Umair Zafar - Cybersecurity Engineer
Email: [email protected]
Location: Woodbridge, New Jersey, USA
Relocation:
Visa: H1B
Resume file: Umair Zafar Resume_1759245337921.docx

Skills Summary
Experienced Cybersecurity Engineer with over 13 years of expertise in M&A integrations, security architecture, and incident response. Skilled in leading security transitions during mergers, acquisitions, and divestitures, with deep knowledge of the Microsoft Defender suite (Cloud, Office, Endpoint, Identity), Azure security solutions, and risk mitigation strategies. Proven ability to design and implement secure end-state architectures, conduct risk assessments, and collaborate with CISO, CTO, and M&A leadership to align cybersecurity initiatives with business goals. Adept at developing security playbooks, optimizing SOC operations, and deploying advanced detection and response capabilities across complex environments.

Career Highlights
- Led security integrations and separations for multiple M&A projects, deploying and configuring the Microsoft Defender suite, Azure Front Door, and Tenable to ensure secure transitions and regulatory compliance.
- Partnered with senior leadership during acquisitions to assess risks, design secure architectures, and deliver comprehensive security plans for platform migrations and divestitures.
- Developed and standardized M&A security playbooks and workflows, reducing integration timelines by 40% and improving cross-team coordination.
- Directed large-scale SOC operations for a 50,000-user healthcare client, transforming a 9-to-5 in-house SOC into a 24/7 MSSP, significantly improving threat detection and response.
- Built internal incident response and forensic capabilities from the ground up, enabling rapid response to advanced threats and reducing external DFIR dependency by 60%.
- Increased EPS capacity 5x (25,000 to 130,000) while maintaining high alert quality and optimizing analyst workload through automation, dashboards, and custom scripts.
- Led investigations of APT-level intrusions and critical cyber incidents, ensuring containment, remediation, and compliance alignment across both IT and OT environments.
- Designed cloud security controls to bring previously untracked assets under governance and improve overall security posture.
- Authored and published cybersecurity training and learning content with over 80,000 learners, covering topics such as incident response, malware analysis, and forensics.

Experience

Dell Technologies (April 2024 - Present)
Security Engineer / SOC & IR Project Lead, M&A Integrations
- Leading security integration efforts for multiple M&A activities, supporting both platform consolidations and company separations for a healthcare client with ~50,000 users.
- Driving deployment and configuration of the Microsoft Defender suite (Defender for Endpoint, Cloud, Identity, and Office) and other tools such as Forescout, Trend Micro, and Tenable to secure new acquisitions and divested environments.
- Collaborating with CISO, CTO, and M&A leaders to perform risk assessments, define secure end-state architectures, and ensure smooth security transitions during mergers and separations.
- Built and standardized M&A security playbooks and workflows to streamline future integration activities, reducing onboarding time by 40%.
- Oversaw a 40-member global SOC team managing real-time threat monitoring, incident response, detection engineering, and threat hunting, leveraging IBM QRadar, CrowdStrike Falcon, and Microsoft Defender XDR.
- Enhanced detection engineering by integrating Microsoft Entra ID, Azure AppInsights, Microsoft Event Hub, and custom log parsers, enabling advanced monitoring for both on-prem and cloud systems.
- Improved incident triage and response automation by integrating SOAR platforms like IBM Resilient and PhishER with custom Python and PowerShell scripts, reducing mean time to respond (MTTR) by 35%.
- Led containment and forensic investigations for critical incidents related to newly integrated environments, ensuring rapid remediation and compliance alignment.
- Established key performance indicators (KPIs) and reporting mechanisms to track the security posture and integration progress during M&A activities.

SABIC (via Saudi Business Machines) (April 2023 - March 2024)
Consultant, DFIR
- Directed a team of six senior DFIR consultants to support security operations during company divestitures and infrastructure separations, ensuring business continuity and minimal disruption.
- Worked closely with executive leadership to assess risks, design security architecture, and implement controls aligned with M&A timelines and compliance requirements.
- Led the deployment of Microsoft Defender for Endpoint and Identity, Azure security solutions, and Tenable across newly separated environments to meet security and regulatory standards.
- Developed and maintained standardized DFIR and M&A playbooks using Cortex XSOAR, significantly improving consistency and reducing response time by 3x.
- Built a comprehensive internal forensic and incident response capability, deploying tools like Velociraptor, Plaso, KAPE, and AWS OpenSearch, reducing reliance on external IR vendors by 60%.
- Conducted full-spectrum incident investigations, including disk and memory forensics, to identify root causes of breaches and deliver actionable remediation plans.
- Coordinated closely with SOC and threat intelligence teams to ensure seamless handoffs during security events and to map threats to the MITRE ATT&CK framework for improved detection coverage.
- Delivered training and knowledge transfer to internal teams to strengthen forensic readiness and empower staff to handle future M&A-related incidents independently.

