Matthew J. Spencer
Ashburn, VA 20148
Cell: 703-774-9913
mattspencerva@gmail.com
Objective:
Seeking a challenging management position in the field of Cyber Security, Networking,
Telecommunication, and Information System Technology in a company that provides challenging
opportunities to enable me to utilize my experience, skills, and proven abilities in the high-tech field.
Work Experience:
2016 – Present FireEye, Inc.
Reston, VA
Senior Security Engineer
§ Leading the FireEye@FireEye initiative to expand visibility of network threats and close security
gaps in all data centers, regional hubs, and remote offices globally.
§ Leading the effort to implement a secure architecture between FireEye’s development and
engineering and its onshore and offshore partners
§ Co-Leader of the Network Trust Model initiative aimed at evolving FireEye’s network to cope with
the organization’s expansion efforts and improve the security architecture
§ Responsible for architectural review of various projects as part of the pre-change advisory board
(CAB)
§ Establishing corporate hardening security standards for network and systems and working with
various teams to ensure buy-ins and adaptation of standards
§ Evaluating Cloud Service Providers (CSP) and Cloud Access Service Brokers (CASB) to support
FireEye’s cloud initiatives
§ Architecting and implementing RedSeal Security Analytics Platform, creating network models,
zones, and policies to assess and audit network access violations with security policy.
2014 – 2016 Pentagon Federal Credit Union
Chantilly, VA
Senior Network Security Engineer
§ Leading the Network Redesign effort from the security side and working with the network engineers
and third party vendor to discuss current infrastructure, security needs, and projected design.
§ Establishing Next Generation firewall requirements and leading the effort to transition from Cisco
firewalls to Palo Alto Next Generation firewalls as part of the Network Redesign effort.
§ Establishing requirements to transition from a hub and spoke network to a zoned architecture
design (web, application, and database tier) that accounts for PCI regulations.
§ Managing Network Security Manager (NSM) (formerly Intrushield) and tuning false-positive events
while addressing legitimate events.
§ Continuing the transition from a promiscuous to an inline mode configuration.
§ Performed mass configuration initiative to analyze, test, and enable “blocking” of thousands of IPS
rules that were not set to block previously.
§ Architecting Fidelis Security solution as the Network Malware Defense solution for the organization.
§ Establishing Windows Server 2012 security hardening baseline for the organization.
§ Improving the vulnerability management infrastructure and coverage by placing scanners at various
points on the network to ensure full coverage from the inside as well as outside
§ Addressing organization challenges with scans and vulnerability management and helping establish
new processes and improve existing ones
§ Planning on implementing an in-house penetration testing program to be proactive at identifying
and remediating weaknesses or misconfigurations within the web application
§ Working on establishing guidelines for introducing and implementing Microsoft EMET at the
workstation as well as server side to guard against zero-day attacks and other known attacks.
§ Assisting in establishing application security framework to ensure compliance with best practices
and to promote standardization within the organization.
2013 – 2014 Booz Allen Hamilton
Herndon, VA
Senior Information Security Engineer
§ Implementing single-site deployment of Microsoft Direct Access
§ Designing and implementing multi-site deployment of Microsoft Direct Access with Windows Server
2012 and Windows 7 support to provide resiliency and geographical failover capabilities
§ Performing security assessment of infrastructure designs to provide secure networking for various
teams within the enterprise
§ Establishing security hardening guidelines and security policies for the organization
§ Providing recommendations and security best practices and working with various teams to achieve
security objectives for the firm
§ Re-architecting the secure web gateway to provide better redundancy, resiliency, and better
defense-in-depth security approach and the implementation of SSL intercept of all internet traffic
§ Re-architecting the firm’s security approach from the network level down to the system level to
include endpoint security and the segmentation of areas of the network that are deemed to be of
higher security score from the remainder of the network
§ Designing and architecting the security of cloud services and segmenting the network to provide
better security
§ Assisting the CIRT and Security Audit teams with vulnerability assessment and establishing
remediation plans to help guide the organization towards a dynamic and systematic remediation
approach
2010 – 2013 Navy Federal Credit Union
Vienna, VA
Lead Information Security Engineer
§ Conducting scheduled vulnerability scanning, open services scanning against internal and external
network devices and systems using various tools like McAfee Vulnerability Manager (Foundstone),
Nessus, Web Inspect, NTO Spider, and nmap
§ Conducting penetration testing against findings from the vulnerability scanning using BackTrack
and Kali-Linux, and SamuraiWTF frameworks to validate results of the scans and eliminate
false-positives, generating reports for management, and coordinating remediation efforts with the
appropriate teams
§ Performing architectural reviews and security assessment of projects focusing on infrastructure
design, firewall rules, security hardening of network, system, services, databases, applications,
web servers.
