Cyber SOC Incident Response Specialist
Cyber SOC Incident Response Specialist
Position Snapshot
Location: Petaling Jaya, Malaysia
Company: Nestlé Regional Service Centre
Full-time - Hybrid
6+ years experience
Position Summary
Joining Nestlé means becoming part of the world's largest Food and Beverage company. At our core, we are a people-driven organisation committed to enhancing quality of life and contributing to a healthier future. We empower our employees to grow professionally while making a meaningful impact both locally and globally.
We are looking for a CyberSOC Incident Response Specialist to lead the investigation and response to complex cybersecurity incidents across our global enterprise environment. You will play a key role in protecting Nestlé's digital assets by driving incident response, threat hunting, forensic investigations and continuous security improvements in collaboration with global security and business teams.
A day in the life of a CyberSOC Incident Response Specialist
- Lead end-to-end technical investigations across endpoint (EDR/XDR), identity (cloud and on-premises directory services), email, network (proxy, DNS, firewall), public cloud, and SaaS environments, driving hypothesis-based analysis from initial detection to full attack chain reconstruction.
- Perform deep-dive investigation using enterprise SIEM platforms, EDR/XDR telemetry, cloud audit and control-plane logs, unified email and collaboration audit trails, identity sign-in and authentication logs, and network flow/packet data to establish scope, root cause, dwell time, and attacker objectives.
- Investigate advanced attack scenarios including Adversary-in-the-Middle (AiTM) phishing, Business Email Compromise (BEC), OAuth consent grant abuse, session token theft and replay, Kerberoasting, Golden/Silver Ticket attacks, ransomware pre-encryption activity, DCSync, lateral movement via SMB/RDP/WMI/PsExec, cloud privilege escalation, insider data exfiltration, and third-party/supply-chain compromise.
- Drive containment, eradication, and recovery through concrete actions such as active session and refresh token revocation, conditional access policy hardening, credential rotation, domain-level key material reset, endpoint host isolation, malicious OAuth application disablement, cloud IAM credential rotation, and audit log integrity restoration — coordinating with Security Engineering, Cloud, Identity, Legal, and Privacy teams.
- Execute forensically sound evidence acquisition and preservation — memory captures, disk imaging, browser artefacts, prefetch, registry hives, mailbox exports, and cloud audit-log snapshots — with strict chain-of-custody discipline aligned to audit and legal requirements.
- Build timeline-based attack chain reconstructions, mapping adversary behaviours to MITRE ATT&CK tactics, techniques, and sub-techniques, and correlating IOCs, IOAs, and TTPs against threat intelligence feeds to attribute activity and inform response.
- Act as Incident Commander during P1/P2 major incidents — running the bridge, orchestrating parallel investigation streams, delivering 30-minute cadence updates, and making evidence-based containment decisions under time pressure across global time zones.
- Produce executive-ready deliverables — CISO briefings, root cause analyses, MITRE-mapped attack narratives, dwell-time and impact metrics, prioritized remediation roadmaps, and post-incident lessons learned that translate into process, detection, or control improvements.
- Drive proactive threat hunting using hypothesis-driven methodology, develop and tune detection analytics and orchestration/response playbooks, translate hunt findings into production-grade detections with defined precision/recall metrics, and contribute to detection engineering pipelines and ATT&CK coverage maturity.
- Mentor L1/L2 analysts on investigation methodology, tool proficiency, and adversary tradecraft; participate in rotational on-call coverage supporting the 24×7 CyberSOC operational model, and represent CSIRT in cross-functional forums and purple-teaming exercises.
Job requirements
- Bachelor's Degree in Cybersecurity, Computer Science, Information Security, Digital Forensics or a related discipline.
- 6–8 years of experience in Cybersecurity, Security Operations, Incident Response or Digital Forensics.
- Proven experience managing enterprise-scale cybersecurity incidents from investigation through recovery.
- Strong knowledge of incident response, threat hunting, digital forensics and attacker tactics.
- Hands-on experience with SIEM, EDR/XDR, cloud security, identity security and threat intelligence platforms.
- Experience investigating endpoint, network, email, identity and cloud security incidents.
- Proficiency in security query languages or scripting such as KQL, SPL, SQL, Python or PowerShell.
- Strong analytical, stakeholder management and communication skills.
- Relevant cybersecurity certifications such as CISSP, GCIH, GCFA, GCFE, security operations analyst certifications, or cloud security engineer certifications are preferred.
- Proficiency in Mandarin (spoken and written) at a business communication level is an advantage.
- Experience in a multinational or enterprise-scale environment is preferred.
