Job Title: Senior Identity & Privileged Access Security Analyst - Ransomware Focus
Purpose / Objective:
The Senior Identity & Privileged Access Security Analyst will drive the assessment, configuration, and monitoring of identity and privileged access controls specifically to inhibit ransomware attacks. This role is tightly scoped to Tier-0 systems, Entra ID (Azure AD), Conditional Access, MFA, and privileged access mechanisms, ensuring that security controls prevent ransomware escalation, persistence, and lateral movement. All activities will feed directly into actionable remediation plans aligned with the Deep Dive framework and RMG Technical Baseline.
Key Responsibilities:
1. Entra ID, Conditional Access & MFA (Ransomware-Critical Controls Only)
Assess and validate MFA enforcement for all privileged roles.
Review Conditional Access (CA) policies for exclusions, bypasses, legacy authentication risks, and risk-based CA (sign-in risk, user risk).
Evaluate break-glass governance processes.
Monitor Identity Protection for high-risk events.
Assess synchronization configurations (PTA/PHS/Cloud Sync) for potential risk vectors.
Review app registrations and service principal permissions that could allow persistence.
Ensure alignment with Deep Dive MFA, CA, and Identity Protection configuration controls, limited to ransomware-relevant scenarios.
2. Identity Segmentation & Tiering (Tier-0 Focus Only)
Define and enforce Tier-0 boundary controls.
Validate isolation of Tier-1/2 accounts to prevent lateral movement.
Implement identity-driven segmentation strategies.
Ensure privileged access follows Bastion-only pathways and PAW → Bastion → Tier-0 enforcement.
Align segmentation controls with RMG Technical Baseline and Deep Dive standards, strictly limited to ransomware risk mitigation.
3. Privileged Access Management (Tier-0 Only)
Assess Tier-0 systems including ESXi/VMware root accounts, AD/DC backbone, PKI, and federation control plane.
Validate vaulting, automated rotation, and session brokering/recording for privileged accounts.
Ensure PIM eligibility (no standing privileges), mandatory Bastion usage, and PAW-only access for Tier-0.
Exclude non-critical PAM areas and document scope boundaries.
4. Monitoring, SIEM & Detection (Identity + Tier-0 Only)
Ensure the minimum telemetry required to detect ransomware escalation is collected:
  AD and Entra logs
  PIM/PAM activation events
  Bastion session logs
  EDR telemetry on Tier-0 servers
  Detection of DCSync, DCShadow, and token theft
Correlate identity, privilege, network, and endpoint data to identify ransomware activity.
Align monitoring with the Deep Dive framework, but limit the focus to Tier-0 and identity-led detection.
Key Principles / Scope:
Tightly Scoped: Activities strictly focus on ransomware inhibition.
Framework-Aligned: Aligned with Deep Dive and RMG Technical Baseline controls.
Actionable Outputs: Findings and assessments directly feed into remediation plans.
Exclusions: Broad segmentation, general PAM deployment, and non-Tier-0 monitoring are out of scope.
Qualifications / Requirements:
Strong experience in Entra ID / Azure AD, Conditional Access, and MFA.
Deep knowledge of Tier-0 identity and privileged access models.
Experience with PIM/PAM, Bastion, PAW, and vaulting solutions.
Expertise in monitoring, SIEM, and detection focused on identity and Tier-0 systems.
Solid understanding of ransomware attack vectors, privilege escalation, and lateral movement.
Familiarity with Deep Dive framework, RMG Technical Baseline, or equivalent identity security frameworks.