Panther Labs
Data Lake Search
From Threat Hunting to Visual Summary:
The Complete Analyst's Journey
CASE STUDY / OCT. 2023
Our project began with a well-defined scope: improve the usability of a static data table interface. As we dug deeper, however, it became clear that our users wanted more than cosmetic UI improvements. They wanted powerful, adaptable tools for threat hunting, alert investigation, and validating data drawn from multiple data sources.
In response, we adjusted our strategy to reflect our users' objectives and developed a broader framework. The question was not merely how to start a search, but how to guide users along a complete path to more effective threat hunting. The framework we designed, described below, lays out the entire user journey from start to end.
We identified the critical use cases and user flows and designed the search process around them, prioritizing efficiency. One consequence is that a search can be started from many entry points, not just the search page itself.
Our strategy included several search modes to cover a range of scenarios, which required UI design explorations to find the most effective interaction patterns.
A key stage of this journey is data analysis, which gives users immediate context and insight through a visual summary and a customizable grid table.
The journey ends by connecting users to concrete outcomes: generating reports, creating new detections, and saving searches for future reference.
These changes are more than incremental improvements; they represent a fundamental shift in how users navigate search in our SIEM's data lake search tool. By taking a whole-journey view, we introduced solutions that make threat detection and analysis measurably more efficient.
face-off panther
The search interface's redesign posed a twofold challenge: refresh the layout, and at the same time adopt a new style guide that improves usability by increasing the density of displayed data and raising contrast for readability. We also needed a new grid system with full-screen responsiveness, which meant departing from our long-standing style guide. Moving users from a design they had grown comfortable with over several years to an unfamiliar aesthetic required careful planning to ensure the change was well received and met their expectations.
This overhaul was critical for modernizing the product's look and feel, raising both its usability and our brand's image. The updated design follows the visual conventions users already know from other data management and programming tools, so Panther Data Lake Search fits naturally into their existing workflows, even outside the traditional SIEM environment.
The transition to the new design went smoothly, and user satisfaction was high. That reception validated our design decisions and strengthened our brand's reputation for design quality.
put security engineers first
At Panther, we prioritize the needs of security engineers, in keeping with the founding principle of 'Detections as Code', so that our products match and support how engineers actually work. We aim to exceed the high expectations of this key persona by tailoring what we build to their specific requirements.
In keeping with this user-centric approach, we conducted in-depth interviews with more than ten security engineers. These discussions mapped out their primary workflow categories:
Data source configurations and ingestion management,
Creation of detection mechanisms,
Conducting threat hunts, and
Performing advanced investigations.
These conversations showed how integral search is across every part of their workflow. More importantly, they surfaced gaps in the current search capabilities and told us which enhancements were needed.
Using this direct feedback from discovery research, we identified and addressed the missing pieces in our search features. By listening to users and understanding their day-to-day challenges, we are not just building a product; we are crafting an experience that lets security engineers do their jobs with greater efficiency and impact.
highlights
threat hunting library
As a designer, I saw the need for a more intuitive starting point within our security platform, something that would immediately engage and guide users of every experience level. With this in mind, I proposed the Threat Hunting Library as a new landing-page feature. The library serves both as a welcoming entry point for newcomers running their very first search and as a jumpstart for less experienced analysts. The goal was a place where users can begin their search with the resources and educational support they need to detect and respond to threats effectively. The library demystifies the first steps of threat hunting and gives users a foundation on which to build expertise and confidence.
customizable grid
In designing the new search experience, I put customizability first, recognizing how much it matters to our users. The challenge was to make it not just flexible but also intuitive and easy to use. To inform the design, I studied leading security search applications such as Splunk, Datadog, and Elastic, and found a shared reliance on filter panels (facets) for efficient data manipulation.
Drawing on those insights, I envisioned a grid table where customization takes a single click. The aim was to make adding or removing columns effortless, favoring simplicity over a multitude of complicated features.
To execute this vision, we pared the grid down to two primary functions: filtering and summary. Because the two are synchronized, the summary always reflects the currently filtered rows, so users get a potent analytical tool for dissecting large data sets and discerning patterns. This lets users run powerful analyses and gain insight within seconds, significantly reducing the time and effort that pattern recognition normally requires.
threat enrichment
In cybersecurity, context is what turns raw data into actionable intelligence. To understand an event, the data must be enriched with detailed information, particularly insights drawn from the organization's own datasets. Questions like "Is this entity a bad actor or a victim?" or "What kind of information is held on these systems?" are crucial, and answering them requires rich context.
To address this need, the design I developed relies on progressive disclosure, a strategy that presents only the necessary layers of data as and when they are required. The approach is centered on managing cognitive load: analysts are not overwhelmed with information but receive just the right amount of data at the moment it is needed.
Progressive disclosure helps the analyst stay focused and informed, enabling swift, accurate decisions. By revealing layers of enriched data deliberately, the design supports analysts in quickly piecing together the picture, so that every decision is informed by rich context.
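As an added example (not Panther's code), the following shows one way the enrichment and layering described above can work in practice: an event's IP addresses are matched against a constructed asset inventory (longest-prefix CIDR match, answering "is this one of our systems, and what does it hold?") and a constructed indicator list (answering "is this a known bad actor?"), and the enriched record is returned one layer at a time. The inventory, indicators, event, layer names and the victim/bad-actor heuristic are all assumptions made for the example.

```python
"""Threat enrichment with progressive disclosure (constructed example, not Panther's code)."""
import ipaddress
from typing import Any, Dict, Optional, Tuple

# Constructed asset inventory keyed by network; more specific prefixes win.
ASSET_INVENTORY: Dict[str, Dict[str, str]] = {
    "10.0.0.0/8": {"owner": "corp-it", "classification": "internal"},
    "10.20.0.0/16": {"owner": "finance", "classification": "restricted",
                     "data": "PII, payment records"},
}

# Constructed threat indicators (an organization's own blocklist, for instance).
THREAT_INDICATORS: Dict[str, Dict[str, str]] = {
    "198.51.100.7": {"source": "internal blocklist", "campaign": "credential stuffing",
                     "first_seen": "2023-09-28"},
}

# Disclosure layers, least to most detail. Names are assumptions for the example.
LAYERS = ("verdict", "context", "evidence")


def lookup_asset(ip: str) -> Optional[Dict[str, Any]]:
    """Longest-prefix match of `ip` against the asset inventory, or None."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress._BaseNetwork, Dict[str, str]]] = None
    for cidr, info in ASSET_INVENTORY.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    if best is None:
        return None
    return {"network": str(best[0]), **best[1]}


def classify(ip: str) -> Tuple[str, Optional[Dict[str, Any]], Optional[Dict[str, str]]]:
    """Illustrative heuristic: a known indicator is a bad actor, one of our
    assets is a (potential) victim, anything else is unknown."""
    ioc = THREAT_INDICATORS.get(ip)
    asset = lookup_asset(ip)
    if ioc is not None:
        role = "bad actor"
    elif asset is not None:
        role = "victim"
    else:
        role = "unknown"
    return role, asset, ioc


def enrich(event: Dict[str, str]) -> Dict[str, Dict[str, Dict[str, Any]]]:
    """Build all disclosure layers for each IP field present in the event."""
    out: Dict[str, Dict[str, Dict[str, Any]]] = {}
    for field in ("src_ip", "dst_ip"):
        ip = event.get(field)
        if not ip:
            continue
        role, asset, ioc = classify(ip)
        out[field] = {
            # Layer 1: the one-line answer an analyst needs first.
            "verdict": {"ip": ip, "role": role},
            # Layer 2: just enough context to act on the verdict.
            "context": {
                "asset": None if asset is None else
                    {k: asset[k] for k in ("owner", "classification") if k in asset},
                "indicator": None if ioc is None else {"campaign": ioc["campaign"]},
            },
            # Layer 3: the full lookup results, for when the analyst digs in.
            "evidence": {"asset": asset, "indicator": ioc},
        }
    return out


def disclose(enriched: Dict[str, Dict[str, Dict[str, Any]]], level: int) -> Dict[str, Dict[str, Any]]:
    """Progressive disclosure: return only the first `level` layers per entity."""
    keep = LAYERS[:max(1, min(level, len(LAYERS)))]
    return {entity: {layer: layers[layer] for layer in keep}
            for entity, layers in enriched.items()}


if __name__ == "__main__":
    # Constructed event: a blocklisted source hitting a finance host.
    sample = {"src_ip": "198.51.100.7", "dst_ip": "10.20.1.5", "user": "bob"}
    full = enrich(sample)
    for level in (1, 2, 3):
        print(f"--- level {level} ---")
        print(disclose(full, level))
```

The first layer answers the two questions the text poses (actor or victim, and what the system holds) before any detail is shown; the later layers are only fetched into view when the analyst asks for them.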
summary visualization
When it comes to data analysis, we wanted users to feel they have a superpower at their fingertips. That is where summary visualization comes in. Where most other applications offer a single visualization panel, Panther lets users display multiple visualization panels simultaneously, one of the features that sets it apart.
The setup is deliberately simple: one click organizes any field's values into a summary, and all the summaries are displayed together. Users can connect different data points without switching views, keeping the workflow smooth and uninterrupted.
We did not stop there. Flexibility in data interpretation matters, so users can easily switch visualization types, toggling between maps, day charts, and more, to turn raw data into meaningful insight in whatever form suits them. The feature makes data analysis powerful, intuitive, and integrated into the user's investigative process.
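As an added example (not Panther's code), the following demonstrates the mechanism behind the customizable grid and summary visualization described above: a search over a small, constructed table of authentication events, with the grid rows and one summary panel per chosen field all computed under the same filters, so the panels always reflect the filtered rows. It uses an in-memory SQLite database as a stand-in for a SQL-queryable data lake; the schema, the events, and the function names are assumptions made for the example.

```python
"""Synchronized filter + per-field summary panels (constructed example, not Panther's code)."""
import sqlite3
from typing import Any, Dict, Iterable, List, Tuple

COLUMNS = ("ts", "actor", "src_ip", "country", "outcome")

# Constructed sample events (not real log data).
EVENTS: List[Tuple[str, ...]] = [
    ("2023-10-01T08:00:00Z", "alice", "203.0.113.5", "US", "success"),
    ("2023-10-01T08:01:00Z", "alice", "203.0.113.5", "US", "success"),
    ("2023-10-01T08:02:00Z", "bob", "198.51.100.7", "DE", "failure"),
    ("2023-10-01T08:03:00Z", "bob", "198.51.100.7", "DE", "failure"),
    ("2023-10-01T08:04:00Z", "bob", "198.51.100.7", "DE", "success"),
    ("2023-10-01T08:05:00Z", "carol", "192.0.2.9", "BR", "failure"),
    ("2023-10-01T08:06:00Z", "carol", "192.0.2.10", "BR", "failure"),
    ("2023-10-01T08:07:00Z", "dave", "203.0.113.5", "US", "failure"),
]

# Column names are interpolated into SQL, so they must come from this
# allow-list and never straight from user input; values go through parameters.
FILTERABLE = frozenset(COLUMNS)


def load_events(rows: Iterable[Tuple[str, ...]] = EVENTS) -> sqlite3.Connection:
    """Create the in-memory table that stands in for the data lake."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (ts TEXT, actor TEXT, src_ip TEXT, country TEXT, outcome TEXT)"
    )
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def _check_column(col: str) -> str:
    if col not in FILTERABLE:
        raise ValueError(f"unknown column: {col!r}")
    return col


def build_where(filters: Dict[str, Any]) -> Tuple[str, List[Any]]:
    """Turn {column: value} filters into a parameterised WHERE clause."""
    clauses = [f"{_check_column(col)} = ?" for col in filters]
    params = list(filters.values())
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""
    return where, params


def search(conn: sqlite3.Connection, filters: Dict[str, Any], limit: int = 100) -> List[Dict[str, Any]]:
    """The grid: matching rows under the current filters."""
    where, params = build_where(filters)
    cur = conn.execute(
        f"SELECT {', '.join(COLUMNS)} FROM events{where} ORDER BY ts LIMIT ?",
        params + [limit],
    )
    return [dict(zip(COLUMNS, row)) for row in cur.fetchall()]


def summarize(conn: sqlite3.Connection, filters: Dict[str, Any],
              fields: Iterable[str], top: int = 5) -> Dict[str, List[Tuple[Any, int]]]:
    """One summary panel per field, each computed under the *same* filters as
    the grid, so the panels can never disagree with the rows shown."""
    where, params = build_where(filters)
    panels: Dict[str, List[Tuple[Any, int]]] = {}
    for field in fields:
        col = _check_column(field)
        cur = conn.execute(
            f"SELECT {col}, COUNT(*) AS n FROM events{where} "
            f"GROUP BY {col} ORDER BY n DESC, {col} ASC LIMIT ?",
            params + [top],
        )
        panels[col] = [(value, count) for value, count in cur.fetchall()]
    return panels


def drill_down(filters: Dict[str, Any], field: str, value: Any) -> Dict[str, Any]:
    """Selecting a value in a summary panel narrows the filters (a new dict)."""
    new_filters = dict(filters)
    new_filters[_check_column(field)] = value
    return new_filters


if __name__ == "__main__":
    conn = load_events()
    filters = {"outcome": "failure"}
    print(search(conn, filters))
    print(summarize(conn, filters, ["actor", "country"]))
    narrowed = drill_down(filters, "src_ip", "198.51.100.7")
    print(search(conn, narrowed))
```

Running it with `outcome = failure` shows the actor and country panels side by side (bob and carol with two failures each, dave with one); drilling into a single source IP narrows both the grid and the panels in one step, which is the "connect different data points without switching views" behavior the section describes.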
actor dashboard
In building the actor dashboard, we reused the search components our users already knew to create a pre-loaded dashboard tailored to actor analysis. The dashboard serves as the destination for actor links across our products, so it fits directly into the user's existing workflow.
The dashboard is not an add-on; it is a deliberate synthesis of our search functionality, designed for usability and efficiency. By reusing components such as the date picker, query builder, and facet filtering, we let users dive into actor-specific data without learning new tools or leaving their current workflow. The result is a dynamic, interactive dashboard that improves the overall experience and gives analysts a focused lens on actor behavior and patterns.
The actor dashboard reflects our commitment to user-centered design and to streamlining threat detection and analysis. By creating a destination that cross-product actor links point to, we opened new avenues for analysis and put the relevant information at the analyst's fingertips, ready to be explored in depth. Reusing search components both raises the dashboard's utility and reinforces the product's position in the SIEM market.
retro
Reflecting on the project, it is clear that letting design lead, rather than starting from a fixed list of requirements, was instrumental in reshaping the user experience and how users perceive the product. The redesigned features did not just add functionality; they re-envisioned the user journey and measurably improved engagement, efficiency, and satisfaction. This design-driven approach set a new benchmark for how we develop and refine our product.
Design-Driven Product Development: By prioritizing user goals over strict product requirements, we could explore solutions that genuinely resonated with users. That freedom let us craft an experience that was not only functional but intuitive and pleasant to use, a departure from our traditional development process.
Engagement with Unhappy Customers: Proactively reaching out to dissatisfied customers turned out to be a golden opportunity. It gave us invaluable insight and also built stronger relationships. Through open dialogue and genuine concern for their experience, we turned complaints into testimonies to our commitment to user satisfaction.
Innovative Breakthroughs: The project underscored that innovation does not come from replicating what exists but from breaking the mold, even in small ways. Our streamlined workflow, which integrates search with visual analysis, is the clearest example: a thoughtful deviation from the norm that substantially improved the user experience.
Going forward, the insights from this project will continue to shape our strategy. The tangible results, from higher user satisfaction to stronger retention, show the value of a design-first approach. We remain committed to incorporating user feedback and to building a community around the product. This project is not an end but the start of a journey toward a more inclusive, innovative, and user-centered product.