  • ID
    #13527306
  • Job type
    Permanent
  • Salary
    Depends on Experience
  • Source
    JPI Technology
  • Date
    2021-05-13
  • Deadline
    2021-07-12

Vacancy expired!

Sr Intrusion Detection (15 Positions)

Work Location: N.E. Washington DC

Interview: Phone & Webex / Cam

Certifications: Any security related active cert will work.

Clearance: Public Trust background check with finger-printing and drug screening

Skills: IDS/IPS, SIEM (Splunk or ArcSight), SOC or Security Operations, NIST 800-53 or 800-181

Intrusion detection support includes monitoring and responding to alerts triggered in the Security Information and Event Management (SIEM) tool or to requests for assistance from customers. The Contractor shall use a variety of tools to investigate incidents and take immediate action or recommend a course of action to safeguard the client systems.

In support of Intrusion Detection, the Contractor shall perform the following:

a. Document all incidents and create a clear narrative that supports their conclusions. Provide Tier 1 support and escalate all events to Technical Leads for review before completing event notation to ensure accuracy and completeness. All events requiring High Urgency handling shall be escalated to the Shift Technical Lead and Federal Watch Officer. Events requiring over 30 minutes of analysis shall be escalated to Incident Responders for further investigation.

b. Accurately review, annotate, and resolve events identified for review by our sensors, customers, vendors or partners 24 hours a day, 7 days a week. The Contractor shall ensure that all incidents are supported with evidence and artifacts derived from analysis. The Contractor shall draft an email notification to the Client and its customers for review and release by Tier 2 incident responders.

c. Provide clear and actionable event notifications to customers. Notifications to customers must provide sufficient detail for a mid-level system or network administrator to understand what has occurred and what needs to take place to remediate the event.

d. Immediately respond to all events identified and provide clearly documented analysis. Identification of events may come from, but is not limited to, the current SIEM system, Security Sensor Management Consoles, Security Operations Center (SOC) email accounts, tasks assigned through the current Incident Ticketing System, or the SOC phone line. The Contractors will document all findings within the current SIEM and ticketing system in use and follow the annotation procedures and documentation standards provided in the IDT Operations Guide and the SOCIRP.

e. Create a ticket in the AO SOC ticketing system for tracking and escalation purposes where a specific action is required for an event. Specific actions for events will be taken in accordance with the guidelines outlined in the “IDT Operations Guide”, the SOCIRP, or other published Standard Operating Procedures.

f. Perform ad-hoc analysis of events in the current SIEM and other SOC tools, looking for malicious activity and other security related events that were not identified by the automated processes.

g. Provide an immediate response to all customer inquiries and information requests. For tracking and metrics purposes, all interactions with customers will be recorded in the current ticketing system as soon as the incident is reported. All communications will take place in accordance with the guidelines set out in the outside communication section of the “IDT Operations Guide” and the SOCIRP, which will be provided upon task order award.

h. Perform appropriate escalations for events, notifications, and non-responsiveness from customers. Contractors shall track all notifications and escalate tickets to Watch Officers or SOC management in cases where the customer is non-responsive or requires clarification that is outside the scope of normal operations. Contractors shall be familiar with the SOCIRP escalation and reporting procedures.

i. Intrusion Detection Analysts must be able to perform the tasks and meet the skills, knowledge and abilities described in NIST Special Publication 800-181 / 800-53.
