ArcSight ESM | Simple As Toast

Scope of Work

 Full-Scale Web Client

  Lead Designer

  Design strategy

  Interaction design

  Content strategy

  Visual design

 Event Monitoring

  Data Visualizations

 Case Management

 Field Set Management

 Query Management

 Enterprise Security Management

The future vision for ArcSight ESM is to provide simplicity to all the complex problems it was designed to solve.

ArcSight ESM was developed in 2002 and has not changed since. ESM stands for Enterprise Security Management, and ArcSight sifts through 40,000 events per second. An event is any packet or call that is distributed from one server to another. The redesign was well overdue, and it was a challenge to get into the heads of the users. This project was a huge success.


My Team

Every person on this team was the most talented in their field I had ever worked with.

Over the year, the team and I completed over 17 sprints and 20 readouts to EVPs and above, and ran a Usability Testing Lab at a major security conference. Each sprint included research, concepting, validating, iterating and developing.


Process & Design Thinking

Re-imagining an ancient, amazingly complex application that funnels immense amounts of data into a list that is comprehensible and actionable was an undertaking. I led a group of five brilliant creative professionals for a year in a team-created Agile Design Process.

Agile Process

User / Stakeholder Interviews
Synthesized Findings
Personas / Use Cases

Synthesize Further
Brainstorm Sessions
Sketch & Wireframe

User / Stakeholder Review
Usability Lab Sessions
Peer Review

Design Thinking

The approach we took was quite simple. Understanding the users' needs, finding out their pain points, and understanding the business goals helped lay the groundwork for a new product architecture.

In order to understand the users of one of the most complex applications known to man, we conducted countless user and stakeholder interviews. We took possession of a space and called it our war room, used thousands of sticky notes to create everything from Affinity Diagrams to Mind Maps, brainstormed and more.


Identifying the Users

While learning Enterprise Security and getting to understand the users, it became clear which user our focus should be around: the Analysts.


Analysts are responsible for catching threats that have penetrated security barriers and finding out the who, what, where, when and whys about the attack.


Analyst Investigation Use Case

This is a generic workflow for an analyst investigating and actioning a security threat.



Authors are a rare species of the advanced Analyst family. Authors are masters of their domain. Their main purpose is to keep content fresh by writing new rules based on new threats to protect the environment.



An Administrator's main responsibilities are making sure the data is feeding correctly and monitoring the health of all systems. They also on-board third-party business units and provide support for the analysts.

Goals & Challenges

These goals and challenges are associated with the main user type, the Analyst. Analysts make up around 2/3 of all Security Operation Center members. The design still accommodates all users, and we cannot lose sight of the business needs.

User Goals

Investigate and explore security threats

Escalate identified security threats

Business Goal

Dropping the fat client and moving to ESM 7.0 on the Web.


Low usage for the majority of the resources

Selecting fields

Cut down the investigation time

Get incidents out of the system faster

Visibility into who is working on the event

Easier way to navigate between events from different servers

Expedite the remediation

Better ways to integrate with third-party tools

Missing out on Excel-like features

High-Level Problems

1. The user needs main channel visibility at all times.
2. The user needs to navigate within a task without losing context.
3. The user needs to locate specific files within a resource.
4. The user needs quick access to their most used resource types within a task.
5. The user needs access to other associated resources within a resource.

Outdated ArcSight ESM

Outdated Interface & User Flows

Our mission was to bring this Fat Client you see on the left into today’s world.

Many of the problems are obvious, but there are many more hidden treasures… um rabbit holes in this design.


Defining solutions to discovered problems is essential to acquiring a deep understanding of what the tool should be.


The user needs quick access to their most used resource types within a task.

The user needs to locate specific files within a resource.

The user needs to navigate within a task without losing context.

The user needs main channel visibility at all times.


Have a main channel status widget.

Have a widget that contains task navigation (a timeline navigation of the current task).

Have a widget dedicated to files associated with the Main Navigation resource they are in.

Make the resource widgets searchable and have navigational file structures.

Give the user the ability to customize resource widgets on all pages.


Overall Navigation Solution

This navigation solution allows the user to work on multiple threats while waiting on the latency of the system. It features a unique multi-timeline system.



Visual Experimentation

As you can see, finding a new look and feel for ArcSight was fun. The team and stakeholders went through several visual design iterations. Below are some of the better ones that just didn't make it, along with an example of a piece of one of the mood boards.

3D Visualization


Light vs. Dark


Flat vs Game


Mood Board


ArcSight Enterprise Security Management

ArcSight became enterprise security management software that combines event correlation and security analytics to identify and prioritize threats in real time and remediate incidents early. Below you will see some final visuals. We chose the dark background because Security Operation Centers are dimly lit, and some SOCs run 24×7.

IP Activity

The IP Profiler acts as a starting point dashboard and gives you an overview of IP activity.

IP Profiler

The Channel


The Channel enables all users to filter threats down into actionable chunks. The user always keeps context, has powerful filters, and has visibility into activity via a smart sparkline, among many other features.

Visualize the Channel

This Chord Diagram enables all users to get a quick glimpse into how massive numbers of threat IPs relate to each other.

Chord Diagram


Timeline & Widgets

The Timeline acts very similarly to "recents." It records everything the user does and even color-codes the different paths the user takes. The widgets in the left sidebar are completely customizable and interchangeable.

Mattise Visualization

The Mattise Visualization gives the user the ability to quickly gain insight into an IP's travels through the network. The longer the leaf, the more leaves it has. The thickness of the leaves indicates the volume of traffic.



Case Management System

We designed a complete Case Management System within ArcSight. The challenge was to keep everything on one page and really prioritize the information. Users can click on the triangles in the corners of the cards to expand.

Final Thoughts

ArcSight ESM was my first exposure to any kind of Cyber Security. I am now knowledgeable enough to become an Analyst in a Security Operations Center. ArcSight was THE most complex application known to man. By empowering my team and organizing useful design activities, we did something no one has been able to do for over a decade. I am very proud of what we produced and of the team.