Senior Threat Analyst

Insider Threat Analyst (Cybersecurity)

Position Summary:

An Insider Threat Analyst identifies, assesses, and helps mitigate security risks posed by trusted insiders (employees, contractors, vendors, and partners) who may intentionally or unintentionally compromise the confidentiality, integrity, or availability of systems and data. They analyze user behavior and system/network activity, investigate suspicious events, and collaborate with Human Resources, Associate Relations, and Ethics to respond. They may help refine detection rules to prevent policy violations, data breaches, and intellectual property theft, strengthening internal security controls and protecting organizational assets.

Their goal is to enhance internal security measures and reduce the risk of insider threats.

• Monitor and triage insider threat signals from tools such as SIEM, UEBA, UAM, DLP, EDR, IAM logs, email security, CASB/SSE, and cloud audit logs.
• Provide input to engineering teams to develop or refine detection logic (use cases, correlation rules, alert thresholds) for insider‑risk scenarios (e.g., data exfiltration, privilege abuse, policy violations).
• Identify suspicious patterns such as unusual access times, abnormal download volumes, atypical cloud sharing, or role‑inconsistent system access.

• Conduct end‑to‑end investigations: scope events, gather evidence, reconstruct timelines, and document findings.
• Perform log and artifact analysis across endpoints, identity providers, SaaS platforms, and network sources.
• Perform or coordinate containment/response actions (e.g., account disablement, access restriction, endpoint isolation) while maintaining appropriate approvals and chain‑of‑custody.
• Produce clear incident case notes or summaries suitable for technical and non‑technical stakeholders.
• Participate in case management and maintain detailed, defensible documentation.

• Work with Ethics/HR/Legal/Privacy/Compliance/Physical Security to ensure investigations are appropriate, proportionate, and aligned to policy and applicable regulations.
• Partner with requisite teams to remediate root causes (misconfigurations, excessive entitlements, weak monitoring).
• Provide input to awareness initiatives (e.g., secure data handling, reporting mechanisms, acceptable use).
• Provide clear and articulate communications, both verbal and in writing.

• Help define insider threat playbooks, escalation criteria, and repeatable workflows (e.g., “patient record snooping,” “PHI exfiltration,” “privileged misuse,” “vendor access misuse”).
• Track and report program metrics (time‑to‑triage, time‑to‑close, recurrence, top sources, control gaps).
• Stay current on insider threat tactics, behavioral indicators, and relevant frameworks and best practices.

• Bachelor’s degree in Cybersecurity, Computer Science, Information Systems, or equivalent practical experience.
• Lead or support investigations from intake through closure: scope, collect artifacts, analyze activity, establish timelines, and document findings. 6–10+ years in security operations, incident response, threat detection, investigations, or insider risk—preferably within healthcare or other regulated environments.
• Demonstrated ability to independently investigate UAM‑derived alerts and reconstruct user activity across endpoints, applications and/or other logs or security tools.
• 2–5+ years of experience in cybersecurity operations, threat detection, incident response, or investigations.
• Experience analyzing logs/events from multiple sources (identity, endpoint, network, and cloud).
• Strong knowledge of:
• Insider threat scenarios (malicious, negligent, compromised insider)
• Incident handling and investigative methods
• Access control concepts (RBAC/ABAC), authentication, and privilege management
• Ability to write clear, defensible documentation and communicate findings to diverse stakeholders.
• High integrity and discretion when handling sensitive personnel and security matters.

• Experience with insider‑risk platforms and/or relevant tooling: UEBA,…