Internet Storm Center

Job Description

The Threat Detection Engineering team within the global security operations center (GSOC) is responsible for developing and maintaining high-quality threat detection rules informed by the most critical threats targeting Experian. The Cyber Threat Detection Engineer role is primarily responsible for:

1. Maintaining and tuning high fidelity, low noise alerts to effectively identify and prioritize critical issues, minimizing false positives, and enhancing the overall security posture of Experian.

2. Coordinate new Use Cases entering the ecosystem to detect against threats within the MITRE ATT&CK Framework, prioritized by cyber threat intelligence and situational awareness.

Duties include:
Develop and maintain high-quality threat detection rules, queries, and alerts based on identified use cases, threat scenarios, and structured threat intelligence, including MITRE ATT&CK™ Tactics, Techniques and Procedures (TTPs).
Leverage the MITRE ATT&CK™ Framework and other forms of structured threat intelligence to enhance detection capabilities, develop contextualized alerts, and improve overall security posture.
Create and implement automated workflows and playbooks in tools such as Swimlane to enhance incident response capabilities and streamline security operation.
Collaborate closely with cross-functional teams, including Security Operations Center (SOC) analysts, Incident Responders and Threat Intelligence researchers to understand and respond to emerging threats.
Continuously research and stay up to date with the latest cyber threats, attack vectors, and methodologies to improve detection capabilities.
Evaluate and recommend new security tools, techniques, and process to enhance the organization threat detection and response capabilities.
Conduct regular reviews and assessments of detection rules and automated workflows to ensure optimal performance, effectiveness, and accuracy.
Participate in incident response activates and provide subject matter expertise when required.
Develop and maintain documentation related to threat detection and automation processes and procedures aligning to leading practices.
Provide training and guidance to team members to enhance their understanding of threat detection methodologies, automation techniques, and structured threat intelligence.

Qualifications
Demonstrates expert technical skills that are needed to defend the enterprise environment, such as:
3+ years of information security related experience, in areas such as: security operations, incident analysis, incident handling, vulnerability management or testing, system patching, log analysis, intrusion detection, or security device administration.
Proficiency in Splunk or other SIEM tools, including rule creation, query writing, and alert management.
Experience with Swimlane or other SOAR platforms and implementing automated workflows and playbooks.
In-depth packet analysis skills, core forensic familiarity, incident response skills, and data fusion skills based on multiple security data sources.
Scripting and automation.
System administration on Unix, Linux, or Windows.
Network forensics, logging, and event management.
Defensive network infrastructure (operations or engineering).
Vulnerability assessment and penetration testing concepts.
Malware analysis concepts, techniques, and reverse engineering.
In-depth knowledge of network and host security technologies and products (such as firewalls, network IDS, scanners) and continuously improve these skills.
Security monitoring technologies, such as WAF, Web Proxies, UEBA, DLP, among others.
Strong understanding of MITRE ATT&CK™ framework, cyber threat landscapes, attack vectors and threat actors.
Familiarity with common cybersecurity frameworks such as NIST, or other leading practices, and industry standards.
Relevant security certifications such as CISSP, GCIH, GCIA, or similar are highly desirable.

Demonstrates behavioral skills, such as:
Strong analytical and problem-solving skills, with the ability to identify and prioritize critical issues.
Excellent written and verbal communication skills, with the ability to clearly explain complex security concepts to both technical and non-technical audiences.
Ability to lead content discussion around incident investigation efforts and effectively coordinate communications.
Demonstrated ability to work in a team environment, able to train and coach other team members.
Strong logical thinking abilities, especially with content logic.
Excellent analytical and problem-solving abilities.
Excellent organizational and attention to details in tracking activities within various Security Operation workflows.
Well established client-focused communication skills that requires to read, review, investigate, and summarize reports on complex issues, in a manner that can be understood by non-technical readers.
Ability to lead content discussion around incident investigation efforts and effectively coordinate communications.

Education
A bachelor’s degree is not required, but a degree program with an emphasis on the technical aspects of cybersecurity is very beneficial.