Threat Detection Architect (US Remote)

Anomali • Remote

Company

Anomali

Location

Remote

Type

Full Time

Job Description

Company Description:

Anomali, a world-renowned platform leader in Security Operations, supercharges SecOps by fusing Lightspeed Security Analytics, Industry-Leading Cyberthreat Intelligence (CTI), AI-based automated threat hunting, alert orchestration, automated threat detection and incident response (TDIR) blocking, community intelligence sharing, exposure management, and dark web protection. It transforms CISOs into superheroes and analysts into SOC terminators.


Anomali's Platform offers: “Match” Next-Gen SIEM, “Lens” AI Threat Hunter, “ThreatStream” TIP, Anomali Integrator, Anomali ISAC, Anomali Attack Surface Management, and Anomali Digital Risk Protection, infused with Anomali AI.


Anomali bridges the gap between point solutions (EDR, NDR, SSE, RMM, CAASM, etc.) and replaces legacy SIEMs at 50% the cost, giving analysts easy-to-use tools that enable lightspeed detection & response. Anomali addresses the global shortage in cyber talent by empowering analysts to contain, eradicate, and block threats in seconds without complex SIEM queries, manual blocks, or long investigations. 


Anomali delivers as a proprietary platform and disruptor to the security analytics world. Anomali can search billions of logs in seconds, correlating tens of millions of IoCs and IoAs across years of telemetry and logs often deleted or moved to cold storage. At every point across the cyber kill chain, Anomali supercharges the SOC to detect, contain, and eradicate threats before organizational impact. 


Job Description:

Anomali is looking for a skilled threat hunter, analyst, and detection engineer/architect to join our SOC. Previous experience as a T3 SOC analyst, threat hunter, and advanced SIEM detection engineer is preferred. This individual will be responsible for proactively detecting, isolating, and mitigating threats, while building new threat hunts and detections around system- and business-process-specific adversary threat models. This individual will work closely with our Advanced Threat Research (ATR) team, Cyber Fusion Content Development team, and Security Operations Team to leverage Anomali’s core capabilities along with other industry-leading cybersecurity products to build and implement novel threat detection and hunting capabilities. You will also leverage Anomali’s AI Copilot and provide direct input into Anomali’s large language models (LLMs) for building content related to threat hunting, incident response, adversary threat models, and detection methodology.


Key Responsibilities:

o Proactively build SOC detections to investigate, detect, isolate and mitigate endpoint-, identity-, network-, cloud-, email-, and data-based threats across enterprise systems and data stores

o Develop a periodic, triggered, and continuous threat hunting strategy

o Use a threat-model-based approach to develop detections and threat hunts

o Develop templated and repeatable processes for automated and manual security incident triage, response, and mitigation using Anomali’s market-leading Security Operations Platform

o Build Anomali Query Language (AQL) SIEM detections using a combination of currently existing detections (e.g. Sigma rules), newly developed detections, and UEBA analytics algorithms to streamline detection and response

o Properly orchestrate and configure existing tools and enterprise systems to generate detections for malicious behavior, insider threats, and living-off-the-land (LOL) techniques and procedures

o Map detections and threat hunts to the MITRE ATT&CK framework as needed

o Utilize Attack Flow and IoAs to build incident detection blueprints and response playbooks

o Build data dashboards to provide insights, analytics, and holistic understanding of SOC operations, including the reduction in mean time to respond (MTTR)

o Build a model and methodology for exploiting and optimizing security tools and data that measures return on security investment and SOC operations effectiveness

o Serve as an expert advisor on SOC analyst incident response, detection engineering, and threat hunting to internal product teams, content-development teams, and customers 

o Provide direct input into AI large language models and capabilities

o Manage and mentor SOC analysts and threat hunters in creating automations, triaging detections, and executing computer incident response processes


Qualifications

Required Skills/Experience:

o Minimum 5 years of work experience as an advanced T3 SOC analyst, threat hunter, incident responder, or detection engineer

o In-depth technical knowledge concerning processes, procedures, and methodologies regarding preparedness, resilience, incident response, detection engineering, and threat hunting

o Technical knowledge on detection and alert orchestration across numerous security systems including but not limited to EDR, NDR, Firewalls, DNS, DHCP, IAM, IDaaS, ESG, SWG, SSE, DLP, VPN, CASB, Cloud Environments (e.g. AWS, GCP, Azure), and SaaS applications

o Technical knowledge of techniques, standards, and state-of-the-art capabilities for authentication and authorization, applied cryptography, network architecture, security vulnerabilities, and remediation strategies.

o Tactical knowledge of how to apply cyber threat intelligence (CTI) in SOC processes, procedures, and systems to prioritize and speed detection and response

o In-depth technical knowledge of Attack Flow, IoA/TTP-based and IoC-based threat hunting, log sources, SIEM investigations, Windows/Linux operating system event logs, and threat actor tactics, techniques, and procedures

o Experience using Sigma and YARA rules to perform threat hunts across live processes, databases, and systems

o Understanding of SaaS development environments including cloud data centers, CI/CD pipelines, web application development, OWASP, application security testing and protection (DAST, SAST, RASP), the system development life cycle (SDLC), web application monitoring, web application security (e.g. WAFs, log monitoring), web services, service-oriented architectures, and remote access technologies (ZTNA, VDI, JIT)
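The responsibilities above call for building SIEM detections from existing content such as Sigma rules, mapping them to MITRE ATT&CK, and using Sigma rules in threat hunts. As an added worked example (not Anomali's code, and not AQL, whose syntax this page does not show), the Python below evaluates one Sigma-structured rule over Windows process-creation events and tags each hit with the rule's ATT&CK technique IDs. The rule, the Sysmon-style events, the encoded-command payload and the `OfficeUpdate` allowlist path are all constructed for illustration; the logsource block is carried but not applied, since in a real pipeline the SIEM's field mapping selects the event stream.

```python
"""Minimal Sigma-style detection evaluator.

Applies one rule's selections and condition to Windows process-creation events
and tags each match with the MITRE ATT&CK technique IDs from the rule's tags.
Added example: the rule and the events are constructed for illustration, not
published Sigma content, real logs, or any vendor's query language."""
from typing import Any, Dict, List

# Constructed rule in Sigma's structure (title, logsource, detection map with
# named selections plus a condition, attack.* tags). Hypothetical content.
RULE: Dict[str, Any] = {
    "title": "Encoded PowerShell spawned by an Office application",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection_parent": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\outlook.exe"],
        },
        "selection_child": {
            "Image|endswith": "\\powershell.exe",
            # powershell.exe accepts abbreviations such as -e and -enc for -EncodedCommand
            "CommandLine|contains": ["-e ", "-enc"],
        },
        "filter_updater": {"CommandLine|contains": "\\officeupdate\\"},  # hypothetical allowlist
        "condition": "selection_parent and selection_child and not filter_updater",
    },
    "tags": ["attack.execution", "attack.t1059.001", "attack.t1566.001"],
}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"

# Constructed Sysmon Event ID 1 style records; the base64 payload is a dummy string.
EVENTS: List[Dict[str, Any]] = [
    {"EventID": 1, "ParentImage": OFFICE + "WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIABuAG8AcAA="},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,   # not Office
     "CommandLine": "powershell.exe -enc SQBFAFgAIABuAG8AcAA="},
    {"EventID": 1, "ParentImage": OFFICE + "EXCEL.EXE", "Image": PS,          # no encoding
     "CommandLine": "powershell.exe -File C:\\Tools\\report.ps1"},
    {"EventID": 1, "ParentImage": OFFICE + "OUTLOOK.EXE", "Image": PS,        # allowlisted path
     "CommandLine": "powershell.exe -enc SQBFAFgAIABuAG8AcAA= C:\\Tools\\OfficeUpdate\\run"},
]


def _compare(actual: str, wanted: str, modifier: str) -> bool:
    """Apply one Sigma string modifier (or exact match when there is none)."""
    if modifier == "contains":
        return wanted in actual
    if modifier == "startswith":
        return actual.startswith(wanted)
    if modifier == "endswith":
        return actual.endswith(wanted)
    if modifier == "":
        return actual == wanted
    raise ValueError(f"unsupported modifier: {modifier}")


def match_selection(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    """A selection map is an AND over its fields; a list of values for one
    field is an OR. String comparison is case-insensitive, as in Sigma."""
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        actual = str(event.get(field, "")).lower()
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_compare(actual, str(c).lower(), modifier) for c in candidates):
            return False
    return True


def eval_condition(condition: str, results: Dict[str, bool]) -> bool:
    """Evaluate a Sigma condition such as 'a and not (b or c)' with the
    precedence not > and > or, via a small recursive-descent parser (no eval())."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def take() -> str:
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek() -> str:
        return tokens[pos] if pos < len(tokens) else ""

    def parse_or() -> bool:
        value = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()          # always consume the right-hand side
            value = value or rhs
        return value

    def parse_and() -> bool:
        value = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not() -> bool:
        if peek() == "not":
            take()
            return not parse_not()
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        if tok not in results:
            raise ValueError(f"condition references unknown selection: {tok}")
        return results[tok]

    value = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected token in condition: {tokens[pos]}")
    return value


def evaluate_rule(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one alert per matching event, carrying the rule title and the
    ATT&CK technique IDs parsed from the rule's 'attack.tNNNN[.NNN]' tags."""
    detection = rule["detection"]
    selections = {k: v for k, v in detection.items() if k != "condition"}
    techniques = [t[len("attack."):].upper() for t in rule.get("tags", [])
                  if t.startswith("attack.t")]
    alerts = []
    for index, event in enumerate(events):
        results = {name: match_selection(event, sel) for name, sel in selections.items()}
        if eval_condition(detection["condition"], results):
            alerts.append({"record": index, "rule": rule["title"],
                           "techniques": techniques, "command_line": event.get("CommandLine")})
    return alerts


if __name__ == "__main__":
    for alert in evaluate_rule(RULE, EVENTS):
        print(alert)
```

Only the first record fires: the second has a non-Office parent, the third carries no encoded command, and the fourth is suppressed by the `filter_updater` exclusion. Keeping the filter as a named selection referenced from the condition, rather than hard-coding it into the matcher, is what makes the rule reviewable and lets the ATT&CK tags travel with the detection into a dashboard or playbook.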


Desired Skills/Experience:

o Experience conducting purple teaming, pentesting, sandbox testing, or development of honeypots/tokens for threat and vulnerability detection

o BS or MS in technical field, including but not limited to Computer Science, Engineering, Cybersecurity, Information Systems

Equal Opportunities Monitoring

It is our policy to ensure that all eligible persons have equal opportunity for employment and advancement on the basis of their ability, qualifications and aptitude. We select those suitable for appointment solely on the basis of merit without regard to an individual's disability, race, color, religion, sex, sexual orientation, gender identity, national origin, age, or status as a protected veteran. Monitoring is carried out to ensure that our equal opportunity policy is effectively implemented. 


If you are interested in applying for employment with Anomali and need special assistance or accommodation to apply for a posted position, contact our Recruiting team at [email protected].




Date Posted

05/01/2024

