Job Description :
I have included a detail description of the roles and responsibilities for our ideal candidate. Our goal will be target individuals with the necessary experience and aptitude to be in line for consideration as a L2/L3. We are willing to consider L1 level candidate if they are driven and passionate about security. They will also need to demonstrate high level of attention and strong analytical ability.
References
NIST 800-61 Computer Security Incident Handling Guide []Looking for: this is one of the main drivers, and an L3 analyst should know this process, documentation, incident phases (detection/analysis, containment/eradication/recovery, etc.) – this is a SOC analyst’s bread-and-butter.
NIST 800-53 Security & Privacy Controls []Looking for: this is more security architecture, but we’ll need a general understanding of security controls, and monitoring, and defense-in-depth concepts (how a SOC deals with risk from the organization, coverage by controls, compensating controls, when a control fails, detection, response).
SANS Intrusion Analyst []Looking for: this is a base-level certification for SOC analysts. For an L3, concepts of analysis, TCP, etc. should be solid.
SANS Continuous Monitoring []Looking for: SOC analysts get their events and incidents from detections in the environment. For an L3, the majority of these topics should be solid.
SANS Incident Handler []Looking for: this is the primary certification showing the knowledge needed for an L3 incident handler. Understanding of this material is crucial.
Role Overview
·SOC Level 1 & 2 Security Analysts – Responsible for monitoring and initial triage of information security events and security toolset related service tickets. After initial triage if further investigation is warranted then escalation will be sent to a level 3. Other duties include working with level 3 for tuning of the security toolsets and collaboration of information for emerging threats for delivery to upper levels for threat level reporting. Increasingly familiar with healthcare and privacy regulations (HIPAA/HITECH, PHI/PII/PI, GDPR, etc.).
·SOC Level 3 – Level 3 Analysts are responsible for conducting intrusion analysis on security events collected from the various security data sources across the McKesson enterprise and researching potential avenues of attack vectors. Duties also include the escalation of actionable potential security incidents to the Incident Management team and/or another operational team and providing incident response tasks while working with Incident Management. In addition, Level 3 Analysts will be responsible for working very closely with the Security Engineering and Forensics Teams to develop and publish new content to the various information security tools and collaboration for all daily, weekly, monthly and quarterly reports. Knowledgeable about healthcare and privacy regulations as it pertains to security monitoring and incident response requirements.
Level 1 Key Operational Activities
·Responsible for consistent and accurate incident and event documentation
·Follow runbooks and recommend updates to runbooks for common incident scenarios
·Identification of repeatable tasks
·Daily Operational checklists and tasks:
·Provides initial triage of security events
·Escalate when necessary and invoke the incident response process
·Security Service Support
·Log and alert analysis and review
·Verifying that escalation follow-up activities have been accomplished
·Investigating suspicious security event activity
·Investigate for phishing campaigns
·Maintaining and enforcing adherence to corporate and SOC standards, policies and procedures
Level 1 Key Job Functions
·Analyst conduct initial review and response to events and alerts from the various toolsets as they are reported into the SIEM and from other security toolsets and escalate to Level 2 analysts as needed
·Analyst participates in log analysis and alert reviews to collaborate with Level 2 Analysts when defining security filters and rules for implementation within the SOC security monitoring tools
·Analyst assists in SOC product evaluations and recommendations
·Analyst must keep up to date on the latest security information (emerging threats, intelligence gathering and industry news) in order to validate their security analysis and identification capabilities of the monitoring technologies
·Analyst must have a good understanding of information security threat monitoring toolset (including but not limited to: SIEM, Endpoint Protection, Firewall, IDS/IPS, VPN, Malware Protection, VM, Active Directory, etc.)
·Analyst must have a good understanding of common operating systems (ex. Windows, MacOS, Linux)
·Analyst may work shifts in support of 24/7/365 monitoring of security alerts and threats.
·Analyst needs basic understanding of TCP/IP, Networking, Web Applications, Databases, and information security knowledge.
