Security Response Engineer, Infrastructure

With over 17,000 employees worldwide, the mission of the Customer Experience & Success (CE&S) organization is to empower customers to accelerate business value through differentiated customer experiences that leverage Microsoft’s products and services, ignited by our people and culture. Come join CE&S and help us build a future where customers achieve their business outcomes faster with technology that does more.

The Global Customer Success (GCS) organization, an organization within CE&S, is leading the effort to enable customer success on the Microsoft Cloud by harnessing leading, AI-powered capabilities and human expertise to deliver innovation solutions that accelerate business value, drive operational excellence and nurture long term loyalty.

This role is a crucial part of a collaborative team that works together to serve as infrastructure specialists and assist our customers collect data critical to the success of an investigation, containment and recovery in the midst of a cyber-attack. You will also implement containment measures, and proactively address threats while also ensuring large-scale infrastructure recovery.

This role is flexible in that you can work up to 100% from home.

Microsoft’s mission is to empower every person and every organization on the planet to achieve more. As employees we come together with a growth mindset, innovate to empower others and collaborate to realize our shared goals. Each day we build on our values of respect, integrity, and accountability to create a culture of inclusion where everyone can thrive at work and beyond.

5+ years of relevant work experience 
• Excellent oral and written communication skills
• Ability to work with the team in a customer environment.
• 3 to 5 years of experience with security fundamentals across Microsoft platforms (Client, Server, Cloud).
• 3 to 5 years of experience deploying advanced Windows client security technologies and technologies such as Intune, MECM, Ansible, Puppet.
• 3 to 5 years of expertise in Kusto Query Language or equivalent, and scripting skills in PowerShell or Python.
• 3 to 5 years of advanced understanding of Windows authentications (NTLM, Kerberos, LDAP) and supporting technologies such as Active Directory Federation Services and Active Directory Certificate Services.
• 3 to 5 years of experience with understanding and troubleshooting Hybrid Identity, including Active Directory, Azure AD, and technologies such as Azure AD Connect and Azure AD Password Protection.
• 3 to 5 years of extensive Cybersecurity knowledge and understanding within the Identity plane, such as Azure Active Directory Logging, Risk Events, Multi-Factor Authentication, Microsoft Defender for Identity, Privileged Identity Management (PIM), and other Microsoft 365 Defender technologies.
• Expertise in cloud authentication technologies (OAuth, OpenID, SAML, WS-Fed)
• Solid understanding of Conditional Access, Privileged Identity Management, Just in Time access
• Demonstrated expertise in understanding and countering common attack vectors and tools, including but not limited to Pass-the-Hash (PtH), Pass-the-Ticket (PtT), Golden Ticket, Golden SAML, and Ransomware.
• 3 to 5 years of extensive experience in Active Directory recovery and implementation.
• 3 to 5 years of expertise in Multifactor and passwordless authentication.
• 3 to 5 years of expertise in at least two, preferably three products from the Microsoft Defender suite (Defender for Endpoint, Defender for Cloud Apps, Defender for Cloud, Defender AV).
• 3 to 5 years of expertise in SIEM and SOAR platforms such as Microsoft Sentinel, Splunk, QRadar, etc.
• 3 to 5 years of knowledge of Linux internals.
Additional Qualifications
• 3-5 years+ experience with effective operational management processes to ensure effective tasking amongst your internal team members when managing customer infrastructure actions in a limited window of time.
• Security Certifications in any of the following preferred: OSCP, CISSP, SANs Certifications. Or SC Certifications from Microsoft
• Ability to operate effectively in high pressure incident response environments where customers are experiencing a potentially business-ending event and your evidence-driven plans of action dictate their next steps.
• Ability to communicate complex and technical considerations effectively to customer representatives of varying levels - from deep environment and platform technical considerations, through to communicating the effective impact and outcome of your infrastructure recommendations to the C-suite level.
• Effective communication with your fellow team members ensuring effective sharing of your current workload, most importantly in a follow-the-sun format when working with fellow team members from across the globe.
• Ability to translate requests from customers and from your fellow analysts through to other teams within Microsoft for effective product feedback.