§ Conducting scheduled vulnerability scanning of systems and networks, validating results, reporting
findings to management, and working with various departments and teams to ensure remediation of
findings
§ Performing project based security assessment and penetration testing against targets as part of the
Software Development Life Cycle (SDLC)
§ Leading the Microsoft Enterprise Public Key Infrastructure (PKI) implementation and working with
various teams, including legal and compliance, to draft and finalize Certificate Policy (CP) and
Certification Practice Statement (CPS) for the various Certificate of Authority (CA) servers
§ Leading the effort to implement Thales Hardware Security Module (HSM) as part of Enterprise PKI
§ Drafting PKI and HSM “Roles and Responsibilities” document to ensure strict dual controls for
managing the PKI and HSM systems
§ Working with vendors and teams to draft and finalize documented procedures for the management
of the PKI solution and the renewal of the Certificate Revocation List (CRL), as well as Thales HSM
§ Leading the design and implementation of Microsoft Direct Access (DA) solution in “Forced
Tunnel” mode to alleviate security concerns with “Split Tunnel”. Also, conducting pen-testing
against the Direct Access client and network to ensure security meets the required standards
§ Setting the organizational security standards for different Windows platforms based on systems
role and their location on the network (internet facing vs. internal)
§ Setting the organizational security standards for Cisco routers, switches, and firewalls and working
with our network and network security teams to ensure compliance and address any possible
issues
§ Leading the PCI Discovery project as part of the PCI compliance effort by identifying PCI data
in-motion, and data at-rest by leading the mainframe, databases, file systems and network share
scanning efforts
§ Leading the Patch Management effort and increasing compliance from 1% to 99% by identifying
flaws in the patching process and implementing new criteria for identifying compliance based on
relevance and other criteria; implementing plan of action to increase the efficiency of patch
deployment and compliance
§ Ensuring compliance with SANS Top 20 Critical Security Controls and documenting procedures
§ Assessing the network design and establishing secure requirements for the VTC and SIP
Telephony projects to extend video conferencing to the DMZ for serving the organizational needs
for teleworkers to make VOIP calls, join, and establish video conferences remotely from mobile
devices
§ Leading a team of senior engineers, junior engineers, and interns
2006 – 2010 Navy Federal Credit Union
Vienna, VA
Sr. Network Security Engineer
§ Adapting a three-tiered architecture
§ Migrating and configuring Cisco PIX and ASA 5510/5520/5580 firewalls
§ Standardizing all Cisco firewalls on a standard code and establishing standard global security
configurations of firewalls.
§ Auditing all firewall access control lists (ACLs) to identify insecure ACLs, and creating the necessary
ACLs to harden these rules
§ Planning, designing, testing, and implementing Cisco TACACS+ in DMZ and Internal network
§ Configuring and managing Cisco switches 3750/3550
§ Managing F5 Big IP load balancers in a complex environment and the use of SNAT
§ Managing and designing a complex F5 Firepass SSL VPN solution that’s integrated with Active
Directory, eDir, and RSA SecurID Authentication
§ Migrating RSA SecurID from 5.x to 6.1 and then 7.1 and the conversion of Radius authentication
method to SecurID
§ Architecting a geographically dispersed Active/Active implementation of Bluecoat Proxy SG, Proxy
AV, and Director with Cisco WCCP and the implementation of transparent authentication, SSL
decryption, protocol detection
§ Implementing Secure File Transfer Protocol (SFTP) solution
§ Designing and implementing McAfee Intrushield 5.1 and integrating it with ePolicy Orchestrator
(ePO) 4.5
§ Designing, testing, and implementing ePolicy Orchestrator 4.0/4.5 and automating many of the
tasks and reports.
§ Planning, testing, and implementing the migration of Domain Controllers from 2003 to 2008
§ Managing Active Directory, DNS, DHCP
§ Designing a new OU structure and the redesign and implementation of new Group Policy Objects
(GPO)
§ Hardening all of Windows Server 2003 family, as well as Windows XP Workstations via GPO and
Local Security.
§ Designing, testing and implementing Microsoft Operation Manager (MOM) 2005 and later
implementing the new System Center Operation Manager (SCOM) 2007.
§ Designing, testing, and implementing VMWare ESX 3.1 solution.
2005 – 2006 Department of Defense, Tricare Management Activity
Falls Church, VA
Sr. System & Network Engineer Lead
§ Managing and administering five domains in a large DoD environment
§ Planning and Implementing PKI and Tumbleweed Certificate Validation
§ Planning, designing, testing, and implementing Tumbleweed OCSP Responders and Repeaters
across multiple geographical sites
§ Troubleshooting and resolving various certificate revocation errors during the pilot stage of the PKI
project
§ Working with the security team to initiate internal DITSCAP audit scans using Retina and Gold
Disk.
§ Ensuring compliance with the Defense Information Systems Agency (DISA) DITSCAP requirement
through mitigation of any findings.
