Insider Threat Signature Developer

Job Description

Job Description

OVERVIEW:

A specialized security professional responsible for designing, implementing, and maintaining behavioral and rule-based signatures to detect insider threats. Collaborates with threat intelligence, security operations, and engineering teams to translate risk insights into actionable rules and automated responses. Works closely with business and IT stakeholders to identify critical assets and potential threat vectors and evaluate and recommend security technologies to improve the organization's insider threat posture.

GENERAL DUTIES:

• Design, implement, and maintain insider threat detection signatures tailored to organization data, user behavior, and access patterns.
• Translate threat intelligence and incident learnings into practical, testable signatures; continuously refine signals to reduce false positives.
• Collaborate with Insider Threat Program (ITP) stakeholders to align signatures with policies, acceptable use, and incident response playbooks.
• Validate and test signatures in controlled environments, document detection logic, data sources, and tuning parameters.
• Monitor performance and effectiveness of signatures; propose and implement improvements.
• Contribute to threat modeling exercises by mapping insider risk scenarios to measurable signals.
• Maintain versioned signature libraries, track changes and rollback plans.
• Participate in incident response, providing signature-based evidence and analytics to support investigations.
• Ensure signatures comply with privacy, legal, and data protection requirements.
• Regulatory Adherence: Ensure that all insider threat detection activities comply with relevant regulations, such as CNSS, ICDs, and industry-specific standards.
• Audits and Reviews: Participate in internal and external audits, providing evidence of compliance and effectiveness of insider threat triggers.
• Incident Investigation: Assist in the investigation of incidents related to insider threats, providing insights derived from triggers and alert analysis.
• Root Cause Analysis: Conduct root cause analysis to identify underlying issues and recommend corrective actions to prevent future occurrences.
• Remediation: Support the implementation of remediation measures based on the findings of incident investigations.
• Regular Reporting: Generate regular reports on the performance and effectiveness of insider threat triggers, highlighting key trends and insights.
• Metrics Development: Develop and track key performance indicators (KPIs) to measure the success of insider threat detection efforts.

REQUIRED QUALIFICATIONS:

• 8 years of experience in DoD/IC insider threat programs developing and testing signatures and rules to detect anomalous user and entity behaviors and validating those detections against real or simulated insider‑risk scenarios.
• Demonstrated application of ICS 500‑27 and CNSSD 504 requirements in the design and operation of insider threat capabilities.
• Proven program building experience, advanced detection strategies (including behavior analytics), and enterprise‑level governance of insider threat detection and response activities.
• Degree Requirements Masters Degree in related field or an additional 6 years of experience
• Certification Requirements: Must be DoD 8570 IAT Level III Certified
• Highly Desired: Certified Counter Insider Threat Professional (CCITPF/CCITPA)

CLEARANCE:

• TS/SCI