Finding meaningful connections between threat data.

ThreatConnect's Threat Intelligence Platform is a centralized place for the aggregation and management of threat data. The platform gives security teams at Fortune 500 companies a way to analyze and act on threat intelligence in real time.

The Problem

While ThreatConnect collects large amounts of data primarily in a table format, threat analysts needed a way to visualize the relationships between data from various sources.

A visual "graph" already existed in the platform. This 5-year-old feature gave analysts a visual based on a single source of intelligence and provided little context, leaving analysts hesitant to confirm a connection. Threat analysts needed to know how and why two pieces of data are related, and that context was missing from the existing graph.

Analysts need to quickly drill down past the "noise" of indicators to see the true indicators of compromise that are related to the incident they're working on.

BEFORE

The original graph was confined to a quarter of the screen and buried in a tab view, making it difficult to find. Analysts revealed that there was no way to tell visually what type of data was being represented.

Usage steadily declined

Over time the usage of the graph feature steadily declined, as shown in this Pendo graph. By 2020, usage had dropped by a whopping 50% since its initial release.

Research

I started conducting in-context interviews with customers and with our research team, which consisted of 9 full-time threat analysts. I was able to learn more about their investigation process and why the current graph feature wasn't meeting their needs.

My findings were placed in an affinity map. Key takeaways included:

  1. Start of an investigation - Most analysts mentioned how they would prefer to start their investigation from the graph. We also found that analysts preferred to share and collaborate.

  2. Missing key features - The current graph was missing key features such as bulk actions, exporting, relationship data, and third-party data.

  3. No context - Data shown in the current graph lacked context, there was no way to search for data, and there was no way to see linked cases.

  4. Lack of visual cues - Visually, analysts couldn't delineate between groups, indicators, or tags. Additionally, there was no way to tell indicators apart from each other.

  5. Difficult to use - The current graph was "cumbersome, time-consuming, and not helpful" to many analysts.

Ideate & Iterate

Working alongside PM and our CAL Data Scientists, we narrowed down the features for the first version of the graph.

Key features included an advanced search, graph export and save, a comprehensive legend to toggle off sources and types, a revamped icon set and colors, sort functionality, relationship types, and context for each indicator.

I worked closely with the CAL team to understand the data we’d be getting back and mapped out user flows based on the research I’d done.

Based on this set of features I created critical user flows and broke down the steps a user would take to find more information on an indicator. Once the user flows were created, I built a greyscale prototype. We ran click tests and feedback sessions with current customers and our research team.

Visual system for threat analysts

I held feedback sessions with threat analysts to create a visual system that made sense for each visual element such as color, icons, line distance, and node size.

While node size and line distance didn’t mean anything to analysts, line type, icons, and shapes helped provide the most information.

For example, a dashed line denotes a “potential connection” while a solid line means a higher probability of a connection based on CAL.

Cohesive icon set

Since we revamped the platform’s various icons with a cohesive icon set, I followed the styling for any extra icons needed for the graph. We continue to add new groups and indicator types.

The background shape helped analysts quickly tell which is an indicator and which is a group. This was particularly important when analysts expand out 100+ indicators or groups at a time.

Final Designs

We found that analysts used visual graphs as the starting point of their investigation, whether it be a Miro board or a third-party web tool. With this in mind, it was important to think through the functionality needed to run a full investigation and how we could scale this in the future. The overall design met our primary goals:

  1. Provide Meaningful Connections - Using CAL, ThreatConnect's predictive analytics, we were able to show hyper-enriched relationships with real-time data giving analysts the how and the why behind the data relationships. This was at the core of what they needed.

  2. Cut down investigation time - Allow users to easily pivot through 500M+ indicators and 1B+ relationships and find the data they need faster. They were now able to drill down past the "noise" of indicators to see the true IOCs that are really related to the incident they're working on.

  3. Aesthetics - We created an accessible graph view that was easy to navigate, met AA standards, and allowed the user to quickly see types of data. This was also an opportunity to test our new design system.

  4. Usability - The data we surfaced tied into the rest of the platform with relevant associated cases and intel that's easy to scan. We also provided core features such as advanced search, bulk actions, running playbook automation, reporting false positives, and exporting capabilities for reporting purposes.

Measuring Success

The first version of the graph will be released at the end of 2021 and is currently under patent. We've given select customers access to the beta, and the reception so far has been positive, resulting in many customers upgrading their user license count.

Beta feedback quotes from our Fortune 500 customers:

  • "This actually has me excited and I'd prefer to use this to <competitor name>."

  • "This looks really fantastic. Details seem minimal but focused so showing just the things that an analyst would need to see and not more. This is bang on what we would be hoping for. Great visuals."

  • "You are on the right track, this is what I would want to use."

  • "Fantastic and welcomed updates, you can search, and having this in the graph will be very powerful. The icon for each object is pure gold."

  • "Much cleaner, it needed this differentiation."