Job Information
SanDisk Security Operations Center Analyst L2 in Batu Kawan, Malaysia
Company Description
Sandisk understands how people and businesses consume data and we relentlessly innovate to deliver solutions that enable today’s needs and tomorrow’s next big ideas. With a rich history of groundbreaking innovations in Flash and advanced memory technologies, our solutions have become the beating heart of the digital world we’re living in and that we have the power to shape.
Sandisk meets people and businesses at the intersection of their aspirations and the moment, enabling them to keep moving and pushing possibility forward. We do this through the balance of our powerhouse manufacturing capabilities and our industry-leading portfolio of products that are recognized globally for innovation, performance and quality.
Sandisk has two facilities recognized by the World Economic Forum as part of the Global Lighthouse Network for advanced 4IR innovations. These facilities were also recognized as Sustainability Lighthouses for breakthroughs in efficient operations. With our global reach, we ensure the global supply chain has access to the Flash memory it needs to keep our world moving forward.
Job Description
The Security Operations Center (SOC) Analyst L2 is a critical member of the Information Security team responsible for monitoring, detecting, analyzing, and responding to cybersecurity threats across the organization's environment. This role serves as the frontline defense against adversarial activity, operating within a 24×7 detection-first SOC model.
The primary responsibility of this position is the security alert workflow: the continuous triage, investigation, and disposition of security alerts and events generated across our security tooling ecosystem. Beyond queue operations, this role offers structured growth into threat hunting, detection engineering, incident response, vulnerability management, insider risk management, and cross-functional InfoSec support.
ESSENTIAL DUTIES AND RESPONSIBILITIES:
DETECTION & MONITORING (PRIMARY FOCUS)
Monitor detection queues and prioritize alerts based on risk, impact, and context, ensuring SLA compliance across the shift
Perform in-depth analysis and correlation of alerts across SIEM, EDR, email, cloud, network, and identity security tools to validate incidents
Investigate suspicious or malicious activity end-to-end across endpoints, identities, network, and cloud environments
Accurately classify, scope, and disposition incidents, producing evidence-based documentation suitable for audits and metrics
Own incident records in the case management platform through investigation, containment coordination, and closure
Escalate confirmed or high-impact incidents to L3 or Incident Response leads
Ensure high-quality shift handoffs, including investigative context, hypotheses, and pending actions
Contribute to SOC documentation by updating playbooks, SOPs, runbooks, and training materials based on observed gaps or lessons learned
Provide guidance and mentoring to L1 analysts during investigations and triage
INCIDENT RESPONSE (AS NEEDED)
Support incident response efforts during active security events, including evidence gathering, containment actions, and timeline construction
Assist in the preparation of incident summaries, post-incident reports, and lessons-learned documentation
Execute containment and remediation actions under the guidance of IR leads (e.g., endpoint isolation, account disablement)
Participate in tabletop exercises and IR simulations to develop and validate response readiness
THREAT HUNTING (STRUCTURED OPPORTUNITIES)
Participate in threat hunting missions derived from threat intelligence reporting, new TTPs, or internal hypotheses
Query SIEM, EDR, and log sources proactively to identify undetected malicious activity or policy gaps
Document hunting findings and translate confirmed gaps into detection use cases or tuning recommendations
Leverage frameworks such as MITRE ATT&CK to structure hunting hypotheses and report on coverage gaps
DETECTION ENGINEERING (COLLABORATIVE SUPPORT)
Contribute to the development, testing, and refinement of detection rules and correlation logic in the SIEM
Analyze emerging threats and map indicators and behaviors to proposed detection logic
Validate new detections in a test environment and provide real-world feedback from queue experience
Assist with SIEM content library management including periodic rule review and retirement of stale logic
VULNERABILITY MANAGEMENT (SUPPORTING ROLE)
Review vulnerability scan results and assist in triaging findings based on severity, exploitability, and asset criticality
Support the coordination of remediation activities with IT asset owners, tracking tickets through to closure
Cross-reference active vulnerabilities with threat intelligence to identify weaponized CVEs that require prioritization
Assist in producing vulnerability reporting for team leads and stakeholders on a periodic basis
INSIDER RISK MANAGEMENT (SUPPORTING ROLE)
Support the review and triage of alerts generated by User and Entity Behavior Analytics (UEBA) platforms, Data Loss Prevention (DLP) tools, and insider threat-specific monitoring solutions
Correlate insider risk indicators across identity, endpoint, email, and cloud data sources to build a complete picture of potential policy violations or malicious intent
