Lead Analyst, Cyber Defense

About The Position

Requirements

• 5 years in key Cyber Defense areas (e.g., incident response, security monitoring, cyber threat intelligence, attack surface and vulnerability management).
• Bachelor's degree or combined experience/education as substitute for minimum education.
• Familiarity with security tools and solutions such as security information and event management (SIEM), intrusion detection/prevention systems (IDS/IPS), as well as endpoint protection solutions, network security zones, and firewall configurations.
• Significant experience in a SOC analyst or detection engineering role.
• Experience in a senior incident response role or threat hunting capacity.
• Ability to coordinate and work efficiently with cybersecurity monitoring and threat intelligence managed service teams.
• Ability to work closely with other cybersecurity teams (e.g., cyber threat intelligence, cybersecurity monitoring).
• Familiarity with detection tuning languages and tooling.
• Ability to develop and maintain incident response OT cybersecurity policies, standards, and related documentations.
• Knowledge of industrial control systems (ICS).
• Knowledge of digital forensics and incident response (DFIR), as well as digital forensic investigation processes related to OT/IoT systems.
• Demonstrated understanding of security threats, vulnerabilities, intrusion techniques, malware capabilities and system diagnostics.
• Demonstrated understanding of electronic investigation, forensic tools and methodologies (e.g., log correlation and analysis).
• Experience with computer security investigative processes and malware identification and analysis.
• Experience with incident response and digital forensics across IT and cloud platforms.
• Knowledge of network security zones, firewall configurations, and intrusion detection systems (IDS).
• Familiarity with various log protocols/formats (e.g., syslog, HTTP logs, database logs) and the ability to perform forensic traceability.
• Proficiency in packet capture and analysis, as well as experience with log management or security information management tools.
• Experience with security assessment tools (e.g., NMAP, Nessus, Metasploit, Netcat).
• Skill in log source validation and coverage assessment in a decentralized environment.
• Ability to guide playbook design and SOC process improvement without formal management.
• Demonstrated organizational, critical thinking and analytical skills; ability to assess cybersecurity risks and make informed decisions.
• Excellent written and oral communication skills, and an exemplary attention to detail.
• Ability to analyze complex data sets and logs to identify anomalies and potential threats.
• In-depth knowledge of industry standards and regulations (e.g., ISO 27001, NIST CSF).
• Ability to work evenings, weekends and holidays as the schedule dictates.

Nice To Haves

• 7 years of related experience.
• A bachelor’s degree in information science or computer science or computer engineering or in related field(s).
• GIAC Certified Incident Handler (GCIH), GIAC Security Essentials (GSEC), or equivalent.
• Cisco Certified CyberOps Associate or similar.
• MITRE ATT&CK Defender certifications preferred.

Responsibilities

• Coordinates and manages the response to actual and potential security breaches, engaging in the identification, triage, categorization of security incidents and events.
• Leads incident response efforts (e.g., investigation, remediation) during security breaches.
• Leads major incident investigations and complex forensic analysis of systems, logs, and artifacts inclusive of identifying, investigating, and responding to security incidents.
• Works with cyber defense team members to assign criticality and priority levels to security incidents and events.
• Actively reports on security incidents as they are escalated or identified to cyber leadership and management.
• Collaborates with SOC teams and MSSPs to support round-the-clock monitoring and triage.
• Assists in the development and implementation of incident response policies and procedures to ensure a structured approach to handling security incidents.
• Assists with development and implementation of SIRPs, as well as detection, containment, eradication, and recovery strategies.
• Develops and maintains incident response plans specific to OT and IoT environments.
• Applies risk analysis techniques and strategies when evaluating the impact of cyber threats and vulnerabilities, as well as recommended remediation steps.
• Assists with design and delivery of incident response exercises to test client SIRP.
• Supports purple team initiatives and adjusts detections based on red team findings.
• Communicates with university management and other cybersecurity teams during high-security events, following incident response guidelines and escalating issues when necessary.
• Works with information security officers (ISOs) and cyber governance to exchange information with IT directors and support departments, schools, or units (DSUs) in their recovery from incidents.
• Collaborates with the USC Office of Culture, Ethics and Compliance and Office of the General Counsel to build forensic case documentation, including chain-of-custody information, data categorization, and investigatory results.
• Provides executive communication, finished incident reports and forensics data, as appropriate, advising management on decisions that may significantly affect operations, policies, or procedures.
• Participates in and leads after-action reviews from tabletop exercises and major incidents.
• Works with senior cyber defense analysts to analyze security logs, network traffic, and other data sources to identify indicators of compromise (IOC) and malicious activity.
• Forensically analyzes end-user systems and servers found to have possible IOC, as well as artifacts collected during a security incidents.
• Reviews and addresses false positives, collaborating with other cyber teams (including pro and managed service teams) to refine and improve the accuracy of security tool configuration rules and policies.
• Documents security incidents and incident response activities; analyzes metrics and trends.
• Leads and conducts post-incident reviews and lessons learned sessions to identify areas for improvement.
• Produces and reviews related reports (e.g., incident reports, findings, impact assessments, remediation recommendations).
• Reviews analysis and conclusions of other analysts and/or consultants, when applicable.
• Supports digital forensic investigations on a variety of digital devices (e.g., computers, mobile devices, network systems).
• Ensures processes and procedures follow established standards, guidelines, and protocols.
• Maintains currency with legal, regulatory, and technological changes and/or advancements that may impact incident response operations; communicates changes to cyber defense leadership and staff.
• Collaborates with senior cyber defense analyst and cyber threat team to stay informed about the latest threats, vulnerabilities, and attack vectors to enhance the organization's incident response capabilities.
• Maintains currency with emerging OT security trends, technologies, and compliance requirements.
• Supports performance analysis of detection and response workflows through KPIs and SLA metrics.
• Encourages a workplace culture where all employees are valued, value others and have the opportunity to contribute through their ideas, words and actions, in accordance with the USC Code of Ethics.

Benefits

• Full-time exempt position, eligible for all of USC’s fantastic Benefits + Perks.