Manager – Incident Response
Parkar Digital

Remote

Job ID : 374f2f7156306c366c414a392f64613445673d3d

Job Description :

JOB SUMMARY

The Manager of Incident Response (IR) will be a member of IT Security Operations, a division of the Information Technology (IT) Organization.

The mission of IT Security Operations is to

  • Support Priority Initiatives of the Information Security Office (ISO)
  • Enforce Information Security Policy
  • Support and Collaborate Across All Areas of Information Technology (IT) to Reduce Risk and Continuously Improve the Security Posture.

The IR Manager will be the Team Lead for the Incident Response Team, overseeing day-to-day operations of all Security Operations Center (SOC) Services and providing Level 3 (L3) operational support for all cybersecurity incidents. Subsequently, in the event of compromise, in which Client's cybersecurity response playbook is executed, the IR Manager holds the honorary position of Team Lead for the Detection and Response Team (DART). The DART Team Lead is responsible for determinations made by the DART team in responding to the cybersecurity incident and execution of the response playbook. The DART Team Lead manages all communications and coordination between the DART Team and MDRSOC.

Working in close collaboration with ISO and IT Security Operations leadership, the IR Manager will review current cyber threats and modify processes and procedures to improve Client Institute's cyberthreat detection, prevention and remediation capabilities and will lead and participate in cybersecurity-related activities that support the objectives of the ISO. The Incident Response team focuses on protecting Client's Institute from external and internal cybersecurity threats, and is responsible for monitoring, analyzing and triaging cybersecurity events of interest and incidents escalated by a Managed Security Service Provider (MSSP) and Security Information and Event Management (SIEM) service and is responsible for deciding if a particular security event or incident needs further investigation or can be resolved.

The Manager will define the incident response processes and procedures at Client's Institute and will guide the IR team to coordinate and respond to casework including but not limited to computer security vulnerabilities, malware, phishing, social engineering, and forensic investigations. The IR team responds to casework as it relates to the compromise of the Client's proprietary software, through monitoring of suspicious activity in databases, web applications, and infrastructure. The IR Manager will oversee all casework to ensure timely mitigation and remediation efforts are completed and will ensure that all undocumented cases of adverse security events, security incidents or casework are properly documented and incorporated in the Security Operations incident monitoring, analysis, and response playbook.

ESSENTIAL FUNCTIONS

This position requires handling highly confidential matters and materials with discretion. The responsibilities of this position include, but are not limited to:

  • Design and implement Incident Response processes and procedures in alignment with IT Operations tools and technologies.
    • Design and implement all monitoring, logging, alerting, and ticket intake.
    • Optimize work intake and continuously improve key performance indicators (KPI) such as mean time to detection (MTTD) and mean time to response (MTTR).
    • Continuously evolve processes and procedures to respond to shifts in business initiatives and technology operations.
  • Oversee administration of Managed Security Service Provider (MSSP) services, namely the SIEM/SOC services.
    • Lead management of the overall MSSP relationship including reviewing MSSP KPIs for monitoring coverage and metrics.
    • Continue to develop MSSP relationships.
    • Closely work with MSSP to identify and resolve security incidents when needed.
  • Oversee Incident Response Team and SOC Managed Services
    • SOC Managed Services are responsible for triaging all security events from general monitoring and alerting or the MSSP.
    • Accountable for investigation of each security event and for deciding if the event is an incident or can be resolved.
    • Respond to incidents as defined by cybersecurity IR playbooks and/or escalate concerns when needed.
    • In the event of a compromise, lead the DART Team and execute the cybersecurity incident response playbook.
  • Partner with the Information Security Office to review new threats in the environment, and make determinations if current threat monitoring and responses need modification. Subsequently, in collaboration with IT Operations teams, modify any tools, logs or notifications to support changes needed.
  • Responsible for collecting audit evidence at the request of the Information Security Office for various audit and compliance checks, for example, PCI Compliance and SOC 2 Assessment.
  • Support IT Operations and the Information Security Office in efforts to educate the Client's Institute workforce on security threats.