§ Ensuring all systems are compliant with DITSCAP requirements by enforcing strong security
settings using Group Policy Objects (GPO)
§ Implementing Systems Management Server (SMS), as a patch management system to ensure
compliance with IAVA
§ Implementing Split DNS in accordance with the JTF-GNO requirements
§ Implementing, configuring and deploying DoD Common Access Card (CAC)
§ Restructuring Active Directory OU structure to better manage the environment
§ Planning, testing, and implementing the migration of domain controllers to new hardware.
§ Troubleshooting and properly configuring Site Replicate Service among eight sites.
§ Managing and administering Group Policy Objects (GPO)
§ Managing, troubleshooting, and maintaining Exchange 2003 server
§ Working with JTF-GNO to ensure all systems are protected against unauthorized access by
implementing preventive procedures and emergency incident response procedures
§ Planning, testing, and implementing a SAN/Blade solution
§ Implementing a backup solution and tape library solution as a replacement of the existing solution
§ Managing Arc Serve and SQL database backup
2000 – 2005 Treasury Department, Bureau of Engraving & Printing
Washington, DC
Sr. System & Network Engineer
§ Planning, testing and implementing the migration of domain controllers, Microsoft Exchange
servers, member servers, file servers, and print servers from 2000 to 2003
§ Designing the Active Directory OU structure to best suit the agency
§ Managing Exchange 2000/2003 and Active Directory on a daily basis
§ Implementing group policies to enforce standard security policies
§ Working side-by-side with Dell Professionals to design, plan, and implement EMC CX500 SAN
Copy between DC and TX as a disaster recovery plan
§ Managing the Storage Area Network (SAN)
§ Migrating file, print, SQL, and Oracle servers from Windows NT 4.0 server to Windows 2000 server
§ Migration of database servers from SQL 7.0 and Oracle 8i to SQL 2000 and Oracle 9i
§ Managing sites backup using Galaxy CommVault and Backup Exec
§ Managing online and cold backups of Oracle and SQL databases on Windows and Solaris systems
using Galaxy CommVault 5.0
§ Implementing, administering and managing Cisco IPTV
§ Managing over 3000 clients and servers across states using Microsoft Systems Management
Server 2003 (SMS) – (Previously SMS 2.0)
§ Managing software distribution across the network and creating custom scripts to custom install
software and to perform various administrative tasks
§ Managing and administering Symantec Mail Security 4.x for Microsoft Exchange
§ Managing HP OpenView, NetIQ, and Ecora reporting systems
§ Managing Web Servers
§ Managing and administering over 3000 Symantec Antivirus clients and ensuring proper
functionality of all clients
§ Implementing and managing a Patch Management system and ensuring that all servers and
workstations are in compliance with Inspector General (IG) and National Security Agency (NSA)
requirements.
§ Managing Acronis True Image Enterprise Server as an enterprise imaging solution for SCSI and
RAID servers
§ Managing Norton Ghost Server 7.0
§ Building and securing a Windows XP Professional and Windows 2000 Professional image using
Norton Ghost and automating the process using Microsoft System Preparation Tool (SysPrep)
§ Resolving complex network and server/workstations problems
§ Leading the Trinity Smart Card system (testing phase) and working side by side with other IT
individuals to resolve any issues related to the Smart Cards system
Skills:
§ Operating Systems: Windows Server 2012/2008/2003/2000/NT 4.0 Family, Windows XP,
Windows ME, Windows 9x Family, DOS, MAC OS X.
§ Security: Cisco ASA 5500 series firewalls, Cisco TACACS+, nmap, BackTrack, Kali-Linux,
Samurai-WTF, Nessus, NTO Spider, HP Web Inspect, McAfee Vulnerability Management
(Foundstone), NIKTO Web Scanner, Burp Suite, Web Application Penetration Testing, Network
Penetration Testing, Bluecoat Proxy SG, F5 Firepass SSL VPN.
§ Networking: Cisco Pix and ASA 5510, 5520, 5580 Firewalls, Cisco 3750 Switches, Cisco 3550
Switches, F5 BIG-IP LTM, Bluecoat Proxy SG, Active Directory, Exchange, DNS, DHCP, SCCM,
SMS, SCOM, MOM, TCP/IP, IPX/SPX protocols
§ Database: SQL 2008/2005/2000/7.0, Oracle 9i/8i, DB2, Access
§ Web Servers: Microsoft Information Services (IIS), Apache Web Server
Certification & Courses:
Certified Cloud Security Professional (CCSP)
Web Application Penetration Testing (GIAC/GWAPT)
Microsoft Certified Professional (MCP)
Systems Management Server (SMS) 2.0 Certification
A+ Certification
Education:
B.S. in Business Management (with honor)
George Mason University
Fairfax, VA
Clearance: High Risk – Treasury Public Trust / DoD Secret Clearance
Citizenship: U.S. Citizen
References: Will be furnished upon request