
Elasticsearch Lead Engineer - SIEM Platform

Posted today. Charlotte, NC

Global Risk and Security (GR&S) at Vanguard enables business strategy, protects client and Vanguard interests (e.g., assets and data), and stewards a strong risk culture. Our teams leverage enterprise-wide insights, deep expertise, and trusted advice so that across Vanguard leaders and crew drive faster, stronger, risk-informed decisions.

Within GR&S, the Enterprise Security and Fraud (ES&F) sub-division is responsible for the global protection of Vanguard crew, property, data, and client assets. We are the trusted advisors that protect the pride of Vanguard with state-of-the-art security and fraud capabilities. We are a world-class destination of highly engaged, passionate, and diverse talent expected to continuously learn and develop in an ever-changing security landscape.

Our crew are our greatest resource - by joining our team you will build collaborative long-term relationships and enjoy a suite of benefits that includes comprehensive health and wellness care, work-life balance, and an investment in your future at its core.

Elasticsearch Lead Engineer - SIEM Platform:

  • Architect and maintain high-availability Elasticsearch clusters supporting large-scale security event ingestion
  • Define and enforce Elastic Common Schema (ECS) field mappings across all data sources, ensuring consistent normalization for detection rules and analytics
  • Design and develop custom data ingestion pipelines using Elasticsearch
  • Integrate with AWS services including S3, Kinesis Data Streams, Lambda, and CloudWatch for log collection
  • Manage AWS infrastructure: EC2, S3, IAM, and Secrets Manager - using AWS CloudFormation
  • Implement data lifecycle management - hot/warm/cold/frozen tier strategies, ILM policies, and snapshot/restore to S3-based data lakes
  • Partner with Detection Engineering and Threat Intelligence teams to optimize index strategies, queries, and dashboards in Kibana
  • Establish and maintain cluster security controls: TLS/mTLS, role-based access control (RBAC), audit logging, and encryption at rest
  • Build resilient, fault-tolerant architectures: cross-cluster replication, shard allocation awareness, and disaster recovery runbooks
  • Perform platform health monitoring and upgrade/patching activities
  • Troubleshoot and manage production technical issues related to Elasticsearch cloud
  • Define and enforce SLOs for ingestion latency, query performance, and cluster availability
  • Mentor junior engineers and establish best practices, runbooks, and architectural standards

Qualifications

  • Minimum of six years of related work experience.
  • Undergraduate degree in a related field or the equivalent combination of training and experience.
  • 6+ years of Elasticsearch / Elastic Stack (ELK) experience in a production security or observability environment
  • Deep understanding of Elastic Common Schema (ECS) and experience mapping diverse log sources (Windows, Linux, network, cloud, EDR) to ECS
  • Hands-on experience operating Elasticsearch at scale (10TB+/day ingest, 100+ node clusters)
  • Proficiency with AWS - Kinesis, S3, IAM, CloudTrail, and AWS-native log sources
  • Experience with data streaming platforms - Apache Kafka, or Confluent Platform - for high-throughput event ingestion
  • Experience integrating with data lake platforms - AWS S3 / Lake Formation, Data Lake, or Apache Iceberg for long-term retention and threat hunting
  • Strong understanding of security principles: least privilege, network segmentation, secrets management, audit logging
  • Experience building resilient systems: replication topologies, capacity planning, chaos engineering mindset, and documented DR procedures
  • Proficiency with infrastructure-as-code tools (Terraform, Ansible, or CDK) (Optional)

Preferred Qualifications

  • Elastic Certified Engineer or Elastic Certified Analyst certification
  • Experience with Elastic Security / SIEM detection rules, ML jobs, and Timeline investigations
  • Familiarity with MITRE ATT&CK framework and how it informs index and detection design
  • Experience with container-based deployments of Elastic (ECK / Kubernetes)
  • Knowledge of compliance frameworks: SOC 2, PCI-DSS, HIPAA, or FedRAMP

Special Factors

Sponsorship
Vanguard is not offering visa sponsorship for this position.

About Vanguard

At Vanguard, we don't just have a mission; we're on a mission.

To work for the long-term financial wellbeing of our clients. To lead through product and services that transform our clients' lives. To learn and develop our skills as individuals and as a team. From Malvern to Melbourne, our mission drives us forward and inspires us to be our best.

How We Work

Vanguard has implemented a hybrid working model for the majority of our crew members, designed to capture the benefits of enhanced flexibility while enabling in-person learning, collaboration, and connection. We believe our mission-driven and highly collaborative culture is a critical enabler to support long-term client outcomes and enrich the employee experience.

Client-provided location(s): Charlotte, NC, Dallas, TX, Malvern, PA
Job ID: Vanguard-179146
Employment Type: FULL_TIME
Posted: 2026-06-18T01:56:47

Perks and Benefits

  • Health and Wellness

    • FSA
    • HSA
    • Health Reimbursement Account
    • Fitness Subsidies
    • On-Site Gym
    • HSA With Employer Contribution
    • Health Insurance
    • Dental Insurance
    • Vision Insurance
    • Life Insurance
    • Short-Term Disability
    • Long-Term Disability
    • Mental Health Benefits
    • Virtual Fitness Classes
    • Pet Insurance
  • Parental Benefits

    • Non-Birth Parent or Paternity Leave
    • Birth Parent or Maternity Leave
    • Fertility Benefits
    • Adoption Assistance Program
    • Family Support Resources
    • Adoption Leave
  • Work Flexibility

    • Flexible Work Hours
    • Hybrid Work Opportunities
  • Office Life and Perks

    • Company Outings
    • Commuter Benefits Program
    • Casual Dress
    • Happy Hours
    • Snacks
    • Some Meals Provided
    • On-Site Cafeteria
  • Vacation and Time Off

    • Personal/Sick Days
    • Paid Holidays
    • Paid Vacation
    • Volunteer Time Off
    • Leave of Absence
  • Financial and Retirement

    • Relocation Assistance
    • Performance Bonus
    • 401(K) With Company Matching
    • 401(K)
    • Financial Counseling
    • Profit Sharing
  • Professional Development

    • Promote From Within
    • Mentor Program
    • Shadowing Opportunities
    • Access to Online Courses
    • Tuition Reimbursement
    • Internship Program
    • Lunch and Learns
    • Leadership Training Program
  • Diversity and Inclusion

    • Diversity, Equity, and Inclusion Program
    • Employee Resource Groups (ERG)