The Next Generation of Security Operations Centre (SOC)
Updated Senior Cyber Intel security analyst
Tiffany Dawn Doby
7603 Sam Hall Road Oxford, N.C. 27565
Telephone: (919) 892-4846 E-mail: alchemy2588@gmail.com
Summary of Qualifications
Senior Information Technology, Network Security/Information System Security, Intel, and Cyber Threat Specialist with progressively responsible experience in:
• Information Assurance Technologies
• Information Assurance Assessments and Methodology
• Computer Information Customer Service
• Enterprise Installation and Upgrades
• Computer Hardware and Software Maintenance and Support
• Network Architecture and Fundamentals
• UNIX, Windows NT, 2000, XP, Vista, TCP/IP
• Network Security and Traffic Analysis
• Forensics Investigations and Analysis
• Daily network security traffic analysis
• Team Lead in providing recommendations for all Cyber Threat Incident Handling and Incident Response
• Government Sales / Logistics Distribution
• Excellent Interpersonal Communications and Team Building Skills
• Intelligence gathering to conduct further analysis
• Senior Administrative support to include phone, presentation, and correspondence
• Vulnerability Scanning (NIKTO, NESSUS, NMAP, PERL, nCircle)
• Packet Analyzing (NetWitness, Wireshark, Ethereal, IDS, IPS)
• Foundstone Administrator
• Websense Administrator
• Symantec Information Manager Console + NAC experience
• Incident reporting, response, incident analysis, and incident management as well as severity management
• Sustainment of the Enterprise
• Detect activities on or against the Enterprise
• Procedures for creating and distributing warnings for threats and intrusions from DoD and Intelligence community organizations on a need-to-know basis
• ArcSight, Sourcefire, and Solera SME
• AvayaGov Team Lead in construction and development of the U.S. Senate Sergeant At Arms Vulnerability Analysis program
• Protect the Enterprise
• Vulnerability assessment and management, and vulnerability assessments to include red and blue team assessments and as a part of C&A preparation
• Network engineering monitoring and mitigation of enterprise network device issues
• Attack Sensing and Warning (AS&W)
• Monitoring of web sites of DoD and commercial cyber security centers and of non-government websites for information on known and potential threats to ensure a proactive approach to CND
Security Clearance: Secret
Professional Experience
Centers for Medicare & Medicaid Services with 1901 Group LLC (prior company Triple-I),
Columbia, Maryland
September 2014 – Present
Incident Management Respondent / Senior Cyber Threat Analyst
• Lead security communication and coordination in support of Healthcare.gov at the eXchange Operations Center (XOC).
• Ensured that critical security weaknesses are addressed in a timely manner according to CMS information security guidance.
• Led the effort to reduce Healthcare.gov infrastructure DHS Cyber Hygiene findings by 77%.
• Developed a reporting process with Marketplace datacenters and entities to ensure proper communication to senior leadership.
• Reduced coordination times by an average of 3 hours by developing a list of security POCs to contact during incidents.
• Closed 100+ Department-level RiskVision tickets for Marketplace incidents in 60 days.
• Streamlined processes to reduce reporting and alerting efforts by an average of 4 hours during major incidents.
• Provided a daily executive brief to CMS leadership regarding the security status of the XOC, Healthcare.gov, and supporting infrastructure.
• Detect and continuously perform network traffic analysis utilizing raw packet data, NetFlow, IDS, IPS and custom sensor output as it pertains to the cyber security of communications networks. Detect and continuously correlate actionable security events from various sources, including Security Information Management System (SIMS) data.
• Coordinated with HHS, DHS, the CMS SOC, States, and datacenters to ensure pertinent information is shared and all requirements are exceeded.
• Managed projects including Open Source Intelligence, Data Analytics, and Database migration projects.
• Led Incident Management meetings in the event of security investigations and maintained a written summary of action items and findings.
• Created a relationship between the XOC team and the Office of Communications to share security information with consumers.
• Implemented new and innovative ideas to improve the security posture of the Healthcare.gov environment.
February 2013 – Lead Cyber Intelligence Analyst with Lockheed Martin for Defense Threat Reduction Agency
• Continuously detect and employ advanced forensic tools and techniques for network attack reconstruction.
• Performed successfully and outstandingly in the DISA ESM Audit process and was directly involved in the main Work Instructions and live demonstration of all required CNDSP DETECT controls.
• Detect and continuously perform network traffic analysis utilizing raw packet data, NetFlow, IDS, IPS and custom sensor output as it pertains to the cyber security of communications networks. Detect and continuously correlate actionable security events from various sources, including Security Information Management System (SIMS) data, and develop unique correlation techniques. Detect and continuously utilize knowledge of attack signatures, tactics, techniques and procedures to aid in the detection of zero-day attacks.
