IT Security Analyst II
Job Description
The IT Security Analyst II serves as a core contributor within TD Williamson’s Global Cybersecurity team, responsible for security monitoring, alert triage, incident response, and detection engineering across TDW’s global enterprise and industrial environment. TDW is a manufacturer and pipeline service provider whose products and field services are deployed directly into customers’ critical infrastructure operations. This role operates within a modern security operations function with exposure to OT/ICS-adjacent environments inherent to TDW’s manufacturing and pipeline services business.
\nKey Responsibilities
\nPrimary duties may include, but are not limited to:
Security Monitoring & Alert Triage \n- \n
- Perform daily triage of security alerts generated by TDW cybersecurity solutions. \n
- Investigate and disposition alerts with documented verdicts (true positive, false positive, benign true positive), rationale, and supporting evidence. \n
- Manage alert queues and cybersecurity request tasks in TDW’s ticketing system, prioritize based on risk and context, and escalate confirmed or probable incidents per established runbooks. \n
- Operate across overlapping telemetry sources and apply source-awareness when correlating events.
\n \n
Incident Response
\n- \n
- Participate in and lead (at tier) incident response activities following the cycle: Containment → Evidence Preservation → Root Cause Analysis → Remediation → Post-Incident Review. \n
- Conduct host-based, log-based, and identity-based investigation across available security tooling and data sources. \n
- Document incident findings clearly, distinguishing confirmed findings from hypotheses, and produce post-incident summaries suitable for technical and non-technical audiences. \n
- Support escalation to senior analysts, legal counsel, or external parties when incidents may constitute reportable breaches under applicable law (GDPR, PIPEDA, DPDP Act, etc.).
\n \n
Identity & Cloud Security Support
\n- \n
- Support investigation and response for identity-based threats including credential abuse, MFA bypass attempts, suspicious sign-in activity, and Conditional Access policy violations. \n
- Work with identity and access management telemetry to identify anomalous authentication patterns and support policy enforcement decisions. \n
- Ensure alignment with Zero Trust principles and applicable compliance requirements.
\n \n
Threat Intelligence & Vulnerability Management
\n- \n
- Leverage threat intelligence platforms and open-source resources to enrich investigations, contextualize IOCs, and identify emerging threats relevant to TDW’s industrial sector and technology footprint. \n
- Support vulnerability management workflows; assist in prioritization of remediation based on exploitability, asset criticality, and threat context. \n
- Defang and safely communicate IOCs (IPs, domains, hashes) per operational security standards.
\n \n
Documentation, Policy & Security Awareness
\n- \n
- Develop and maintain SOC runbooks, triage playbooks, and exception documentation to operational standards. \n
- Contribute to the development and review of information security procedures, ensuring alignment with NIST CSF 2.0, ISO/IEC 27001:2022, and MITRE ATT&CK. \n
- Provide consultation to IT engineering and business stakeholders on security best practices relevant to their operational context. \n
- Support security awareness initiatives and participate in knowledge transfer with peers.
\n \n
Experience
Required \n- \n
- Bachelor’s degree in Computer Science, Cybersecurity, Information Systems, or a related technical field, plus 2–5 years of hands-on experience in a security operations, detection engineering, or incident response role; or an equivalent combination of education and directly applicable experience. \n
- Demonstrated experience working within a SIEM platform (Elastic, Splunk, Microsoft Sentinel, or comparable) including alert triage, query development, and rule management. \n
- Practical experience with endpoint detection and response (EDR) platforms and log-based investigation. \n
- Experience with ServiceNow or a comparable enterprise ticketing platform for incident tracking, request management, and documentation of security events. \n
- Familiarity with firewall technologies and proficiency in analyzing network and firewall logs to support triage and documentation of security findings. \n
- \n
- Experience with Elastic Security (SIEM Serverless or self-managed), including KQL/EQL query authoring and Elastic ingest pipeline configuration. \n
- Experience with Microsoft cybersecurity tooling including endpoint protection, identity, and device management platforms. \n
- Familiarity with cloud environments (Microsoft Azure preferred) and cloud-native security telemetry. \n
- Familiarity with Cisco Meraki and Palo Alto firewall platforms is preferred. \n
- Exposure to industrial or OT/ICS environments; familiarity with the Purdue Model for ICS/SCADA architecture, IEC 62443, or equivalent OT security frameworks is a plus. \n
- Familiarity with application allowlisting concepts and platforms is preferred. \n
- Awareness of GDPR, PIPEDA, or other applicable privacy regulations as they relate to security monitoring, logging scope, and incident notification obligations. \n
- Understanding that security telemetry involving EU/EEA employee data (Belgium, Germany, Norway) carries specific data handling and breach notification obligations. \n
- Industry certifications such as CISSP, CompTIA Security+, CySA+, Elastic Certified Analyst, AZ-900 or equivalent cloud infrastructure certification (Azure, AWS, or GCP), ITIL Foundation, or equivalent.
\n \n
Knowledge, Skills, and Abilities
\n\nTechnical \n
- \n
- Working knowledge of MITRE ATT&CK framework; ability to map observed behaviors to tactics and techniques and apply that context to detection and response decisions. \n
- Proficiency in KQL or comparable query language for security investigation and detection rule development. \n
- Understanding of Windows security event logging, authentication protocols, and common attacker techniques targeting Active Directory and Entra ID (e.g., credential theft, lateral movement, persistence). \n
- Familiarity with network concepts, DNS, TLS inspection, and cloud access security broker (CASB) functions. \n
- Ability to read and interpret process telemetry, command-line arguments, and file system events for behavioral analysis. \n
- Familiarity with NIST CSF 2.0 and ISO/IEC 27001:2022 as operational frameworks. \n
- \n
- Strong analytical and investigative skills; ability to synthesize evidence from multiple sources into a coherent, defensible triage verdict. \n
- Sound judgment in distinguishing true threats from false positives without over-relying on single indicators. \n
- Ability to manage competing priorities in a fast-paced, globally distributed operational environment. \n
- Attention to detail in documentation; all investigation findings, exceptions, and tuning decisions must be clearly recorded. \n
- \n
- Strong written and verbal communication skills; ability to convey technical findings clearly to both technical peers and non-technical stakeholders. \n
- Ability to work collaboratively with IT Engineering, legal, compliance, and HR functions, particularly in cross-functional incident scenarios. \n
- Comfort operating in a globally distributed team across multiple time zones. \n