Threat Detection Architect
The Threat Detection Architect is responsible for establishing and maintaining the detection targets / roadmaps and overseeing process / execution of detection content and use cases through collaboration with Operational and Engineering teams. The architect will perform analysis on and recommend solutions for detection gaps to build an ecosystem of robust detection rules across multiple security tools to address Cyber threats. The architect will provide subject matter expertise, mentorship, and leadership in the utilization of tools across the environment to complete and resolve the most complex security investigations. When needed, the architect will provide the highest level of technical capabilities and support across security tools in the environment to investigate, contain, and mitigate the impact of complex/critical security incidents. This role reports directly to the Director of Cyber Defense Operations.

 

The Cyber Defense Operations team is responsible for the protection, monitoring, detection, response, and recovery from security incidents across Comerica's environment. The team includes, amongst others, the Security Operations Center (SOC) and Threat Operations. The Threat Detection Architect role resides at the epicenter of the Cyber Defense Operations team, providing support to operations teams in the identification and creation of detection content and is ultimately responsible for the lifecycle of the threat-informed defense program. The ideal candidate will have Cybersecurity / IT certifications (e.g. CompTIA Network+, CompTIA Security+, GCIA, GCIH, GREM, or GPEN)

Position Responsibilities:

Threat Detection Architecture

Establish and maintain threat detection coverage targets. Collaborate closely with the Threat Intelligence team to perform research on current threats and adversaries that target institutions similar to Comerica, to gain an understanding of current tactics, techniques, and procedures utilized. Conduct regular analysis of the current state of detection rules within Comerica's security suite of tools against the threat landscape to identify coverage gaps and areas for improvement. Perform innovative detection development through hypothesis and supporting research. Propose and ensure validation of detection rules, in collaboration with the SOC and TVM teams, to address coverage gaps and improve threat detection capability across the environment. Identify & evaluate vendors, products, and solutions to enhance threat detection.

Threat Detection Development

Participate in the testing and rollout of proposed rules across the environment to ensure that the quality of the implemented rule is appropriate for operationalization by the SOC. Upkeep and maintain the system of record for detection use cases, ensuring that it provides a live, up-to-date view of detection capabilities across the environment. Update MITRE ATT&CK mapping within the system of record, both to maintain alignment with updates to the MITRE ATT&CK framework and to provide an accurate depiction of detection coverage across the framework. Support response to major incidents by developing custom rules to detect anomalies, interfacing with the Threat Hunting and Threat Intelligence teams to do so. Collaborate with other Engineering and Operations teams within Comerica to troubleshoot, respond, and improve detection capabilities.

Incident Response

Perform advanced technical and forensic analysis for payloads used by threat actors. Provide recommendations on remediation plans for critical incidents to minimize business impact and ensure continuity. Provide advanced subject matter expertise across malware, phishing, cloud access security brokers (CASB), network, and configuration compliance domains to investigate, contain, and mitigate the impact of complex/critical security incidents.

Documentation and Support

Provide clear direction and documentation to Cyber Engineering teams to facilitate the development and implementation of detection rules into security tools. Maintain and provide accurate executive/compliance reporting on detection coverage, both against specific threats or techniques, as well as on the detection program as a whole. Participate in the development / enhancement of processes and technologies impacting the Cyber Defense Operations function. Handle sensitive information in accordance with the Corporate Information Protection Policy.

Other duties as assigned

Positions Qualifications:

Bachelor's Degree from an accredited University in Computer Science, Engineering, Information Systems, or Cyber Security -- OR -- High School/GED with 12 years Progressive Relevant Experience 6 years of Information security / technology experience, preferably in a SOC, NOC, Threat Intelligence, or Threat Hunting 5 years of experience using various operating systems and industry standard monitoring, logging, alerting and investigation processes 5 years of incident response experience. 3 years of experience with scripting skills in common languages (e.g. PowerShell, Python, Java, Bash). 3 years of experience performing forensics on payloads across multiple attack vectors. 3 years of experience in designing detection rules for SIEM and other supplemental platforms. This position is not eligible for sponsorship. Must have indefinite employment authorization. Auburn Hills Operations Center
8:00am - 5:00pm Monday - Friday