• Detect and participate in the coordination of resources during enterprise incident response efforts. Interface with external entities including law enforcement organizations, intelligence community organizations and other government agencies, e.g., the Department of Defense.
• Review threat data from various sources and aid in the development of custom signatures for open source and COTS IDS. Responsible for maintaining the integrity and security of enterprise-wide cyber systems and networks.
• Supports daily cyber security initiatives through both predictive and reactive analysis, articulating emerging trends to leadership and staff. Coordinates daily resources during enterprise incident response efforts, driving incidents to timely and complete resolution.
• Employs advanced forensic tools and techniques for attack reconstruction, including dead system analysis and volatile data collection and analysis.
• Daily performs network traffic analysis utilizing raw packet data, NetFlow, IDS, and custom sensor output as it pertains to the cyber security of communications networks. Reviews threat data from various sources and develops custom signatures for open source IDS or other custom detection capabilities.
• Correlates actionable security events from various sources including Security Information Management System (SIMS) data and develops unique correlation techniques. Utilizes understanding of attack signatures, tactics, techniques and procedures associated with advanced threats.
• Continuously conducts malware analysis, stays aware of the latest attacker tools providing indicators for enterprise defensive measures, and reverse engineers attacker encoding protocols. Interfaces with external entities including law enforcement organizations, intelligence community organizations and other government agencies such as the Department of Defense.
September 2011 – February 2013 – Senior Security Specialist for Department of Defense Office of the Inspector General
• Responsible for Websense administration of all policies and filters.
• AirTight monitoring of rogue machines that communicate with private access points.
• NIKSUN: analyzing packets within packet captures. Maintain excellent communication with end users when troubleshooting network connectivity issues related to network security.
• Responsible for all Incident Response on all PENTCIRT alerts and reporting of all malicious activity.
• Conduct incident response and follow through for threat mitigation on all hosts and devices.
• In charge of Incident Response and Incident Handling.
• Receive and analyze network alerts from various sources and determine possible causes of such alerts.
• Perform analysis of log files from a variety of sources within the network environment or enclave, to include individual host logs, network traffic logs, firewall logs, and intrusion detection system logs.
• Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources.
• Monitor external data sources to maintain currency of CND threat condition and determine which security issues may have an impact on the environment or enclave. Assist in the construction of signatures which can be implemented on CND network tools in response to new or observed threats within the environment or enclave. Perform event correlation using information gathered from a variety of sources within the environment or enclave to gain situational awareness and determine the effectiveness of an observed attack. Notify CND managers, CND incident responders, and other CND-SP team members of suspected CND incidents and articulate the event's history, status, and potential impact for further action.
• Significant knowledge of particular CND tools, tactics, techniques, and procedures which support the tracking, management, analysis, and resolution of incidents. Works under supervision and typically reports to the CND-SPM. Actions are usually authorized and controlled by policies and established procedures.
• Certification required within 6 months of assignment to position and mandatory for unsupervised access.
• Collect and analyze intrusion artifacts (e.g., source code, malware, and Trojans) and use discovered data to enable mitigation of potential CND incidents within the enclave. Perform initial, forensically sound collection of images and inspect to discern possible mitigation/remediation on enclave systems. Coordinate with and provide expert technical support to enclave CND technicians to resolve CND incidents. Track and document CND incidents from initial detection through final resolution. Perform CND incident triage to include determining scope, urgency, and potential impact; identify the specific vulnerability and make recommendations which enable expeditious remediation. Correlate incident data and perform CND trend analysis and reporting.
• Coordinate with intelligence analysts to correlate threat assessment data.
• Perform real-time CND Incident Handling (e.g., forensic collections, intrusion correlation/tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRT). Maintain deployable CND toolkit (e.g., specialized CND software/hardware) to support IRT missions. Write and publish CND guidance and reports on incident findings to appropriate constituencies.
October 2008 – September 2011 Watch Officer for Primary Security Operations Center / Vulnerability Analysis Lead for Avaya Government Solutions - U.S. Senate Sergeant At Arms program / Senior Network Security System Analyst for Avaya Government Solutions
Senior Cyber Intelligence Analyst for US Senate Sergeant at Arms.
• Conduct preliminary investigations of incidents and accurately document and report them to the Sergeant at Arms for the US Senate.
• Leads a team of three Cyber Security Analysts in analyzing and investigating suspicious network trends in ArcSight Enterprise Security 4.0 and McAfee IntruShield Alert Manager for the U.S. Senate.
• Creates filters and monitors active channels in ArcSight on hostile intelligence threats and network and communications vulnerabilities.
