Purpose of the role:
The Senior Security Operations Centre (SOC) Analyst assists in deploying, maintaining, tuning, monitoring, and managing security tools related to the Security Operations Centre. The Senior SOC Analyst functions as a Level 2 analyst and acts as a mentor to other members of the team. The Level 2 SOC Analyst reviews alerts from Level 1 analysts, Zinopy network security devices, the security information and event management (SIEM) platform and other tools as needed, works with other analysts to collect, correlate, and analyse security-relevant data, and responds to threats in a timely manner. This position reports to the SOC manager.
Role and responsibilities:
- Work with alerts escalated by the Tier 1 SOC Analysts to perform in-depth analysis and triage of network security threat activity based on computer and media forensics, malicious code analysis, and protocol analysis.
- Assist with the development of incident response plans, workflows, and Standard Operating Procedures.
- Monitor and manage the SIEM infrastructure.
- Monitor the service ticket board and ensure tickets are managed and responded to in line with the SLA.
- Review false-positive incidents and fine-tune the rules that produce them.
- Provide feedback and automate common recurring tasks.
- Develop and implement detection use cases.
- Manage own time and the tasks assigned.
- Carry out ticket management tasks regularly and promptly.
- Run the weekly call with customers on the agreed KPIs.
- Take minutes of customer meetings and present them to the team lead.
- Adhere to the strict change management process.
- Create and review monthly reports with analysis.
- Continuously assess the current state of security monitoring and recommend enhancements to SOC security processes, procedures and policies.
- Review and collect asset data (configs, running processes, etc.) from the systems under investigation for further analysis within the SLA timelines.
- Determine and direct remediation and recovery efforts.
- Participate in evaluating, recommending, implementing, and troubleshooting the response to security incidents.
- Document and maintain customer build documents, security procedures and processes.
- Stay up to date with emerging security threats, including applicable regulatory security requirements.
- Participate in on-call rotation for after-hours security and/or engineering issues.
- Perform customer security assessments.
- Other responsibilities and additional duties as assigned by the security management team.
- Communicate effectively with customers, teammates, and management.
- Leverage emerging threat intelligence (IOCs, updated rules, etc.) to identify affected systems and the scope of an attack.
- Troubleshoot scripts used for internal processes.
- Review vulnerability scans and send vulnerability assessment reports.
- Proactively research client network traffic and system activity for security anomalies and suspicious activity.
- Perform Advanced Persistent Threat correlation across multiple security event sources such as firewall logs, threat intelligence feeds, AV, IDS, IPS, and EDR solutions.
- Provide mentoring to other members of the Security Operations Centre team.
- Strong problem-solving skills, critical thinking, excellent analytical ability, strong judgement, and the ability to deliver high performance and high levels of customer satisfaction in a matrix-managed environment.
- Experience with SIEM technology, preferably IBM QRadar.
- Knowledge of devices such as firewalls, IPS/IDS, and routers/switches.
- Security certifications (CISSP, CISM, GIAC certs) preferred.
- ITIL V3 certified.
Education and experience:
- 2+ years of experience working in a Security Operations Centre with a Security Information and Event Management (SIEM) platform to correlate events across several devices.
- Strong understanding of network devices such as Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), firewalls, network packet capture tools, and file integrity monitoring tools.
- Proficient knowledge of incident prevention, detection and response tools.
- Knowledge of network and server security products, technologies, and protocols.
- Requires a background in at least 2 of the following domains: hacking and incident response; network forensics; security engineering, security analysis and investigations.