Security Researcher

Overview

With over 18,000 employees worldwide, the Microsoft Customer Experience & Success (CE&S) organization is responsible for the strategy, design, and implementation of Microsoft’s end-to-end customer experience. Come join CE&S and help us build a future where customers come to us not only because we provide industry-leading products and services, but also because we provide a differentiated and connected customer experience.

The Global Customer Success (GCS) organization is leading the effort to create the desired customer experience through support offer creation, driving digital transformation across our tools, and delivering operational excellence across CE&S.

The Microsoft Detection and Response Team (DART) is looking for a Principal Security Response Engineer, Infrastructure to join their collaborative team. This position will be a vital individual contributor role on the DART team in taking the lead in threat hunting and forensics in delivery of cybersecurity investigations for our customers. You will work in a fast-paced, intellectually intense, service-oriented environment where collaboration and speed are key to our investigations.

The role is flexible in that you can work up to 100% from home however short notice travel to work onsite alongside customers will likely be 40% or higher as is demanded by the needs of our customers and business. This position may require you to work a rotational On-Call schedule, evenings, weekends or holiday shift. Though schedule changes are not frequent, you will need to have flexibility to accommodate changes as needed.

This role is flexible in that you can work up to 100% from home.

Microsoft’s mission is to empower every person and every organization on the planet to achieve more. As employees we come together with a growth mindset, innovate to empower others and collaborate to realize our shared goals. Each day we build on our values of respect, integrity, and accountability to create a culture of inclusion where everyone can thrive at work and beyond.

Qualifications

Required/Minimum Qualifications

5+ years experience in software development lifecycle, large-scale computing, modeling, cybersecurity, systems administration, and/or anomaly detection

OR Master's Degree in Statistics, Mathematics, Computer Science or related field.

Must be fluent in English

Prefered Qualifications:

Solid understanding of Active Directory and associated components (Kerberos, NTLM, Group Policy, Backup and Disaster Recovery, DNS, AD tiering models, gMSAs)

Solid understanding of Entra ID and associated components (Conditional Access, Multifactor Authentication, Passwordless Authentication, Privileged Identity Management, Identity Protection, Entra ID Connect)

Strong knowledge of cloud authenticaiton protocols such as OAuth, OpenID Connect, SAML and WS-Fed

Strong knowledge of Azure Resource Management, Azure Infrastructure as a Service (IaaS), Tole Based Access Controls (RBAC), Subscriptions, Resource Groups, Management Groups

Proficiency in one or more query languages (KQL, SPL, SQL, etc.)

Experience in PowerShell and bash scripting

Background in, and understanding of the modern attacker kill-chain, MITRE ATT&CK, and emerging enterprise threats including attacks against SaaS Apps and AI Apps, and Oauth Apps

Strong knowledge of at least two or more of the following products in the Microsoft Defender suite

Microsoft Defender for Endpoint

Attack Surface Reduction (ASR), Attack Disruption, Live Response

Microsoft Defender for Identity

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud

Microsoft Defender Antivirus

Active and Passive Mode, coexistence with third party AV products

Additional or Preferred Qualifications

Experience with large scale software deployment using Microsoft Intune, Microsoft Configuration Manager

Experience with Microsoft Public Key Infrastructure (PKI) implementations, Active Directory Federation Services (AD FS)

Understanding and working knowledge of the Linux and MacOS platforms.

Experience with two or more of Microsoft’s portfolio of Artificial Intelligence (AI) products such as Security Copilot, Bing Copilot, Github Copilot, Office Copilot and Windows Copilot

Experience with large scale orchestration and deployment of software using Linux deployment tools such as Ansible, Chef, Puppet, etc.

Experience with SIEM and SOAR platforms such as Microsoft Sentinel, Splunk, IBM QRadar

Understanding of DevOps, concepts such as Version Control, Infrastructure as code, CI/CD Pipelines, Frameworks, Configuration Management and Continuous Monitoring.

Experience with management of virtualization platforms such as Hyper-V, VMware, etc.

Experience with IP network management including routing, firewalls, access control lists, DHCP, packet analysis, and troubleshooting network traffic flow

Experience presenting and filtering through data in Excel, Power BI

Ability to meet Microsoft, customer and / or government security screening requirements are required for this role. These requirements include, but are not limited to the following specialized security screenings: Microsoft Cloud Background Check: This position will be required to pass the Microsoft Cloud Background Check upon hire / transfer and every two years thereafter.

Responsibilities

Conducting Research

Identifies, conducts, and supports others in conducting research into critical security areas, such as competitor products, current attacks, adversary tracking, and academic literature. Partners cross-functionally (e.g., across disciplines, teams, or security versus non-security) to design solutions to prevent attacks. Designs lead to engineering projects. Investigates business critical security issues (e.g., root cause, motivation, and impact). Advocates priorities. Elevates findings appropriately to address and mitigate issues. Solicits feedback and evaluates results to incorporate into future research. Demonstrates judgment in identifying projects and priorities (e.g., what to test and pursue). Understands interplay across Microsoft technologies and how they give rise to attacker opportunities.

