Incident Analyst L2


The Incident Analyst conducts secondary triage and analysis using security technologies, performs primary or low-level remediation, is responsible for proactively searching and scanning the environment, and mentors or guides the Event Analysts. Someone in this role should also be able to profile and trend events in the environment to determine, after searching, whether an incident needs to be created. While the Incident Analyst will also spend time working from a pre-documented playbook, security analytics should be a large portion of their work.


Responsibilities: This position is primarily responsible for incident triage, initial remediation, and further escalation of incidents that have been escalated by the Event Analysts. Other responsibilities include the continuous improvement of processes used by the Event Analysts and the Security Operations Center, working closely with the security tool engineers to improve alerts and rules in the incident monitoring systems, proactively scanning assets for indicators, mentoring the Event Analysts, and staying well versed in the various technologies in use.


Skills Required: Individuals in this role must have a detailed technical understanding of security incidents, alerts, and tools. Basic command-line experience with the tools and operating systems used in the environment is required. Basic packet analysis and a deep understanding of network protocols and traffic analysis will be necessary. Event Analysts must have excellent problem-solving, collaboration, and communication skills.


Qualifications: A bachelor’s degree (or equivalent experience) with advanced certifications, such as SANS GCIH, GCFE, GCED, GCIA, CISSP, or MCSE, is required for this job. Candidates must also have in-depth knowledge of security tools such as SIEM, IDS, and IPS, along with other vendor-specific certifications.


Experience: A minimum of two (4) years of incident analysis, security architecture, malware research, SOC/CIRC, or similar experience is required. Candidates who have spent time as Incident Analysts in your organization should be considered likely candidates for this role. Diversifying specific security experience across a team of multiple Incident Analysts is important to achieve the highest capability. The role requires experience analyzing and inspecting log information, packets, and other security tool output from a variety of sources. Exposure to the network devices, Microsoft Windows systems, UNIX systems, and security products used in the specific environment is essential. The candidate should be familiar with reverse engineering and with malware, rootkits, TCP/UDP packets, SMTP, and HTTP.


Technical Interview: This is a mid-level job for which a technical interview is required. A practical demonstration should be required in order to be considered for this position. The technical interview will consist of a three (3) part exercise. First, a series of Microsoft Windows event IDs will be supplied to the candidate, who will be asked to describe the host actions they represent. In the second part, the candidate will be given PCAP data and, using whatever tools the interviewer chooses to allow, asked to describe the events derived from the PCAP. The third exercise asks the candidate to describe the detection capabilities, alerts, correlation, and reports that he/she would implement in today’s networking environment to detect the latest threats facing a financial institution.