
BRYON BOWMAN

Jackson, WY
“In my walks, every man I meet is my superior in some way, and in that I learn from him.”
― Ralph Waldo Emerson

Summary

Detail-oriented, organized and meticulous employee. Works at a fast pace to meet tight deadlines. Enthusiastic team player ready to contribute to company success. Experience in DFIR (digital forensics and incident response), analyzing intrusions, threat hunting, and building threat detection.

Overview

12 years of professional experience
1 Certification

Work History

Principal Threat Detection Engineer

Zendesk
12.2021 - Current
  • Lead the threat detection department, developing processes and procedures to mature the threat detection operations team within a global organization
  • Has respect for diverse cultures and staff, with deep empathy for others
  • Develop training plans for Jr. Analysts
  • Cross-train detection analysts to understand threat monitoring and triage so they can better understand detection and build high fidelity alerts
  • Manage projects for new tooling to ensure that thorough testing criteria are met
  • Build high fidelity threat detection for emerging threats, APT IOCs, and Zendesk-specific threat actors
  • Assist with building threat intelligence, threat monitoring, and threat-prevention teams
  • Develop playbooks for threat detection operations and develop high quality documentation for alerts created by threat detection alerts
  • Utilize MITRE ATT&CK matrix for building detections and identifying detection gaps.

Principal Threat Monitoring and Response Engineer

Zendesk
12.2021 - 01.2022
  • Lead and manage technical incident response investigations, triage, containment, and serve as an escalation point for complex intrusions
  • Lead regular incident postmortem exercises, with a focus on deficiencies requiring additional attention
  • Lead the development and operation of automation and orchestration tools to increase operational excellence and reduce risk to Zendesk and our customers
  • Identify patterns of common malware characteristics in Mac OS
  • Identify patterns of common malware characteristics in Cloud Environments
  • Identify patterns of common malware characteristics at the Windows API level (DLL injection, function hooking, keylogging, communicating over HTTP, etc.)
  • Parse artifacts of IR value out of memory captures (e.g. injected code, VAD analysis, recently opened files)
  • Perform memory and disk forensics to determine what has occurred on Windows, Linux, and Mac hosts
  • Perform forensics in a cloud environment
  • Analyze network flow logs to identify malicious traffic
  • Effectively apply and direct others in the application of structured analytical techniques
  • Create training classes and materials
  • Define the technical roadmap and assist with the design of Threat Monitoring & Response operations
  • Partner with the security engineering team to mature monitoring and response capabilities
  • Develop and implement technology to drive CSOC threat monitoring and response capabilities
  • Review and refine existing key security processes, including response playbooks, threat hunting, security monitoring, threat analysis, security tools, and our security incident response lifecycle
  • Develop and mentor junior staff through open communication, training and development opportunities and celebrate success
  • Assist with maturing other teams in Zendesk Information Security Department.

Lead Cybersecurity Analyst

MassLight
02.2021 - 11.2021
  • Identify misuse and abuse in custom web software
  • Build detection to catch misuse and abuse of custom software
  • Investigate hits on detection in efforts to tune or to work the incident until completion
  • Assess current Splunk framework and prepare a clean matrix for upcoming detections using MLTK
  • Build anomaly detection with the Splunk Machine Learning Toolkit (MLTK)
  • Create data models, field extractions, and other structures in Splunk data
  • Develop detection using machine learning and anomaly detection
  • Provide leadership and cross-training for Jr. Analysts.

Security Analyst (Detection Efficacy)

CrowdStrike
02.2020 - 01.2021
  • Proactively tune noisy detection at high-value customers
  • Assist Technical Account Managers (TAMs) with understanding why detections fired and help them understand the definition of the detection
  • Screen allowlist requests for mistakes in security practices or allowlisting of vulnerable files
  • Create allowlists that will safely remove false positives from the customers' UI
  • Troubleshoot why detections didn’t fire a true positive and give feedback to the detection creation team
  • Analyze alerts for true and false positives before the creation of allowlists
  • Identify new TTPs for which CS doesn't have coverage.

Security Analyst/Threat Hunter (OverWatch Team)

CrowdStrike
07.2018 - 01.2020
  • DFIR - Conduct threat hunting in thousands of customers' EDR-based environments
  • Create template requests for detection creation when a detection doesn't exist
  • Provide customers emails with details of intrusion, malware, hands-on, or phishing campaigns
  • Identify indicators that are in the CrowdStrike knowledge base but not alerting
  • Apply machine learning (ML) tags to the database to assure ML learning is finding and classifying malware and threats correctly
  • Identify malware campaigns that may have reached multiple customers
  • Work projects as assigned to make CS’s work environment more efficient
  • Create suppression rules for false-positive and noisy detections.

Information Security Incident Handler

Ernst & Young
04.2017 - 07.2018
  • DFIR - Lead incident response efforts for 350,000 user community
  • Perform malware analysis using static and dynamic analysis
  • Configured the detection ruleset for a new EDR installation and tuned detections that needed adjustment
  • Artifact collection using custom scripts and open-source tools
  • Network and host-based forensic analysis to determine date/time of compromise, attack vector, and any malware used
  • Publish documentation for current processes and procedures to internal wiki and suggestions on how to improve the process
  • Suggest signatures to cyber threat intelligence (CTI) for signature creation or tuning
  • Lead weekly calls covering current incidents and give direction on solutions to problems that are impeding investigations
  • Memory analysis to identify malware running on the system
  • Threat Hunting - Proactively monitor network and host-based logs to detect and isolate threats.

