Highly skilled cyber security professional with over 18 years of experience serving a variety of public and private entities. Brad has been the Advanced Adversarial Defense/Threat Hunting technical lead and primary contributor at 2 large financial institutions over the past 7 years performing large scale Advanced Analytics leveraging Data Science, Machine Learning, Python API scripting, Splunk-Fu, Full Packet Capture, Statistical & Behavioral Analysis technologies as well as creating a home-grown Threat Hunting Automation Platform. Previous roles in various critical infrastructure sectors include insider threat monitoring of classified government networks and Security Architecture Lead for both the Department of Homeland Security and Federal Deposit Insurance Corporation. Prior to his time contracting in DC, Brad served two years as an Information Security Architect with a Fortune 200 utility responsible for enterprise strategic planning, policy development, business unit consulting, technological evaluations, and methodology development. With foundational experiences as both a Security Operations Center Analyst for an MSSP serving the financial sector and a Technology Infrastructure Consultant with a global front-runner in systems integration, Brad demonstrates the industry breadth, technical depth, and organizational acumen of a technology leader.
- Senior Security Engineer
  Amazon, Jun 2021 - Present, Seattle, WA, US

- Vice President, Cyber Security Research Strategist (Threat Hunting Automation Lead)
  Wells Fargo, Jul 2018 - May 2021, San Francisco, California, US
  Advanced Analytics & Threat Hunting Automation Technical Lead

- Cyber Security Research Strategist (Threat Hunting Automation Lead)
  Wells Fargo, Apr 2018 - Jul 2018, San Francisco, California, US
  Advanced Analytics & Threat Hunting Automation Technical Lead

- Advanced Analytics & Threat Hunting Automation Lead
  Wells Fargo, Aug 2017 - Apr 2018, San Francisco, California, US

- Threat Hunter
  Citi, Feb 2014 - Jul 2017, New York, New York, US
  • Full-time threat hunter as a member of the Advanced Cyber Defense team primarily focused on full network capture threat analysis via NetWitness and Splunk.
  • NetWitness SME responsible for developing Citi’s content baseline (160+ Parsers, 300+ Application Rules, 40 Threat Feeds), network and asset inventories, all custom content creation, Splunk integration (App & API), and SOC training.
  • Developed a custom hunting engine to automate the analysis of 2 billion sessions per day for activity from 400,000 employees and 200 million customers spanning 3 continents. Automation architecture leverages NetWitness REST API, Splunk statistical and behavioral analysis capabilities, Elasticsearch clusters, pre and post-processing scripts, proxy logs, EPO logs, and API integration with various free and commercial 3rd party tools.
  • Developed custom content to augment traditional security product detection shortcomings with a focus on Citi specific threats, vulnerabilities, and detection gaps: DGA detection, DNS exfiltration, covert data exfiltration, credit card leakage prevention, malware beaconing, employee data exfiltration, phishing domain detection, phishing VBA macro analysis, PE analysis, and domain registration interrogation.
  • Session Speaker at RSA Charge 2016: “Threat Hunting: Filling in the Gaps”
  • Develop rules, reports, alerts, and ad-hoc queries to detect the presence of insider threats, targeted campaigns, and advanced TTPs.
  • Responsible for developing advanced threat use cases for implementation by the content delivery team, formulating threat detection frameworks, and hunting for threat and fraud IOCs.
  • Develop rules in RSA Web Threat Detection (SilverTail) to analyze online banking web sessions for instances of fraud, customer credential abuse, and other suspicious account activity.

- Principal Solutions Architect (Contractor)
  U.S. Department of Homeland Security, Apr 2013 - Feb 2014, Washington, DC, US
  • Functioned in two simultaneous roles: (1) Responsible for building the security division for a small IT integrator and (2) leading a team of security engineers to secure TSA’s classified network.
  • Responsible for establishing the organization's overall cyber security direction and strategy, evaluating and developing end-to-end solutions and methodologies to enhance the company’s cyber security service offerings, and maintaining expert knowledge of the evolving federal IT landscape.
  • Leveraging balanced scorecard, PEST analysis and corporate planning frameworks, delivered a 4 dimensional strategic analysis including the development of a federal legislative and technological landscape study, industry/competitor matrices, internal capability SWOT analysis, and customer budget evaluation. This four-month effort produced 5 formal documents spanning over 100 pages in information for evaluation by the C-level suite.
  • Responsible for leading an insider threat focused mission with tasks including business requirements mapping, use case development, threat analysis development, and system administration for a classified environment within DHS.

