Group Manager, Threat Detection Engineering

  • San Diego, CA
  • Posted 41 days ago | Updated 8 hours ago

Overview

  • Remote
  • On Site
  • Hybrid
  • Full Time

Skills

Financial technology
QuickBooks
MailChimp
IT management
Data engineering
Analytics
Orchestration
NextGen
Analytical skill
Communication
Strategy
Research
Operations
Reporting
Cadence
Root cause analysis
Network
Data Lake
Snowflake schema
Amazon S3
SQL
SPL
Linux
OS X
Microsoft Windows
Google Cloud Platform
Google Cloud
Metrics
Python
Roadmaps
Machine Learning (ML)
Predictive analytics
Data
Management
Mentorship
SIEM
Splunk
Microsoft Azure
IBM QRadar
Planning
Software development
CISSP
CISM
Cloud computing
Amazon Web Services
Business analysis
Business analytics
Computer science
Cyber security
Incident management
Security operations
Leadership
System on a chip

Job Details

Company Overview

Intuit is the global financial technology platform that powers prosperity for the people and communities we serve. With approximately 100 million customers worldwide using products such as TurboTax, Credit Karma, QuickBooks, and Mailchimp, we believe that everyone should have the opportunity to prosper. We never stop working to find new, innovative ways to make that possible.

Job Overview

Build and lead a new detection engineering team. This is a technical leadership role that involves detection engineering, data engineering and analytics, attack path analysis, and security orchestration and automation (SOAR). This is a key role that will define and influence Intuit's nextgen Security Operations Center (SOC) initiatives. You will own and implement the strategy of the detection engineering program as well as establish metrics that demonstrate continuous maturity towards target state objectives. The ideal candidate for the role should have a strong background in SIEM implementation and log ingestion, incident response, high interpersonal and leadership skills, be highly analytical and data driven, and have strong verbal and written communication skills.

Responsibilities

  • Define detection engineering strategy, roadmap, and objectives
  • Build and mature detection engineering processes and standard patterns
  • Build new detection capabilities based on research of new attack techniques
  • Evaluate, validate, tune, and sunset where necessary detection capabilities
  • Identify and close gaps in detection coverage
  • Build runbooks and playbooks for SOC analysts to operationalize new detections
  • Work with system owners, SIEM team, and Detection Operations to onboard and operationalize new data sources
  • Define and manage coverage and efficacy metrics, reporting them on a regular cadence to leadership
  • Lead root cause analysis for detection quality issues and direct next steps to address and prevent recurrence
  • Participate in Cyber Incident Response Team (CIRT) rotation that may involve non-traditional working hours

Qualifications

  • Proven track record of building scalable organizations that have world class threat detection capabilities
  • Technical proficiency performing security investigations at scale; including endpoint, cloud, identity, network, and email threats
  • Practical experience with Detection & Response tools for network, endpoints, cloud, and identity as well as SOAR platforms
  • Hands-on experience with SIEM and Data Lake solutions (e.g., Splunk, Snowflake, S3)
  • Expertise with query languages (SQL, SPL, BigQuery)
  • Strong fundamentals of Linux, macOS, and Windows operating system internals
  • Deep understanding of attacker techniques, tools and procedures
  • Understanding of cloud environments such as AWS, Google Cloud Platform, and/or Azure
  • Proficiency creating and managing operational metrics that increase team efficiency and quality
  • Experience with coding languages to build/automate (e.g., Python, Go)
  • Experience working with security frameworks like MITRE ATT&CK or Lockheed Martin's Cyber Kill Chain; ability to track and discuss an attack through the Cyber Kill Chain
  • Ability to manage effective relationships with organizational leaders, build a roadmap, and drive broad initiatives to completion
  • Understanding of Machine Learning concepts as related to predictive analytics
  • Experience with forensic data capture, analysis, and preservation
  • Comprehensive understanding of the detection engineering field
  • Enthusiastic about managing and mentoring individuals pursuing careers in detection engineering

Preferred Skills

  • Admin- or Architect-level knowledge of a SIEM (Splunk, Azure Sentinel, QRadar, etc.)
  • In-depth knowledge of security standard processes in large-scale environments
  • Ability to navigate hard conversations and disseminate information to team members
  • Willingness and ability to accept responsibility and provide guidance to team members
  • Effective organizational and planning skills, with the ability to successfully guide projects through to completion
  • Experience with software development or security automation highly preferred
  • CISSP or CISM certification preferred
  • Hands-on experience with AWS Cloud (AWS Solutions Architect level of knowledge)

Required Education / Experience

  • BA/BS degree or higher in Computer Science, Cybersecurity or equivalent work experience
  • 5+ years' industry experience in Incident Response or Security Operations activities
  • 3+ years' leadership experience in a SOC or similar role

Employers have access to artificial intelligence language tools ("AI") that help generate and enhance job descriptions, and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.