PDS Tech Inc SOC Analyst in Marietta, Georgia
As a member of the Cyber Security Incident Response Team (CSIRT), the Tier 2 Incident Analyst will coordinate the response activities for cyber security incidents across the Global company environment. The successful candidate will focus on reviewing, triaging, analyzing, and remediating cyber security incidents. The Tier 2 analyst is the escalation point for level one event analysts, and as such, will handle validated cyber security incidents, in accordance with the cyber security incident response process. The successful candidate will perform functions such as log analysis, conduct in-depth technical analysis of network traffic and endpoint systems, enrich data using multiple sources, and will be responsible for rapid handling and mitigation of cyber security incidents.
The candidate will join a team of event analysts and incident responders and will have an opportunity to participate in a number of Global cyber security initiatives. Successful candidates should be familiar with incident response processes, network investigative techniques, network intrusion patterns, malware analysis, and cyber security trends and issues.
This position requires that the candidate be a US Citizen.
- MUST HAVE – 3-6 years’ experience working in incident response and/or other IT-related fields tied to networking and enterprise information system environments.
a. Preference is true Incident Response experience, where the candidate has worked investigations related to enterprise network compromise.
b. *This is the most important experience IMO. True IR, not glorified SOC work, not someone fielding phone calls and having help desk show up. Changing a title to “Incident Response” is not going to cut it. The fact that the word IR/CSIRT/Incident Response exists in the resume does not equal a match in my mind.
- MUST HAVE – Hands-on experience with security tools
a. Splunk – advanced Splunk query language, ability to create dashboards, does not need oversight in performing Splunk searches to support an investigation
b. EDR experience (CrowdStrike or Carbon Black), including scripting, live host analysis, and extracting artifacts
c. Ability to analyze PCAPs commonly pulled for Network Defense tools
d. *This is hands-on experience using these tools to accomplish the above investigations. I think people drop tool names because they have used them. These people need to be fully comfortable as end users of these technologies.
- MUST HAVE – Good written and verbal communication skills. Tier 2 analysts have to write investigation reports which are often shared with auditors, regulators, and executive management.
- MUST HAVE – In-depth knowledge of network protocols, enterprise architecture, and common network logging functions.
a. I am a grouchy old teacher. If there are grammatical errors or misspellings in the resume, I drop it immediately. If their verbal skills make me think of talking to a teenager who is really into My Chemical Romance, then I’ll pass. These Tier 2’s are writing and speaking with SVPs and higher on a regular basis. They need to be able to get to the point, not bumble with words, and not talk like they are still in middle school. I can’t say this any other way.
- MUST HAVE – Experience with log analysis, malware analysis, forensic analysis.
a. This is subjective and hard to determine in a resume. I ask about this during the interview.
- MUST HAVE – Functional knowledge of the MITRE ATT&CK framework
a. To me this is a black and white issue… they are familiar with MITRE ATT&CK and reference it in their defense strategy or they don’t. I won’t accept “well, I’ve read about it.”
- NICE TO HAVE – Threat hunting experience using long tail analysis, least frequency of occurrence, and anomaly detection across large data sets
- NICE TO HAVE – Scripting experience (Perl, Python, PowerShell, bash, etc.)
- NICE TO HAVE – Attacker methodology, Red Team, pen testing
- NICE TO HAVE – Bachelor’s degree in a technology field preferred
- NICE TO HAVE – SIEM experience, specifically with Splunk ES and/or QRadar
- NICE TO HAVE – In-depth malware analysis and working knowledge of Windows assembly code (artifact collection, disassembly, identifying execution, persistence, and network connections)
All qualified applicants will receive consideration for employment without regard to race, color, sex, sexual orientation, gender identity, religion, national origin, disability, veteran status, age, marital status, pregnancy, genetic information, or other legally protected status.