Job Description

About the Organization:

Security Assurance (SA) organization ensures JPMC's most systemic security risks are identified, understood, reported, and clearly connected to our existing controls, new business initiatives and the evolving technology landscape. Through continuous data gathering and technical assessments, identify and measure systemic risk across the firm to drive control uplift requirements where needed and ensure secure architectural patterns are useable, modern and implemented.

Controls Threat Assessments (CTA) team is an integral part of the SA organization. CTA team partners with Blue team, Threat Intelligence and product/engineering teams to develop and run a program to continuously test firm's defensive controls based on prioritized threats to the company. Results from CTA exercise help in enhancement, maintenance and governance of firm's defense controls.

Offensive Security Specialist:

As a Offensive Security Specialist within the CTA team, you will be hands-on in conducting threat-driven assessments for JPMC's technical controls to objectively measure our ability to prevent and detect consequential attack patterns. You will partner with the Blue team, Cyber Intelligence, Threat Modeling, Breach and Attack Simulation teams to understand our attack surface, coverage of controls, monitoring rules and use prioritized TTPs to systematically test controls against real-world threat actor techniques. This team requires thinking like an attacker while understand the various capabilities and limitations of defensive technologies. The CTA team does not perform red teaming, blue teaming, threat hunting, penetration testing or vulnerability assessments but uses similar tools and techniques to evaluate the efficacy of controls against prioritized threats. You will be working with some of the best experts in the industry and faced with complex problem-solving opportunities, causing you to develop new skills as you progress through your career.

Responsibilities:

• Test key threat scenarios against the firm's defense system using prioritized adversarial Tactics, Techniques and Procedures.
• Define the attack surface and map controls that help defend it
• Work closely with Cyber Operations to perform deep-dive technical controls effectiveness testing using both manual and automated means
• Partner with the Breach and Attack Simulation team to create new actions/sequences/monitors to test controls, identify where a control cannot be tested due to context, environment issues, tooling limitations etc, write new bespoke actions based on research into new techniques
• Work with product security and other security partners to align remediation efforts that best protect the firm
• Collaborate with product and engineering teams to feed evidence for tracking/visualization, help mature products based on testing outcomes and industry advances
• Develop, maintain and improve documentation and processes to ensure robust resilience and auditability

Requirements:

• Bachelor's degree in Computer Science/Information Technology related field
• Minimum 7 years of relevant work experience
• Solid experience working in offensive/defensive security teams like Pentest, Redteam or Blue team
• Foundational knowledge of cybersecurity organization practices, operations, risk management processes, principles, architectural requirements, engineering and threats and vulnerabilities
• Ability to collaborate with high-performing Agile teams and individuals throughout the firm to accomplish goals
• Ability to analyze vulnerabilities, threats, designs, procedures and architectural design, producing reports and sharing intelligence
• Thorough knowledge of network protocols
• Good understanding of security architecture and controls
• Solid understanding of MITRE ATT&CK framework
• Proficient in at least one programming language (e.g. Python) to facilitate technical testing
• Experience with usage of SIEM tools is beneficial
• Well recognized advanced offensive/defensive security certifications from reputed bodies like SANS, Offsec and CREST would be an added advantage
• Adept at explaining technical jargon to non-technical parties
• Excellent report writing and presentation skills
• Willingness to learn and drive to excel is a must

J.P. Morgan is a global leader in financial services, providing strategic advice and products to the world's most prominent corporations, governments, wealthy individuals and institutional investors. Our first-class business in a first-class way approach to serving clients drives everything we do. We strive to build trusted, long-term partnerships to help our clients achieve their business objectives. We recognize that our people are our strength and the diverse talents they bring to our global workforce are directly linked to our success. We are an equal opportunity employer and place a high value on diversity and inclusion at our company. We do not discriminate on the basis of any protected attribute, including race, religion, color, national origin, gender, sexual orientation, gender identity, gender expression, age, marital or veteran status, pregnancy or disability, or any other basis protected under applicable law. In accordance with applicable law, we make reasonable accommodations for applicants' and employees' religious practices and beliefs, as well as any mental health or physical disability needs.