Security Analyst
Scottsdale, Arizona
Direct Hire
$125k - $140k
Required experience:
- 3+ years' experience with proactive threat hunting
- 3+ years' experience with cyber IR
- 3+ years' experience within network traffic and EDR tools
Bonus experience/nice to have:
- Sys admin backgrounds (Windows, Linux, and/or network environments)
- Having a home lab to demonstrate your passion for cybersecurity
Applicants must be authorized to work in the US now and in the future.
- 3+ years’ experience in cyber incident response, ideally handling external companies (not just internal) with experience of handling complex cases, such as ransomware.
- 3+ years’ experience with proactive cyber threat hunting, ideally within network traffic and EDR tools. We are not keen on analysts who have only lived within SIEM environments.
- In general, analysts with only SOC experience don’t work out well within PacketWatch.
- We like analysts who started out as sys admins (e.g. Windows, Linux, network), as this tends to give them a deeper understanding of the environments they are securing.
- We are looking for candidates for whom cyber security is a passion, not just a paycheck. You can screen for this through questions such as:
- Do you have a home lab so you can learn and develop your skills outside of work?
- Do you have a ‘continual learning’ mindset, e.g. watching security videos, reading articles, keeping up with the latest cyber threat intelligence?
For these candidates, we’ll be willing to forego some of the more stringent ‘incident response’ requirements we’ve had before. These analysts will be more focused on our client-facing Managed Detection & Response (MDR) services.
In this role, they will be dedicated to around six clients; providing daily threat hunting duties within our own proprietary Network Detection & Response (NDR) technology, PacketWatch, plus whatever Endpoint Detection & Response (EDR) product the client has (such as CrowdStrike, SentinelOne, FireEye, Sophos, etc.). They essentially become an extension of the client’s team – familiarizing themselves with the client’s environment, using the tools to track down anomalous behaviors, constantly communicating with the client, and generally acting as a security consultant to help the client with continuous security improvements.
Team: 7 Engineers - 2 leads (Jon and Don)
Most are strong in IR
Person they are backfilling did not have IR (Engineer left as he is pursuing Security that PacketWatch doesn't offer)
Then they are also expanding due to onboarding more clients
Aspects about the role:
- Largely a client facing role. Analysts have 4-5 clients operating at any given time.
- You're going to be interfacing with the clients you are assigned to on a bi-weekly basis. Most of this interfacing will be with senior or executive level. This role will be working with each client for at least an hour a day for threat hunting.
- MDR side - they need to be able to act very independently. They do have quite a well built out IR team that they can lean on.
- Once a week - all teammates come together to discuss themes, new tools and round-robin problems or new themes in client networks. Very collaborative and non-competitive.
- They have their own open-source SOAR (Security Orchestration, Automation, and Response) platform
- During an IR, they normally try and implement CrowdStrike if not already in the environment. Most of the technology on the backend is open source - they want people with exposure to those. The front end is proprietary to PacketWatch.
- Packet capture, network and forensic analysis.
Who Fits the Profile:
These are people who are actively seeking out more knowledge and challenge in their own personal time. These are people who are challenged by puzzles and make it a point to immerse themselves in the community of threat hunting.
Screening Questions:
*Tell me about your home network - looking for people who actually set these up, build labs, set up virtual servers and sandbox environments.
What is your knowledge of:
- SolarWinds hack
- Conti ransomware
What is your exposure to IDS?
What is your exposure to packet capture using open-source tools?
Where are Windows event logs?
They DON'T need SOC people. It can be helpful in their experience but it's really a small piece. They don't need someone who JUST triages; they need to move beyond that and be actually remediating. Most of this role will be threat hunting and looking for anomalies. You will not be responding to a check engine light.
Needs
- Scripting/ Automation
- *Automation with Python or PowerShell - as they are growing as a company, the size of their IRs is demanding more automation to keep up. Most of the automation is done in Python
Recruiter Notes ONLY
*Can be a remote position but not foreign.
*No H1b/Sponsorship candidates
*Certs - can be important, but misleading in judging a person – SANS GSE guy
*CISSPs - not impressed
Interview Process:
- Send to Simon
- Video Interview (John OR Don and Simon) *This will be technical right off the bat.
- Panel interview with John, Simon, Michael and CEO (formality/culture)
Extras:
On call - There is no specific on-call requirement or schedule for our Analysts. However, as they have dedicated clients, they are typically included in the distribution lists for EDR alerts and PacketWatch detections related to their clients. Although we are not a SOC, it is expected that an Analyst will stay vigilant for these alerts both within and outside office hours, and be prepared to quickly review and adjudicate such alerts as necessary and in their judgement. In practice, this is not a very common occurrence.
Continued Education:
PacketWatch encourages all Analysts to undertake continued education that is for the benefit of both the Analyst and PacketWatch. In particular, we encourage our Analysts to undertake SANS training for at least one role-related certification. PacketWatch will pay for such training and successful certification, but has a claw-back provision that requires Analysts to stay with the company for at least a year afterwards (on a ramp-down basis).
Tooling:
PacketWatch has a development team that builds our own proprietary network capture, monitoring, and investigative tool, called PacketWatch. We also make use of multiple open-source tools as appropriate. Our Analysts also leverage their clients’ EDR tools as part of their daily Threat Hunting and investigation processes.