Branch is a fintech company on a mission to empower workers with financial freedom. They are seeking a Corporate Security Engineer responsible for managing endpoint security and insider risk programs, ensuring the safety of corporate identities and data across a remote workforce.
Responsibilities:
- Own the day-to-day administration of CrowdStrike Falcon — prevention policies, detection tuning, custom IOAs, USB device control, and Real Time Response runbooks across the entire Branch endpoint fleet
- Operate and mature ThreatLocker — build and maintain application allowlisting, ringfencing, storage control, and elevation policies; reduce learning-mode exceptions over time and drive measurable hardening progress
- Administer Island Enterprise Browser — define and enforce browser-level policies for SaaS access, copy/paste, downloads, screenshots, and extension governance; align browser controls with insider risk and DLP objectives
- Drive endpoint hardening and configuration baselines for macOS and Windows, including MDM (Jamf / Intune), patch SLAs, FileVault/BitLocker full-disk encryption, and CIS-aligned benchmarks
- Maintain a defensible inventory of endpoints, agents, and coverage gaps, and drive remediation when devices fall out of compliance
- Own corporate-side incident response for endpoint, identity, email, and insider events — from initial triage through containment, eradication, recovery, and post-incident review
- Build and run Branch’s insider risk program — from defining risk indicators (data exfiltration, anomalous access, departing employee behavior) to building detections and response playbooks across endpoint, browser, and SaaS telemetry
- Operate Data Loss Prevention controls across Google Workspace (Drive, Gmail), Island Browser, and endpoint channels; investigate DLP events end-to-end, balancing user friction against data-protection outcomes
- Lead onboarding, offboarding, and role-transition security workflows in partnership with People Operations — enforce least-privilege access, data return at offboarding, and time-bounded monitoring of high-risk departures, and ultimately upskill our IAM team to run these workflows
- Triage and investigate insider risk cases with discretion, partnering with Legal, HR, and GRC on documentation, evidence handling, and outcomes; preserve chain-of-custody on every case
- Develop user-facing guidance and training that reduces accidental risk — phishing reporting, secure handling of customer data, and acceptable use of AI and SaaS tools
- Harden Google Workspace — admin role hygiene, context-aware access, OAuth third-party app governance, advanced phishing/malware protection, and audit logging into the SIEM
- Automate repetitive corporate security work using Python or Bash and orchestration platforms (e.g., Tines, Torq, XSOAR) — alert enrichment, user notifications, evidence collection, and offboarding checks
- Contribute to the corporate vulnerability management program for endpoints and SaaS — prioritization, SLA tracking, and cross-functional remediation
- Serve as a security consultant and escalation point for the broader business on secure configurations, patching, exception requests, and acceptable-use questions
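To make the insider-risk and automation responsibilities above concrete, here is an added illustration (not Branch's code, and not any vendor's log format) of the kind of detection logic the role would build: a small Python script that aggregates constructed SaaS and endpoint telemetry over a trailing window, flags bulk downloads, external sharing and USB writes, and raises severity when the user is on a departing-employee list. The event schema, domain allowlist, thresholds, users and timestamps are all assumptions chosen for the example.

```python
"""Added example: minimal departing-employee exfiltration detection over
constructed telemetry. Schema, thresholds and users are illustrative
assumptions, not a real Workspace, Island or Falcon export."""
from collections import defaultdict
from datetime import datetime, timedelta

CORP_DOMAINS = {"example.com"}            # assumption: corporate mail domains
BULK_DOWNLOAD_BYTES = 500 * 1024 * 1024   # assumption: 500 MiB per window
EXTERNAL_SHARE_COUNT = 3                  # assumption: shares to non-corp domains
WINDOW = timedelta(days=7)                # assumption: trailing lookback

MiB = 1024 * 1024

# Constructed sample events in a simplified, vendor-neutral schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice@example.com", "src": "drive",
     "action": "download", "bytes": 300 * MiB, "target": ""},
    {"ts": "2024-05-01T09:30:00", "user": "alice@example.com", "src": "drive",
     "action": "download", "bytes": 250 * MiB, "target": ""},
    {"ts": "2024-05-01T10:00:00", "user": "alice@example.com", "src": "drive",
     "action": "share", "bytes": 0, "target": "alice.personal@gmail.com"},
    {"ts": "2024-05-01T10:05:00", "user": "alice@example.com", "src": "drive",
     "action": "share", "bytes": 0, "target": "friend@outlook.com"},
    {"ts": "2024-05-01T10:06:00", "user": "alice@example.com", "src": "drive",
     "action": "share", "bytes": 0, "target": "other@outlook.com"},
    {"ts": "2024-05-01T11:00:00", "user": "alice@example.com", "src": "endpoint",
     "action": "usb_write", "bytes": 50 * MiB, "target": "E:"},
    {"ts": "2024-05-01T09:00:00", "user": "bob@example.com", "src": "drive",
     "action": "download", "bytes": 10 * MiB, "target": ""},
    {"ts": "2024-05-01T09:10:00", "user": "bob@example.com", "src": "drive",
     "action": "share", "bytes": 0, "target": "carol@example.com"},
    # Outside the window: must not count toward bob's totals.
    {"ts": "2024-04-01T09:00:00", "user": "bob@example.com", "src": "drive",
     "action": "download", "bytes": 900 * MiB, "target": ""},
]

# Constructed: users with an announced departure, mapped to their last day.
DEPARTING = {"alice@example.com": datetime(2024, 5, 10)}


def is_external(address):
    """True when the recipient's mail domain is not a corporate domain."""
    if "@" not in address:
        return False
    domain = address.rsplit("@", 1)[1].lower()
    return domain not in CORP_DOMAINS


def summarize(events, now):
    """Aggregate per-user indicators over the trailing WINDOW ending at `now`."""
    start = now - WINDOW
    agg = defaultdict(lambda: {"download_bytes": 0,
                               "external_shares": 0,
                               "usb_writes": 0})
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if not (start <= ts <= now):
            continue
        u = agg[e["user"]]
        if e["action"] == "download":
            u["download_bytes"] += e["bytes"]
        elif e["action"] == "share" and is_external(e["target"]):
            u["external_shares"] += 1
        elif e["action"] == "usb_write":
            u["usb_writes"] += 1
    return agg


def detect(events, departing, now):
    """Return one alert per (user, indicator) that crosses its threshold.

    Severity is 'high' when the user is on the departing list, since the
    same activity from a departing employee warrants faster follow-up.
    """
    alerts = []
    for user, s in summarize(events, now).items():
        hits = []
        if s["download_bytes"] >= BULK_DOWNLOAD_BYTES:
            hits.append(("bulk_download", s["download_bytes"]))
        if s["external_shares"] >= EXTERNAL_SHARE_COUNT:
            hits.append(("external_share", s["external_shares"]))
        if s["usb_writes"] > 0:
            hits.append(("usb_write", s["usb_writes"]))
        is_departing = user in departing
        for name, value in hits:
            alerts.append({"user": user, "indicator": name, "value": value,
                           "departing": is_departing,
                           "severity": "high" if is_departing else "medium"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, DEPARTING, datetime(2024, 5, 2)):
        print(a)
```

In practice each indicator would be fed from the real sources named in the responsibilities (Drive audit logs, browser download/upload events, endpoint USB telemetry) and the alert would be handed to an orchestration playbook for enrichment and case creation; the thresholds here are deliberately simple so the aggregation and window logic are easy to read.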
Requirements:
- 3–5 years of experience in a corporate security, endpoint security, security operations, or insider risk role with increasing responsibility
- Hands-on experience with EDR — ideally CrowdStrike Falcon — including detection tuning, custom IOAs/IOCs, and Real Time Response investigations
- Working experience with application control or zero-trust endpoint tooling (ThreatLocker, Airlock, AppLocker, or equivalents) — you understand the operational reality of allowlisting at scale
- Familiarity with enterprise / managed browsers (Island, Talon, Chrome Enterprise) and the data-egress and SaaS access controls they enable; comfort designing browser policy is a strong plus
- Strong Google Workspace security background — admin console controls, context-aware access, OAuth governance, and DLP
- Demonstrated ability to investigate incidents end-to-end — phishing, malware, account compromise, DLP events, and insider risk cases — with disciplined documentation
- Solid fundamentals in identity and access management, endpoint hardening, MDM, logging, and SIEM-based detection
- Scripting proficiency in Python and/or Bash for automation and tooling; experience with security orchestration platforms (Tines, Torq, XSOAR) is a plus
- Strong written and verbal communication — able to explain endpoint and insider risk concepts to non-security partners in HR, Legal, and the executive team
- Strong ethics and discretion — this role regularly handles confidential personnel and investigative information
- Familiarity with security frameworks such as ISO 27001, SOC 2, PCI-DSS, NIST CSF, and CIS Benchmarks