
RSA User Behaviour Analytics

Integrate Fortscale's UEBA into NetWitness and help cyber threat analysts find and mitigate risky users within their corporate environment using machine learning algorithms.
01
background

Users

Tier 1, Tier 2 and Tier 3 threat analysts.

Objective

Build a cohesive and consistent experience for users who might be using both the Endpoint and UEBA solutions, integrate it into NetWitness, and maximise re-usable patterns to reduce development cycle time. Define and set scalable design patterns for UEBA, design a better user experience, and build rapport with the Israeli product team.

After assessing the current UI I realised there was a lot of room for improvement, especially around structure, visual and interaction design, and alignment with how the Endpoint screens were designed. Leading the design on both verticals, this was an ideal opportunity for me to bring the two closer in experience and design and to integrate them better with NetWitness. As I built a backlog of changes, I collaborated with the team in Israel (PM, engineering and leadership) while also working on new features.

My Role

Design Lead, including building patterns and standards for the interfaces that can scale and be re-used. Designed for over 3 major successful releases.

Collaborate with product management and engineering architect on refining features to focus on usability, experience and simpler workflows.

Co-ordinate with scrum teams to prioritise UI backlogs and groom stories for next releases.

Co-ordinate with QE to test built features and collaborate with content developers to redefine interface messaging to be more user- and context-focused.


Product Information

NetWitness finalised the acquisition of the Israel-based Fortscale Security Ltd, a machine-learning-based behavioural analytics solution, during 2018. Using its machine learning algorithms, it can quickly pinpoint risks such as malicious traffic or odd insider behaviour, automating threat response on enterprise networks.

The UEBA platform models users' behaviours, classifies them by risk type and groups them into Alerts. An analyst can then drill down into an Alert, see which Indicators contributed to it, and assess the risk using the overall risk score.

An example of malicious activity could be:

"Identity theft typically begins with the theft of credentials, which are then used to obtain unauthorized access to resources and to gain control over the network. Attackers may also exploit compromised non-admin users to obtain access to resources for which they have administrative rights, and then escalate those privileges.

An attacker who uses stolen credentials might trigger suspicious network events while accessing resources. Detecting illicit credential use is possible, but requires the separation of attacker activity from the high volume of legitimate events."

Challenges

Apart from being a completely new, fairly complex vertical that had to be integrated into NW, the biggest challenge was that all the stakeholders were in Israel. The PM, Architect and senior leadership were based out of Israel, with one UI developer in Bangalore. This drastically reduced the velocity of work, and I had to be on multiple calls, sometimes several times every day, to understand the product and requirements and work collaboratively with the extended team.

Existing screens

02
design

Information Architecture

I laid out all the pieces related to the main entities in a threat investigation (hosts, files and users) and created a structure and hierarchy between them. This helped me understand and build new workflows for the analyst and define a user interface that helped the user complete their task and achieve their goal.

It also integrated two totally separate, acquired solutions (Endpoint and UEBA) with each other and in line with the overall NetWitness product, even though I worked with two sets of engineering, PM and architecture teams situated in Bangalore and Israel.

Design changes after I took over...

03
features

Trending Entities

The risk score that UEBA assigns to an entity is the accumulation of all alerts over a period of time (3 months). This creates a scenario where the information shown is stale, or isn't dynamic enough to reflect the entity's current behaviour.

A trending score was introduced to show the variation in an entity's risk score within a given period. Analysts could switch between the score change over a 24-hour period and over a 7-day period, which made the scoring mechanism dynamic and useful.

I also introduced the segmentation of Critical, High, Medium and Low risk scores at the Overview Level to help analysts judge the criticality of the discovered entity and make better decisions.

Trending entities - workflow

User’s Historical Behaviours

One of the challenges customers faced while installing UEBA in their environment was that the machine learning algorithm takes around 30 days to build a baseline of their users' behaviours. Once the 30-day period is over, the algorithm begins to raise alerts based on the patterns it learned. During this period the interface shows no alerts or any details for a user, which concerned customers: the user would still be performing their actions, yet nothing about them was tracked or shown.

The solution was to track and show the user's regular behaviour as part of the historical data, with alerting beginning once the 30-day period is over.
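As an added illustration of the scoring behaviour described in the Trending Entities and Historical Behaviours sections (this is not code from the page or from the product): a 90-day accumulated risk score, its 24-hour and 7-day trend, the Critical/High/Medium/Low banding, and a 30-day baseline gate that shows history but withholds scoring until the baseline exists. The alert data, activity lines and severity cut-offs are constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample data and assumed thresholds; not from the page or the product.
Alert = namedtuple("Alert", "ts score")

RISK_WINDOW = timedelta(days=90)   # score accumulates over ~3 months (page)
BASELINE = timedelta(days=30)      # ~30 days to learn a baseline (page)
# The page names the bands but gives no cut-offs; these floors are an assumption.
SEVERITY_BANDS = [("Critical", 90), ("High", 60), ("Medium", 30), ("Low", 0)]

def risk_score(alerts, now):
    """Accumulated score of alerts inside the 90-day window ending at `now`."""
    start = now - RISK_WINDOW
    return sum(a.score for a in alerts if start < a.ts <= now)

def trending_score(alerts, now, period):
    """Change in accumulated score over `period`; negative when old alerts age out."""
    return risk_score(alerts, now) - risk_score(alerts, now - period)

def severity(score):
    """Map a non-negative score to the Overview segmentation band."""
    return next(label for label, floor in SEVERITY_BANDS if score >= floor)

def entity_view(alerts, activity, first_seen, now):
    """Analyst-facing summary: history is always shown, scoring only after baseline."""
    view = {"baseline_complete": now - first_seen >= BASELINE,
            "history": list(activity)}  # regular behaviour, shown regardless
    if view["baseline_complete"]:
        score = risk_score(alerts, now)
        view.update(score=score, severity=severity(score),
                    trend_24h=trending_score(alerts, now, timedelta(hours=24)),
                    trend_7d=trending_score(alerts, now, timedelta(days=7)))
    return view

def demo():
    """Constructed history: one alert has just aged out of the 90-day window."""
    now = datetime(2024, 6, 1, 12, 0)
    d = lambda days=0, hours=0: now - timedelta(days=days, hours=hours)
    alerts = [Alert(d(92), 40), Alert(d(20), 30), Alert(d(5), 25), Alert(d(hours=6), 20)]
    activity = ["logon from usual host", "access to usual file share"]
    return {"established": entity_view(alerts, activity, d(45), now),
            "new_user": entity_view(alerts, activity, d(10), now)}

if __name__ == "__main__":
    for name, view in demo().items():
        print(name, {k: v for k, v in view.items() if k != "history"})
```

The 7-day trend comes out small (5) even though the entity raised 45 points of new alerts in that week, because a 40-point alert aged out of the 90-day window at the same time; this is the staleness the trending score was designed to expose.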

While PM and leadership liked Option 3, we had to reserve the changes due to the new focus on NetWitness Cloud.

UEBA Workflows
