GitHub is changing the way the world builds software, and we want you to help change the way we secure GitHub. We are looking for an experienced Detection Engineering Lead to join our remote SIRT focused on detecting and responding to security threats against GitHubbers, GitHub users, and abuse of GitHub infrastructure.
Interested in leading efforts related to threat hunting, MITRE ATT&CK, building and tuning detection logic, alert enrichment, or response automation?
As a Detection Engineering Lead, you will, alongside peers within GitHub Security as well as GitHub's Engineering, Legal, and Support teams, lead efforts to design and build a comprehensive threat detection program. This includes work to improve telemetry, build and tune alerting and enrichment tools, and then use those tools for intrusion detection, incident response, and hunting. A successful applicant will have a desire to provide technical leadership for detecting and hunting a variety of adversaries in diverse environments at scale.
SIRT Detection Engineering Lead Responsibilities Provide day-to-day technical and process leadership for engineers designing and building a comprehensive, structured threat detection program. Identify active threats to GitHub system environments including GitHub.com, corporate networks, third party services, and individual user endpoints. Lead work with stakeholders throughout security and engineering to develop and improve threat detection logic, enhance response capabilities, and deploy new tools. Lead structured hunting for novel or anomalous activity indicative of bad actor tactics, techniques, and procedures (TTPs). Lead alert enrichment and detection response automation efforts. Create and maintain relevant team documentation and standards.
Required Skills & Experience 5+ years experience or demonstrable proficiency in threat detection or threat intelligence. Proven experience providing technical leadership to a team of security analysts or engineers. General experience in the following disciplines with deep experience in one or more: Log analysis: Large scale analysis of standard and custom log types using client and server side log analysis tools such as Splunk, ELK, and lnav. Familiarity with file system, memory, or live response on MacOS and/or Linux. Network traffic analysis: Analyze network telemetry from intrusion detection systems and flow monitoring systems. Detection development: Host and network level detection with tools such as osquery, yara, auditd, etc. Threat intelligence: Collection, analysis, production, or consumption of threat data and finished intelligence. Experience using or securing Linux day-to-day in a production environment. Basic scripting experience with Ruby, Python, Bash, or Powershell. Exceptional documentation and written communication skills.