IBM QRadar - MITRE ATT&CK Redesign
IBM QRadar Security Suite is an industry-leading cybersecurity product. As a product designer on the team, I’m tasked with improving complex tasks and experiences on the platform. One of those experiences in 2024 was improving the platform’s MITRE ATT&CK coverage.
Length: 4 sprints (2 months)
My impact: (1) Led the research, UX and UI redesign around the MITRE ATT&CK threat coverage experience (2) Addressed usability pain points through redesign of the MITRE Matrix (3) Proposed a new home page experience for Detection & Response Center. These updates were delivered and will be fully integrated in the QRadar product in Q3 2024.
Programs: Figma, Mural
My Roles: UX Researcher, UX Designer, UI Designer
Before and after experience shown. Clickable Figma prototype can be accessed here.
Usability testing & research (2 sprints)
MITRE ATT&CK is a threat detection framework standard in cybersecurity. It’s focused on the behavior of the attacker, breaking up actions into tactics and techniques. A Security Operations Center (SOC) analyst would utilize this framework along with a visual Matrix to see gaps in defense coverage for their organization. For instance, a financial institution would want to have coverage around ransomware, and MITRE can help showcase this. In IBM QRadar Suite, this framework lives in Detection & Response Center (DRC), my team’s product.
Our user testing in Q4 2023 revealed that users struggled with utilizing aspects of our MITRE ATT&CK interface in DRC. Specifically, when tasked to utilize the framework:
0/6 users were able to find the MITRE ATT&CK heat map (Matrix)
Multiple users were confused by the different shades of blue
Users didn’t think it was usable on opening
Problem: Users aren’t finding the MITRE ATT&CK heat map, struggle to utilize the Matrix effectively, and have a hard time understanding the information shown in the Matrix.
My steps of user research were: (1) Find what research had already been completed on MITRE ATT&CK in IBM Security (2) Create an AS-IS flow of our product (3) Complete a competitive analysis (4) Interview experts in IBM Security who were familiar with MITRE ATT&CK (5) Analyze usability testing and our user persona.
My research phase concluded with a playback to stakeholders of my recommendations, which led to design explorations. After 2 sprints of research, I had a much clearer understanding of how MITRE ATT&CK needed to be utilized. From my research I found that the MITRE ATT&CK Matrix was a core part of finding defense gaps. I concluded that: The advanced analyst (our user persona) needs to deep dive into her company’s MITRE coverage, parse through complex data, and know what gaps need to be filled, with speed and accuracy.
Exploration (Low + Mid-fi, 1 sprint)
Rolling into the exploration phase from research, our user persona’s needs were identified. These included that the MITRE coverage UI needed to be:
Easily accessible
Easy to understand the matrix
Quickly understandable
I explored variations of accessibility (shown on left) in low fidelity. This included a third tab for MITRE coverage, a GenAI-influenced exploration, a new dashboard view, and data visualizations. This was all iterated based on daily feedback from my team and stakeholders.
Delivery (Hi-fi, 1 sprint)
The best user experience for MITRE ATT&CK coverage was decided through collaborating with my team and experienced stakeholders. This experience was also presented to our IBM Security Sales Tech team. The final experience includes:
Dashboard in Detection and Response Center to quickly understand your rule and MITRE coverage
Dashboard can be expanded (clicking ‘more info’ button) to see data visualizations of the MITRE coverage
3 separate content sections:
Rule list for data table view of rules
MITRE Matrix (redesigned), easily filtered, legend added
Triggered events to identify certain techniques that were triggered in the system within a timeframe
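To make the three pieces above concrete (the rule-to-technique counts behind each Matrix cell, the legend that replaced the ambiguous shades of blue, the per-tactic gap list an analyst uses to find defense holes, and the triggered-events view over a timeframe), here is an added, stand-alone Python example. It is not QRadar or DRC code. The tactic and technique IDs are real ATT&CK identifiers; the rule set, the rule-to-technique mapping, the legend thresholds and the event log are all constructed for illustration.

```python
# Added example (not IBM QRadar or DRC code): a toy MITRE ATT&CK coverage
# heat map built from a constructed rule set. Tactic and technique IDs are
# real ATT&CK identifiers; the rules, rule-to-technique mapping, legend
# thresholds and events are constructed for this example.
from collections import Counter
from datetime import datetime, timedelta

# Constructed slice of the ATT&CK Enterprise matrix: tactic -> technique IDs.
MATRIX = {
    "TA0001 Initial Access": ["T1566", "T1078"],
    "TA0002 Execution": ["T1059", "T1204"],
    "TA0008 Lateral Movement": ["T1021"],
    "TA0010 Exfiltration": ["T1041"],
    "TA0040 Impact": ["T1486", "T1490"],
}

# Constructed detection rules, each tagged with the techniques it detects.
RULES = [
    {"name": "Phishing attachment opened", "enabled": True, "techniques": ["T1566", "T1204"]},
    {"name": "Suspicious PowerShell", "enabled": True, "techniques": ["T1059"]},
    {"name": "Encoded PowerShell command", "enabled": True, "techniques": ["T1059"]},
    {"name": "Mass file encryption", "enabled": True, "techniques": ["T1486"]},
    {"name": "Shadow copy deletion", "enabled": False, "techniques": ["T1490"]},
    {"name": "RDP from unusual host", "enabled": True, "techniques": ["T1021"]},
]

# Legend: minimum enabled-rule count -> shade label (assumed thresholds).
LEGEND = [(4, "high"), (2, "medium"), (1, "low"), (0, "none")]


def technique_counts(rules):
    """Number of enabled rules per technique: the value behind each matrix cell."""
    counts = Counter()
    for rule in rules:
        if rule["enabled"]:  # a disabled rule provides no coverage
            counts.update(rule["techniques"])
    return counts


def shade(count):
    """Map a rule count to its legend label."""
    for minimum, label in LEGEND:
        if count >= minimum:
            return label
    return "none"


def coverage_matrix(matrix, rules):
    """tactic -> {technique: (enabled rule count, legend shade)}."""
    counts = technique_counts(rules)
    return {
        tactic: {t: (counts[t], shade(counts[t])) for t in techniques}
        for tactic, techniques in matrix.items()
    }


def gaps(matrix, rules):
    """Techniques per tactic with no enabled rule: the defense gaps an analyst looks for."""
    cov = coverage_matrix(matrix, rules)
    return {tactic: [t for t, (n, _) in cells.items() if n == 0] for tactic, cells in cov.items()}


def tactic_coverage_pct(matrix, rules):
    """Percentage of techniques per tactic with at least one enabled rule (dashboard figure)."""
    cov = coverage_matrix(matrix, rules)
    return {
        tactic: round(100.0 * sum(1 for n, _ in cells.values() if n > 0) / len(cells), 1)
        for tactic, cells in cov.items()
    }


# Constructed triggered events (rule firings) with ISO timestamps.
EVENTS = [
    {"time": "2024-05-01T08:00:00", "rule": "Suspicious PowerShell", "technique": "T1059"},
    {"time": "2024-05-01T09:30:00", "rule": "RDP from unusual host", "technique": "T1021"},
    {"time": "2024-04-20T12:00:00", "rule": "Mass file encryption", "technique": "T1486"},
]
NOW = datetime(2024, 5, 2, 0, 0, 0)  # fixed "now" so the example is deterministic


def triggered_in_last_hours(events, hours, now=NOW):
    """Techniques that fired within the window, for the 'Triggered events' section."""
    since = now - timedelta(hours=hours)
    return {
        e["technique"] for e in events
        if since <= datetime.fromisoformat(e["time"]) <= now
    }


def render(matrix, rules):
    """Plain-text heat map: one row per tactic, one cell per technique."""
    lines = []
    for tactic, cells in coverage_matrix(matrix, rules).items():
        row = "  ".join(f"{t}[{n}:{label}]" for t, (n, label) in cells.items())
        lines.append(f"{tactic:<26} {row}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(MATRIX, RULES))
    print("gaps:", gaps(MATRIX, RULES))
    print("coverage %:", tactic_coverage_pct(MATRIX, RULES))
    print("triggered in last 24h:", sorted(triggered_in_last_hours(EVENTS, 24)))
```

The point the example makes about the legend is that a cell's shade should come from an explicit, documented threshold on enabled-rule count, so the disabled "Shadow copy deletion" rule leaves T1490 as a gap rather than appearing covered; the same count feeds both the Matrix cell and the dashboard percentage, so the two views cannot disagree.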