State of Maryland

SRA Cybersecurity Defense Analyst I (#005839)

Salary: $64,828.00 - $108,780.00 Yearly


GRADE

STD 0018

CLASS ATTRIBUTES

SKILLED SERVICE BARGAINING UNIT: X NCP

NATURE OF WORK

A State Retirement Agency (SRA) Cybersecurity Defense Analyst I is the intermediate level of work monitoring, analyzing, tracking and documenting cybersecurity related events, alarms, logs, reports and real-time message outputs from enterprise data security devices, SaaS platforms and other sources, with the objective of identifying high risk events or behaviors occurring within the network. Employees in this classification play a key role as the first layer of defense in maintaining a secure operating infrastructure and ensure that the detective and preventive security controls are operational, properly managed and configured. Employees in this classification do not supervise other positions.

Employees in this classification receive moderate supervision from a Director of Cybersecurity Operations or other designated administrator.

Positions in this classification are evaluated using the classification job evaluation methodology, which involves comparing the assigned duties and responsibilities of a position to the job criteria found in the Nature of Work and Examples of Work sections of this classification specification.

The SRA Cybersecurity Defense Analyst I and the SRA Cybersecurity Defense Analyst II are differentiated based on the degree of supervisory control exercised by the supervisor over these employees. The SRA Cybersecurity Defense Analyst I performs the duties under close supervision at times, and under general supervision at other times, depending on the complexity of the specific duty being performed. The SRA Cybersecurity Defense Analyst II performs the full range of duties and responsibilities under general supervision.

EXAMPLES OF WORK

Monitors data security events and indicators via generated alarms, log report output, dashboards, and/or acting on incidents reported through the help desk or other sources both internal & external to SRA;

Coordinates with SRA cyber defense staff to analyze network security alerts and escalate as necessary;

Ensures that cybersecurity-enabled products/devices/services or other compensating security control technologies are properly tuned and configured to manage risk to acceptable levels;

Reviews all daily, monthly or quarterly audit logs/reports and promptly closes out any help desk tickets associated with them;

Documents and escalates incidents (including the event’s timestamp, source, action details, and potential impact for further action) that may cause ongoing and immediate impact to the environment;

Performs event correlation using information gathered from a variety of sources within SRA to gain situational awareness and determine the effectiveness of an observed attack;

Performs security reviews and identifies security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy;

Plans and recommends modifications or adjustments based on exercise results or system environment;

Provides daily summary reports of network events and activity relevant to cyber defense practices;

Receives and analyzes network alerts from various sources within the enterprise, determines possible causes of such alerts, and identifies/remediates the source of any recurring false positives;

Characterizes and analyzes network traffic to identify anomalous activity and potential threats to network resources;

Provides timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities, and distinguishes these incidents and events from benign activities;

Uses cyber defense tools for continual monitoring and analysis of on-prem and cloud-based security platforms to identify malicious activity;

Analyzes identified malicious activity to determine weaknesses exploited, exploitation methods, and effects on system and information;

Determines tactics, techniques, and procedures (TTPs) for intrusion sets;

Continually monitors and adjusts security policies/configuration settings of on-prem and cloud-based security platforms/products as needed to ensure all security services are tuned and optimally configured;

Recommends computing environment vulnerability corrections;

Conducts research, analysis, and correlation across a wide variety of all source data sets (indications and warnings);

Validates intrusion detection system (IDS) alerts against network traffic using packet analysis tools;

Isolates and removes malware;

Identifies applications and operating systems of a network device based on network traffic;

Reconstructs a malicious attack or activity based off network traffic;

Identifies network mapping and operating system (OS) fingerprinting activities;

Assists in the construction of signatures/rules/dashboards/workbooks/PowerShell scripts which can be implemented on cyber defense network tools in response to new or observed threats within the network environment;

