Insider Threat Engineer

Description

Leidos is seeking a highly skilled and experienced Insider Threat Engineer to support and maintain an enterprise-wide insider threat detection and response program at the Social Security Administration (SSA). This position focuses on advancing the agency's capabilities in user activity monitoring (UAM), automation, data loss prevention (DLP-Trellix), automation, and technical threat detection to prevent unauthorized disclosures, fraud, and abuse.. The candidate will be instrumental in delivering analytical and engineering support to the Insider Threat Program Management Office (PMO) and may be required to deliver and receive sensitive briefings within SSA secured spaces such as the SCIF or approved alternate secure locations.

• Are you looking for a company that puts employees first, with a focus on career, flexibility, and well-being?
• Do you enjoy collaborating with colleagues and teammates and believe that the best ideas are fostered in an inclusive environment?
• Are you searching for a team with a strong sense of ownership, urgency, and drive for daily mission success?
• Are you comfortable with proactive outward communication and technical leadership?
• Do you enjoy being a catalyst, solving complex problems, and providing innovative solutions?
• Do you have the flexibility, creativity, and resilience to pivot the mission for success?
• Do you have the courage to make tough ethical decisions with pride, transparency, and respect?

• Engineer, implement, and maintain User Activity Monitoring (UAM) and Data Loss Prevention (DLP) solutions, ensuring continuous visibility into user behavior and sensitive data usage.
• Configure, maintain, and optimize Trellix endpoint security and DLP capabilities for insider threat use cases.
• Experience leveraging Trellix DLP to detect and investigate insider threat behaviors, including sensitive data exfiltration, unauthorized file transfers, and anomalous user activity.
• Automate detection, alerting, and reporting processes using Python, Ansible, or JSON to increase efficiency and accuracy.
• Integrate UAM and DLP solutions with other enterprise cybersecurity tools (e.g., SIEM, SOAR, EDR, Trellix platform).
• Develop dashboards and reports that highlight key insider threat indicators, anomalous activity, and program performance metrics.
• Perform SOC related activities including monitoring, triaging, and investigating insider threat and DLP alerts to support timely detection and response.
• Basic understanding in networking, cybersecurity principles, and experience with common security tools (e.g., firewalls, SIEM, DLP, endpoint security, vulnerability scanners).
• Experience with Splunk for log analysis and developing use cases to support insider threat detection and reporting.
• Demonstrated adaptability with an open mind toward learning new technologies and taking on challenging responsibilities in a dynamic environment.

• Develop and refine methods to extract, analyze, and correlate data from SSA IT systems to proactively detect potential insider threats.
• Monitor and analyze trends in cyber activity and anomalous behavior to assess risks to SSA's confidentiality, availability, and integrity.
• Leverage feeds, incident reports, and threat briefs to assess relevance to SSA's environment and enhance the program's threat modeling capability.

• Prepare and present insider threat briefings to program leadership and executives, following agency writing and presentation standards.
• Contribute to Insider Threat Work Status Reports with detailed analytics, visuals (charts/dashboards), and recommendations.

• Bachelor's degree in Cybersecurity, Information Technology, Computer Science, or a related field.
• Proven experience in cybersecurity, DLP - Trellix or Palo altos, or a related area.
• Hands-on experience with Trellix Data Loss Prevention (DLP) for monitoring, detecting, and controlling sensitive data movement across endpoints, email, and network channels.
• Good understanding of networking and firewall fundamentals, including how monitoring tools interact across segmented architectures.
• Familiarity with Palo Alto Networks firewalls and their logging capabilities (useful for correlating user activity across layers).
• Strong analytical and problem-solving skills; ability to make data-driven recommendations.
• Excellent written and verbal communication skills, particularly in conveying technical insights to leadership.
• Must be able to obtain and maintain a Public Trust. Contract requirement.

• Experience in using Splunk ES or enterprise Splunk is a plus.
• Ability to make decisions based upon analysis of documentation.
• Experience with endpoint monitoring tools, SIEM/SOAR integrations, and identity-based risk scoring.
• Working knowledge of DLP, EDR, or behavioral analytics platforms in support of insider threat detection.
• Experience working in a classified environment and delivering briefings in SCIF settings.
• Understanding of NIST 800-53 and related to Insider Threat Programs.

• Experience with federal regulatory requirements and compliance standards related to cybersecurity.
• Knowledge of programing, Splunk automation, network and firewall operations.
• Familiarity with security tools and technologies used for threat detection and analysis.
• Security certifications (e.g., CISSP, CISM, CEH, CompTIA Security+) are a plus.