15048
30-09-2025
Support in SIEM (Splunk) infrastructure management and log collection
Mons, Belgium

2024-0272, Support in SIEM (Splunk) infrastructure management and log collection


Duties

Overall Aim:
Provide technical expertise in operating and maintaining Cyber Security (SIEM – Splunk) infrastructure for the NCSC, focusing on log collection, system availability, change management, reporting, and customer support. This will be done under the direction of the CSDE Cell Head or SDM within a deliverable-based contract in 2025.


1. Log Collection

  • Onboard and manage new data log sources into the SIEM (Splunk) system.

  • Perform data ingestion, mapping to Splunk CIM, integration with existing data models, and quality validation.

  • Document processes in Confluence following CSDE standards.

  • Coordinate with the CSDE team and Tier 3 customers.

  • Outcome: Tasks completed within allocated time and validated by Security Analysts.


2. Service Availability & Monitoring

  • Act as SME for SIEM and log collection services.

  • Monitor performance and availability of the SIEM environment.

  • Detect, report, and resolve service degradation issues promptly.

  • Maintain Splunk stability and reliability using best practices.

  • Ensure data security systems are correctly configured, operational, and meet SLA KPIs.

  • Outcome: Detect service issues within 2 hours, maintain 99.8% uptime, inform SDM within 2 hours of problems.


3. Change Management

  • Implement changes such as upgrades, deployments, new data sources, and configuration modifications.

  • Follow NCSC Change Management processes (create/follow-up change requests, impact assessments, CAB participation).

  • Coordinate with CSDE and external teams.

  • Maintain SOPs, design docs, and other technical documentation.

  • Outcome: Tasks completed within assigned time and fully documented.


4. Reporting & Advisory Role

  • Attend meetings to represent the cell, provide technical advice, and report updates.

  • Communicate meeting minutes and action points within 1 working day.

  • Outcome: High-quality reporting evaluated by SDM or Cell Head.


5. Customer Support

  • Provide technical assistance to security analysts and other customers.

  • Resolve and close support tickets within allocated timeframes.

  • Outcome: Resolution confirmed by requestors in tickets.


Required Profile & Skills

  • Solid understanding of IT security principles.

  • At least 2 years of hands-on experience in large, distributed Splunk Enterprise environments (administering, deploying, configuring, and maintaining).

  • Scripting/programming skills in Ansible, Python, or Bash.

  • Knowledge of networking protocols (TCP/IP, HTTP(S), DNS).

  • Strong experience in Linux administration and troubleshooting.

  • Ability to work autonomously with accuracy and attention to detail.

  • Strong reporting and communication skills, able to address senior stakeholders.

  • Fluent in English (written and spoken).

  • Professional appearance for meetings with high-level officials.

  • Must comply with local employment laws and SHAPE & NCIA onboarding procedures.

  • Available to work on NCIA working days.
