Security Operation Center Lead Analyst

Bucharest Orhideea, Romania

Thales

From Aerospace, Space, Defence to Security & Transportation, Thales helps its customers to create a safer world by giving them the tools they need to perform critical tasks


Location: Bucharest, Romania

The people we all rely on to make the world go round – they rely on Thales. Thales relies on its employees to invent the future: right here, right now.

Present in Romania for over 40 years, Thales is expanding its presence in the country by growing its Digital capabilities and by developing a Group Engineering Competence Centre (ECC). Operating from Bucharest, Thales delivers solutions in a number of core businesses, from ground transportation, space and defence, to security and aeronautics.
Several professional opportunities have arisen. If you are looking for the solidity of a global group at the forefront of innovation, combined with the agility of a human-scale structure that is tailored to the personal development of its employees and offers opportunities to evolve in an international environment, then this is the place for you!

Integrated in the TDF SOC team, the SOC Lead Analyst will be responsible for incident handling activities, under the supervision of a SOC Leader. The SOC Lead Analyst is responsible for technically driving the team of SOC analysts (~10 people with an international footprint) during incident handling, forensic investigations and continuous improvement.

The TDF SOC relies on Microsoft Azure technologies and is mainly used to monitor a digital platform hosted on the Microsoft Azure public cloud.

Main activities:

  • Incident handling (from detection to closure): Use the implemented tools to monitor events, identify suspicious activities, implement detection rules, analyze alerts and communicate with asset owners to handle incidents.
  • Crisis management: The SOC Lead Analyst will be part of the "crisis phone book" and should be available for on-call duties.
  • Reporting: Provide visibility on incident status, write detailed incident reports and communicate them to stakeholders.
  • Monitor security controls: Monitor the implementation of security controls, in particular security configurations and antivirus protection deployed on systems.
  • Vulnerability management: Contribute to the management of known vulnerabilities within the monitored perimeter.
  • CTI and Threat Hunting: Gather and analyze intelligence about threats, adversaries and vulnerabilities to enhance organizational defenses. This involves proactively detecting anomalies in network traffic, system logs and user behavior, using the SIEM to investigate and EDR or other security tools to neutralize hidden malicious activity.
  • Continuous improvement: Lead the continuous improvement of incident handling (from detection to closure), contribute to SOC continuous improvement and contribute to the global security continuous improvement of Thales Digital Factory.
  • Delivery management: Participate in delivery management and cross-team alignment processes.
  • Training and awareness: Be a technical referent for the team by staying up to date with threats and technological evolutions. Contribute to the security awareness of users.
  • On-call for crises

Required skills:

  • Technical (MUST)
    • Security log and event analysis
    • SIEM tools, in particular (SHOULD) Microsoft Sentinel
    • Network and information system security
  • Soft skills:
    • Attention to detail and rigor
    • Capacity for multitasking and for working in a crisis environment
    • Ability to communicate and explain technical subjects to non-experts

Education and experience:

  • (MUST) Experience: 5 years in information system cybersecurity, with at least 2 years in incident management.
  • (SHOULD) Education: Master 2 (master's degree) in computer science, cybersecurity or a related domain.
  • (SHOULD) Certifications: CISSP, SC-200, SC-100

Technical Skills details:

  • Scripting Languages: Proficiency in PowerShell, Python or other scripting languages to automate security tasks. Proficiency in detection rule languages.
  • Protocols and Standards: Knowledge of security protocols (SSL/TLS, IPsec) and standards (ISO 27001, NIST).
  • Virtualization and Cloud: Experience with virtualized environments (VMware, Hyper-V) and cloud platforms (Azure, AWS). Azure certification (AZ series).
  • Azure Defender: Advanced usage to protect resources (VMs, databases, Kubernetes, etc.) against specific threats.
  • Identity Access Management (IAM): Implementation and monitoring of roles, permissions, and RBAC policies.
  • Knowledge of BAS Tools: Proficiency in tools like Caldera, SafeTitan, or AttackIQ to simulate realistic attacks.
  • Analysis of Complex Cyber Attacks: In-depth understanding of tactics, techniques, and procedures (TTPs) used by attackers, based on frameworks such as MITRE ATT&CK.
  • Threat Hunting: Implementation of proactive searches to identify threats that evade traditional detection tools. Use of frameworks like MITRE ATT&CK to guide investigations.
    • Behavioral Analysis: Identify anomalies or suspicious patterns in logs and events.
    • Use of KQL: Build complex queries to analyze data in Azure Sentinel and Log Analytics.

  • Analysis of Security Advisories:
    • Identify and assess alerts and security advisories published by organizations (e.g., Microsoft, CISA, CERT).
    • Prioritize critical advisories based on their potential impact on Azure cloud environments.
    • Coordinate with internal teams to implement patches or workarounds.

Technical details on activities:

Monitoring and Analysis:

  • SIEM Sentinel:
    • Configuration and Management: Configure and manage detection rules, alerts, and dashboards in Microsoft Sentinel.
    • Data Source Integration: Integrate various data sources (system logs, network streams, etc.) into Sentinel for comprehensive monitoring.
    • Alert Analysis: Utilize Sentinel's advanced analytical capabilities to identify and prioritize potential threats.

  • Supplementary Tools:
    • EDR (Endpoint Detection and Response): Use tools like Microsoft Defender for Endpoint to monitor and respond to threats on endpoints.
    • NDR (Network Detection and Response): Implement solutions like Darktrace or Vectra for network anomaly detection.

Incident Management:

  • Incident Response:
    • Automated Playbooks: Create and use automated playbooks in Sentinel for rapid incident response.
    • Forensic Analysis: Conduct forensic analyses to understand the origin and impact of security incidents.
    • Coordination: Collaborate with IT teams and stakeholders to coordinate incident responses.

  • Incident Management Tools:
    • SOAR (Security Orchestration, Automation, and Response): Utilize tools like Palo Alto Cortex XSOAR to automate and orchestrate incident responses.
    • Ticketing System: Integrate with ticket management systems like ServiceNow to track and document incidents.

Prevention and Continuous Improvement:

  • Threat Intelligence:
    • Intelligence Sources: Leverage threat intelligence sources to anticipate attacks.
    • IOC (Indicators of Compromise): Regularly update IOCs in Sentinel to enhance detection capabilities.

YOUR CAREER AT THALES

Joining Thales, you will become part of a tight-knit team working in an international and friendly environment. Thanks to the various teams working in multiple fields and domains, all located in Bucharest, you will be able to develop and grow your competences in different areas.

  • Room for and attention to personal development
  • The opportunity to grow within the organization, for instance on a technical, managerial or international level, within the various markets Thales is working in

Your immediate benefits

  • 24 holiday days a year
  • A good work-life balance which includes flexible working hours and work from home options
  • A comprehensive compensation and benefit package including medical coverage

At Thales we provide CAREERS, not only jobs. With Thales employing 80,000 employees in 68 countries, our mobility policy enables thousands of employees each year to develop their careers at home and abroad, in their existing areas of expertise or by branching out into new fields. Together we believe that embracing flexibility is a smarter way of working. Great journeys start here, apply now!