
Manager Security

Fort Washington, Maryland, United States
May 19, 2017


Markus Shelton

***** Ridge Brook Court Fort Washington, MD 20744

• Cell 202-***-**** •


Markus has over twenty years of experience in the design, deployment, testing, and operations of large-scale integrated cyber security and enterprise management systems. Mr. Shelton has a diverse background that includes data center security operations, leadership, security architecture, and operations of global IT, security, compliance, and risk management solutions. Markus has served as Security Lead, Security Tower Lead, Security Intelligence Analyst, Information Systems Security Officer (ISSO), Technical Team Lead, and Subject Matter Expert for service providers and consulting firms’ cyber security projects. Markus has experience working with HP ArcSight, IBM Q Radar, Tripwire, Nessus Tenable, Tenable Security Center and PVS, Solarwinds NCM, McAfee ePolicy Orchestrator, McAfee Sidewinder Firewalls, VM Ware ESXi, and Net IQ Security Manager. Presently, Mr. Shelton serves as an independent security consultant at the Defense Information Systems Agency (DISA) as an ArcSight Design and Operations engineer.


To obtain a position in the area of cyber security that will afford me the opportunity to introduce creative energy and fully utilize my relevant education, training, certifications, and experience.


University of Maryland at College Park--B.S. Electrical Engineering, Data Communications, May 1997 College Park, MD

Loyola University Maryland--MBA, Management Information Systems, May 2002 Baltimore, MD

The Johns Hopkins University--M.S. Computer Science, Networking and Telecommunications, December 2005 Baltimore, MD

Walden University--Ph.D. Applied Management and Decision Science, August 2013 Minneapolis, MN


ArcSight ArcSight Certified Security Analyst (ACSA), April 2009

ArcSight ArcSight Certified Integrator/Administrator (ACIA), December 2008

CompTIA Security+ CompTIA, November 2011 (Active)

(ISC)2 Certified Information Systems Security Professional (CISSP), April 2012 (Active)

McAfee/Secure Computing Sidewinder Firewall System Administration, June 2008

McAfee/Secure Computing Sidewinder Firewall Advanced Administration, June 2008

Villanova University Applied Project Management, July 2002


Department of Homeland Security Clearance--Eligibility of Determination (EOD) 2012

Department of Defense (DoD) Top Secret Security Clearance 2013 (Active)

Treasury Department Minimum Background Investigation (MBI) 2002


October 2016- Present Defense Information Systems Agency (DISA) Ft. Meade, MD

Sr. HP ArcSight Design and Operations SME

Responsible for designing, improving, and maintaining the hardware and software baseline of ArcSight ESM systems on HP DL 580 G9 servers with four Sandisk Fusion IO cards running Red Hat 6.8 and ArcSight ESM 6.9.1c Patch 2.

Led an ArcSight ESM upgrade from version 6.5.1 P2 to version 6.9.1 P2.

Responsible for providing Tier 3 support of 7 ArcSight ESM servers.

Developed and executed test plans to perform functionality and stress testing on an ArcSight 6.9.1 Patch 2 system.

Created Installation Guides, Upgrade Guides, and Standard Operating Procedure (SOP) documentation.

Utilized Linux shell scripts, Python, and a Red Hat Kickstart DVD to automate the installation of ArcSight ESM version 6.9.1c Patch 2.

Executed SCAP and Tenable Security Center security scans to identify vulnerabilities. Applied STIG fixes, updated Red Hat packages, and applied patches to remediate vulnerabilities.

September 2015– October 2016 Raytheon Abu Dhabi, UAE

Sr. HP ArcSight Security Architect

Responsible for the design, operations, and maintenance of an ArcSight system including ArcSight ESM 6.8c and Command Center, ArcSight Logger Appliances version 6.1, ArcSight Connector Appliances, SmartConnectors, and FlexConnectors.

Performed content development of ArcSight ESM 6.8c resources, including but not limited to, reports, templates, query viewers, queries, filters, trends, active channels, field sets, rules, active lists, session lists, dashboards, data monitors, local variables, and users.

Responsible for deploying an ArcSight asset model. Utilized Network Model Wizard to import assets, asset ranges, and zones.

Developed an ArcSight test environment to mirror the operational environment.

Defended proposed changes at the Discrepancy Review Board (DRB) and the Change Control Board (CCB).

Proposed new changes to the Engineering Review Board (ERB).

