This job offer is archived and no longer available.
Current job offers can be found under Projects.

Security Operations Center Analyst

Posted by GCS

Skills sought: Support, Network, Oracle, IP

Project description

SECURITY OPERATIONS CENTRE ANALYST

CONTEXT

The reference profile 'Security Operations Centre Analyst' is foreseen for services in the following Cyber Security Area(s): Areas I and VII.

This reference profile constitutes the baseline for the following service requirements:

- Associate Level - Security Operations Centre Analyst in [domain/sub-domain]
- Confirmed Level - Security Operations Centre Analyst in [domain/sub-domain]
- Senior Level - Security Operations Centre Analyst in [domain/sub-domain]

NATURE OF SERVICES

The primary objective of this service is to act as the first line of response to a potential cyber attack or security incident. Supported by automated tools such as intrusion detection systems, log correlation engines and SIEM, a ticketing system, and alerts and warnings from internal and external sources, the service involves receiving, triaging and responding to alerts, requests and reports, analysing events and potential incidents, and providing the primary support for incident responders. Triage involves assessing whether a reported security incident, or the level of exposure of a vulnerability, is a true or false positive, tagging the vulnerability or incident with an initial severity classification, and activating the corresponding incident response playbook entry. A further objective of this service is to follow pre-defined procedures to perform technical tasks related to identity and access management.

REFERENCE TASKS

The following list of tasks applies to this reference profile. The list is not exhaustive and may evolve over time, depending also on the type of assignment:

- Real-time monitoring of cyber defence and intrusion detection systems
- Automated processing (centralisation, filtering and correlation) of security events
- Human analysis of automatically correlated events
- Processing of incoming warnings, alerts and reports
- Triage based on verification, level of exposure and impact assessment
- Categorize events, incidents and vulnerabilities based on relevance, exposure and impact
- Open tickets and ensure case management
- Activate initial response plan based on standard playbook entries
- Maintain incident response address book
- Provide support to incident responders
- Advise affected users on appropriate course of action
- Monitor open tickets for incidents/vulnerabilities from start to resolution
- Escalate unresolved problems to higher levels of support, including the incident response and vulnerability mitigation teams
- Configure the SIEM components for an optimal performance
- Improve correlation rules to ensure that the monitoring policy allows an efficient detection of potential incidents. For a new component to be monitored, this encompasses

Contribute to the design of the overall monitoring architecture, in close relationship with the customers/system owners, on the one hand, and the security operations engineering team, on the other hand, by performing the following tasks:

- Assessment of security event detection solutions and development of solutions;
- Integration of these solutions within the security monitoring scheme (log collection architecture, interoperability, formats, network aspects, etc.);
- Deployment and validation of the solutions;
- Drafting of documentation such as architecture design descriptions, assessment reports, configuration guides and security operating procedures;
- Production and maintenance of accurate and up-to-date technical documentation, including processes and procedures (the so-called playbook), related to security incidents and preventive maintenance procedures;
- Management of identities and their related user accounts;
- Management of groups, roles and other means of authorisation;
- Resolution of incident, request and problem tickets from 1st Level Support or internal customers related to identity and access management.

SPECIFIC REQUIREMENTS

SPECIFIC PRACTICE

- SOC Analyst and/or first-line incident responder (required at Associate, Confirmed and Senior level)

CERTIFICATIONS

At least one certification in the field of incident handling:

- GCIH (GIAC Certified Incident Handler)
- GCIA (GIAC Certified Intrusion Analyst)
- ECIH (EC-Council Certified Incident Handler)
- CSIH (SEI Certified Computer Security Incident Handler)

METHODOLOGIES

- Risk Assessment methodologies: EBIOS, CRAMM, PILAR or equivalent (subject to acceptance by the Contracting EU-I)

STANDARDS

STIX (Structured Threat Information Expression) with a particular focus on the following related standards:

- CybOX (Cyber Observables)
- CAPEC (Attack Patterns)
- MAEC (Malware)
- TAXII (Threat Information Exchange)

SPECIFIC SKILLS

- Networking (TCP/IP, SNMP, DNS, Syslog-ng, etc.)
- Experience in using, configuring and tuning a SIEM

KNOWLEDGE IN NETWORK SECURITY SOLUTION/TECHNOLOGIES

- Firewalls
- Network IDS and IPS
- Switches and routers
- APT detection solutions such as FireEye
- DNS, DHCP, VPN
- Network forensics (full packet capture)
- Traffic baselining analysis

KNOWLEDGE IN HOST-BASED SECURITY SOLUTIONS

- HIPS
- Malware endpoint protection
- OS logs

SPECIFIC SKILLS

- Strong knowledge of Windows security event analysis
- Strong knowledge of the security analysis of firewall, proxy and IDS logs
- Writing and optimising IDS signatures (preferably Snort and/or Suricata)
- Strong knowledge of the security analysis of application or middleware logs (Oracle, Apache, WebLogic)
- Writing and optimising YARA rules

PRODUCTS/TOOLS

- SIEM (ArcSight ESM 6.x, QRadar, or equivalent - subject to acceptance by the contracting EU-I)
- Log management solution (ArcSight Loggers and/or QRadar and/or Splunk or equivalent - subject to acceptance by the contracting EU-I)
- Snort or Sourcefire NGIPS, FireSIGHT
- Suricata / Stamus Networks
- ELK (Elasticsearch, Logstash & Kibana)
- FireEye EX, NX, AX, FX, HX, IX
- Check Point and Juniper firewalls
- Blue Coat proxies

Project details

  • Location: Brussels, Belgium
  • Start: asap
  • Duration: 8 years
  • Contract type: Contract
  • Professional experience: not specified

Required qualifications

GCS