Vulnerability Management Analyst
At Fitch, we have an open culture where employees are able to exchange ideas and perspectives throughout the organization, irrespective of their seniority. Your voice will be heard, allowing you to have a real impact. We embrace diversity and appreciate authenticity; employees work in an environment where they can be their true selves. Our inclusive and progressive approach helps us to keep a balanced perspective.
With our expertise, we are not only creating data and information, but also producing timely insights from every angle to influence decision making in this ever-changing and highly competitive market. We have a relentless hunger to innovate and unlock the power of human insights and to drive value for our customers. There has never been a better time to make an impact and we invite you to join us on this journey.
Fitch requires a Vulnerability Management Analyst to join the Technology Risk Group. The Vulnerability Management Analyst is an advanced, hands-on practitioner and will be responsible for Fitch's Tenable Nessus environment and for the supporting processes and controls for detection and assessment and, by partnering with business groups, for remediation or mitigation activities. The role is technical, and candidates must possess a solid understanding of information security and preferably have held positions in cybersecurity and systems administration. The role also requires an understanding of business and governance processes. Vulnerability management analysts are responsible for the overall management lifecycle of the program. They must understand applications, operating systems, networking, cloud infrastructure and basic attacker tactics, techniques and procedures (TTPs). Additionally, analysts are expected to maintain a high level of rigor to stay up to date with advancements in technology, while also retaining knowledge of older systems and applications still in use.
Vulnerability management analysts understand that legacy and present-day systems and applications may have weaknesses that can be exploited by external threat actors and potentially lead to a breach. Given that vulnerability management and risk exposure extend across all technical systems enterprise-wide, responsibilities of this position include identifying assets and vulnerabilities, reporting, remediation and continuous assessment. The analyst must collaborate with others on the team for remediation and additional validation, as well as contribute to other collaborative approaches driven by the security team strategy.
Vulnerability management analysts are expected to assist with strategic initiatives for short- as well as long-term plans to identify and reduce the attack surface across applications and systems. Use of automated tools to identify, assess and report is expected, with emphasis placed on effective communication to constituents relying on applications and systems that support their business. Vulnerability management analysts take an active lead to inform, advise and partner with business units to help better secure their operations.
Job Responsibilities:
• Manage vulnerabilities across applications, endpoints, databases, networking devices, and mobile, cloud and third-party assets
• Conduct continuous discovery and vulnerability assessment of enterprise-wide assets
• Document, prioritize and formally report asset and vulnerability state, along with remediation recommendations and validation
• Communicate vulnerability results in a manner understood by technical and non-technical business units based on risk tolerance and threat to the business, and gain support through influential messaging
• Leverage vulnerability database sources to understand each weakness, its likelihood of exploitation and remediation options, including vendor-supplied fixes and workarounds
• Support internal and external auditors in their duties that focus on compliance and risk reduction
• Collaborate with security groups such as red teams, threat intelligence and risk management to form a holistic team dedicated to thwarting attackers and reducing attack surface
• Work closely with infrastructure teams to advise and support remediation efforts to close vulnerability exposure to new threats in the wild and verify the organization's security posture against them
• Regularly research and learn new TTPs in public and closed forums, and work with colleagues to assess risk and implement/validate controls as necessary
• Arrange and provide support to business units launching new technology applications and services to verify that new products/offerings are not at risk of misconfiguration, compromise or information leakage
• Partner with GRC to develop key performance indicators (KPIs) and metrics across business units to illustrate effectiveness with vulnerability management
• Understand breach and attack simulation solutions for known vulnerabilities and work with the team to validate controls effectiveness
• Liaise with the security engineering team to improve tool usage and workflow, as well as with the advanced threats and assessment team to mature monitoring and response capabilities
• Perform other duties as assigned
Skills and experience:
• 5-7+ years' experience in information security administration, vulnerability management or security operations
• High level of proficiency with Tenable Nessus vulnerability management products, specifically Tenable.io, pre-authorized scanners, agents and AWS connectors
• Understanding of Windows and *nix operating systems, endpoint applications, networking protocols and devices
• Experience with vulnerability management across Amazon Web Services (AWS) and preferably Microsoft Azure or Oracle Cloud Infrastructure
• Experience conducting organization-wide vulnerability scanning and remediation processes
• Ability to obtain and maintain technical team and business support to influence a collaborative effort to reduce attack surface
• Capable of scripting in Python, Bash, Perl or PowerShell for the purposes of automating management of vulnerability data from Tenable platform
• Understanding of OWASP, CVSS, the MITRE ATT&CK framework and the software development lifecycle
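As an added illustration of the scripting the last bullets describe (this is example code written for this page, not Fitch's or Tenable's own tooling), the script below takes a Nessus-style CSV export, collapses a plugin that fires on several ports of one host into a single finding, bands each finding with the CVSS v3.x qualitative severity scale, drops informational results, and rolls the rest up per host for a report. The column names are assumed to follow the Nessus CSV export layout; the exact CVSS column header varies by Tenable product and export template, so COL_CVSS is a setting. The sample rows and the plugin IDs in them are constructed placeholders, not real scan data.

```python
"""Triage a Nessus/Tenable CSV export: dedupe, band by CVSS, roll up per host.

Assumed column names (Plugin ID, CVSS v3.0 Base Score, Risk, Host, Protocol,
Port, Name, Solution) follow the Nessus CSV export layout; real exports carry
more columns, and the CVSS header differs between export templates, so set
COL_CVSS to match your own export. All sample data below is constructed.
"""
import csv
import io
from collections import defaultdict

COL_CVSS = "CVSS v3.0 Base Score"  # assumption: adjust to your export template

# Constructed sample export with placeholder plugin IDs (not real findings).
SAMPLE_EXPORT = """\
Plugin ID,CVSS v3.0 Base Score,Risk,Host,Protocol,Port,Name,Solution
900001,9.8,Critical,10.0.0.5,tcp,443,Web server remote code execution,Upgrade to the fixed version
900001,9.8,Critical,10.0.0.5,tcp,8443,Web server remote code execution,Upgrade to the fixed version
900002,5.3,Medium,10.0.0.5,tcp,22,SSH weak algorithms enabled,Disable weak algorithms
900003,7.5,High,10.0.0.7,tcp,445,File sharing service flaw,Apply vendor patch
900004,,None,10.0.0.7,tcp,0,Host information,n/a
900005,3.1,Low,10.0.0.9,udp,161,SNMP default community string,Change community string
"""

# CVSS v3.x qualitative severity rating scale (floor of each band).
CVSS_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"), (0.0, "None"))


def severity_band(score):
    """Map a CVSS v3.x base score to its qualitative rating."""
    for floor, label in CVSS_BANDS:
        if score >= floor:
            return label
    raise ValueError(f"CVSS score out of range: {score}")


def parse_export(text):
    """Read export rows into dicts with a numeric score and severity band."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = (row.get(COL_CVSS) or "").strip()
        score = float(raw) if raw else 0.0  # informational plugins export no score
        findings.append({
            "plugin_id": row["Plugin ID"].strip(),
            "host": row["Host"].strip(),
            "port": f'{row["Protocol"].strip()}/{row["Port"].strip()}',
            "name": row["Name"].strip(),
            "solution": row["Solution"].strip(),
            "score": score,
            "band": severity_band(score),
        })
    return findings


def dedupe(findings):
    """Collapse one plugin firing on several ports of one host into one item."""
    merged = {}
    for f in findings:
        key = (f["host"], f["plugin_id"])
        if key in merged:
            merged[key]["ports"].append(f["port"])
            merged[key]["score"] = max(merged[key]["score"], f["score"])
            merged[key]["band"] = severity_band(merged[key]["score"])
        else:
            item = {k: v for k, v in f.items() if k != "port"}
            item["ports"] = [f["port"]]
            merged[key] = item
    return list(merged.values())


def prioritize(findings, include_informational=False):
    """Order findings by CVSS score (highest first), then host and plugin."""
    actionable = [f for f in findings if include_informational or f["score"] > 0.0]
    return sorted(actionable, key=lambda f: (-f["score"], f["host"], f["plugin_id"]))


def rollup_by_host(findings):
    """Count findings per host per severity band for the summary table."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f["host"]][f["band"]] += 1
    return {host: dict(bands) for host, bands in counts.items()}


def report(text):
    """Full pipeline: parse -> dedupe -> prioritize -> per-host rollup."""
    items = prioritize(dedupe(parse_export(text)))
    return {"items": items, "by_host": rollup_by_host(items), "total": len(items)}


if __name__ == "__main__":
    result = report(SAMPLE_EXPORT)
    for f in result["items"]:
        ports = ", ".join(f["ports"])
        print(f'{f["band"]:<8} {f["score"]:>4} {f["host"]:<10} {f["plugin_id"]} {f["name"]} ({ports})')
    print(result["by_host"])
```

Deduplicating on (host, plugin) before counting matters for the KPIs the GRC partnership bullet mentions: a single unpatched web server listening on two ports would otherwise be reported as two critical findings, which inflates the numbers and erodes trust with the business units that have to act on them.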
If you're interested in applying for this role, please speak with Victor Gonzalez, Recruiter, for more information.