Job Description
Ally and Your Career

Ally Financial only succeeds when its people do - and that's more than some cliché people put on job postings. We live this stuff! We see our people as, well, people - with interests, families, friends, dreams, and causes that are all important to them. Our focus is on the health and safety of our teammates as well as work-life balance and diversity and inclusion. From generous benefits to a variety of employee resource groups, we strive to build paths that encourage employees to stretch themselves professionally. We want to help you grow, develop, and learn new things. You're constantly evolving, so shouldn't your opportunities be, too?

Work Schedule

Ally designates roles as (1) fully on-site, (2) hybrid, or (3) fully remote. Hybrid roles are generally expected to be in the office a certain number of days per week as indicated by your manager. Your hiring manager will discuss this role's specific work requirements with you during the hiring process. All work requirements are subject to change at any time based on leader discretion and/or business need.

The Opportunity

We are seeking a Principal Cyber Security Engineer with hands-on experience designing, deploying, and optimizing SIEM (Security Incident & Event Management) platforms at scale. The individual will own the end-to-end lifecycle of SIEM capability—from architecture and data onboarding to content engineering, automation, and continuous improvement. The individual will collaborate with SOC analysts, incident responders, threat hunters, IT operations, and application teams to ensure high-fidelity detections, actionable visibility, and reliable, compliant log management.

At this time, Ally will not sponsor a new applicant for employment authorization for this position.

The Work Itself

SIEM Architecture & Ownership
- Design and maintain the SIEM architecture, including data ingestion pipelines, parsers, normalization schemas, storage tiers, and retention strategies.
- Evaluate and implement SIEM platform features and integrations; drive upgrades and migrations as needed.

Data Onboarding & Normalization
- Onboard logs from diverse sources (EDR, firewalls, IDS/IPS, IAM, AD, DNS, proxies, email security, cloud platforms like AWS/Azure/GCP, SaaS apps, containers/Kubernetes, DBs, identity providers).
- Implement data quality monitoring and SLA-driven dashboards for ingestion health, parser accuracy, and data latency.

Performance, Scale, and Reliability
- Optimize SIEM performance: indexing, search speed, hot/warm/cold storage, retention, and cost control.
- Implement role-based access control, multitenancy (if applicable), and data governance.
- Ensure high availability and disaster recovery; document and test failover procedures.

Monitoring, Metrics, and Continuous Improvement
- Define KPIs/KRIs (e.g., MTTD, alert quality, data freshness, coverage, false positive rate).
- Lead purple-team exercises and detection gap assessments; drive remediation.
- Provide runbooks, knowledge base articles, and training to SOC and IT teams.

Compliance & Governance
- Align SIEM data handling with regulatory and contractual requirements (e.g., SOC 2, ISO 27001, PCI-DSS, HIPAA, GDPR).
- Implement data minimization, masking, and retention policies; support audits and eDiscovery.

Collaboration & Leadership
- Partner with IT/Cloud/Data teams to implement logging at source and ensure secure, reliable transport.
- Mentor junior engineers and analysts; perform code reviews and content validation.
- Contribute to security architecture reviews for new systems and applications.

Skills

The Skills You Bring

Minimum Qualifications
- 7+ years of relevant experience
- Bachelor's degree or equivalent

Preferred Qualifications
- Highly preferred: 5+ years of experience in SIEM engineering or closely related security engineering roles.
- Highly preferred: Proven expertise with at least one enterprise SIEM platform end-to-end, preferably Splunk and Cribl (e.g., Splunk, Microsoft Sentinel, QRadar, Elastic Security, Exabeam, Sumo Logic, LogRhythm, Chronicle).
- Strong proficiency in data parsing and normalization (e.g., regex, grok, KQL, SPL, AQL, Lucene).
- Scripting/automation (e.g., Python, PowerShell, REST APIs, Terraform/Ansible preferred).
- Log source onboarding from Windows/Linux, AD, network devices, cloud services, EDR, and SaaS.
- Experience with cloud logging and security services (e.g., AWS CloudTrail/CloudWatc