Developed ArcSight Design Document and ArcSight Sysconfigs describing how all ArcSight systems were built.

Developed backup solution for ArcSight System utilizing EMC Avamar. Developed a Work Instruction (WI) describing how to implement this backup solution.

Performed ArcSight daily health checks and developed daily health check reports.

Trained NOC/SOC staff on ArcSight architecture, creating data monitors, dashboards, active channels, filters, user administration and performing daily health checks.

Integrated Tenable Security Center, Sourcefire IDSs, Tripwire, McAfee ePO, Symantec Endpoint Protection, Microsoft WUCs, EMC VNXe, and Syslog Daemon SmartConnectors with ArcSight.

Integrated Big IP F5 load balancer with ArcSight to increase the event volume the syslog connector could support.

Utilized filtering and aggregation on SmartConnectors to reduce event volume received by the ArcSight ESM server.

December 2014– September 2015 Deloitte Philadelphia, PA

Sr. HP ArcSight Security Architect

Responsible for the content development of ArcSight ESM 6.8c resources, including but not limited to, reports, templates, query viewers, queries, filters, trends, active channels, field sets, rules, active lists, session lists, dashboards, data monitors, local variables, and users.

Responsible for installing, configuring, and troubleshooting performance issues on ArcSight ESM 6.8c servers.

Responsible for migrating content from ArcSight ESM 5.2 servers to ArcSight ESM 6.8c servers.

Responsible for deploying an ArcSight asset model. Utilized Network Model Wizard to import assets, asset ranges, and zones.

Utilized content management feature in ArcSight Command Center to synchronize packages by pushing them from an ESM publisher to ESM peers activated as subscribers.

Installed and configured HP ArcSight Management Center (Arc MC) to provide centralized management for Connector Appliances, Loggers, software connectors, and other ArcSight Management Centers.

Integrated threat intelligence feeds with ArcSight to provide contextual relevance for security events.

February 2015 – March 2015 IBM/Walgreens Chicago, IL

Security Intelligence Analyst/Managed Security Services Tower Lead

Responsible for analyzing threats in the general threat landscape and specific threats targeting the client’s environment.

Responsible for monitoring and researching information security threats and identifying indicators of compromise (IOCs).

Responsible for assessing the client’s security data from Intrusion Detection System (IDS)/Intrusion Protection System (IPS), OS logs, firewall logs, anti-virus logs, and IBM Q Radar Security Incident and Event Management (SIEM).

Analyzed security data for repeating trends, attacks, malicious Internet Protocols (IP), and anomaly type events.

Conducted scan reviews and provided recommendations to the client with regard to SIEM rules, policy tuning, blocking recommendations, incident handling, and vulnerability remediation.

Provided trend reporting to client on a weekly basis.

August 2013– December 2014 Accenture/Ohio Administrative Knowledge System (OAKS) Columbus, OH

Managed Services Security Lead

Refined the overall security architecture and processes to improve the organization’s overall security posture for the Ohio Administrative Knowledge System (OAKS) PeopleSoft ERP system which provides Financial Management, Human Capital Management, and Enterprise Learning Management.

Served as lead technical security expert in a client-facing role responsible for refining and maintaining security architecture and defining the security processes, policies, frameworks, and standards.

Assessed security threats and implemented security controls. Tracked, coordinated, prioritized, and reported on all security related tasks to ensure defense in depth. Directed Application, Infrastructure, and SOC organizations.

Reviewed firewall rule sets, IDS and web proxy configurations, ArcSight reports, and access control lists for accuracy.

Created and presented weekly Security Operations and Operational Leadership briefings to the Client’s senior level executives. Explained complex security topics in a very simple business-oriented language that both subject matter experts and senior level leadership could easily understand.

Developed and tested disaster recovery and business continuity plans.

Coordinated all vulnerability remediation and patching efforts; Served as primary point of contact for security audits.

Performed forensic security investigations using ArcSight Logger Appliance and Imperva SecureSphere.

Formatted and analyzed Nessus Tenable credentialed scans; Utilized Tenable Security Center to report on vulnerabilities.

Led ArcSight ESM 6.0 internal working sessions to prioritize and track the status of use case development.

Utilized BMC ADDM and Tenable PVS to monitor automated asset inventory discovery.

Utilized Solarwinds Network Configuration Manager (NCM) to compare firewall, router, and switch configurations against the standard secure configurations defined for each type of network device in the organization.

