SOC Engineer and Incident Response

Contract Type: Contractor
Location: London and Remotely (2 to 5 days per week)
Apply: here
The Role

Help us define, manage, and expand our day-to-day operations within our existing SOC. Handle Security incidents and help to fix root causes.

What will you do?
  • You will be responsible for initial analysis/investigation of data and the escalation and management of incidents on a day-to-day basis.
  • The role requires you to have previous experience of working in a SOC, along with hands-on experience in helping to define and build monitoring and detection capabilities.
  • Detect, respond to and remediate security events and incidents across our infrastructure
  • Write and publish urgent advisories and periodic reports to provide situational awareness and communicate cyber threats in an actionable format to management
  • Support the implementation of the Photobox Threat Management strategy
  • Use and maintenance of security tooling
  • Advise the Senior Threat Management Analyst around the cyber threat landscape
  • Work closely with compliance and architecture functions
Who are you?
  • Knowledge of AlertLogic and AlienVault or Elastic Stack/ELK
  • AWS Security
  • Experience of Security Information & Event Management (SIEM)
  • Experience in Akamai Kona (WAF), monitoring and writing rules
  • Experience in creating and deploying AWS WAF rules powered by Lambda(s)
  • Experience in creating network diagrams (ideally from code/data)
  • Programming experience (Python, JavaScript or Bash)
  • Creation of dashboards using Kibana, Grafana or Nagios
  • Calm under pressure
  • Experience with high performance security operations team
  • Experience of managing incidents end-to-end
  • Risk management and cyber threat resilience advisory experience
  • Experience around supporting advanced cyber solutions – SIEM, IPS, HIPS, NGFW, Sandboxing & Freeware tools
Tech Stack
  • AlertLogic and AlienVault or Elastic Stack/ELK
  • AWS, Akamai, WAF, Lambda
  • Risk Visualisation
  • Python, JavaScript, Bash
  • Kibana, Grafana or Nagios
#1: Work with us in GitHub

In order to respond to the challenges in a scalable and collaborative way, we ask candidates to use a Hugo website, which is already set up for you.

  1. clone the repo https://github.com/project-cx/pbx-candidate-answers
    • if you are happy for your answers to be publicly available, you can just fork it
    • note that GitHub charges for private repos, but BitBucket doesn’t
  2. set-up dev/test environment (optional, but this helps when writing content or modifying the template)
    • if you are running locally, set up Go and Hugo to run the build (either on your host or using docker).
    • if you are running from GitHub, in your repo settings, set the master branch to host the GitHub Pages site
  3. add your answers as an entry to _posts folder (see examples)
  4. push your changes to your repo
  5. send us an email to project-cx@photobox.com with a link to your repo
  6. we will reply with more details and a link to a Slack channel

Note that, depending on your CV, and how you rate against other candidates, we may ask you to submit a couple more challenges

Important: Don’t wait until you have all the answers to ping us (step #5). Part of the evaluation is to see how your work evolves and how we collaborate together.

#2: Lambda - Stop EC2 Instances

Create Lambda functions to:

  • Show a list of running instances (all regions and metadata)
  • Stop EC2 instances that have not been accessed for a period of time or have a low CPU usage
  • Set up an Elastic (ELK) Stack, feed logs into it and create a dashboard.
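As an added example (not part of the Photobox challenge page and not their reference solution), here is the shape a "stop idle EC2 instances" Lambda can take. The decision rule is kept in pure functions so it can be run offline on constructed data, and the boto3 calls (describe_regions, describe_instances, get_metric_statistics, stop_instances) are isolated in their own helpers. The idle policy is an assumption: an instance counts as idle when its average CloudWatch CPUUtilization over the lookback window is below CPU_THRESHOLD, or when CloudWatch has no datapoints for it at all; instances carrying the hypothetical `do-not-stop` tag are exempt.

```python
"""Idle-EC2 stopper: selection logic plus thin AWS wrappers (added example)."""
from datetime import datetime, timedelta, timezone

try:
    import boto3  # only needed when running as a Lambda; optional offline
except ImportError:
    boto3 = None

CPU_THRESHOLD = 5.0       # percent; hypothetical policy value
LOOKBACK_HOURS = 24       # hypothetical lookback window
KEEP_TAG = "do-not-stop"  # hypothetical exemption tag


def summarise(instance):
    """Reduce a describe_instances() instance dict to the metadata we report."""
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    return {"InstanceId": instance["InstanceId"], "Region": instance["Region"],
            "InstanceType": instance["InstanceType"],
            "LaunchTime": instance["LaunchTime"].isoformat(),
            "Name": tags.get("Name", ""), "Tags": tags}


def is_idle(datapoints, threshold=CPU_THRESHOLD):
    """Idle when the mean of the 'Average' CPU datapoints is under threshold,
    or when CloudWatch returned nothing for the window (never exercised)."""
    if not datapoints:
        return True
    return sum(d["Average"] for d in datapoints) / len(datapoints) < threshold


def select_idle(instances, cpu_by_id, threshold=CPU_THRESHOLD):
    """Ids of running, non-exempt instances whose CPU history says idle."""
    chosen = []
    for inst in instances:
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        if inst["State"]["Name"] != "running" or KEEP_TAG in tags:
            continue
        if is_idle(cpu_by_id.get(inst["InstanceId"], []), threshold):
            chosen.append(inst["InstanceId"])
    return chosen


def collect_running_instances(session):
    """Lambda path: walk every region, return running instances tagged with Region."""
    regions = [r["RegionName"] for r in session.client("ec2").describe_regions()["Regions"]]
    found = []
    for region in regions:
        ec2 = session.client("ec2", region_name=region)
        pages = ec2.get_paginator("describe_instances").paginate(
            Filters=[{"Name": "instance-state-name", "Values": ["running"]}])
        for page in pages:
            for reservation in page["Reservations"]:
                for inst in reservation["Instances"]:
                    inst["Region"] = region
                    found.append(inst)
    return found


def cpu_datapoints(session, inst, hours=LOOKBACK_HOURS):
    """Hourly average CPUUtilization for one instance over the lookback window."""
    cw = session.client("cloudwatch", region_name=inst["Region"])
    end = datetime.now(timezone.utc)
    resp = cw.get_metric_statistics(
        Namespace="AWS/EC2", MetricName="CPUUtilization",
        Dimensions=[{"Name": "InstanceId", "Value": inst["InstanceId"]}],
        StartTime=end - timedelta(hours=hours), EndTime=end,
        Period=3600, Statistics=["Average"])
    return resp["Datapoints"]


def lambda_handler(event, context):
    """Report all running instances (with metadata) and stop the idle ones."""
    session = boto3.Session()
    instances = collect_running_instances(session)
    cpu = {i["InstanceId"]: cpu_datapoints(session, i) for i in instances}
    idle = select_idle(instances, cpu)
    for inst in instances:
        if inst["InstanceId"] in idle:
            session.client("ec2", region_name=inst["Region"]).stop_instances(
                InstanceIds=[inst["InstanceId"]])
    return {"running": [summarise(i) for i in instances], "stopped": idle}


# Constructed sample data, mirroring the shape boto3 returns (not real instances)
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "Region": "eu-west-1", "InstanceType": "t3.micro",
     "State": {"Name": "running"}, "LaunchTime": datetime(2018, 5, 1, tzinfo=timezone.utc),
     "Tags": [{"Key": "Name", "Value": "batch-worker"}]},
    {"InstanceId": "i-0bbb", "Region": "eu-west-1", "InstanceType": "m5.large",
     "State": {"Name": "running"}, "LaunchTime": datetime(2018, 5, 2, tzinfo=timezone.utc),
     "Tags": [{"Key": "Name", "Value": "web"}, {"Key": KEEP_TAG, "Value": "true"}]},
    {"InstanceId": "i-0ccc", "Region": "us-east-1", "InstanceType": "t3.small",
     "State": {"Name": "running"}, "LaunchTime": datetime(2018, 5, 3, tzinfo=timezone.utc),
     "Tags": []},
]
SAMPLE_CPU = {
    "i-0aaa": [{"Average": 1.2}, {"Average": 0.8}],    # idle
    "i-0bbb": [{"Average": 0.5}],                      # idle but exempt by tag
    "i-0ccc": [{"Average": 40.0}, {"Average": 55.0}],  # busy
}

if __name__ == "__main__":
    print(select_idle(SAMPLE_INSTANCES, SAMPLE_CPU))
```

Keeping the rule separate from the AWS calls is what makes the behaviour reviewable: the Lambda role only needs ec2:DescribeRegions, ec2:DescribeInstances, cloudwatch:GetMetricStatistics and ec2:StopInstances, and the exemption tag gives owners a way to opt production hosts out before the function is scheduled.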
#3: Vulnerabilities Discovered

What kind of vulnerabilities have you discovered in real-world applications?

  • How did you find them?
  • How did you report them?
  • Did you write tests/PoCs that the developers could use to replicate the issue?
  • Did you receive a bug-bounty payment for them?
#4: Programming Experience
  • How much programming experience do you have?
    • What languages can you program in?
    • What is your favorite language and why?
    • How do you use those skills in real-world (business) situations?
#5: Interesting Research

Describe something technology related that you’ve done recently that is cool and interesting:

  • Why did you do it?
  • What did you learn?
  • Draw a diagram or graph of the workflow (can be a screenshot of a paper based drawing)
#1: Log Analysis

You are given 5 GB, 50 GB or 500 GB of nginx server logs (pick the one you are most comfortable handling). These logs cover a period over which we know a high-severity vulnerability was exposed.

Your job is to:

  1. build an AWS-based infrastructure to consume, query, and visualise the data
  2. find evidence of that vulnerability being exploited (and if so, by whom)

You can use any technology or service required.

Explain the kind of dashboard that you would create, and how you would use it to understand the vulnerability impact (or exploitation).
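As an added example (not from the Photobox page, and not tied to whichever vulnerability their logs contain), the first query an analyst would run against those nginx logs before any AWS/ELK pipeline exists: parse the default `combined` log format, keep only requests whose path matches a pattern the analyst supplies, and summarise per client IP how many attempts were made, how many returned a 2xx (the attempt may have worked), which user agents were used and the time window. The path `/vuln-endpoint` in the constructed sample is a placeholder; malformed lines are counted rather than silently dropped, since gaps in the evidence matter during an investigation.

```python
"""Per-client triage over nginx 'combined' access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# nginx default 'combined' log_format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def triage(lines, path_pattern):
    """Aggregate per-IP evidence for requests whose path matches path_pattern.

    Returns (rows sorted by attempts descending, count of unparsable lines).
    Each row: ip, attempts, succeeded (2xx responses), agents, first, last.
    """
    pat = re.compile(path_pattern)
    per_ip = defaultdict(lambda: {"attempts": 0, "succeeded": 0, "agents": set(),
                                  "first": None, "last": None})
    unparsable = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsable += 1
            continue
        if not pat.search(rec["path"]):
            continue
        s = per_ip[rec["ip"]]
        s["attempts"] += 1
        if 200 <= rec["status"] < 300:
            s["succeeded"] += 1
        s["agents"].add(rec["ua"])
        s["first"] = rec["time"] if s["first"] is None else min(s["first"], rec["time"])
        s["last"] = rec["time"] if s["last"] is None else max(s["last"], rec["time"])
    rows = [{"ip": ip, **v, "agents": sorted(v["agents"])} for ip, v in per_ip.items()]
    return sorted(rows, key=lambda r: (-r["attempts"], r["ip"])), unparsable


# Constructed sample lines (documentation IP ranges); /vuln-endpoint is a placeholder path
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2018:13:56:01 +0000] "POST /vuln-endpoint HTTP/1.1" 500 0 "-" "python-requests/2.18"
198.51.100.4 - - [10/Jun/2018:13:56:05 +0000] "POST /vuln-endpoint HTTP/1.1" 500 0 "-" "python-requests/2.18"
198.51.100.4 - - [10/Jun/2018:13:56:09 +0000] "POST /vuln-endpoint HTTP/1.1" 200 88 "-" "python-requests/2.18"
203.0.113.7 - - [10/Jun/2018:14:02:11 +0000] "GET /vuln-endpoint HTTP/1.1" 404 0 "-" "Mozilla/5.0"
this line is not in combined format
""".splitlines()

if __name__ == "__main__":
    rows, bad = triage(SAMPLE_LOG, r"^/vuln-endpoint")
    for row in rows:
        print(row["ip"], row["attempts"], row["succeeded"], row["agents"],
              row["first"].isoformat(), row["last"].isoformat())
    print("unparsable lines:", bad)
```

The same fields (attempts, 2xx ratio, user agents, first/last seen per client) are what the Kibana dashboard in the AWS-based version would visualise; the offline script is useful for checking that the pipeline's parsing agrees with a known-good result on a sample of the data.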

#2: EC2 with Vulnerable Site

Create EC2 instance (or container), run a vulnerable website inside it, and:

  • Generate traffic (manually or with a tool)
  • Create CloudWatch alerts & CloudTrail dashboards that show those alerts
#3: Dashboards

Use a free log service (Loggly) or an ELK stack (Elastic) to create dashboards.

#4: Darktrace Alert

DarkTrace (AI-based network IDS) raises an alert caused by the download of an unknown executable by a user with administrator privileges. Further analysis of DarkTrace logs for the affected device shows unusual network activity.

Describe how you would proceed to achieve the same understanding in TechOps, DevOps, Business, and Management.

Bonus points for mapping what could be the possible malicious and non-malicious (benign) root causes of this incident.

Objective: Understand and contain issue(s) without any pushes to production

  • You can use any technology you want (ideally ones you have experience with) and any Group Security team size
  • Describe what you would do and how you would act (ideally in diagram format)
  • Who would you talk to?
  • What actions would you take to contain and remediate the issue(s)?

Resources and Technologies available:

  • Techops, Webops, and Dev teams
  • Slack, Jira, Confluence, ELK, Grafana, Nagios, Akamai, AWS, Cisco Firewalls, Landeks, and DarkTrace
#5: AWS Root Key

A legacy SVN server is found to be exposed on the internet. Review of the source code identifies a number of secrets:

  • Usernames and passwords of production DBs and Servers
  • An AWS key; upon review, the AWS key is active and has root privileges

Objective: Understand and contain issue(s) without any pushes to production

  • You can use any technology you want (ideally ones you have experience with) and any Group Security team size
  • Describe what you would do and how you would act (ideally in diagram format)
  • Who would you talk to?
  • What actions would you take to contain and remediate the issue(s)?

Resources and Technologies available:

  • Techops, Webops, and Dev teams
  • Slack, Jira, Confluence, ELK, Grafana, Nagios, Akamai, AWS, Cisco Firewalls, Landeks, and DarkTrace

Why else should you be interested?

Quite simply, you don’t like standing still. You are passionate about working on different and ambitious projects from Day 1 - otherwise you’d be bored! You thrive on working with people from different nationalities, different cultures and languages. You want to work within a successful and recognised company, but you also want the freedom to bring forward your own solutions and to make your own impact. You want to work somewhere where people really do know each other by name and where they genuinely want to help and challenge each other to learn, be better and more innovative every day. Most importantly, you want to work in a business where spreading joy is the mission and where we all have fun making it happen.

Photobox Group Security mission and principles

Our mission is to secure the magic moments created by our customers, across all our brands. Our operating principles define what we focus on and how we make decisions. We hold ourselves accountable against these principles.

  1. We are enablers for the organisation, not blockers
  2. We drive transparency and accountability in risk management
  3. We minimise vulnerabilities
  4. We hack ourselves first
  5. We educate and empower our internal stakeholders and developers
  6. We contribute to adding financial value

Why join Photobox Group Security?

PhotoBox Group Security is a trusted, high-energy, empowered, and proactive team. If you are looking for a place to make a difference, learn a lot, be part of a highly productive team, and are able to work collaboratively with all parts of the business, this is the place for you.

We have a great culture, with a very horizontal structure. We expect you to be knowledgeable, trustworthy, empowered, friendly, focused, and responsible.

How to apply

In order to provide a fair and objective recruitment process, before we invite you for face-to-face interviews, we ask you to submit your answers to theoretical and practical challenges. This helps us to identify your suitability and experience level.

Each challenge should take no longer than 10 to 15 minutes to complete; however, in order to highlight your key skills, you may take longer than the suggested time if you wish.

Please see SOME OF THE CHALLENGES we might ask you to do (we customise these based on your experience and CV).

About us

Photobox Group is Europe’s leading digital consumer service for personalised products and gifts and parent of the Photobox, Moonpig, Hofmann and posterXXL brands.

Creative Commons License

© 2018, Photobox Group Security. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Contact

Photobox Group Security
Unit 7, Metal Box Factory
30 Great Guildford Street
London
SE1 0HS
England