Notifies the SRA Cybersecurity Systems Engineer and/or the SRA Cybersecurity Operations Director of suspected cyber incidents and records the event's timestamp, source, action details and potential impact for further action in accordance with the organization's cyber incident response plan;

Analyzes and reports organizational security posture trends;

Analyzes and reports system security posture trends;

Assesses adequate access controls based on principles of least privilege and need-to-know;

Monitors external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determines which security issues may have an impact on the enterprise;

Assesses and monitors cybersecurity related to system implementation and testing practices;

Provides cybersecurity recommendations to leadership based on significant threats and vulnerabilities;

Works with stakeholders to resolve computer security incidents and vulnerability compliance;

Provides advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans;

Performs other related duties.

KNOWLEDGE, SKILLS AND ABILITIES

Knowledge of computer networking concepts and protocols, and network security methodologies; Knowledge of risk management processes (e.g., methods for assessing and mitigating risk); Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy; Knowledge of specific operational impacts of cybersecurity lapses and risk exposure; Knowledge of authentication, authorization, and access control methods; Knowledge of cyber defense and vulnerability assessment tools and their capabilities (e.g., vulnerability scanning, PEN testing, web application security assessments, etc.); Knowledge of cyber-attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks) & the MITRE ATT&CK framework; Knowledge of Internet-based attack methods and techniques (e.g., password spraying/brute-force, phishing/vishing/smishing, DDoS/DoS, XSS/CSRF, MITM, ransomware, etc.); Knowledge of the OWASP Foundation's Top-10 web application security risks, their function, impact and remediation as they relate to SRA's exposure to risk (e.g., broken access control, cryptographic failures, SQL injection, insecure code/application design, etc.); Knowledge of penetration testing (PEN) and application security testing tools and technologies (e.g., SAST [static application security testing] & DAST [dynamic application security testing]); Knowledge of cyber attackers and attack types (e.g., insider threat, non-nation/nation sponsored, DoS/DDoS attacks, social engineering-based frauds/scams/phishing/vishing/smishing, hacktivist, terrorism, etc.); Knowledge of data encryption methodologies, technologies, algorithm types (AES, RSA, etc.) & key management; Knowledge of cryptography & cryptographic key systems (e.g., symmetric/asymmetric, padding, salting, etc.);
Knowledge of secure email concepts and protections (e.g., DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting and Conformance), and SPF (Sender Policy Framework)); Knowledge of database security/secure configurations, and DAM [Database Activity Monitoring] technology; Knowledge of data classification/data discovery; Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins, such as Common Vulnerabilities and Exposures (CVE), SANS NewsBites, FBI/InfraGard, CISA [Known Exploited Vulnerabilities Catalog], CERT, etc.); Knowledge of incident response and handling methodologies; Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation, separation of duties, least privilege, etc.); Knowledge of security industry standards/governance bodies (e.g., NIST SP 800-53, CSF, State of MD/DoIT, etc.); Knowledge of Next Generation (NextGen) firewall administration, maintenance & operation; Knowledge of intrusion detection/prevention (IDS/IPS) methodologies and techniques for detecting and preventing host and network-based intrusions; Knowledge of network access, identity, and access management (e.g., public key infrastructure, OAuth, OpenID, SAML, SPML); Knowledge of network traffic analysis methods; Knowledge of new and emerging information technology (IT) and cybersecurity technologies; Knowledge of key concepts in security management (e.g., Configuration Management, Patch Management); Knowledge of Virtual Private Network (VPN) security; Knowledge of what constitutes a network attack and a network attack's relationship to both threats and vulnerabilities; Knowledge of Insider Threat investigations, reporting, investigative tools and laws/regulations; Knowledge of adversarial tactics, techniques, and procedures (TTPs);
Knowledge of network diagnostic/troubleshooting tools (e.g., ping, traceroute, nslookup, whois); Knowledge of defense-in-depth principles and network security architecture; Knowledge of different types of network topologies (e.g., LAN, WAN, MAN, WLAN, WWAN, Wi-Fi, etc.); Knowledge of scripting languages (e.g., PowerShell); Knowledge of SRA cyber defense and information security policies, procedures, and regulations; Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks); Knowledge of server system administration, network, and operating system hardening techniques; Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth); Knowledge of CSF (Cybersecurity Framework - Identify, Protect, Detect, Respond & Recover) integration, compliance, and management; Knowledge of signature and behavioral-based technologies for virus, malware, and attack detection/prevention; Knowledge of data backup/restore methodologies/products, practices and configurations; Knowledge of system vulnerability scanning administration, practices, and techniques; Knowledge of Windows/Unix ports and services;
Knowledge of OSI model layers, underlying network protocols and applications (e.g., MAC addresses, TCP/IP, SMTP, HTTPS, DNS, LDAP, SNMP, SSH/Telnet, TLS, etc.); Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities; Knowledge of State of MD & SRA Personally Identifiable Information (PII) data security standards; Knowledge of Protected Health Information (PHI) data security standards; Knowledge of countermeasure design for identified security risks; Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump); Knowledge of IP address subnetting (Class A, B, C) & CIDR (Classless Inter-Domain Routing); Knowledge of Network Address Translation (NAT) use, configuration and application; Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications; Knowledge of virtual technology & infrastructure (VMware, Hyper-V) management and operation;
Knowledge of how to use network analysis tools to identify vulnerabilities; Knowledge of data security risk management (e.g., risk exposure, risk calculations, risk management principles, etc.); Knowledge of Application Security Risks (e.g., Open Web Application Security Project (OWASP) Top-10); Knowledge of physical security systems and controls (e.g., door security systems, card readers, etc.); Knowledge of data backup and recovery strategies; Knowledge of business continuity and disaster recovery continuity of operations plans;