Position Snapshot
Location: Petaling Jaya, Malaysia
Company: Nestlé Regional Service Centre
Full-time - Hybrid
6+ years experience
Position Summary
Joining Nestlé means becoming part of the world's largest Food and Beverage company. At our core, we are a people-driven organisation committed to enhancing quality of life and contributing to a healthier future. We empower our employees to grow professionally while making a meaningful impact both locally and globally.
We are looking for a CyberSOC Incident Response Specialist to lead the investigation and response to complex cybersecurity incidents across our global enterprise environment. You will play a key role in protecting Nestlé's digital assets by driving incident response, threat hunting, forensic investigations and continuous security improvements in collaboration with global security and business teams.
A day in the life of a CyberSOC Incident Response Specialist
- Lead end-to-end technical investigations across endpoint (EDR/XDR), identity (cloud and on-premises directory services), email, network (proxy, DNS, firewall), public cloud, and SaaS environments, driving hypothesis-based analysis from initial detection to full attack chain reconstruction.
- Perform deep-dive investigation using enterprise SIEM platforms, EDR/XDR telemetry, cloud audit and control-plane logs, unified email and collaboration audit trails, identity sign-in and authentication logs, and network flow/packet data to establish scope, root cause, dwell time, and attacker objectives.
- Investigate advanced attack scenarios including Adversary-in-the-Middle (AiTM) phishing, Business Email Compromise (BEC), OAuth consent grant abuse, session token theft and replay, Kerberoasting, Golden/Silver Ticket attacks, ransomware pre-encryption activity, DCSync, lateral movement via SMB/RDP/WMI/PsExec, cloud privilege escalation, insider data exfiltration, and third-party/supply-chain compromise.
- Drive containment, eradication, and recovery through concrete actions such as active session and refresh token revocation, conditional access policy hardening, credential rotation, domain-level key material reset, endpoint host isolation, malicious OAuth application disablement, cloud IAM credential rotation, and audit log integrity restoration — coordinating with Security Engineering, Cloud, Identity, Legal, and Privacy teams.
- Execute forensically sound evidence acquisition and preservation — memory captures, disk imaging, browser artefacts, prefetch, registry hives, mailbox exports, and cloud audit-log snapshots — with strict chain-of-custody discipline aligned to audit and legal requirements.
- Build timeline-based attack chain reconstructions, mapping adversary behaviours to MITRE ATT&CK tactics, techniques, and sub-techniques, and correlating IOCs, IOAs, and TTPs against threat intelligence feeds to attribute activity and inform response.
- Act as Incident Commander during P1/P2 major incidents — running the bridge, orchestrating parallel investigation streams, delivering 30-minute cadence updates, and making evidence-based containment decisions under time pressure across global time zones.
- Produce executive-ready deliverables — CISO briefings, root cause analyses, MITRE-mapped attack narratives, dwell-time and impact metrics, prioritized remediation roadmaps, and post-incident lessons learned that translate into process, detection, or control improvements.
- Drive proactive threat hunting using hypothesis-driven methodology, develop and tune detection analytics and orchestration/response playbooks, translate hunt findings into production-grade detections with defined precision/recall metrics, and contribute to detection engineering pipelines and ATT&CK coverage maturity.
- Mentor L1/L2 analysts on investigation methodology, tool proficiency, and adversary tradecraft; participate in rotational on-call coverage supporting the 24×7 CyberSOC operational model, and represent CSIRT in cross-functional forums and purple-teaming exercises.
Job requirements
- Bachelor's Degree in Cybersecurity, Computer Science, Information Security, Digital Forensics or a related discipline.
- 6–8 years of experience in Cybersecurity, Security Operations, Incident Response or Digital Forensics.
- Proven experience managing enterprise-scale cybersecurity incidents from investigation through recovery.
- Strong knowledge of incident response, threat hunting, digital forensics and attacker tactics.
- Hands-on experience with SIEM, EDR/XDR, cloud security, identity security and threat intelligence platforms.
- Experience investigating endpoint, network, email, identity and cloud security incidents.
- Proficiency in security query languages or scripting such as KQL, SPL, SQL, Python or PowerShell.
- Strong analytical, stakeholder management and communication skills.
- Relevant cybersecurity certifications such as CISSP, GCIH, GCFA, GCFE, security operations analyst certifications, or cloud security engineer certifications are preferred.
- Proficiency in Mandarin (spoken and written) at a business communication level is an advantage.
- Experience in a multinational or enterprise-scale environment is preferred.
KUALA LUMPUR, MY, 60000
KUALA LUMPUR, MY, 60000