Principal Information Security Specialist, Incident Response
NTT DATA helps clients transform through consulting, industry solutions, business process services, IT modernization and managed services.
Want to be a part of our team?
As a senior technical role, the Level 3 security analyst provides an escalation path for Level 1 and 2 workflows for high-risk incidents. In addition, this function facilitates proactive security measures through analytics and threat hunting processes.
This role is responsible for detecting and monitoring escalated threats and suspicious activity affecting NTT Ltd’s technology domain (servers, networks, appliances and all infrastructure supporting production applications for the enterprise, as well as development environments).
The security analyst is a technical expert concerned with exceptions for Endpoint Security Detection and Protection, perimeter security logs, networking logs, operating system logs, anti-virus system logs/alerts, enterprise detection and response systems, intrusion prevention systems, message authentication code checking systems, file hash checking routines, public key certificate checking systems, content filtering systems, data loss prevention systems, virtualization monitoring systems, and other automated mechanisms that immediately detect unauthorised activity on NTT Ltd’s information assets. The analyst also advances automated integration and interoperability across multiple vendors’ security appliances.
The function is to perform a variety of real-time threat analysis activities. This includes applying analytical reasoning and specialised technical security expertise to investigate and isolate network and security incidents, identify threats, vulnerabilities and risks, and apply incident management techniques to resolve challenges.
The role involves security incident handling and response from a number of vectors, including End Point Protection and Enterprise Detection & Response tools, attack analysis, malware analysis, network forensics and computer forensics, and requires a broad range of skills in LAN technologies, Windows and Linux operating systems, and general security infrastructure.
The role of the level 3 Security Analyst is to manage critical and high risk exposures in the daily operation of our Real-time Threat Management activities. They are the most senior technical resource in the team who facilitate problem resolution and mentoring for the overall team. This includes operational security tasks such as performance and availability monitoring, log monitoring, security incident detection and response, security event reporting, and content maintenance (tuning).
Working at NTT
Responsibilities and Duties:
Acts as the technical first responder for the Computer Security Incident Response Team (CSIRT), supporting the work of technical staff from various departments, as well as the work of third party technical experts.
“Threat hunting” is an ongoing weekly activity performed by Level 3 Analysts. Using a Cyber Threat Kill chain model, identify all the potential attacker activities which are high risk to NTT Ltd. Each high level category will have multiple variations and options for an adversary to exploit. All vectors should be explored to determine high risk threats to proactively hunt for. For example:
- Malware Beaconing
- DNS Tunnelling
- Pass the Hash (PtH)
- DLL Injection
- Shared Webroot
Regularly reviews the current configurations of NTT Ltd production information systems and networks against compliance standards.
Reviews and fine-tunes custom software which analyses the vast amount of log, audit trail, and other recorded activity information that modern systems record, so as to be able to immediately detect unauthorised activity, most importantly intrusion by unauthorised parties and the execution of unauthorised software.
Fine-tunes the existing security monitoring systems so that false positives and false negatives are minimised, and so that both accurate and useful information is being passed to management and the CIRT.
Works with Computer Performance Analysts, Computer Operators, and other technical specialists who monitor information system activities, so as to be able to best utilise the information recorded on the systems that they monitor for information security purposes.
Performs post-mortem analysis of logs, network traffic flows, and other recorded information to identify intrusions by unauthorised parties, as well as unauthorised activities of authorised users (this work could be in support of an insurance claim, a disciplinary action, or a lawsuit).
Manage security breaches
These individuals manage the prevention and resolution of security breaches and ensure that the required incident and problem management processes are initiated to ensure compliance with ISM policy. They present their findings to the business and advise on new measures required to prevent recurrence of similar breaches.
Prioritises and diagnoses incidents according to agreed procedures. Investigates causes of incidents and seeks resolution. Escalates unresolved incidents. Provides service recovery, following resolution of incidents. Documents and closes resolved incidents according to agreed procedures.
Maintains secure, accurate, complete and current configuration on Configuration Items (CIs). Applies tools, techniques and processes to track, log and correct information related to CIs, ensuring protection of assets and components from unauthorised change, diversion and inappropriate use.
Investigates and identifies root cause of incidents. Assists with the implementation of agreed remedies and preventative measures.
Ensures that access is logged and tracked and that access is removed and/or restricted as per policy.
Ensures that security service audit schedules are performed. They review access authorisation for compliance with policy, administration security controls for effectiveness, and security on the operational systems, and verify that security monitoring is working.
Ensures that continuous service improvements are documented in service designs and that the required security remediation plan is developed and reviewed.
Information Security Analysts display the ability to plan and prioritise their workload. They have good decision making ability and are process driven and analytical individuals who are proactive in their approach. They demonstrate the ability to keep up to date with technological advances within the information security arena and display a solid understanding of business. These individuals have good interpersonal, verbal and written communication skills and use these to interact professionally with a variety of internal and external stakeholders.
In this position you will be required to:
- Run weekly sprints in Threat Hunting analytics
- Processing of security alerts, events, and notifications (e.g. via email, ticketing, virus warning, intelligence feeds, workflow, etc.)
- Notification of internal and/or external teams according to agreed alert priority levels, and escalation trees
- Monitor events for suspicious events, investigation, and escalate where applicable.
- Maintain an understanding of current and emerging threats, vulnerabilities, and trends.
