
BLueEyes - Cybersecurity tickets management system


Overview

This desktop application aims to provide an efficient way to handle large volumes of cybersecurity incident tickets. It will help the security analyst team organize, prioritize, and collaborate on resolving these incidents quickly. The key features are:



With this app, the analyst team can work together more effectively to triage, investigate, and resolve high volumes of cybersecurity incidents in a timely manner.

Problem Statement

Currently, security operations centers face two main challenges when managing cybersecurity incidents:


Information Overload:

Too many tickets, unclear details, and poor prioritization hinder efficient analysis.

Collaboration Challenges:

Limited visibility into teammate activity, inefficient communication channels, and unclear escalation paths slow down collaboration.


These issues create bottlenecks and delays in responding to and resolving cybersecurity threats effectively. This new desktop application will solve these key problems.

Solution

Information Overload:

  • Prioritize tickets: Risk scoring, visual cues for critical issues.
  • Consolidate tickets: Merge related tickets for cleaner view.
  • Clear details: Enforce mandatory fields, consider templates.
  • Advanced search: Filter by various criteria, use faceted search.

Collaboration Challenges:

  • Real-time feed: Show updates, comments, actions within the system.
  • Internal chat: Integrate chat or collaboration tools for communication.
  • Roles & permissions: Define clear access based on user roles.

User Interview

As part of the empathy research process, I conducted user interviews with three participants who are cybersecurity analysts. The interviews aimed to gain insights into their experiences, challenges, and perspectives within the cybersecurity domain. The following questions were asked, and their responses are summarized below.

Question: Can you describe your current process for managing and responding to cybersecurity incidents?
Answer: Our current process starts when we receive alerts from our SIEM, IDS/IPS, or other security tools. We manually review each alert to triage if it's a real incident.
Question: How do you currently prioritize which incidents to work on first?
Answer: We mostly go by our gut feeling of which seems most critical based on the little info in the alert.
Question: What are the biggest challenges or pain points in your current incident management process?
Answer: The biggest pain points are having too many alerts to manually review, lacking full context on each one, and not having a structured prioritization process.
Question: What are the most important fields or details you need to have for every incident ticket?
Answer: The most important fields are probably incident type, severity, affected assets, and any IOCs or observables.
Question: How do you currently search for or filter through incidents based on specific criteria?
Answer: Searching through incidents is really difficult currently beyond just basic filters in our SIEM.
Question: How does your team collaborate and share information when working on incidents together?
Answer: For major incidents, we have a group email thread going to collaborate. For smaller ones, we just work individually.
Question: How do you assign or transfer ownership of incidents between team members?
Answer: There's no formal hand-off process - we just email the next person if we need to pass it along.
Question: Can you walk me through the typical lifecycle or workflow of an incident from detection to resolution?
Answer: The typical lifecycle is: receive alert > triage incident > initiate analysis > investigation > response > clean-up & recovery.

Persona


Mark

The Overwhelmed Analyst

"I feel like I'm drowning in tickets! Half the time I don't even know what I'm looking at, and figuring out priorities takes forever."

Role: Tier 1 Security Analyst, 2 years experience.

Challenges: Struggles with high ticket volume, unclear ticket details, and difficulty prioritizing critical issues. Feels overloaded and stressed.

Needs: A system that prioritizes tickets automatically, provides clear and concise information, and offers filtering and search options for efficient ticket management.


Sarah

The Disconnected Defender

"I feel like I'm working in a silo. I have no idea what my colleagues are doing, and getting help takes ages. We need a system that keeps us all on the same page."

Role: Security Analyst specializing in malware analysis, 5 years experience.

Challenges: Lacks visibility into team activity, struggles with inefficient communication channels, and finds escalation paths unclear. Feels isolated and frustrated.

Needs: A system with real-time updates, integrated chat or collaboration tools, and clear escalation procedures with role-based notifications.

User Flow

Streamlined User Flow: Incident to Analyst Notification

  1. Detection: System identifies suspicious activity.
  2. Triage: Automated analysis or human review assesses severity and gathers context.
  3. Ticketing: System or analyst creates a ticket with key details and priority.
  4. Assignment: Automatic or manual allocation to the best-suited analyst.
  5. Investigation: Analyst gathers data and takes action.
  6. Response: Automatic or manual notification to relevant teams/personnel.
  7. Closure: Analyst updates the ticket with findings and resolution, then closes the case.
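To make the Solution features and this seven-step flow concrete, here is an added Python model of the ticket workflow. It is an illustration written for this case study, not the BLueEyes application's code: the stage names, the role policy (tier1 / tier2 / lead), the severity and asset weights, and the sample tickets are all assumed or constructed. It shows risk scoring for prioritization, enforcement of the mandatory fields the interviewee named, merging of tickets that share an observable, a recorded hand-off instead of an e-mail, and role-based checks on every stage transition.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Stage(str, Enum):
    DETECTED = "detected"
    TRIAGED = "triaged"
    ASSIGNED = "assigned"
    INVESTIGATING = "investigating"
    RESPONDED = "responded"
    CLOSED = "closed"


# Legal next stages, following the seven-step flow (one stage at a time).
TRANSITIONS = {
    Stage.DETECTED: {Stage.TRIAGED},
    Stage.TRIAGED: {Stage.ASSIGNED},
    Stage.ASSIGNED: {Stage.INVESTIGATING},
    Stage.INVESTIGATING: {Stage.RESPONDED},
    Stage.RESPONDED: {Stage.CLOSED},
    Stage.CLOSED: set(),
}

# Assumed role policy: tier1 cannot assign or close, leads can do everything.
ROLE_CAN = {
    "tier1": {Stage.TRIAGED, Stage.INVESTIGATING, Stage.RESPONDED},
    "tier2": {Stage.TRIAGED, Stage.ASSIGNED, Stage.INVESTIGATING,
              Stage.RESPONDED, Stage.CLOSED},
    "lead": set(Stage),
}

# Mandatory fields named in the interview: type, severity, assets, observables.
MANDATORY = ("incident_type", "severity", "affected_assets", "observables")
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ASSET_WEIGHT = {"workstation": 1, "server": 2, "domain-controller": 4}  # constructed


@dataclass
class Ticket:
    ticket_id: str
    incident_type: str
    severity: str
    affected_assets: list
    observables: list
    stage: Stage = Stage.DETECTED
    owner: Optional[str] = None
    merged_into: Optional[str] = None
    history: list = field(default_factory=list)


def missing_fields(t):
    """Mandatory fields that are empty; used as a gate before triage."""
    return [f for f in MANDATORY if not getattr(t, f)]


def risk_score(t):
    """Severity weight times the most critical asset, plus one per observable (capped at 5)."""
    sev = SEVERITY_WEIGHT.get(t.severity.lower(), 1)
    asset = max((ASSET_WEIGHT.get(a, 1) for a in t.affected_assets), default=1)
    return sev * asset + min(len(t.observables), 5)


def merge_related(tickets):
    """Fold tickets that share an observable into the highest-scoring one."""
    seen = {}  # observable -> primary ticket
    for t in sorted(tickets, key=risk_score, reverse=True):
        primary = next((seen[o] for o in t.observables if o in seen), t)
        if primary is not t:
            t.merged_into = primary.ticket_id
            primary.history.append(f"merged {t.ticket_id}")
        for o in t.observables:
            seen.setdefault(o, primary)
    return tickets


def prioritize(tickets):
    """Working queue: unmerged, not-closed tickets, highest risk first."""
    queue = [t for t in tickets if t.merged_into is None and t.stage != Stage.CLOSED]
    return sorted(queue, key=risk_score, reverse=True)


def transition(t, new_stage, actor, role, assignee=None):
    """Move a ticket one stage forward if the flow, the role and the data allow it."""
    if new_stage not in TRANSITIONS[t.stage]:
        raise ValueError(f"{t.ticket_id}: {t.stage.value} -> {new_stage.value} not allowed")
    if new_stage not in ROLE_CAN.get(role, set()):
        raise PermissionError(f"{actor} ({role}) may not move tickets to {new_stage.value}")
    if new_stage == Stage.TRIAGED and missing_fields(t):
        raise ValueError(f"{t.ticket_id}: missing mandatory fields {missing_fields(t)}")
    if new_stage == Stage.ASSIGNED:
        t.owner = assignee or actor  # hand-off is recorded on the ticket
    t.history.append(f"{t.stage.value}->{new_stage.value} by {actor}")
    t.stage = new_stage
    return t


def sample_tickets():
    """Constructed sample alerts; hashes and hosts are placeholders."""
    return [
        Ticket("T-1", "phishing", "medium", ["workstation"], ["hash-aaa"]),
        Ticket("T-2", "lateral-movement", "high", ["domain-controller"], ["hash-bbb", "10.0.0.5"]),
        Ticket("T-3", "phishing", "low", ["workstation"], ["hash-aaa", "mail-xyz"]),
        Ticket("T-4", "malware", "critical", ["server"], []),
    ]


def run_demo():
    """Walk the top-priority sample ticket through the whole lifecycle."""
    tickets = merge_related(sample_tickets())
    top = prioritize(tickets)[0]
    transition(top, Stage.TRIAGED, "mark", "tier1")
    transition(top, Stage.ASSIGNED, "lead-1", "lead", assignee="sarah")
    transition(top, Stage.INVESTIGATING, "sarah", "tier2")
    transition(top, Stage.RESPONDED, "sarah", "tier2")
    transition(top, Stage.CLOSED, "sarah", "tier2")
    return top


if __name__ == "__main__":
    done = run_demo()
    print(done.ticket_id, done.stage.value, done.owner, done.history)
```

In the sample data, T-3 shares the observable `hash-aaa` with T-1 and is merged into it, T-4 cannot be triaged because its observables field is empty, and the queue orders T-2 (domain controller, high) ahead of T-4 and T-1. The transition function is where the roles & permissions feature lives: a tier1 analyst can triage but not assign or close, so the escalation path is enforced by the system rather than by convention.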

Low Fidelity Wireframe

Design System

I created a design system in Figma, including typography styles, color variables for light and dark themes, spacing rules, an icon set, and a library of reusable UI components.

See more in Figma

Prototype

Light Mode Prototype

Dark Mode Prototype

Lessons learned

Next steps or future considerations