• Identifies the immediate action needed and recommends viable countermeasures and corrective actions to the Watch Standers regarding vulnerabilities, malicious code and attacks.
• Authors, proofreads, edits and disseminates daily and time-sensitive incident reports; synthesizes, organizes, and analyzes information under tight deadlines with no impact on quality while staying up to date with the latest activity and status updates.
• Supervises/mentors and assists in the training of junior analysts and newly hired personnel.
• Participates in daily tag-up with Senate Watch Standers.
• Configures nCircle scan profiles and prepares monthly Vulnerability Assessment documents.
• Attends weekly and monthly classified cyber security meetings with numerous agencies, including DHS, JTF-GNO, and US-CERT, to collect and gather intelligence on the latest malicious threats.
• Pass on all intelligence gathered from classified meetings conducted by DHS, US-CERT, and Cyber Command to the US Senate SAA IT Security Staff and within our Security Operations Centers for further analysis, to prevent, analyze, and mitigate the latest emerging threats and suspicious activity.
• Continuously gather open source intelligence from sources such as Malware Domain List, Malware URL, TrustedSource, ThreatExpert and ZeuS Tracker.
• Monitor real-time network traffic and discovered security events and vulnerabilities, analyze the event, and provide recommendations to the US Senate SAA Staff on how the Incident Response should be conducted.
• Conduct event correlation and analysis for events of interest using tools such as ArcSight, IntruShield, Wireshark, Cisco IDS Sensors, SNORT, and NetWitness.
• Complete investigative alert reports on machines that could potentially become infected, or are actually infected, with malware, hack tools, and vulnerabilities that are used to compromise machines and can infect the US Senate network.
• Conduct daily meetings with the SAA in support of the US Senate on the daily incident reports that are pending and the latest emerging threats.
• In charge of the Avaya Government Solutions Vulnerability Assessment team; created and developed all Standard Operating Procedures for this program and all vulnerability scan reports that are performed, along with the analysis report generation, within the U.S. Senate network. Also performed the Quality Assurance process on all scans conducted by the Avaya Government Solutions Vulnerability Assessment team/Vulnerability Management team before they are delivered to the US Senate Sergeant At Arms Vulnerability Management team.
• Configure and conduct vulnerability scans using nCircle.
• Utilize Symantec Security Information Manager, Symantec Reporting System, and Symantec System Center Console to investigate and analyze any suspicious activity on internal hosts, including the best remediation procedure if needed.
• Was in charge of and successfully maintained the entire U.S. Senate Sergeant At Arms Vulnerability Analysis program while instructing the Avaya Government Solutions Vulnerability Analysis Team and communicating directly with the U.S. Senate Security Staff on all requests and recommendations.
August 2007 – October 2008 Forensics and Incident Management Analyst / Incident Handling Analyst
Northrop Grumman at Marine Corps Network Operations and Security Center (MCNOSC)
• Performed network analysis at the MCNOSC that entailed providing to senior management detailed reports on the traffic analysis and traffic flow for the entire Marine Corps grid.
• Conducted in-depth forensic analysis on DoD systems to determine the extent of intrusion-related damage.
• Provided detailed forensic analysis reports on intrusion-related hosts to senior management.
• Conducted forensic investigations that included multiple workstations.
• Used state-of-the-art forensic analysis tools to analyze incidents pertaining to network intrusions, insider threats, and misuse of government information systems.
• Conduct preliminary investigations of incidents and accurately document and report them in the Marine Corps Computer Emergency Response Team (MARCERT) Collection Database, which is directly reported to the JTF-GNO.
• Provide around-the-clock support for all subscriber networks pertaining to network defense matters. Provide the detection portion of the MarCERT mission by providing 24x7 monitoring of the MCEN.
• Conduct event correlation and analysis for events of interest, which may lead to a reportable incident, through Sitepro IDS, IntruShield IPS, and ArcSight.
• Provided infrastructure support assistance with the IDS sensors and consoles, which use a signature-based network intrusion detection system.
• Work extensively with the Network Operations Center and the JTF-GNO to provide global network operations and computer network systems in support of Marine and Joint forces operating worldwide.
• Complete investigations on machines that are infected with many different types of malware, hack tools, and vulnerabilities that are used to compromise machines and can infect the enterprise network.
• Work constantly with IAMs responsible for hosts USMC worldwide to make sure all threats are scanned and cleaned, and to submit reports on the cause of the infection and the incident.
• Work extensively with running vulnerability scans with network tools such as NIKTO, Retina, Nessus, and NMAP.
• Analyze packet captures, Retina scans, First Response data, and RIPPER scan results.
• Analyze network traffic from CyberGuard firewalls and Secure Shell.