- Prioritise threat analysis based on risks associated with each threat and working with the appropriate teams to ensure related communications are in line with company best practice and recommendations.
- Good understanding of malware forensics, network forensics, and computer forensics also highly desirable.
- Ability to statically and dynamically analyse malware to determine target and intention.
- Ability to uncover and document tools, techniques, procedures used by cyber adversaries in attacking managed infrastructure.
- Acts as the primary technical lead for the Computer Incident Response Team (CIRT), coordinating the work of technical staff from various departments, as well as the work of third party technical experts
- Ties third party attack monitoring services and threat reporting services, into internal CIRT communications systems, so as to better alert CIRT team members about what’s coming, and what preparations to undertake before production systems at NTT Ltd are damaged (and what remedial actions to take after damage has taken place)
- Regularly reviews the current configurations of NTT Ltd production information systems and networks, with an eye towards the steps that attackers must take to break through existing defences, and recommends configuration changes, system setting changes, network topology changes, and other modifications that would enhance the overall level of security.
- Designs, specifies, programs, deploys, and fine-tunes custom software which analyses the vast amount of log, audit trail, and other recorded activity information that modern systems record, so as to be able to immediately detect unauthorised activity, most importantly intrusion by unauthorised parties and the execution of unauthorised software.
- Acknowledging that manual responses to automated attacks are no longer sufficient protection, the Analyst designs automated scripts, automated contingency plans, and other programmed responses which are launched when an attack against NTT Ltd systems has been detected.
- Designs, specifies, programs, debugs, and oversees the work of others related to middleware, and other system integration tools, which tie multiple security monitoring systems together so as to better meet NTT Ltd ’s information security needs.
- Works with Security Architects and Security DevOps, and others who are building and modifying software and hardware for NTT Ltd , so as to better take advantage of the security monitoring tools deployed at NTT Ltd.
- Fine-tunes the existing security monitoring systems so that false positives and false negatives are minimised, and so that both accurate and useful information is being passed to management and the CIRT.
- Builds, updates, and maintains a separate computer lab where intrusion detection related information security appliances, e.g., firewalls, can be tested and shown to meet NTT Ltd needs, prior to being deployed on production systems.
- Performs product evaluations for those information security monitoring systems that are being seriously considered for use on NTT Ltd production information systems.
- Performs post-mortem analysis of logs, network traffic flows, and other recorded information to identify intrusions by unauthorised parties, as well as unauthorised activities of authorised users.
- Manages the prevention and resolution of security breaches and ensures that the required incident and problem management processes are initiated to ensure compliance with policy. They present their findings to the business and advise on new measures required to prevent recurrence of similar breaches.
- Reviews incident and problem management reports to identify potential security weaknesses and performs an impact and risk analysis, developing recommendations for highlighted risks and ensuring that these risks and solutions are presented to the relevant stakeholders.
- Ensures that security service audit schedules are developed, scoped, discussed and agreed with the business. They review access authorisation for compliance with policy, administration security controls for effectiveness, and security on the operational systems, and verify that security monitoring is working.
What will make you a good fit for the role?
Requirements: Education, Training and Experience
- Degree / Certifications
- SANS GIAC Security Essentials (GSEC) or equivalent
- SANS GIAC Certified Intrusion Analyst (GCIA) or equivalent
- SANS GIAC Certified Incident Handler (GCIH) or equivalent
- Industry Certifications: CISSP, CISM, CISA, CEH, CHFI
- Information Technology / ITILSM / ICT Security / ITIL v3
- Fluent English - spoken and written essential
- At least 8 years’ experience in a Technology Information Security Industry
- Prior experience working in a SOC/CSIRT for at least 3-5 years
- Comprehension and practical knowledge of the “Cyber Threat Kill Chains”
- Strong knowledge of Tools, Techniques and Processes (TTP) used by threat actors
- Practical knowledge of "indicators of compromise" (IOCs)
- Tertiary qualifications or a passionate ethical hacker
- End Point Protection Software
- Enterprise Detection & Response software
- Experience or knowledge of SIEM and IPS technologies
- Experience with Wireshark, tcpdump, Remnux, decoders for conducting payload analysis.
- Knowledge of malware analysis, hacking techniques, latest vulnerabilities, and security trends.
- Preferably an interest, or knowledge of, or experience with SIEM and IPS technologies.
- Understanding and experience in building SIEM rules and/or indicators of compromise for threat detection.
- Knowledge of network technologies including Routers, Switches, Firewalls.
Personal Attributes and Skills Required
Skills and knowledge
- Knowledge of information security management and policies
- Demonstrate an understanding of complex inter-relationships in an overall system or process
- Sound knowledge of technological advances within the information security arena
- Demonstrate analytical thinking and a proactive approach
- Display consistent client focus and orientation
- Display interpersonal skills and good verbal and written communication ability
- Demonstrate teamwork and collaboration skills
- Demonstrate sound decision making ability
- Display good planning and organizing ability
Next career steps
- Team Leader Incident Response
- Global Information Security Services:
- GRC Manager
- Regional InfoSec Manager.
Equal Opportunity Employer
NTT is proud to be an Equal Opportunity Employer with a global culture that embraces diversity. We are committed to providing an environment free of unfair discrimination and harassment. We do not discriminate based on age, race, color, sex, religion, national origin, disability, pregnancy, marital status, sexual orientation, gender reassignment, veteran status, or other protected category