Researcher - Automated Detection
Arctic Wolf
Detection Developer, Detection Automation
ABOUT THE ROLE
The Detection Automation team is responsible for a detection automation pipeline to translate detection candidates from Threat Intelligence, Security, and Detection researchers into detection artifacts that ensure a timely release to our Security Services teams. As a detection researcher on our Detection Automation team, you will be responsible for researching & authoring detections in an automated flow, identifying opportunities to improve the automated detection flows, and enabling detection researchers from across the organization to author automated detections. The detection automation team ensures quality and scale of our automated detection base and presents actionable detections to our Security Services teams and customers.
Arctic Wolf Labs is the research-focused division at Arctic Wolf focused on advancing innovation in the field of security operations. The mission of Arctic Wolf Labs is to develop cutting-edge technology and tools that are designed to enhance the company’s core mission to end cyber risk, while also bringing comprehensive security intelligence to Arctic Wolf’s customer base and the security community-at-large. Leveraging the more than two trillion security events the Arctic Wolf Security Operations Cloud ingests, parses, enriches, and analyzes each week, Arctic Wolf Labs is responsible for performing threat research on new and emerging adversaries, developing advanced threat detection models, and driving improvement in the speed, scale, and detection abilities of Arctic Wolf’s solution offerings. The Arctic Wolf Labs team comprises security and threat intelligence researchers, data scientists, security development engineers with deep domain knowledge in artificial intelligence (AI), security R&D, as well as advanced threat offensive and defensive methods and technologies. Security Research Services Development partners with these groups to understand requirements, design & implement scalable, fault-tolerant solutions, and build the next generation of security capabilities for Arctic Wolf.
AS A SENIOR DETECTION RESEARCHER AT ARCTIC WOLF, YOU WILL:
· Provide mentorship and technical leadership to the team.
· Develop and maintain SQL, Python and YAML-based detections-as-code
· Research and develop expertise in the various threat surfaces and telemetry available for them
· Propose coverage and efficacy improvements to the detection surface
· Work with team members to develop novel detections and continuously tune existing ones
· Build runbooks, reports and supporting material for detection surfaces
· Collaborating with cross-functional teams to gather requirements and implement detections.
· Write clean, efficient, and reusable code in Python, Go, or Scala.
· Conduct code reviews and provide constructive feedback to ensure code quality and maintainability.
· Debug and fix issues in existing Python codebases.
· Optimize application and query performance to ensure scalability.
· Participate in the full software development life cycle, building well-designed, testable, efficient, secure code.
· Understand the product and how Security Services delivers the service.
· Develop professional expertise, apply company policies and procedures to resolve a variety of issues. Determine a course of action based on guidelines, and modify processes and methods as required.
· Continuously learn and adopt best practices for detections-as-code, code quality, software development methodologies, and programming principles to enhance coding skills and stay updated with industry advancements.
ABOUT YOU
You’re a talented detection developer who loves building things and cares deeply about code quality and reliability while optimizing performance. You enjoy coordinating with distributed cross-functional teams. You are constantly adapting to emerging technologies, trends, and best practices. You will build productive internal/external working relationships to resolve mutual problems by collaborating on procedures or transactions, with a focus on providing standard professional advice and creating initial reports/analyses for review by experienced team professionals.
Here are some of the core technologies we use and teach across our detections teams:
· Python
· SQL
· Sigma
· Suricata
· Wazuh
· Kibana
· Git
You are not required to be an expert in any of these, but you should be excited by the opportunity to learn new things and comfortable with coming up to speed quickly. Any
experience with detection development or full-stack development frameworks and practices is relevant and transferrable.
WE’RE LOOKING FOR SOMEONE WITH:
· 2 or more years of professional experience as a Detection Developer
· Experience consists of projects contributing in either Python or YAML
· OS Specific Telemetry (Windows Security/Sysmon logs, Linux)
· Expertise in Windows PowerShell Monitoring
· Understanding of the authoring lifecycle of SIEM Detections and Detection artifacts
o EDR detections/signatures
o Sigma and Yara Rules
o Streaming and batch-based detections
o Threat hunting & detection research
o Development of anomaly and behavioral based detections
· Demonstrated experience authoring and enabling Detections-as-Code
· Experience tuning and optimization of detections for all the above
· Professional certifications in Security and/or Cloud are required (i.e. CISSP, GNFA, GCFA, GCFE, GREM).
· Experience consists of working in a team of 3 or more Detection Developers while contributing code independently
· Experience working in Agile development teams, preferably with formal Agile training
· Nice to have: A clear history of technical influence (public conference talks, papers, etc)
· Nice to have: A clear history of learning and skills development. Regularly helps detection developers develop their skills in a variety of ways. · Nice to have: B.Sc. in Computer Science