The future vision for ArcSight ESM is to provide simplicity to all the complex problems it was designed to solve.
ArcSight ESM was developed in 2002 and has not changed since. ESM stands for Enterprise Security Management, and ArcSight sifts through 40,000 events per second. An event is any packet or call that is distributed from one server to another. The redesign is well overdue, and it was a challenge to get into the heads of the users. This project was a huge success.
User / Stakeholder Interviews
Personas / Use Cases
Sketch & Wireframe
User / Stakeholder Review
Usability Lab Sessions
The approach we took was quite simple. Understanding the users' needs, finding out their pain points, and understanding the business goals helped lay the groundwork for the new product architecture.
Analysts are responsible for catching threats that have penetrated security barriers and finding out the who, what, where, when and whys about the attack.
This is a generic workflow for an analyst investigating and actioning a security threat.
Authors are a rare species of the advanced Analyst family. Authors are masters of their domain. Their main purpose is to keep content fresh by writing new rules based on new threats to protect the environment.
An Administrator's main responsibilities are making sure the data is feeding correctly and monitoring the health of all systems. They also on-board third-party business units and provide support for the analysts.
Investigate and explore security threats
Escalate identified security threats
Dropping the fat client and moving to ESM 7.0 on the Web.
Low usage for majority of the resources
Cut down the investigation time
Get incidents out of the system faster
Visibility into who is working on the event
Easier way to navigate between events from different servers
Expedite the remediation
Better ways to integrate with third-party tools
Missing out on Excel-like features
Our mission was to bring this Fat Client you see on the left into today’s world.
Many of the problems are obvious, but there are many more hidden treasures… um rabbit holes in this design.
The user needs quick access to their most used resource types within a task.
The user needs to locate specific files within a resource.
Navigating within a task without losing context.
The user needs main channel visibility at all times.
Have a main channel status widget.
Have a widget that contains task navigation (a timeline navigation of the current task).
Have a widget dedicated to files associated with the Main Navigation resource they are in.
Make the resource widgets searchable and have navigational file structures.
Give the user the ability to customize resource widgets on all pages.
This navigation solution allows the user to work on multiple threats while waiting on the latency of the system. It features a unique multi-timeline system.
The IP Profiler acts as a starting point dashboard and gives you an overview of IP activity.
The Channel enables all users to filter down threats into actionable chunks. The user always keeps context, has powerful filters and visibility into activity via a smart spark line, among many other features.
This Chord Diagram enables all users to get a quick glimpse into how mass amounts of threat IPs relate to each other.
The Timeline acts very similarly to “recents.” It records everything the user does and even color codes the different paths the user takes. The widgets in the left sidebar are completely customizable and interchangeable.
The Mattise Visualization gives the user the ability to quickly gain insight into an IP's travels through the network. The longer the leaf, the more leaves it has. The thickness of the leaves indicates the volume of traffic.
We designed a complete Case Management System within ArcSight. The challenge was to keep everything on one page and really prioritize the information. Users can click on the triangles in the corners of the cards to expand.
ArcSight ESM was my first exposure to any kind of Cyber Security. I am now knowledgeable enough to become an Analyst in a Security Operations Center. ArcSight was THE most complex application known to man. By empowering my team and organizing useful design activities, we did something no one has been able to do for over a decade. I am very proud of what we produced and of the team.