Security: OSCP, OSCE, OSWP and OSEE

• Must have TS/SCI. In addition to specific security clearance requirements, all Department of Homeland Security SOC employees are required to obtain an Entry on Duty (EOD) clearance to support this program.

• The ideal candidate is a self-motivated individual in pursuit of a career in cyber security.

• Experienced with developing advanced correlation rules utilizing tstats and datamodels for cyber threat detection

• Experienced with creating and maintaining Splunk knowledge objects

• Experienced managing and maintaining Splunk data models

• Expertise in developing custom SPL using macros, lookups, etc and network security signatures such as SNORT and YARA

• Experience creating regex for pattern matching

• Implemented security methodologies and SOC processes

• Extensive knowledge about network ports and protocols (e.g. TCP/UDP, HTTP, ICMP, DNS, SMTP, etc)

• Experienced with network topologies and network security devices (e.g. Firewall, IDS/IPS, Proxy, DNS, WAF, etc).

• Hands-on experience utilizing network security tools (e.g. Sourcefire, Suricata, Netwitness, o365, FireEye, etc) and SIEM

• Experience in a scripting language (e.g. Python, Powershell, etc) and automating SOC processes/workflow

• Experience training and mentoring junior analysts

• Extensive knowledge of common end user and web application attacks and countermeasures against attacks

• Experience developing custom workflows within Splunk to streamline SOC processes

• Experience creating SOPs and providing guidance to junior analysts

• Ability to analyze new attacks and provide guidance to watch floor analysts on detection and response

• Knowledgeable of the various Intel Frameworks (e.g. Cyber Kill Chain, Diamond Model, MITRE ATT&CK, etc) and able to utilize it in their analysis workflow

• Experience with cloud (e.g. o365, Azure, AWS, etc) security monitoring and familiar with cloud threat landscape

• Knowledgeable of APT capabilities and be able to implement appropriate countermeasures

Required Education/Experience: All Tier 2 analyst candidates shall have a minimum a bachelor’s degree in Computer Science, Engineering, Information Technology, Cybersecurity, or related field PLUS eight (8) years of experience in incident detection and response, malware analysis, or cy