Source Management - Summary Version
Project: Framework for management of data collection from disparate networks of sources
Elements: User Research | IA | Interaction Design | Prototyping
Where: RSA NetWitness

Access to full case studies for all RSA content available on request only
Summary
Source Management
RSA NetWitness is a network monitoring platform that gives analysts visibility into threats on their network that most other tools would miss. That visibility depends on ingesting the right data, and that is where source management comes in. We created a framework that makes configuring collection from diverse sources easy, so that analysts get the data they need to find threats, and admins can ensure that expensive storage capacity is used intelligently and processing speed is not impacted.
The Problem
Source management in NetWitness used to be very manual and convoluted. With the addition of a new Endpoint agent to the product, we were no longer collecting data only from tens of NetWitness devices whose sole purpose is data collection and aggregation, but potentially from hundreds of thousands of devices ranging from servers to employee laptops. Endpoint devices are not only more numerous, they are also more dynamic. In big networks, thousands of devices can be added to the network and decommissioned every single day. Further, devices often change IP address, which makes them difficult to identify.
With a large, dynamic network like this, following the manual source management patterns in NetWitness would be untenable. We needed a framework that met the immediate need of configuring the Endpoint agents but could also be leveraged later to improve log collection via NetWitness devices. Collection via Endpoint agents and collection via NetWitness devices are similar enough to be managed in one framework, but different enough to make that extremely challenging. Further, every customer and every network is different. The framework had to be capable enough to deal with the complexities of a network of hundreds of thousands of devices, while being simple enough not to overwhelm the admin of a smaller network who is only an occasional NetWitness user.
My Role
I was lead and sole designer on this project for the work in this case study. Another designer, whom I mentored, joined the project later to work on adding other data sources to the established framework.
The Process
E-mail me to request access to full case study featuring details of process
Discovery
Wireframing
Usability Testing Wireframes
Visual Design
Supporting the Scrum Team through the Build
Usability Testing Product Build
The Solution
We created a framework that employs a system of Groups and Policies to allow users to set rules for source management. Groups tell NetWitness which sources a Policy applies to, and Policies tell those sources what to do.
Instead of having an admin manually onboard thousands of new devices a day, which can be a full-time job on large networks, we used dynamic, rule-based Groups: when new agents come online that meet a Group's criteria, they simply join that Group and receive the appropriate Policy. No company wants to spend budget on administrative overhead, and with this framework the savings can be re-allocated to hire, for example, another analyst. Analysts are always spread critically thin, and the more analysts you have, the more threats you can detect.
Even with this framework there is still some setup. To help the admin through this process I designed stepped workflows for creating both Groups and Policies. And for when things get complicated, as they invariably do when creating rules that manage a dynamic network of devices without human intervention, I designed a simulator that shows how the Policies would actually be applied when several of them combine on the same device.
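To make the Group/Policy model concrete, here is a small rule-based simulator written as an added example for this page. It is not NetWitness code and does not reproduce the product's actual matching or precedence logic: the attribute names, operators, priority scheme (lower number wins on a conflicting setting) and the inventory of hosts are all assumptions constructed for the illustration. It shows the three things an admin needs the simulator for: which Groups a device joins automatically, which Policy wins for each setting when a device matches several Groups, and which devices end up in no Group at all (and therefore silently get no collection Policy).

```python
"""Toy simulator for rule-based Groups and Policies (illustrative, not NetWitness code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    name: str
    settings: dict          # assumed setting names, e.g. {"scan_interval_min": 15}


@dataclass(frozen=True)
class Group:
    name: str
    priority: int           # assumption: lower number wins when a host matches several groups
    rules: tuple            # (attribute, operator, value) triples; all must match (AND)
    policy: Policy


def rule_matches(host: dict, rule: tuple) -> bool:
    """Evaluate one membership rule against a host's attributes."""
    attr, op, value = rule
    actual = host.get(attr)
    if actual is None:
        return False
    if op == "eq":
        return actual == value
    if op == "startswith":
        return str(actual).startswith(value)
    if op == "in_subnet":
        return ip_address(actual) in ip_network(value)
    if op == "has_tag":
        return value in actual
    raise ValueError(f"unknown operator {op!r}")


def matching_groups(host: dict, groups: list) -> list:
    """All groups the host qualifies for, best priority first."""
    hits = [g for g in groups if all(rule_matches(host, r) for r in g.rules)]
    return sorted(hits, key=lambda g: g.priority)


def effective_settings(host: dict, groups: list) -> dict:
    """Merge the policies of every matching group.

    On a conflicting setting the group with the lowest priority number wins.
    Returns {setting: (value, group_name)} so the admin can see which group
    supplied each value, not just the end result.
    """
    resolved = {}
    for g in matching_groups(host, groups):
        for key, val in g.policy.settings.items():
            resolved.setdefault(key, (val, g.name))
    return resolved


def simulate(hosts: list, groups: list) -> dict:
    """Resolved settings for the whole inventory, keyed by hostname."""
    return {h["hostname"]: effective_settings(h, groups) for h in hosts}


def unassigned(hosts: list, groups: list) -> list:
    """Hosts that match no group: a failure mode worth surfacing to the admin."""
    return [h["hostname"] for h in hosts if not matching_groups(h, groups)]


# Constructed sample inventory and rules (not real hosts, networks or policies).
HOSTS = [
    {"hostname": "lap-0172", "os": "windows", "ip": "10.20.5.9", "tags": ("laptop",)},
    {"hostname": "db-prod-02", "os": "linux", "ip": "10.9.0.12", "tags": ("server", "pci")},
    {"hostname": "kiosk-7", "os": "windows", "ip": "192.168.50.3", "tags": ()},
    {"hostname": "printer-1", "os": "other", "ip": "172.16.1.1", "tags": ()},
]

GROUPS = [
    Group("PCI servers", 10, (("tags", "has_tag", "pci"), ("os", "eq", "linux")),
          Policy("Strict", {"scan_interval_min": 5, "collect_process_events": True,
                            "collect_network_events": True})),
    Group("Laptops", 20, (("tags", "has_tag", "laptop"),),
          Policy("Light", {"scan_interval_min": 60, "collect_process_events": True})),
    Group("Datacenter", 30, (("ip", "in_subnet", "10.9.0.0/16"),),
          Policy("Datacenter", {"scan_interval_min": 15, "collect_network_events": False})),
    Group("All Windows", 50, (("os", "eq", "windows"),),
          Policy("Baseline", {"scan_interval_min": 30, "collect_process_events": False})),
]

if __name__ == "__main__":
    for name, settings in simulate(HOSTS, GROUPS).items():
        print(name, settings or "NO GROUP / NO POLICY")
    print("unassigned:", unassigned(HOSTS, GROUPS))
```

Running it shows db-prod-02 matching both "PCI servers" and "Datacenter" and keeping network collection on because the PCI group outranks the Datacenter group, while printer-1 matches nothing and is reported as unassigned. Because membership is recomputed from attributes rather than recorded by hand, a host that is re-imaged, re-addressed or newly enrolled lands in the right Group the next time the inventory is evaluated, which is the point of the dynamic Groups described above.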
The Product
To see the source management framework, ultimately named "Endpoint Sources" in the product, in action, check out the following YouTube videos on the RSA YouTube channel. They walk through how to create a Policy, then how to create a Group and apply that Policy to it.