Eating an Elephant: How the ESM 10 UX Team Reenergized SecOps (Part 2)

This blog was written by Barbara Kay.

The second of a two-part series.

In the previous post in this series, we described how re-creating the user experience for overburdened SOC analysts was a task like “eating an elephant.” To help analysts who are constrained by time and cognitive overload, we needed a vision, a strategy and a plan to “save time and save mental energy.”

After extensive, in-depth interviews with users, we realized that the majority of user time is spent in analysis and research. This finding drove our plan. We focused first on the analysts and the workflows and workspaces where they spend the majority of their time.

Now you can see the results in ESM 10.0. The user experience team recommends these 3 things to appreciate first:

  • Quick start: you will find that the organization simplifies building and navigating relationships, so you can create views and get started without reading manuals (although we still recommend looking at the ESM expert center!). The most commonly used views appear together by default, and help you make use of associated content packs and their views, dashboards, rules, and alerts (including correct placement of related updates to keep you organized). While the donut visualizations will help you identify trends and pursue relationships, the right clicks help you navigate to next steps. And, if you are a current user, you can import existing views from within the console to bring forward your preferred processes and organizational knowledge.
Analysts can manage several tabs active at once, enabling them to toggle back and forth to pursue different tasks. This means less holding of information in your memory and less repetition, including defining complex searches.
  • Centralized, dynamic workspaces: Multiple tabs within the same dashboard pane organize parallel exploration of ideas. The analyst can simultaneously drill down and filter through different lenses of the data without losing context and state or re-applying searches and filters. With several tabs active at once, you can toggle back and forth to pursue different tasks, or within a task, collect and guide analysis or research hypotheses. This means less holding of information in your memory and less repetition, including defining complex searches. Further, a majority of our configuration, advanced settings, and set up tools now live in panels that slide in to the side of the dashboard instead of popping up in a window in front of the dashboard. This allows users to stay in context with their current investigation (stay in the same mental “room”) while they adjust settings in the various tools. In addition, the context menus mean that right clicking on a specific item—such as a field on a record within a table chart—will provide the user with quick access to actions specific to that field.
ESM 10.0 features directed search to help users quickly navigate to desired content without remembering folder structures or even the exact names of things.
  • Directed search: Detecting signal from the noise means filtering and searching through alerts and events, and avoiding the distraction of unneeded data. The new advanced search and filter organization includes auto-complete to help guide users to find or choose from relevant associations quickly, rather than needing to know what choices are appropriate to the data or investigation type. Auto-complete simplifies device selection, view management, queries, and filters, to name a few, as the user quickly navigates to the content they desire, without having to remember exactly where it resides within the folder structure of these tools. For example, we prompt for the best visualization options for each search result type to quickly filter and customize data. As you navigate, the process creates bindings that you can save for later. You can then take quick actions on data points, such as creating watchlists and case management, by accessing right-click contextual menus. Synthesizing all these workflow steps into a single place helps the right thing happen, consistently, with less effort, repetition, and time. Our improved search also means you do not need to be a software developer to extract insights quickly.

Each of the above examples reduces clock time and conserves mental energy. They are small steps in our larger plan to help you conquer that other elephant, the elephant in the room: security operations efficiency. See for yourself by downloading the new version now.

Leave a Comment

one × three =