Each day we dedicate ourselves to treating each other, our customers and our community with care and respect.
Overview
The IT Security Analyst II serves as a core contributor within TD Williamson’s Global Cybersecurity team, responsible for security monitoring, alert triage, incident response, and detection engineering across TDW’s global enterprise and industrial environment. TDW is a manufacturer and pipeline service provider whose products and field services are deployed directly into customers’ critical infrastructure operations. This role operates within a modern security operations function with exposure to OT/ICS-adjacent environments inherent to TDW’s manufacturing and pipeline services business.
Key Responsibilities
Primary duties may include, but are not limited to:
-
Perform daily triage of security alerts generated by TDW cybersecurity solutions.
-
Investigate and disposition alerts with documented verdicts (true positive, false positive, benign true positive), rationale, and supporting evidence.
-
Manage alert queues and cybersecurity request tasks in TDW’s ticketing system, prioritize based on risk and context, and escalate confirmed or probable incidents per established runbooks.
-
Operate across overlapping telemetry sources and apply source-awareness when correlating events.
Incident Response
Participate in and lead (at tier) incident response activities following the cycle: Containment Evidence Preservation Root Cause Analysis Remediation
- Post-Incident Review.
-
Conduct host-based, log-based, and identity-based investigation across available security tooling and data sources.
-
Document incident findings clearly, distinguishing confirmed findings from hypotheses, and produce post-incident summaries suitable for technical and non-technical audiences.
-
Support escalation to senior analysts, legal counsel, or external parties when incidents may constitute reportable breaches under applicable law (GDPR, PIPEDA, DPDP Act, etc.).
Identity & Cloud Security Support
-
Support investigation and response for identity-based threats including credential abuse, MFA bypass attempts, suspicious sign-in activity, and Conditional Access policy violations.
-
Work with identity and access management telemetry to identify anomalous authentication patterns and support policy enforcement decisions.
-
Ensure alignment with Zero Trust principles and applicable compliance requirements.
Threat Intelligence & Vulnerability Management
-
Leverage threat intelligence platforms and open-source resources to enrich investigations, contextualize IOCs, and identify emerging threats relevant to TDW’s industrial sector and technology footprint.
-
Support vulnerability management workflows; assist in prioritization of remediation based on exploitability, asset criticality, and threat context.
-
Defang and safely communicate IOCs (IPs, domains, hashes) per operational security standards.
Documentation, Policy & Security Awareness
-
Develop and maintain SOC runbooks, triage playbooks, and exception documentation to operational standards.
-
Contribute to the development and review of information security procedures, ensuring alignment with NIST CSF 2.0, ISO/IEC 27001:2022, and MITRE ATT&CK.
-
Provide consultation to IT engineering and business stakeholders on security best practices relevant to their operational context.
-
Support security awareness initiatives and participate in knowledge transfer with peers.
Experience
-
Bachelor’s degree in Computer Science, Cybersecurity, Information Systems, or a related technical field, plus 2–5 years of hands-on experience in a security operations, detection engineering, or incident response role; or an equivalent combination of education and directly applicable experience.
-
Demonstrated experience working within a SIEM platform (Elastic, Splunk, Microsoft Sentinel, or comparable) including alert triage, query development, and rule management.
-
Practical experience with endpoint detection and response (EDR) platforms and log-based investigation.
-
Experience with ServiceNow or a comparable enterprise ticketing platform for incident tracking, request management, and documentation of security events.
-
Familiarity with firewall technologies and proficiency in analyzing network and firewall logs to support triage and documentation of security findings.
-
Experience with Elastic Security (SIEM Serverless or self-managed), including KQL/EQL query authoring and Elastic ingest pipeline configuration.
-
Experience with Microsoft cybersecurity tooling including endpoint protection, identity, and device management platforms.
-
Familiarity with cloud environments (Microsoft Azure preferred) and cloud-native security telemetry.
-
Familiarity with Cisco Meraki and Palo Alto firewall platforms is preferred.
-
Exposure to industrial or OT/ICS environments; familiarity with the Purdue Model for ICS/SCADA architecture, IEC 62443, or equivalent OT security frameworks is a plus.
-
Familiarity with application allowlisting concepts and platforms is preferred.
-
Awareness of GDPR, PIPEDA, or other applicable privacy regulations as they relate to security monitoring, logging scope, and incident notification obligations.
-
Understanding that security telemetry involving EU/EEA employee data (Belgium, Germany, Norway) carries specific data handling and breach notification obligations.
-
Industry certifications such as CISSP, CompTIA Security+, CySA+, Elastic Certified Analyst, AZ-900 or equivalent cloud infrastructure certification (Azure, AWS, or GCP), ITIL Foundation, or equivalent.
Knowledge, Skills, and Abilities
-
Working knowledge of MITRE ATT&CK framework; ability to map observed behaviors to tactics and techniques and apply that context to detection and response decisions.
-
Proficiency in KQL or comparable query language for security investigation and detection rule development.
-
Understanding of Windows security event logging, authentication protocols, and common attacker techniques targeting Active Directory and Entra ID (e.g., credential theft, lateral movement, persistence).
-
Familiarity with network concepts, DNS, TLS inspection, and cloud access security broker (CASB) functions.
-
Ability to read and interpret process telemetry, command-line arguments, and file system events for behavioral analysis.
-
Familiarity with NIST CSF 2.0 and ISO/IEC 27001:2022 as operational frameworks.
-
Strong analytical and investigative skills; ability to synthesize evidence from multiple sources into a coherent, defensible triage verdict.
-
Sound judgment in distinguishing true threats from false positives without over-relying on single indicators.
-
Ability to manage competing priorities in a fast-paced, globally distributed operational environment.
-
Attention to detail in documentation; all investigation findings, exceptions, and tuning decisions must be clearly recorded.
-
Strong written and verbal communication skills; ability to convey technical findings clearly to both technical peers and non-technical stakeholders.
-
Ability to work collaboratively with IT Engineering, legal, compliance, and HR functions, particularly in cross-functional incident scenarios.
-
Comfort operating in a globally distributed team across multiple time zones.