Lead SIEM Engineer
Security Information and Event Management (SIEM) Engineer
SailPoint is seeking an experienced Lead SIEM Engineer with demonstrated competence and thought leadership capability to contribute toward the success of our cybersecurity initiatives. This critical role will be the technical lead and subject matter expert providing full technology stack design, implementation, and tuning support for the Security Information and Event Management (SIEM) platform, including Logging and Monitoring service delivery. The ideal candidate will have experience with Splunk engineering and with migration to a cloud-based SIEM, including the documentation of architectural designs. This role is responsible for creating and providing alerts to the Threat Detection and Response team from event logs gathered across the enterprise. Success in this role depends on the engineer's ability to work closely with the Threat Detection and Response team to carefully tune the platform to meet their real-time alerting and analysis requirements. This position will handle ingestion and extraction of log data, mapping event logs to data models, writing logic to create and modify alerts, and tuning that logic to increase fidelity. A successful candidate will have experience with a wide array of security logging technologies and security use cases, an analytical and detail-oriented mind, and strong organizational practices.
Additional responsibilities include implementing organizational policies and standards for logging and monitoring, maintaining the health, performance, stability and ongoing support of the SIEM infrastructure, and partnering with other teams in integrating security solutions with the SIEM.
Responsibilities:
- Secure design of the SIEM architecture and documentation of the design, configurations and associated procedures for log ingestion and platform maintenance.
- Design, build, test and implement security alerts and reports using knowledge of event source logs and network packet data.
- Partner with groups within the organization to ensure successful deployments of the SIEM, and interact with end users to gather requirements, perform troubleshooting, and aid with the creation of Splunk search queries and dashboards as required.
- Actively seek to improve and develop new alerting and dashboarding based upon observed security activity.
- Improve the ability to build complex security alerts by making and implementing recommendations on event source coverage, log and packet meta-tagging, and log and packet filtering.
- Identify and onboard new data sources into Splunk, analyze the data for parsing, and build dashboards to fulfill stakeholder requirements.
- Design and build dashboards in the SIEM and tune out false positives from alerts in partnership with Threat Detection and Response.
- Assist users of the SIEM in investigation and analysis as needed.
- Document and update the SIEM engineering processes and logging/ingestion procedures.
- Apply expert knowledge of Linux environments to edit and maintain SIEM configuration files and applications.
- Evaluate and recommend new and emerging security products and technologies, with careful documentation of technical requirements and collection of functional requirements from Threat Detection and Response.
- Research and document security best practices to continually improve the deployment and use of the SIEM.
- Stay abreast of current technologies, security compliance requirements, standards and industry trends in order to help achieve cybersecurity’s goals.
- Maintain the health, performance, stability, tuning and ongoing planning of the SIEM platform.
- Support the SIEM platform and participate in on-call rotation.
- Interact with senior management, as necessary.
Requirements:
- Advanced experience with the Splunk platform; advanced experience with other SIEM technologies (SumoLogic, QRadar, AlienVault, LogRhythm) will also be considered.
- Ability to develop advanced queries using the Splunk query language or other scripting tools.
- Advanced experience with process automation and/or scripting (e.g. XML, C++, C#, VBA, regular expressions, Python, Perl).
- Experience developing and documenting secure designs, configurations and associated procedures for log ingestion and SIEM platform maintenance.
- Ability to troubleshoot performance and other issues, and to perform SIEM installations and upgrades.
- Strong experience in analyzing, troubleshooting and providing solutions for technical issues (problem management and issue triage).
- Experience in building Splunk Technology Add-ons and configuring field extractions for various data sources.
- Experience with Splunk Enterprise Security.
- Strong understanding of networking infrastructure concepts, technologies, and protocols.
- Strong understanding of enterprise application and service message logging standards.
- Experience with Syslog and the Splunk HTTP Event Collector (HEC).
- Experience ingesting logs via the Splunk DB Connect app.
- Experience creating alerts, dashboards and reports in Splunk.
- Experience in requirement gathering and documentation.
- Experience in log parsing, lookups, calculated fields and field extractions using regular expressions (regex).
- Experience developing Splunk dashboards, reports, alerts and visualizations, and optimizing searches.
- Hands-on experience in Splunk content development.
- Sound judgment skills and ability to manage escalations.
- Ability to determine methods and procedures on new assignments with minimal instruction.
- Excellent interpersonal and organizational skills.
Preferred:
- Bachelor’s degree in Computer Science, IT Security, Information Systems, Engineering, or related field and 12 years of related work experience, or a Master’s degree in Computer Science, IT Security, Information Systems, Engineering, or a related field and 8 years of related work experience.
- 3 to 5 years in Splunk Administration.
- Experience with migration to a cloud-based SIEM.
- Relevant vendor certifications such as:
  - Splunk Core User Certification
  - Splunk Core Power User Certification
  - Splunk Admin Certification
- Experience with Data Models and implementing rigor around logging.
- Experience with writing correlated searches.
- Experience writing scripts and configuring Splunk servers.
- Understanding of all Splunk backend components.
- Experience with Splunk integration with AWS, Azure, and GCP.
- Relevant security certifications such as:
  - Certified Information Systems Security Professional (CISSP)
  - GIAC Certified Detection Analyst (GCDA)
  - GIAC Continuous Monitoring Certification (GMON)
  - GIAC Certified Incident Handler (GCIH)
  - GIAC Python Coder (GPYC)
  - GIAC Certified Windows Security Administrator (GCWN)
  - GIAC Defensible Security Architecture (GDSA)
  - GIAC Cloud Security Essentials (GCLD)
  - Certified DevSecOps Professional (CDP)
  - GIAC Cloud Security Automation (GCSA)
#LI-REMOTE