·Analyst will field tickets from direct input, SOC systems, SIEM, SOC line (phone system), and other sources
Level 2 SOC Security Analyst
Level 2 Analyst have typically been working in the information technology or security field for approximately 3+ years, and are more experienced in terms of threat/vulnerability analysis in the context of security operations. It is expected that Level 2 Analysts will have good communication skills and work well on a team of analysts covering a revolving 24/7 shift rotation and weekend rotation/on-call availability.
Level 2 Detailed Responsibilities
Level 2 analyst is expected to perform all Level 1 job functions. Level 2 Analysts are experienced analysts that can prioritize multiple security incidents and daily operational tasks. The Level 2 Analysts partner with the Level 3 Analysts to refine and publish new or modified monitoring tool content to promote efficiency and efficacy within the SOC team. The Level 2 Analysts may work multiple shifts, providing coverage for Level 1 Analysts on vacation or out sick, and are available for contact in the event of an escalation off-hours, maintenance, upgrades or incidents.
Level 2 Key Operational Activities
·Review and modify the information security threat monitoring toolset content to better detect and prevent security incidents
·Identify False Positives and work with Level 3 Analysts for alert tuning.
·Accept escalations from Level 1 Analysts for triage and identification of threat events for escalation to potential security incident
·Responsible for consistent and accurate incident and event documentation
·Review Level 1 tickets for documentation accuracy and consistency
·Follow formal change control processes and create appropriate documentation for changes to prevent or minimize outages
·Implementation of automation and orchestration scenarios
·Develop tools or scripts to automate repeatable tasks
·Collaborate with Level 3 Analysts to keep SOC tools and applications in good health and hygiene
·Maintain and enforce adherence to corporate and SOC standards, processes and procedures
·The Level 2 Analyst gathers technical information pertaining to current threat posture for the BUs and Corporate environment, new security threats, visible exploit trends, and creates a daily threat report for review by Level 3 Analysts
Level 2 Key Job Functions
·Analyst will accept escalated events from Level 1 analysts for analysis, triage, and investigation.
·Analyst will be responsible for updating timeline of events, and escalate security events to Level 3. Triage and closure of the event, and identifying potential False positive.
·As a member of the SOC, the Analyst will be available to participate during escalated security incidents for incident response.
·Analyst collaborates with Level 3 analysts to document and review filters, rules, and security applications within the information security threat monitoring toolset.
·Analyst will assist the Level 1 Analysts in presenting the solutions that were developed, designed and implemented to Security Operations and non-security operations personnel
·Analyst is responsible for advanced investigations that involve further outside or auxiliary research, or extensive collaboration with other teams.
·Analyst is responsible for handling or assisting in forensic or IR process, procedures, and acquisitions.
·Analyst must track the latest security information pertaining to the deployed information security threat monitoring toolset
·Analyst participates in improvement efforts to gather, analyze, and define security operations
·Analyst must follow the published documentation of the SOC role. Any changes to the existing procedures must be acknowledged as read and understood for the normal job functions of the SOC. Analyst will escalate to Level 3 Analyst any documentation that is out-of-date or irrelevant.
·Generate, validate, and disseminate Playbooks/Runbooks to endure Security Best Practices and procedures
·Train and Mentor Junior Analysts
Level 3 SOC Security Analyst
A Level 3 Analyst is an experienced security professional within the SOC with 4+ years of experience and has a solid understanding of the information security threat landscape and potential impact to business functions. A Level 3 analyst has the broad knowledge of the business units and interfaces with ITRLs to improve the security posture of the enterprise and enhance monitoring activities.
Level 3 Analyst Detailed Responsibilities
Level 3 Analyst must be capable of performing all L1, L2 job functions. A Level 3 Analyst is responsible for the optimal operation of the security tool content and other identification mechanisms of the threat and vulnerability management technologies. The Level 3 Analysts are subject matter experts that can work simultaneously on multiple security incidents and daily operational problems. The Level 3 Analysts are continually working with the Security Engineering and Forensics team to refine and publish new or modified monitoring tool content as to make the SOC team more efficient and effective.
