This position is responsible for maintaining the security tool set. Someone in this role is a system administrator with a deep understanding of security tools. When the SOC/CIRC requires a piece of information, the System Administrator performs the integration, collection, or configuration needed to obtain that data. This role supports the SOC/CIRC incident response component during investigations, incidents, and general security operations.
Responsibilities: An individual in this role is responsible for the successful day-to-day operation of the security appliance capabilities within the SOC/CIRC infrastructure. This role works closely with Incident Analysts, Incident Responders, and intelligence personnel to fine-tune policies, update agents, and initiate classification of observed web traffic. Other teams instruct the tool support group to create connections to collect logs and to implement new reports, alerts, and filters. This group takes instructions and work orders to facilitate enhanced detection and containment capabilities for the SOC/CIRC.
The following roles and responsibilities are performed regularly:
- Install, configure, and maintain security tools
- Administer two-factor authentication systems; provision, add, and delete users in vendor system tools
- Optimize service performance on Microsoft Windows and Unix-based systems
- Troubleshoot system errors through logs, crash reports, and verbal descriptions
- Provide technical support to SOC/CIRC staff
- Configure VLANs and understand basic networking protocols for ACL modification
Skills required: Candidates for this position must have in-depth knowledge of operating systems and IT infrastructure, along with a detailed technical understanding of log collection, firewall rules, user privileges, and databases. Basic operating system administration, knowledge of common network protocols, and overall familiarity with scripting are necessary to improve efficiency. The candidate should be a ‘jack-of-all-trades’.
Qualifications: Bachelor’s degree (or equivalent), with a basic understanding of computing and security principles and concepts. A candidate should have experience operating Active Directory, databases, Unix systems, and the other platforms used in the environment. Typical certifications may include: MCSE, CompTIA A+, CompTIA Network+, or SANS GSEC.
Experience: Individuals with a minimum of two (2) years administering networked environments should be considered for this position. The System Administrator should have experience in system administration on various platforms and an in-depth understanding of system integrations. Knowledge of the security tools used in the parent organization and of their integration with Microsoft Windows, Unix systems, networking, and databases are all key criteria. Additional experience with security tools such as a SIEM is desirable.
Technical Interview: This entry- to mid-level role should be given a basic technical interview to determine whether the candidate can administer an environment. He/she should be presented with a basic Microsoft Windows Server 2003, 2008, or 2012 machine and a Unix machine to determine whether the candidate can configure a logging policy, create a user, escalate that user to administrator, and log in remotely. Basic CLI tool abilities such as vi, grep, and awk should be reviewed.
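The Unix half of that interview can be graded from four files on the box. The following is an added example, not part of the original posting: it parses constructed copies of /etc/passwd, /etc/group, /etc/ssh/sshd_config and /etc/rsyslog.conf and reports whether the candidate created the user, escalated it the right way (group membership rather than a second uid-0 account), left remote login reachable for that user with root login disabled, and forwarded all syslog facilities to a collector. The username `candidate`, the collector hostname `siem.example.internal`, and the group names `sudo`/`wheel` are assumptions for the example.

```python
"""Grade the Unix interview box: user created, escalated, remote login, logging.

Added example. The file contents below are constructed to look like a
finished box; on a real host read the four files and pass their text.
"""
import re

# Constructed sample files (not taken from any real system).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
candidate:x:1001:1001::/home/candidate:/bin/bash
"""
GROUP = """root:x:0:
sudo:x:27:candidate
candidate:x:1001:
"""
SSHD_CONFIG = """Port 22
PermitRootLogin no
PasswordAuthentication yes
AllowUsers candidate
"""
RSYSLOG_CONF = """# forward everything to the SOC collector (assumed hostname)
*.* @@siem.example.internal:514
authpriv.* /var/log/secure
"""

ADMIN_GROUPS = ("sudo", "wheel")  # Debian-style and RHEL-style admin groups


def parse_passwd(text):
    """Map username -> {uid, gid, shell} from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue
        users[fields[0]] = {"uid": int(fields[2]), "gid": int(fields[3]), "shell": fields[6]}
    return users


def parse_group(text):
    """Map group name -> set of supplementary members from group(5) lines."""
    groups = {}
    for line in text.splitlines():
        if line.count(":") < 3 or line.startswith("#"):
            continue
        name, _, _, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def sshd_settings(text):
    """Map lower-cased sshd_config keyword -> value; keywords are case-insensitive."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if parts:
            settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def rsyslog_forward_targets(text):
    """Return (selector, host, port) for each legacy-syntax remote forwarding rule.

    '@host' is UDP, '@@host' is TCP; the port defaults to 514 when omitted.
    """
    rule = re.compile(r"^(\S+)\s+@@?([^\s:]+)(?::(\d+))?\s*$")
    targets = []
    for line in text.splitlines():
        m = rule.match(line.split("#", 1)[0].strip())
        if m:
            targets.append((m.group(1), m.group(2), int(m.group(3) or 514)))
    return targets


def check_box(user, passwd, group, sshd, rsyslog):
    """Return a dict of task name -> pass/fail for the interview tasks."""
    users, groups, ssh = parse_passwd(passwd), parse_group(group), sshd_settings(sshd)
    u = users.get(user)
    allow = ssh.get("allowusers", "").split()
    return {
        "user_exists": u is not None and not u["shell"].endswith("nologin"),
        # Escalation must go through a group, not by handing out uid 0.
        "admin_via_group": any(user in groups.get(g, set()) for g in ADMIN_GROUPS),
        "not_uid_zero": u is not None and u["uid"] != 0,
        # An empty AllowUsers list means everyone; otherwise the user must be listed.
        "remote_login": not allow or user in allow,
        # Absent PermitRootLogin is treated as not disabled (conservative).
        "root_ssh_disabled": ssh.get("permitrootlogin", "yes").lower() == "no",
        "logs_forwarded": any(sel == "*.*" for sel, _, _ in rsyslog_forward_targets(rsyslog)),
    }


if __name__ == "__main__":
    for task, ok in check_box("candidate", PASSWD, GROUP, SSHD_CONFIG, RSYSLOG_CONF).items():
        print(f"{task:18} {'PASS' if ok else 'FAIL'}")
```

The `not_uid_zero` check is the one interviewers most often skip: a candidate who "escalates" by editing the uid in /etc/passwd has produced a second root account that the SOC cannot attribute actions to, which is the opposite of what a logging policy is for. The Windows side of the exercise (audit policy, local Administrators membership, Remote Desktop) is not covered here.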