Keeping an organization secure is no easy task, especially with the explosion in cloud adoption and digital transformation against a backdrop of increasingly dangerous threats and threat actors. We can all recite the challenges that security teams struggle with — too many solutions, not enough people, not enough visibility. With the average organization deploying 25 point security solutions, it’s no wonder that 91 percent of security professionals express concerns about security complexity.

When onboarding new security operations center (SOC) capabilities, teams are often faced with having to balance ease of use against functionality. While this trade-off has been present in the security market for years, advances in user interface design have shifted the paradigm such that teams can now have the best of both worlds in terms of capabilities and usability.


A Swiss Army Knife

Security is a function that relies, more than anything else, on visibility. As the saying goes, “…if I can’t see it, I can’t secure it.” Before SOCs even came into existence, IT teams were purchasing point solutions with no integration and no consistent workflows across tools. This made detecting and responding to threats extremely difficult, as the proliferation of tools had compounded for years. In 2005, Gartner coined the term security information and event management (SIEM), which ushered in a new wave of platform and aggregation capabilities to address some of this complexity. While initially deployed as a checkbox for compliance mandates, SIEM evolved into the organization’s hub for security operations, with more than 70 percent of SOCs running on a SIEM.


As the years went on, SIEM vendors added new capabilities that extended into adjacent areas such as vulnerability management, risk management, and network monitoring, while adding advanced analytics for user behavior modeling and artificial intelligence. But with those new capabilities, complexity crept back in. As happens with Swiss Army knives, teams now had 50 tools in one place, but they lacked meaningful workflows to help them use all of those capabilities to their fullest extent. If you needed a can opener, chances were it was in your pocket. You just had to know that it existed, which pocket it was in, how to unfold the tool, and how to use it. Learning to use all of the tools together created a high barrier to entry for new members of the team.


Demands of Modern Security Tools

In recent years, demands on security teams have grown exponentially, and, as a result, those teams expect their tools to evolve to keep pace. Vendors needed to take a holistic look at whether they were providing the right mix of functionality and usability. That represented a fundamental shift in thinking for design teams, and it certainly was the case for our team at IBM.


For a long time, vendors designed their products for highly technical power users. Power users — who are well versed in networking, security, and the language of cybersecurity — don’t want to spend months learning how to extract maximum value from a tool. Their expertise lies in understanding how breaches occur, identifying the root cause, and taking corrective action, not in tool administration. They demand effortless, integrated tools that don’t require weeks or months to learn and that provide the same depth in a more consumable fashion. Additionally, as teams grew over time, they needed to train new employees on their collection of tools, which is difficult if tool features and their uses are not documented. Long story short, security tool users don’t want tools that stand in the way of the mission-critical work they’re tasked with.


Flattening The Learning Curve

At IBM, we knew we needed to design products that flatten the learning curve for new users. Our clients need tools that make them effective on day one while giving them a path to becoming power users. We needed to shift our thinking toward unlocking the power of our industry-leading capabilities while letting users become productive in hours and days rather than weeks. As with a Swiss Army knife, our products had many features that were incredibly powerful if only you knew how to use them. Our new mission was to bring the power of QRadar to the analyst in a way that makes the analyst more productive and effective than ever.


User-Led Design

Over the last 12 months, we went back to the drawing board, bringing in world-class user research teams to help us understand where the complexity was being created. Most importantly, we talked with dozens of clients and security analysts (thank you for your help, you know who you are!). In that process, we uncovered numerous pain points and areas of friction tied to performance and disconnected workflows. Armed with that qualitative and quantitative data, we engaged IBM Design to apply design thinking and ensure we meet and exceed standards for consumability and accessibility.


We used the following key tactics from Enterprise Design Thinking to maintain alignment between our users and our offering teams:
  • Hills: Concise statements of the goals we aim to help our users accomplish.
  • Playbacks: Regular check-ins that bring users, stakeholders, and teams together.
  • Sponsor Users: Real-world clients who provided feedback to make sure we’re designing and building exactly what they need and nothing less.
As part of the design process, we applied the following user design principles:
  • Designing for users and their tasks: Design the product to assist users in their daily tasks and workflows, so that they can reach the same end goals they focus on today through a streamlined journey.
  • Using a consistent design language: Unified, consistent frameworks make it easier for users to understand how to access functionality across the user interface.
  • Reducing cognitive strain: Make the experience feel natural, and ensure users know what the next step is and how to get there without unnecessary complexity.
  • Maintaining context: Users shouldn’t be expected to remember information (IP addresses, etc.) from screen to screen. The goal is to surface the relevant information and make it accessible within one click.
Using our open-source design system, IBM Carbon, our development team went to work to unify the experience throughout not only QRadar but all IBM Security products. By standardizing on a uniform design language, we ensured that UI elements such as menus, slide-outs, theming, and buttons all act and feel the same across the range of products. In this sense, we are beginning down the path of unified experiences that you can now see in both IBM Security QRadar Analyst Workflow and IBM Cloud Pak for Security.


QRadar Analyst Workflow is a total reimagining of the QRadar experience for the security analyst that applies the principles discussed above. It is a modern UI, built entirely around the analyst’s core workflow of triaging and investigating potential threats, that draws on the underlying power of QRadar.


Where We’re Going

So, what’s next? No product is ever perfect. We’re embarking on an exciting new chapter in the future of QRadar. Our goal is to apply the same agile principles from design to the release cycle so that we can deliver new and fresh experiences at a rapid pace. Packaged as an app on the IBM Security App Exchange, QRadar Analyst Workflow will receive regular updates in the coming months as we add integrations with other offerings such as User Behavior Analytics (UBA), network flows, and QRadar Advisor with Watson. The future of QRadar is finally here, and we’re excited that you’re a part of it.

Learn more in the on-demand webinar: QRadar Analyst Workflow – Modernizing the security detection and investigation experience
