
Symantec jobs - Security Response Engineer & Security Response Manager

  • 14-02-2012 1:35pm
    #1
    Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭


    Hi,

    Symantec (Blanchardstown) have some job openings which might appeal to some of the people here. The jobs are Security Response Manager (SRM) and Security Response Engineer (SRE). I'll describe the SRE job in this post and SRM in the second post.

    Security Response are an operational team responsible for analyzing and putting in detections for new threats/malware. It's 24x7 with offices in Dublin, Culver City and Tokyo. This means that Dublin works 9 to 5:30 and hands over to Culver at 5:00. If you are working on something, you pass it on to one of the engineers in the next region.

    Before anyone asks, pay levels in Symantec are internally confidential, so I don't know exactly what sort of money is offered for the positions. I know that's annoying, but if you are interested in this sort of work, it's certainly worth applying and asking HR what sort of money is on offer. It is mostly going to depend on your own experience and ability anyway.

    The official blurb for the SRE is below. An SRE is a malware reverse engineer. You'll need to be familiar with Olly & IDA and some sort of scripting will make your life easier. Day to day work for a junior engineer consists of reversing suspicious samples submitted by customers and writing detections for samples that are malicious. As you get better you are assigned tougher samples to analyse and assist the threat intelligence officer to investigate threats in more detail. I.e. Instead of just describing exactly what the threat does, try to find out more about who's behind it, the purpose etc.

    Feel free to PM me with questions, or preferably post them here for everyone to see the answers.
    Responsibilities
    • The Security Response Engineer will be responsible for analyzing threat samples in order to identify its malicious functionalities such as information theft, detection evasion and infection routines; network propagation and attack; command-and-control communications and other malicious payload.
    • The Security Response Engineer will be responsible for creating heuristic detections and remediation signatures for threats (worm, trojan, virus).
    • The Security Response Engineer will be tasked to create comprehensive technical reports and blog articles to be published to the web.
    • The Security Response Engineer will lead research efforts to understand the latest threats and how it relates to the overall threat landscape.
    • The Security Response Engineer will be required to create automation scripts and tools in aid of threat analysis.

    Qualifications
    • BS Degree preferably in a computer science-related field, or equivalent industry experience. MS degree is a plus.
    • Must possess at least 2 years experience using debugger tools such as SoftICE, OllyDbg, IDA Pro.
    • Must possess good knowledge and hands-on experience with 80x86 assembly language.
    • Must possess good knowledge of Windows Operating System internals.
    • Must possess good knowledge of TCP/IP protocol.
    • Experience in programming in C/C++, Perl, or Python is an advantage.
    • A broad understanding of current Internet security threats and networking essentials is mandatory.

    Other Information
    • Interpersonal skills: Must be able to interact comfortably with members of the worldwide Response Team and employees in other departments in Symantec.
    • Planning and organization: The ability to plan and organize multiple tasks in an efficient manner to completion.
    • Communication: The ability to communicate complex issues in a simple manner, both written and verbal. Many of the people the role comes into contact with are located in different countries and may have differing abilities speaking English.
    • Team player: The role requires the ability to work in a close-knit worldwide team to achieve project goals.
    • Innovation: Not only the solution, but in many cases even the question, may not be obvious when faced with potential security incidents. The ability to innovate solutions to get them to customers more quickly or safely is mandatory.


Comments

  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    There are two aspects to the job. The first is SRM - Security Response Manager and the second is TIO - Threat Intelligence Officer. At the moment the roles are rotated each week. One week you're on SRM duty, the next TIO.

    As SRM you are essentially a liaison between Security Response and the rest of Symantec. Usually it's only tech support you deal with. They come to the SRM with some issue that a customer is having e.g. a virus outbreak. The SRM then allocates the work to engineers and monitors the work. It's up to the SRM to decide what's to be worked on and make any decisions - Should we be doing as much work on this threat, is there an alternative approach etc. The SRM also is the point of contact if something breaks or goes wrong. Virus definitions aren't published etc. It's actually quite a straightforward role, not technical and as long as you are able to make a decision, not hard. Shifts end at 5:00 each day, you hand over your work to the next region (America) and as soon as that's done, you walk out the door and forget about work.

    The second role, TIO, is (what I find) the more interesting and gives you a chance to be creative. The basic job is to know what's going on, on the Internet, with respect to security and viruses. It's a lot of reading and can be as technical as you want it to be. The standard day to day work is reading various blogs, keeping an eye on Twitter, looking for new threats and blogging about them, both internally and externally. You need to be able to write good. If you are more technically inclined, there are a number of internal databases and with some SQL you can mine our own data looking for new trends and threats. If you find something interesting, you can analyze it yourself if you want and know how, or hand it to an engineer to analyze (a few engineers are allocated to analysis each day). The TIO responds to hacking incidents, so if someone is hacked and wants help, the TIO handles getting the samples analyzed and finding as much about the attack as possible. The attack is written up and published internally. If it's a serious one, it might be published externally (e.g. Nitro attacks). Occasionally we get in images for informal forensic analysis which is good fun.

