SC2023-002718 Sr Incident Detection Analyst - Cloud Security (NS) WED 27 SEP

Total Scope of the request (hours): 750

Required Start Date: 6 November 2023

End Contract Date: 31 December 2023

Required Security Clearance: NATO SECRET

As a Senior Incident Detection Analyst (Cloud Security), the service provider will provide detailed analysis of logs and network traffic with a focus on cloud infrastructure. The successful candidate will be responsible for managing and maintaining the organisation's cloud security operations, including monitoring for and responding to security incidents.

Duties

• Provide subject matter expertise in the area of cyber security monitoring and detection within cloud infrastructure environments.
• Triage, analyse and respond to alerts originating from complex cloud infrastructure deployments and on-premise networks and security devices.
• Identify security gaps in NATO cloud security infrastructure, in addition to developing and maintaining new and existing use cases, using our on-premise SIEM solution (i.e., Splunk Enterprise Security).
• Develop processes for cloud security monitoring, including documentation of all use cases.
• Review current log collection state for NATO cloud environments, identify gaps and suggest improvements.
• Analyse threat intelligence pertinent to cloud environments to identify any new and developing security risks.
• Propose and work towards automating repetitive tasks related to cloud security monitoring and detection.
• Provide training and support to other members of the organisation on the subject of cloud security best practices and incident response procedures.
• Be flexible and support your colleagues in securing NATO networks through ad hoc tasks.
• Ensure that the organisation's cloud infrastructure and security practices comply with applicable laws, regulations, and industry standards.

Deliverables

• Provide an average of 139 hours/month working on-site, embedded in the NCSC Ops Branch located in SHAPE, Casteau, Belgium.
• Develop new alerts, searches, reports and dashboards for security monitoring and detection specific to cloud environments. Each use case must reference the MITRE attack framework.
• Triage, analyse and respond to alerts. All critical alerts will be responded to within three hours.
• The service provider is expected to take the initiative to identify detection gaps, monitor the latest threats and offer suggestions for new content to the management team. Where possible full coverage of the MITRE attack framework is required. In some cases, it may be necessary to leverage solutions provided within the cloud environment itself.
• Provide and maintain full documentation for all cloud use cases, detailing the purpose of the use cases, how the logic functions and the actions that should be taken during an investigation.
• Develop dashboards that can provide situational awareness related to the security of the organisation's cloud security infrastructure. Including service KPIs and incident response metrics.
• Respond to ad hoc tasks given by the service delivery manager and cell head.
• Propose at least five security content optimisations and enhancements per week within cloud environment.
• The service provider is expected to provide accurate and complete deliverables in accordance with internal processes.
• The service provider shall be responsible for complying will all applicable local employment laws, in addition to following all SHAPE & NCIA on-boarding procedures. Delivery of the service cannot begin until these requirements are fulfilled.
• Each provider of this service must pass an assessment to demonstrate proficiency before being approved to provide the service. The assessment will follow a brief familiarisation period.
• For each individual delivering the service, the provider shall allocate 10 working days to the initial NCSC Ops familiarization and assessment process. Delivery of the service cannot begin until this is complete.

Requirements

Skill, Knowledge & Experience:

• The candidate must have a currently active NATO SECRET security clearance
• At least two years of demonstrable experience in security monitoring and analysis of enterprise level cloud environments (AWS and/or Azure).
• Comprehensive knowledge of the principles of computer and communications security, networking, and the vulnerabilities of modern operating systems and applications.
• Expertise in at least three of the following areas and a high level of experience in several of the other areas:
• Security monitoring and analysis using a variety of Security Event generating sources (e.g. Firewalls, IDS, Routers, EDR and AV).
• Cloud architectures and technologies (AWS and/or Azure).
• Managing security operations in public cloud services (AWS and/or Azure).
• Microsoft Sentinel.
• AWS cloud security tools.
• Splunk ES suite and Splunk Search Processing Language (SPL).
• Phantom SOAR playbook development.
• Security use case development aligned to the MITRE ATT&CK Framework.

Desirable

• Industry leading certification in the area of Cybersecurity, such as GCIA, GPCS, GCLD, GNFA, GCIH, CCSP, GSFE, GCFA, GCED, OSCP.
• A solid understanding of Information Security Practices relating to the Confidentiality, Integrity and Availability of information (CIA triad).
• Experience working with Full Packet Capture Systems e.g. Niksun, RSA/NetWitness.
• Experience working with Host Based Intrusion Detection systems (HIDS).
• Experience with Network Based Intrusion Detection Systems (NIDS) – e.g. FirePower, Palo Alto Network Threat Prevention.
• Strong knowledge of malware families and network attack vectors.
• Knowledge and experience in analysis of various threat actor groups, attack patterns and tactics, techniques, and procedures (TTPs), in-depth analysis of threats across enterprise environments by combining security rules, content, policy and relevant datasets.
• Ability to analyse attack vectors against a particular system to determine attack surface.