CareFirst Careers

CyberSec Intrusion Ld Analyst

Responsibilities & Qualifications


The Lead Cyber Security Intrusion Analyst leads cloud security event monitoring and correlation within the Cybersecurity Operations Center. The selected candidate should have proven experience and the ability to leverage computer network defense (CND) analyst toolsets to detect and respond to cybersecurity incidents. This role researches and documents threats and their behavior; provides recommendations for threat mitigation strategies; communicates clearly while managing security incident response procedures; and performs routine event reporting, including trend reporting and analysis.

PRINCIPAL ACCOUNTABILITIES: Under the direction of the Manager, CyberSecurity Monitoring, Digital Forensics and Incident Response, the incumbent is responsible for, but is not limited to, the following:

Duties and Responsibilities:

  • Serve as escalation point for cybersecurity analysts and managed service provider.
  • Provide Tier 2 and Tier 3 level analysis related to the investigation of cybersecurity events and remediation.
  • Evaluate new methodologies to support investigating cyber security incidents and provide reviews and recommendations.
  • Analyze malware, spam, phishing, and other malicious content, and assess components and end-to-end systems for security at the embedded-system, mobile, host, network, and enterprise level.
  • Perform system analysis and reverse engineering, applying static, dynamic, and best-practice malware analysis methodologies.
  • Develop use-cases for monitoring various aspects of security infrastructure and applications.
  • Develop new capabilities to enhance the analysis of ingested data.
  • Drive the hunting of threats within the internal network.
  • Provide mentorship and guidance to cybersecurity analysts, to help them develop in their ability to recognize security incidents.
  • Clearly and accurately document observations. Process incident communications to include initial reporting, follow-ups, requests for information and resolution activity.
  • Follow standard operating procedures for detecting, classifying, and reporting incidents.
  • Research vulnerabilities in applications and systems. Provide recommendations for resolution and track remediation activities.
  • Perform packet-level traffic analysis and reconstruction of network traffic to discover anomalies, trends, and patterns affecting the customer's networks.
  • Analyze firewall logs, full packet capture (PCAP), IDS alerts, anti-malware alerts, Host Intrusion Prevention System (HIPS) alerts, and server and application logs to investigate events and incidents for anomalous activity, and produce reports of findings.
Required Education and Experience: Degree or equivalent experience: BA/BS in Information Technology, CyberSecurity, Networking, Security, MIS, Computer Science or related field

Years of experience: minimum 8 years of demonstrated work experience. (Additional experience may be substituted for the educational requirement.)

Along with the basic qualifications, the candidate will need to have experience in the following areas:

  • Cloud Security, Computing and Storage
  • Forensics and Incident Response
  • E-mail security, DLP, ATP, SEP, McAfee
  • Cybersecurity threat detection, monitoring and reporting
  • Cyber Intelligence and Threat Hunting
  • Capable of Python scripting to automate analysis and reverse engineering tasks

Specialized training (preferred, but not required): Static and dynamic malware analysis, network anomaly detection and analysis, host- and network-based forensics, and user and entity behavior analytics (UEBA). Incident response principles, or a related technical domain, applied in the context of a broader understanding of CSIRT and related systems and processes.

Certification requirements (preferred, but not required):

  • GCIA (GIAC Certified Intrusion Analyst)
  • GCIH (GIAC Certified Incident Handler), or the ability to obtain one of these certifications within 6 months
  • AWS Certified Security

Required Skills and Abilities:

Must be able to work effectively in a fast-paced environment with frequently changing priorities, deadlines, and workloads that can be variable for long periods of time. Must be able to communicate effectively.

The incumbent must have a firm understanding of information security and cybersecurity principles, and must be able to adapt quickly to a rapidly changing threat landscape in order to correctly scope and prioritize security events. The incumbent must also be able to achieve certification across multiple domains such as networking, security, development languages, etc.

Required skills:

  • Experience with scripting, automation and/or programming: Python, PowerShell, Ansible, other orchestration tools, or equivalent.
  • Thorough understanding of tactics, techniques, and procedures (TTPs), the technology behind them, and indicators of compromise.
  • Ability to analyze malware and create detections based on its network behavior.
  • Expert ability to recognize potential intrusion attempts and compromises through analysis of relevant event logs.
  • Experience with the following tools, or similar network security monitoring and endpoint detection and response tools: FireEye, Carbon Black, ArcSight, Symantec Endpoint Protection, Symantec Data Loss Prevention, EnCase.
  • Ability to apply critical thinking and analytical skills to develop enhanced workflows and use cases for next-generation platforms and cloud technology.
  • Ability to analyze large data sets and log files to find correlations and anomalies.
  • Experience designing and developing data acquisition pipelines; use of Kafka, ELK, Splunk and big data solutions highly preferred.
  • Ability to use native cloud security tools in AWS and Azure to design and implement continuous monitoring solutions.
  • Must be able to script in multiple languages, including Python, and automate tasks in AWS.
  • Cloud Security Detection and Response
  • SOAR technology
  • ELK stack
  • Hands-on experience in a hybrid (AWS/Azure) cloud environment developing and implementing security monitoring solutions.
Department: InfoSec - CyberSecurity Engine

Equal Employment Opportunity

CareFirst BlueCross BlueShield is an Equal Opportunity (EEO) employer. It is the policy of the Company to provide equal employment opportunities to all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information.

Hire Range Disclaimer

Actual salary will be based on relevant job experience and work history.

Where To Apply

Please visit our website to apply:

Closing Date

Please apply before: 5/12/2020

Federal Disc/Physical Demand

Note: The incumbent is required to immediately disclose any debarment, exclusion, or other event that makes him/her ineligible to perform work directly or indirectly on federal health care programs.

The physical demands described here are representative of those that must be met by an associate to perform the essential duties and responsibilities of the position successfully. Requirements may be modified to accommodate individuals with disabilities.

The associate is primarily seated while performing the duties of the position. Occasional walking or standing is required. The hands are regularly used to write, type, key, and handle or feel small controls and objects. The associate must frequently talk and hear. Weights of up to 10 pounds are occasionally lifted.

Sponsorship in US

Must be eligible to work in the U.S. without Sponsorship