    Overall it's a very good job. Being able to hand over work at the end of the day means you very rarely need to stay late and don't have to think about it when you get home. We work weekends, so every sixth week, you have to work three weekends. During the weekends you work Thursday to Sunday and have Monday to Wednesday off. The three days are handy. Everyone is very nice, and some of the engineers are, literally, probably the best in the world at what they do, which is great to work with.

    Responsibilities
    • Symantec Security Response is a 24x7x365 organization responsible for addressing new and emerging security threats.
    • The Security Response Manager will be responsible for analysis and research of security threats and incidents.
    • The candidate will be required to manage the progress of security incidents through the Security Response process and to coordinate and track the activities of the various functions within Security Response (Engineering, QA and Information Development) to ensure that all deliverables are completed on time.
    • The ability to co-ordinate a number of dependencies simultaneously across the team to ensure a security incident is resolved is a must.
    • The applicant must be able to make quick decisions, sometimes on minimal information, and be able to communicate those decisions in a clear and concise manner to other members of the worldwide Security Response team and to upper management when required.
    • The Security Response Manager position will also require the applicant to produce detailed technical descriptions of network and host based threats, produce and edit social media content such as blogs, tweets, etc., and collaborate in multimedia productions such as videos, podcasts and interactive animations.
    • Part of the role involves working with peers worldwide on projects and ensuring consistency and accuracy of security information being provided by Symantec Security Response.
    • Day-to-day, the candidate will work closely with the Security Response Engineering and Threat Intelligence teams to investigate and understand the technical background of security issues and incidents.
    • This will follow up with compiling, creating and editing information from multiple sources to in-house guidelines.
    • As Symantec Security Response operates 7x24x365, the candidate may be required to work as part of a shift rotation that includes weekends and public holidays.

    Qualifications
    • BA in Computer Science or equivalent industry experience.
    • 3+ years experience in an internet security-related field.
    • Experience with Symantec Security products is a distinct advantage.
    • Strong written and verbal communication skills.
    • Experience in malware analysis is a distinct advantage.
    • The successful candidate will have proven experience in incident handling and response and a general interest in the area of internet security.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    To follow up on this, we've (Symantec Security Response) set up a new team, the Attack Investigations Team. This team handles high priority attacks against customers, investigating e-crime (e.g. Ransomware, financial trojans), and major threats (think Stuxnet/Duqu/Flame etc).

    The team is expanding. We need intelligence analysts. It's not an engineer role, reversing malware, although that is useful to know as you'll have to understand what an engineer explains to you. The analyst's job is to take all the data available on a threat (which is a _lot_, from Symantec/Open Source), make sense of the data and attempt to answer questions about the threat. Who is behind it, why are they doing it etc. You then have to present that work, in the form of papers or presentations/lectures to customers/management and the public. If you are familiar with malware in general, have some research experience, like the idea of investigating cybercrime, can write well and don't mind talking to people, drop me a PM.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Are you a recruiter for Symantec? Or are you a Symantec employee who is hoping to up his referral bonus?


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    syklops wrote: »
    Are you a recruiter for Symantec? Or are you a Symantec employee who is hoping to up his referral bonus?

    I'm not a recruiter. I'm trying to fill out my team with quality people. I contacted the moderators about posting the previous jobs and they approved it. I'm advertising the jobs here as the standard of people posting on the forum is, usually, good.

    I'm happy to answer any questions you have about the job.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Gavin wrote: »
    I'm not a recruiter. I'm trying to fill out my team with quality people. I contacted the moderators about posting the previous jobs and they approved it. I'm advertising the jobs here as the standard of people posting on the forum is, usually, good.

    I'm happy to answer any questions you have about the job.

    I apologise if my post came off as abrupt, or even rude, though can I suggest you introduce yourself in future posts so that people on this list reading the job description know that you are on the team that is advertising the jobs.

    When you said that pay levels are internally confidential and therefore you could not disclose the ranges, it sounded like you were further removed from the team than you are.

    Also, when there weren't any posts for almost a year and you added the news about the creation of the Attack Investigations Team, it looked like a bump.

    Apologies again.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    syklops wrote: »
    I apologise if my post came off as abrupt, or even rude, though can I suggest you introduce yourself in future posts so that people on this list reading the job description know that you are on the team that is advertising the jobs.

    When you said that pay levels are internally confidential and therefore you could not disclose the ranges, it sounded like you were further removed from the team than you are.

    Also, when there weren't any posts for almost a year and you added the news about the creation of the Attack Investigations Team, it looked like a bump.

    Apologies again.

    No problem, thanks for the reply. You are right, I should have clarified that I work on the team as a senior analyst.

