ArcSight ESM

The future vision for ArcSight ESM is to provide simplicity to all the complex problems it was designed to solve.

Scope of Work
  • Full-Scale Web Client

  • Information Architecture

  • Design Strategy

  • Content Strategy

  • Interaction Design

  • Wireframing

  • Case Management

  • Field Set Management

  • Visual Design

  • Event Monitoring

  • Data Visualization

  • Query Management

HP ArcSight ESM

Interactive Timeline

Enterprise Security Management

ArcSight ESM was developed in 2002 and has not changed since. ESM stands for Enterprise Security Management, and ArcSight sifts through 40,000 events per second. An event is any packet or call that is distributed from one server to another. The redesign is well overdue, and it was a challenge to get into the heads of the users. This project was a huge success.

My Team

Every person on this team was the most talented in their field I had ever worked with.

Over the year, the team and I completed over 17 sprints and 20 readouts to EVPs+, and ran a Usability Testing Lab at a major Security Conference. Each sprint included researching, concepting, validating, iterating and developing.

Process

Re-imagining an ancient, amazingly complex application that funnels immense amounts of data into a list that is comprehensible and actionable was an undertaking. I led a group of five brilliant creative professionals for a year in a team-created Agile Design Process.

Continual Design Process (by Adam Heller)

Design Thinking

The approach we took was quite simple. Understanding the users' needs, finding out their pain points, and understanding the business goals helped lay the groundwork for the new product architecture.

In order to understand the users of one of the most complex applications known to man, we conducted countless user and stakeholder interviews. We gained possession of a space and called it our war room, used thousands of stickies to create everything from Affinity Diagrams to Mind Maps, brainstormed and more.

Identifying the User

While learning Enterprise Security and getting to understand the users, it became clear which user our focus should be on: the Analysts.

Analyst

Analysts are responsible for catching threats that have penetrated security barriers and finding out the who, what, where, when and whys about the attack.

This let us key in on pain points

Analyst Investigation Use Case

This is a generic workflow for an analyst investigating and actioning a security threat.

Authors

Authors are a rare species of the advanced Analyst family. Authors are masters of their domain. Their main purpose is to keep content fresh by writing new rules based on new threats to protect the environment.

Administrators

An Administrator's main responsibilities are making sure the data is feeding correctly and monitoring the health of all systems. They also onboard third-party business units and provide support for the analysts.

Goals & Challenges

These goals and challenges are associated with the main user type, an Analyst. The ratio of Analysts to all other Security Operation Center members is around 2/3. The design does accommodate all users, and we cannot lose sight of the business needs.

User Goals

  •  Investigate and explore security threats

  •  Escalate identified security threats

Business Goal

  •  Dropping the fat client and moving to ESM 7.0 on the Web.

Challenges

  •  Low usage for majority of the resources

  •  Selecting fields

  •  Cut down the investigation time

  •  Get incidents out of the system faster

  •  Visibility into who is working on the event

  •  Easier way to navigate between events from different servers

  •  Expedite the remediation

  •  Better ways to integrate with 3rd party tools

  •  Missing out on Excel-like features

High-Level Problems

  • The user needs main channel visibility at all times.

  • The user needs to navigate within a task without losing context.

  • The user needs to locate specific files within a resource.

  • The user needs quick access to their most used resource types within a task.

  • The user needs access to other associated resources within a resource.

Original ArcSight Interface

Outdated Interface & User Flows

Our mission was to bring this Fat Client you see on the left into today’s world.

Many of the problems are obvious, but there are many more hidden treasures… um rabbit holes in this design.

Solutions

Defining solutions to discovered problems is essential to acquiring a deep understanding of what the tool should be.

  • Have a main channel status widget.

  •  Have a widget that contains task navigation (a timeline navigation of the current task).

  • Have a widget dedicated to files associated with the Main Navigation resource they are in.

  • Make the resource widgets searchable and have navigational file structures.

  • Give the user the ability to customize resource widgets on all pages.

KEY DECISION

Overall Navigation Solution

This navigation solution allows the user to work on multiple threats while waiting on the latency of the system. It features a unique multi-timeline system.

Widget Architecture Solution

The system has every feature they could think of, but exposing all of them at all times was too much for users to understand. This simple widget solution allows the users to pick and choose what they use the most, while still giving them access to all functionality.

Usability Testing

We took a prototype to the HP Protect Conference in Washington DC and tested 16 participants. We developed a script, flow and prototype to get everything we could out of this unique experience. Our learnings indicated we were on the right path.

HP Protect Conference in Washington DC and tested 16 participants.

Working Prototype

ArcSight Prototype

Visual Experimentation


As you can see, finding a new look and feel for ArcSight was fun. The team and stakeholders went through several visual design iterations. Below are some of the better ones that just didn’t make it, along with an example of a piece of one of the mood boards.

3D Visualization

Light vs Dark

Flat vs Gaming

Mood Board

ArcSight Enterprise Security Management


ArcSight became enterprise security management software that combines event correlation and security analytics to identify and prioritize threats in real time and remediate incidents early. Below you will see some final visuals. We chose the dark background because Security Operation Centers are dimly lit, and some SOCs run 24×7.

IP Activity

The IP Profiler acts as a starting point dashboard and gives you an overview of IP activity.

The Channel

The Channel enables all users to filter down threats into actionable chunks. The user always keeps context, has powerful filters and visibility into activity via a smart spark line, among many other features.

Visualize the Channel

This Chord Diagram enables all users to get a quick glimpse into how mass amounts of threat IPs relate to each other.

Timeline & Widgets

The Timeline acts very similarly to “recents.” It records everything the user does and even color codes the different paths the user takes. The widgets in the left sidebar are completely customizable and interchangeable.

Mattise Visualization

The Mattise Visualization gives the user the ability to quickly gain insight around an IP’s travels through the network. The longer the leaf, the more leaves it has. The thickness of the leaves indicates volume of traffic.

Case Management System

We designed a complete Case Management System within ArcSight. The challenge was to keep everything on one page and really prioritize the information. Users can click on the triangles in the corners of the cards to expand.

Final Thoughts

ArcSight ESM was my first exposure to any kind of Cyber Security. I am now knowledgeable enough to become an Analyst in a Security Operations Center. ArcSight was THE most complex application known to man. By empowering my team and organizing useful design activities, we did something no one has been able to do for over a decade. I am very proud of what we produced and of the team.