CTA Security Content Engineer

Expedient Staffing Solutions
York, NY Full Time
POSTED ON 5/22/2026
AVAILABLE BEFORE 6/22/2026

Job Description:

The cyber-attack surface has significantly expanded with continuous threats from sophisticated actors, threats from new and emerging technologies, the expansion of CityNet over the last few years into virtual private and public cloud providers and into third-party hosted applications and services, and the rapid shift to telework by the City’s workforce and to remote learning initiatives due to the pandemic. The Counter Threat Automation (CTA) team supports the increase in security alerts and incidents associated with these initiatives. Increased alerts drive the need to build a comprehensive, innovative, intelligence-driven, and risk-informed cyber defense and response strategy.

The resource function is essential to defend systems from cyber threats, including direct support of life-safety, revenue-generating, and COVID response operations. The CTA Security Content Engineer will support key Threat Management (TM) teams (Counter Threat Automation, Security Operations Center, Computer Emergency Response Team, Counter Threat Intelligence) by proactively deploying security-driven content. Specifically, the Engineer will improve the quality of alerts and detection through fine-tuning of policies and rule-setting using log management and security incident platforms, collaborate with TM teams during investigations, and develop a comprehensive threat detection library.

Scope of Services:

The cyber threat landscape has further expanded across networks and services since the pandemic response: threats have increased the volume of alerts, detections, and investigations. The company requires a high-energy and experienced CTA Security Content Engineer to perform many critical functions within the Threat Management discipline to improve the City’s cybersecurity posture and uplift the company’s ability to respond to cyber-attacks. The Engineer will collaborate with the company’s Counter Threat Automation, Security Operations Center, Computer Emergency Response Team, and Counter Threat Intelligence teams to proactively develop and deploy security-driven content that improves the quality of alerts and detections. Specifically, the Engineer will build new security rules and policies, and fine-tune existing ones, using log management and NextGen SIEM platforms, and develop and push customized scripts that aid in threat detection and alerting. The Engineer will also develop ad-hoc content to assist teams with incident response operations, and develop and manage a comprehensive threat content library of adversarial behavioral rules and policies mapped to the MITRE ATT&CK framework.

Tasks:

  • Develop correlation searches, dashboards, reports and alerts within the SIEM.
  • Develop User Entity Behavioral Analytic (UEBA) policies and rules within the NextGen SIEM platform and tune alerts for accuracy.
  • Map use cases and subsequent rules and policies to the MITRE ATT&CK framework.
  • Integrate innovative and custom technology to improve accuracy of alerts and notifications received by teams within Threat Management.
  • Create well documented and clearly articulated code, process and services documentation.
  • Understand REST and GraphQL API usage and implement solutions that use the APIs of the platforms in use to enhance detection and response capabilities.
  • Collaborate with CTA, SOC, CERT and CTI teams to build robust, high-fidelity detections and automated alerting workflows.
  • Demonstrate a deep understanding of the SIEM and SOAR tools used to detect and respond to security threats along with other security products and data that will be used for the goal of threat detection.
  • Proactively build new threat detection content in alignment with cyber threat intelligence and in accordance with the cyber operations security strategy.
  • Establish, update, and maintain the content and development for the SIEM and SOAR platforms in order to achieve the goals of the cyber security operations program.

Mandatory Skills/ Experience:

  • Minimum 4 years of experience developing security rules, detections, and policies within log management platforms and NextGen SIEM (including UEBA) platforms
  • Proficient in Python and/or GoLang
  • Experience building security-driven content on key infrastructures such as log management platforms (Elastic, Splunk, or similar platforms), NextGen SIEMs and UEBA platforms (Exabeam, Securonix)
  • Experience using NextGen SIEMs such as Splunk and Elastic to create rules and alerts
  • Thorough knowledge of the MITRE ATT&CK framework, and working knowledge mapping security rules and policies for detection to the MITRE ATT&CK framework
  • Experience building correlation rules and alerts on log management platforms
  • Experience building policies and rules on email and network platforms
  • Proficient in git version control and git lifecycle development
  • Excellent verbal and written communication skills

Desirable Skills/Experience:

  • Bachelor’s degree
  • Basic understanding of Agile development model
  • Basic understanding of malware analysis and of building rules to identify malware families and threat actor TTPs that can be applied to platforms where applicable
  • Comprehensive understanding of building rules and alerts on multiple security-driven platforms, and understanding the end-to-end lifecycle of created rules and their corresponding alerts
  • Experience in technologies and platforms such as: Splunk, Elastic, Humio, Securonix, Google Cloud

Salary.com Estimation for CTA Security Content Engineer in York, NY
$116,807 to $147,825


