Cyber Security

RSA Extended Detection & Response

Build NetWitness' XDR by redefining the admin experience from scratch as a cloud-native SaaS solution, with a focus on small to medium-sized customers, and improve the overall experience of using NetWitness.
01
background

Users

Admins responsible for setting NetWitness up, including cases where the admin is also a threat analyst, which is especially common in small to medium-sized companies.

The new experience would also need to account for MSPs in the future, where the day-to-day activities of the account may be outsourced, a common characteristic of customers with limited security budgets.

Objective

During the early months of 2020, I was assigned to take NetWitness' XDR admin journey to fruition.

NetWitness is an on-premise solution focused mostly on large customers; however, our goal was to move towards a cloud-native, SaaS-based solution in the coming years to capture small to medium customers.

Getting NetWitness up and running involved complicated steps, including installing physical devices (Log and Endpoint Decoders) to capture data from the network environment for analysis.

These complicated, expensive setup and management procedures made NetWitness an impractical choice among customers, especially small to medium businesses.

My Role

Began as the lead and sole designer, later led a team of 3 as the project matured.

Ownership of the admin experience vision and strategy, setting up patterns and standards for cloud admin features that can scale and be reused by other designers and scrum teams.

Collaborate with product management and engineering architects on defining and refining features for the admin experience.

Coordinate with scrum teams during implementation to prioritise UI backlogs and groom features for the next releases.

Coordinate with content developers on defining and standardising interface messaging.


Challenges

NetWitness’ on-prem admin experience wasn’t well received by customers because of its complicated workflows and product leadership’s lack of involvement and investment in it, since the primary focus was on the analyst’s workflows.

This lack of focus and interest led to a gradual degradation of the admin experience and an increased number of support calls from users, reducing the overall appeal of NetWitness and branding it as a complicated solution to maintain.

"How do we remove the impression that it takes a PhD to use this product!"
SANS Institute
Cybersecurity training institute using NetWitness

‘A Tale of Two UI Frameworks’

Given that we had traditionally prioritised the analyst experience over administration, and never looked at the product holistically, an earlier effort to modernise the design left us using Ember.js (the newer framework) in analyst flows while administration was left as is on the much older Ext.js framework.

We ended up with two distinct UI frameworks within the same product!

findings

NW admins spend a lot of time setting up and managing the product due to inefficient, confusing and often dead-end workflows. As an admin...

  • ...there is data overload and no high-level visibility into what is happening with my NetWitness installation and all the services that are running on it

  • ...I have to rely on complicated external PDF documentation that RSA provides, which is neither easy to understand nor relevant to the context of my workflow

  • ...there is no coherent information layout / architecture of how all the different services relate to each other, especially since new verticals and services were acquired and bolted onto NW

  • ...I have no indication of my immediate tasks or issues that need my attention without going through multiple tabs and dead-end workflows

  • ...the current on-prem NetWitness splits administrative tasks into two separate, convoluted flows: Admin and Configure

  • ...key admin management tasks like creating Groups & Policies, Detection and Enrichment files, Sensor deployment & management, etc. are scattered across various tabs with no learnable patterns and confusing workflows
02
strategy & approach

How do I build a vision that scales for the future while still delivering today?

The challenge with designing a vision is that it's usually based on perfect, ideal scenarios set far into the future. But changing market dynamics and user expectations meant that by the time the vision was realised (after various delays) it was already stale and the market had moved on to new problems.

To avoid jumping straight into solution mode and trying to fix all the problems at once, I needed a framework that would give me insight into how to design an achievable vision and how it would flow into our backlog. The initial items on the backlog were mostly architecture-driven; once the vision and design took shape, their requirements were added in as well.

03
research

Comparison & Analysis

Research and feedback from existing users were limited because existing customers were not open to the idea of moving to the cloud without understanding all its implications. Without a working proof of concept (POC) we realised it would be tough to convince them of the benefits of our cloud journey.

Analysis deck on other products in a similar space:

Scribbles

Contextual Inquiry

A security operations center (SOC) is a facility that houses an information security team responsible for monitoring and analyzing an organization’s security posture on an ongoing basis. The SOC team’s goal is to detect, analyze, and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes.

I had the opportunity to visit and interact with Dell’s SOC team, situated in the same building as ours, where I was greeted by a sight similar to the image above. Some interesting insights I gathered:

04
design

Findings & Vision

Provide admins with a smooth onboarding to the NetWitness platform with minimal contact with the RSA Operations team, along with a cohesive, focused approach to managing all the services within the platform through efficient and intuitive workflows.

  • Collect and display data and statuses from all services, both at the deployment level and at the individual service level

  • Guide the admin to services or issues that need immediate attention, while providing additional context and help to remediate them

  • Provide one unified administrative experience that combines installation and management activities

  • Collaborate with the Documentation team to provide friendly, contextual help for all processes throughout the interface, limiting the number of times the user has to resort to help documentation

  • Through progressive disclosure and smarter information handling, reduce the data overload while still highlighting critical aspects

Providing a high-level view of NW administration also helps MSSPs or third-party admins that may be managing NW for small to medium companies.

Based on my insights I categorised administrative tasks into the following sections:

Task Flow

Information Architecture

A sensor is a device or piece of software (an agent) that collects data from individual hosts about their activity and user behaviour and sends that data to the cloud for risk analysis. A sensor could be a Network Decoder or an Endpoint Agent, making it one of the most important pieces of NetWitness' architecture.

Sensors have configurations that cover the entire gamut of administration and analysis, e.g. sensor deployment, assigning Groups & Policies, setting Device Trends, etc. I realised that without a well-defined structure this could get very complicated.

To understand how deep and wide the hierarchy is, I created an IA (information architecture) diagram that would inform and guide current and future features and functionalities and provide a framework for the interface design.

Admin Navigation Ideas

The independent navigation was selected over Option 1 and Option 2 because it fit very well with our long-term goals for customers, where administration could be managed by a third-party entity (an MSP) instead of in-house.

Secondly, per my contextual inquiry, given that customers use various security products in their environment, it would be a lot more seamless to hand off between the workflows of different security products and NW.

Wireframes

Frontend Framework Decisions

Admin Experience Design System

I defined the page specs and design system guidelines and then worked with the front-end team to build and establish them as the foundational framework for the overall admin experience.

User Interface

05
usability testing & feedback

“Love the dark theme! It seems very straightforward. Everything is easily accessible and understandable. I think by just quickly looking at the page I was able to understand what it is meant for, it looks very intuitive to me!”

“Oh! Very fancy! I love the contextual descriptions, it helps to have these instructions.”

“I love the nice dark theme and the consistency in this UI, overall definitely a positive change!”

“I think it’s becoming very good, it’s fluid, I don’t see any lag in the UI, object sizing is good. It’s very promising!”

Functional feedback
  • “I don’t see an option to add a custom sensor here. I can delete one, disable, enable.”
  • “I want to take control of my updations, but where do I update a sensor manually?”
  • “If I have a sensor in Dubai and another one in the US, I might want to do updates in both outside business hours for the respective country.”
  • “RBAC is very important for a platform like NetWitness.”
  • “No no no no… no SMS for MFA please! It’s way too insecure to be used in a security platform.”
