Threat Analyst

Job#: 3032934

Job Description:

Job Title:

Insider Threat Analyst (Cybersecurity)

Position Summary

An Insider Threat Analyst identifies, assesses, and helps mitigate security risks posed by trusted insiders (employees, contractors, vendors, and partners) who may intentionally or unintentionally compromise the confidentiality, integrity, or availability of systems and data. They analyze user behavior and system/network activity, investigate suspicious events, and collaborate with Human Resources, Associate Relations and Ethics to respond. They may help refine detection rules to prevent policy violations, data breaches, and intellectual property theft, strengthening internal security controls and protecting organizational assets.

Their goal is to enhance internal security measures and reduce the risk of insider threats.

Key Responsibilities

Detection & Monitoring

* Monitor and triage insider threat signals from tools such as SIEM, UEBA, UAM, DLP, EDR, IAM logs, email security, CASB/SSE, and cloud audit logs.

* Provide input to engineering teams to develop or refine detection logic (use cases, correlation rules, alert thresholds) for insider-risk scenarios (e.g., data exfiltration, privilege abuse, policy violations).

* Identify suspicious patterns such as unusual access times, abnormal download volumes, atypical cloud sharing, or role-inconsistent system access.

Investigation & Response

* Conduct end-to-end investigations: scope events, gather evidence, reconstruct timelines, and document findings.

* Perform log and artifact analysis across endpoints, identity providers, SaaS platforms, and network sources.

* Perform or coordinate containment/response actions (e.g., account disablement, access restriction, endpoint isolation) while maintaining appropriate approvals and chain-of-custody.

* Produce clear incident case notes or summaries suitable for technical and non-technical stakeholders.

* Participate in case management and maintain detailed, defensible documentation.

Collaboration & Enablement

* Work with Ethics/HR/Legal/Privacy/Compliance/Physical Security to ensure investigations are appropriate, proportionate, and aligned to policy and applicable regulations.

* Partner with requisite teams to remediate root causes (misconfigurations, excessive entitlements, weak monitoring).

* Provide input to awareness initiatives (e.g., secure data handling, reporting mechanisms, acceptable use).

* Provide clear and articulate communications, both verbal and in writing.

Program Development & Continuous Improvement

* Help define insider threat playbooks, escalation criteria, and repeatable workflows (e.g., "patient record snooping," "PHI exfiltration," "privileged misuse," "vendor access misuse").

* Track and report program metrics (time-to-triage, time-to-close, recurrence, top sources, control gaps)

* Stay current on insider threat tactics, behavioral indicators, and relevant frameworks and best practices.

Required Qualifications

* Bachelor's degree in Cybersecurity, Computer Science, Information Systems, or equivalent practical experience.

* Lead or support investigations from intake through closure: scope, collect artifacts, analyze activity, establish timelines, and document findings. 6-10+ years in security operations, incident response, threat detection, investigations, or insider risk-preferably within healthcare or other regulated environments.

* Demonstrated ability to independently investigate UAM-derived alerts and reconstruct user activity across endpoints, applications and/or other logs or security tools

* 2-5+ years of experience in cybersecurity operations, threat detection, incident response, or investigations.

* Experience analyzing logs/events from multiple sources (identity, endpoint, network, and cloud).

* Strong knowledge of:

* Insider threat scenarios (malicious, negligent, compromised insider)

* Incident handling and investigative methods

* Access control concepts (RBAC/ABAC), authentication, and privilege management

* Ability to write clear, defensible documentation and communicate findings to diverse stakeholders.

* High integrity and discretion when handling sensitive personnel and security matters.

Preferred Qualifications

* Experience with insider-risk platforms and/or relevant tooling: UEBA, DLP, UAM, SIEM (Splunk), EDR (Crowd Strike), IAM (Okta/Azure AD), M365/GWS audit logs, CASB/SSE.

* Familiarity with investigation/case management workflows and evidence preservation.

* Experience in regulated environments (finance, healthcare, government) and knowledge of privacy considerations.

* Scripting/automation skills (Python, Power Shell) and query languages (KQL, SPL, SQL, EQL).

* Relevant certifications (one or more):

* GCIA, GCIH, GCFA, GNFA

* Security+, CySA+, CASP+

* Splunk/SC-200 or equivalent detection-focused certifications

* CISSP, ITPM, or similar cybersecurity certifications.

Core Competencies

* Analytical thinking and hypothesis-driven investigation

* Behavior analytics and insider threat potential risk indicators

* Sound judgment…