Skill in diagnosing TCP/IP, sFTP, and proprietary application connectivity problems; Skill in maintaining directory services (e.g., Microsoft Active Directory, Azure AD, LDAP, etc.); Skill in configuring/administering virtual machine technology (e.g., Microsoft Hyper-V, VMware vSphere, etc.); Skill in administering both Microsoft Windows-based and Open Source/Linux server operating systems; Skill in administering Next-Generation firewalls (building firewall policies/rules, NAT rules, VPN connectivity, IDS, URL filtering, log repository management, etc.); Skill in administering web application firewalls (WAF); Skill in administering the physical security environment (e.g., door security systems, card readers, etc.); Skill in administering cloud-based security services and technology platforms (Azure AD, Office 365, MS Dynamics/CRM, etc.); Skill in administering cloud-based & on-prem Security Information and Event Management (SIEM) systems; Skill in leading and managing successful Proof-of-Concept projects to evaluate and recommend security products & services; Skill in collaborating with internal team members/staff, employing effective oral & written communication skills; Skill in conducting system/server hardware & software planning, management, and maintenance; Skill in correcting physical and technical problems that impact system/server performance; Skill in identifying and anticipating system/server performance, availability, capacity, or configuration problems; Skill in installing or upgrading systems and/or components (i.e., virtual machines, memory, disk arrays, etc.); Skill in monitoring and optimizing system/server performance;
Skill in developing and deploying signatures/playbooks/intelligence responses for security devices (SIEMs) and services; Skill in using incident handling methodologies; Skill in using protocol and traffic analyzers; Skill in assimilating, categorizing and distributing intelligence from various cyber defense resources (e.g., CERT, CVE (Common Vulnerabilities & Exposures), SANS, CISA, NIST, etc.); Skill in recognizing and categorizing types of vulnerabilities and associated attacks; Skill in assessing security controls based on cybersecurity principles and tenets (e.g., NIST SP 800-53, Cybersecurity Framework, etc.); Skill in recognizing vulnerabilities in security systems (e.g., vulnerability and compliance scanning); Skill in applying cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation, separation of duties, least privilege, etc.); Skill in identifying, capturing, containing, and reporting malware; Skill in preserving evidence integrity according to standard operating procedures or national standards; Skill in collecting, preserving and formatting/presenting forensic evidence & artifacts;
Skill in using security event correlation tools; Skill in designing incident response for cloud service models;

