IT Senior Security Consultant and Auditor

7/2011 – 7/2016

Develop data graphs based on audit log records and defined how the log records are mapped into a visual representation. Calculated statistical upper and lower probability boundaries of specific administrator actions. Created charts relating to Perimeter threats - visualizing service traffic flow of destination ports vs. time, service anomalies using tree maps, worm outbreaks visualized in link graphs, large email delays using a box plot graph of sender vs delay. Successfully created Insider Threat visualizations measuring documents accessed vs. username, date charts measuring the number of added or deleted cron jobs by user.
Implemented workflows for Security Operations Center Tier 1 and Tier 2 staff though a process of event annotation and escalation procedures based on specific tiered threshold levels within the console. Developed metric dashboards for security operations center managers that show personalized grids where each analyst can add a sub-tab that shows their events only. Created a semi-automated process where a tiered-triage methodology suppressed incoming events to limit noise. Developed reports and metrics that provide a way to measure events received versus events reviewed and subsequently helped meet audit review requirements. Established a process for reviewing events that need to be filtered from the console which also helped eliminate noise. Accurately modeled network IP address space information. Incorporated vulnerability scan data into the SIEM for a higher model confidence calculation. These actions have tuned incoming events to focus specifically on interesting threat traffic.
Applied methodology to the chaos of reviewing hundreds of events per second. Defined responsibilities for each of the security operations tiers which shared event review responsibilities.

Incident Management, Prelude Live Logger, Security Operations Center (SOC)

3/2010 – 6/2011

Responsibilities included tier 3 security engineering services for the European Command Security Operations Center (SOC). Installed operated and maintained consolidated logging solution (ArcSight Logger/Connector appliances) for all network, and server devices. Engineered open-source threat intelligence lists into ArcSight logger (-Hyperlink entfernt-) to provide SOC staff automated alerts on potential security threats. Delivered daily intelligence reports based on Ad-Hoc Logger reports. Delivered to network administrators daily reports on problem areas in the network based on router and switch logs. Provided data leak prevention solutions, enabled Denial of Service (DoS) thresholds, Intrusion Prevention Services, Spam detection and rejection, Greyware/Malware checking and Anti-Virus services. Trained Tier 1 & 2 SOC staff in incident response procedures, firewall debugging, trace flows and interface dumps. Engineered data leak stops for classified information in Fortinet appliances.

Fortigate Firewalls, McAfee AntiVirus Plus, Security Operations Center (SOC)

8/2008 – 2/2010

Cyber Security Engineer supporting various aspects of security operations including SAIC's MSSP, by solving complex challenges across the Cyber Security spectrum. Primary role includes assisting in advanced incident response, resolving engineering challenges, assessing, enhancing, and developing operational capabilities, technical writing and marketing demonstrations, assessing new technologies, developing new operational concepts, security event management and correlation content development, first to deploy new services, providing technical demonstrations of MSS capabilities.
Commercial Managed Security Services branch out of San Diego California. Lead representative for six major commercial accounts generating revenues totaling $1.3 million annually. As Tier 3 lead engineer my responsibilities included event collection, log management, event management, using ArcSight Enterprise Security Management 4.0. Created filters, trends, asset modeling etc based on my customers’ network traffic flows. Ensured events flowed 24x7 into the ESM. Additional responsibilities included: handling architecture changes (VPN, New Virtual IPs for terminating IPSEC, device monitoring, performance trending, graphing, firewall changes, content filtering), policy and procedure, documentation, high profile incidents (event monitoring, zero-day attacks, policy violations, vendor bug issues), be the last engineer of tier escalation in all contract matters and overall customer satisfaction. Special project to install EMC Clariion CX4-480 model storage area network to archive security events. Configured two fibre channels to ESM ArcSight server at secondary warm site. Provided help was needed but also directed/delegated once assistance has been provided. FortiGate 300A, 1000A and Cisco ASA administration experience. ArcSight Certified Security Analyst 4.0.

Cisco Firewalls, Security Operations Center (SOC), VPN (Virtual Private Network)

4/2007 – 5/2008

Operated and maintained Multinational Forces-West Iraq (MNF-W) for II MEF, G6 network security architecture throughout the Al Anbar province to include Cisco PIX ASA firewalls and IDS systems, Content Engines, routers and switches. Developed, maintained and updated network diagrams for NIPR, SIPR, and CENTRIXS networks. Operationally assisted the MNF-W IA Commander in managing a team of network security professionals throughout the Al Anbar Province. Assisted the Theater Information Assurance Manager (TIAM) in gathering the data necessary to Certify and Accredit Department of Defense Information Systems (DIACAP/DITSCAP). Scanned US Marine networks with eye Digital Security Retina scanner and managed the central repository server eEye Digital Security REM from other MNF-W subordinate scanners.

Security Operations Center (SOC)

5/2005 – 4/2007

Perform technical security reviews of United States Department of Agriculture Web Farm security initiatives. Manage and execute vulnerability scans of Web Farm environments and perform ad-hoc vulnerability scans for certification and accreditation of new and existing server application deployments. Worked with application hosting staff to address remediation for vulnerabilities found. Tools used were ISS Site Protector, Cisco IDS/IPS and Cisco PIX ASA firewalls.
Serve as lead security contact for ongoing XML appliance deployment and ISS Site protector, Real Secure host-based agent administration and Proventia Intrusion Prevention operations.
Produce documentation deliverables including security waiver requests, architecture documents, and weekly status reports. Mentor junior OpSec staff and share knowledge of assessment, remediation, and
IT security best practices. I also ensured the security plans, risk assessments, System Test and Evaluation (ST&E), and completed Certification and Accreditation process (C&A) using NIST 800-53 as the basis and structure for USDA C&A Policy. Ensured Plan of Action and Milestones (POA&M) have been completed.

Cisco Firewalls, Cisco Router, Cisco Switch

2/2002 – 4/2005

Contracted to enforce Joint Task Force (JTF) security policies at the Standardized Tactical Entry Points (STEP) in Europe. Remotely managed sixteen routers and four firewalls in geographically separate
locations. Lead JTF Information Assurance personnel in developing security policy for deployed networks. Administered Lucent Brick 201 packet filtering firewalls and Cisco 3620 firewall feature-set routers. This program saves 20-30% bandwidth by implementing security policy at the earth-terminal satellite site. Solid troubleshooting methodology efforts on congested IP network traffic flows improved deployed network services. Established baselines and documented bastion hosts for statistical anomaly detection. Coordinated a distributed security policy between satellite downlinks in two geographically separate theatres. Perform technical security reviews of USDA Web Farm security initiatives. Manage and execute vulnerability scans of Web Farm environments and perform ad-hoc vulnerability scans for certification and accreditation of new and existing server application deployments. Worked with application hosting staff to address remediation for vulnerabilities found. Tools used were ISS Site Protector, Cisco IDS/IPS and Cisco PIX ASA firewalls.

Cisco Firewalls