Sept. 2005 – Aug. 2007 Aviation Info. System Security Specialist / Customer Service Manager
USMC Marine Aviation Air Group 24, Marine Corps Base Hawaii
• Orchestrated the movement of over $500 thousand in computer assets transported forward to achieve mission requirements that supported heavy helicopter squadrons' forward operations.
• Administered over 1,000 Naval Tactical Command Support System (NTCSS) user accounts aboard MAG 24.
• Assisted in diagnosing internal and external server connectivity for MAG 24.
• Managed the Helpdesk, which was the critical first-echelon problem solver for countless trouble calls for MAG 24.
• Managed 4 Marines on a daily basis to fulfill assigned tasks issued by the Department Chief in a timely manner.
• Maintained the Information Assurance Program for the Marine Corps regarding the overall functions and responsibilities, to include IA inspections.
• Design and manipulate database systems and generate reports as necessary.
• Order, track, and manage replacement parts and necessary supplies for computer suites within the unit.
• Complete administrative assignment letters and correspondence for the entire unit, to include EDS/Navy Marine Corps Intranet assets.
• Received and effectively managed over 3,500 trouble calls for the entire Marine Aircraft Group, which includes over 1,300 users and 2,500 workstations.
• Provided outstanding customer service which directly impacted the operational readiness of the command. Inventoried over 3,000 assets with 100% accountability for 3 years.
• Received 2,500 assets from EDS/NMCI and coordinated the deployment of assets with minimal downtime to users.
• Responsible for the receipt, inventory, management and issue of all Information Technology (IT) assets.
• Trained on all EDS/NMCI aspects such as the Navy Marine Corps Intranet Project, Base CTR, and Information System Coordinator.
• Trained in Analyst and Information System Coordinator (ISC) roles, new user account setup, Service Request forms, and Information Awareness training.
• Responsible for Government sales purchases for different units through Supply and other civilian contracts.
• Achieved network connectivity for two civilian contracted teams aboard MAG 24 to support OMA-level squadron requirements.
Nov. 2003 – Sept. 2005 Aviation Info. System Specialist / Maintenance Support Manager
USMC Marine Aviation Logistics Squadron-24, Marine Corps Base Hawaii
• Responsible for a broad spectrum of digital network and information systems operation, installation, and maintenance in support of Marine Corps and Naval Aviation.
• Assisted in preparing network integration of three external Squadron Warehouse facilities and the MALS Van complex that supported base operations.
• Accountable for the deployment of tactical local and wide area networks to any theater of operation, from company headquarters to shipboard to forward-deployed joint-service environments.
• Maintain and repair data communication links, fiber-optic and tactical fiber-optic cabling.
• Support a myriad of computer and network operating systems including UNIX, Windows NT, Windows 2000, Windows XP, and TCP/IP.
• Transitioned 1,300 unit users from the legacy network to the Navy and Marine Corps Intranet, and assisted in the cutover of 2,500 computer assets.
• Performed Object Creation Module (OCM) data call for 1,300 MAG-24 users.
• Use applications and software programs to access and manage data stored in the computer's memory and database files.
Nov. 2002 – Oct. 2003 Aviation Logistics Tactical Info. System Rep., USMC Aviation Info. System Training, Athens, GA
• Learn to provide technical, operational, and logistical support for all aviation information systems within MAG-24.
• Class leader within the Aviation Logistics Tactical Systems training.
• Learn to provide maintenance support for MALS-24 supply and maintenance departments by supporting NTCSS platforms.
June 2002 – Oct. 2002 USMC Marine Training
Basic Training / Marine Combat Training, Parris Island, S.C. / Camp Lejeune, N.C.
Marine Information Technology Network Operations Center - Quantico, Virginia
• Learn martial arts training, land navigation, Basic Warrior Training, rifle training, and discipline.
• Learn basic skills of being a Marine.
• Learn field operations, while accomplishing the mission in an accurate and precise manner.
• Learn different types of weapons such as grenades, rifles, and military artillery.
Education
Computer Programming for Business Applications
B.S.B.A. Bachelor of Science in Business Administration; Major: Computer Information Systems
1164 Bishop St, Suite 911, Honolulu, Hawaii 96813
(808) 544-0200
High School Diploma
JF Webb High School, Oxford, North Carolina
Professional Certifications
• Security+ Certified 2008
• GCIA Trained
• Defense Threat Reduction Agency Lead Cyber Intel Certified
• MCNOSC MarCERT Intrusion Analyst Certified
• CEH Certified 2012
• Department of Defense Office of the Inspector General Network Security Engineer Certified
Personal Awards
• U.S. Marine Sergeant
• Meritorious Service Medal
• Good Conduct Medal
• Navy Achievement Medal
• Global War on Terrorism Medal