Design Principal | Designer | Experience Fanatic

Finding undetected threats

Case study


Threat hunting in Data Explorer

When research revealed that we were missing a key market segment, security analysts doing threat hunting, I simplified their experience by removing the need to learn proprietary query languages and by providing templates that guide analysts through their hunts. Reducing the complexity reduced the time it takes users to find the evidence they need to prove or disprove their hypotheses.

Skills used

Leadership, UX design, UI design, UX research, prototyping

Background

Security analysts can only spend 30% of their time proactively searching for unknown threats. That amount of time isn’t always enough to complete a threat hunt. In addition, threat hunting tools are often cumbersome and require analysts to learn complex query languages to sift through impossibly large amounts of raw data.

Generated and validated concepts

After collaborating with researchers and validating with threat hunters, my team gained a critical insight: that many businesses do not employ specialists who focus entirely on threat hunting. Rather, security analysts spend no more than 30% of their time threat hunting and the rest reacting to incidents that have already occurred.

Shifting our target users from threat hunting specialists to general security analysts, I led a series of workshops with stakeholders and included a threat hunter on the IBM MSS team to validate the concepts. Our goal was to reduce the complexity of analyzing large amounts of data and enable security analysts to proactively hunt for threats within their time constraints.

Threat hunting experience

After validating with the right users that we were solving the right problems, we delivered a threat hunting experience that allows analysts to effectively analyze data sets (access, join, enrich, group); write queries without needing to learn proprietary query languages; and access hunt templates that enable them to spend less time hunting and more efficiently find the evidence they need to prove, or disprove, their hypotheses.
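The four data-set operations named above (access, join, enrich, group) and the idea of a hunt template that encodes a hypothesis can be made concrete with a small worked example. The code below is added for this page; it is not Data Explorer's query engine or template format, and the field names, the business-hours window, the asset inventory and the authentication events are all constructed assumptions. Each step is an ordinary function, so the analyst's hunt reads as a pipeline rather than a query in a proprietary language.

```python
"""Added example: a multi-step hunt (access -> join -> enrich -> group)
over constructed sample data. Illustrative code written for this page,
not the product's own implementation; all names and records are assumed."""
from datetime import datetime, timezone

# Constructed authentication events (not real logs). Timestamps are ISO-8601 UTC.
AUTH_EVENTS = [
    {"ts": "2024-01-10T02:01:00Z", "user": "alice", "host": "ws-101",   "result": "success"},
    {"ts": "2024-01-10T02:05:10Z", "user": "bob",   "host": "srv-db-1", "result": "fail"},
    {"ts": "2024-01-10T02:05:30Z", "user": "bob",   "host": "srv-db-1", "result": "fail"},
    {"ts": "2024-01-10T02:06:02Z", "user": "bob",   "host": "srv-db-1", "result": "fail"},
    {"ts": "2024-01-10T02:06:40Z", "user": "bob",   "host": "srv-db-1", "result": "success"},
    {"ts": "2024-01-10T14:00:00Z", "user": "dba1",  "host": "srv-db-1", "result": "fail"},
    {"ts": "2024-01-10T14:00:30Z", "user": "dba1",  "host": "srv-db-1", "result": "fail"},
    {"ts": "2024-01-10T14:01:00Z", "user": "dba1",  "host": "srv-db-1", "result": "fail"},
    {"ts": "2024-01-11T03:00:00Z", "user": "bob",   "host": "ws-102",   "result": "fail"},
]

# Constructed asset inventory used by the join and enrich steps.
ASSETS = {
    "ws-101":   {"owner": "alice", "tier": "workstation"},
    "ws-102":   {"owner": "bob",   "tier": "workstation"},
    "srv-db-1": {"owner": "dba1",  "tier": "crown-jewel"},
}

BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59 UTC


def access(events, start, end):
    """Step 1: pull only the events inside the hunt window, in time order.
    The ISO strings share one format and zone, so they compare lexically."""
    return sorted((e for e in events if start <= e["ts"] < end), key=lambda e: e["ts"])


def join(events, assets):
    """Step 2: attach the inventory record for each event's host.
    Hosts missing from inventory get a placeholder instead of being dropped."""
    unknown = {"owner": None, "tier": "unknown"}
    return [{**e, "asset": assets.get(e["host"], unknown)} for e in events]


def enrich(rows):
    """Step 3: derive the features the hypothesis needs from each joined row."""
    out = []
    for r in rows:
        hour = datetime.fromisoformat(r["ts"].replace("Z", "+00:00")).astimezone(timezone.utc).hour
        out.append({**r,
                    "off_hours": hour not in BUSINESS_HOURS,
                    "foreign_user": r["user"] != r["asset"]["owner"]})
    return out


def group(rows):
    """Step 4: aggregate per (user, host), counting failures and noting whether
    a success followed them. Relies on the time ordering from access()."""
    agg = {}
    for r in rows:
        g = agg.setdefault((r["user"], r["host"]), {
            "fails": 0, "off_hours_fails": 0, "success_after_fail": False,
            "foreign_user": r["foreign_user"], "tier": r["asset"]["tier"]})
        if r["result"] == "fail":
            g["fails"] += 1
            if r["off_hours"]:
                g["off_hours_fails"] += 1
        elif g["fails"] > 0:
            g["success_after_fail"] = True
    return agg


def run_hunt_template(events, assets, start, end, fail_threshold=3):
    """A hunt template: the hypothesis 'someone who does not own a crown-jewel host
    is repeatedly failing to log in to it outside business hours', expressed as the
    four steps plus a filter. Returns the (user, host) pairs with their evidence."""
    rows = enrich(join(access(events, start, end), assets))
    findings = []
    for (user, host), g in sorted(group(rows).items()):
        if g["tier"] == "crown-jewel" and g["foreign_user"] and g["off_hours_fails"] >= fail_threshold:
            findings.append({"user": user, "host": host, **g})
    return findings


if __name__ == "__main__":
    for f in run_hunt_template(AUTH_EVENTS, ASSETS, "2024-01-10T00:00:00Z", "2024-01-12T00:00:00Z"):
        print(f)
```

On the constructed data the template surfaces only bob on srv-db-1: three off-hours failures by a non-owner followed by a success. The owner's daytime failures on the same host and bob's failure on his own workstation are grouped too but fall outside the hypothesis, which is the point of encoding the hypothesis in the template rather than leaving the analyst to filter raw rows by hand.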

Impact

Analysts can hunt for undetected threats more efficiently, giving them time to focus on reacting to more pressing alerts.

Analysts can build and run multi-step queries without learning complex query languages.

Analysts can use pre-defined hunt templates to help them perform their hunt.

Working with you is fantastic, and I feel like in many ways we would be lost without you. You contribute a lot to our team including: helping us make decisions on direction, as well as making suggestions on how we can work together to make those suggestions, delivering designs that we can all agree on and are always available to work with when the inevitable small detail question pops up. You are a fantastic voice that drives positivity throughout the team and gets people to open up. Overall I think you’re doing great and are someone I know I can rely on. Keep up the great work!


– Nathan Sherwood, Technical Product Owner, Data Explorer
