Lead Cyber Security Analyst (Remote)

PURPOSE:

The Lead CyberSecurity Analyst is responsible for the monitoring, detection, and analysis of security threats against the distributed enterprise network. The selected candidate should have proven experience and the ability to leverage Computer Network Defense/Blue Team (CND) analyst toolsets to detect and respond to Cyber security incidents. This role conducts research and documents threats and their behavior; provides recommendations for threat mitigation strategies; employs effective communications to clearly manage security incident response procedures; and performs routine event reporting including trend reporting and analysis.

PRINCIPLE ACCOUNTABILITIES: Under the direction of the Manager, CyberSecurity Monitoring, the incumbent is responsible for, but is not limited to, the following:

Duties and Responsibilities:

• Monitor consoles and telemetry directly from a variety of security toolsets and from the SIEM.
• Thoroughly investigate and document security events.
• Audit and review system reports and security logs for unauthorized access, noncompliant activity, or access misuse.
• Monitor and escalate incoming security requests and events of interest from different external and internal sources.
• Follow standard operating procedures for detecting, classifying, and reporting incidents.
• Develop or improve use cases to increase efficacy, performance, or outcomes for security monitoring.
• Participate in incident response activities as necessary.
• Triage (determine scope, severity, and priority) of events in Security Information and Event Management (SIEM) tool or within other security monitoring tools directly.
• Research vulnerabilities in applications and systems. Provide recommendations for resolution and track remediation activities.
• Traffic analysis (at the packet level) and reconstruction of network traffic to discover anomalies, trends, and patterns affecting the customer's networks.
• Analyze firewall logs, Full Packet Capture (PCAP), IDS alerts, Anti-malware alerts, Host Intrusion Prevent System (HIPS), and server and application logs to investigate events and incidents for anomalous activity and produce reports of findings.
• Coordinate with third party providers to ensure appropriate detections are built and deployed.
• Coordinate with Threat Intelligence and Response Operations to enhance time to detection and response.

QUALIFICATION:

Required Education and Experience: Degree or equivalent experience: BA/BS in Information Technology, CyberSecurity, Networking, Information Security, MIS, Computer Science or related field.

Experience Level: Minimum 5 years of demonstrated work experience. (Additional experience may be substituted for educational requirement.)

Along with the basic qualifications, the candidate will need to have experience in the following areas:

• Deployment, configuration and management of Endpoint Detection and Response (EDR/XDR) tools, such as CrowdStrike.
• Experience managing Microsoft Defender for Endpoint.
• Experience in a hybrid multi-cloud environment – Azure highly preferred.
• Experienced in the application and usage of threat analysis models/frameworks such as the Cyber Kill Chain, MITRE ATT&CK, etc.
• Advanced knowledge of threat Tactics, Techniques and Procedures (TTPs), especially in cloud environments and including SaaS services like M365.

Specialized training (preferred, but not required): Transitioning, maintaining, or using security technologies such as Security Incident and Event Management (SIEM), Endpoint protection, Data Loss Prevention, Forensic tools, Network Anomaly Detection, Packet Capture Analysis; Incident response principles or related technical domain that is applied in the context of a broader understanding of CSIRT and related systems and processes.

Licenses/Certifications: One or more of the following certifications are preferred but not required OR the ability to obtain one certification within 6 months.

GCIA (GIAC Certified Intrusion Analyst)

GMON (GIAC Continuous Monitoring)

GCIH (GIAC Certified Incident Handler)

CCFA (CrowdStrike Certified Falcon Administrator)

GSOC (GIAC Security Operations Certified

CCFR (CrowdStrike Certified Falcon Responder)

Microsoft Certified: Security Operations Analyst Associate

CCFH (CrowdStrike Certified Falcon Hunter)

Knowledge, Skills and Abilities (KSAs)

• Must be able to effectively work in a fast-paced environment with frequently changing priorities, deadlines, and workloads that can be variable for long periods of time. Must be able to effectively communicate.
• Incumbent must have a firm understanding of Information and/or Cyber Security principles. Must be able to adapt quickly to understand rapidly changing threat landscape in order to correctly scope and prioritize security events. The incumbent must also be able to achieve certification across multiple domains such as networking, security, development languages, etc.

Required skills:

• Experience preventing, detecting, analyzing and responding to threats against sensitive information.
• Experience triaging security, network and endpoint forensic analysis, threat hunting and vulnerability escalation.
• Experience with security monitoring and reporting tools and conducting security investigations of incidents and events.
• Critical thinking and analytical skills to develop enhanced workflows and use cases for next generation platforms and cloud technology.
• Experience with analyzing large data sets and log files to find correlations and anomalies.
• Ability to utilize native cloud security tools in Azure to design and implement continuous monitoring solutions.
• Advanced knowledge and use of Splunk.

Preferred Skills:

• Ability to script proficiently in either Python or PowerShell
• Advanced knowledge and use of Linux
• OSINT collection and analysis.

Department

Department:

Equal Employment Opportunity

CareFirst BlueCross BlueShield is an Equal Opportunity (EEO) employer. It is the policy of the Company to provide equal employment opportunities to all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information.