Senior Cyber Security Analyst

Resp & Qualifications

• Women make up around 70% of CareFirst’s employee population, and over 50% identify as BIPOC (Black, Indigenous, and people of color).
• We have 9 resource groups that connect employees over shared identities (LGBTQ, veteran status, race, etc.) and passions (climate change, healthy living, leadership development).
• Employees are encouraged to give back and volunteer in their communities with their civic engagement hours.

• Dedicated monitoring and analysis of CyberSecurity events.
• Audit and review system reports and security logs for unauthorized access, noncompliant activity, or access misuse.
• Monitor and escalate incoming security requests and events of interest from different external and internal sources.
• Develop use-cases for monitoring various aspects of security infrastructure and applications.
• Clearly and accurately document observations. Process incident communications to include initial reporting, follow-ups, requests for information and resolution activity.
• Follow standard operating procedures for detecting, classifying, and reporting incidents.
• Triage (determine scope, severity, and priority) of offenses and events in Security Information and Event Management (SIEM) tool or within other security monitoring tools directly.
• Research vulnerabilities in applications and systems. Provide recommendations for resolution and track remediation activities.
• Traffic analysis (at the packet level) and reconstruction of network traffic to discover anomalies, trends, and patterns affecting the customer's networks
• Monitor mailboxes to detect and analyze phishing attacks as well as any suspicious outbound messages.
• Analyze firewall logs, Full Packet Capture (PCAP), IDS alerts, Anti-malware alerts, Host Intrusion Prevent System (HIPS), and server and application logs to investigate events and incidents for anomalous activity and produce reports of findings.

• Minimum 5 years of demonstrated work experience. (Additional experience may be required).
• Specialized training (preferred, but not required): Transitioning, maintaining, or using security technologies such as Security Incident and Event Management (SIEM), Endpoint protection, Data Loss Prevention, Forensic tools, Network Anomaly Detection, Packet Capture Analysis; Incident response principles or related technical domain that is applied in the context of a broader understanding of CSIRT and related systems and processes.

• GCIA (GIAC Certified Intrusion Analyst).
• GCIH (GIAC Certified Incident Handler) Or the ability to obtain one certification within 6 months.

• Must be able to effectively work in a fast-paced environment with frequently changing priorities, deadlines, and workloads that can be variable for long periods of time. Must be able to effectively communicate.
• Incumbent must have a firm understanding of Information and/or CyberSecurity principles. Must be able to adapt quickly to understand rapidly changing threat landscape to correctly scope and prioritize security events. The incumbent must also be able to achieve certification across multiple domains such as incident handling, web application security, etc.

• Ability to analyze security events and threats.
• Ability to document clearly and concisely the investigative, containment and resolution process for each event.
• Perform event triage to include scoping, urgency, and potential impact, identification of the exposure and recommendations for remediation.
• Lead investigation and remediation processes with stakeholders, technical and non-technical.
• Experience configuring, monitoring, and responding to alerts from EDR tools.
• Experience with analyzing large data sets and log files to find correlations and anomalies.
• Working knowledge of multiple operating systems and system administration skills.
• Strong knowledge of client-server applications, multi-tier web applications, relational databases, firewalls, VPNs, etc.
• Experience with security monitoring and reporting tools and conducting security investigations of incidents and events.
• Ability to utilize native cloud security tools to design and implement continuous monitoring solutions.
• Advanced knowledge and use of Splunk to create complex queries for event investigations.
• In depth understanding of MS Defender for M365 security, Defender for Endpoint, Defender for Cloud, etc.
• Advanced knowledge and use of Linux.

• Cloud Security Detection and Response.
• SOAR/Automation technology.
• Experience with scripting, automation and/or programming: Python, PowerShell, Ansible, other orchestration tools, or equivalent.