Information Security Incident Analyst

General Electric Corporate
04.2015 - 04.2017
  • Detailed understanding of advanced persistent threat (APT) and cybercrime adversarial tools, tactics, and procedures
  • DFIR - Work technical aspects of digital security incident detection and response, focusing on highly unstructured incidents and high-risk events
  • Specialized in network-centric analysis (NSM), host-centric analysis (live response, memory forensics, digital forensics), malware analysis, and log-centric analysis (SIEM)
  • Identify issues with standard operating procedures and create/propose solutions
  • Documentation of standard operating procedures (SOP) on the incident wiki
  • Serve as an escalation point for security incidents and intrusions
  • Develop, implement, and tune IDS signatures for APT malware and other indicators of compromise
  • Develop, implement, and tune McAfee HIPS, Yara, and Splunk signatures.

Lead Analyst – Security Operations Center

General Electric Corporate
09.2013 - 04.2015
  • Provide leadership to event analysts and serve as an escalation point for security events in GE’s computer incident response team (GE-CIRT)
  • Develop and refine processes and procedures for day-to-day operations
  • Develop shift handover documentation for the next shift
  • Identify compromised computers using SIEM, packet capture (PCAP), logs, live response, and related computer and network-centric evidence sources
  • Tune Snort detection signatures to reduce false positives
  • Identify errors in cyber intelligence and update a database containing indicators of compromise
  • Provide mentoring and training to event analysts
  • Provide QA for alerts previously analyzed by event analysts
  • Analyze malware carved from network PCAP and obtained through phishing attempts to GE users
  • Worked on various projects to improve security to GE network and user environment
  • Experience with writing Yara and Snort signatures to detect malware and network IOCs.

Senior Information Security Analyst

CBTS On Assignment At GE
03.2013 - 08.2013
  • Provide network and host-centric event-driven analysis
  • Identify compromised computers using network PCAP, logs, and related computer-centric evidence sources
  • Identify phishing attempts and determine if phishing emails resulted in the delivery of a malicious payload
  • Remediate compromised hosts.

EC Vault Governance Project Manager

Consilium1 on assignment at General Electric Aviation
05.2012 - 02.2013
  • Assist with leading the network infrastructure security teams for the Aviation Export Control Vault
  • The EC Vault project required the build-out of over 50 de-centralized security zones with two-actor authenticated network access control
  • Sit on Vault Security Review board to handle firewall rule lifecycle management
  • Work with GE Aviation application owners to ensure closure of temporary security exceptions and assure applications meet security standards
  • Track application remediations for export control vault firewalls
  • Track, consolidate, categorize, audit, and maintain a list of temporary firewall rule exceptions
  • Develop controls to manage and audit firewalls
  • Inspect and refine current processes and develop new techniques to assure proper tracking of temporary and permanent security exceptions
  • Sit on Vault Control board to approve or deny any exceptions in security standards.

Education

Bachelor of Science - Information Assurance

Davenport University
06.2012

Skills

  • Leader of new Idaho Falls Splunk User group
  • Member of Gartner Research Circle
  • Leadership
  • Employee Development
  • Volatility framework
  • Plaso
  • Sleuthkit
  • Wireshark
  • Snort/Suricata
  • CarbonBlack EDR
  • CrowdStrike Falcon EDR
  • Splunk ES
  • ZeroFox
  • X-Soar
  • Yara
  • Inetsim
  • Zeek (formerly Bro)
  • NMap
  • Nessus
  • Scalpel
  • Foremost
  • Sift Workstation
  • NetWitness
  • Winpmem

  • Project Management
  • Web Security
  • Data Analysis
  • Project Planning
  • Conflict Mediation

Operating Systems

Windows Server; Windows XP, Vista, 7, 8, 10, and 11; Linux (all distributions); Unix; macOS

Training

Volatility Malware and Memory Forensics; SEC503 Intrusion Detection In-Depth; FOR578 Cyber Threat Intelligence; RITx CYBER502x Computer Forensics; FOR509 Enterprise Cloud Forensics and Incident Response; FOR518 Mac and iOS Forensic Analysis and Incident Response; leader of new Idaho Falls Splunk User group; member of Gartner Research Circle

Certification

Splunk Power User

Work Availability

Monday through Sunday; morning, afternoon, and evening

Timeline

Principal Threat Detection Engineer - Zendesk
12.2021 - Current
Principal Threat Monitoring and Response Engineer - Zendesk
12.2021 - 01.2022
Lead Cybersecurity Analyst - MassLight
02.2021 - 11.2021
Security Analyst (Detection Efficacy) - CrowdStrike
02.2020 - 01.2021
Security Analyst/Threat Hunter (OverWatch Team) - CrowdStrike
07.2018 - 01.2020
Information Security Incident Handler - Ernst & Young
04.2017 - 07.2018
Information Security Incident Analyst - General Electric Corporate
04.2015 - 04.2017
Lead Analyst – Security Operations Center - General Electric Corporate
09.2013 - 04.2015
Senior Information Security Analyst - CBTS On Assignment At GE
03.2013 - 08.2013
EC Vault Governance Project Manager - Consilium1 on assignment at General Electric Aviation
05.2012 - 02.2013
Davenport University - Bachelor of Science, Information Assurance