Cyber Security Service Delivery

Research

UX Design

Service Design

Visual Design

Project Management

2021-2022

Project Summary

What

Field Effect is a Managed Detection and Response company delivering cyber security services and solutions.

Our flagship hardware product's graphical interface, Covalence, displayed the raw data that powered our service and our client-facing product, the Portal (now Field Effect MDR). After years with no product team, it was in need of an overhaul, modernization, and integration of new data sources.

Improving the UI was also broadly seen as a way to improve the operator and client experience. However, my research led us to a very different conclusion - although these experiences could be improved, these users didn't want to use Covalence at all!

My role

Solo research, service, UX, and UI designer on an agile product development team

Outcomes

  • A successful redesign that integrated new data sources, improved clarity and usefulness, and eliminated the risks from using an out-of-support code framework.

The Research Stage: "uh oh, no one wants to use this"

To start, I conducted research using interviews and contextual inquiry with our team of analysts, managers, and leadership, as well as our internal users, our own IT team. Unfortunately, access to external clients was not possible, so I worked closely with service operators, help request tickets, and usage data.

My research questions included:

  1. How did this UI fit into workflows today?

  2. What were the hopes for the future of the UI?

  3. What information was missing from the Portal that meant clients needed to use Covalence?

Surprisingly, I discovered that most of our assumed user goals were met by other products and systems. Analysts preferred the speed and power of custom-built tools. Clients (including our own internal IT team) often needed information that was not displayed in the Portal, but instead of hopping over to Covalence to find it, they simply asked our analyst team to find it and bring it to the Portal.

The issue wasn't the clunky UI, it was information not being available in the tools and products operators and clients actually used. This disconnect was adding extra work for service operators and slowing down threat mitigation.

Models of service and experience (blurred for security reasons)

Early in discovery, it became clear that there were different perspectives on the way the service truly worked, leading to a gap between the roadmap and user needs. To remedy this, I compiled notes on the various types of data, phases, tools, and services, and created a model that shows how raw data became an alert, which became a client-facing ticket and eventually a mitigation. This model gave us a shared understanding and a place to point to when discussing what was really happening, bridging the gap between service operators and leaders.

And it worked - a senior analyst founding team member declared, "I didn't know it worked like that!" Leaders also became aware of all the advanced tools and automations analysts had built that far outpaced what a GUI could do.

Ecosystem Map

User journey maps

These journeys highlighted just how rarely analysts and clients used Covalence, and how switching tools was seen as an unnecessary barrier to their goal.

Service Blueprints

This blueprint shows how a suspicious activity is picked up by Covalence, how analysts respond, and how clients mitigate the threat. Once again, this highlights what users are doing instead of using Covalence, such as using the "request help" feature to ask an analyst to list which laptops need an update.

So, if we can solve the data access issue, does anyone actually need Covalence?

After building a shared understanding with leadership, we got moving right away:

  • Leadership no longer saw the Covalence UI as the solution to usability problems

  • Analysts were greenlit to continue building their incredible custom tools, including a collaboration tool that allowed them to operate 24/7 and at scale.

  • Strategic decisions were made to bring the useful data right into the Portal

So, what was left? Aside from modernizing the product to make it future-proof, the original reasons for the redesign had vanished.

Luckily, it was my new persona, Ron, who helped us discover a vital new reason. Ron is a skeptic. He has worked as a cyber security analyst in the past, and thinks Field Effect is too good to be true. Luckily our service really is that good, and Ron is happily convinced of this after seeing behind the curtain.

In addition, our sales engineers would show the UI to prospective clients, and an outdated, clunky product is not a great first impression.

Our new goal was to create a product that sales engineers can demo, and Ron can use to check our capabilities. Covalence would become a storyteller, not a detective.

This meant that even though the UI wasn't being used for threat hunting or mitigation anymore, it needed to be capable of it.

From here, I worked

Design deep dive: a UI that showcases the value and workflow of our analyst team

When I was briefed on this project, leadership believed that:

  1. Analysts were directly accessing the hardware UI to do threat hunting and mitigation, and that improving the UI would help them do their work.

  2. Clients needed to use this interface to access raw data that would allow them to mitigate issues, such as looking up all devices impacted by the same issue.

However, my research revealed a very different story.

The design phase

Luckily, this has a lot in common with how analysts work, so I co-designed an interface with analysts that would allow them to do their job… if they had no other tools. The result was a demo-ready interface that was immediately put to work for all our prospective clients, and for any advanced user who wanted to check if our service really could live up to its claims.

During this phase, we also switched code frameworks, which I supported by building a platform-wide design system in a new "professional neutral" visual style that anticipated an upcoming rebranding effort.

Solution deep dive: de-siloing data to support detective work

When a cyber security alert is triggered - such as a device logging in from an unexpected location - cyber security analysts investigate to see if it's malicious or merely unusual. They spot clues in the raw data to understand what happened, how this compares to historic data, if it looks like an attack, and if this is reasonable for the user and company context. By reviewing alerts in this way, we cut down on the noise clients received.

Analysts needed to be able to follow clues quickly and intuitively, jumping from historic data to live data to device or user data to build a complete picture.

However, the old UI siloed this data, forcing analysts to navigate and repeat queries

In addition, Covalence had gotten smarter since the last UI update, and there were types of data that weren't currently represented.

Working with the analyst team, I built a view that showed everything the sensor knew, no matter if it was a historic summary, a recent log, or even something happening right now (this is gold for analysts, as it allows them to stop or mitigate an attack). Analysts could then simply click to follow a lead, something that lends itself exceptionally well to sales demos and Ron's self-guided explorations.

The outcomes

The results speak for themselves. Field Effect has been the dominant industry leader for Managed Detection and Response for 4 years running, with an exceptional 98/100 net emotional footprint, 99/100 service experience, and 98 product experience by InfoTech's Software Reviews. Trust and reliability are also listed as top "pros" based on client reviews. This shows that when prospects and clients have doubts about the service's abilities, they can get the answers they need to have full trust in the service.

To see an early version of this UI in its role as a demo tool (plus many other features I designed and collaborated on across other products), take a peek at a recorded live demo. Here, you can see how Ted uses the UI to showcase how our analysts work. You can also hear Ted reassure the audience that this UI is not something they'll need to use: "you don't have to live into that interface, you understand." This is something I love to hear, as it shows the product working exactly as I expected it to.

Our senior sales engineer reassures the audience that they don't need to be using this tool, after sharing a brief example of how analysts use raw data to deliver value.

My takeaway

This is the project that led me towards service design, as the key findings that guided the entire project went well beyond the UI.

©2024 Beccy Murphy. All rights reserved. Website built in Framer.
