Citizens Bank - Johnston, RI
posted 4 months ago
The Cyber Defense Principal Security Engineer is a senior individual contributor role focused on the development, maintenance, troubleshooting, tuning, and documentation of security tool detections and rules aimed at identifying cyber-attacks, intrusions, and data loss incidents. This position requires an expert-level understanding of security use cases and the ability to apply them effectively to event data, supporting the Security Operations Center (SOC) in its monitoring and response efforts. The Principal Security Engineer will engage with multiple technology platforms, with specific responsibility for Cisco Firepower and Palo Alto IDS/IPS policies and rules, while also collaborating with various groups within the bank's Enterprise Technology & Security division.

In this role, the engineer will be responsible for developing and maintaining IDS/IPS policies and rules for Cisco Firepower and Palo Alto systems. This includes regularly reviewing and updating these policies to ensure their effectiveness and developing new detection rules based on emerging threats and intelligence. Continuous optimization of IDS/IPS configurations is essential to minimize false positives and enhance detection accuracy, which involves conducting regular performance assessments and making necessary adjustments.

The engineer will also be tasked with developing detections for SIEM and other SOC tools, implementing security use cases, and transforming them into correlation queries, templates, rules, and alerts across various cloud environments and on-premises technologies. Technical documentation for deployed content is crucial: the engineer must document IDS/IPS configurations, tuning procedures, and any changes made to policies and rules, ensuring that this documentation is current and accessible to the team.
Monitoring the health and performance of security tools is another key responsibility, ensuring that IDS/IPS systems function properly and addressing any performance issues in coordination with teams or vendors for support. The integration of cyber threat intelligence into defensive systems is vital for enhancing IDS/IPS capabilities, which includes integrating relevant threat intelligence feeds and indicators of compromise (IOCs). The engineer will also develop reports, dashboards, workflows, and metrics to provide visibility into IDS/IPS activity and effectiveness. Collaboration with the SIEM team is necessary to ensure effective logging, event collection, normalization, correlation, reporting, and customization that supports IDS/IPS data. The engineer will support the Security Engineering team with SOC-related technical issues and incidents, assisting in resolving complex technical issues related to IDS/IPS systems. Additionally, mentoring and training junior team members on IDS/IPS best practices, rule creation, and tuning will be part of the role, along with being available to address critical IDS/IPS issues and incidents outside of regular business hours as needed.