Cybersecurity Incident Response Analyst I

Responsible for handling escalated incidents using proper investigation techniques, processes and procedures. Work in an agile manner to quickly respond to active threats. Works with managed security service provider (MSSP) to tune rules for detection of threats while minimizing false positives/false negatives. Maintains the central knowledge base for all processes, procedures and case documentation for accuracy and completeness. Assists in the mentoring of junior cyber associates to facilitate their development as incident analysts.

What you will do:

• Under broad supervision, investigates incidents that are escalated per procedure. Communicates with customers as appropriate, keeping Cybersecurity Operations Center (CSOC) management informed per incident severity requirements. Follows applicable processes and procedures while maintaining flexibility to “think outside the box” during the investigation in order to find all affected systems, including “patient zero”; performs root-cause analysis; determines attribution if appropriate; completes documentation; and participates in lessons learned post mortem. For high-severity level incidents, functions as a team member on the incident team, interfacing with outside incident response personnel as well as both senior and junior cyber associates. Serves as the SME for the incident response team for one area of incident response, including, but not limited to, endpoint detection and response, application security or network forensics.
• Provides supervision and backup for monitoring capabilities. Works with Cybersecurity Threat Analysts on automation recommendations. Evaluates and makes recommendations to Senior Cybersecurity Analysts. Leads project team to implement improvements.
• Ensures process, procedure and system documentation are complete and followed consistently. Assists senior cyber associates in creating, revising, and maintaining processes and procedures related to continuous monitoring, triage, incident analysis and incident response activities. Consults with other cyber associates to continuously improve those processes and procedures, and works with other associates to ensure that when new tools or external inputs change that the documentation is adjusted accordingly.
• Assists in the mentoring and training of junior cyber associates to learn proper investigation techniques, documentation requirements and evidence handling. Serves as a technical consultant to those associates. Functions as a technical contact for managed security service provider (MSSP) analysts when technical questions arise, consulting with senior analysts and management for guidance as appropriate.
• Assists more senior analysts and managed security service providers in documenting and implementing use case detections. Participates in periodic use case reviews and works with other analysts to adjust existing use cases under broad supervision.
• Communicates with CSOC management, cyber and information security staff members, and customers in written and verbal communication regarding investigations and status updates. Maintains need-to-know discretion for all investigations.
• Interfaces regularly with the Cybersecurity Engineer to test and improve custom tools, suggesting features and improvements in order to improve efficiency and productivity. During investigations, communicates with the engineer in order to quickly gather the information needed in the most efficient manner possible, giving constructive feedback on custom tools provided in that process.
• Performs knowledge sharing with team members through meetings, presentations and written communications. Creates, revises and maintains documentation of incident response processes and procedures in the central knowledge base.
• Participates in after incident lessons learned meetings to give input on recommendations for process or procedure improvements, and to provide mitigation recommendations to reduce future incidents or minimize their impact.
• Tracks performance metrics and provides timely updates to CSOC management.
• Performs other duties as assigned.
• Complies with all policies and standards.

• Bachelor's Degree In information assurance, information systems, computer science, IT, or commensurate selection criteria experience. (Required)
• Proven experience in threat detection technologies, including intrusion detection and prevention systems (IDS/IPS), security incident and event management (SIEM) technology, and network packet analyzers. Experience with security data analytics, endpoint protection, malware analysis and forensics tools are highly desired. (Required) and
• Demonstrated experience in incident analysis and response activities, including execution of response and analysis plans, processes and procedures, and performing root-cause analysis. Experience in a SOC environment is preferred. (Required) and
• Proven experience on both Linux-based and MS Windows-based system platforms with a strong IT technical understanding and aptitude for analytical problem-solving. (Required) and
• Basic experience with one or more scripting languages (examples: Python, Perl, Java or Ruby). (Required) and
• Experience with security tools, including, but not limited to, IDS (snort or suricata preferred), IPS, data analytics software, SIEM solutions (Sentinel preferred), web application firewall (WAF), malware analysis, knowledge base platforms and live response/forensics tools. (Required)
• Demonstrated ability to serve as a subject matter expert in one or more areas of incident response, including, but not limited to, endpoint detection and response, application security or network forensics.
• Proven SIEM utilization skills, including the ability to review and analyze security events from various monitoring and logging sources to identify or confirm suspicious activity.
• Proven basic working knowledge of each of the specialty areas of cybersecurity (Threat Intelligence, Threat Hunting, Digital Forensics).
• Demonstrated knowledge of current security trends, threats and techniques. Demonstrated self-driven desire to continually learn and grow in knowledge related to the constantly evolving threat landscape.
• Demonstrated strong understanding of enterprise, network, system and application level security issues.
• Proven understanding of the current vulnerabilities, response and mitigation strategies used in cyber security.
• Demonstrated strong team player - collaborate well with others to solve problems and actively incorporate input from various sources.
• Proven customer focus, evaluates decisions through the eyes of the customer; builds strong customer relationships and creates processes with customer viewpoint.
• Demonstrated analytical skills - continuously defines problems, collects or interprets data, establishes facts, anticipates obstacles and develops plans to resolve; strong problem solving skills while communicating in a clear and succinct manner effectively evaluating information/data to make decisions.
• Proven inherent passion for information security and service excellence.
• Demonstrated excellent verbal and written communication skills; frequently expresses exchanges or prepares accurate information conveying information to internal and external customers in a clear, focused and concise manner. Continuously conforms to proper rules of punctuation, grammar, diction and style.
• Proven self-starter with strong internal motivation. Proven ability to work with broad supervision or direction.
• Demonstrated ability to work under multiple deadlines with broad supervision. Cite examples of successfully organizing and effectively completing projects where given minimal direction.
• Proven ability to continuously perform an activity such as preparing and analyzing data and figures, and transcribing.
• Linux-based and MS Windows-based system platforms.
• Strong understanding of enterprise, network, system and application level security issues.
• Understanding of enterprise computing environments, distributed applications, and a strong understanding of TCP/IP networks.
• Fundamental or greater understanding of encryption technologies.
• Knowledge of Identity & Access Management practices, systems and controls.
• Candidate encouraged to hold one or more of the following security certifications: Certified Information Systems Security Professional (CISSP), GIAC Certifications (GCIH, GCIA for example), Certified Ethical Hacker (CeH).

Work Setting/Position Demands:

• Works in an office setting and remains in a stationary position for long periods of time while working at a desk, on a computer or with other standard office equipment, or while in meetings.
• Requires the ability to verbally communicate and exchange accurate information to customers and associates on a regular basis.
• Requires visual acuity to read and interpret a variety of correspondence, procedures, reports and forms via paper and electronic documents, visual inspection involving small defects; small parts, and/or operation of machinery (including inspection); using measurement devices continuously. Visual acuity is required to determine accuracy, neatness, and thoroughness of work assigned.
• Requires the ability to prepare written correspondence, reports and forms using prescribed formats and conforming to rules of punctuation, grammar, diction, and style on a regular basis.
• Requires the ability to apply principles of logical thinking to define problems, collect data, establish facts, and draw valid conclusions
• Performs substantial movement of wrists, hands, and fingers for continuous computer work.
• Extended hours required during peak workloads or special projects/events.

Travel Requirements:

• Occasional travel may be required.