Cybersecurity Detection Engineer

Job Description:

This is a hybrid position with occasional visits to client site in Washington, D.C.

AT&T Global Public Sector is a trusted provider of secure, IP enabled, cloud-based, network solutions and professional services to the Federal Government.   We are dedicated to recruiting, developing and empowering a diverse, high-performing workforce that is passionate about what they do, committed to our shared values and dedicated to our customers’ mission.

The detection engineer blends technical skills, threat research experience, and knowledge of adversary techniques to work with new and existing data sources to create high fidelity, actionable alerts the client SOC can use to quickly and effectively identify, analyze, and eradicate cybersecurity threats. This individual will be familiar with adversary Tactics, Techniques, and Procedures (TTPs), and will identify opportunities to improve the effectiveness of existing detection efforts. They will be responsible for developing methodologies to maintain and maximize the integrity and effectiveness of existing alerting through the creation, periodic review, testing, and validation of custom detection content. Additionally, they will leverage cybersecurity threat intelligence and collaborate with the SOC’s incident response teams to meet operational needs and defend against real-world threats.

Job Duties/Responsibilities:

1. A minimum of three years of experience working in detection engineering, threat hunting, security operations, or incident response using Splunk Enterprise Security or Microsoft Sentinel.

2. Experience with the processes to add/update/delete detection rules in Splunk Enterprise Security and Microsoft Sentinel.

3. Proficient in detection engineering methodologies including SNORT and YARA rules.

4. Proficient in Python programming, Bash, and PowerShell.

5. Proficient in Splunk’s Search Processing Language, React, Kusto Query Language, and the Common Information Model (CIM)

6. Knowledgeable and experienced in leveraging cybersecurity threat intelligence, indicators of compromise, STIX/TAXII data feeds, MITRE ATT&CK, and SIEM integrations.

7. Strong experience in networking principles, operating systems (Linux / Windows), and security tools such as IDS/IPS, firewalls, proxy servers and Endpoint Detection and Response (EDR).

8. Knowledge of Windows Sysinternal Suite (including Sysmon) Unix auditd, and how to tune configuration files for identification of malicious activity.

9. At least one of the following certifications: Splunk Enterprise Security Certified Admin credential or have passed the AZ-500 Microsoft Azure Security Technologies exam.

Key Responsibilities:

• Develop and refine detection techniques to identify malicious activities and security breaches.

• Analyze descriptions of IOCs and design effective searches to detect these activities in large data sets.

• Create and maintain detection content, ensuring it is up-to-date with the latest threat intelligence.

• Collaborate with threat hunters to continuously improve detection capabilities.

• Utilize advanced Splunk query skills to develop and run complex searches and analyze security data.

• Ensure the accuracy and efficiency of detection mechanisms to reduce false positives and improve response times.

Required Clearance:

Able to pass police background check.

Required Qualifications:

• Proven experience as a Detection Engineer, with a strong emphasis on detection engineering as a primary job function.

• In-depth knowledge of threat hunting methodologies and experience working as a threat hunter.

• Expertise in Splunk, including the ability to create and optimize complex queries independently.

• Demonstrated ability to analyze and interpret various data sets to identify suspicious activities.

• Strong understanding of cyber security threats, vulnerabilities, and attack vectors.

• Ability to work independently and collaboratively within a team environment.

Desired Qualifications:

• Certifications related to cyber security and detection engineering (e.g., GIAC Certified Detection Analyst, Splunk Certified User).

• Experience in a Security Operations Center (SOC) environment, specifically in a detection engineering role.

• Familiarity with other security information and event management (SIEM) tools and technologies.

Note: This position is not an entry-level role. We require candidates with substantial experience in detection engineering, not just occasional detection creation as part of a SOC analyst role. Candidates who have primarily worked as SOC analysts and only occasionally created detections will not be considered suitable for this role. We are looking for individuals who have demonstrated a consistent focus on detection engineering throughout their career.

Weekly Hours:

40

Time Type:

Regular

Location:

Oakton, Virginia

It is the policy of AT&T to provide equal employment opportunity (EEO) to all persons regardless of age, color, national origin, citizenship status, physical or mental disability, race, religion, creed, gender, sex, sexual orientation, gender identity and/or expression, genetic information, marital status, status with regard to public assistance, veteran status, or any other characteristic protected by federal, state or local law. In addition, AT&T will provide reasonable accommodations for qualified individuals with disabilities.