C002720 Cyber Security Data - Log Specialist (NS) - FRI 24 Feb

Mons, Wallonia, Belgium


Deadline Date: Friday 24 February 2023

Requirement: Cyber Security Data – Log Specialist

Location: Mons, BE

Full time on-site: Yes

NATO Grade: A/97

Total Scope of the request (hours): 1100

Required Start Date: 1 May 2023

End Contract Date: 31 December 2023

Required Security Clearance: NATO SECRET

Duties & Role:

  • Act as the Chief Technician and Subject Matter Expert (SME) for log collection systems within the Cyber Security Data team.
  • The main area of responsibility is managing multiple types, formats and quantities of data feeds to ensure established events and alerts are ingested from various log sources across NATO networks into the NCSC central security logging platform.
  • As the SME, you will provide advice and technical assistance to other stakeholders, maintain technical expertise and awareness of developments in related new technologies, and provide technical contributions to any projects related to the log collection systems.
  • Management of data feeds, including but not limited to:
    • Ensuring proper receipt of events from different sources
    • Correction of data parsing issues
    • Keeping an inventory of all log sources from all monitored networks
    • Ensuring all data feeds are monitored in real time and issues are immediately identified and worked upon
  • As the SME you will be required to coordinate activities with log source providers at remote sites to ensure that data and logs are received into the NCSC central logging platform. In support of this you will establish and maintain a defined list of contacts with CIS support personnel from remote sites.
  • Following ITIL standards, provide support to Operations and Service Delivery management covering all stages of the log collection systems lifecycle with the emphasis on the log collection aspects (e.g. Service Design, Transition, Operations, Change Management and Continual Service Improvement).
  • Ensure that log collection systems are installed, configured, and operating correctly and in line with their dependencies on other systems or applications.
  • Ensure that all system components are continuously monitored and take appropriate technical and non-technical actions for solving detected issues.
  • Ensure that the Log Source Monitoring (Solarwinds or Splunk) solution is operational and that alerts are generated and actioned upon for any major changes in service.
  • Ensure that log collection systems operate within all KPIs defined in Service Level Agreements with NCSC customers.
  • Support the integration with external tools and provide technical assistance for any associated activities.
  • Proactively identify and propose system improvements to ensure an up-to-date and stable environment. Justify business needs and prepare documentation and an implementation plan for the Change Management Board. Implement the approved changes following coordination with other stakeholders.
  • Coordinate with service delivery managers, end users and other stakeholders in support of related services; communicate with other NATO entities as well as industry partners where required.
  • Develop and maintain documentation guidelines, standard operating procedures, system and service design documents and other relevant documentation that support management of the log collection systems.
  • Create technical-level reports as required; organise and deliver presentations and briefings for various audiences.
  • Deputize for higher grade staff, if required.
  • Perform other duties as may be required.

Requirements

Skill, Knowledge & Experience:

  • The candidate must have a currently active NATO SECRET security clearance.
  • At least 1 year of extensive practical experience as Splunk administrator (deployment, installation, configuration and maintenance).
  • Extensive hands-on experience with regular expressions.
  • Extensive experience with on-boarding and managing data feeds within a SIEM environment. Practical experience in designing solutions to ingest new data feeds into SIEM.
  • At least 2 years' expert-level experience related to SIEM/LogA management activities.
  • Demonstrable experience of analysing and interpreting system, security and application logs in order to diagnose faults and spot abnormal behaviours.
  • Practical hands-on experience in systems and tools administration, especially in Linux environments.
  • Comprehensive knowledge of the principles of computer and communication security, networking, and the vulnerabilities of modern operating systems and applications.
  • Practical skills in writing Bash, Python or Ansible scripts to automate repetitive tasks.
  • Linux system and application administration and troubleshooting.
  • Ability to develop clear and concise technical documentation, including procedures.
  • Demonstrable ability to work autonomously and proactively, to understand the chain of command and to follow internal processes.
  • Good communication abilities, both written and verbal, with the ability to clearly and successfully articulate complex issues to a variety of audiences and teams.

Desirable Experience and Education:

  • Extensive practical experience as Splunk administrator in large enterprise environment (deployment, installation, configuration and maintenance).
  • Practical experience of Splunk Enterprise security, Phantom and UBA.
  • Practical experience (as system administrator) with MicroFocus ArcSight.
  • Experience with Git.
  • Hands-on experience with Ansible as an automation technology.
  • Proficient in SIEM content creation: correlation rules, reports, dashboards.
  • Experience in creating or modifying custom parsers or FlexConnectors.
  • Understanding of the Indicator of Compromise (IOC) concept and experience integrating Threat Intel feeds and IOCs with a SIEM platform.
  • Software engineering, including programming and/or scripting knowledge (Python, shell scripting, PowerShell).
  • Prior experience automating interactions between systems using APIs.
  • A solid understanding of information security practices relating to the Confidentiality, Integrity and Availability of information (CIA triad).
  • Prior experience as a user of SIEM and log aggregation systems.
  • ITIL Service Management certifications.
  • Experience in developing Splunk Applications.
  • Content management experience in Splunk, especially Enterprise Security and Advanced Search and Reporting.
  • Hands-on experience with network infrastructure and virtualized environments (preferably VMWare).
  • Industry leading certification in the area of Cyber Security such as CISSP, CISM, MCSE/S, CISA, GSNA, SANS GIAC and CFCE.
  • Previous experience working for Cyber Security related organisations (CERTs, security offices).
  • Previous experience working in an international environment comprising both military and civilian elements.
