Principal Cyber Security Engineer
Listed on 2026-03-03
IT/Tech
Cybersecurity
General information
# 21642
Remote? No
Ally and Your Career
Ally Financial only succeeds when its people do - and that's more than some cliché people put on job postings. We live this stuff! We see our people as, well, people - with interests, families, friends, dreams, and causes that are all important to them. Our focus is on the health and safety of our teammates as well as work-life balance and diversity and inclusion.
From generous benefits to a variety of employee resource groups, we strive to build paths that encourage employees to stretch themselves professionally. We want to help you grow, develop, and learn new things. You’re constantly evolving, so shouldn’t your opportunities be, too?
We are seeking a Principal Cyber Security Engineer with hands-on experience designing, deploying, and optimizing SIEM (Security Information and Event Management) platforms. This individual will own the end-to-end lifecycle of the SIEM capability, from architecture and data onboarding to content engineering, automation, and continuous improvement. The individual will collaborate with SOC analysts, incident responders, threat hunters, IT operations, and application teams to ensure high-fidelity detections, actionable visibility, and reliable, compliant log management.
At this time, Ally will not sponsor a new applicant for employment authorization for this position.
The Work Itself
SIEM Architecture & Ownership
- Design and maintain the SIEM architecture, including data ingestion pipelines, parsers, normalization schemas, storage tiers, and retention strategies.
- Evaluate and implement SIEM platform features and integrations; drive upgrades and migrations as needed.
- Onboard logs from diverse sources (EDR, firewalls, IDS/IPS, IAM, AD, DNS, proxies, email security, cloud platforms like AWS/Azure/GCP, SaaS apps, containers/Kubernetes, DBs, identity providers).
- Implement data quality monitoring and SLA‑driven dashboards for ingestion health, parser accuracy, and data latency.
- Optimize SIEM performance: indexing, search speed, hot/warm/cold storage, retention, and cost control.
- Implement role‑based access control, multitenancy (if applicable), and data governance.
- Ensure high availability and disaster recovery; document and test failover procedures.
- Define KPIs/KRIs (e.g., MTTD, alert quality, data freshness, coverage, false positive rate).
- Lead purple‑team exercises and detection gap assessments; drive remediation.
- Provide runbooks, knowledge base articles, and training to SOC and IT teams.
- Align SIEM data handling with regulatory and contractual requirements (e.g., SOC 2, ISO 27001, PCI‑DSS, HIPAA, GDPR).
- Implement data minimization, masking, and retention policies; support audits and eDiscovery.
- Partner with IT/Cloud/Data teams to implement logging at source and ensure secure, reliable transport.
- Mentor junior engineers and analysts; perform code reviews and content validation.
- Contribute to security architecture reviews for new systems and applications.
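The data onboarding, normalization and ingestion-health items above, as an added Python example that is not part of the job posting: three constructed log formats (a firewall key=value line, an EDR JSON event, and an AD logon record) are normalized into one common schema, and each source is then scored against two assumed SLAs, parse failure rate and p95 ingestion lag. The field names are ECS-like but chosen here, the SLA thresholds and the fixed clock are assumptions, and the sample lines are constructed, not real telemetry.

```python
# Added example, not from the posting: normalize constructed log lines from
# three sources into one schema and score each source against ingestion SLAs.
# Field names are ECS-like but chosen here; the SLA thresholds are assumed.
import json
import math
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input as (source, raw_line); not real telemetry.
SAMPLE_LINES = [
    ("fw", "2026-03-03T10:00:05Z fw01 action=deny src=10.1.2.3 dst=203.0.113.9 dpt=445 proto=tcp"),
    ("fw", "2026-03-03T10:00:07Z fw01 action=allow src=10.1.2.4 dst=198.51.100.7 dpt=443 proto=tcp"),
    ("fw", "garbage line that no parser should accept"),
    ("edr", '{"ts": "2026-03-03T10:00:02Z", "host": "wks-17", "user": "alice", "event": "process_start", "image": "cmd.exe"}'),
    ("edr", '{"ts": "2026-03-03T09:50:00Z", "host": "wks-22", "user": "bob", "event": "process_start", "image": "powershell.exe"}'),
    ("ad", "2026-03-03T10:00:09Z dc01 EventID=4625 TargetUserName=alice IpAddress=10.1.2.3 Status=0xC000006D"),
    ("ad", "2026-03-03T10:00:10Z dc01 EventID=4624 TargetUserName=alice IpAddress=10.1.2.3"),
]
NOW = datetime(2026, 3, 3, 10, 5, 0, tzinfo=timezone.utc)  # fixed clock so lags are reproducible
SLA = {"max_parse_failure_rate": 0.05, "max_p95_lag_seconds": 300}  # assumed thresholds

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
AD_ACTIONS = {"4624": "logon_success", "4625": "logon_failure"}

def parse_ts(value):
    """ISO-8601 UTC timestamp -> aware datetime; ValueError on anything else."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_kv_line(raw):
    """'<ts> <host> k=v k=v ...' -> (ts, host, fields), or None if unparseable."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    try:
        ts = parse_ts(m.group("ts"))
    except ValueError:
        return None
    return ts, m.group("host"), dict(KV_RE.findall(m.group("rest")))

def normalize_fw(raw):
    parsed = parse_kv_line(raw)
    if parsed is None or "action" not in parsed[2]:
        return None
    ts, host, f = parsed
    return {"@timestamp": ts, "observer": host, "category": "network", "action": f["action"],
            "source_ip": f.get("src"), "destination_ip": f.get("dst"), "destination_port": f.get("dpt")}

def normalize_edr(raw):
    try:
        d = json.loads(raw)
        ts = parse_ts(d["ts"])
    except (json.JSONDecodeError, KeyError, TypeError, ValueError):
        return None
    return {"@timestamp": ts, "observer": d.get("host"), "category": "process",
            "action": d.get("event"), "user_name": d.get("user"), "process_name": d.get("image")}

def normalize_ad(raw):
    parsed = parse_kv_line(raw)
    if parsed is None or "EventID" not in parsed[2]:
        return None
    ts, host, f = parsed
    return {"@timestamp": ts, "observer": host, "category": "authentication",
            "action": AD_ACTIONS.get(f["EventID"], "event_" + f["EventID"]),
            "user_name": f.get("TargetUserName"), "source_ip": f.get("IpAddress")}

NORMALIZERS = {"fw": normalize_fw, "edr": normalize_edr, "ad": normalize_ad}

def percentile(values, p):
    """Nearest-rank percentile; None for an empty list."""
    if not values:
        return None
    ordered = sorted(values)
    return ordered[max(0, math.ceil(p / 100 * len(ordered)) - 1)]

def ingestion_health(lines, now=NOW, sla=SLA):
    """Normalize every line; return (events, report) where report scores each
    source on parse failure rate and p95 ingestion lag against the SLA."""
    stats = defaultdict(lambda: {"received": 0, "parsed": 0, "lags": []})
    events = []
    for source, raw in lines:
        s = stats[source]
        s["received"] += 1
        event = NORMALIZERS.get(source, lambda _raw: None)(raw)
        if event is None:
            continue  # unknown source or failed parse: counted against the source
        s["parsed"] += 1
        s["lags"].append((now - event["@timestamp"]).total_seconds())
        events.append(dict(event, source=source))
    report = {}
    for source, s in stats.items():
        failure_rate = 1 - s["parsed"] / s["received"]
        p95 = percentile(s["lags"], 95)
        breaches = []
        if failure_rate > sla["max_parse_failure_rate"]:
            breaches.append("parse_failure_rate")
        if p95 is not None and p95 > sla["max_p95_lag_seconds"]:
            breaches.append("ingestion_lag")
        report[source] = {"received": s["received"], "parsed": s["parsed"],
                          "parse_failure_rate": round(failure_rate, 3),
                          "p95_lag_seconds": p95, "breaches": breaches}
    return events, report
```

On the constructed input the firewall source breaches the parse-failure SLA (one unparseable line in three) and the EDR source breaches the lag SLA because one host's event is fifteen minutes old at ingestion, which is the kind of clock skew or forwarder backlog an ingestion dashboard should surface before it silently delays detections. In a real pipeline the same per-source counters would be emitted as metrics and the breach list would drive the SLA dashboard and alerting.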
Minimum Qualifications
- 7+ years of relevant experience
- Bachelor's degree or equivalent
- Highly preferred: 5+ years of experience in SIEM engineering or closely related security engineering roles.
- Highly preferred: Proven expertise with at least one enterprise SIEM platform end-to-end (e.g., Splunk, Microsoft Sentinel, QRadar, Elastic Security, Exabeam, Sumo Logic, LogRhythm, Chronicle), preferably Splunk and Cribl.
- Strong proficiency in:
- Data parsing and normalization (e.g., regex, grok, KQL, SPL, AQL, Lucene).
- Scripting/automation (e.g., Python, PowerShell, REST APIs; Terraform/Ansible preferred).
- Log source onboarding from Windows/Linux, AD, network devices, cloud services, EDR, and SaaS.
- Experience with cloud logging and security services (e.g., AWS CloudTrail/CloudWatch/GuardDuty, Azure Defender/M365, GCP Audit Logs).
- Experience with Agile methodologies and collaborative work environments.
- Familiarity with identity and access management, network security, endpoint…