Elastic Splunk Implementation & Migration Engineer
Our immediate priority is to assist, guide, and help architect the migration of GISA-PAC, GISA Europe and eventually GISA Liberty and INSCOM HQ off Splunk, including configuration and installation of the initial architecture.
This will include the following steps, by phase:
1. Phase 1 - Initiate
a. Define goals and objectives: Clearly define the goals and objectives for implementing Elastic SIEM. This may include migration off Splunk, improving security visibility, detecting and responding to threats, or meeting compliance requirements.
b. Discover and review the Splunk environment: identify the current source types, sources, knowledge objects, dashboards, and searches that need to be migrated to Elastic SIEM.
2. Phase 2 - Plan and design
a. Review discovery artifacts and design the migration off Splunk. This includes checkpoints, migration criteria, cutoff criteria and architectural best practices.
b. Identify data sources: Identify all data sources that will be used by Elastic SIEM, including servers, applications, network devices, and security tools.
3. Phase 3 - Implement
a. Implement the stack components, consisting of 9 Elasticsearch nodes, 2 Kibana nodes, and 1 machine learning node.
b. Benchmark and tune: The cluster will be benchmarked, tested, and tuned to ensure proper configuration and performance under load.
4. Phase 4 - Deliver
a. Configure data collection: Configure the data collection process to ensure that all relevant data is being collected and forwarded to Elastic SIEM. This may involve configuring data ingestion pipelines, setting up Beats, or installing Elastic Agents on servers or devices.
b. Configure Elastic SIEM: Configure Elastic SIEM to meet the organization's specific needs and requirements. This may include defining and refining rules and alerts, creating custom dashboards, and configuring integrations with other security tools.
c. Test and validate: Test and validate the Elastic SIEM configuration to ensure that it is functioning properly and meeting the organization's goals and objectives.
d. Deploy and monitor: Deploy Elastic SIEM in the production environment and begin monitoring for security events and alerts. Regularly review and update the configuration as needed to ensure that it continues to meet the organization's needs.
e. Train staff: Train staff on how to use Elastic SIEM and respond to alerts and incidents. This may involve providing hands-on training or creating documentation and resources for ongoing reference.
This time will also include the project management needed to coordinate with GISA and the other vendors, report on progress and tasks, manage the architects on the Elastic side, and bring in specialists as needed so that specific tasks are completed more efficiently.
GISA Enterprise FTE Technology Support
Once the initial builds are deployed, assist in the operation and maintenance of the Elastic cluster. This consists of remote performance tuning, additional data onboarding, rule building, alert tuning, AI Assistant and Attack Discovery enablement, and other O&M tasks. The purpose is to offer all GISA sites reach-back sessions with an Elastic expert.
Other Duties as Assigned:
1. Provide Intelligence IT storage support, including planning, design, engineering, implementation, integration, maintenance, monitoring, troubleshooting, and correction for INSCOM GISA-W core IT services up to the TS/SCI level. This also includes providing storage support for existing NetApp and future hardware and software technologies.
2. Provide Intelligence IT virtualization support, including planning, design, engineering, implementation, integration, maintenance, monitoring, troubleshooting, and correction for GISA-W core IT services up to the TS/SCI level. We will provide virtualization support for existing (VMware and Citrix VDI) and future technology implementations and ensure the capability is functional with the DIA Next Generation Desktop Environment (NGDE) and future infrastructures. Our experienced personnel will ensure the virtual infrastructure is maintained, patched, configured, and secured in accordance with IC and Army JWICS IT security standards and guidelines. We will ensure the virtual infrastructure is monitored in accordance with IC and Army JWICS insider threat initiatives. We will also coordinate with external support as it pertains to GISA-W Intelligence IT virtualization components.