Keeping an organization secure is no easy task, especially with the explosion in cloud adoption and digital transformation against a backdrop of increasingly dangerous threats and threat actors. We can all recite the challenges that security teams struggle with — too many solutions, not enough people, not enough visibility. With the average organization deploying 25 point security solutions, it’s no wonder why 91 percent of security professionals express security complexity concerns.
When onboarding new securities operation center (SOC) capabilities, teams are often faced with having to balance ease of use with functionality. While this dynamic has been present in the security market for years, advances in user interface design have shifted the paradigm such that teams can now have the best of both worlds in terms of capabilities and usability.
A Swiss Army Knife
Security is a function that relies, more than anything else, on visibility. As the saying goes “…if I can’t see it, I can’t secure it.” Before SOCs even came into existence, IT teams were purchasing point solutions with a complete lack of integration and consistent workflows across tools. This made detecting and responding to threats extremely difficult as the proliferation of tools had compounded for years. In 2005, Gartner coined the term security information and event management (SIEM)
which ushered in a new wave of platform and aggregation capabilities to solve for some of this complexity. While initially designed as checkboxes for compliance mandates, SIEM evolved into an organization’s hub for security operations with more than 70 percent of SOCs running on SIEM.
As the years went on, SIEM vendors added new capabilities that extended into adjacent areas such as vulnerability management, risk management, and network monitoring, while adding advanced analytics for user behavioral modeling and artificial intelligence
. But with those new capabilities, complexity crept back in. As happens with Swiss Army knives, teams now had 50 tools in one place. However, they were lacking in meaningful workflows to help them use all of the capabilities to their fullest extent. If you needed a can opener, chances were it was in your pocket. You just had to know that it existed, which pocket it was in, how to unfold the tool, and how to use it. Learning to use all of the tools together created a high barrier of entry to new members of the team.
Demands of Modern Security Tools
In recent years, demands on security teams have grown exponentially, and, as a result, those teams are expecting their tools to evolve to keep pace. Vendors needed to take a holistic look at whether they were able to provide the perfect mix of functionality and usability. That represented a fundamental shift in thinking for design teams, which certainly was the case for our team at IBM.
For a long time, vendors designed their products for highly technical power users. Power users — who are well versed in networking, security, and the language of cybersecurity — don’t want to spend months learning to extract maximum value. Their expertise lies in understanding how breaches occur, identifying the root cause, and taking corrective action, not in tool administration. They demand effortless, integrated tools that don’t require weeks or months to learn and that provide the same level of depth in a more consumable fashion. Additionally, as teams grew over time, they needed to train new employees on how to use their collection of tools, which is difficult if tool features and their uses are not documented. Long story short, security tool users don’t want tools that stand in the way of doing the mission-critical work they’re tasked with.
Flattening The Learning Curve
At IBM, we knew we needed to design products that flatten the learning curve for new users. Our clients need tools that make them effective on day one while enabling a path for them to become power users. We needed to shift our thinking by focusing on how to unlock the power of our industry-leading capabilities while allowing users to start getting productive use in hours and days vs. weeks. As with a Swiss Army knife, our products had so many features that were incredibly powerful if only you knew how to use them. Our new mission was to bring the power of QRadar to the analyst in a way that enables the analyst to be more productive and effective than ever.
Over the last 12 months, we went back to the drawing board, bringing in world-class user research teams to help understand where the complexity was being created. Most importantly, we talked with dozens of clients and security analysts (thank you for your help, you know who you are!). In that process, we uncovered numerous pain points and areas of friction tied to performance and disconnected workflows. Armed with the qualitative and quantitative data, we engaged IBM Design
to apply design thinking and ensure we meet and exceed standards for consumability and accessibility.
- Hills: These are concise statements around the goals we aim to help our users accomplish.
- Playbacks: These are regular check-ins that bring users, stakeholders, and teams together.
- Sponsor Users: These are real-world clients who provided us with feedback to make sure we’re designing and building exactly what they need and nothing less.
As part of the design process, we applied the following user design principles:
- Designing for users and their tasks: The goal was to design the product to assist users in performing their daily tasks and workflows, and to provide a way to accomplish the same end goals users currently focus on, with a streamlined journey to get there.
- Using consistent design language: Unified and consistent frameworks make it easier for users to understand how to access functionality across the user interface.
- Reducing cognitive strain: The goal was to make the users’ experience with the product feel natural, and to ensure users know what the next step is and how to get there without unnecessary complexity.
- Maintaining context: Users shouldn’t be expected to remember information from screen to screen (IP addresses, etc). The goal is to surface the relevant information and make it accessible within one click.
Using our open-source design system, IBM Carbon
, our development team went to work to unify the experiences throughout not only QRadar but all IBM Security products. By standardizing on a uniform design language, we ensured that UI elements like menus, slideouts, theming, and buttons will all act and feel the same across the range of products. In this sense, we are beginning down the path of unified experiences that you can now experience in both IBM Security QRadar Analyst Workflow
, as well as IBM Cloud Pak for Security.
QRadar Analyst Workflow is a total reimagining of the QRadar experience for the security analyst that applies the principles discussed above. QRadar Analyst Workflow is a modern UI that leverages the underlying power of QRadar that is entirely built around the analyst’s core workflow in triaging and investigating potential threats.
Where We’re Going
So, what’s next? No product is ever perfect. We’re embarking on an exciting new chapter in the future of QRadar. Our goal is to apply the same agile principles from design to the release cycle to continually provide new and fresh experiences at a rapid pace. Packaged as an app on the IBM Security App Exchange
, QRadar Analyst Workflow will receive regular updates in the coming months as we provide additional integrations with other offerings such as User Behavior Analytics (UBA), network flows, and QRadar Advisor with Watson. The future of QRadar is finally here and we’re excited that you’re a part of it.
Learn more in the on-demand webinar: QRadar Analyst Workflow – Modernizing the security detection and investigation experience
User Experience Architect - Security Intelligence, IBM Security
Rick McCaskill is a contributor for SecurityIntelligence.