Ability to detect, isolate, and analyze malware; Ability to conduct vulnerability scans and recognize vulnerabilities in security systems; Ability to accurately and completely source all data used in intelligence, assessment and/or planning products; Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation, separation of duties, least privilege, etc.); Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies; Ability to interpret the information collected by network tools (e.g., nslookup, ping, and traceroute); Ability to design incident response for cloud service models.

MINIMUM QUALIFICATIONS

Education: Graduation from an accredited high school or possession of a high school equivalency certificate.

Experience: Two years of experience in threat hunting, network security analysis, network traffic analysis, information security, information systems, information assurance, troubleshooting, security operations, cryptography, and cyber threat modeling.

Notes:

1. Candidates may substitute the possession of a Bachelor’s degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university for the required experience.

2. Candidates may substitute the possession of an Associate's degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university for one year of the required experience.

3. Candidates may substitute the possession of a graduate-level degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university for the required experience.

4. Candidates may substitute U.S. Armed Forces military service experience as a non-commissioned officer in Cybersecurity Analyst classifications and Management specialty codes in Information Technology field of work on a year-to-year basis for the required experience.

LICENSES, REGISTRATIONS AND CERTIFICATIONS

At least one industry certification, such as CompTIA Security+, EC-Council Certified Ethical Hacker (CEH), or GIAC Security Essentials (GSEC), or equivalent.

SPECIAL REQUIREMENTS

Employees in this classification may be subject to call-in 24 hours a day and be required to work evenings, weekends, and holidays when systems are down or to work on systems that need to be repaired or replaced during non-business hours and, therefore, may be required to provide the employing agency with a telephone number where the employee can be reached. Employees may be furnished with a pager or cell phone.

Applicants for this classification may handle sensitive data. This will require a full scope background investigation prior to appointment. A criminal conviction may be grounds for rejection of the applicant.

Employees may occasionally be required to travel to the main office during off hours, or field locations, and must have access to an automobile in the event a state vehicle cannot be provided. Standard mileage allowance will be paid for use of a privately owned vehicle.

The work may require moving computers, printers and other IT related equipment weighing up to 80 pounds.

ACKNOWLEDGEMENTS

Class specifications are broad descriptions covering groups of positions used by various State departments and agencies. Position descriptions maintained by the using department or agency specifically address the essential job functions of each position.

This is a Skilled Service classification in the State Personnel Management System. All positions in this classification are Skilled Service positions. Some positions in Skilled Service classifications may be designated Special Appointment in accordance with the State Personnel and Pensions Article, Section 6-405, Annotated Code of Maryland.

This classification is not assigned to a bargaining unit, as indicated by the designation of S (Supervisor), M (Manager), T (Agency Head), U (Board or Commission Member), W (Student), X (Used by Agency or Excluded by Executive Order), or Z (Confidential). As provided by State Personnel and Pensions Article, Section 3-102, special appointment, temporary, contractual, supervisory, managerial and confidential employees are excluded from collective bargaining. Additionally, certain executive branch agencies are exempt from collective bargaining and all positions in those agencies are excluded from collective bargaining.

This classification is one level in a Non-Competitive Promotion (NCP) series. NCP promotions are promotions by which employees may advance in grade and class level from trainee to full performance level in a classification series. In order to be non-competitively promoted to the next level in a NCP series, an employee must: 1) perform the main purpose of the class, as defined by the Nature of Work section of the class specification; 2) receive the type of supervision defined in the class specification and 3) meet the minimum qualifications of the classification.

Date Established

July 1, 2023

Approved By

Director, Division of Classification and Salary
