xelys jobs

Senior Security Operations Engineer

Included Health

full-remote, senior, permanent, security, backend | United States | Yesterday via LinkedIn

Tags

Data Loss Prevention (DLP), Security Operations, Incident Response, SIEM, SOAR, CASB, EDR, Python, PowerShell, AWS

About the role

Role Overview

The Senior Security Operations Engineer will design, implement, and continuously improve Data Loss Prevention (DLP) protections across Included Health’s corporate and cloud environments. You will lead hands-on DLP deployment and tuning across endpoint, network, and SaaS, and investigate suspected data exfiltration events.

Responsibilities

  • Lead response for DLP and data security incidents: investigate, contain, remediate, and perform root cause analysis for suspected data exfiltration or improper handling.
  • Own the deployment, configuration, and continuous tuning of DLP controls across:
    • Endpoints
    • Network egress
    • SaaS applications
    • Cloud storage
  • Protect PHI, PII, PCI, and other sensitive data.
  • Develop and maintain DLP policies, rules, and classifications balancing security, usability, and regulatory/client requirements.
  • Build and refine automated response playbooks/workflows to enrich, triage, and respond to DLP alerts and reduce manual effort and mean time to respond.
  • Proactively hunt for anomalous data movement using DLP telemetry plus EDR, SIEM, and identity signals (e.g., unusual destinations/channels/volumes).
  • Partner with Security Engineering, IT, Legal, Privacy, Compliance, and business stakeholders to define secure data-handling patterns and exception processes.
  • Contribute to broader incident response activities where data exposure or regulatory impact is a concern (evidence handling and stakeholder communication).
  • Define and track DLP metrics (coverage, detection quality, MTTD/MTTR, false positive rate) and report progress to security leadership and cross-functional partners.

Requirements

  • 5+ years of hands-on experience in security operations, incident response, or security engineering with a strong focus on data protection and DLP.
  • Direct, hands-on experience deploying, tuning, and operating DLP tools in production (endpoint, network, SaaS and/or cloud).
  • Experience implementing and operating Cloud Access Security Broker (CASB) or similar SaaS security controls.
  • Deep experience integrating DLP signals into SIEM/SOAR workflows (e.g., CrowdStrike, Splunk, Sentinel).
  • Advanced scripting/automation skills (Python, PowerShell, and/or KQL/SQL) for enrichment, tuning, and reporting at scale.
  • Proven experience with EDR platforms (e.g., CrowdStrike, SentinelOne) used alongside DLP to investigate and contain data-focused incidents.
  • Strong experience with cloud data protection in AWS, including identifying/remediating misconfigurations and leveraging native services and CSPM tooling (e.g., GuardDuty, Security Hub).
  • Experience designing and maintaining data classification and policy frameworks for PHI/PII/PCI and other sensitive data types.

Nice-to-haves

  • Experience contributing to adjacent security operations functions (incident response and vulnerability management) where data protection intersects.

About Included Health

Included Health is a healthcare technology organization that applies data and technology to improve care delivery. The company operates in the health/healthcare services space and focuses on building secure, compliant systems to handle sensitive patient information (PHI).

Scraped 4/12/2026
