Bungie is currently seeking an Information Security Engineer with a focus on Threat & Vulnerability Management to help secure the data, assets, and systems that enable us to make world class games. Do you enjoy tackling unique challenges and creating solutions to empower your team's workflow while reducing risk? Are you looking for an opportunity to leave your mark on the world around you? If so, we may be looking for you!
Our Information Security team partners with departments across the Studio to provide architectural and security assessments, analyze systems and workflows, maintain and deploy new information security systems, and respond to security incidents. As the threat & vulnerability management product owner you'll work with asset and service owners to ensure that we can provide up to date information about our hardware and software assets, enabling collection of vulnerabilities for review and remediation. Through cross-team collaboration and our Security Awareness Training program you'll help equip Bungie with the information needed to protect themselves and Bungie's assets from loss or harm. You will build and grow key relationships across teams and with leadership to drive implementation, define metrics, and continuously improve our ability to protect, educate, and respond to vulnerabilities and threats. Join our team and help build solutions and systems that will protect the availability and integrity of our team, our assets, and our customers.
- Owning and maturing our vulnerability management and security awareness programs.
- Strive to continuously improve current vulnerability assessment coverage, quality, and capabilities through new services or processes, and use results to refine program strategy.
- Work across teams to identify and prioritize security weaknesses and ensure reasonable resolution timelines.
- Maintain scan inventories for dept and asset owners, compliance, business critical, external and internal assets for scanning and testing.
- Coordinate vulnerability reporting, analyze and document findings, and prioritize and recommend remediation actions.
- Communicate with technical experts, stakeholders and executive leadership to clearly explain risks, controls, remediation plans and mitigations.
- Partner with IT and Product teams who implement systems and technology, aligning hardened configurations and security standards to their processes and reducing vulnerabilities.
- Responsible for conducting enterprise-wide periodic cybersecurity awareness campaigns and maintains metrics on those results.
- Develops enterprise-wide cybersecurity awareness content to educate employees and promote security awareness.
- Experience in vulnerability management, information assurance, and security operations.
- Experience delivering threat intelligence processes, methodologies, technology, products, or tools; extensive experience with core vulnerability management scanners (e.g. Rapid7, Tenable, Qualys etc.); experience with web application scanners (e.g. InsightAppSec, Burp, etc.).
- Ability to clearly articulate risk and provide actionable remediation guidance.
- Fundamental understanding of vulnerability, threat, and risk.
- Understanding of enterprise, network, system/endpoint, and application-level security issues and risks.
- Experience with Threat Modeling, security assessments, and evaluating mitigating controls.
- Experience configuring, hardening, and maintaining Windows, Linux, and MacOS endpoints.
- Experience with securing Microsoft Windows environments, Active Directory controls and permissions, and group policies.
- Understand how to assess and prioritize risks specific to environments (cloud, subsidiaries, enterprise network, labs, factories) based on the controls in place.
- The ability to perform deep dive analysis of threats and techniques, tactics and procedures (TTPs) and produce high-quality written, actionable intelligence on current and developing threats, particularly those faced by the Gaming industry.
- Familiar with compliance control and risk management frameworks, creation of reports and dashboards to monitor the effectiveness of technical controls and risks.
- Experience with network-based detective controls like IDS, IPS and various SIEMs.
- Experience evaluating and implementing security solutions including installation, configuration, and automation of processes.
- Experience in securing Cloud platforms including AWS, GCP, and Azure, implementing and maintaining both native and 3rd party security services and tools across those environments.
- Knowledge of Red Team Tools such as Kali, Nmap, Cobalt Strike, PowerShell Empire, Mimikatz, Metasploit, SQLMap.
- Knowledge of the OWASP Top 10
- Demonstrated knowledge and skill in exploitation tactics including, but not limited to, buffer overflows, heap overflows, format string attacks, cross-site scripting, SQL injection, LFI and RFI, cross-site request forgery, server-side request forgery, XXE, pass-the-hash, ARP poisoning, wi-fi injection, phishing, credential harvesting, MiTM, AP spoofing, brute forcing, etc.
- Able to demonstrate risk with post-exploitation tactics such as pivoting, data scavenging, privilege escalation, etc.
- Familiarity of the NIST CSF and MITRE ATT&CK frameworks
- One or more of following certifications a plus: OSCP, OSCE, GPEN, or CISSP
In 2022, most Bungie employees will adopt a flexible schedule working from home part time (outside of positions identified as either 100% onsite or fully remote in CA, FL, IL, NC, TX, and WA). Currently only a select range of positions are available for full-time remote work in CA, FL, IL, NC, TX, and WA (please review location for details). Prospective employees located outside of CA, FL, IL, NC, TX, and WA will need to establish residency in one of the states we are compliant in within 45 days of a start date. Bungie’s work from home, flexible work schedule, and remote policy is subject to change at the company’s discretion.
Bungie provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.
This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.
Please be aware that fictitious job openings, consulting engagements, solicitations, or employment offers may be circulated on the Internet in an attempt to obtain privileged information, or to induce you to pay a fee for services related to recruitment or training. Bungie does NOT charge any application, processing, or training fee at any stage of the recruitment or hiring process. All genuine job openings will be posted here on our careers page and all communications from the Bungie recruiting team and/or hiring managers will be initiated from an @bungie.com email address.