Cyber Security Analyst

Posted: 10/16/2025

To apply, please visit our career portal found at: https://waltonclerkfl.munisselfservice.com/employmentopportunities/default.aspx

General Responsibilities:
The Cyber Security Analyst owns day-to-day security monitoring across SIEM, EDR/XDR, IDS/IPS, and vulnerability management. The analyst triages and investigates alerts, converts true positives into cases, and handles incidents end-to-end following the NIST SP 800-61 lifecycle (preparation; detection and analysis; containment, eradication, and recovery; post-incident activity). The analyst also runs authenticated vulnerability scans and drives remediation per NIST SP 800-40r4, publishes weekly/monthly metrics aligned to CIS Controls v8.1, and proposes pragmatic coverage and detection improvements.
 
ESSENTIAL JOB FUNCTIONS:
SIEM: Source Selection, Onboarding, and Operations

  • Own the intake roadmap: select and prioritize log sources based on risk, coverage (MITRE ATT&CK / CIS Controls / NIST SP 800-53), incident history, and compliance (e.g., CJIS); maintain a 6–12 month intake plan with business justification.
  • Coordinate end-to-end onboarding: open/change tickets, schedule maintenance windows, and partner with system owners (AD, DNS/DHCP/IPAM, hypervisor/VDI, firewalls/VPN, EDR/XDR, M365/Azure, line-of-business apps) to enable secure collection (agent/API/syslog/collector).
  • Validate data quality: confirm time sync, parsing, field mapping (e.g., to a common schema), host/app tagging, and completeness/accuracy (no sampling, events-per-second (EPS) and GB/day volume within an acceptable variance, no dropped events); document success criteria and sign-off.
  • Implement and maintain parsers/normalization: tune or request parser updates; ensure key entities (user, host, src/dst IP/port, action, disposition, device product) are normalized for detection and hunting.
  • Manage ingestion scale/economics: track daily ingest and hot/cold retention by source; tune filtering/noise reduction at the source (facilities/severities), throttle safely, and avoid duplicate telemetry; forecast license/storage impact before onboarding.
  • Security and privacy controls: ensure least-privilege collection scopes/keys, encrypted transport, and redaction where required (PII/CJIS); maintain access reviews and secrets rotation for collectors/connectors.
  • Detection enablement: for each new source, attach baseline detections, dashboards, and health checks; update correlation rules/use-cases to leverage new fields; add runbooks/playbooks for Tier-1/Tier-2.
  • Operational health: monitor connector status, backlog/queue depth, parse failure rates, and lag; remediate breaks quickly and drive root-cause; publish monthly coverage and data-quality KPIs.
  • Documentation/runbooks: maintain source inventories (owner, contact, schema/version, connector method), onboarding guides, rollback procedures, and retention/RPO/RTO expectations.
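The onboarding checks above (parsing, normalization to a common schema, time sync, and parse-failure/lag health) are the kind of thing an analyst scripts before signing off a new source. The example below is added here to illustrate that; it is not code from the Walton County Clerk's environment or from any SIEM vendor. The log lines, the common-schema field names, the two regex parsers, the assumed collector clock, and the 5-minute skew threshold are all constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real telemetry): two firewall lines, one sshd
# auth failure, and one line that no parser matches. The third event carries a
# timestamp far ahead of the collector clock to exercise the time-sync check.
SAMPLE_EVENTS = [
    "2025-10-16T14:02:11Z fw01 FW-DENY src=203.0.113.7 dst=10.0.0.5 dport=445 user=- action=deny",
    "2025-10-16T14:02:13Z web01 sshd[2291]: Failed password for invalid user admin from 198.51.100.9 port 52212 ssh2",
    "2025-10-16T15:45:00Z fw01 FW-ALLOW src=10.0.0.8 dst=10.0.0.5 dport=389 user=jdoe action=allow",
    "garbage line that no parser matches",
]

# Assumed collector clock at validation time and the tolerated clock skew.
COLLECTOR_NOW = datetime(2025, 10, 16, 14, 2, 20, tzinfo=timezone.utc)
MAX_SKEW = timedelta(minutes=5)

# Fields every normalized event must carry for detections to key on it.
REQUIRED = ("ts", "host", "src_ip", "action", "product")

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) FW-(?:DENY|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) user=(?P<user>\S+) action=(?P<action>\w+)$"
)
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<sport>\d+)"
)


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamp used in the constructed lines."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line):
    """Map one raw line onto the common schema; return None when no parser matches."""
    m = FW_RE.match(line)
    if m:
        return {
            "ts": parse_ts(m["ts"]), "host": m["host"],
            "user": None if m["user"] == "-" else m["user"],
            "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["dport"]),
            "action": "network_connection", "disposition": m["action"],
            "product": "firewall",
        }
    m = SSH_RE.match(line)
    if m:
        return {
            "ts": parse_ts(m["ts"]), "host": m["host"], "user": m["user"],
            "src_ip": m["src"], "dst_ip": None, "dst_port": 22,
            "action": "authentication", "disposition": "failure",
            "product": "sshd",
        }
    return None


def data_quality_report(lines, now=COLLECTOR_NOW, max_skew=MAX_SKEW):
    """Normalize a batch and report parse failures, clock skew, and missing fields."""
    events, failures, skewed, missing = [], 0, 0, 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            failures += 1          # counts toward the parse-failure-rate KPI
            continue
        if abs(ev["ts"] - now) > max_skew:
            skewed += 1            # source clock is out of sync with the collector
        if any(ev.get(f) is None for f in REQUIRED):
            missing += 1           # event would not key correctly in detections
        events.append(ev)
    total = len(lines)
    return {
        "total": total,
        "parsed": len(events),
        "parse_failure_rate": failures / total if total else 0.0,
        "time_skew_violations": skewed,
        "missing_required": missing,
        "events": events,
    }


if __name__ == "__main__":
    report = data_quality_report(SAMPLE_EVENTS)
    for k in ("total", "parsed", "parse_failure_rate", "time_skew_violations", "missing_required"):
        print(f"{k}: {report[k]}")
```

Run against a sample pulled from the new source before sign-off; a non-zero skew count points at NTP on the source, and a rising parse-failure rate after onboarding usually means the vendor changed its log format and the parser needs a version bump.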
 Event monitoring → incident handling
  • Monitor SIEM/EDR/M365 dashboards; review, triage, and investigate alerts (log pivots, correlations, basic host/network artifacts). Convert true positives into incidents, documenting timeline, impact, and actions. Follow the NIST SP 800-61 phases (preparation; detection and analysis; containment, eradication, and recovery; post-incident activity).
  • In SIEM, tune content you use (enable/disable rules, thresholds, exceptions) and create incident rules/use cases as needed.
  • For XDR, work within portal RBAC; open cases, take live response actions appropriate to your role, and link investigations to SIEM incident records.
 Vulnerability management
  • Plan and run authenticated scans (Windows/Linux/network); maintain scan windows, scanner/agent health, and scan credentials; troubleshoot scan failures. Follow vendor and NIST guidance on scanner configuration and credential handling.
  • Prioritize findings by risk/context; coordinate remediation with system owners; report on coverage, credentialed rate, and aging. Align patch/mitigation workflows to NIST SP 800-40r4 guidance.
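Risk-based prioritization, as described above, means a finding's order in the queue is driven by exploitability and exposure context, not by CVSS alone, and aging is measured against a remediation SLA. The example below is added here to show one such scheme in working code; it is not code from the Clerk's office or from any scanner vendor. The findings, the scoring weights, the tier thresholds, and the SLA day counts are all constructed assumptions and are not prescribed by NIST SP 800-40r4, which leaves the specific risk-response policy to the organization.

```python
from datetime import date, timedelta

# Constructed findings (not from a real scanner export). Field names are assumptions
# about what an authenticated scan plus asset inventory would provide.
FINDINGS = [
    {"id": "F1", "asset": "web01", "cvss": 9.8, "known_exploited": True,  "internet_exposed": True,
     "criticality": "high",   "credentialed": True,  "first_seen": date(2025, 9, 1)},
    {"id": "F2", "asset": "fs01",  "cvss": 7.5, "known_exploited": False, "internet_exposed": False,
     "criticality": "high",   "credentialed": True,  "first_seen": date(2025, 10, 10)},
    {"id": "F3", "asset": "kiosk", "cvss": 5.3, "known_exploited": False, "internet_exposed": False,
     "criticality": "low",    "credentialed": False, "first_seen": date(2025, 6, 1)},
    {"id": "F4", "asset": "vpn01", "cvss": 8.1, "known_exploited": False, "internet_exposed": True,
     "criticality": "medium", "credentialed": True,  "first_seen": date(2025, 10, 14)},
]

# Assumed weights and SLAs; tune to local policy and document the rationale.
CRIT_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}


def priority_score(f):
    """CVSS base, boosted for known exploitation and exposure, scaled by asset criticality."""
    score = f["cvss"]
    if f["known_exploited"]:
        score += 3.0          # exploited in the wild outranks theoretical severity
    if f["internet_exposed"]:
        score += 2.0          # reachable by untrusted networks
    score *= CRIT_WEIGHT[f["criticality"]]
    return round(score, 1)


def tier(score):
    """Bucket a score into a remediation tier that maps to an SLA."""
    if score >= 10:
        return "P1"
    if score >= 6:
        return "P2"
    return "P3"


def triage(findings, today):
    """Score, tier, and compute SLA due date, age, and overdue flag; highest risk first."""
    rows = []
    for f in findings:
        s = priority_score(f)
        t = tier(s)
        due = f["first_seen"] + timedelta(days=SLA_DAYS[t])
        rows.append({**f, "score": s, "tier": t, "due": due,
                     "age_days": (today - f["first_seen"]).days, "overdue": today > due})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def metrics(rows):
    """Coverage and aging figures of the kind reported monthly to system owners."""
    n = len(rows)
    return {
        "credentialed_rate": sum(1 for r in rows if r["credentialed"]) / n if n else 0.0,
        "overdue": sum(1 for r in rows if r["overdue"]),
        "mean_age_days": sum(r["age_days"] for r in rows) / n if n else 0.0,
    }


if __name__ == "__main__":
    today = date(2025, 10, 16)
    rows = triage(FINDINGS, today)
    for r in rows:
        print(f'{r["id"]} {r["asset"]:6} score={r["score"]:5} {r["tier"]} due={r["due"]} '
              f'age={r["age_days"]}d overdue={r["overdue"]}')
    print(metrics(rows))
```

Note that F3 (a low-severity finding on a low-criticality kiosk) sits at the bottom of the queue but is still flagged overdue, and that its scan was not credentialed, so the finding itself may be incomplete; the credentialed rate is reported precisely so that such gaps in coverage are visible alongside the risk ranking.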
 Network threat prevention (IDS/IPS)
  • Review IPS events, tune signatures/exceptions, and keep sensors/policies appropriate to risk.
 Integrated Cloud Email Security (ICES): Administration, Tuning, and Response
  • Own tenant integration with the cloud email platform (e.g., Microsoft 365) via admin consent/OAuth; verify data ingestion health, RBAC, and retention settings.
  • Configure protection policies for BEC, supplier impersonation, VIP targeting, account compromise, and graymail; manage approved sender/domain lists and time-boxed exceptions.
  • Triage user-reported messages using the platform’s AI triage; perform similar-message searches and bulk remediation across affected mailboxes when appropriate.
  • Operate the abuse/report mailbox workflow; enforce intake standards and end-user guidance; route high-risk submissions for expedited review.
  • Connect platform events to the SIEM/ITSM; validate exported fields (e.g., attack score, folder/location, audit events) for detections, dashboards, and reporting.
  • Implement “SOAR-lite” workflows available in the platform (auto-remediation, user notices, manager approvals) and integrate with your SOAR where beneficial.
  • Maintain admin runbooks (quarantine/restore, exception lifecycle, staged rollouts with rollback); record changes per change-control policy.
  • Track precision/recall (TP/FP), dwell time to remediation, user-report volume, auto-remediation success, and exception aging; publish monthly improvement actions.
 Controls, metrics, and reporting
  • Produce weekly/monthly metrics mapped to CIS Controls (e.g., log collection/retention, detection KPIs, vulnerability remediation). Maintain evidence for audits.
 Continuous improvement & gap recommendations
  • Propose pragmatic changes (new data sources, rule tuning, endpoint coverage, playbook steps, scan schedules) with clear cost/benefit.
 Strategy & Professional Development
  • Participate in training, workshops, and technical events to stay current with relevant technologies and certifications.
  • Perform additional duties aligned with departmental objectives and organizational initiatives as assigned by leadership.
  • Comply with all Clerk and Comptroller policies and procedures.
  • Maintain regular and punctual attendance.
  • Work cooperatively with others.
  • Perform all duties outlined within the job description and other job duties and special tasks as assigned.
  
Knowledge, Skills, and Abilities Required:
  • Incident handling doctrine: Understand the end-to-end incident lifecycle (preparation → detection and analysis → containment, eradication, and recovery → post-incident activity), incident severity classification, evidence handling, and lessons-learned facilitation.
  • Vulnerability management fundamentals: Risk-based prioritization (exposure/context, exploitability), credentialed vs. non-credentialed scanning, scan windows, agent vs. scanner trade-offs, exception processes, and remediation SLAs.
  • SIEM concepts & detection engineering: Log onboarding/normalization, parsing/field extraction, correlation logic and thresholds, detection tuning to reduce false positives, use-case lifecycle, dashboards, and reporting.
  • SOAR & workflow thinking: Playbook design (trigger → conditions → actions), automation vs. human-in-the-loop, safe-guardrails, and error handling/rollback.
  • EDR/XDR operations: Alert taxonomy, investigation workflow (process tree, timeline, IOA/IOC triage), live response basics, containment actions (isolate, kill process, quarantine), policy/rule tuning, and RBAC in the security portal.
  • IDS/IPS concepts: Signature vs. behavior-based detection, sensor/policy architecture, inline vs. TAP/SPAN placement, exception/override tuning, balancing prevention with false-positive control. (Sources: Fortinet FortiGate IPS admin guidance; general IDS/IPS references)
  • Credentialed scanning execution: Windows (domain/local) and Linux/Unix credential models, least-privilege for scanning, stored credential hygiene, scan troubleshooting (auth failures, timeouts), and proof of authentication checks.
  • Log & telemetry coverage strategy: Identify and prioritize high-value sources (AD, endpoint, network security, DNS, proxy, cloud control plane), retention targets, and integrity protections for auditability.
  • Asset & exposure context: Asset inventory significance, OS/application fingerprinting, business criticality mapping, and tagging/grouping to drive scan scope, detection logic, and reporting.
  • Threat frameworks & adversary thinking: Use MITRE ATT&CK for hypothesis-driven detections and incident timelines; map findings to ATT&CK techniques for reporting and gap analysis.
  • Windows security & admin basics: Event log channels, common security events, services/scheduled tasks, PowerShell execution policy basics, local/network authentication flows (Kerberos/NTLM), and patching/GPO concepts.
  • Linux security & admin basics: Syslog/journald, auth logs, package/patching managers, common artifacts (processes, services, cron), and SSH hardening fundamentals.
  • Network fundamentals: TCP/IP, DHCP/DNS, common ports/protocols, TLS handshake basics, NetFlow/packet captures, and how these surface in SIEM/IDS/IPS/EDR telemetry.
  • Identity & access governance: RBAC/least-privilege construction in security platforms, periodic entitlement review, break-glass accounts, and audit evidence generation.
  • Risk & control frameworks literacy: Ability to map work to CIS Controls, NIST CSF functions (Identify/Protect/Detect/Respond/Recover), and produce evidence for audits.
  • Case management discipline: Clear ticket narratives, a timeline and inventory of collected artifacts, severity/impact statements, and measurable closure criteria.
  • Metrics & reporting: Define/track MTTD/MTTR, alert volumes/true-positive rate, scan coverage/authenticated rate, and vulnerability aging; create exec-level and technical reports.
  • Change & exception hygiene: Safely implement SIEM/EDR/IPS rule changes (test → staged rollout → monitor), document exceptions/compensating controls, and schedule reviews. 
  • Scripting/automation familiarity: Read/modify simple scripts (PowerShell, Python) to extract logs, call APIs, or bulk-update platform objects; understand API tokens and rate limits conceptually. 
  • Communication & stakeholder skills: Translate technical findings into business risk and clear remediation guidance; run post-incident reviews and coach system owners on patch/mitigation steps. 
  • Security ethics & judgment: Respect privacy boundaries, handle sensitive data appropriately, and make risk-informed decisions when actions (e.g., host isolation) affect availability. 
  • Thorough knowledge of the structure and content of the English language including the meaning and spelling of words, rules of composition, and grammar. 
  • Knowledge of applicable laws and policies. 
  • Ability to prepare and maintain a variety of moderately complex to complex records, compile data, and prepare reports. 
  • Ability to communicate clearly and effectively in a prompt, courteous, and professional manner. 
  • Ability to make sound judgments. 
  • Ability to develop and maintain good working relationships.
  
Education and Experience Requirements:
  • Graduation from an accredited college or university with a bachelor’s degree in information technology, computer science, or a related field; supplemented with at least three (3) years of experience in security operations with hands-on SIEM/EDR/IDS-IPS and vulnerability scanning; or
  • Graduation from an accredited college or university with an associate’s degree or certificate in information technology, computer science, or a related field; supplemented with at least five (5) years of experience in security operations with hands-on SIEM/EDR/IDS-IPS and vulnerability scanning; or
  • An equivalent combination of training and experience, which provides the required knowledge, skills, and abilities to perform the job, may be considered.
 
Preferred Qualifications:
  • Demonstrated end-to-end incident handling aligned to NIST SP 800-61
  • Practical experience running credentialed vulnerability scans and driving remediation in line with NIST SP 800-40r4
  • Familiarity with CIS Controls v8.1 for reporting and control hygiene.
 
Certificates, Licenses, and Registrations:
  • Possession of a valid driver’s license.
  • Must be eligible to earn, and maintain, CJIS certification with FDLE.
Preferred Certifications (Not Required):
  • ISC2 SSCP Systems Security Certified Practitioner Certification
  • ISC2 CISSP Certified Information Systems Security Professional
  • Microsoft Certified: Security Operations Analyst Associate (SC-200)
  • Fortinet Certified Professional (FCP) - Security Operations
  • Fortinet Certified Solution Specialist (FCSS)
 
Closes: Open until filled
Pay Range: $72,763.86 - $110,000 Annually
 
 
All applicants interested in applying with the Walton County Clerk of the Circuit Court & Comptroller are required to complete an online application which can be obtained on the Clerk & Comptroller’s website. If an applicant does not have easy access to the internet, they may visit one of Walton County’s four public libraries or visit a CareerSource Okaloosa Walton location for internet access and assistance. If an applicant is unable to complete the online application, please contact Lauren Ervin at laurene@waltonclerk.com or 850-892-8115 to make accommodations. Proficiency testing may be required. 
 
The Walton County Clerk of the Circuit Court & Comptroller’s Office is an Equal Opportunity Employer/Drug-Free Workplace. If you need accommodation because of a disability in order to participate in the application/selection process, please notify Human Resources in advance.
 
Veterans are encouraged to apply. Pursuant to applicable state and federal law, preference and priority shall be given to certain service members and veterans (including spouses and family members of such service members and veterans), and certain service members may be eligible for waiver of post-secondary educational requirements as provided in Chapter 295, Florida Statutes. 
