- Location: 400 7th St., SW Washington, DC 20024
- Salary: Dependent upon experience
- Security Clearance: Public Trust
- Available: ASAP
- Monitor the Security tools at the OCC CDC CEM, including but not limited to, SIEM, Proxy, IPS/IDS, Firewall, Active Directory, Vulnerability Scanner, Anti-Malware, Endpoint Security, Web Application Firewall, NetFlow, Packet Capture, computer log files, etc., to maintain situational awareness to satisfy the CEM 24x7 monitoring requirement
- Proactively protect the OCC. The CEM analyst will look for unusual activity by reviewing all available information including but not limited to the above referenced tools and investigate any unusual activity that is detected.
- Investigate all security alerts received by the CEM. The investigation will make use of all tools and log files possible. The investigation will determine if the alert is a false positive, a security event, an actual attack, and/or a security incident. The investigation will answer and report on the who, what, where, when, and how of the occurrence. The investigation will report on any actions taken to contain and/or remediate the situation and any recommendations for further action. The investigation will include a historical summary of previous investigations of the same alert.
- Investigate anything requested by management or the CSO at their discretion. The investigation will be performed as described above
- Provide cybersecurity root-cause analysis in support of any tickets for which it fails to meet the Acceptable Quality Levels (AQLs) specified in the PRS. This root-cause analysis will include documenting recommendations for corrective action.
- Escalate any security incident (the confidentiality, integrity, or availability of any information or information asset is negatively impacted) to Incident Response (IR). Further, the CEM analyst will enlist the assistance of IR for any situation which require skills that exceed the skills of the CEM analyst/team, or that require more manpower than is available to the CEM team.
- Perform a shift handoff at the end of every shift. The shift handoff will provide situational awareness to the incoming shift. The shift handoff will also instruct the incoming shift to finish investigations, reports and other work which was not completed by the outgoing shift, and provide all details required for the incoming shift to easily pick up the work where it was left off. The shift handoff information will be recorded in the shift report in the format described in the shift report SOP.
- Will write and distribute reports, including but not limited to the Shift Report, the Daily Virus Report, the Daily Activities Report, Daily Shift Tracker, the Weekly Activities Report, the Blue Coat Report, Investigation Reports, etc., as described in their respective SOP, ad hoc as the need arises, or as directed by management.
- Will write reports on investigations, other reports, emails or any other communications that use proper grammar, are easily understood, logically constructed, and complete to the point that no likely questions remain unanswered.
- Will process and complete tickets received from ServiceNow such as Non Standard Software Require, Unblock Request, Lost and Stolen, etc., in the manner described in their respective SOPs. Any ServiceNow tickets not completed and closed by the end of the shift must be handed off to the next shift for completion.
- Will process and complete tickets received from CDC Tracker. Any CDC Tracker tickets not completed and closed by the end of the shift must be handed off to the next shift for completion.
- Will investigate all reported suspicious emails and determine whether the email is malicious, non-malicious or legitimate. The CEM Analyst will categorize and file the reported email to support tracking and reporting activities. The CEM analyst will reply to the user who reported the suspicious email with a message reporting the determination and any recommendations.
- Will maintain their Laptop and all software therein in a state of readiness necessary to support all activities required of the CEM analyst.
- Will read all Emails they receive and handle each as required by either responding, investigating, reporting, acknowledging, filing and categorizing for future reference, etc.
- Will attend all meetings and conference calls that may be required. The CEM analyst will take notes as appropriate and report pertinent information to the rest of the CDC as appropriate.
- Will update their Timesheet every day and keep it current as of the close of that day.
- Will assist coworkers where necessary, including but not limited to onboarding, training, investigations, reports, etc.
- Required to complete periodic training such as Security Awareness Training, Privacy Training, Sexual Harassment Training, etc.
- Will perform other duties as assigned by management. Other duties can even include duties normally assigned to different teams, such as Indicator Bulletins, Weekly reports, etc.
- Working knowledge of policies, procedures, and protocols of a government Security Operations Center
- Knowledge of numerous security tools and technologies to include some of the following and/or closely comparable security technologies: McAfee Nitro SIEM, McAfee IDS/IPS, Imperva web application firewalls, McAfee Enterprise Antivirus, BlueCoat, Symantec DLP, FireEye, Guardium, Firewalls, QualysGuard, AppScan and others
- ServiceNow experience
- Preferred: 1 year of experience in SOC, exceptions may apply
- Optional: 1 year of experience in NOC
- Experience at the U.S. Department of Treasury
- Previous SOC management experience at a federal agency similar in size, scope, and complexity.
- Preferred: Security+ or Network+
- Nice to Have: Splunk