Job Description
Role: SOC Tier II resource functioning in a dual capacity as:
• SOC Analyst
• SIEM Engineer
Tools used in the environment are current, industry-standard products such as FireEye, SentinelOne, FortiClient, Netwitness, MS Sentinel, Splunk, Tenable, Qualys, Zscaler, Microsoft O365, Microsoft Exchange and Entra audit log and mail flow log reviews, Microsoft Defender for Endpoint, KnowBe4 PhishER, RSA Archer, ServiceNow, BMC Helix, and Blackite.
Responsibilities:
• Active security monitoring and analysis of alerts
• Incident triage, investigation, and escalation per CSOC playbooks
• SIEM rule tuning and alert optimization
• Support detection engineering activities (e.g., creating and refining detection logic)
• Document actions taken and maintain shift logs for handoff
2.2 Shift changeover and handoff procedures
• To maintain operational continuity, a mandatory handoff procedure will be conducted at each shift change.
• Following each shift, the on-duty team will submit a detailed report summarizing all activities, including a chronological summary for each ticket handled.
2.4 Additional Responsibilities
In addition to the core monitoring and alerting responsibilities, the following tasks are expected of the Contractor.
2.4.1 Proactive Security and Threat Management
Vulnerability Management and Tracking:
During non-business hours, staff may review and track vulnerabilities identified by scanning tools. Staff can assess and prioritize these vulnerabilities based on factors such as severity, exploitability, and asset criticality. This process includes updating tickets, coordinating with system owners to facilitate patching, and verifying remediation measures.
2.4.2 Threat Hunting:
Non-business hours are optimal for conducting proactive threat hunting activities, as network traffic generally decreases and analysts have fewer high-priority alerts to address. This involves using the SIEM and other security tools to search for and identify signs and indicators of malicious activity that may not have triggered an alert. Respond to cyber threat intelligence notifications and conduct threat hunting activities as needed.
2.4.3 Security Tool Tuning:
Review and optimize security tool configurations (e.g., SIEM, EDR, and IPS) to reduce false positives and improve the accuracy of threat detection. This process includes updating detection rules, correlation logic, and lists based on new intelligence and analysis of alerts.
2.4.4 Process and Documentation Enhancement
Playbook Development and Refinement:
• Create new security incident response playbooks for different types of threats (e.g., phishing, malware, and data exfiltration).
• Review and update existing playbooks to ensure they are current, accurate, and effective.
2.4.5 Documentation Creation and Maintenance:
• Document common incident types, investigation steps, and resolution procedures.
• Maintain a knowledge base of security incidents, lessons learned, and best practices.
2.4.6 Disaster Recovery (DR) Planning and Testing:
• Assist in the creation and maintenance of the SOC's disaster recovery and business continuity plans.
• Participate in and help to coordinate DR tests and exercises.
2.4.7 Automation and Tool Development
Automation of Workflows:
Develop and implement automation scripts and playbooks to handle routine tasks, such as initial alert triage, data enrichment, and containment actions. This frees up analyst time for more complex and critical tasks.
2.4.8 Dashboard and Reporting Creation:
• Create and customize dashboards within the SIEM platform to provide better visibility into security events, network health, and threat trends.
• Develop custom reports for leadership and other stakeholders to communicate security posture and incident statistics.
2.4.9 Infrastructure and Security Improvement
Recommendations for Improving Infrastructure:
Based on their experience with the tools and monitoring, non-business hours staff can provide valuable recommendations for improving the security infrastructure. This can include suggestions for new tools, log source integration, or architectural changes to enhance security posture.
2.4.10 Job Duties for the SOC:
• Propose and define new or refined job duties and responsibilities for the SOC team to adapt to evolving threats and technologies.
• Suggest training and professional development opportunities for the team to enhance skills.
• Coordinate with the IT providers to ensure the Service Management Manuals (SMM) accurately reflect the comprehensive procedures followed to implement and manage the relationship between each department.
2.4.14 Data Security
Ensure all HHS data resides on HHS-owned or HHS-provided systems within the United States unless prior written authorization is obtained from an HHS representative with the authority to grant an exception.
2.4.15 Reports
Reports will be delivered via e-mail or SharePoint provided by HHS and must comply with all applicable HHS policies and procedures.