Led Infrastructure, Application, and SOC organizations to ensure that the SANS 20 Critical Security Controls were effectively implemented.

January 2012 – August 2013 CSC/Transportation Security Administration (TSA) Pentagon City, VA

Cyber Security Lead Architect/ArcSight Design Engineer

Installed, configured and provided Tier 3 operational support for HP ArcSight, Cisco NIDS, Sourcefire IPS, IBM Site Protector IPS, Checkpoint and ASA firewalls, McAfee Web Gateway, Microsoft Forefront web gateway, Big IP F5 load balancers, Cisco TACACS, and Symantec Endpoint Protection (SEP) Manager.

Provided Tier 3 operations and support, architectural oversight, and leadership in the planning and designing of an ArcSight SIEM system, including ArcSight ESM, ArcSight Logger Appliances, ArcSight Connector Appliances, ArcSight SmartConnectors, and ArcSight FlexConnectors.

Integrated Cisco ASA NIDs, IBM Site Protector and Sourcefire IDSs, Microsoft ISA and McAfee Web Gateway web proxies, Symantec Endpoint Protection (SEP) Manager, Net IQ Security Manager, and Linux and Windows OS logs with ArcSight.

Optimized security event data flow using aggregations and filters, map and categorization files, and Big IP F5 load balancers.

Modified Logger architecture, including peering Loggers and Connector and Logger Appliance filters, to prevent caching.

Logger and Connector Appliance system administration, license updates, storage configuration, SSL certificates, and user/group administration.

Installed, configured, and upgraded Connector Appliances, Logger Appliances, SmartConnectors, and FlexConnectors.

Upgraded code on ArcSight Logger Appliances to version 5.3 Patch 1 and on ArcSight Connector Appliances to version 6.4.

Added/modified ArcSight forwarding filters using regular expressions (regex) and unified expressions to ensure all security events were delivered from Logger Appliances to ESM.

Developed filters, rules, and customized reports for ArcSight Logger Appliances.

Conducted daily checks of all ArcSight components to identify potential problems or outages.

Utilized ArcSight dashboard to monitor hourly, daily, and weekly CPU utilization and EPS for all receivers and forwarders.

Troubleshot Cisco VPN SmartConnector parsing, IBM Site Protector IDS SmartConnector hanging, Logger caching, and Connector and Logger Appliance web-enabled management GUI issues.

Developed Concept of Operations (CONOP) document and Standard Operating Procedures (SOPs).

Evaluated Splunk Enterprise SIEM to determine its feasibility for implementation.

Initiated Request for Changes (RFCs); Defended the proposed solutions’ impact to the TSA Configuration Control Board.

December 2011 – February 2012 Deloitte/US Army (ALTESS) Radford, VA

ArcSight Architect

Provided Tier 3 operational support and day-to-day administration of an ArcSight SIEM system, including ArcSight ESM and SmartConnectors.

Performed daily health checks of all ArcSight components to ensure proper throughput, CPU utilization, free database space, and free archived partition space.

Monitored alerts and notifications.

Troubleshot connector parsing and caching issues.

Responsible for installation, upgrading, maintenance, and troubleshooting of SmartConnectors.

Maintained a whitelist of all authorized ArcSight users.

Performed content development for use cases (business logic defining correlation, prioritization, and categorization of data from sensors) using filters, rules, queries, dashboards, active lists, session lists, data monitors, trends, and reports.

Applied the latest AUP categorization file to the ESM Manager.

Led weekly calls with all ArcSight stakeholders to set priorities and to communicate the latest status on projects and issues.

September 2003 – December 2011 Lockheed Martin/Missile Defense Agency (MDA) Crystal City, VA

Senior Network Security Design Engineer

Performed architecture, design, configuration, and Tier 3 and above operational support of ArcSight Enterprise Security Manager (ESM) 5.0, including the Manager, Database, Web, and Console components.

Configuration and deployment of ArcSight Connector Appliance and Logger Appliance v5.

Installed and configured ArcSight SmartConnectors on IBM Real Secure/Proventia IDS and Red Hat 5 Linux Syslog Servers.

Developed ArcSight filters and rules to perform weekly monitoring of important security events.

Led the upgrade of all ArcSight components from version 4.0 to version 5.0 throughout the MDA worldwide network.

