Elasticsearch Lead Engineer - SIEM Platform

Global Risk and Security (GR&S) at Vanguard enables business strategy, protects client and Vanguard interests (e.g., assets and data), and stewards a strong risk culture. Our teams leverage enterprise-wide insights, deep expertise, and trusted advice so that across Vanguard leaders and crew drive faster, stronger, risk-informed decisions.

Within GR&S, the Enterprise Security and Fraud (ES&F) sub-division is responsible for the global protection of Vanguard crew, property, data, and client assets. We are the trusted advisors that protect the pride of Vanguard with state-of-the-art security and fraud capabilities.

We are a world-class destination of highly engaged, passionate, and diverse talent expected to continuously learn and develop in an ever-changing security landscape. Our crew are our greatest resource – by joining our team you will build collaborative long-term relationships and enjoy a suite of benefits that includes comprehensive health and wellness care, work-life balance, and an investment in your future at its core.

Elasticsearch Lead Engineer - SIEM Platform: Architect and maintain high-availability Elasticsearch clusters supporting large-scale security event ingestion Define and enforce Elastic Common Schema (ECS) field mappings across all data sources, ensuring consistent normalization for detection rules and analytics Design and develop custom data ingestion pipelines using Elasticsearch Integrate with AWS services including S3, Kinesis Data Streams, Lambda, and CloudWatch for log collection Manage AWS infrastructure: EC2, S3, IAM, and Secrets Manager - using AWS CloudFormation Implement data lifecycle management - hot/warm/cold/frozen tier strategies, ILM policies, and snapshot/restore to S3-based data lakes Partner with Detection Engineering and Threat Intelligence teams to optimize index strategies, queries, and dashboards in Kibana Establish and maintain cluster security controls: TLS/mTLS, role-based access control (RBAC), audit logging, and encryption at rest Build resilient, fault-tolerant architectures: cross-cluster replication, shard allocation awareness, and disaster recovery runbooks Perform activities related platform health monitoring and upgrade / patching Troubleshoot and manage production technical issues related to Elasticsearch cloud Define and enforce SLOs for ingestion latency, query performance, and cluster availability Mentor junior engineers and establish best practices, runbooks, and architectural standards Qualifications Minimum of six years related work experience.

Undergraduate degree in a related field or the equivalent combination of training and experience. 6+ years of Elasticsearch / Elastic Stack (ELK) experience in a production security or observability environment Deep understanding of Elastic Common Schema (ECS) and experience mapping diverse log sources (Windows, Linux, network, cloud, EDR) to ECS Hands-on experience operating Elasticsearch at scale (10TB+/day ingest, 100+ node clusters) Proficiency with AWS - Kinesis, S3, IAM, CloudTrail, and AWS-native log sources Experience with data streaming platforms - Apache Kafka, or Confluent Platform - for high-throughput event ingestion Experience integrating with data lake platforms - AWS S3 / Lake Formation, Data Lake, or Apache Iceberg for long-term retention and threat hunting Strong understanding of security principles: least privilege, network segmentation, secrets management, audit logging Experience building resilient systems: replication topologies, capacity planning, chaos engineering mindset, and documented DR procedures Proficiency with infrastructure-as-code tools (Terraform, Ansible, or CDK) (Optional) Preferred Qualifications Elastic Certified Engineer or Elastic Certified Analyst certification Experience with Elastic Security / SIEM detection rules, ML jobs, and Timeline investigations Familiarity with MITRE ATT&CK framework and how it informs index and detection design Experience with container-based deployments of Elastic (ECK / Kubernetes) Knowledge of compliance frameworks: SOC 2, PCI-DSS, HIPAA, or FedRAMP Special Factors Sponsorship Vanguard is not offering visa sponsorship for this position.

About Vanguard At Vanguard, we don't just have a mission—we're on a mission. To work for the long-term financial wellbeing of our clients. To lead through product and services that transform our clients' lives. To learn and develop our skills as individuals and as a team.

From Malvern to Melbourne, our mission drives us forward and inspires us to be our best. How We Work Vanguard has implemented a hybrid working model for the majority of our crew members, designed to capture the benefits of enhanced flexibility while enabling in-person learning, collaboration, and connection.

We believe our mission-driven and highly collaborative culture is a critical enabler to support long-term client outcomes and enrich the employee experience.