Work Experience
FactSet
Associate Director, Cyber Command Center (CCC)
Jan 2024 - Present
- Responsible for leading a team of engineers handling security event and incident investigations, threat detection, threat intelligence, threat hunting, internal penetration testing, and vulnerability management.
- Successfully introduced and implemented playbooks for handling all threat events, enhancing incident response capabilities.
- Conducted internal tabletop scenarios to evaluate team knowledge, identify gaps, and improve FactSet's security monitoring posture.
- Championed the prioritization of log source ingestion using the MITRE ATT&CK framework, improving threat detection coverage.
- Implemented an internal audit framework to improve consistency of security event and incident handling, identify opportunities for improvement in response playbooks, and ensure quality analysis and documentation.
- Implemented Jira for tracking and organization of tasks and accomplishments, improving team awareness and reducing the time required to collect metrics and KPIs, which are presented to the CISO and Information Security Risk Committee.
- Responsible for the team budget, overseeing allocations for tools, headcount, professional services, and training. This includes strategic planning, cost optimization, and negotiation, ensuring effective utilization of resources to support the team's objectives.
- Maintained ownership of SIC-related documentation and policies, working with GRC to update relevant global policy documentation.
Interim Head of Vulnerability Management
Jun 2024 - Present
- Implemented a phased approach to overhauling vulnerability management and the vulnerability risk exception process, encouraging a risk-based approach and instituting risk assessments that evaluate risk based on host exposure, access to sensitive resources, and other relevant factors.
- Proposed Director-level risk sign-off instead of system-owner sign-off, reducing the number of stakeholders involved in vulnerability management, streamlining processes, and strengthening FactSet's position during external audits and regulatory reviews through improved documentation and mitigation strategies.
Flatiron Health
Security Engineering, Director - Security Operations and Intelligence
Oct 2019 - Oct 2023
- Built and managed the Security Intelligence team at Flatiron, which comprises Threat Intelligence, Threat Hunting, and Detections Development.
- Created reporting pipelines with relevant stakeholders for Security Intelligence’s functions, tailored for both operational and strategy-focused audiences.
- Collaborated with other Security Directors to operate within the Security budget, perform build vs. buy cost-benefit analysis, and remove working silos to increase cross-team efficiency.
- Reduced Splunk storage costs by 30%, while doubling searchable retention for Security-relevant logs by utilizing summary indexes.
- Responsible for evaluating risks and gaps identified through Threat Hunting and the Threat Intelligence lifecycle, and identifying solutions such as new tooling, infrastructure changes, new detections, and policy changes.
- Developed the Risk Management program to evaluate security risks and enable risk owners throughout the organization to strategically prioritize based on the risk landscape.
- Reduced analyst workload by over 50% through automation of phishing response.
Staff Security Engineer, Manager - Incident Detection and Response
- Developed the Incident Detection and Response team roadmap, which includes use case prioritization, SOAR integrations, SIEM log source prioritization, quarterly objective planning, metrics collection and reporting, and cross-functional project planning.
- Developed Incident Detection and Response requirements for international business expansion. This includes documentation of the security tooling stack, logging requirements, collaboration with the Legal team to ensure GDPR compliance, and security hiring market evaluation.
- Built a new Threat Intelligence team. This includes building Threat Intelligence pipelines for ingestion and dissemination of intelligence, building business cases to budget for the competencies and resources, developing reporting templates, and engaging stakeholders through reports and tabletop scenarios.
- Procured, onboarded, and managed an overseas MSSP, which is responsible for L1 triage of security incidents. Created a ticket audit workflow to ensure consistency across both the analysts and the playbooks we provided. Used metrics to prioritize alert tuning and inform use case prioritization.
- Led and coordinated incidents by acting as primary investigator, delegating key tasks, and collaborating with and advising key stakeholders such as Legal, Privacy, Compliance, IT, and Executive Leadership.
- Evaluated current tooling and vendor relationships and highlighted areas for improvement, including potential replacement opportunities. Evaluated new vendors based on identified gaps.
- Used Splunk Enterprise Security to build 90% of the organization's Security alerts with mappings to the MITRE ATT&CK matrix. Ensured CIM compliance for all security log sources, and built data models for more efficient searching and alerting.
- Continued hands-on technical work, such as building correlation searches, acting as lead investigator during critical incidents, and assisting engineering teams with log and performance analysis via the Splunk logging tool.
TJX Companies
Security Analyst - Content Engineer
Aug 2018 - Sep 2019
- Responsible for building the TJX security content program, including creation of a use case library leveraging the MITRE ATT&CK matrix and the VERIS framework, as well as processes for creation, tuning, and knowledge transfer of new alerts to the SOC.
- Performed threat-intelligence-driven and anomaly-based threat hunts, leveraging findings to develop and tune real-time monitoring alerts in Splunk Enterprise Security.
- Worked with cross-functional teams across the organization, including networking, digital, and cloud, to determine and implement their monitoring needs.
- Created a custom integration between Splunk ES and Request Tracker so incident context is maintained and shared across multiple ticketing platforms and teams.
- Worked with the Security Monitoring lead to create runbooks for alert handling and perform knowledge transfers to the MSSP and level 2 SOC analysts.
- Acted as a Subject Matter Expert in the evaluation of new security tools used to aid Security Monitoring.
- Advised on security tooling policies (e.g., DLP, IDS) and collaborated with engineering teams on the security requirements of new technologies.
- Acted as incident coordinator and lead investigator during critical incidents.
Senior Security Analyst
Jun 2017 - Jul 2018
- Introduced threat intelligence to the organization, demonstrating its use on Tactical, Operational, and Strategic levels.
- Improved the incident response process by integrating threat intelligence and creating a feedback cycle between IR and intelligence processes.
- Performed gap analysis on operational capabilities through threat hunting, feeding into strategic intelligence reporting.
- Responded to major incidents, assisted T1 and T2 analysts, and mentored them in incident response techniques and procedures.
- Automated detection and alerting via rules in QRadar, Splunk, Cybereason, and other tools.
- Evaluated and prioritized various IT security tools, such as threat intelligence platforms and anomaly detection tools.
Verizon (Consultant to State Street Bank)
Senior Security Consultant
May 2015 - Jun 2017
- Created and ran the bank's internal threat intelligence program, introducing the threat intelligence life cycle.
- Implemented threat models such as the Diamond Model, turning threat data into actionable intelligence for operations and the business.
- Created a feedback loop between threat intelligence and incident response teams.
- Performed malware/forensic analysis, data loss analysis, root cause analysis, and incident remediation.
- Assisted with MSSP integration, SIEM rule creation, and content creation in tools like NetWitness, ArcSight, and Tanium.
- Advised on security posture based on observed threats and identified organizational risks.
Dell SecureWorks
Information Security Analyst
Jun 2013 - May 2015
- Analyzed IDS/IPS events, firewall logs, NetFlow, and packet captures to determine threats and identify threat actors.
- Advised clients on the best course of action regarding these threats.
- Worked with Fortune 500, financial, healthcare, and public sector institutions.
- Managed IDS signatures, IP tables, and device tuning for various platforms.
- Advised clients on their security posture, provided updates on the latest threats, and answered general security-related questions.