Security Operations Centre Analyst

at Vector Synergy

Bruxelles, Belgium

Start Date: Immediate
Expiry Date: 25 Apr, 2025
Salary: Not Specified
Posted On: 26 Jan, 2025
Experience: 1 year(s) or above
Skills: CFCE, Security Operations, Routers, Switches, IPS, SABSA, IDS, SNMP, Syslog-ng, GPEN, FireEye, Firewalls, Splunk
Telecommute: No
Sponsor Visa: No

Description:

INTRODUCTION:

One of our clients is currently looking for a Splunk Expert to provide a professional service acting as the 1st line of response to the potential occurrence of a cyber-attack or security incident.
Supported by several automated tools (intrusion detection systems, log correlation engines and the SIEM, a ticketing system, and alerts and warnings from internal and external sources), this service involves receiving, triaging and responding to alerts, requests and reports, analysing events and potential incidents, and providing the primary support for incident responders.

SKILLS, KNOWLEDGE, EXPERIENCE REQUIRED:

  • Minimum 3 years’ experience with Splunk;
  • Minimum 3 years’ professional experience as a Security Operations Centre (SOC) Analyst and/or 1st Line Incident Responder;
  • At least 1 certification among the following:
      • GPEN (GIAC Certified Penetration Tester);
      • GCED (GIAC Certified Enterprise Defender);
      • GPPA (GIAC Certified Perimeter Protection Analyst);
      • GCFE (GIAC Certified Forensic Examiner);
      • GCFA (GIAC Certified Forensic Analyst);
      • GNFA (GIAC Certified Network Forensic Analyst);
      • CFCE (IACIS Certified Forensic Computer Examiner);
      • CCFP (Certified Cyber Forensics Professional);
      • SCMO (SABSA Certified Security Operations and Service Management Specialist);
      • An equivalent certification recognized internationally (subject to acceptance as a valid credential by the Contracting EU-I);
  • Minimum 3 years’ experience in networking (TCP/IP, SNMP, DNS, Syslog-ng, etc.);
  • Minimum 2 years’ experience in using, configuring and tuning a security information and event management (SIEM) tool;
  • Knowledge of, and a minimum of 2 years’ experience with, the following network security solutions and technologies:
      • Firewalls;
      • Network intrusion detection systems (IDS) and intrusion prevention systems (IPS);
      • Switches and routers;
      • Advanced persistent threat (APT) detection solutions such as FireEye;

Responsibilities:

  • Supervising and reporting on the SOC implementation based on configuration of Splunk as a SIEM;
  • Providing real-time monitoring of cyber defence and intrusion detection systems;
  • Performing automatic-based processing (centralisation, filtering, and correlation) of security events;
  • Conducting human-based analysis of automatically correlated events;
  • Processing incoming warnings, alerts, and reports;
  • Performing triage based on verification, level of exposure and impact assessment;
  • Categorizing events, incidents, and vulnerabilities based on relevance, exposure, and impact;
  • Opening tickets and ensuring case management;
  • Activating the initial response plan based on standard playbook entries;
  • Maintaining incident response address book;
  • Providing support to Incident Responders;
  • Advising affected users on appropriate course of action;
  • Monitoring open tickets for incidents and vulnerabilities from start to resolution;
  • Escalating unresolved problems to higher levels of support, including the Incident Response and Vulnerability Mitigation teams;
  • Configuring the SIEM components for optimal performance;
  • Improving correlation rules to ensure that the monitoring policy allows an efficient detection of potential incidents;
  • Analysing risks and security policy requirements, and translating them into technical events targeting the system components;
  • Identifying the required logs, files or artefacts to collect from the monitored system and, if necessary, possible complementary devices to deploy;
  • Elaborating the relevant detection and correlation rules, and implementing them in the SIEM infrastructure;
  • Configuring and tuning cyber-defence solutions;
  • Reviewing and improving the monitoring policy on a regular basis;
  • Integrating cyber-defence solutions for efficient detection;
  • Defining dashboards and reports for reporting on KPIs;
  • Producing qualified reports (including recommendations) or alerts to SOC customers and following up on actions;
  • Contributing to the design of the overall monitoring architecture, in close relationship with the customers and system owners on one hand, and the Security Operations Engineering team on the other hand, by performing the following tasks:
      • Assessing security event detection solutions and developing new solutions;
      • Integrating the solutions within the security monitoring scheme (log collection architecture, interoperability, formats, network aspects, etc.);
      • Deploying and validating the solutions;
      • Drafting documentation such as architecture design descriptions, assessment reports, configuration guides, and security operating procedures;
  • Producing and maintaining accurate and up-to-date technical documentation, including processes and procedures (the so-called playbook), related to security incidents and preventive maintenance procedures;
  • Managing identities and their related user accounts;
  • Managing groups, roles, and other means of authorization;
  • Solving incidents, requests, and problem tickets from 1st Level Support or internal customers, related to identity and access management;
  • Maintaining accurate documentation;
  • Implementing detection means to monitor attacker activities in real time during security incidents;
  • Integrating IOCs in security solutions;
  • Taking an active part in developing and improving the maturity framework, and having it understood and implemented by the team by:
      • Designing and drafting the SOC processes and procedures framework;
      • Implementing SOC processes and procedures, deploying collaborative tools and dashboards;
      • Coaching and training the team on the processes, procedures, and tools;
      • Conducting regular audits and reporting on maturity to Management;
      • Reviewing and improving the framework;
  • Providing activity reports to Management to demonstrate SLA and service quality.


REQUIREMENT SUMMARY

Min: 1.0, Max: 3.0 year(s)

Information Technology/IT

IT Software - Network Administration / Security

Other

Graduate

Proficient

1

Bruxelles, Belgium