Sr. Security Information Event Management Engineer (SIEM)
SailPoint is seeking an experienced Senior Security Information Event Management (SIEM) Engineer with demonstrated competencies and thought leadership to contribute toward the success of our cybersecurity initiatives. This critical role will be the technical lead and subject matter expert providing full technology stack design, implementation, and tuning support for the SIEM platform, including logging and monitoring service delivery. The ideal candidate for this role will have hands-on experience with Splunk or another leading platform (Sumo Logic, Devo, InsightIDR, etc.), including engineering and migrating to a cloud-based SIEM and producing the associated requirements and design artifacts. This role is responsible for creating and providing alerts to the Threat Detection and Response team from event logs across the enterprise. The success of this role will depend on the engineer's ability to work closely with the Threat Detection and Response team to carefully tune the platform to meet their real-time alerting and analysis requirements. This position will handle ingestion and extraction of log data, mapping event logs to data models, writing logic to create and modify alerting, and tuning that logic to increase fidelity. A successful candidate will have experience with a wide array of security logging technologies and security use cases, an analytical and detail-oriented mind, and strong organizational practices.
Additional responsibilities include implementing organizational policies and standards for logging and monitoring, maintaining the health, performance, stability, and ongoing support of the SIEM infrastructure, and partnering with other teams in integrating security solutions with the SIEM.
Responsibilities:
- Establish and maintain a secure SIEM solution architecture with documentation of the design, requirements, configurations and associated procedures for log ingestion and platform maintenance.
- Design, build, test and implement security alerts and reports using knowledge of event source logs and network packet data.
- Partner with groups within the organization to ensure successful deployments of the SIEM and interact with end users to gather requirements, perform troubleshooting, and aid with the creation of search queries and dashboards as required.
- Present and articulate the value of the SIEM, the rationale behind the design and ensure partners and customers within the organization are supported.
- Create and maintain logging standards for reuse across the organization and ensure appropriate governance aligned with other security policies and standards.
- Actively seek to improve and develop new alerting and dashboards based upon observed indicators of attack and compromise.
- Optimize security alerts by designing and implementing recommendations on event source coverage, log and packet meta-tagging, and log and packet filtering.
- Recognize and onboard new data sources into the SIEM, analyzing the data for parsing, to fulfill stakeholder requirements.
- Tune and optimize false positives from alerts in partnership with Threat Detection and Response.
- Document and update the SIEM engineering processes and logging/ingestion procedures.
- Apply expert Linux knowledge to edit and maintain SIEM configuration files and applications.
- Evaluate and recommend new and emerging security products and technologies, carefully documenting technical requirements and collecting functional requirements from Threat Detection and Response.
- Research and document security best practices to continually improve the deployment and use of the SIEM.
- Stay abreast of current technologies, security compliance requirements, standards, and industry trends to help achieve cybersecurity's goals.
- Maintain the health, performance, stability, tuning and ongoing planning of the SIEM platform.
Requirements:
- 2-4 years of direct responsibilities over an Enterprise SIEM in a corporate environment.
- Must be a US citizen and reside in the United States (supporting FedRAMP).
- Advanced engineering experience with industry-leading SIEM platforms (Splunk, QRadar, Sumo Logic, Devo, etc.).
- Ability to develop advanced queries using the query languages or other scripting techniques.
- Advanced experience with process automation and/or scripting (bash, PHP, Perl, JavaScript, etc.).
- Experience with Cloud Service Providers (AWS, GCP, Azure).
- Experience developing and documenting secure design, configurations, and associated procedures for log ingestion and SIEM platform maintenance.
- Extensive experience working with Syslog and understanding patterns/architecture for log forwarding.
- Ability to troubleshoot performance and issues as well as SIEM installation and upgrades.
- Strong experience in analyzing, troubleshooting, and providing solutions for technical issues (problem management and issue triage).
- Experience building marketplace connectors for integration into a SIEM beyond Syslog.
- Strong understanding of networking infrastructure concepts, technologies, and protocols.
- Strong understanding of enterprise application architecture and service message logging standards.
- Experience in ingesting logs from API driven sources.
- Experience creating alerts, dashboards, and reports in Splunk, QRadar or equivalent.
- Experience with log parsing, lookups, calculated fields and field extractions using regular expressions (regex).
- Experience in developing alerts for indicators of attack and indicators of compromise to provide to the SOC.
- Experience presenting complex topics to both business and technical partners.
- Ability to determine methods and procedures on new assignments with minimal instruction.
- Experience creating conceptual, logical, and physical security artifacts (process diagrams, topologies, UML, etc.).
- Experience with technical evaluations and rationalization processes.
Preferred:
- 5-10 years of hands-on experience maintaining, patching and administration of workstations, servers, and network devices.
- Experience with Atlassian suite of products for defect management and ticketing.
- Experience working with a value-added reseller (VAR) and/or direct with solution providers.
- Experience working with VPC Flow Logging, CloudTrail and CloudWatch.
- Experience contributing to open-source security projects.
- Attendee and/or contributor to public security consortia (e.g. OWASP, Security Alliance).
- ITIL and/or Six-Sigma certifications and training pertaining to efficiency in operations for cybersecurity.
- Experience with migration from an on-premises to a cloud-based SIEM.
- Relevant vendor certifications such as:
  - Certified Information Systems Security Professional (CISSP)
  - GIAC Certified Detection Analyst (GCDA)
  - GIAC Continuous Monitoring Certification (GMON)
  - GIAC Certified Incident Handler (GCIH)
  - GIAC Python Coder (GPYC)
  - GIAC Certified Windows Security Administrator (GCWN)
  - GIAC Defensible Security Architecture (GDSA)
  - GIAC Cloud Security Essentials (GCLD)
  - Certified DevSecOps Professional (CDP)
  - GIAC Cloud Security Automation (GCSA)
SailPoint is an equal opportunity employer and we welcome everyone to our team. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or veteran status.