What you'll do
Lead Insider Threat Digital Investigations:
- Conduct comprehensive technical investigations individually and partnering with our incident response teams into potential insider threat incidents, including data exfiltration, intellectual property theft, unauthorized access, and other malicious activities.
- Knowledge and execution experience in collecting, preserving, and analyzing digital evidence from a variety of sources (e.g., endpoints, network logs, cloud services, email, etc.).
- Document all investigative steps and findings in a clear, concise, and defensible manner.
- Present findings to senior leadership and cross-functional partners (Legal, HR, Privacy) in a professional and objective manner.
- Ensuring regulatory, legal and privacy requirements are met through all.
Insider Threat Hunting:
- Proactively hunt for insider threats using a variety of security tools and data sources (e.g., SIEM, DLP, EDR, UEBA).
- Develop and execute threat hunting hypotheses based on emerging threats, attack techniques, and an understanding of our company's unique environment.
- Correlate disparate data points to identify anomalous or suspicious user behaviors.
Detection & Response Improvement:
- Collaborate closely with the Security Incident Response Team (SIRT) and Threat Detection teams to continuously enhance our insider threat detection capabilities.
- Design, develop, and implement new rules, alerts, and use cases in our security tools to identify insider threat indicators.
- Evaluate and recommend new technologies and processes to mature our Insider Threat program.
- Develop and refine response playbooks for various insider threat scenarios.
Cross-Functional Collaboration:
- Serve as the primary technical liaison for the Insider Threat program, building strong, trusted relationships with Legal, HR, and Privacy teams.
- Work in lockstep with these teams to ensure that investigations are conducted with sensitivity, respect for employee privacy, and within legal and ethical guidelines.
- Provide technical expertise and guidance during policy development and incident response planning.
Required Qualifications
- 5+ years of experience in a technical security role, with at least 2+ years focused on insider threat, digital forensics, or security investigations.
- Proven experience in conducting and leading complex technical investigations, including the use of forensic tools (e.g., EnCase, FTK, X-Ways, or open-source alternatives).
- Deep understanding of security technologies such as SIEM (e.g., Splunk, Elastic), EDR (e.g., CrowdStrike, SentinelOne), and UEBA like data sources.
- Strong scripting and programming skills (e.g., Python, PowerShell) to automate tasks and analyze large datasets.
- Excellent communication skills, both written and verbal, with the ability to explain complex technical concepts to non-technical audiences.
- Experience working with legal and HR teams on sensitive employee-related matters.
Preferred Qualifications
- Certifications such as GCIH, GCFA, GCTI, or similar.
- Experience with cloud-based security and investigations (e.g., AWS, GCP, Azure).
- Prior experience in a tech product or fast-paced startup environment.
- Knowledge of legal and regulatory frameworks related to data privacy and digital evidence (e.g., GDPR, CCPA).
- Legal/Court evidence handling, presentation and implementation of procedures