Works with others to synthesize research findings into recommendations for mitigation of security issues. Shares across teams. Drives change within team based on research findings. Contributes to professional community through publications.

Analyzes complex issues using multiple data sources to develop insights and identify security problems and threats. Creates new solutions to mitigate security issues. Makes tradeoffs to balance security and operational needs. Identifies and recommends process improvements and adopts best practices. Leverages the work of others to improve existing processes. Helps to drive resolution to systemic security issues through cross-team collaboration. Anticipates previously unknown potential artifacts that could be present in data as indicators of attacker activity. Drives cross-team collaboration. May contribute to professional community through conference and forum presentations.

Recommends prioritization and validation methods for technical indicators. Synthesizes threat data to generate trends, patterns and insights that align to intelligence requirements or customer requests. Reviews findings and identifies nuanced variants. Develops tools to automate analyses.

Leads efforts to clean, structure, and standardize data and data sources. Leads data quality efforts to ensure timely and consistent access to data sources. Curates sources of data and partners to develop and sustain data access across teams. Incorporates new data sources consistent with corporate data privacy standard.

Takes product schedules, dependencies and risk assessments into consideration in performing security design and analysis. Creates a schedule for analysis of large feature areas that accounts for dependencies and meets milestones. Creates schedule for a security analysis that involves several stakeholders and that optimizes their time and effort. Conducts Security Research of Microsoft and competitor products. Researches, analyzes, and summarizes security threats and shares with security assurance and security tooling teams as enhancements to security compliance program.

Identifies, prioritizes, and targets complex security issues that cause negative impact to customers. Creates and drives adoption of relevant mitigations. Suggests and drives appropriate guidance, models, response, and remediation for issues. Drives program and process of mitigation (e.g., automation).

Solution Generation

Identifies, prioritizes, and targets complex security issues that cause negative impact to customers. Creates and drives adoption of relevant mitigations. Suggests and drives appropriate guidance, models, response, and remediation for issues. Drives program and process of mitigation (e.g., automation).

Solves classes of issues systematically and with transparency to customers in technical implementation and automation of solutions related to specific kinds of security issues (e.g., signature detection, malware, threat analysis, reverse engineering). Begins to develop substantial skills in other kinds of security issues outside areas of expertise. Works across disciplines to build improvements in solutions and methods. Uses results from research and experimentation to drive architecture or product direction for Microsoft.

Engages with customers and partners to improve security issues. Analyzes security issues or patterns. Advocates for customers and partners. Develops feedback channels and translates feedback into better security practices. Escalates issues as needed. Fosters adoption of security features (e.g., multi-factor authentication [MFA]). Develops and provides guidance and education that result from resolution of security issues.

Orchestration

Helps to make connections and assist in developing agreements between groups to clarify priorities and identify dependencies. Provides coordination across groups. Articulates key security issues to teams and to upper management. Autonomously drives coordination and collaboration across teams. Participates in internal or external collaboration in representing Microsoft's interests.

Protects tools, techniques, information, and results of security practices. Assesses efficacy of operational security (e.g., red-on-red pen testing). Develops new techniques to evaluate operational security. Teaches others to master techniques.

Effectively manages multiple workstreams and resources during incidents, applies diagnostic expertise, provides guidance to other engineers working to mitigate and resolve issues, and maintains a commitment to the quality of products and services throughout the lifecycle. Ensures proper notes from incidents are documented and drives the execution of quality postmortem and root cause analysis processes across teams. Performs analysis of historical incident data to identify trends, patterns, and issues that should be addressed at high priority.

Leads large-scale security reviews. Leads work on architectural and design security reviews for feature areas. Where appropriate, ensures best practices for security architecture, design and development are in place. Measures return on investment (ROI). Determines value of investment. Measures customer satisfaction. Evaluates security risks and their impact to the affected services and works with Dev. Ops leads, engineering leads and researchers to mitigate risks. Monitors and responds to security events, potential vulnerabilities, exposures, and policy compliance issues.

Industry Leadership

Uses subject matter expertise to identify potential security issues, tools, mitigations, and processes (e.g., architecture, failure modes, attack chain, threat modeling, vulnerabilities). Stays current in knowledge and expertise as security landscape evolves. Makes expertise available to others and drives change through sharing, coaching, conferences, and other means. Coaches and mentors others in area of expertise. Models appropriate risk taking and ethical behavior.

Uses business knowledge and technical expertise to assist with analyzing the work of the team to identify potential tools to assist future vulnerability analyses. Helps define deployment best practices and security configuration standards to ensure technologies are deployed in a secure fashion. Researches and maintains deep knowledge of industry trends, technologies, tools, securities, and advances.

Other

Embody our culture and values

Benefits/perks listed below may vary depending on the nature of your employment with Microsoft and the country where you work.Industry leading healthcareEducational resourcesDiscounts on products and servicesSavings and investmentsMaternity and paternity leaveGenerous time awayGiving programsOpportunities to network and connect

---