The Secureworks cybersecurity platform helps organizations prevent, detect, triage and contain large volumes of cybersecurity alerts in real time. While much of the detection and escalation is automated, any alert surfaced as critical requires manual review by a threat investigator.
Prioritization was based on incomplete or inaccurate data, creating a lot of predictable false positives. This left investigators burning a lot of time reviewing and documenting non-critical items, and meant many critical security threats were lost in the noise.
Project time: 12 weeks
My role: Product designer & strategist
Objective & scope
The project's objective was to reduce the time it took threat investigators to triage security alerts, improve the quality and consistency of the investigation process, and reduce the time it took to complete analysis and contain verified threats.
During the project, I:
•  Identified opportunities for improvement and envisioned a future experience
•  Created a low fidelity prototype that captured the vision
•  Validated the experience with real threat investigators
•  Incorporated the learnings from research into a high-fidelity product design
What I learned
Research confirmed that the most important objective for investigators was to reduce the time to triage incoming alerts, and that improving the prioritization and categorization of alerts in the triage queue would help.
Participants felt very strongly that correct prioritization and classification required alert enrichment prior to hitting the triage queue. Enrichment data provides additional event and non-event contextual information that greatly enhances accuracy.
Even though the activity was happening before reaching the user, this enrichment piece had significant impacts on engineering and hardware infrastructure that would require buy-in from the Secureworks executive team before proceeding.
Based on this need, the project team adjusted the future journey to outline this enrichment activity and its impacts on the remaining workflow and opportunities. I designed and built a working prototype of the future vision to serve as both a product demo and design assets for development planning.
With the detailed prototype, Secureworks was able to shop the demo around to prospects and gain critical validation that their orchestration features would reduce triage times and improve investigation quality.
Secureworks integrated the enrichment and workflow opportunities outlined in our project into a major update of the Taegis platform released in early 2022.
The work
The project started with a 5 day, on site collaborative workshop with the project stakeholders and representatives from threat investigation. The workshops helped the project team align on the problem space and objectives. Through different activities, the team visualized the challenges in the current experience, then imagined a future state.

Mapping the current journey for a threat investigator to align on the problems, challenges and needs.

Drafting a to-be journey with the tools and features to achieve improved containment timelines.

Once the team aligned on a future vision, the rough journey was represented as scenarios and user flows to help the client team visualize the user's workflow while performing their day-to-day tasks.

One of the scenarios, with activities shown as steps in a flow.

Adding detail to the user flows to demonstrate critical interactions.

It was important to validate the vision with threat investigators before moving to detailed design. To demonstrate the new experience and highlight the opportunities without going deep into detailed design, I generated storyboards and paired them with a brief narrative to describe the activities in research sessions.
Thumbnails and brief narrative descriptions gave research participants a sense of the future experience.
Important insights from user validation were drafted into concise takeaways, helping project stakeholders identify how the product's design and requirements would need to adapt to fully meet user needs.
During research, the participants emphasized that speeding up triage was heavily dependent on automating some of the analysis before alerts hit their queue. This automation, called "enrichment", was added as a new step in our journey. Data enrichment turned out to be very complex, requiring a lot of infrastructure and analysis before an alert even reaches the user.
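To make the enrichment idea from the research findings and this paragraph concrete, here is an added illustration that is not part of the original case study and not Taegis code. It assumes a constructed asset inventory, a constructed threat-intel list, and constructed historical false-positive rates as the "non-event" context, and shows how the same four alerts rank in a triage queue when scored on raw rule severity alone versus after enrichment:

```python
"""Triage-queue prioritization with and without alert enrichment.

Constructed example: the alerts, asset inventory, threat-intel entry and
disposition history below are invented for illustration; none of this is
Secureworks or Taegis code.
"""
from dataclasses import dataclass, field, replace
from typing import Optional

# Base severity each detection rule carries when it fires (constructed).
RULE_SEVERITY = {
    "port_scan": 7,
    "suspicious_powershell": 6,
    "failed_logins_burst": 4,
    "outbound_to_rare_ip": 5,
}

# Constructed enrichment sources that an unenriched queue does not see.
ASSET_INVENTORY = {
    "scanner01": {"criticality": 1, "role": "vuln-scanner"},
    "fin-db-01": {"criticality": 10, "role": "database"},
    "laptop-42": {"criticality": 3, "role": "workstation"},
    "kiosk-07": {"criticality": 2, "role": "kiosk"},
}
THREAT_INTEL = {"203.0.113.9": "known-c2"}  # TEST-NET-3 address, constructed
# Fraction of past analyst dispositions for a rule that were false positives.
HISTORICAL_FP_RATE = {"port_scan": 0.9, "failed_logins_burst": 0.7}


@dataclass
class Alert:
    alert_id: str
    rule: str
    host: str
    dest_ip: Optional[str] = None
    context: dict = field(default_factory=dict)  # empty until enriched


def enrich(alert: Alert) -> Alert:
    """Attach asset, intel and disposition context before the alert is queued."""
    asset = ASSET_INVENTORY.get(alert.host, {"criticality": 5, "role": "unknown"})
    return replace(alert, context={
        "criticality": asset["criticality"],
        "role": asset["role"],
        "intel": THREAT_INTEL.get(alert.dest_ip or ""),
        "fp_rate": HISTORICAL_FP_RATE.get(alert.rule, 0.0),
    })


def score(alert: Alert) -> float:
    """Priority score; with no context only the rule's severity is available."""
    base = RULE_SEVERITY[alert.rule]
    if not alert.context:
        return float(base)
    c = alert.context
    if c["role"] == "vuln-scanner" and alert.rule == "port_scan":
        return 0.0                          # expected behaviour of a known scanner
    s = base * (c["criticality"] / 5)       # scale by how much the asset matters
    if c["intel"]:
        s += 5                              # destination is on a threat list
    s *= (1 - c["fp_rate"])                 # discount rules that are usually noise
    return round(s, 2)


def prioritize(alerts, enrich_first=True):
    """Return alert ids ordered highest priority first."""
    queued = [enrich(a) for a in alerts] if enrich_first else list(alerts)
    return [a.alert_id for a in sorted(queued, key=score, reverse=True)]


# Constructed sample alerts.
SAMPLE_ALERTS = [
    Alert("A1", "port_scan", "scanner01"),
    Alert("A2", "suspicious_powershell", "fin-db-01"),
    Alert("A3", "failed_logins_burst", "kiosk-07"),
    Alert("A4", "outbound_to_rare_ip", "laptop-42", dest_ip="203.0.113.9"),
]

if __name__ == "__main__":
    print("raw queue:     ", prioritize(SAMPLE_ALERTS, enrich_first=False))
    print("enriched queue:", prioritize(SAMPLE_ALERTS))
```

Without enrichment the scanner's port scan sits at the top of the queue and the PowerShell activity on the finance database is second; after enrichment the scanner alert drops to zero and the database and known-C2 alerts lead. The point of the example is the design one the investigators made: the data that separates noise from a real threat has to be joined to the alert before it reaches the queue, which is why the enrichment step lands upstream of triage in the journey.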

Updated journey map with a new Detection step to handle enrichment.

I broke the scenarios into detailed outlines to help the team weigh the engineering impacts of enrichment and prioritize the activities and capabilities to showcase in their MVP.
I developed a clickable prototype for the prioritized activities and capabilities in the scenarios. The prototype was used as both an interim demo for prospects, and a way to secure funding and resources for the project.
High-fidelity wireframes were used to focus the team on the flow, layout and interactions.
Once the wireframes were complete, the screens were updated to reflect Secureworks' high-fidelity visual design.