Maintenance of the ArcSight ESM 11G Oracle database.

Performed analysis of new technologies to provide cost-effective security solutions that met design requirements.

Designed and documented Tripwire Manager and Tripwire for Servers (TFS) solution. Developed schedule, policy, and configuration files for Linux and Windows servers.

Designed McAfee ePolicy Orchestrator (ePO) and Tripwire Enterprise solution running in a VMWare ESXi/Blade Server environment.

Developed Syslog Server solution using syslog-ng application running on Linux Red Hat 5 Enterprise Server in virtualized VMWare ESXi Server environment.

Served as Information Systems Security Officer (ISSO); Helped organization obtain a high commendable DSS security rating. Created Master System Security Plan (MSSP), Network Security Plan (NSP), and Information System Profile (ISP). Developed a Hardware and Software Security Baseline and issued User Brief forms to all users. Cultivated an office-wide culture of security awareness.

Applied IA Fixes and Patches to Linux Red Hat and Windows servers; Deployed security template and latest virus definition files to lab servers; Utilized Acronis to image Windows and Linux servers.

Configured KG-175 Type 1 encryptors; Utilized GEM to manage KG-175 encryptors.

Performed technical evaluation of several security information and event management (SIEM) tools including HP ArcSight, RSA Envision, LogRhythm, Splunk, and IBM/Q1 Labs Q Radar to determine which tool mapped best to design requirements.

Utilized DISA Gold Disk, SAINT, and Tenable Nessus to perform server vulnerability scanning and to remediate findings.

Utilized McAfee Sidewinder firewall and IBM/ISS IDS to secure the network.

Senior Network Management Design Subject Matter Expert

Responsible for the design, documentation, installation, configuration, testing, training, and maintenance of the Missile Defense National Team’s (MDNT) operational, high-availability, mission-critical network management and performance monitoring system utilizing Ai Metrix NeuralStar, DopplerVue, HP Network Node Manager, HP Operations Manager, CA eHealth, CA Spectrum, CA SystemEDGE agents, BMC Server Monitoring and Analytics, and BMC Performance Management.

Compiled MIBs and configured trap definitions for each network device in the environment, including Cisco and Juniper routers and switches, APC Power Distribution Units and Environmental Monitoring Units, Avocent KVM switches, McAfee Sidewinder Firewalls, IBM Real Secure IDSs, Concord SystemEDGE agents, Tripwire, and Omnitron media converters.

Installed, configured, and upgraded HP Network Node Manager v9.0 and CA eHealth on a Windows 2008 Advanced Server.

Created a Design Specification Document to capture the network management design architecture and strategy.

Executed network management verification and validation testing; Created a Network Management Verification and Validation Test Report.

Network IPT Project Manager

Attended Software Control Board and Program Engineering Review Board meetings. Assigned tasks to responsible engineers in order to correct deficiencies in the network and followed up with engineers to ensure task completion. Managed the Spiral Development Cycle baseline for the Network Integrated Product Team (IPT). Ensured deliverables were submitted in a timely manner and tracked project progress. Created Capabilities and Limitation documents for each spiral development release. Tracked the software baseline for each Network server. Coordinated schedules, tasks, resources, and dependencies for network design projects. Created detailed installation procedure documents with expected results.

February 2003 – September 2003 AnviCom/Contractor to DISA (Defense Information Systems Agency) Falls Church, VA

Tivoli Technical Team Lead

Design, installation, configuration, and day-to-day operations of the Department of Defense’s DISANet enterprise management system, including Tivoli TME Framework, Enterprise Console, User Administration, Software Distribution, Distributed Monitoring, Remote Control, HP OpenView Network Node Manager (NNM), Remedy Action Request Server, and Concord eHealth.

Evaluated Net IQ AppManager and HP OpenView Operations Smart plug-In for Exchange to determine which E-mail monitoring tool mapped best to the established design requirements.

Installation and configuration of production classified HP OpenView NNM system.

Planned Network Management System (NMS) SNMP Version 3 migration.

Visited Worldwide Unclassified DISANet sites to deploy Tivoli Endpoints and provide Tivoli training to site administrators.

June 2001 – February 2003 The MITRE Corporation McLean, VA

Senior Network and Distributed Systems Engineer

Installed and configured Tivoli Framework 3.7.1, Enterprise Console 3.7.1, NetView 7.1, Distributed Monitoring 3.7, Inventory 4.0, and Software Distribution 4.1 to mirror the IRS’ Enterprise Systems Management (ESM) Modernization environment.

