Kafka Streaming Analyst

Job Details :

• Job Title: Incident Response, Logging & SIEM Engineer
• Location: Phoenix, AZ (Hybrid 3 Days a Week Onsite)
• Duration: 12 Months Contract

Description : We're looking for an Incident Response (IR) specialist with deep expertise in logging, telemetry, and SIEM engineering who can detect, investigate, and eradicate threats across cloud and endpoint environments. You will own end-to-end detection engineering and response workflows - building high-fidelity detections, orchestrating data flows, tuning SIEM pipelines, leading incident investigations, and strengthening controls across AWS, Google Cloud Platform, and endpoint security platforms.

Key Responsibilities :

• Incident Response Lead triage, investigation, containment, eradication, and recovery for security incidents across cloud, endpoint, identity, and network layers. Perform root cause analysis, draft incident timelines, and produce clear post-incident reports with corrective and preventive action plans (CAPA). Coordinate with IT, Cloud, Networking, Legal, and Compliance to drive rapid, well-documented response. Develop and run tabletop exercises, purple-team drills, and lessons-learned cycles; convert outcomes into detections and control hardening.
• Logging, Telemetry & SIEM Engineering Design and maintain scalable logging pipelines and data flows (collection, normalization, enrichment, retention) for on-prem, AWS, and Google Cloud Platform sources. Engineer SIEM use cases, correlation rules, threat hunting queries, dashboards, and alerts with a strong focus on precision and low false-positive rates. Integrate endpoint, identity, network, and cloud telemetry (e.g., EDR/EPP, DNS, proxy, firewall, VPC Flow Logs, CloudTrail, Google Cloud Platform Audit Logs, Auth logs). Continuously tune parsers, field mappings (e.g., ECS/OCSF), and normalization to improve signal quality and response time.
• Threat Detection & Malware Analysis Conduct static and dynamic malware analysis (strings, headers, PE/ELF artifacts, sandbox detonation, behavior profiling, memory forensics). Implement IOC/IOA-driven detections and behavior-based analytics; maintain threat intel feeds and detection pipelines. Hunt for adversary behaviors mapped to MITRE ATT&CK; document hypotheses, methods, and outcomes.
• Cloud Security (AWS & Google Cloud Platform) Build and maintain detections for cloud control plane and data plane misuse (privilege escalation, data exfiltration, anomalous IAM, persistence). Validate logging coverage and guardrails (e.g., AWS CloudTrail, GuardDuty, VPC Flow Logs; Google Cloud Platform Audit Logs, VPC Flow, Security Command Center). Partner with cloud engineering to harden identity, networking, storage, and workload protections.
• Endpoint Protection & Troubleshooting Administer and tune EPP/EDR policies, response playbooks (isolation, kill process, quarantine, registry/network artifact cleanup). Troubleshoot logging gaps, sensor health, agent conflicts, and performance issues across Windows, macOS, and Linux.
• Governance, Risk & Compliance Apply core information security principles (least privilege, defense-in-depth, segmentation, secure defaults, logging by design). Support regulatory and customer audits (e.g., SOC 2, ISO 27001, HIPAA, PCI DSS) by providing evidence and IR documentation.

Required Qualifications : Experience: 3 7+ years in Incident Response, SOC, or Threat Detection/Response with hands-on SIEM engineering. Cloud: Practical security operations in AWS and Google Cloud Platform (logging coverage, detections, IAM, network controls, data protection). Malware Analysis: Proficiency with both static (e.g., strings, disassembly triage) and dynamic (sandboxing/behavioral) techniques. Networking & Data Flows: Strong grasp of TCP/IP, DNS, HTTP(S), proxying, TLS, common lateral movement patterns; able to diagram and optimize telemetry flows. SIEM: Engineering and operating at least one enterprise SIEM (e.g., Splunk, Elastic, Microsoft Sentinel, Chronicle) with query/correlation rule creation. Endpoint Protection: Experience with EPP/EDR tools (e.g., CrowdStrike, Microsoft Defender for Endpoint, SentinelOne, Carbon Black) and response workflows. Incident Handling: Proven ability to lead incidents, communicate clearly under pressure, and produce executive-ready reports. Scripting: Proficiency in at least one: Python, PowerShell, or Bash for automation and enrichment. Information Security Principles: Demonstrated application of CIA triad, zero trust concepts, hardening, and secure operations practices.

Preferred Qualifications : Certifications: GCIH, GCIA, GCFA, GNFA, GCTI, GMON, OSCP, AWS Security Specialty, Google Professional Cloud Security Engineer, CISSP. Forensics: Memory/disk triage (Volatility, KAPE), PCAP analysis (Wireshark), YARA/Sigma rule authoring. Threat Intel & CTI: Consuming and operationalizing TI (MISP, TAXII/STIX), enriching detections with context. Automation: SOAR playbook design (e.g., Cortex XSOAR, Swimlane, Splunk SOAR, Sentinel automation). Data Engineering: Familiarity with schema mapping (ECS/OCSF), parsing (Grok/regex), and streaming (Kafka/Kinesis/Pub/Sub).

For applications and inquiries, contact: hirings@openkyber.com