Under the general direction of the Associate Chief Information Security Officer (ACISO), the Information Security Incident Response Analyst serves as a technical lead and subject matter expert responsible for managing advanced security operations and incident response efforts that support the mission of the university and protect the confidentiality, integrity, and availability of information assets owned or entrusted to UC Davis.
This position is vital to the Security Operations Center’s (SOC) ability to conduct complex security incident investigations, gather and preserve digital evidence, and respond to advanced threats. This role central to our incident response lifecycle and also instrumental in threat hunting, post incident analysis, and improving security posture through investigative insights.
The Analyst leads the detection, analysis, and response to complex and high impact security incidents and threats against university assets and work closely with campus stakeholders and partners to ensure that incidents are resolved quickly and effectively.
The Analyst must stay abreast of evolving campus needs, technology capabilities, and threat intelligence from various sources to optimize data protection measures.
The Analyst tracks and reports on security risks and control effectiveness to the CISO and other campus stakeholders such as the Chief Information Officer, and security and IT professionals located at the Davis, Sacramento campuses, and other UC campuses.
The Analyst operates with a high degree of autonomy, exercises independent thinking to creatively solve problems and issues, makes independent decisions, and must maintain or preserve confidentiality when required to do so.
Candidates must already possess authorization to work in the United States to be considered.
To see IET job postings, please visit https://iet.ucdavis.edu/jobs

MINIMUM QUALIFICATIONS

• Bachelor’s degree in a related area and/or equivalent experience/training.
• Three or more years of experience in incident response or related, focusing on cyber-security threat detection, vulnerability analysis, and incident response using forensic analysis techniques such as file carving, timeline creation and memory capture.
• Experience in performing cyber threat hunting, including log analysis, and digital forensics using XDR and SEIM tools.
• Experience communicating and documenting complex technical subjects to both technical and non-technical audiences.
• Proficiency in conducting incident after-action reviews and recommending mitigation strategies to avoid recurrence.
• Strong collaboration skills, with the ability to work with technical and non-technical stakeholders and advance positive working relationships and a strong rapport with team members, stakeholders, and customers.
• Work effectively under pressure and within time constraints to solve problems and complete deliverables.

PREFERRED QUALIFICATIONS

• CISSP, CISM, CISA, or GIAC certifications.
• Experience in complex higher education environments, serving academic and administrative functions of a large public university.
• Experience with common security assessment and analysis tools such as Nmap, Tenable, Burp Suite, and FireEye.
• Experience with security technologies such as SIEM, web application firewalls, VPN infrastructure, Intrusion Detection and Prevention Systems, multi-factor authentication, DNS, SMTP, DHCP, 802.1x access control, Anti-malware, Data Leakage/Loss Prevention.
• Experience with Microsoft platforms, including Windows Event Log analysis, Active Directory and Group Policy.
• Experience with project management.
• Knowledge of mainstream Linux forensic investigation methods including system logs, file system formats and memory analysis.
• Knowledge of cloud security and zero-trust architectures.
• Demonstrated knowledge of incident response methodologies, techniques, and frameworks, including NIST and ISO 27001.
• Knowledge of the MITRE ATT&CK framework.

SPECIAL REQUIREMENTS

• This is a critical position, as defined by UC Policy and local procedures, and as such, employment is contingent upon clearing a criminal background check(s) and may include drug screening, medical evaluation clearance and functional capacity assessment
  Misconduct Disclosure Requirement: As a condition of employment, the final candidate who accepts a conditional offer of employment will be required to disclose if they have been subject to any final administrative or judicial decisions within the last seven years determining that they committed any misconduct; received notice of any allegations or are currently the subject of any administrative or disciplinary proceedings involving misconduct; have left a position after receiving notice of allegations or while under investigation in an administrative or disciplinary proceeding involving misconduct; or have filed an appeal of a finding of misconduct with a previous employer.

65% - Incident Response

• Serve as lead responder and technical resource on the incident response team.
• Respond to incidents and critical situations in a problem-solving manner and conduct an in-depth investigation of alerts. Provide advanced security analysis, technical security support and operational support using security systems and technologies, including, but not limited to:
• Monitor external data sources (e.g., computer network defense vendor sites, Computer Emergency Response Teams, SANS) to maintain awareness of network defense threat conditions and determine which security issues may impact the enterprise. Upon becoming aware of information security threats, assess and ensure departmental system administrators are aware manner of relevant threats to the associated systems they administer.
• Provide timely detection, identification, and alerts of possible attacks/intrusions, anomalous activities, and misuse activities, and distinguish these incidents and events from benign activities
• Analyze identified malicious activity to determine weaknesses exploited, exploitation methods effects on system and information
• Perform and support forensic data collection and analysis.
• Conduct thorough incident investigations, lead post incident reviews and provide recommendations for improving the incident response process to strengthen security posture.
• Draft detailed incident reports and contribute to executive summaries and briefings.
• Provide insights into the effectiveness of the incident response and recovery process through regular reports.
• Assist with the selection of cost-effective security controls to mitigate risk (e.g., protection of information, systems, & processes) by evaluating and recommending technical controls to mitigate risk to systems, data and operations.
• Identify trends and patterns in events to identify opportunities for process improvement and optimization and support proactive threat hunting activities.

20% - Security Governance, Standards Development, and Strategic Support

• Contribute to the development of UCD incident response policies, standards, guidelines, and communication materials and strategies.
• Develop and maintain playbooks and documentation for incident response processes and technical procedures, and provide direction and support to incident response teams on using these processes and procedures.
• Assist in the review of various UCD, UC, Federal, and State security standards, guidelines, and policies.
• Prepare and maintain measurement and reporting documentation, including incident and status reports, dashboards, and other security-related metrics or documents.
• Prepare corrective action responses to technology audit findings.
• Participate in research of IT security tools, techniques, methodologies, technologies, and architectures.
• Serve on committees and work groups related to security and technology operations, planning and strategy.
• Work on special projects.

15% - Information Security Consulting & Reporting

• Provide high level consulting and information security subject matter expertise on information security risks and best practices.
• Collaborate with internal and external partners to detect threats, analyze vulnerabilities, and respond to attacks.
• Review Unit incident response plans and provide guidance to ensure alignment with institutional frameworks.
• Conduct training and awareness programs for incident response teams on incident response best practices and tools.