
Exabeam's Security Investigation Tool
AI-driven Cloud Security & Detection Management
The threat detection engine leverages machine learning and AI to predict risky users and devices by analyzing behavior patterns and assigning risk scores.

Role
UX Researcher, UX Architect, Product Designer
Company
Exabeam
Collaborations
Product Managers, Backend & Frontend Engineers, Sr. Product Designer, Data Scientist and Content team
Duration
4 months
About Exabeam
Exabeam is a cybersecurity company specializing in Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA). Its platform is designed to help organizations detect, investigate, and respond to security threats more efficiently using machine learning and Artificial Intelligence.
Key features:
Integrates data from multiple sources.
Uses machine learning for anomaly detection and risk scoring.
Automates threat detection, investigation, and response.
Manages logs with over 9,500 pre-built parsers.
Provides customizable dashboards, timelines, and reports.
Enhances security operations with IT and security tool integrations.
Contributed to Exabeam's recognition as a Leader in the 2024 Gartner® Magic Quadrant for SIEM
Contribution to impact:
Project's Business Impact:
Reducing manual work, improving response times, and minimizing false positives lead to significant cost savings for customers. Demonstrated ROI for customers, making Exabeam an attractive choice for potential clients.
The ability to process over 2 million events per second (EPS) allows for rapid data ingestion and analysis at scale, which is essential for large enterprises dealing with massive volumes of security data.
Minimizing false alarms through adjusted scoring contributions of triggered statistical rules reduces the number of false positives, making security teams more effective and reducing wasted efforts.
Offering pre-packaged detection content for various use cases ensures comprehensive threat coverage, addressing a wide range of security scenarios and enhancing overall threat detection capabilities.
Project Phases
1. Initial Planning with Product Management
2. Workshops and Wireframing MVP
3. Low-fidelity and High-fidelity Designs
4. User Testing with Design Partners
5. Handoff, Development Support, and Launch
Who are we designing for?
Security Operations Center (SOC) teams operate within a structured workflow with distinct roles: three levels of security analysts, security engineers, and a manager. Some organizations also have specialized insider threat teams focusing on employee activity. Each role targets specific security aspects, but seamless communication and collaboration are critical to the team's success in detecting and responding to threats effectively.
Tim
Tier 1 Analysts are the frontline defenders, monitoring systems and alerts to detect potential security incidents. They perform initial assessments and escalate confirmed threats to Tier 2.
Esteban
Security Engineers design and implement the organization's security infrastructure. They develop security measures to protect systems against attacks, conduct regular security assessments, and are involved in the development and fine-tuning of automated security solutions.
Ivy
Tier 2 Analysts delve deeper into the escalated alerts, conducting thorough investigations to understand the scope and impact. They may also initiate containment measures.
Corri
The SOC Manager oversees the entire SOC team, ensuring that security procedures are followed and goals are met. They coordinate incident response efforts and manage the team's budget and resources.
Hunter
Tier 3 Analysts are the most experienced and handle the most complex investigations. They develop threat hunting strategies to identify hidden threats and work on complex incident response and remediation.
Insider threat team, India
This specialized team focuses on identifying and mitigating risks posed by insiders. They monitor user behaviors, conduct risk assessments, and investigate suspicious activities to protect against internal threats.
Project overview
To enhance the Detection Management System by improving the user experience for Security Engineers. The goal is to streamline the process of retraining the system following changes to detection rules and events, ensure clear communication regarding system changes, and provide actionable insights into the status of retraining operations.
Challenges & Opportunities
Challenges:
Switching Rule Types: The system only used one type of rule (correlation rules), but there was a need for a different type (fact-based rules) that worked better for specific conditions.
Resource-intensive task: Training and testing the security engine is a resource-intensive task that consumes a lot of cloud computing cost.
Understanding and Communicating Changes: It was hard to see how changes to rules would affect the system, and there wasn't clear communication about when retraining was needed.
Reducing False Positives: It required advanced algorithms to distinguish real threats from benign activities, preventing alert fatigue and ensuring genuine threats are addressed.
HMWs (How might we):
How might we make the resource-intensive task of training the engine more efficient and cost-effective by enabling bulk actioning of rules?
How might we enhance our AI threat detection engine to more effectively use machine learning algorithms for analyzing and detecting security anomalies and correlations in customer data?
Discovery & workshops
We conducted various workshops to gather insights and create detailed user stories that align with the project vision.
We invested effort in thoroughly evaluating the current system's workflows and interfaces to uncover core challenges. This process enabled us to identify critical usability issues and system patterns, leading to the creation of a focused list of areas for improvement. These insights were instrumental in shaping the information architecture and establishing guiding principles for the design of future solutions.
Insights from Brainstorming and Discovery
Goals & User Stories:
1. Security Engineers must be able to see all rules related to user analytics and behavior within one experience in the Detection Manager application.
2. Security Engineers must be able to group rules by a variety of dimensions, such as MITRE, use case, family, entity type, etc.
3. Security Engineers must have an experience where they can kick off retraining over the past X days of data, given that changes to detection have been implemented, and be notified when training is complete, in Detection Manager (historical).
4. Security Engineers must be able to author anomaly rules and various types of behavior rules.
The MVP had three main parts:
1. Main view
All the rules related to user analytics and behavior within one experience in the Detection Manager application.
2. Training events with historical data using anomaly rules
An experience where we can kick off retraining over the past 30 days of data, given that changes to detection have been implemented, and be notified when training is complete, inside Detection Manager.
3. Designing the authoring experience
We collaborated with the engineers to understand the various types of anomaly rules and divided them into three categories. Depending on the type of rule, we were then able to design a rule builder.
Lo-fis to Hi-fis:
Main view:
Training the events using anomaly rules for first-time users
For first-time users:
1. Empty View Start and template views: Begin with an empty view and offer templates or a library of Exabeam-created rules.
2. Filtering: Allow users to filter rules by use case, rule type, MITRE ATT&CK technique, etc., and select the rules to be trained.
3. Queue Rules: Selected rules are queued and remain disabled until training is complete.
4. New View for Training: Display the queued rules with the steps needed for training.
5. Training Period: Rules train on 21 days of data starting from the current or a user-specified date.
6. Training Lock: Once training starts, rules cannot be edited or modified.
7. Publishing: After training, rules are published and enabled.
8. Rule Options: Users can disable rules, delete disabled rules, and view details of enabled rules.
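As an added illustration (not Exabeam's code), the training lifecycle from the steps above as a small state model: queued and in-training rules are locked and stay inactive, the training window is 21 days from the chosen start date, and a rule is published only when training finishes. The rule names, the condition fields and the choice to drop an edited published rule back to draft so it must be retrained are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple
TRAINING_WINDOW_DAYS = 21  # training period stated in the workflow above

class State(Enum):
    DRAFT = "draft"        # authored or edited, not yet queued; inactive
    QUEUED = "queued"      # selected for training, still disabled
    TRAINING = "training"  # engine is training; the rule is locked
    ENABLED = "enabled"    # published and active after training completes

class RuleLockedError(Exception):
    """Edit attempted on a rule that is queued or in training."""

@dataclass
class AnomalyRule:
    name: str
    conditions: Dict[str, str] = field(default_factory=dict)
    state: State = State.DRAFT
    training_start: Optional[date] = None

    def edit(self, **conditions: str) -> None:
        if self.state in (State.QUEUED, State.TRAINING):
            raise RuleLockedError(f"{self.name} is {self.state.value}; edits are locked")
        self.conditions.update(conditions)
        if self.state is State.ENABLED:
            self.state = State.DRAFT  # assumption: a changed rule must be retrained

    def training_window(self) -> Optional[Tuple[date, date]]:
        if self.training_start is None:
            return None
        return self.training_start, self.training_start + timedelta(days=TRAINING_WINDOW_DAYS)

    def finish_training(self) -> None:
        if self.state is not State.TRAINING:
            raise ValueError(f"{self.name} is not in training")
        self.state = State.ENABLED  # publish and enable

def queue_for_training(rules: List[AnomalyRule], start: Optional[date] = None) -> List[AnomalyRule]:
    """Bulk action: queue every draft rule for one training run over a shared window."""
    start = start or date.today()
    queued = [r for r in rules if r.state is State.DRAFT]
    for r in queued:
        r.training_start, r.state = start, State.QUEUED
    return queued

def start_training(rules: List[AnomalyRule]) -> None:
    for r in rules:  # the engine picks up queued rules; they stay disabled meanwhile
        if r.state is State.QUEUED:
            r.state = State.TRAINING
```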
Authoring experience under a microscope:
Design Exploration 2: Designing multiple flows for each type of rule
Three types of rule with explanation to choose from
The authoring dialog was divided into two steps: rule configuration and rule conditions.
The first exploration of the rule builder design stayed close to the code itself, because we wanted to check whether end users would use this feature. Here the various fields for the profile rule type were extracted from the rule's JSON definition; since the rule was defined in JSON, it was easy to understand the values it held.
Other rule types included Fact based and Numeric profile rule.
Feedback: Combine the three rule dialogs into one flow, since the differences in the inputs are very minor.
Revised design: Add a tab in the first step where the user can switch between rule types.
Design system components
Various statuses of the fact-based rules while they are in stages of training.
Default state
Draft state
Queued state
Training/ In progress state
Design Partner Feedback:
Providing detailed logs of changes made to detection rules, including both old and new values, would help users understand what has been modified and why retraining is necessary.
Automated prompts for retraining when specific changes are made would help ensure that the system is always up-to-date without requiring manual checks by the users.
"Turns noise into actionable information"
"Exabeam's enhancements have streamlined our threat detection process, making it faster and more accurate."
"The comprehensive data collection and visualization tools have provided us with deeper insights into our security landscape."
Conclusion
The project focuses on simplifying complex systems and enhancing user-friendliness. It addresses the resource-intensive nature of the security engine with innovative features such as bulk actioning and automated rule suggestions, making threat detection more efficient and effective.
The project contributed to Exabeam's recognition as a Leader in the Gartner® Magic Quadrant for SIEM for the 5th year. By processing over 2 million EPS, it enabled rapid data analysis for large enterprises, minimized false positives, and enhanced threat detection capabilities. These improvements reduced manual work, improved response times, and demonstrated significant ROI, making Exabeam an attractive choice for clients.
Some Gartner peer reviews over the years:
Future Scope
The team is working on additional features such as automatically suggesting relevant rules based on the customer's data, and providing a dedicated section to communicate engine status and enable automatic updates.
Adding a feature to allow customers to easily accept updates to the security rules in the future, without manual intervention.
Implementing an engine status dashboard to provide customers with real-time information about the security engine's performance and health.
Exploring ways to further optimize the resource consumption and costs associated with running the security engine.