SIEM Content Developer

Primary Responsibilities:  

• Experience with creating and implementing custom IOCs and IOAs in Crowdstrike 

• Experience with triaging and investigating hosts using Crowdstrike 

• Experienced with updating McAfee AV signatures 

• Experience with creating and maintain custom Tanium packages for collecting artifacts for continuous monitoring 

• Provide recommendations for tuning and/or triaging notable events 

• Perform critical thinking and analysis to investigate cyber security alerts 

• Analyze network traffic using enterprise tools (e.g. Full PCAP, Firewall, Proxy logs, IDS logs, etc) 

• Collaborate with team members to analyze an alert or a threat 

• Stay up to date with latest threats and familiar with APT and common TTPs 

• Utilize OSINT to extrapolate data to pivot and identify malicious activity 

• Have experience with dynamic malware analysis 

• Have experience performing analysis of network traffic and correlating diverse security logs to perform recommendations for response 

• Utilize the Cyber Kill Chain and synthesize the entire attack life cycle 

• Review and provide feedback to junior analysts’ investigation 

• participate in discussions to make recommendations on improving SOC visibility or process

• Contribute to SOP development and updating 

• Provide expert guidance and mentorship to junior analysts 

Basic Qualifications:  

Candidates must have extensive experience working with various security methodologies and processes, advanced knowledge of TCP/IP protocols, experience configuring and implementing various technical security solutions, extensive experience providing analysis and trending of security log data from a large number of heterogeneous security devices, and must possess expert knowledge in two or more of the following areas related to cybersecurity: 

• Vulnerability Assessment 
• Intrusion Prevention and Detection 
• Access Control and Authorization 

• Policy Enforcement 
• Application Security 
• Protocol Analysis 
• Firewall Management 
• Incident Response 

• Encryption 
• Web-filtering 
• Advanced Threat Protection 

Must have at least one of the following certifications:  

SANS GIAC: GCIA, GCIH, GCFA, GPEN, GWAPT, GCFE, GREM, GXPN, GMON, GISF, or GCIH 

EC Council: CEH, CHFI, LPT, ECSA 

ISC2: CCFP, CCSP, CISSP CERT CSIH 

Offensive Security: OSCP, OSCE, OSWP and OSEE 

• Must have TS/SCI. In addition to specific security clearance requirements, all Department of Homeland Security SOC employees are required to obtain an Entry on Duty (EOD) clearance to support this program.

• The ideal candidate is a self-motivated individual in pursuit of a career in cyber security.

• Experienced with developing advanced correlation rules utilizing tstats and datamodels for cyber threat detection 

• Experienced with creating and maintaining Splunk knowledge objects 

• Experienced managing and maintaining Splunk data models 

• Expertise in developing custom SPL using macros, lookups, etc and network security signatures such as SNORT and YARA 

• Experience creating regex for pattern matching 

• Implemented security methodologies and SOC processes 

• Extensive knowledge about network ports and protocols (e.g. TCP/UDP, HTTP, ICMP, DNS, SMTP, etc) 

• Experienced with network topologies and network security devices (e.g. Firewall, IDS/IPS, Proxy, DNS, WAF, etc).

• Hands-on experience utilizing network security tools (e.g. Sourcefire, Suricata, Netwitness, o365, FireEye, etc) and SIEM 

• Experience in a scripting language (e.g. Python, Powershell, etc) and automating SOC processes/workflow 

• Experience training and mentoring junior analysts 

• Extensive knowledge of common end user and web application attacks and countermeasures against attacks 

• Experience developing custom workflows within Splunk to streamline SOC processes 

• Experience creating SOPs and providing guidance to junior analysts 

• Ability to analyze new attacks and provide guidance to watch floor analysts on detection and response 

• Knowledgeable of the various Intel Frameworks (e.g. Cyber Kill Chain, Diamond Model, MITRE ATT&CK, etc) and able to utilize it in their analysis workflow 

• Experience with cloud (e.g. o365, Azure, AWS, etc) security monitoring and familiar with cloud threat landscape 

• Knowledgeable of APT capabilities and be able to implement appropriate countermeasures 

Required Education/Experience: All Tier 2 analyst candidates shall have a minimum a bachelor’s degree in Computer Science, Engineering, Information Technology, Cybersecurity, or related field PLUS eight (8) years of experience in incident detection and response, malware analysis, or cy