Interactive Timeline
ArcSight ESM
The future vision for ArcSight ESM is to provide simplicity to all the complex problems it was designed to solve.

Full-Scale Web Client
Information Architecture
Design Strategy
Content Strategy
Interaction Design
Wireframing
Case Management
Field Set Management
Visual Design
Event Monitoring
Data Visualization
Query Management

Enterprise Security Management
ArcSight ESM was developed in 2002 and has not changed since. ESM stands for Enterprise Security Management, and ArcSight sifts through 40,000 events per second. An event is any packet or call that is distributed from one server to another. The redesign was well overdue, and it was a challenge to get into the heads of the users. This project was a huge success.
My Team
Every person on this team was the most talented in their field I had ever worked with.
Over the year, the team and I completed over 17 sprints and 20 readouts to EVPs and above, and ran a Usability Testing Lab at a major security conference. Each sprint included research, concepting, validating, iterating and developing.

Process
Re-imagining an ancient, amazingly complex application that funnels immense amounts of data into a list that is comprehensible and actionable was an undertaking. I led a group of five brilliant creative professionals for a year in a team-created Agile Design Process.

Continual Design Process (by Adam Heller)

Design Thinking
The approach we took was quite simple. Understanding the users' needs, finding out their pain points, and understanding the business goals helped lay the groundwork for a new product architecture.
In order to understand the users of one of the most complex applications known to man, we conducted countless user and stakeholder interviews. We took possession of a space and called it our war room, used thousands of sticky notes to create everything from Affinity Diagrams to Mind Maps, brainstormed and more.
Identifying the User
While learning Enterprise Security and getting to understand the users, it became clear which user our focus should be on: the Analysts.

Analyst
Analysts are responsible for catching threats that have penetrated security barriers and finding out the who, what, where, when and why of the attack.

This let us key in on pain points.
Analyst Investigation Use Case
This is a generic workflow for an analyst investigating and actioning a security threat.

Authors
Authors are a rare species of the advanced Analyst family. Authors are masters of their domain. Their main purpose is to keep content fresh by writing new rules based on new threats to protect the environment.
Administrators
An Administrator's main responsibilities are making sure the data is feeding correctly and monitoring the health of all systems. They also on-board third-party business units and provide support for the analysts.
Goals & Challenges
These goals and challenges are associated with the main user type, an Analyst. The ratio of Analysts to all other Security Operation Center members is around 2/3. The design does accommodate all users, and we cannot lose sight of the business needs.
User Goals
Investigate and explore security threats
Escalate identified security threats
Business Goal
Dropping the fat client and moving to ESM 7.0 on the Web.
Challenges
Low usage for majority of the resources
Selecting fields
Cut down the investigation time
Get incidents out of the system faster
Visibility into who is working on the event
Easier way to navigate between events from different servers
Expedite the remediation
Better ways to integrate with 3rd party tools
Missing out on Excel-like features
High-Level Problems
The user needs main channel visibility at all times.
The user needs to navigate within a task without losing context.
The user needs to locate specific files within a resource.
The user needs quick access to their most used resource types within a task.
The user needs access to other associated resources within a resource.

Original ArcSight Interface
Outdated Interface & User Flows
Our mission was to bring this Fat Client you see on the left into today’s world.
Many of the problems are obvious, but there are many more hidden treasures… um rabbit holes in this design.
Solutions
Defining solutions to discovered problems is essential to acquiring a deep understanding of what the tool should be.
Have a main channel status widget.
Have a widget that contains task navigation (a timeline navigation of the current task).
Have a widget dedicated to files associated with the Main Navigation resource they are in.
Make the resource widgets searchable and have navigational file structures.
Give the user the ability to customize resource widgets on all pages.

KEY DECISION
Overall Navigation Solution
This navigation solution allows the user to work on multiple threats while waiting on the latency of the system. It features a unique multi-timeline system.

Widget Architecture Solution
The system has every feature they could think of, but exposing all of them at all times was too much for users to understand. This simple widget solution allows the users to pick and choose what they use the most, while still giving them access to all functionality.
Usability Testing
We took a prototype to the HP Protect Conference in Washington DC and tested 16 participants. We developed a script, flow and prototype to get everything we could out of this unique experience. Our learnings indicated we were on the right path.

Usability testing at the HP Protect Conference in Washington DC with 16 participants.
Working Prototype
Visual Experimentation
As you can see, finding a new look and feel for ArcSight was fun. The team and stakeholders went through several visual design iterations. Below are some of the better ones that just didn’t make it, along with an example of a piece of one of the mood boards.

3D Visualization

Light vs Dark

Flat vs Gaming

Mood Board
ArcSight Enterprise Security Management
ArcSight became enterprise security management software that combines event correlation and security analytics to identify and prioritize threats in real time and remediate incidents early. Below you will see some final visuals. We chose the dark background because Security Operation Centers are dimly lit, and some SOCs run 24×7.

IP Activity
The IP Profiler acts as a starting point dashboard and gives you an overview of IP activity.

The Channel
The Channel enables all users to filter down threats into actionable chunks. The user always keeps context, has powerful filters and visibility into activity via a smart spark line, among many other features.

Visualize the Channel
This Chord Diagram enables all users to get a quick glimpse into how mass amounts of threat IPs relate to each other.

Timeline & Widgets
The Timeline acts very similarly to “recents.” It records everything the user does and even color codes the different paths the user takes. The widgets in the left sidebar are completely customizable and interchangeable.

Mattise Visualization
The Mattise Visualization gives the user the ability to quickly gain insight around an IP's travels through the network. The longer the leaf, the more leaves it has. The thickness of the leaves indicates the volume of traffic.

Case Management System
We designed a complete Case Management System within ArcSight. The challenge was to keep everything on one page and really prioritize the information. Users can click on the triangles in the corners of the cards to expand.
Final Thoughts
ArcSight ESM was my first exposure to any kind of Cyber Security. I am now knowledgeable enough to become an Analyst in a Security Operations Center. ArcSight was THE most complex application known to man. By empowering my team and organizing useful design activities, we did something no one has been able to do for over a decade. I am very proud of what we produced and of the team.