Security Operations Centre Analyst

**Location**:
Luxembourg, Luxembourg

**Security Clearance**:
EU Confidential

**Introduction**:
**Skills, knowledge, experience required**:

- At least 1 certification among the following:

- GPEN (GIAC Certified Penetration Tester);
- GCED (GIAC Certified Enterprise Defender);
- GPPA (GIAC Certified Perimeter Protection Analyst);
- GCFE (GIAC Certified Forensic Examiner);
- GCFA (GIAC Certified Forensic Analyst);
- GNFA (GIAC Certified Network Forensic Analyst);
- CFCE (IACIS Certified Forensic Computer Examiner);
- CCFP (Certified Cyber Forensics Professional);
- SCMO (SABSA Certified Security Operations and Service Management Specialist);
- Minimum 5 years’ experience in networking (TCP/IP, SNMP, DNS, Syslog-ng, etc.);
- Strong knowledge on and minimum 5 years’ experience in:

- MS Windows security events analysis;
- Security analysis of firewall, proxy, and intrusion detection system (IDS) logs;
- Security analysis of applicable or middleware logs (Oracle HTTP Server, Apache HTTP Server, Oracle WebLogic Server);
- Minimum 4 years’ experience with:

- Security information and event management (SIEM) tools such as:

- HP ArcSight Enterprise Security Manager (ESM) 6.x;
- IBM QRadar SIEM;
- Log management solutions such as:

- HP ArcSight Logger;
- IBM QRadar Log Manager;
- Splunk;
- Knowledge on and minimum 4 years’ experience with:

- Network security solutions and technologies such as:

- Firewalls;
- Network-based intrusion detection systems (NIDS) and intrusion prevention systems (NIPS);
- Switches and routers;
- Advanced persistent threat (APT) detection solutions such as FireEye;
- DNS, DHCP, VPN;
- Network forensics (full packet capture collection and processing);
- Traffic baselining analysis;
- Host-based security solutions such as:

- Host-based intrusion prevention systems (HIPS);
- Malware end-point protection;
- Operating system logs;
- Minimum 3 years’ experience in:

- Using, configuring and tuning a SIEM tool;
- Writing and optimizing:

- IDS signatures (Suricata);
- YARA rules;
- Minimum 3 years’ experience with:

- Check Point and Juniper firewalls;
- Blue Coat proxies.
- Minimum 2 years’ experience with:

- Snort or Cisco Sourcefire Next-Generation IPS (NGIPS);
- Cisco FireSIGHT.

**Desirable**:

- Minimum 1 year of experience with risk assessment methodologies such as:

- EBIOS;
- CRAMM;
- PILAR;
- Minimum 3 year of experience with STIX (Structured Threat Information Expression) with a particular focus on the following related standards:

- CybOX (cyber observables);
- CAPEC (attack patterns);
- MAEC (malware);
- TAXII (threat information exchange);
- Minimum 1 year of experience with:

- Suricata/Stamus Networks;
- ELK Stack (Elasticsearch, Logstash, Kibana);
- FireEye (EX, NX, AX, FX, HX, IX).

**Duties/role**:

- Performing real-time monitoring of cyber defence and IDS;
- Performing automatic-based processing (centralisation, filtering, and correlation) of security events;
- Conducting human-based analysis of automatically correlated events;
- Processing incoming warnings, alerts, and reports;
- Performing triage based on verification, level of exposure, and impact assessment;
- Categorizing events, incidents, and vulnerabilities based on relevance, exposure, and impact;
- Opening tickets and ensuring case management;
- Activating initial response plan based on standard playbook entries;
- Maintaining incident response address book;
- Advising affected users on appropriate course of action;
- Monitoring open tickets for incidents and vulnerabilities from start to resolution;
- Escalating unresolved problems to higher levels of support, including the Incident Response and Vulnerability Mitigation teams;
- Configuring SIEM components for an optimal performance;
- Improving correlation rules to ensure that the monitoring policy allows an efficient detection of potential incidents;
- Analysing risks and security policy requirements, and translating them into technical events targeting the system components;
- Identifying the required logs, files or artefacts to collect from the monitored system and, if necessary, possible complementary devices to deploy;
- Elaborating the relevant detection and correlation rules, and implementing them in the SIEM infrastructure;
- Configuring and tuning cyber-defense solutions;
- Reviewing and improving the monitoring policy on a regular basis;
- Integrating cyber-defence solutions for efficient detection;
- Defining dashboards and reports for reporting on KPIs;
- Producing qualified reports (including recommendations) or alerts to SOC customers and following up on actions;
- Contributing to the design of the overall monitoring architecture, in close relationship with the customers and system owners on one hand, and the Security Operations Engineering team on the other hand, by performing the following tasks:

- Assessing security events detection solutions and developing new solutions;
- Integrating the solutions within the security monit