FireEye Threat Explorer

The Company

FireEye is a world leader in supplying cyber security solutions to businesses and governments across the globe. Modern networks require a huge set of hardware and software to protect, monitor and defend the critical infrastructure that we rely on every day, from banking to healthcare and everywhere in between.

The Challenge

Advanced analysis of the logs, events and metadata around a security alert is usually reserved for highly skilled and senior members of a security team. The FireEye Threat Explorer project was initiated to rethink the way analysts look at these elements on screen, and to provide an intuitive, hands-on system that allows them to traverse hundreds of data points quickly and efficiently.

The Role

My role as the UX team lead was to guide our team's exploration and execution through the project, as well as hands-on contributions to wireframing, testing and prototyping.

Chris Befeld - UX Team Lead
Grant Poock - Sr. UX Designer
Sakura Lim - UX Designer
Cristian Benavides - UX Designer

Project Quote:

“We’re trying to make exploring security alerts as easy as using Google Maps”

Pulled from an early exploration session


Discovery & Research


Discovery

Figuring out what analysts really need to see.

Our research began by talking to internal analysts from across FireEye who work in the internal SOC as well as on customer accounts, managing many types of alerts from a wide array of environments.

Our goal was to understand and distill the needs they have for visualizing their alert data, and begin to translate that into visual solutions.

Research

Talking to users outside of FireEye

Leveraging our usertesting.com engagement, we had the opportunity to speak to dozens of analysts from across the globe, spanning many different industries and roles, which helped us round out our discovery of user needs.

UX Discovery Workshop

Day 1: Convergence
After opening up conversations with internal and external analysts, the team converged our research into a big list of needs and detailed accounts of alert response that we could sort and categorize into major areas. This gave us a starting place to begin prioritizing and focusing on solution areas.

Day 2: Prioritization & Lean UX Canvas
Once we grouped and labeled each area, we brought those groups into a prioritization matrix exercise, where we measured the impact that solving each user need could have on the business, and how feasible and urgent each area was, to help identify where we wanted to begin developing.

Day 3: Solution Brainstorming
From there, we could start brainstorming solution areas for our highest priority user needs. The last day of our workshop was spent in full ideation mode, exploring potential areas where UX could make an impact on alert legibility and response.


Solution Development

As we landed on a few key areas where we saw the product design team could have an impact, hands took to sketchbooks and keyboards as we began to draw and refine initial ideas around threat visualization and response.

Graph Views

The more we sketched out solutions for threat stories and visualization, the further we leaned towards a custom network graph solution that would support key areas like timeline, grouping, and details on demand as a user clicks and explores the threat.

Actionability from Visualization

Another must-have for our interactive solution was the users' ability to quickly take action on a threat element, such as quarantining a host or blacklisting a URL on the fly as they made their way through the threat story graph.

Getting the Schema Right

A big aspect of this project was going back and forth with analysts, exploring and identifying the right way to “draw the objects”: what to label nodes, how to label edges, and finding a parallel between our visual story and the way analysts mentally pictured relationships and object groups.


Final Designs


Conclusion

Advanced security threats often contain dozens of alerts, each with hundreds of data points. To analyze and understand the threats, our users typically have to have dozens of tabs, charts and tables open simultaneously to get a full view of what has happened.

Our solution starts to approach this problem by allowing the user to see the entire threat on screen, intelligently grouping data into large nodes that can be drilled into on demand. This lets the user control what data they are seeing on the fly while maintaining the visual connections to other related alerts.
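To make the grouping and drill-down idea concrete, here is an added illustrative model (not FireEye's or KeyLines' code) of a threat graph whose nodes can be collapsed by type into a single group node and expanded again, with edges re-routed to the group so related alerts stay connected. The alert edges and node names are constructed sample data.

```python
from collections import defaultdict

# Constructed sample relationships extracted from alerts: (source, relation, target).
# Node ids are "<type>:<name>", the type being what the graph groups on.
SAMPLE_EDGES = [
    ("host:ws-01", "executed", "proc:powershell.exe"),
    ("proc:powershell.exe", "connected_to", "url:example.net/a"),
    ("proc:powershell.exe", "connected_to", "url:example.net/b"),
    ("host:ws-02", "connected_to", "url:example.net/a"),
    ("host:ws-02", "executed", "proc:cmd.exe"),
]


class ThreatGraph:
    """Threat story graph with collapsible group nodes (hypothetical helper)."""

    def __init__(self, edges):
        self.edges = list(edges)
        self.collapsed = set()  # node types currently drawn as one group node

    @staticmethod
    def node_type(node):
        return node.split(":", 1)[0]

    def collapse(self, ntype):
        """Draw every node of this type as a single 'group:<type>' node."""
        self.collapsed.add(ntype)

    def expand(self, ntype):
        """Drill down: show the individual nodes of this type again."""
        self.collapsed.discard(ntype)

    def _display(self, node):
        t = self.node_type(node)
        return f"group:{t}" if t in self.collapsed else node

    def view(self):
        """Return (nodes -> member count, edges -> merged alert count) as drawn."""
        members = defaultdict(set)
        shown = defaultdict(int)
        for src, rel, dst in self.edges:
            for n in (src, dst):
                members[self._display(n)].add(n)
            # Edges into a collapsed group merge, so the connection survives.
            shown[(self._display(src), rel, self._display(dst))] += 1
        return {n: len(m) for n, m in members.items()}, dict(shown)

    def members_of(self, group):
        """Details on demand: the individual nodes behind a group node."""
        ntype = group.split(":", 1)[1]
        nodes = {n for s, _, d in self.edges for n in (s, d)}
        return sorted(n for n in nodes if self.node_type(n) == ntype)
```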

Our project is ongoing, but so far it has received amazing feedback from our internal analysts. It is currently under development using KeyLines to bring our ideas to life, and will eventually be integrated into the FireEye alert view ecosystem to give analysts across the globe a simplified and intuitive view of their alert data.
To find out more about FireEye Security, see https://www.fireeye.com/

© FireEye 2021