Incident Handler, SOC

Role Overview

The Incident Handler reports to the SOC Incident Handling Manager as part of the Incident Handling team to help support eSentire SOC operations during incident/breach situations. This role is the resource who takes part directly in IH activities and directly interfaces with eSentire’s Incident Response (IR) team. The primary focus of this role will be to get to resolution of incidents when a customer is handling a confirmed security incident and is in general alignment with the SOC and IR departments and company goals.

This individual is expected to be able to effectively manage highly technical investigations and support the delivery of meaningful, accurate results for both internal and external customers in a dependable and targeted manner. Time management and in-depth knowledge of all internal and many external products and services are imperative to success. Attention to detail is critical during incidents and post-incident discussions.

The successful candidate will be relied upon to identify threats and handle any security incident or advanced investigation in the SOC. Duties when incidents are slow will overlap with those of SOC Cyber Security Specialists and/or supporting other internal teams as needed.

Responsibilities

• Be part of a team of incident handler experts during active incidents and help to coordinate efforts with internal or external IR teams.
• Take ownership of active customer incidents, digital forensics (network, endpoint, log), and customer requests, conveying results to clients by e-mail and phone as needed.
• Apply investigative tactics, techniques, and procedures (TTPs) using your understanding of the security threats associated with threat signals during security incident handling activities.
• Block/disrupt malicious network traffic, isolate infected hosts on customer networks, and perform other remediation actions using internal and third-party tools.
• Assist with coordinating resources during a customer incident to ensure proper handling.
• Serve as a dedicated technical point of contact during an incident to offer a consistent experience for customers during high-stress events.
• Provide high level summaries of incidents that can be tailored for multiple non-technical audiences.
• Handle complex security incidents to deliver incident reports and/or after-action reviews.
• Prioritize criticality of internal and external requests based on potential impact to customer environments or satisfaction.
• Join internal projects and initiatives to increase SOC efficiency and improve SOC tooling, working cross functionally with other internal teams as a stakeholder for the Service Delivery Organisation.
• Review and audit various SOC investigations and processes, following up with analysts and customers, as necessary.
• Support and mentor analysts in advanced investigations.
• Delegate resources during incidents that affect a large portion of the customer base to reduce overhead and coordinate team efforts.
• Ability to convey customer requirements to Product and Account Management.
• Represent the SOC in various stages of development of products and services, ensuring internal accountability and visibility.
• Identify gaps in processes and procedures, defining solutions, escalating to appropriate teams, and supporting implementation to promote consistency in service delivery.
• Attend or lead periodic security reviews with customers as required.
• Apply investigative tactics, techniques, and procedures (TTPs), using your understanding of the security threats associated with the incoming signals to guide the creation of Runbooks.
• Provide technical input on Security Advisories on behalf of the organization.

Requirements
 

• Relevant degree in Computer Science, IT Security, IT Management, IT Support, or related discipline. Completed course must include a strong focus on networking and security.
• 5+ years’ full-time experience in a Security Operations Centre or similar Cyber Security Analysis role excluding time spent on an intern or work experience program.
• Hands on experience in at least two of the following Security domains:
  • Network Security including Intrusion Detection Systems (IDS)
  • Windows Endpoint Security, using EDR products such as VMware Carbon Black Response/Threat Hunter, CrowdStrike Falcon, SentinelOne or Microsoft Defender for Endpoint.
  • SIEM/Log Management, using products such as SumoLogic, Splunk or similar
• Knowledge and experience of network and endpoint security technologies including:
  • Snort and Suricata rules
  • Packet Capture (PCAP) analysis using Wireshark.
  • Windows Sysinternals tools
  • Usage of Linux and navigating a terminal
  • Basic scripting (Bash/Python/PowerShell) knowledge
• Be familiar with Incident Response Lifecycles (NIST/SANS) and be able to apply them to Incident Handling scenarios
• Analytical mind with strong attention to detail and a commitment to quality of service
• Strong customer facing written and verbal communication skills with the ability to effectively communicate complex security concepts with end customers.
• Demonstrated experience to confidently handle escalated customer issues, diffuse challenging situations and deliver an optimal customer experience.
• Natural ability to thrive in a fast-paced and time sensitive environment.
• Ability to work in an operational/shift-based environment with flexible working hours to include evenings and weekends.
• Industry Certificates such as CompTIA Network/Security+, OSCP, CCNA CyberOps, CASP or other similar industry standard certifications.
• Confident decision-making ability during critical situations

#LI-SJ1
#LI-Hybrid