IT Security Analyst II

T.D. Williamson, Inc.

At TDW we put people first - that means working every day to ensure the pipelines that run through our communities are operating safely and reliably. What sets us apart is our expertise, experience and commitment.

Each day we dedicate ourselves to treating each other, our customers and our community with care and respect.

Overview

The IT Security Analyst II serves as a core contributor within TD Williamson’s Global Cybersecurity team, responsible for security monitoring, alert triage, incident response, and detection engineering across TDW’s global enterprise and industrial environment. TDW is a manufacturer and pipeline service provider whose products and field services are deployed directly into customers’ critical infrastructure operations. This role operates within a modern security operations function with exposure to OT/ICS-adjacent environments inherent to TDW’s manufacturing and pipeline services business.

Key Responsibilities

Primary duties may include, but are not limited to:

Security Monitoring & Alert Triage

  • Perform daily triage of security alerts generated by TDW cybersecurity solutions.
  • Investigate and disposition alerts with documented verdicts (true positive, false positive, benign true positive), rationale, and supporting evidence.
  • Manage alert queues and cybersecurity request tasks in TDW’s ticketing system, prioritize based on risk and context, and escalate confirmed or probable incidents per established runbooks.
  • Operate across overlapping telemetry sources and apply source-awareness when correlating events.
Incident Response

  • Participate in and lead (at tier) incident response activities following the cycle: Containment, Evidence Preservation, Root Cause Analysis, Remediation, and Post-Incident Review.
  • Conduct host-based, log-based, and identity-based investigation across available security tooling and data sources.
  • Document incident findings clearly, distinguishing confirmed findings from hypotheses, and produce post-incident summaries suitable for technical and non-technical audiences.
  • Support escalation to senior analysts, legal counsel, or external parties when incidents may constitute reportable breaches under applicable law (GDPR, PIPEDA, DPDP Act, etc.).
Identity & Cloud Security Support

  • Support investigation and response for identity-based threats including credential abuse, MFA bypass attempts, suspicious sign-in activity, and Conditional Access policy violations.
  • Work with identity and access management telemetry to identify anomalous authentication patterns and support policy enforcement decisions.
  • Ensure alignment with Zero Trust principles and applicable compliance requirements.
Threat Intelligence & Vulnerability Management

  • Leverage threat intelligence platforms and open-source resources to enrich investigations, contextualize IOCs, and identify emerging threats relevant to TDW’s industrial sector and technology footprint.
  • Support vulnerability management workflows; assist in prioritization of remediation based on exploitability, asset criticality, and threat context.
  • Defang and safely communicate IOCs (IPs, domains, hashes) per operational security standards.
Documentation, Policy & Security Awareness

  • Develop and maintain SOC runbooks, triage playbooks, and exception documentation to operational standards.
  • Contribute to the development and review of information security procedures, ensuring alignment with NIST CSF 2.0, ISO/IEC 27001:2022, and MITRE ATT&CK.
  • Provide consultation to IT engineering and business stakeholders on security best practices relevant to their operational context.
  • Support security awareness initiatives and participate in knowledge transfer with peers.
Experience

Required

  • Bachelor’s degree in Computer Science, Cybersecurity, Information Systems, or a related technical field, plus 2–5 years of hands-on experience in a security operations, detection engineering, or incident response role; or an equivalent combination of education and directly applicable experience.
  • Demonstrated experience working within a SIEM platform (Elastic, Splunk, Microsoft Sentinel, or comparable) including alert triage, query development, and rule management.
  • Practical experience with endpoint detection and response (EDR) platforms and log-based investigation.
  • Experience with ServiceNow or a comparable enterprise ticketing platform for incident tracking, request management, and documentation of security events.
  • Familiarity with firewall technologies and proficiency in analyzing network and firewall logs to support triage and documentation of security findings.

Preferred

  • Experience with Elastic Security (SIEM Serverless or self-managed), including KQL/EQL query authoring and Elastic ingest pipeline configuration.
  • Experience with Microsoft cybersecurity tooling including endpoint protection, identity, and device management platforms.
  • Familiarity with cloud environments (Microsoft Azure preferred) and cloud-native security telemetry.
  • Familiarity with Cisco Meraki and Palo Alto firewall platforms.
  • Exposure to industrial or OT/ICS environments; familiarity with the Purdue Model for ICS/SCADA architecture, IEC 62443, or equivalent OT security frameworks is a plus.
  • Familiarity with application allowlisting concepts and platforms.
  • Awareness of GDPR, PIPEDA, or other applicable privacy regulations as they relate to security monitoring, logging scope, and incident notification obligations.
  • Understanding that security telemetry involving EU/EEA employee data (Belgium, Germany, Norway) carries specific data handling and breach notification obligations.
  • Industry certifications such as CISSP, CompTIA Security+, CySA+, Elastic Certified Analyst, AZ-900 or equivalent cloud infrastructure certification (Azure, AWS, or GCP), ITIL Foundation, or equivalent.
Knowledge, Skills, and Abilities
Technical

  • Working knowledge of MITRE ATT&CK framework; ability to map observed behaviors to tactics and techniques and apply that context to detection and response decisions.
  • Proficiency in KQL or comparable query language for security investigation and detection rule development.
  • Understanding of Windows security event logging, authentication protocols, and common attacker techniques targeting Active Directory and Entra ID (e.g., credential theft, lateral movement, persistence).
  • Familiarity with network concepts, DNS, TLS inspection, and cloud access security broker (CASB) functions.
  • Ability to read and interpret process telemetry, command-line arguments, and file system events for behavioral analysis.
  • Familiarity with NIST CSF 2.0 and ISO/IEC 27001:2022 as operational frameworks.

Operational & Analytical

  • Strong analytical and investigative skills; ability to synthesize evidence from multiple sources into a coherent, defensible triage verdict.
  • Sound judgment in distinguishing true threats from false positives without over-relying on single indicators.
  • Ability to manage competing priorities in a fast-paced, globally distributed operational environment.
  • Attention to detail in documentation; all investigation findings, exceptions, and tuning decisions must be clearly recorded.

Communication & Collaboration

  • Strong written and verbal communication skills; ability to convey technical findings clearly to both technical peers and non-technical stakeholders.
  • Ability to work collaboratively with IT Engineering, legal, compliance, and HR functions, particularly in cross-functional incident scenarios.
  • Comfort operating in a globally distributed team across multiple time zones.
