HeartFlow, Inc. is dedicated to making our products and technologies as secure as possible. Reporting to the Senior Manager, Information Security Operations, the Threat Response and Investigations Manager will lead all aspects of the Cyber Emergency Response Team (CERT), Threat Detection, Analysis and Response, Insider Threat Investigations and manage the Security Operations Center (SOC) team. The Threat Response and Investigations Manager will provide leadership and mentorship to an Information Security Engineer, matrix-managed crisis response team and an outsourced managed detection and response services team. The manager is expected to be a hands-on manager with overall responsibility for the team's performance and duties.
The manager is responsible for advising senior leadership on all applicable threat response and investigatory matters as well as on the prevailing and emerging threat landscape. The manager leads an expanded response team (IT, Legal, Human Resources and other business stakeholders) to ensure that effective threat response, communication and mitigation strategies are in place and regularly tested. The manager will be a strong manager/leader who is exceptionally imaginative, collaborative, and truly excited about enabling the achievement of our mission.
This position may require weekend and evening work as well as availability during off-hours for participation in scheduled and unscheduled activities.
The manager will be responsible for three primary sub-programs (Threat Detection and Response, Insider Threat Investigations, and Predictive Threat Analytics and Intelligence) as well as other pertinent duties as assigned:
Threat Detection and Response
- Leads the CERT and manages incidents through to conclusion, including but not limited to conducting post mortem analysis and developing preventative actions
- Ensures appropriate tools and services are in place to rapidly detect and respond to threats to HeartFlow and our trusted partners
- Organizes and conducts incident response tabletop exercises, incorporating resources both internal and external to the Information Security department, to improve response effectiveness
- Analyzes network, system, and security events to determine whether an incident has occurred and leads appropriate response actions
- Creates detailed reports on incidents within the enterprise to include trends, remediation steps taken, and feedback on how to prevent future incidents
- Manages and directs the efforts of the outsourced SOC
- Ensures threat response plans are in place and regularly exercised
- Develops, documents and manages containment strategies, recommending actions to mitigate the risk associated with intrusion attempts
- Researches, implements and maintains proficiency in response and detection tools, countermeasures and attack method trends
- May work with Federal and/or state and local law enforcement agencies
Insider Threat Investigations
- Conducts cyber-forensic investigations of digital evidence and other relevant information, both before and after an attack, to reconstruct events and develop an understanding of the intent, objectives and activities of threat actors
- Provides unbiased digital evidence to appropriate parties in support of active investigations
- Ensures appropriate tools are in place to identify potential insider threat to HeartFlow
Predictive Threat Analytics and Intelligence
- Identifies advanced persistent threats by performing relevant research and data analysis
- Assesses threats to the environment and provides applicable feedback into the design of our security architecture
- Reviews cyber intelligence and threat data from both internal and external sources to develop in-depth analysis and threat assessments for company networks
Leadership and Management
- Develop, train and mentor others and grow their technical and professional capabilities
- Define and manage a set of interconnected processes
- Define clear roles and responsibilities, establish accountability, and measure and report on operational effectiveness and efficiency; set goals and measure performance
- Communicate regularly and clearly to a wide variety of technical and non-technical audiences
- Develop vision and strategy for a team
- Resolve disputes within the team and across the larger functional teams
- Perform other duties as assigned
Technical Skills Needed:
- 5+ years of experience in Information Security (8+ years preferred), including 5+ years in an incident response, SOC lead, or penetration tester role
- Advanced knowledge of the threat landscape and threat intelligence methodologies
- A proven track record in digital forensics, tool management, and electronic evidence collection
- Experience conducting digital forensics examinations on Microsoft Windows operating systems and Apple iOS devices using industry-standard tools, e.g., Nuix, Oxygen, Magnet Forensics, EnCase, data loss prevention (DLP) tooling and open-source tools
- Demonstrated ability to make decisions on remediation and counter measures
- Thorough understanding of network defense technologies, TCP/IP networking, Active Directory, DHCP, DNS, network security monitoring tools, secure engineering principles and technical security testing methodologies
- Working knowledge of threats to cyber security and understanding of the tools and tactics utilized by threat actors
- Experience with one or more scripting languages (Perl, Python, or other) in an incident response environment
- Extensive Windows, Mac, Linux and Unix experience, including deep knowledge of file system layout, log file analysis, timeline creation, web browser forensics and file carving
- Desktop, server, application, database, and network security hardening principles and practices for threat prevention
Soft Skills Needed:
- Strong analytical and problem-solving skills; ability to adapt effectively to rapidly changing technology and apply it to business needs
- Strong knowledge and understanding of business needs
- Solid project management skills, especially in a cross-functional environment
- Strong team-oriented interpersonal and communication skills; ability to present technical information in a way that establishes rapport, persuades others and gains understanding
- Ability to interface effectively with a wide variety of audiences, up to executive management
- Knowledge of common attack methodologies and common types of security vulnerabilities
- Proficiency in the use of manual and automated techniques for vulnerability scanning and penetration testing of networks, applications, operating systems, databases, and email systems
- Effective communication and presentation skills, with demonstrated ability to prepare documentation and presentations for technical and non-technical audiences
- Excellent written and verbal communication skills, interpersonal and collaborative skills
- High level of personal integrity, as well as the ability to handle confidential matters professionally and show an appropriate level of judgment and maturity
- Self-starter with a positive attitude and the ability to work independently; enjoys learning and staying current with industry developments, regulations and best practices
Preferred Skills and Experience:
- EnCase Certified Examiner, Certified Ethical Hacker, Certified Incident Handler, or Certified Forensic Examiner preferred but not required
- Knowledge of common information security management frameworks, such as NIST
- Knowledge and demonstrated experience of relevant legal, regulatory and compliance requirements, such as HITRUST, SOC 2, HITECH, the HIPAA Privacy and Security Rules, and other CMS regulations and guidelines
- Experience with a cloud service spanning multiple countries