ArcSight ESM | Simple As Toast

Scope of Work


 Full-Scale Web Client

  Lead Designer

  Design strategy

  Interaction design

  Wireframing

  Content strategy

  Visual design




 Event Monitoring

  Data Visualizations

Case Management

Field Set Management

Query Management



Enterprise Security Management

The future vision for ArcSight ESM is to provide simplicity to all the complex problems it was designed to solve.

ArcSight ESM was developed in 2002 and has not changed since. ESM stands for Enterprise Security Management, and ArcSight sifts through 40,000 events per second. An event is any packet or call that is distributed from one server to another. The redesign is well overdue, and it was a challenge to get into the heads of the users. This project was a huge success.



ESM






My Team


Every person on this team was the most talented in their field I had ever worked with.

Over the year, the team and I completed over 17 sprints and 20 readouts to EVPs and above, and ran a Usability Testing Lab at a major security conference. Each sprint included research, concepting, validating, iterating and developing.

Team







Process & Design Thinking



Re-imagining an ancient, amazingly complex application that funnels immense amounts of data into a list that is comprehensible and actionable was an undertaking. I led a group of five brilliant creative professionals for a year in a team-created Agile Design Process.


Agile Process





Research

User / Stakeholder Interviews
Synthesized Findings
Personas / Use Cases


Concept

Synthesize Further
Brainstorm Sessions
Sketch & Wireframe


Validate

User / Stakeholder Review
Usability Lab Sessions
Peer Review




Design Thinking

The approach we took was quite simple: understanding the users' needs, finding out their pain points, and understanding the business goals helped lay the groundwork for a new product architecture.


In order to understand the users of one of the most complex applications known to man, we conducted countless user and stakeholder interviews. We took possession of a space and called it our war room, used thousands of sticky notes to create everything from Affinity Diagrams to Mind Maps, brainstormed, and more.


Synthesis






Identifying the Users


While learning Enterprise Security and getting to understand the users, it became clear which user our focus should be around: the Analysts.


Analyst

Analysts are responsible for catching threats that have penetrated security barriers and finding out the who, what, where, when and why of the attack.




Analyst Investigation Use Case

This is a generic workflow for an analyst investigating and actioning a security threat.

Analyst Use Case



Authors

Authors are a rare species of the advanced Analyst family. Authors are masters of their domain. Their main purpose is to keep content fresh by writing new rules based on new threats to protect the environment.







Administrators

An Administrator's main responsibilities are making sure the data is feeding correctly and monitoring the health of all systems. They also on-board third-party business units and provide support for the analysts.






Goals & Challenges



These goals and challenges are associated with the main user type, the Analyst. The ratio of Analysts to all other Security Operations Center members is around 2/3. The design does accommodate all users, and we cannot lose sight of the business needs.


User Goals

Investigate and explore security threats

Escalate identified security threats



Business Goal

Dropping the fat client and moving to ESM 7.0 on the Web.



Challenges

Low usage for the majority of the resources

Selecting fields

Cut down the investigation time

Get incidents out of the system faster

Visibility into who is working on the event

Easier way to navigate between events from different servers

Expedite the remediation

Better ways to integrate with third-party tools

Missing out on Excel-like features






High-Level Problems


1. The user needs main channel visibility at all times.
2. The user needs to navigate within a task without losing context.
3. The user needs to locate specific files within a resource.
4. The user needs quick access to their most used resource types within a task.
5. The user needs access to other associated resources within a resource.





Outdated ArcSight ESM

Outdated Interface
& User Flows

Our mission was to bring this fat client, which you see on the left, into today's world.

Many of the problems are obvious, but there are many more hidden treasures… um, rabbit holes in this design.







Solutions



Defining solutions to discovered problems is essential to acquiring a deep understanding of what the tool should be.



Problems

The user needs quick access to their most used resource types within a task.

The user needs to locate specific files within a resource.

The user needs to navigate within a task without losing context.

The user needs main channel visibility at all times.

Solutions

Have a main channel status widget.

Have a widget that contains task navigation (a timeline navigation of the current task).

Have a widget dedicated to files associated with the Main Navigation resource they are in.

Make the resource widgets searchable and have navigational file structures.

Give the user the ability to customize resource widgets on all pages.







Overall Navigation Solution

This navigation solution allows the user to work on multiple threats while waiting on the latency of the system. It features a unique multi-timeline system.








Visual Experimentation



As you can see, finding a new look and feel for ArcSight was fun. The team and stakeholders went through several visual design iterations. Below are some of the better ones that just didn't make it, along with an example of a piece of one of the mood boards.




3D Visualization





Light vs. Dark





Flat vs Game





Mood Board







ArcSight Enterprise Security Management



ArcSight became enterprise security management software that combines event correlation and security analytics to identify and prioritize threats in real time and remediate incidents early. Below you will see some of the final visuals. We chose the dark background because Security Operations Centers are dimly lit, and some SOCs run 24×7.





IP Activity

The IP Profiler acts as a starting point dashboard and gives you an overview of IP activity.



IP Profiler







The Channel


The Channel enables all users to filter down threats into actionable chunks. The user always keeps context, has powerful filters and visibility into activity via a smart spark line, among many other features.






Visualize the Channel

This Chord Diagram enables all users to get a quick glimpse into how mass amounts of threat IPs relate to each other.



Chord Diagram







Timeline

Timeline & Widgets

The Timeline acts very similarly to "recents." It records everything the user does and even color-codes the different paths the user takes. The widgets in the left sidebar are completely customizable and interchangeable.






Mattise Visualization

The Mattise Visualization gives the user the ability to quickly gain insight into an IP's travels through the network. The longer the leaf, the more leaves it has. The thickness of the leaves indicates the volume of traffic.



Mattise








Case Management System

We designed a complete Case Management System within ArcSight. The challenge was to keep everything on one page and really prioritize the information. Users can click on the triangles in the corners of the cards to expand them.






Final Thoughts

ArcSight ESM was my first exposure to any kind of Cyber Security. I am now knowledgeable enough to become an Analyst in a Security Operations Center. ArcSight was THE most complex application known to man. By empowering my team and organizing useful design activities, we did something no one has been able to do for over a decade. I am very proud of what we produced and of the team.