Level 3 Analyst Operational Activities
·Accept escalations from Level 2 Analysts for remediation, and identify threat events for potential security incidents, escalating security incidents to Security Incident Management team and providing Security Response support as needed.
·Providing data from the information security threat monitoring toolset, or directing Level 1/2 analysts to retrieve data in support of the Incident triage and for analysis of attack vectors
·Level 3 Analysts provide remediation and mitigation recommendations and/or actions against compromised or vulnerable endpoints from threat actors or attack vectors
·Planning, design, and implementation of automation and orchestration scenarios
·Collaborate with Security Engineering and Security Architecture to keep the SOC tools and applications up and running as designed. Developing and implementing automation and application logic for security correlation purposes
·Maintain and enforce adherence to corporate and SOC standards, processes and procedures.
·Responsible for consistent and accurate incident documentation for all analyst levels
·Develop tools or scripts to automate repeatable tasks
·The Level 3 Analysts support Threat Intelligence Analysts by gathering technical information pertaining to current threat posture for the BUs and Corporate environment, new security threats, visible exploit trends, Indicators of Compromise and Indicators of Attack updates and sharing
·Level 3 Analysts will approve or modify the weekly threat report to be delivered to appropriate recipients
·Review and modify the security monitoring tool content to better detect and prevent security incidents
·Tracking and dissemination of program operational metrics
·Follow formal change control processes and create appropriate documentation for changes to prevent or minimize outages
·Identification and formal review of redundant monitoring tasks, redundant security event analysis or data duplication on collection tasks to streamline and minimize use of system resources
·Reviewing security application errors to correct day-to-day technology problems that negatively impact technology infrastructure
·Develop, review, document, and implement complex filters, rules, and event identification routines that will make the security operations technology more effective
·Malware and threat analysis from memory, system images, direct access to systems, applications, or databases depending on the situation or request.
·Level 3 will interface directly with ISRM Incident Response Team to escalate high confidence suspected incident for review and declaration by Incidents team
Level 3 Analyst Key Job Functions
·When leading a remediation team, L3 Analyst will be responsible for all closure activities for the SOC team and escalated security incidents including the Post Review by ISRM Incident Team
·As member of the SOC, the Analyst will ensure that during escalated security incidents they will be available to participate in Incident Response when called upon
·Analyst collaborates with other SOC analysts to document and review the interactions of the filters, rules, and security applications within the deployed security technologies of the Counter Threat Operations
·Analysts will assist the Level 2 Analysts in explaining the solutions that were developed, designed and implemented to security operations and non-security operations personnel
·Analyst must track the latest security information pertaining to the SOC technology
·Analyst will track changes to internal SOC technologies, procedures, and security feeds (firewall, SIEM, VPN, etc…) for device upgrades and patches for remediation and mitigation procedures
·Analyst will collaborate with the Security Engineering, Forensics, Security Architecture, and Network Security teams on the installation, operation, and management of approved security tools
·Analyst may be asked to perform product evaluations, and recommend products based on industry best-practices or procedures in relationship to the SOC role
·Analyst may provide security consulting and developmental assistance of general & customized security configurations for the integration of business units and external customers into the Counter Threat Operations
·Analyst may participate in the external security auditing of the SOC and the assessment of the SOC processes and procedures
·Analyst develops, documents, and presents general and technical presentations on security operations to business units and Information Security Risk Management personnel
·Analyst will provide metrics reports to management demonstrating the current status of the BUs and the overall corporate security posture. The Level 3 Analyst may need to present the metrics to the BUSLs, ITRLs and Upper Management
·Analyst will be responsible for submitting information security requests for change to the environment for protecting McKesson Global assets as information is received proactively, during attacks or incidents, and remove changes if warranted.
·Train and Mentor Level 1 and Level 2 Analysts
Source link
