2 Lead Cyber Security Engineer Jobs in Meade, MD

NSS
Meade, MD | Full Time
$109k-133k (estimate)
4 Weeks Ago
Amyx
Meade, MD | Full Time
$92k-116k (estimate)
2 Months Ago
Lead Cyber Security Engineer
NSS Meade, MD
$109k-133k (estimate)
Full Time | Durable Manufacturing 4 Weeks Ago

NSS is Hiring a Lead Cyber Security Engineer Near Meade, MD

Job Description:

Currently seeking a Security Orchestration Automation and Response (SOAR) and Incident Response Quality Control Lead on the DISA GSMO-II program supporting the Cyber Security Service Provider (CSSP) team.

The candidate will be responsible for the migration and implementation of a SOAR for the DISA CSSP program. They will also support and manage the migration of the existing incident knowledgebase, develop and implement SOAR use cases, facilitate integration with security tools across the organization, and report on the effectiveness of the Analyst Collaboration Environment. This candidate will perform Quality Assurance and Quality Control activities and serve as a technical liaison between DISA Headquarters and the multiple field sites that perform Cyber Security monitoring and incident response. The QA Lead will audit the analysis associated with individual security incidents to ensure compliance with established processes and procedures, identify opportunities for analysis and process improvement, and identify and report QA trends to the Government representative. The QA Lead will notify responsible parties to implement corrective actions following identification of deficiencies. This role will be responsible for reporting performance metrics and QA/QC results. Work location is flexible (must be a DISA CSSP Site) and telework is authorized up to 50%; however, approximately 50% of the role is conducted on SIPR. Travel is limited to 10%.

Primary Responsibilities

· Coordinate and develop Incident Response use cases

· Build new rules for existing data to enhance monitoring and alerting based on security relevant data

· Lead the strategic direction of the agency’s Analyst Collaboration Environment (ACE) and migrate from the legacy Analyst Collaboration Tool (ACT) to a SOAR based capability

· Design / build scripts, tools, methodologies to enhance detection and response to cyber security threats

· Perform as technical Subject Matter Expert (SME) for the Legacy DISA Cyber Security Service Provider (CSSP) Program Management Office (PMO) Analyst Collaboration Tool (ACT)

· Perform reviews of Cyber Security Analysts' analysis tickets to identify trends, compliance, and opportunities for improvement

· Develop whitepapers, briefs, SOPs, TTPs, and QRGs to allow for a better, more reliable DCO process

· Manage the ACT document development process, updating, when necessary, to reflect improvements

· Research and Develop Defensive Cyber Operations (DCO) security recommendations across multiple Areas of Responsibility (AOR)

· Conduct and deliver weekly and monthly status updates to government representatives

Basic Qualifications:

· DoD 8570 IAT level II or higher certification such as CompTIA Security+ CE, CySA+ CE, ISC2 SSCP, SANS GSEC prior to starting

· Bachelor’s Degree with 8 years of experience (experience may be used in lieu of a degree)

· Senior experience as a Cyber Security Analyst conducting security incident investigations and security incident handling

· Knowledge of at least one programming / scripting language (Python or PowerShell)

· Experience with Splunk, Elastic, Kibana, Palo Alto CORTEX SOAR and/or other SOAR technologies

· Experience with security frameworks such as MITRE ATT&CK, NIST, etc.

· Motivated self-starter with strong written and verbal communication skills

· Knowledge of Linux, scripting, Request Tracker Incident Response (RT-IR)

Preferred Qualifications:

· Active TS clearance with SCI access eligibility

· Experience with DoD and DISA Networks

· Knowledge of SOAR platforms, SIEM technologies, other security tools

· Knowledge of DoDI 8530 Cybersecurity Activities Support to DoDIN Operations

· CISSP / CISM / CRISC Certification

Job Summary

JOB TYPE

Full Time

INDUSTRY

Durable Manufacturing

SALARY

$109k-133k (estimate)

POST DATE

04/17/2024

EXPIRATION DATE

06/15/2024

WEBSITE

nss.com

HEADQUARTERS

TOLEDO, OH

SIZE

25 - 50

FOUNDED

1911

TYPE

Private

CEO

MARK J BEVINGTON

REVENUE

$10M - $50M

