Threat Detection Architect
The Threat Detection Architect is responsible for establishing and maintaining the detection targets / roadmaps and overseeing process / execution of detection content and use cases through collaboration with Operational and Engineering teams. The architect will perform analysis on and recommend solutions for detection gaps to build an ecosystem of robust detection rules across multiple security tools to address Cyber threats. The architect will provide subject matter expertise, mentorship, and leadership in the utilization of tools across the environment to complete and resolve the most complex security investigations. When needed, the architect will provide the highest level of technical capabilities and support across security tools in the environment to investigate, contain, and mitigate the impact of complex/critical security incidents. This role reports directly to the Director of Cyber Defense Operations.
The Cyber Defense Operations team is responsible for the protection, monitoring, detection, response, and recovery from security incidents across Comerica's environment. The team includes, amongst others, the Security Operations Center (SOC) and Threat Operations. The Threat Detection Architect role resides at the epicenter of the Cyber Defense Operations team, providing support to operations teams in the identification and creation of detection content and is ultimately responsible for the lifecycle of the threat-informed defense program. The ideal candidate will have Cybersecurity / IT certifications (e.g. CompTIA Network+, CompTIA Security+, GCIA, GCIH, GREM, or GPEN)
Position Responsibilities:
Threat Detection Architecture
Threat Detection Development
Participate in the testing and rollout of proposed rules across the environment to ensure that the quality of the implemented rule is appropriate for operationalization by the SOC. Upkeep and maintain the system of record for detection use cases, ensuring that it provides a live, up-to-date view of detection capabilities across the environment. Update MITRE ATT&CK mapping within the system of record, both to maintain alignment with updates to the MITRE ATT&CK framework and to provide an accurate depiction of detection coverage across the framework. Support response to major incidents by developing custom rules to detect anomalies, interfacing with the Threat Hunting and Threat Intelligence teams to do so. Collaborate with other Engineering and Operations teams within Comerica to troubleshoot, respond, and improve detection capabilities.Incident Response
Perform advanced technical and forensic analysis for payloads used by threat actors. Provide recommendations on remediation plans for critical incidents to minimize business impact and ensure continuity. Provide advanced subject matter expertise across malware, phishing, cloud access security brokers (CASB), network, and configuration compliance domains to investigate, contain, and mitigate the impact of complex/critical security incidents.Documentation and Support
Provide clear direction and documentation to Cyber Engineering teams to facilitate the development and implementation of detection rules into security tools. Maintain and provide accurate executive/compliance reporting on detection coverage, both against specific threats or techniques, as well as on the detection program as a whole. Participate in the development / enhancement of processes and technologies impacting the Cyber Defense Operations function. Handle sensitive information in accordance with the Corporate Information Protection Policy.Other duties as assigned
Positions Qualifications:
Bachelor's Degree from an accredited University in Computer Science, Engineering, Information Systems, or Cyber Security -- OR -- High School/GED with 12 years Progressive Relevant Experience 6 years of Information security / technology experience, preferably in a SOC, NOC, Threat Intelligence, or Threat Hunting 5 years of experience using various operating systems and industry standard monitoring, logging, alerting and investigation processes 5 years of incident response experience. 3 years of experience with scripting skills in common languages (e.g. PowerShell, Python, Java, Bash). 3 years of experience performing forensics on payloads across multiple attack vectors. 3 years of experience in designing detection rules for SIEM and other supplemental platforms. This position is not eligible for sponsorship. Must have indefinite employment authorization. Auburn Hills Operations Center8:00am - 5:00pm Monday - Friday