Tier 1 - Security Monitoring
- Alert monitoring to detect potentially malicious or anomalous activity based on event data (log files and data outputs) from a wide range of IT systems and network components (see Miscellaneous).
- Tune and analyse alerts, performance and thresholds across the tool sets, based on traffic patterns and other data.
- Develop & maintain monitoring and reporting dashboards.
- Produce and review periodic metrics on security monitoring.
Tier 2 - Alert Qualification
- Investigate security alerts leveraging a wide range of IT systems and network components (see Miscellaneous), as well as threat intelligence to qualify potential incidents.
- Escalate confirmed incidents to the incident responder on duty.
- Develop & maintain automation scripts and tools.
- Provide feedback to Security Monitoring / Engineering to improve detection and protection controls.
Tier 3 - Incident Response
- While on duty as incident responder (on call 24/7, one week in six), respond to escalated security alerts and incidents.
- Perform and/or facilitate digital forensics on workstations, servers, network components, mobile devices and applications.
- Develop and maintain incident response plan and procedures.
- Test the Incident Response capability through regular exercises.
- Proactively look for potential incidents through threat hunting activities.
- Stay up-to-date with trends in the information security community including new vulnerabilities, methodologies and products.
- Leverage a wide range of IT systems and network components: IDS/IPS, firewalls, web access security, SIEM, EDR and DLP systems, honeypots and other sources.
- Good understanding of IT security technology and processes (secure networking, web infrastructure, Wintel, Unix, Linux, etc.).
- Knowledge of the key protocols and services across the layers of the OSI model (IP, ICMP, TCP, UDP, Telnet, SSH, SMTP, POP3, HTTP(S), FTP, DNS, ...).
- Familiarity with common cyber threat modus operandi, tools and techniques (TTPs: tactics, techniques and procedures).
- Familiarity with deterministic (signature-based) detection schemes and the use of observables (IoCs: indicators of compromise).
- Past experience in an incident response context.
- Knowledge of IDS/IPS, NetFlow, and protocol collection and analysis tools such as Snort, Suricata, Bro (now Zeek), Argus, SiLK, tcpdump and Wireshark.
- Knowledge of log aggregation, SIEM solutions and search and analytics engines such as QRadar, Splunk, ArcSight and the ELK stack.
- Experience with programming and scripting languages, most notably Perl, Ruby and Python.
- Experience with text manipulation tools such as sed, awk and grep.
- Experience with penetration testing tools and distributions such as Metasploit, Core Impact or Kali Linux.
- Web application security development (OWASP).
- Knowledge of popular cryptographic algorithms and protocols: AES, RSA, MD5, SHA, Kerberos, SSL/TLS, Diffie-Hellman.
- Knowledge of some NIDS/NIPS or HIDS/HIPS tools.
- Knowledge of media forensics and analysis tools.
- Knowledge of automating data interfacing and machine-to-machine communication.
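As an added example (not part of this posting, and not code from the hiring organisation), the following Python script shows the kind of deterministic IoC matching over event data that the Tier 1/2 duties and the "observables / indicators of compromise" and scripting requirements above refer to: indicators arrive from a threat-intel feed (often defanged with `[.]` and `hxxp`), get normalised, and are matched against observables extracted from log lines, producing alerts that can be qualified and escalated. The IoC feed, the log lines, the hostnames and the hash value are all constructed for illustration.

```python
"""Deterministic IoC matching over log lines (added example; all data constructed)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Observable types handled here (assumption: IPv4 addresses, hostnames, SHA-256 hashes).
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}

# Constructed hash used both in the IoC feed and in one EDR log line below.
HASH_HIT = "4d3c2b1a" * 8

# Constructed IoC feed entries, partly defanged as threat-intel feeds often deliver them.
SAMPLE_IOCS = [
    ("ipv4", "198.51.100[.]23"),
    ("domain", "update-check[.]example"),
    ("sha256", HASH_HIT),
]

# Constructed proxy/EDR-style log lines; no real system produced these.
SAMPLE_LOGS = [
    "proxy src=10.0.0.15 dst=198.51.100.23 host=update-check.example "
    "url=hxxp://update-check[.]example/a.bin",
    "proxy src=10.0.0.16 dst=203.0.113.5 host=www.example.org url=http://www.example.org/",
    f"edr host=WS-042 user=alice sha256={HASH_HIT.upper()} path=C:\\Temp\\a.bin",
    f"edr host=WS-043 user=bob sha256={'ab' * 32} path=C:\\Temp\\b.bin",
]


@dataclass(frozen=True)
class Alert:
    line_no: int     # 1-based index of the matching log line
    kind: str        # observable type (ipv4 / domain / sha256)
    indicator: str   # normalised indicator value that matched
    line: str        # the raw log line, kept for the analyst qualifying the alert


def refang(text: str) -> str:
    """Undo common defanging so feed values and log text compare equal."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"(?i)hxxp", "http", text)


def build_index(iocs):
    """Normalise feed entries into per-type sets for O(1) membership tests."""
    index = defaultdict(set)
    for kind, value in iocs:
        if kind not in PATTERNS:
            raise ValueError(f"unsupported indicator type: {kind}")
        index[kind].add(refang(value).lower())
    return index


def extract_observables(line: str) -> dict:
    """Pull every candidate observable out of one log line, normalised."""
    text = refang(line)
    return {kind: {m.group(0).lower() for m in pat.finditer(text)}
            for kind, pat in PATTERNS.items()}


def scan(logs, iocs):
    """Return one Alert per (line, indicator) hit, in log order."""
    index = build_index(iocs)
    alerts = []
    for line_no, line in enumerate(logs, start=1):
        for kind, values in extract_observables(line).items():
            for hit in sorted(values & index[kind]):
                alerts.append(Alert(line_no, kind, hit, line))
    return alerts


def summarize(alerts):
    """Hits per line: a line with several indicator hits is a stronger escalation candidate."""
    return dict(Counter(a.line_no for a in alerts))


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS, SAMPLE_IOCS)
    for a in found:
        print(f"line {a.line_no}: {a.kind} {a.indicator}")
    print("hits per line:", summarize(found))
```

Running it flags line 1 twice (destination IP and hostname) and line 3 once (file hash), while the two benign lines produce nothing. Normalising both sides (refang, lower-case) before comparing is the detail that most often goes wrong in home-grown matchers: a feed entry of `update-check[.]example` never equals the `update-check.example` seen in a proxy log unless one of them is rewritten first.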