Intuition IT – Intuitive Technology Recruitment

Security Operations Center Analyst

Belgium · Contract · Mid-Senior

The main objective is to work with multiple departments and with technical and managerial staff to improve the organization's security posture across multiple levels/layers (network, software, applications, on-premises and cloud infrastructure, user training, etc.).

Main tasks to be performed

  • Real-time monitoring of cyber-defence and intrusion detection systems
  • Automated processing (centralization, filtering and correlation) of security events
  • Human analysis of automatically correlated events
  • Processing of incoming warnings, alerts and reports
  • Triage based on verification, level of exposure and impact assessment
  • Categorize events, incidents and vulnerabilities based on relevance, exposure and impact
  • Open tickets and ensure case management
  • Activate the initial response plan based on standard playbook entries
  • Maintain the incident response address book
  • Provide support to incident responders
  • Advise affected users on the appropriate course of action
  • Monitor open tickets for incidents/vulnerabilities from start to resolution
  • Escalate unresolved problems to higher levels of support, including the incident response and vulnerability mitigation teams
  • Configure the SIEM components for optimal performance
  • Improve correlation rules to ensure that the monitoring policy allows efficient detection of potential incidents. For a new component to be monitored, this encompasses:
      o Analyzing risks and security policy requirements
      o Translating them into technical events targeting the system components
      o Identifying the required logs/files/artefacts to collect from the monitored system and, if necessary, possible complementary devices to deploy
      o Elaborating the relevant detection and correlation rules
      o Implementing these rules in the SIEM infrastructure
      o Configuring and tuning cyber-defence solutions
      o Reviewing and improving the monitoring policy on a regular basis
  • Integrate cyber-defence solutions for efficient detection
  • Define dashboards and reports for reporting on KPIs
  • Produce qualified reports (including recommendations) or alerts for SOC customers and follow up on actions
  • Contribute to the design of the overall monitoring architecture, in close relationship with the customers/system owners on the one hand and the security operations engineering team on the other, by performing the following tasks:
      o Assessment of security event detection solutions, development of solutions
      o Integration of these solutions within the security monitoring scheme (log collection architecture, interoperability, formats, network aspects, …)
      o Deployment and validation of the solutions
  • Draft documentation such as architecture design descriptions, assessment reports, configuration guides and security operating procedures
  • Produce and maintain accurate and up-to-date technical documentation, including processes and procedures (the so-called playbook), related to security incidents and preventive maintenance procedures
  • Management of identities and their related user accounts
  • Management of groups, roles and other means of authorization
  • Solve incidents, requests and problem tickets from 1st-level support or internal customers related to identity and access management
  • Maintain accurate documentation
  • During security incidents, implement detection means to monitor attacker activities in real time
  • During security incidents, support the incident response team in the review/analysis of security logs and visualize the attack
  • Integrate IOCs into security solutions
  • Take an active part in developing and improving the maturity framework, and have it understood and implemented by the team, by:
      o Designing and drafting the SOC processes and procedures framework
      o Implementing SOC processes and procedures, deploying collaborative tools and dashboards
      o Coaching/training the team on the processes, procedures and tools
      o Regularly auditing and reporting on maturity to management
      o Reviewing and improving the framework
  • Provide activity reports to management to demonstrate service SLA and service quality


Main Tools / Technologies

Splunk, MS Sentinel, EDR/XDR (FireEye HX, O365/M365 Defender / XDR), Malware Analysis / Reverse Engineering (REMnux, FlareVM and multiple tools), Digital Forensics (Magnet Forensics, Autopsy, The Sleuth Kit, FTK Imager, EnCase and many other open-source tools), Incident Response (TheHive, MISP), Automation (Palo Alto XSOAR), FPC (Arkime/Moloch, Stamus IDS), Ticketing Systems (OTRS Storm, SNOW), Cloud (Azure, AWS), Vulnerability Assessment/Management (Nexpose, Nessus, Burp Suite Pro)

Key Skills

Ranked by relevance

incident response, cloud, SIEM, identity and access management, reverse engineering, digital forensics, malware analysis, Burp Suite, Palo Alto, Splunk, Nessus, AWS, SLA, FTK
Posted: May 12, 2025
Type: Contract
Level: Mid-Senior
Location: Brussels Metropolitan Area

Industries

Staffing Recruiting

Categories

Information Technology
