Center for Internet Security, Inc.

Principal SIEM Engineer - Remote

Job Locations US
Cybersecurity Operations
Regular Full-Time


The Principal Security Information & Event Management (SIEM) Engineer will be a senior technical individual contributor position within CIS’s Operations & Security Services (OSS) Department. The Principal SIEM Engineer will provide overall strategic and tactical direction of the SIEM and related security analytic and automation tools and focus on architecting, planning, implementing, and operationalizing the SIEM platform used by OSS to monitor thousands of State, Local, Tribal, and Territorial (SLTT) organizations through the Multi-State Information Sharing & Analysis Center (MS-ISAC) and Elections Infrastructure Information Sharing & Analysis Center (EI-ISAC).


The Center for Internet Security (CIS) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit responsible for industry leading best practices for securing IT systems and data. We lead a global community of IT professionals to continuously evolve these standards and provide products and services to proactively safeguard against emerging threats.

What You'll Do

  • Develop advanced SIEM correlation rules, content, data models, connectors, reports, and dashboards based upon internal and customer requirements to detect emerging threats
  • Monitor the health and performance of the SIEM and related infrastructure and verify disaster recovery and continuity of operation plans are operational
  • Manage, develop, and tune alerts, inputs, scripts, and APIs that integrate with the SIEM including log sources and troubleshooting of log sources or systems
  • Perform system and platform upgrades and updates in coordination with the vendor, CIS IT, and stakeholders
  • Make recommendations to OSS executive leadership on product capabilities, direction, investments, and divestments of technologies, products, and services
  • Serve as the most senior technical expert on deployed SIEM and Security Orchestration, Automation, and Response (SOAR) products and maintain the strategic roadmap for the OSS SIEM/SOAR and security analytics products
  • Create custom queries and alerts for emerging threats that can be rapidly deployed to all SIEM monitored data sources.
  • Oversee the change control process and quality assurance standards for SIEM/SOAR systems to ensure changes are tested, rollback plans created, and alerts/queries have a low chance of causing negative performance impacts on the SIEM or overwhelm SOC analysts with false positives
  • Assist internal support teams with troubleshooting highly technical issues that cannot be resolved by lower tiered support staff
  • Provide briefings and trainings to SLTT members, MS-ISAC and EI-ISAC executive committees, and internal stakeholders on security analytics and the SIEM/SOAR capabilities. This position will closely align with the sales, marketing, and communications teams to assist with pre and post-sales support and providing input to develop materials for members
  • Other tasks and responsibilities as assigned

What You'll Need

  • Bachelor’s degree in information technology, cybersecurity or a related field*
  • 8+ years’ experience in deploying and managing security monitoring and logging solutions including SIEM, syslog, and other log correlation, aggregation, and analytic platforms and experience tuning SIEM platforms that operate on events-per-second (EPS) cost models
  • 5+ years’ experience in SOAR and information automation
  • Expert level knowledge of integrating security tools such as firewall, intrusion detection and prevention systems, data loss prevention, endpoint security tools, host-based logs, network logs, syslog, and other data sources into an overall SIEM solution
  • Significant experience with Snowflake, Kafka, Apache technologies, Hadoop, and other data and analytics platforms and connectors
  • Significant experience with development of custom rules, alerts, reports, and dashboards for SIEM platforms
  • Significant experience at log enrichment, both process and sources and in using and writing regular expressions (RegEx)
  • Experience using and managing the Securonix SaaS SIEM environment, including SIEM, User Entity Behavior Analytics (UEBA), and SOAR, and Cloud RINs.
  • Experience with network forensics and toolsets such as Wireshark, PCAP, and tcpdump and with the MITRE ATT&CK framework
  • Experience with cloud technologies and providers such as Amazon, Azure, and Google
  • Excellent client-facing and internal communication skills
  • Solid organizational skills including attention to detail and multi-tasking skills
  • Candidate must be eligible to obtain National Security Clearance
  • Must be authorized to work in the United States

It's a Plus if You Have: 

  • Advanced degree in Computer Science, Business or related field
  • Strong presentation capabilities
  • Relevant industry certifications such as CISSP, GCIH, GCIA, GMON
  • Experience in incident response, vulnerability management, and security operations
  • Experience in vendor management and relationships
  • Familiarity with Agile DevOps and project management
  • Strong knowledge of scripting languages such as Python and Powershell

*Additional years of relevant experience or a combination of an Associate’s degree or equivalent and relevant experience may be substituted for the Bachelor’s degree.


**Factors that may cause a negative Fitness Review decision include:

  • Criminal Conduct
  • Dishonest Conduct
  • Employment Misconduct
  • Alcohol Abuse
  • Drug Use (illegal drug use or use of a legal drug in a manner that deviates from approved medical direction) Additionally, illegal drug use includes the use of drugs that are illegal for federal purposes despite being legal in select states and countries, such as marijuana.)
  • False Statements
  • Financial Issues
  • Have not resided in the US for three (3) of the past five (5) years

At CIS, we are committed to providing an inclusive environment in which the diverse backgrounds, experiences, and views of our employees, members, and customers are valued and respected. It is through this commitment that we are able to work together towards our common mission: to make the connected world a safer place.


Sorry the Share function is not working properly at this moment. Please refresh the page and try again later.
Share on your newsfeed