CareFirst Careers

Lead Intrusion Analyst

Resp & Qualifications

The Lead Intrusion Analyst is responsible for analyzing various alerts and alarms within the CyberSecurity Infrastructure. This position is also responsible for review and appropriate disposition of security tickets generated from the enterprise. The incumbent will monitor data from various sources, including firewalls, intrusion prevention systems and other security infrastructure components. The incumbent will research security events to determine severity and perform incident triage as necessary, while engaging appropriate CSIRT members to resolve the security incident.

PRINCIPAL ACCOUNTABILITIES: Under the direction of the Manager, CyberSecurity Operations, the incumbent is responsible for, but is not limited to, the following:

Duties And Responsibilities

  • Analyze security event data from multiple sources to identify potentially malicious behavior within the environment.
  • Triage (determine scope, severity and priority) of offenses and events in Security Information and Event Management (SIEM) tool or within other security monitoring tools directly.
  • Serve as a Tier II escalation point for security events.
  • Develop automation between security monitoring tools to reduce the time to prevent.
  • Research vulnerabilities in applications and systems. Provide recommendations for resolution and track remediation activities.
  • Respond to incident tickets within the specified period of time.
  • Prepare and monitor reports on the security posture of the organization.


Required Education and Experience:

Degree or equivalent experience: BA/BS or higher in CyberSecurity, Information Technology, Networking, Computer Science, MIS or related field

Years of experience: minimum 5 years of demonstrated work experience.  (Additional experience may be substituted for educational requirement.)

Specialized training (preferred, but not required): Security Information and Event Management platforms such as ArcSight, QRadar or Nitro. Commercial or Open Source Intrusion Prevention Systems. Malware analysis tools. Linux or Unix administration. Forensic analysis and Penetration Testing.

Other requirements (preferred, but not required):
GCIA (GIAC Certified Intrusion Analyst), GCIH (GIAC Certified Incident Handler)
GPEN (GIAC Certified Penetration Tester)
OSCP (Offensive Security Certified Professional)
CISSP (Certified Information Systems Security Professional)
Forensic certifications highly desirable

Required Skills and Abilities:

Must be able to effectively work in a fast-paced environment with frequently changing priorities, deadlines, and workloads that can be variable for long periods of time. Must be able to effectively communicate with both technical and non-technical individuals.

Incumbent must have a firm understanding of Information and/or Cyber Security principles. The incumbent must also be able to achieve certification across multiple domains such as networking, security, development languages, etc.

Required skills:
• Hands-on experience with Sourcefire/Cisco IPS, Snort, Suricata or similar
• Ability to write IPS signatures for Sourcefire/Snort IPS
• Thorough understanding of networking at the packet level
• Familiarity with Wireshark/Tshark, tcpdump, and BPF filters
• Understanding of binary protocols such as DCE/RPC2
• Understanding of anomaly-based detection schemes
• Experience with advanced malware defenses (FireEye, FireAMP, etc.)
• Knowledge of common languages used in exploit kits and malware delivery systems (i.e., javascript)
• OSINT collection and analysis
• Familiarity with one or more popular scripting languages (Perl, Python, Ruby, PowerShell), preferably Python
• Familiarity with Bro NSM or similar
• Knowledge of standard incident response frameworks
• Vulnerability triage and assessment

• Basic/intermediate level malware reverse engineering (binaries, malicious documents, etc.)
• Exploit development experience
• Write complex queries and triggers for QRadar, Sourcefire/Cisco (correlation rules), etc. in order to automate alerting
• Experience deploying, maintaining and monitoring honeypots and honeynets
• Active defense and cyber deception
• Understanding of APT attack patterns and methodologies
• Familiarity with QRadar, Splunk or other SIEM
• Experience with database security such as Guardium, Imperva or native Oracle tools.
• Familiarity with commercial Network-Based Anomaly Detection systems (Stealthwatch, etc)
• Familiarity with advanced malware protection (FireEye, FireAMP, etc.)
• Tune and configure sensor policies

Equal Employment Opportunity

CareFirst BlueCross BlueShield is an Equal Opportunity (EEO) employer.  It is the policy of the Company to provide equal employment opportunities to all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information.

Hire Range Disclaimer

Actual salary will be based on relevant job experience and work history.

Where To Apply

Please visit our website to apply:

Closing Date

Please apply before: 12/9/2020

Federal Disc/Physical Demand

Note:  The incumbent is required to immediately disclose any debarment, exclusion, or other event that makes him/her ineligible to perform work directly or indirectly on Federal health care programs.


The associate is primarily seated while performing the duties of the position.  Occasional walking or standing is required.  The hands are regularly used to write, type, key and handle or feel small controls and objects.  The associate must frequently talk and hear.  Weights up to 25 pounds are occasionally lifted.

Sponsorship in US

Must be eligible to work in the U.S. without Sponsorship