Position Description
AIG is seeking a highly capable individual to support the operation of the AIG Cyber Insider Threat Program. This individual will help build the program, including influencing the definition of the program framework, strategy, technology, and program governance standards and procedures. This individual will perform day-to-day case management and investigative operations in AIG's efforts to predict, detect, and respond to cyber insider threats. This position will report to the Information Security Cyber Insider Threat Director within the Threat Detection and Response organization. The Cyber Insider Threat team will work closely with the Global Cyber-risk Defense Center, eDiscovery, Legal, Human Resources, and various business units and IT security experts. The cyber insider threat team, as a whole, will be responsible for the ongoing development of insider threat use cases and analytics of data from IT infrastructure and security controls.
A Cyber-risk Defense Splunk Use Case and Content Developer is responsible for creating the logic in Splunk that enables action by the Cyber-risk Defense Analyst teams during all phases of the threat detection and incident response lifecycle. The Splunk logic should prioritize incoming events to minimize risk exposure, ensure the timely identification of threats, and adhere to AIG's threat severity model. The successful candidate will report to the Director of Cyber-risk Operations and will regularly liaise with other Cyber-risk Defense Teams to foster an intelligence-driven operations capability across the organization.
• Must be able to support team case management by working with customers to quickly understand and document their requirements to ensure rapid completion of tasks.
• Assist the Detect and Response groups with the evidence intake and chain-of-custody process.
• Decrypt and perform forensic acquisitions of digital media while assisting with the shipment and receipt of digital evidence and other items.
• Able to collect, correlate, and display complex metrics depicting notable Insider Threat activities and suggest actionable items to reduce risk for the business.
• Utilize data mining tools to collect, search, sort, and organize large amounts of electronic information.
• Analyze insider events and data feeds for event detection and correlation from monitoring solutions.
• Triage and classify the output using automated systems for further investigation.
• Collect, preserve, and analyze electronic data according to the firm’s policies and practices.
• Perform response to confirmed incidents, coordinating appropriate resources to mitigate the threat.
• Produce high quality reports presenting complex technical matters clearly and concisely.
• Examine the timeline of notable incidents and identify precursors for data leakage.
• Review all available data to further develop and improve the threat scenarios and use cases.
• Recommend changes to detection platform data sources, policies, filters, and rules to improve event analysis.
• Recommend improvements and assist in the setup of detection processes, protocols, skills, and tools.
• Work closely with Information Security architecture and engineering to develop new tools and techniques for predicting, detecting, and preventing insider threats.
• Continually evaluate changes to actor tactics, techniques and procedures to ensure technology strategy maintains pace with a changing cyber insider threat landscape.
• Maintain strong working relationships with stakeholders, working across multiple lines of business and service providers to pull together and respond to actionable information.
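The duties above describe building insider threat use cases: correlating HR, endpoint, and proxy feeds, identifying precursors for data leakage, and ranking the resulting notable events under a threat severity model. The following is an added illustration of what such a use case looks like as detection logic; it is not code from AIG or from this posting. It is written in Python rather than Splunk SPL so that it runs offline over constructed sample events; the event schema, the 30-day lookback window, the 1 GB "bulk transfer" threshold, and the four severity tiers are all assumptions made for the example, not AIG's actual severity model.

```python
"""Toy insider-threat use case: correlate HR, endpoint and proxy events to
flag data-leakage precursors and rank them under a simple severity model.
Added illustration; all event data, thresholds and tiers are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (not real data). 'kind' stands in for distinct
# log sources; proxy 'upload' events are assumed to be pre-filtered to
# non-corporate destinations.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "alice", "kind": "hr", "action": "resignation_notice"},
    {"ts": "2024-03-02T22:15:00", "user": "alice", "kind": "usb", "action": "mount", "device": "SanDisk"},
    {"ts": "2024-03-02T22:20:00", "user": "alice", "kind": "file", "action": "copy_to_removable", "bytes": 2_400_000_000},
    {"ts": "2024-03-03T10:00:00", "user": "alice", "kind": "proxy", "action": "upload", "dest": "personal-drive.example", "bytes": 900_000_000},
    {"ts": "2024-03-02T11:00:00", "user": "bob", "kind": "usb", "action": "mount", "device": "Kingston"},
    {"ts": "2024-03-02T11:05:00", "user": "bob", "kind": "file", "action": "copy_to_removable", "bytes": 50_000_000},
    {"ts": "2024-03-04T14:00:00", "user": "carol", "kind": "proxy", "action": "upload", "dest": "personal-drive.example", "bytes": 3_000_000_000},
]

WINDOW = timedelta(days=30)        # lookback after a resignation notice (assumed)
BULK_BYTES = 1_000_000_000         # "bulk transfer" threshold (assumed)
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def _off_hours(ev):
    """Business hours assumed to be 07:00-19:00 local time."""
    return not 7 <= _t(ev).hour < 19


def score_user(evs):
    """Apply the assumed four-tier severity model to one user's events.
    Returns (severity, reasons, total_bytes), or None if nothing is notable."""
    evs = sorted(evs, key=_t)
    notice = [e for e in evs if e["kind"] == "hr" and e["action"] == "resignation_notice"]
    departing = bool(notice)
    since = _t(notice[0]) if departing else None
    # Only transfers inside the post-notice window count for a departing user;
    # for everyone else, every transfer in the feed counts.
    transfers = [e for e in evs
                 if e["kind"] in ("file", "proxy") and "bytes" in e
                 and (since is None or since <= _t(e) <= since + WINDOW)]
    if not transfers:
        return None

    removable = [e for e in transfers if e["action"] == "copy_to_removable"]
    uploads = [e for e in transfers if e["action"] == "upload"]
    bulk = [e for e in transfers if e["bytes"] >= BULK_BYTES]
    off_hours = [e for e in transfers if _off_hours(e)]
    total = sum(e["bytes"] for e in transfers)

    reasons = []
    if departing:
        reasons.append("resignation notice on file")
    if bulk:
        reasons.append(f"{len(bulk)} bulk transfer(s) >= {BULK_BYTES} bytes")
    if removable:
        reasons.append(f"{len(removable)} copy(ies) to removable media")
    if uploads:
        reasons.append(f"{len(uploads)} upload(s) to non-corporate destination")
    if off_hours:
        reasons.append(f"{len(off_hours)} transfer(s) outside business hours")

    # Tiering: a departing user moving bulk data is the classic precursor.
    if departing and bulk:
        sev = "critical"
    elif bulk or departing:
        sev = "high"
    elif removable or off_hours:
        sev = "medium"
    else:
        sev = "low"
    return sev, reasons, total


def build_notables(events):
    """Group events by user, score them, and return notables ordered by
    severity tier first and total volume moved second (the analyst queue)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    notables = []
    for user, evs in by_user.items():
        result = score_user(evs)
        if result:
            sev, reasons, total = result
            notables.append({"user": user, "severity": sev, "bytes": total, "reasons": reasons})
    notables.sort(key=lambda n: (SEVERITY_RANK[n["severity"]], -n["bytes"]))
    return notables


if __name__ == "__main__":
    for n in build_notables(EVENTS):
        print(f"{n['severity']:<8} {n['user']:<6} {n['bytes']:>13,d}  " + "; ".join(n["reasons"]))
```

In a Splunk deployment the same idea becomes a scheduled correlation search joining the HR lookup to endpoint and proxy sourcetypes, with the tier written into the notable event so analysts work the queue top-down; the reasons list is what feeds the case file and the chain-of-custody narrative, so keep it explicit rather than collapsing it into a single score.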
Minimum Requirements (Knowledge, Skills, and Abilities):
• At least 3 to 5 years of relevant insider threat, intelligence, or investigative experience.
• Demonstrated success in close working collaboration with cyber security, intelligence, HR, and Legal.
• Demonstrated expertise working in sensitive environments and handling extremely sensitive materials.
• Experience handling investigations using legally sound practices (including chain of custody), producing case files that will hold up if prosecuted.
• Experience developing and communicating findings to non-technical business areas
• Experience using analytical skills and an ability to interpret established standards and guidelines to solve problems.
• Proven ability to innovate, develop, implement, and effectively document complex technical systems and approaches.
• Good understanding of possible methods of internal and external data movement.
• Ability to navigate a complex global network to identify intelligence and detection sources.
• Excellent analytical ability, sharp attention to detail, creative problem solving, consultative skills, and innovation.
• Self-starter with a sense of urgency who takes ownership and responsibility for service delivery.
• Project and case management skills.
• Works independently with minimal guidance to drive projects to completion, while also working collaboratively with the team to achieve strategic goals
• Professional, clear, and concise communication to both technical and non-technical audiences.
• Analytical ability, attention to detail, problem solving, and consultative skills.
• Proven organizational skills (time management and prioritization), and a rigorous process for all follow-up and coordination activities.
• Position requires access to highly sensitive confidential material; integrity and discretion are mandatory.
• Minimum of three (3) years of experience in eDiscovery, computer forensics, investigations, or a similar Information Security discipline.
Formal Education & Certification
• Bachelor of Science in Computer Science, Information Systems, Software Engineering, or relevant military or law enforcement experience.
• Active or previously held Security Clearance preferred.
• Preferred Certifications:
o Certified Information Systems Security Professional – CISSP
o Insider Threat Program Manager – ITPM
o Project management certifications
** NOTE: An equivalent combination of experience, education and/or training may be substituted for the listed minimum requirements.
Occasional travel may be required, but less than 10% of the time.