- Security Engineering Lead
  Federal Deposit Insurance Corporation (FDIC), Oct 2012 - Apr 2013, Washington, DC, US
  • Security engineering team lead responsible for contract staff management, technical oversight, and governance of customer's security technology portfolio.
  • Proposal development, project management, solution engineering, and client liaison.
  • Design and deployment of ArcSight 6.0c (CORR) solution, advanced ArcSight content development, shell scripting, OS hardening (CIS benchmark), and capability expansion. Advanced content included advanced persistent threat detection, rogue device discovery, and anomalous activity determination.

- Lead Information Security Architect (Contractor)
  U.S. Department of Homeland Security, May 2009 - May 2012, Washington, DC, US
  • Selected as RSA Security Conference 2011 (world’s largest security conference) Session Speaker on SIEM implementation best practices and content evolution.
  • Selected as ArcSight Protect 2010 Session Speaker on best practices in SIEM architecture and deployment.
  • Entrusted as technical lead over staff of 10 responsible for green field enterprise scale deployment of multiple security technologies (including Identity & Access Management, Database Activity Monitoring, Operating System hardening, Strong (multi-factor) Authentication, SOA Security, Remote Access, and SIEM solutions).
  • Project management, client briefings, executive presentations, budgeting, and integration of security engineering portfolio into the enterprise.
  • Appointed as a founding member of the ArcSight Federal User Board alongside prominent leaders in the federal security community.
  • Responsible for developing and managing security engineering roadmap, architecture, deployment strategies, use case development, business requirements mapping, threat analysis content, client demos, FISMA compliance reporting, release/project management, interoperability, SDLC deliverables, and expansion & management of engineering team.

- Information Security Architect
  Southern Company, May 2007 - May 2009, Atlanta, GA, US
  • Selected from over 3000 submissions as a Session Speaker at RSA Conference 2009 (world’s largest security conference) on advancements in SIEM architecture and correlation logic.
  • Appointed to Georgia Tech’s GTISC Advisory board alongside leaders in the Fortune 500 and security community. Engaged in weekly meetings with doctoral candidates to discuss research regarding industry best practices and emerging threats.
  • Engineered and successfully implemented a large scale enterprise SIEM delivering alerting, reporting, log aggregation, event correlation, and retention for over 2,000 systems and 30,000 users at an event rate of 1+ billion events per week.
  • Laddered top 10% (exceeds expectations) amongst senior team members in 3 consecutive performance reviews.
  • Developed executive business cases, performed product evaluation/selection, and successfully implemented an enterprise mobile encryption strategy for laptops, mobile phones, and removable media.
  • Architected and successfully deployed company’s first honeynet solution for < $1k.
  • Consulted on Critical Infrastructure Protection (CIP) security and regulatory compliance initiatives regarding high value power plants.

- SOC Security Analyst
  Jack Henry & Associates, Sep 2005 - May 2007, Monett, Missouri, US
  • Obtained 4 certifications within first 6 months of employment resulting in out of cycle promotion.
  • Led several strategic initiatives including building mobile VPN implementation methodologies, creating client advisories, firewall maintenance and auditing, and DLP offerings.
  • Formulated SIEM threat logic and reporting for management based on events from over 2000 devices.

- IT Consultant
  Accenture, Oct 2002 - Sep 2005, Dublin 2, IE
  • Received patent for flow design architecture, which automated the processing of customer service orders for AT&T POTS service.
  • Received numerous promotions for results-based achievements above and beyond job description. Laddered #1 out of recruiting class for 3 consecutive reviews.
  • Led team of 7 in following tasks: ensuring application integrity (14 HP UNIX servers/ 4 NT servers, top 20 critical application), monitoring application processes, release management coordination, troubleshooting, architectural reviews, and served as configuration control board meeting lead.

Brad Nelson Education Details
- University of Georgia - Terry College of Business
  Management Information Systems

Frequently Asked Questions about Brad Nelson
What company does Brad Nelson work for?
Brad Nelson works for Amazon.
What is Brad Nelson's role at the current company?
Brad Nelson's current role is Senior Security Engineer at Amazon.
What is Brad Nelson's email address?
Brad Nelson's email address is hv****@****aol.com
What is Brad Nelson's direct phone number?
Brad Nelson's direct phone number is +141054*****
What schools did Brad Nelson attend?
Brad Nelson attended University Of Georgia - Terry College Of Business.