PHYSICAL REQUIREMENTS

This role requires collaboration across all areas of Information Technology, including communication with Business and Executive Leadership.


  • Ability to communicate effectively in a crisis as Team Lead for the Detection and Response (DART) team.
    • Excellent interpersonal skills including a professional and diplomatic demeanour are required.
    • Ability to summarize and translate highly technical details into layman's terms when needed to communicate with Executive Leadership and non-technical individuals.
    • Ability to handle confidential and sensitive information with a high degree of professionalism.
  • Must demonstrate outstanding stewardship and relationship-building/communication skills to support the objectives of IT Operations and the Information Security Office.
  • This will be a remote working opportunity, but the individual must be able to report on-site in the Charlottesville office within a reasonable amount of time in the event that the cybersecurity incident response playbook is executed and the compromise requires physical presence in data centres to assist engineering teams.
  • Must accommodate 24/7 On-Call responsibility as part of L3 operational support and DART Team Lead with backup rotational support from IT Security Operations Lead and ISO staff assistance.
  • Must be highly skilled and proficient in problem-solving, with an aptitude and willingness to learn new technologies.

QUALIFICATIONS

EDUCATION


  • Bachelor's degree in Information Security, Computer Science or a directly related field is required.
  • A minimum of 5 years of experience in Information Technology with a minimum of 2 years of professional IT Security Incident Responder/Forensics experience.
  • Highly Recommended Certifications:
    • CompTIA Security+
    • GIAC Certified Incident Handler
    • CISSP, CFCE, GCFE, OSCP, CFE, or similar, preferred but not required.

EXPERIENCE

  • Working experience with multiple platforms, operating systems, software, communications, and network protocols with a focus on security controls.
  • Experience supporting Network Investigations
  • Experience conducting forensic media analysis and log file analysis.
  • Experience working with network monitoring, analysis, troubleshooting, and configuration.
  • Experience working with Microsoft Threat Detection and Response technologies, such as Microsoft Defender.
  • Experience with Microsoft Intune for Endpoint Management and Microsoft Group Policy Management (GPO).
  • Strong IT Infrastructure background
  • Working knowledge of Next Generation Firewalls, Web Application Firewalls and policy configuration, Cloud Hosted Infrastructure and Products (Azure, AWS, CloudFlare)
  • Understanding TCP/IP communications & knowledge of how common protocols and applications work at the network level, including DNS, HTTP, and SMB
  • Experience with host-centric tools for forensic collection and analysis
  • Experience managing cases with enterprise SIEM, Logging and Ticketing Systems (JIRA Service Desk)
  • Experience with host-based detection and prevention suites
  • Detailed understanding of Advanced Persistent Threats, Cyber Crime and other associated tactics.
  • High Level Understanding of System/Application Vulnerabilities and Exploitation (OWASP, SANS, CIS Controls)
  • Some experience with malware analysis is preferred but not required (dynamic and static)

CULTURAL ELEMENTS AND GLOBAL COMPETENCIES


  • Global Perspective – Understands business on a global scale, understands differences in people and cultures, and is effective across varied conditions.
  • Agility – Responds quickly to opportunities, is flexible, and effectively embraces change.
  • Effective Communication – Communicates clearly and succinctly in a variety of settings and styles, listens, and presents a professional image.
  • Stakeholder Focus – Identifies and understands stakeholders and their needs, acts with their interests in mind, and gains their trust and engagement.

Company Details :

Name : Parkar Digital

CEO : Gaurav Singh

Headquarter : Atlanta, IL

Revenue : $5 to $25 million (USD)

Size : 51 to 200 Employees

Type : Company - Private

Primary Industry : Information Technology Support Services

Sector Name : Information Technology

Year Founded : 2015