Telenor (December 2021 - March 2023)
Manager, SOC
- Directed end-to-end security operations for Telenor's mobile and digital ecosystem, protecting over 50 million mobile subscribers, 20 million digital service users, and 1,000+ internal users, while leading a 15-member SOC team.
- Managed 24/7 SOC operations using tools such as Splunk, Microsoft Defender for Endpoint, Cisco FTD, F5 WAF, Cisco StealthWatch NDR, and Prisma Cloud (Cloud Security Posture Management), ensuring continuous threat monitoring, incident response, and threat intelligence analysis.
- Identified and onboarded previously unmonitored shadow IT assets (5% of total cloud infrastructure) into the security stack using Cloud Security Posture Management (CSPM) tools like Prisma Cloud and AWS Security Hub, enhancing visibility and control.
- Conducted third-party risk assessments leveraging NIST 800-53, ISO 27001, and SIG questionnaires, identifying high-risk vendors and implementing mitigation plans; collaborated with procurement and legal teams to enforce security clauses in vendor contracts.
- Led internal security audits and readiness assessments using GRC platforms (Archer), preparing systems and processes for upcoming external audits and regulatory inspections.
- Participated in the Architecture Review Board (ARB) to ensure secure-by-design principles in all IT initiatives, offering guidance aligned with Zero Trust Architecture, OWASP, and CIS Benchmarks.
- Facilitated cross-functional collaboration between SOC, cloud, infrastructure, and DevOps teams to align detection rules, response workflows, and architecture controls.

Ebryx (Jan 2018 - Dec 2021)
Principal Security Engineer / Project Lead
- Delivered comprehensive Digital Forensics & Incident Response (DFIR) services to clients across finance, telecom, and critical infrastructure sectors; utilized tools like Velociraptor, FTK, KAPE, Volatility, and Plaso for in-depth investigations and forensic analysis.
- Led and supported investigations of advanced cyber threats including malware outbreaks, ransomware attacks, insider threats, and unauthorized access incidents; mapped adversary behavior using the MITRE ATT&CK framework.
- Conducted testing, evaluation, and benchmarking of EDR and security products such as CrowdStrike, Carbon Black, FireEye HX, and Microsoft Defender, providing actionable feedback for product feature enhancements and false positive reduction.
- Automated recurring security tasks using Python, Bash, and PowerShell, streamlining log analysis, case documentation, and threat feed ingestion into internal platforms; significantly reduced analyst workload and improved turnaround time.
- Researched emerging threat actor TTPs, zero-days, and APT campaigns using platforms like VirusTotal Intelligence, MISP, Shodan, and ThreatMiner; incorporated findings into internal threat intel platforms and detection pipelines.
- Collaborated with detection engineering teams to convert threat research into usable detection logic (e.g., YARA, Sigma, Snort rules), strengthening in-house detection coverage and real-time alerting.
- Mentored junior analysts and engineers in IR playbooks, forensic methodologies, and scripting best practices, helping build internal capability across the security operations and R&D teams.

FireEye Inc. (via Ebryx) (July 2012 - Dec 2017)
Security Researcher / Team Lead
- Led detection engineering efforts for FireEye's core sandbox-based detection platform (MVX engine), ensuring high-fidelity coverage against evolving malware threats, including APT campaigns, zero-day exploits, and evasive malware.
- Conducted extensive research into sandbox evasion and anti-analysis techniques used by advanced malware strains; developed robust detection logic using YARA, custom heuristics, and static/dynamic analysis methods; improved malicious document and script detection by 35%.
- Performed large-scale malware dataset analysis using tools like IDA Pro, Cuckoo Sandbox, Ghidra, PEStudio, and Python-based automation, identifying common behavioral patterns and reverse-engineering complex evasion strategies.
- Improved detection effectiveness by profiling malware families (e.g., Dridex, Emotet, PlugX, APT28) and integrating TTPs into detection modules mapped to the MITRE ATT&CK matrix.
- Diagnosed performance bottlenecks in the MVX engine, suggesting architectural and rule optimization changes that increased overall processing throughput by 15%, reducing latency in real-time detection environments.
- Identified an emerging social engineering campaign involving cryptojacking malware before its public launch; documented the TTPs, IOCs, and attribution indicators in a detailed threat research blog, contributing to the proactive protection of enterprise customers.
- Mentored junior researchers and collaborated with cross-functional engineering teams to translate threat intelligence into production-grade detection features.

Certifications
- Certified Information Systems Security Professional (CISSP), ISC2, 2025
- GIAC Enterprise Incident Responder (GEIR), GIAC, In Progress (Exam Scheduled)

Community Contributions
- Contributed to a threat research blog for FireEye, identifying a coin-miner campaign entitled "Resurrection of the Evil Miner".
- Recently, I have been developing training content on TryHackMe for various subjects. Some of these trainings have enrolled more than 80,000 people. A selection of these is listed below, although a more exhaustive list can be found on my LinkedIn profile:
  - Windows Forensics 1 and 2
  - Linux Forensics
  - macOS Forensics Basics and Artefacts
  - Static and Dynamic Malware Analysis
- Developed the curriculum for the Security Analyst Level 1 (SAL1) certification for TryHackMe.
- Founded a grassroots tech skills initiative for underserved youth in Pakistan, helping 26 students (including 13 females) gain employable skills in video editing and UI/UX design, with zero prior experience.

Education
B.E. Electrical Engineering / 2008-2012