Cyber Security Analyst

Role Cyber Security Analyst
Reference 10524
Profile
RFQ: SC2023/002717

As a Cyber Security Analyst, the service provider will work on shifts to perform initial triage and analysis of security alerts. The CSA will collate information about both logs and network traffic in a clear, structured format, providing remediation recommendations and first response actions where applicable. The successful candidate should be capable of working without supervision to assess alert severity and escalate when required.

The main duties as CSA will focus on:

Triaging and investigating security alerts in Splunk Enterprise Security.
Providing in-depth analysis of firewall, IDS, anti-virus and other network sensor events to report findings clearly.
Enhancing investigations by leveraging the comprehensive extended toolset (e.g. Splunk, NIDS, FPC and SOAR).
Providing analyst expertise in response to ongoing cyber security incidents.
Supporting the end-to-end incident handling process.
Assisting in the management of internal block lists.
Proposing security content optimisations and enhancements that help maintain and improve NATO's Cyber Security posture.
Assisting in on boarding and training of new team members.
Assuming the role of security analyst shift lead, assisting with team management and prioritisation of analyst workload.
The main deliverables as CSA will be to:

Provide an average of 139 hours/month working in office as part of a predetermined 24/7 shift rota.
Triage, analyse and respond to alerts. On average 300 - 500 alerts per day are expected. All critical alerts will be responded to within three hours.
Deliver analysis and reports in response to tasks associated with ongoing investigations and incidents.
Propose no fewer than five security content optimisations and enhancements per week.
Oversee the production and release of bulletins for internal block lists, on average, three times per week.
Review existing block lists and add new indicators of compromise to block lists, on average 20 per day.
Create an average of two MISP events per week based on provided intelligence reports.
Respond to ad-hoc tasks given by the service delivery manager and cell head.
The service provider is expected to provide accurate and complete deliverables in accordance with internal processes.
The service provider shall be responsible for complying will all applicable local employment laws, in addition to following all SHAPE & NCIA on-boarding procedures. Delivery of the service cannot begin until these requirements are fulfilled.
Each provider of this service must pass an assessment to demonstrate proficiency before being approved to provide the service. The assessment will follow a brief familiarisation period.
For each individual delivering the service, the provider shall allocate 10 working days to the initial NCSC Ops familiarisation and assessment process. Delivery of the service cannot begin until this is complete.
Mandatory

Comprehensive knowledge of the principles of computer and communications security including knowledge of TCP/IP networking, Windows and Linux operating systems.
Broad understanding of common network security threats and mitigation techniques.
Experience in the following:
a. Security information and event management products (SIEM) – e.g. Splunk.
b. Analysis of network based intrusion detection systems (NIDS) events– e.g. FirePower, Palo Alto Network Threat Prevention.
c. Analysis of logs from a variety of sources (e.g. firewalls, proxies, routers, DNS and other security appliances).
d. Network traffic capture analysis using Wireshark.

Logical approach to analysis and ability to perform structured security investigations using large, complex datasets.
Knowledge of endpoint detection and analysis techniques.
Strong written and spoken communication skills.
Ability to work independently and as part of a team.
Desirable

Holding industry leading certifications in the area of cyber security such as GCIA, GNFA, GCIH.
Experience working in a security operations centre (SOC), Computer Incident Response Team (CIRT) or Computer Emergency Response Team (CERT).
Hands on experience with Splunk Enterprise Security and/or Splunk SOAR.
Experience in the following areas:
a. Full packet capture systems – e.g. Niksun, RSA/NetWitness.
b. Host based intrusion detection systems (HIDS)