Ability to meet Microsoft, customer and / or government security screening requirements are required for this role. These requirements include, but are not limited to the following specialized security screenings: Microsoft Cloud Background Check: This position will be required to pass the Microsoft Cloud Background Check upon hire / transfer and every two years thereafter.

Microsoft is an equal opportunity employer. All qualified applicants will receive consideration for employment without regard to age, ancestry, color, family or medical care leave, gender identity or expression, genetic information, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran status, race, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable laws, regulations and ordinances.  We also consider qualified applicants regardless of criminal histories, consistent with legal requirements. If you need assistance and/or a reasonable accommodation due to a disability during the application or the recruiting process, please send a request via the Accommodation request form.

Benefits/perks listed below may vary depending on the nature of your employment with Microsoft and the country where you work.

Security Software Deployment:
o Lead the deployment and configuration of security tooling at scale across the Microsoft Defender suite of products.
o Provide expert-level support for various identity platforms as well as identity management (IdM) solutions.
o Provide direct feedback to both development teams and product groups for continued product improvements.
Troubleshoot issues related to the deployment of security tooling.
• Threat Containment
o Develop and implement threat containment strategies to prevent the escalation of security incidents within the Active Directory, network, and client environments.
o Work in coordination with the larger incident response team to contain and mitigate security threats promptly.
o Implement security measures following both Microsoft and industry standards to contain threats both on-premises and in the cloud.
• Recovery
o Recovery of Active Directory Forests from destructive based cyber-attacks.
o Recovery of key Infrastructure components across the Microsoft technologies both on-premises and cloud
o Recovery of authentication services such as Active Directory Federation Services and Active Directory Certificate Services.
• Threat Hunting
o Conduct threat hunting across customer’s networks with indicators of compromise, hunting for evidence of a compromise
o Conduct incident response within various Cloud platforms
o Identify attacker tools, tactics, and procedures to develop indicators of compromise
o Identify and investigate intrusions to determine the cause and extent of the breach, by leveraging EDR solutions and threat intelligence sources
• Troubleshooting Active Directory L300/400: Replication, Group Policy, DFSR
o Able to understand complex Active Directory environments and resolve issues relating to AD health.
o Experience of supporting complex multi-forest AD topologies
o Experience in authoring and triaging Group Policies in large, regulated environments
o Ability to identify defects or misconfiguration in AD services
• Troubleshooting Windows Server OS Roles (DNS, DFS, Clustering, Storage, Networking)
o Experience triaging Server roles to restore systems to production state
o Understanding of core networking technologies (DNS, Routing/Switching, Firewalls)
• Troubleshooting Virtualization Platforms (VMware, Hyper-V etc)
o Experience administering virtual platforms
o Experience in backup/recovery of virtual platforms
• Managing and Configuring Endpoint Security Platforms
o Experience administering Endpoint Security Platforms: (Microsoft Defender Suite, CS, Falcon etc)
o Experience configuring Endpoint Security Platforms: (IOCs, Agent settings, deployment methods)
o Analyzing endpoint security telemetry using (KQL, Python, Jupyter etc)
• Exhaust all investigative leads in the expectation of discovering novel attacker techniques. Investigate and research these techniques, and partner with threat intelligence and security engineering to drive security tooling and product enhancements.
• Synthesize threat data (telemetry) and evaluate the impact of current security trends, advisories, publications, and academic research, cascading learnings as necessary across partner teams and customers alike, and drive change in our approach to better combat these threats.
• Leverage input from Threat Intelligence team, including strategic, operational, and tactical intelligence to benefit containment and hardening of customer environments, while keeping knowledge and skills current with the rapidly changing threat landscape.
o Similarly, share threat data with threat intelligence and engineering teams and drive research of threat actors and threat activity.
• Participating in a follow-the-sun on-call rotation.
• Short-notice travel will likely be 40% or higher as is demanded by the needs of our customers and our business. This is a global position. Off-time zone hours and weekend work are highly likely. The location of the position is flexible.