Qualys

Senior Security Operations Engineer

Pune, India
Azure Python Bash PowerShell AWS GCP
Description

Come work at a place where innovation and teamwork come together to support the most exciting missions in the world!

Job Overview:

As a Senior Security Operations Engineer, you will be an integral part of the Qualys SOC (Security Operations Center) and CSIRT (Cyber Security Incident Response Team), contributing to the day-to-day activities that govern the entire incident management lifecycle: incident monitoring, triage, analysis, and response. This role requires a solid understanding of security technologies, incident triage/investigation and incident response, and a proactive approach to identifying and mitigating potential threats. You will leverage advanced cybersecurity tools and techniques to monitor and secure Qualys infrastructure/systems and the Qualys Cloud Platforms, respond to alerts, investigate potential threats, and proactively work on mitigation of identified cyber threats/incidents. At the same time, you will be responsible for providing expert guidance to other SOC engineers in the team and working closely with SOC/CSIRT leadership to improve the organization’s security posture.


Key Responsibilities:

Security Monitoring and Analysis:

  • Proactively monitor security systems, SIEM platforms and various security tools; analyze logs, network traffic, system events and incident alerts for signs of malicious activity or policy violations.
  • Conduct incident triage and build the incident investigation hypothesis and incident response approach.
  • Investigate and respond to alerts, ensuring a timely and effective resolution.
  • Review triggered incidents and analyze the incident tickets created by SOC level 1 engineers for correct incident classification and categorization, setting up security permissions, false positive validation, fine-tuning, etc.
  • Must be familiar with various log sources and the investigation approach appropriate to each kind of incident. Should understand the correlation between log sources as needed for investigation.
  • Analyze network and host activities associated with both successful and unsuccessful intrusions by threat actors, based on perimeter security logs.
  • Should have experience in correlating malware infections with attack vectors to determine the extent of security and data compromise.
  • Monitor SIEM and other security tool alerts for anomalous or suspicious activity; research alerts and make recommendations to remediate concerns.
  • Analyze, correlate and act on data from subscription and public cyber intelligence services, develop tactics to combat future threats, and follow the Incident Response Plan for the required response.
  • Ability to perform analysis of log files from multiple different devices and environments and identify indicators of security threats.
  • You will be responsible for assisting all junior SOC engineers with incident monitoring, investigation and response.

Incident Response:

  • Participate in incident response activities, assisting in the identification, containment, eradication, and recovery from security incidents.
  • Run incident response calls with the help of the CSIRT lead/manager via the incident war room and bridge calls to other incident resolution teams.
  • Document incident response activities along with entire incident timelines and contribute to post-incident reports.

Threat Detection & Analysis:

  • Analyze logs, security events, and network traffic for anomalies and indicators of compromise (IOCs).
  • Perform forensic analysis on potentially compromised systems using in-house digital forensic lab.
  • Conduct sandbox analysis and obtain reports for the various malicious code/payloads identified on infected systems.

Security Tool Management:

  • Configure and manage security tools such as Endpoint Detection and Response (EDR), Endpoint Protection Platforms (EPP), File Integrity Monitoring (FIM), Application Control (Whitelisting/Blacklisting) on endpoints etc.
  • Identify different attack patterns (IOAs, Indicators of Attack) in security logs which can cause harm to our systems. Work with the SIEM detection team to convert these patterns into automated detection logic on the SIEM platform.

Threat Intelligence Support:

  • Configure and manage the open source and in-house threat intelligence sharing platform.
  • Assist in the integration of threat intelligence into security operations processes to enhance detection capabilities.
  • Stay informed about the latest cybersecurity threats and vulnerabilities via various cyber security newsletters and security advisories. Notify the SOC team about actionable items from identified advisories.

Threat Hunting:

  • Conduct proactive threat-hunting activities to identify emerging threats and weaknesses in the organization’s security defenses.
  • Follow the organization's threat hunting procedure to carry out our various threat hunting activities and work on remediation of misconfigurations/security issues identified during the hunt.

Incident Response Documentation & SOAR Runbook Creation:

  • Work with the CSIRT lead/manager to build incident response runbooks for remediation of various cyber-attack scenarios.
  • Identify unknown attack patterns by analyzing various log sources and work with the SIEM administration team to convert them into automated use cases.
  • Translate conceptual SOC/IR requirements into technical data and integration requirements for the SOAR platform.
  • Work with the SIEM/SOAR admin team to convert the technical data into SOAR playbooks.
  • Enhance existing incident response runbooks and work on fine-tuning of existing use cases on the SIEM platform.

Experience:

  • 2-4 years of working experience in a Security Operations Center (SOC) or Incident Response role.

Education:

  • Master’s or bachelor’s degree in computer science or an equivalent degree.

Required Skills & Qualifications:

  • Must have knowledge of SIEM platforms (e.g., Elastic, Azure Sentinel, etc.). Experience performing security analysis utilizing SIEM technologies.
  • Experience in analyzing security logs generated by SIEM, Intrusion Detection/Prevention Systems (IDS/IPS), firewalls, Web Application Firewalls (WAF), network flow systems, Anti-Virus, EDR/XDR and/or other security logging sources, in correlation with vulnerability analysis.
  • Experience with network and host-based forensics, log analysis, and incident response.
  • Strong knowledge of layer 3, layer 4 and layer 7 DDoS protection, along with Web Application Firewalls, for incident response strategy.
  • Understanding of network security solutions like IDS/IPS, firewalls, etc.
  • Candidate should have a deep understanding of the OSI layers and network protocols (TCP/IP, UDP, DHCP, FTP, SFTP, SNMP, SMTP, SSH, SSL, VPN, RDP, HTTP and HTTPS, etc.).
  • Experience in threat intelligence enrichment (e.g., Passive DNS, WHOIS, VirusTotal, etc.).
  • Knowledge of infrastructure vulnerability assessment and of the process for remediating identified vulnerabilities would be an added advantage.
  • Familiarity with analytical models (e.g., MITRE ATT&CK, Cyber Kill Chain, Diamond Model, etc.).
  • Knowledge of operating systems (Linux, Windows, etc.).
  • Experience with scripting (Python, Bash, PowerShell) for automation, threat detection and incident response.
  • Familiarity with security orchestration, automation and response (SOAR) platforms.
  • Hands-on experience with malware analysis or reverse engineering.
  • Ability to multi-task under strict deadlines and SLAs for incident monitoring and response.
  • Foundation-level security certification such as CompTIA Security+, EC-Council CEH, CHFI, CIH, CTIA or any other SOC/IR-related certification.
  • Advanced-level security certification (ISC2, SANS) will be an added advantage.
  • Should have an understanding of UBA/UEBA and SOAR tools.
  • Knowledge of common security frameworks (e.g., NIST, CIS, ISO 27001).
  • Experience with cloud security tools (AWS, Azure, GCP).