Architecture design, implementation, configuration, and 24x7 support for the DoD’s Joint Defense Information Infrastructure Control System Deployed (JDIICS-D) enterprise management system utilizing Microsoft Terminal Server OS, Cisco Works 2000, HP OpenView 6.1, Remedy Action Request 4.5.2, Remedy Web 4.1, HP/Agilent NetMetrix Performance Center 1.0.4, Netscape Enterprise Server 3.5.1 web server, and Microsoft SQL Server 7.0 database.

Served as Project Lead and Subject Matter Expert (SME) supporting the FAA’s National Airspace System (NAS) Infrastructure Management System (NIMS) project. Installed, configured, and maintained Tivoli Enterprise Console (TEC) 3.7.1, Framework 3.7.1, NetView 7.1.2, and Peregrine ServiceCenter 5.1. Integrated these Tivoli products with Peregrine ServiceCenter using the Peregrine SC Automate tool. Integrated SNMP Research tool with Tivoli NetView in order to make NetView SNMP v3 compliant.

January 2001 – May 2001 Business Edge Solutions/(EMC, Inc.) Edison, NJ

Senior Solutions Engineer (Consultant)

CBeyond Communications Atlanta, GA

Implemented and configured Micromuse NetCool Omnibus, Reporter, Visionary, Impact, ISM, Precision, and Firewall Probe.

Implemented and configured development, staging, and production HP OpenView NNM network management system.

Implemented and configured Infovista in order to monitor performance and report on Cisco routers, Cisco switches, Cisco IADs, Cisco Optical Cell devices, Network Appliance servers, and Sun servers.

Implemented and configured InfoVista’s VistaMart including Gateway, Repository, Notifier, and Console.

Led product demonstrations to senior level management; Created Discovery, As-Built, Design, and Administration documents.

October 2000 – January 2001 Seven Space Reston, VA

Performance Monitoring Systems, Manager

Utilized InfoVista, NetCool ISM, and MRTG to monitor performance and report on Cisco routers and switches, ArrowPoint load balancers, NetScreen firewalls, Compaq and Dell Windows 2000 servers, Sun Netra and Enterprise class Solaris servers, RedHat Linux servers, SQL Server 2000 and Oracle 8i databases, Microsoft Exchange 2000, Apache, Netscape iPlanet, Microsoft IIS web servers, BEA WebLogic web application servers, IBM WebSphere web application servers, and Veritas NetBackup.

Implemented, configured and maintained NetCool Omnibus event management system in support of NOC.

August 1998 – September 2000 USinternetworking, Inc./(AT&T) Annapolis, MD

Senior Enterprise Management Engineer, EMS Operations

Implementation, maintenance, and 24x7 on-call support for the production enterprise management system of a mission-critical ASP’s network, including Tivoli TME 10 Framework, NetView, Enterprise Console, Distributed Monitoring, User Administration, Inventory, Manager for MQ Series, Manager for Oracle, Manager for SQL Server, Software Artistry, Concord Network Health, MOS Formula, Micromuse NetCool/OMNIbus, Mercury Topaz, Lucent VitalSigns, and Siebel.

Performed an Alternative Trade-Off Analysis comparing Tivoli’s TEC to Micromuse’s NetCool OmniBus.

Enterprise Management Engineer, Research and Development

Implemented replica of UsiView, the Tivoli enterprise management system including Framework 3.6, NetView 5.1, Distributed Monitoring, Enterprise Console, Global Enterprise Manager, Software Artistry, User Administration, Inventory, Oracle event database server, and OmniBack tape back-up system in the R&D environment.

Designed, installed, and configured a system test bed that mirrored the USi Cisco Powered production network, including Cisco 7500, 4000, and 2500 series routers, Catalyst 5500 and 2900 switches, PIX and Nokia Checkpoint firewalls, Cisco LS 1010 ATM switches, etc.

June 1997 – August 1998 ARINC (Aeronautical Radio, Inc.) Annapolis, MD

Network Management Engineer, Acceptance Test

Tested IP-based network management system using HP OpenView NNM.

Performed acceptance testing on Micromuse’s NetCool Omnibus event management system to ensure system met established design requirements. Performed acceptance, stress, and regression testing on NetScout performance management tool.
