CISCO Information Security Analysts (Tier 1)
Objective
The Cisco Computer Security Incident Response Team (CSIRT) at Sykes is part of the Cisco Corporate
Security Office (CSPO) at Cisco, which is part of the Research Office and Cyber Science Computer
Forensics. Their mission is to preserve the security of the information hosted in the Cisco.com network
domain, through risk assessment, vulnerability assessment and defense planning. The Tier-1 team at
SYKES is responsible for detecting and preventing threats to the network (intranet, extranet, internet),
which may include but are not limited to: virus infections, hacking attacks and incorrect use of confidential
information, and for taking effective action to protect the information.
Responsibilities
- Proactive network monitoring: The position is responsible for running the different plays (processes)
detailed in the Playbook. This includes downloading the adequate set of data from the security
devices, manipulating and analyzing such data based on defined parameters and on experience to
proactively detect potential threats and take prompt action.
- Research and analysis: Upon detection of a positive (real) threat the analyst must perform a
thorough investigation, which includes consulting several sources of data (which include HTTP, DNS,
SSH, Telnet, Active Directory, syslog, 3rd party websites and databases, etc.) to determine category
and impact.
- Effective actions: After thorough investigation the analyst must escalate true positives to the next level for
further research and remediation actions, following the escalation procedures for specific case types,
including a thorough report with his findings and recommendations.
- Playbook evaluation: The Playbook must be a live document, which needs constant revision and
updates to ensure that the different plays are effective at detecting threats. Due to this the CSIRT
analyst is expected to be critical of the plays, to provide feedback on their effectiveness, and to
detect and communicate tuning opportunities, considering the fidelity and value of each report.
- Monitoring and on-demand support: The analyst is also responsible for monitoring the network
security through several tools (Remedy, InfoSec queue, CLIP, RMS) and for providing first-level on-
demand support, by interacting with different parties to ensure that the reported threats are
effectively remediated, complying with security policies and legal requirements; this includes
interacting with Cisco IT and with users.
- Proactive vulnerability scans: Use tools (DLP, Qualys) to scan the network and detect security
vulnerabilities, and work with system administrators/users in order to fix gaps that could potentially
result in threats to the security of information; ensure that data is handled in compliance with
government and legal requirements. The analyst is responsible for proactively suggesting adjustments
to tool filters to ensure effectiveness of detections.
- Device administrator: Responsible for ensuring that the different security monitoring devices
deployed throughout the Cisco network worldwide are functioning correctly. This includes performing
configuration changes (optimization), firmware and software upgrades, general maintenance, and
managing deployment and decommissioning for IDS, WSA, SF, AMP, UCS and other devices.
- Given the dynamic environment of cyber security, the analyst is responsible for continuously studying
and investigating network threats and malicious software to ensure that his knowledge stays
up to date. This can be achieved through personal learning and through effective collaboration with
other analysts and engineers within the global team.