Assist in the investigation of data exfiltration attempts, unauthorized access to sensitive systems, and anomalous after-hours or off-network activity
Maintain strict confidentiality and chain-of-custody standards when handling insider risk cases, ensuring investigations are properly documented and legally defensible
Contribute to the ongoing refinement of the Insider Threat Program by surfacing patterns, gaps, and lessons learned from completed investigations
CROSS-FUNCTIONAL INFOSEC SUPPORT (AD HOC/STRUCTURED)
Serve as an available resource to other InfoSec teams, lending hands-on support for security-related tasks, reviews, and initiatives on an as-needed basis
Assist with security awareness initiatives, phishing simulations, and education campaigns
Support access reviews, security tool deployments, and policy compliance assessments as directed
Qualifications
Required:
Bachelor's degree in Cybersecurity, Computer Science, Information Systems, or equivalent practical experience
1-3+ years of experience in a SOC, IT security, or related technical role, depending on the level applied for
Familiarity with enterprise IT environments including Windows/Linux systems, Active Directory, and cloud platforms (Azure, AWS, GCP)
Experience with security tools such as SIEM (Sentinel, Splunk), EDR (CrowdStrike, SentinelOne, Defender), or email security platforms
Preferred:
CompTIA Security+, CySA+, or equivalent foundational security certification
Microsoft SC-200 (Security Operations Analyst) or AZ-900/AZ-500
Skills:
TECHNICAL SKILLS
Proficiency in analyzing and correlating logs across multiple security and data sources to validate incidents
Working knowledge of attacker tactics, techniques, and procedures (TTPs) mapped to the MITRE ATT&CK framework
Demonstrated understanding of network protocols, traffic analysis, and common attack vectors to support investigations
Familiarity with basic scripting or query languages (e.g., Python, PowerShell, KQL, SPL) to assist with investigations and efficiency
Experience managing and investigating cases end-to-end using ITSM or case management platforms
Demonstrated understanding of the incident response lifecycle, NIST CSF concepts, and the cyber kill chain, with the ability to apply them during investigations
SOFT SKILLS & WORK STYLE
Analytical and critical-thinking skills with high attention to detail
Clear and concise written and verbal communication, including to non-technical stakeholders
Ability to remain composed and effective under pressure during active security incidents
Team-oriented and collaborative with a proactive, security-first mindset
Ability to approach security challenges with genuine curiosity and a questioning attitude, consistently digging deeper to understand the "why" behind alerts, behaviors, and anomalies rather than accepting surface-level conclusions
Career Progression
Analyst I
PRIMARY FOCUS
First-pass alert triage
Alert classification and basic investigation
Data collection and alert enrichment
Following established playbooks and SOPs
Accurate case documentation in case management platform
Escalation to L2/L3 where appropriate
KEY COMPETENCIES
Understand common attack vectors
Navigate security tooling proficiently
Apply MITRE ATT&CK conceptually
Analyst II
PRIMARY FOCUS
Deep-dive investigation of escalated and notable alerts
Lead coordination of remediation and containment for single-asset incidents
Active threat hunting participation
Detection rule feedback and tuning
Mentoring L1 analysts
KEY COMPETENCIES
Root cause analysis across multi-source evidence
Write/contribute to detection use cases
Operate independently across all alert types
Analyst III
PRIMARY FOCUS
Co-lead and orchestrate complex incidents
Design and author detection content
Act as SME for escalated issues
Influence SOC strategy and process improvement
Mentoring L1/L2 analysts
KEY COMPETENCIES
Expert SIEM query and detection authoring
Malware analysis and forensic investigation
Own SOC runbooks and playbooks
Additional Information
Sandisk thrives on the power and potential of diversity. As a global company, we believe the most effective way to embrace the diversity of our customers and communities is to mirror it from within. We believe the fusion of various perspectives results in the best outcomes for our employees, our company, our customers, and the world around us. We are committed to an inclusive environment where every individual can thrive through a sense of belonging, respect and contribution.
Sandisk is committed to offering opportunities to applicants with disabilities and ensuring all candidates can successfully navigate our careers website and our hiring process. Please contact us at jobs.accommodations@sandisk.com (staffingsupport@wdc.com) to advise us of your accommodation request. In your email, please include a description of the specific accommodation you are requesting as well as the job title and requisition number of the position for which you are applying.
NOTICE TO CANDIDATES: Sandisk has received reports of scams where a payment is requested on Sandisk’s behalf as a condition for receiving an offer of employment. Please be aware that Sandisk and its subsidiaries will never request payment as a condition for applying for a position or receiving an offer of employment. Should you encounter any such requests, please report it immediately to Sandisk Ethics Helpline (https://secure.ethicspoint.com/domain/media/en/gui/95737/index.html) or email compliance@sandisk.com.