Admins responsible for setting NetWitness up, including cases where the admin is also a threat analyst, which is common in small- to medium-sized companies.
The new experience would also need to account for MSPs in the future, where day-to-day operation of the account may be outsourced, a common characteristic of customers with limited security budgets.
During the early months of 2020, I was assigned to take NetWitness' XDR Admin journey to fruition.
NetWitness is an on-premises solution focused mostly on large customers; however, our goal was to move towards a cloud-native SaaS solution in the coming years to capture small- to medium-sized customers.
Getting NetWitness up and running involved complicated steps, including installing physical devices (Log and Endpoint Decoders) to capture data from the network environment for analysis.
These complicated and expensive setup and management procedures made NetWitness an impractical choice for customers, especially small to medium businesses.
Began as the lead and sole designer, later led a team of 3 as the project matured.
Owned the admin experience vision and strategy, setting up patterns and standards for cloud admin features that could scale and be reused by other designers and scrum teams.
Collaborated with product management and engineering architects on defining and refining features for the admin experience.
Coordinated with scrum teams during implementation, prioritised UI backlogs and groomed features for upcoming releases.
Coordinated with content developers on defining and standardising interface messaging.
NetWitness' on-prem admin experience wasn't well received by customers because of its complicated workflows and product leadership's lack of involvement and investment in it, since the primary focus was on the analyst's workflows.
This lack of focus and interest led to a gradual degradation of the admin experience and an increased number of support calls from users, reducing the overall appeal of NetWitness and branding it as a complicated solution to maintain.
Given that we traditionally prioritised the analyst experience over administration and never approached the product holistically, an earlier effort to modernise the design ended with Ember.js (the newer framework) in analyst flows while administration was left as is on the much older Ext.js framework.
We ended up with two distinct UI frameworks within the same product!
The challenge with designing a vision is that it's usually based on perfect, ideal scenarios set far into the future. But changing market dynamics and user expectations meant that by the time the vision was realised (after various delays) it was already stale and the market had moved on to new problems.
To avoid jumping straight into solution mode and trying to fix all the problems at once, I needed a framework to follow that gave me insight into how to design an achievable vision and how it flowed into our backlog. The initial items on the backlog were mostly architecture-driven; once the vision and design took shape, their requirements were added in as well.
Research and feedback from existing users were limited because existing customers were not open to the idea of moving to the cloud without understanding all of its implications. Without a working P.O.C., we realised it would be tough to convince them of the benefits of our cloud journey.
Analysis deck on other products in the same space:
A security operations center (SOC) is a facility that houses an information security team responsible for monitoring and analyzing an organization’s security posture on an ongoing basis. The SOC team’s goal is to detect, analyze, and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes.
I had the opportunity to visit and interact with Dell's SOC team, situated in the same building as ours, where I was greeted by a sight similar to the image above. Some interesting insights I gathered:
Performance was one of the key areas by which an analyst or admin measured the experience of our product. For a data- and resource-heavy solution like NetWitness that runs in the browser, being able to query and sift through large amounts of metadata and take mitigation actions in bulk meant that analysts could simplify their workflows and take corrective action much faster than by relying on command-line interfaces.
NetWitness (like other security products) is often used in conjunction with other popular security products to form a chain of workflows, with handoffs through integrations depending on the customer's contractual agreements. As designers, apart from the end-to-end experience of a feature, we also have to factor in scenarios where our product or feature is part of a bigger workflow.
I also realised why providing dark and light themes for our interface was important to their experience: analysts and admins often sit in low-light conditions with 3 to 6 monitors, and a dark theme greatly reduced the glare and was easier on their eyes. At the same time, they would also project their screens onto a large monitor or wall for collaboration, and here the light theme did a great job of highlighting details that a dark-theme screen would usually lose. Providing both gave them the best of both worlds.
While reviewing features with them, I realised the NetWitness product was geared towards more experienced analysts and admins, even though in reality there are fewer of them and the industry itself was moving towards a more generalised role, especially in small and medium companies. This meant that reviewing these features with L1 and L2 analysts would often lead to confusing feedback, where they weren't able to understand the importance of the features or perceived the overall interface to be complex.
All features related to installing, setting up and managing Endpoint, Network and Context sensors
Managing contextual data and the rules that feed into how risky an entity is, provided by RSA or 3rd-party sources
Managing users and assigning their roles and permissions for accessing NetWitness
Account management options like multi-factor authentication, licensing and data usage settings
Grouping large numbers of sensors/devices with common policies and settings to be deployed on them
A sensor is a device or piece of software (an agent) that collects data from individual hosts about their activity and user behaviour and sends that data to the cloud for risk analysis. A sensor could be a Network Decoder or an Endpoint Agent, making it one of the most important pieces of NetWitness' architecture.
Sensors have configurations that cover the entire gamut of administration and analysis, e.g. sensor deployments, assigning Groups and Policies, setting Device Trends, etc. I realised that without a well-defined structure, this could get very complicated.
To understand how deep and wide the hierarchy is, I created an information architecture (I.A.) diagram that would inform and guide current and future features and functionality and provide a framework for the interface design.
Independent navigation was selected over Option 1 and Option 2 because it fit very well with our long-term goal for customers whose administration could be managed by a 3rd-party entity (an MSP) instead of in-house.
Secondly, per my contextual inquiry, given that customers use various security products in their environment, it would be much more seamless to hand off between the workflows of different security products and NetWitness.
On-prem NetWitness used Ember.js, but our experience with Ember was troublesome: designers and developers spent more time fixing issues in our existing component library, and developers had to go through a steep learning curve to get used to a framework that was also less supported in the developer community.
Having learnt our lessons, for NetWitness Cloud the front-end team decided to go with React.js, which came as a huge relief to the entire product team.
Our on-prem component library was severely limited and covered only basic functionality, some of which was implemented in a confusing manner. So, along with the complications of Ember, working on the NetWitness UI wasn't a pleasant experience for designers or developers. We had huge inconsistencies across the product, sometimes even for the same component.
For NetWitness Cloud, we decided to go with Ant Design’s library that gave us a host of robust and pre-built components out of the box.
I defined the page specs and design system guidelines and then worked with the front-end team to build and establish them as the foundational framework for the overall admin experience.
From contextual inquiry I knew the need for light and dark themes. But instead of the usual white or dark grey background, I used steel blue. This was a welcome change, as steel blue lent itself as a design element instead of being just a background. (Brian, my teammate, expanded the palette and library components.)
I wanted to define sections that could host further features within them. Sections would also carry descriptions of what the user could expect inside them. This proved very intuitive when tested, because users could glance at a section and know what to expect within it.
Along with the section header, I also wanted a separate admin navigation with each of the sections expanded to show their inner functionality and make it accessible.
When tested, this was instantly loved because of the ease with which users could jump from the details of one section to another.
I wanted to make a clear distinction between background and foreground, especially when important information needs to be highlighted to grab the user's attention.
To facilitate this, I used a card design that is elevated from the background to stand out.
“Love the dark theme! It seems very straightforward. Everything is easily accessible and understandable. I think by just quickly looking at the page I was able to understand what it is meant for, it looks very intuitive to me!”
“Oh! Very fancy! I love the contextual descriptions, it helps to have these instructions.”
“I love the nice dark theme and the consistency in this UI, overall definitely a positive change!”
“I think it's becoming very good, it's fluid, I don't see any lag in the UI, object sizing is good. It's very promising!”