VISION
An easy and visual way for cybersecurity analysts to scan through query results from different sources, and gather evidence.
Prototype made with Flinto - Example of a cybersecurity analyst's interaction with the query results
My Role
UI & UX Design
UX Research
Deliverables
Low resolution screens for user testing
High resolution screens
Flinto prototypes
Insight report
Wireframes and user flows
Time and Place
IBM Security Design, Austin, TX
Summer 2019
Background
Cybersecurity analysts, as one of their daily tasks, run queries against different security tools and data sources, such as Splunk, Carbon Black or IBM's QRadar. They do so in each tool's own console, scanning through the results and usually summarizing them in a text editor with lots of copy-and-paste.
IBM, through Security Pak, offers a way for analysts to see the results from different sources together and to gather evidence structured as cases.
Challenge #1: Scannability
Behind the scenes, the results from the multiple sources are translated into a common format called STIX (Structured Threat Information Expression). The problem with STIX is that it is raw JSON: it reads like code, so it is hard to scan through and to spot the one data point that matters.
How might we help analysts scan through query results in a faster and easier way for them to identify irregularities?
Prototyping and user testing
Once we materialized our different options into low-fi prototypes, we used them as artifacts for gathering more insights through further interviews. This gave us not only useful feedback on our ideas, but also new ideas that we weren’t thinking about.
Low resolution screen - Used for user testing interviews
Low resolution screen - Used for user testing interviews
Solution: Results page refactor
We proposed a visual way for analysts to quickly scan through the results, allowing them to expand these as a whole or selected ones. We also offered them a quick way to run queries pivoting in selected data points.
Before - Example of STIX formatted query result
After - Collapsed view of same result as left
After - Expanded view of same result as left
After - Expanded view of same result as left, including scrollable source code
Main page - Top, showing right button functionality
Main Page - Scanning through different results
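To make the collapsed and expanded views concrete, here is a small Python example, added for this page and not Data Explorer's or IBM's code. It takes a STIX 2.1 bundle (constructed sample data: an RFC 5737 address, an example.com hostname, and a hash computed from a fixed string) and renders one scannable row per object, returns an object's own STIX source for the expanded view, and builds the STIX pattern for a follow-up query that pivots on the data points the analyst selected. Function names and the bundle contents are illustrative assumptions.

```python
"""Collapsing STIX 2.1 query results into scannable rows, with pivot queries.

Added example for this page; not Data Explorer's or IBM's code. The bundle is
constructed sample data (RFC 5737 address, example.com name, hash of a fixed
string) and the function names are illustrative.
"""
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed stand-in for a real file hash.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample file").hexdigest()

IP_ID = "ipv4-addr--b0f4e9a1-1111-4a6e-9c3d-0123456789ab"
DOMAIN_ID = "domain-name--c1a5f0b2-2222-4b7f-8d4e-123456789abc"
FILE_ID = "file--d2b6a1c3-3333-4c80-9e5f-23456789abcd"
OBSERVED_ID = "observed-data--e3c7b2d4-4444-4d91-8f60-3456789abcde"

SAMPLE_BUNDLE: Dict = {
    "type": "bundle",
    "id": "bundle--3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "objects": [
        {"type": "ipv4-addr", "spec_version": "2.1", "id": IP_ID, "value": "203.0.113.5"},
        {"type": "domain-name", "spec_version": "2.1", "id": DOMAIN_ID, "value": "login.example.com"},
        {"type": "file", "spec_version": "2.1", "id": FILE_ID,
         "name": "dropper.exe", "hashes": {"SHA-256": SAMPLE_SHA256}},
        {"type": "observed-data", "spec_version": "2.1", "id": OBSERVED_ID,
         "created": "2019-07-01T08:20:00.000Z", "modified": "2019-07-01T08:20:00.000Z",
         "first_observed": "2019-07-01T08:15:00Z", "last_observed": "2019-07-01T08:17:30Z",
         "number_observed": 3, "object_refs": [IP_ID, DOMAIN_ID]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--f4d8c3e5-5555-4ea2-9071-456789abcdef",
         "created": "2019-07-01T09:00:00.000Z", "modified": "2019-07-01T09:00:00.000Z",
         "name": "Known dropper hash", "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}']",
         "valid_from": "2019-07-01T00:00:00Z"},
    ],
}

# Cyber observable types whose single interesting data point is their "value".
VALUE_TYPES = ("ipv4-addr", "ipv6-addr", "domain-name", "url", "email-addr")


def _quote(value: str) -> str:
    """Escape a value for a STIX pattern string literal (backslash and single quote)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def _label(obj: Dict) -> str:
    """The one data point an analyst wants to see for a cyber observable."""
    if obj["type"] in VALUE_TYPES:
        return obj["value"]
    if obj["type"] == "file":
        sha = obj.get("hashes", {}).get("SHA-256", "")
        return f"{obj.get('name', '?')} sha256={sha[:12]}..."
    return obj["id"]


def summarize(obj: Dict, by_id: Dict[str, Dict]) -> str:
    """One line per object: the collapsed row the analyst scans first."""
    kind = obj["type"]
    if kind == "observed-data":
        # Resolve object_refs so the row shows what was seen, not opaque ids.
        seen = ", ".join(_label(by_id[r]) for r in obj["object_refs"] if r in by_id)
        return (f"{kind:<14} {obj['first_observed']} -> {obj['last_observed']} "
                f"x{obj['number_observed']}  [{seen}]")
    if kind == "indicator":
        return f"{kind:<14} {obj.get('name', '')}  {obj['pattern']}"
    return f"{kind:<14} {_label(obj)}"


def collapse_bundle(bundle: Dict) -> List[Tuple[str, str]]:
    """(id, summary) rows for the collapsed results view."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    return [(o["id"], summarize(o, by_id)) for o in bundle["objects"]]


def expand_object(bundle: Dict, object_id: str) -> str:
    """Expanded view: the selected object's own STIX source, pretty-printed."""
    for o in bundle["objects"]:
        if o["id"] == object_id:
            return json.dumps(o, indent=2, sort_keys=True)
    raise KeyError(object_id)


def pivot_pattern(objects: List[Dict]) -> str:
    """STIX pattern for a follow-up query on the selected data points (OR-ed together)."""
    terms = []
    for obj in objects:
        kind = obj["type"]
        if kind in VALUE_TYPES:
            terms.append(f"{kind}:value = {_quote(obj['value'])}")
        elif kind == "file" and "SHA-256" in obj.get("hashes", {}):
            terms.append(f"file:hashes.'SHA-256' = {_quote(obj['hashes']['SHA-256'])}")
        else:
            raise ValueError(f"no pivot defined for {kind}")
    if not terms:
        raise ValueError("nothing selected")
    return "[" + " OR ".join(terms) + "]"


if __name__ == "__main__":
    for _, row in collapse_bundle(SAMPLE_BUNDLE):
        print(row)
    print(pivot_pattern([SAMPLE_BUNDLE["objects"][0], SAMPLE_BUNDLE["objects"][1]]))
```

The collapsed row for the observed-data object resolves its object_refs, so the analyst sees the address and hostname inline instead of two UUIDs; the raw JSON is still one click away through expand_object. The pivot builder escapes quotes and backslashes before placing a value in the pattern, which matters because the selected data point comes straight from query results and may contain anything.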
Challenge #2: Evidence gathering
How might we help analysts save evidence from query results into a case more efficiently?
Needfinding
Through multiple qualitative interviews with analysts, and using a persona framework, we defined scenarios, user needs and requirements for Data Explorer to address them. Some of them were specific to our user stories, and some of them extended for future stories for the team to work on.
Solution: ‘Add to case’ feature
Based on the user interviews, we defined three user flows for a new feature within the Data Explorer app, covering the different scenarios in which the user adds evidence to an existing or a new case without leaving the app.
User scenario and corresponding user flow example
Conclusion
I was glad the team trusted me with such an important project, gave me the freedom to propose ideas, and let me learn from such talented teammates. I also learnt a lot from understanding such a technical user and product in order to propose such an improvement.
Tools: User interviews, brainstorming and feedback sessions, Sketch, Flinto, and Github Enterprise.
Methodologies: Design Thinking (user journey mapping, brainstorming, user interviews, low and high resolution prototyping, etc) and Agile methodology.