DLP & CASB Engineer

Who We Are

At Kyndryl, we run and reimagine the mission-critical technology systems that drive advantage for the world's leading businesses. We are at the heart of progress; with proven expertise and a continuous flow of AI-powered insight, enabling smarter decisions, faster innovation, and a lasting competitive edge. For our people-Kyndryls-that means doing purposeful work that powers human progress. Join us and experience a flexible, supportive environment where your well-being is prioritized and your potential can thrive.

The Role

Key Responsibilities

1. Incident Review & Investigation

• Review, analyze, and validate DLP and CASB alerts escalated by L1 analysts, ensuring accurate triage and risk classification.
• Investigate potential cases of data exfiltration, misuse, or policy violations across multiple channels:
  
  
  • Email (O365, Exchange Online Protection, Gmail)
  • Endpoint (Device Agents, Removable Media)
  • Web/Cloud Applications (Box, OneDrive, SharePoint, Google Drive, Salesforce, etc.)
• Correlate events across systems (DLP, CASB, SIEM, and EDR) to identify multi-vector data leakage attempts.
• Escalate confirmed incidents with detailed context, evidence, and recommended containment actions to L3 SMEs or Incident Response teams.
• Participate in Root Cause Analysis (RCA) for confirmed data leakage incidents and propose preventive actions.

• Collaborate with DLP/CASB SMEs to fine-tune detection rules, thresholds, and patterns to reduce false positives while maintaining high detection fidelity.
• Implement rule and policy changes based on evolving business and regulatory requirements (typically 10-50 changes per month for CASB).
• Manage policy lifecycle processes, including testing, deployment, rollback, and documentation.
• Contribute to the development of custom detection patterns, data classifiers, and policy templates aligned with organizational data categories (PII, PCI, IP, etc.).
• Maintain synchronization and policy consistency across cloud and endpoint channels.

• Monitor and ensure operational health and performance of DLP and CASB platforms (e.g., Forcepoint, Netskope, Microsoft Defender for Cloud Apps, Symantec, McAfee, or Palo Alto Prisma Access).
• Validate integration with SIEM and ITSM tools (e.g., ServiceNow, Microsoft Sentinel, Splunk) for alert ingestion, incident tracking, and reporting.
• Coordinate with OEM vendors and internal platform teams for:
  
  
  • Product patching and upgrades
  • Rule deployment validation
  • Performance tuning and incident troubleshooting
• Maintain system hygiene, ensuring agents, connectors, and sensors are active and updated across all endpoints and applications.
• Conduct periodic configuration reviews to validate coverage, data patterns, and rule logic.

• Maintain comprehensive incident logs, RCA records, and policy change documentation.
• Support creation of monthly dashboards, SLA reports, and KPI summaries related to DLP/CASB operations.
• Participate in governance forums, audit reviews, and client-facing reporting sessions to present performance trends, risk metrics, and improvement plans.
• Ensure data protection configurations align with compliance frameworks (e.g., GDPR, HIPAA, PCI DSS, ISO 27001).
• Collaborate with risk and compliance teams to align detection and response strategies with corporate data handling policies.

• Work closely with L1 monitoring teams, providing guidance on triage, escalation, and classification best practices.
• Support cross-skilling initiatives and assist in developing and updating SOPs, knowledge base articles, and training materials.
• Participate in threat modelling and data exfiltration use case development to enhance proactive detection and prevention capabilities.
• Identify and recommend automation opportunities for incident enrichment, false-positive suppression, and report generation.

• 6-10 years of hands-on experience in DLP/CASB engineering, administration, or operations.
• Strong technical expertise in at least one enterprise DLP platform:
  
  
  • Forcepoint DLP
  • Symantec DLP
  • Microsoft Purview (formerly MIP/DLP)
  • McAfee DLP
• Proficiency in CASB technologies, such as:
  
  
  • Netskope
  • Microsoft Defender for Cloud Apps
  • McAfee MVISION Cloud
  • Palo Alto Prisma Cloud Access Security Broker
• Good understanding of data classification, content inspection, encryption, and endpoint agents.
• Familiarity with SIEM platforms (e.g., Sentinel, Splunk, QRadar) and ITSM workflows (ServiceNow, Jira).
• Experience integrating DLP and CASB with email, endpoint, and SaaS ecosystems.
• Strong analytical, investigation, and documentation skills for incident triage and RCA.
• Working knowledge of network protocols, APIs, and cloud security architecture (SaaS/IaaS/PaaS).