On any given Tuesday, Mark Hamilton wakes up his laptop to a software-scape of a dozen tools he uses for work. As a security analyst at a large company, he’s tasked with protecting a massive network from intrusion, data breaches, and other malicious activity.
Tooling in the industry is segmented by market: some tools focus on email security to protect employees from phishing attempts, some on protecting individual assets like company laptops, some on cloud security, and some on hardware. Figure 1 gives you an idea of the ecosystem of software and hardware tooling that goes into a typical enterprise-grade attempt to secure an entire network.
But if there is one truth in the field, it is that a network cannot possibly be 100% secure. Vulnerabilities in software updates, operating systems, physical hardware, and most of all human behavior ensure that no matter how much coverage Mark has set up, the offensive team will consistently find chinks in the armor.
So if you ask Mark a few questions about the tools he’s given, such as: how effective is your current toolset? Do you enjoy using it? What kind of user interfaces work well in your daily job? You’ll get a few different answers, driven primarily by the type of analyst you are asking.
Let’s look at some primary users of a secure network:
The power user: This is an analyst who came from the IT world back when “network security” was a single piece of the pie, not a billion-dollar industry. Nine times out of ten you’ll find that these analysts don’t care for limited user interfaces, and lean towards CLI tools and the software and scripts they’ve built themselves that work well for their company, their tools, and their data. Interacting with vendor tooling is more of an arranged marriage organized at the executive level.
The V.2 Analyst: This is someone who’s new to the industry, maybe a college grad, or a career switch from a neighboring IT role. These are the people who will make up the new guard of the secure network.
The Security Leader in a company: At an enterprise this can be a chief security officer, CTO or the like. But at a budding startup, this can be the sole cloud developer tasked with keeping a new app safe from danger. Whoever it is, this person is less interested in the day-to-day operations of a network and more concerned with the bigger questions:
What are the biggest threats to my company?
Where are the weaknesses in my network?
Are we at risk? And how do I solve that?
Cybersecurity Ventures predicts that there will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions in 2014.
- Cyber Security Magazine
These analysts have a much more day-to-day relationship with the tools they use to get the job done. Instead of diving through lakes of log data trying to sniff out an offender, they are tasked with the more mundane items that are necessary to network defense, mainly centered around responding to the alerts generated by a large, highly monitored system. But there’s a general impression that many of these tools fall short, and exist in a vacuum a decade behind the experiences you would get from a consumer application.
Now we can start to see a clearer picture of the players in this game. At the top is a leader tasked with strategy, like a commander at the helm. Take a step back and you’ll see their primary line of defense: highly skilled analysts capable of countering advanced strategies. A step back further is a highly sought-after group of proverbial foot soldiers, necessary for handling the day-to-day battles against adversaries, using antiquated tools.
So how does UX practice stand to improve the network security of the world’s largest organizations? How can UX’ers look to change the industry?
I answer this question with a statement, or a hypothesis, that is meant to challenge the security tooling status quo as a whole, and something I’m confident will become evident in the next decade in security orgs everywhere:
Cybersecurity tools are simply the world’s greatest challenge in the progressive disclosure of information.
This is a concept familiar to the UX community, but maybe not so much to the SIEM crowd. Initially developed by Nielsen, it is defined as the cascading divulgence of data points as a user asks questions of a system and looks for details on a subject, served automatically by the system at the right place, the right time, and the right granularity.
There does not exist on the market today a solution that efficiently offers insightful network overview, day-to-day alerting and response, and advanced deep-dive analytics all in one place.
Not to say that people haven’t tried: in recent years the focus has shifted to SIEM and SOAR security solutions. SIEMs look to aggregate network data into one place to make it searchable and analyzable, and SOAR solutions aim to cut down on analysts’ daily workload through automatic response, and to build more robust response techniques by orchestrating dozens of tools into one toolbox.
But even a combination of these tools lacks one simple principle that has yet to be achieved:
All of my network exists in one space, and is legible at every level.
And I truly believe that the barrier to a solution like this does not lie in the technological limitations of 2020, as companies like Phantom Cyber have proved that pulling elements of network defense into one place is not only possible, but an extreme productivity booster, and the way analysts will work in the future.
No… this problem is, and will continue to be, a UX problem. Designing an elegant solution for ONE of these areas is difficult, much less for all of them simultaneously. Every layer of such a solution bears a challenge in itself:
Insights, threat aggregation and communication are difficult to design.
Alerting and response is difficult to design.
Investigation and advanced analytics are difficult experiences to design.
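To make the three layers concrete, here is an added example that is not part of the original post: one constructed set of alert records, rendered at the three levels the post names (insights and aggregation for the leader, the alert queue for the day-to-day analyst, and a deep dive for the power user). The alert fields, asset names and event lines are constructed for illustration and do not follow any vendor’s schema. The point it demonstrates is the principle above: the same data backs every view, and each view discloses only what that user needs.

```python
"""Progressive disclosure over one alert data set, at three granularities.
Added example, not from the original post; all records are constructed."""
from collections import Counter

# Constructed alert records. Field names are an assumption for this example only.
ALERTS = [
    {"id": "A-1001", "severity": "high", "category": "phishing", "asset": "laptop-17",
     "status": "open", "ts": "2020-06-02T09:14:00",
     "events": [
         "2020-06-02T09:13:41 mail: inbound message from invoice@example-constructed.test flagged",
         "2020-06-02T09:14:02 endpoint laptop-17: macro-enabled attachment opened",
     ]},
    {"id": "A-1002", "severity": "low", "category": "policy", "asset": "laptop-03",
     "status": "closed", "ts": "2020-06-02T08:02:00",
     "events": ["2020-06-02T08:01:55 endpoint laptop-03: USB storage device attached"]},
    {"id": "A-1003", "severity": "high", "category": "cloud", "asset": "s3-bucket-backups",
     "status": "open", "ts": "2020-06-02T10:30:00",
     "events": ["2020-06-02T10:29:48 cloud: bucket ACL changed to public-read by user ops-svc"]},
    {"id": "A-1004", "severity": "medium", "category": "phishing", "asset": "laptop-22",
     "status": "open", "ts": "2020-06-02T10:45:00",
     "events": ["2020-06-02T10:44:30 mail: link to lookalike domain clicked"]},
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def insights(alerts):
    """Layer 1 (the security leader): aggregates only. Answers 'what are the
    biggest threats?' and 'are we at risk?' without exposing individual records."""
    open_alerts = [a for a in alerts if a["status"] == "open"]
    return {
        "open_high": sum(1 for a in open_alerts if a["severity"] == "high"),
        "top_categories": Counter(a["category"] for a in open_alerts).most_common(2),
        "assets_at_risk": sorted({a["asset"] for a in open_alerts}),
    }


def alert_queue(alerts):
    """Layer 2 (the day-to-day analyst): the open queue, ordered by severity and
    then time, with just the fields needed to decide what to pick up next."""
    open_alerts = [a for a in alerts if a["status"] == "open"]
    open_alerts.sort(key=lambda a: (SEVERITY_RANK[a["severity"]], a["ts"]))
    return [(a["id"], a["severity"], a["category"], a["asset"]) for a in open_alerts]


def investigate(alerts, alert_id):
    """Layer 3 (the power user): the full record for one alert plus the ids of
    other alerts touching the same asset or category, so the deep dive starts
    from context rather than from a raw log search."""
    target = next(a for a in alerts if a["id"] == alert_id)
    related = [a["id"] for a in alerts
               if a["id"] != alert_id
               and (a["asset"] == target["asset"] or a["category"] == target["category"])]
    return {"alert": target, "related_alert_ids": related, "event_count": len(target["events"])}


if __name__ == "__main__":
    print(insights(ALERTS))
    for row in alert_queue(ALERTS):
        print(row)
    print(investigate(ALERTS, "A-1001"))
```

Each function reads the same `ALERTS` list; nothing is copied into a separate store per audience. That is the whole design choice: the leader’s view is a projection of the analyst’s queue, which is a projection of the investigator’s records, so a question asked at one level can be answered at the next without leaving the tool.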
The reality is that elegant user experiences are only beginning to be developed in each of these respective areas, much less strung together into one master experience that caters to a secure system’s users as a whole, and not as individuals.