As discussed in part one of this series, Threat Stack is committed to making meaningful changes to its user interface (UI), including alert context, to further reduce key security metrics like mean-time-to-know (MTTK). This matters because every minute, if not every second, counts when it comes to identifying potential security risks. Yet, according to IBM, the average time to identify a breach in 2020 was 207 days. To keep our customers out of this startling statistic, we’ve released fundamental changes to our UI that provide a sharper security experience and, in turn, reduce MTTK. Let’s explore.
When a customer is notified of a new alert and begins the triage and response workflow, the Threat Stack Cloud Security Platform® can group alerts by common indicators such as compliance and process, and then create visualizations such as heat maps and trend graphs that show how alert frequency and volume are trending. In addition, contributing events are correlated to alerts to provide an activity trail that guides investigations.
From feedback from Threat Stack users, we recognized that the same questions come up repeatedly while navigating alert triage and investigations. Therefore, we added new alert context functionality that standardizes these commonly asked questions and answers them proactively, by default, for our users. Alert context helps to quickly and accurately guide our users’ investigations into high severity alerts.
To accommodate our new alert context, we had to redesign how we display our rich alert data. We recognized that the existing view had to be expanded to make space for the new functionality that surfaces event occurrences for various types of activity: alert highlights, new visualizations, and tables. As a result, we shifted from showing alerts in a horizontal drawer view to a more spacious and modern vertical drawer view, so users can see the pertinent alert details alongside the high-level alert table.
One of the new functions the extra space lets us add is alert highlights. This capability supplements point-in-time context with a summary of historical activity related to the alert. It gives our users context about infrastructure, user, and process activity over the past month, offering crucial guidance during security investigations.
For example, instead of navigating through a multitude of events related to a specific user’s activity, Threat Stack provides a summary of the alert itself, such as the following:
Example of a specific user alert highlight on the Threat Stack Cloud Security Platform
Highlights also appear above our visualizations to summarize activity related to the user, agent, or process behavior in a human-readable format. For example, the following would appear above a histogram visualization showing activity for a specific user:
Example of a single user’s behavior summary on the Threat Stack Cloud Security Platform
We’ve also introduced a single-page alerts view, which provides users with visualizations such as a histogram showing a user’s activity over the past 30 days. The histogram is interactive, allowing users to zoom in and investigate activity on dates of interest. The single-page alerts view is also deep linkable and can be exported to PDF, making it easy to share alerts of interest, including alert context, within the organization or with auditors.
Example of a single-pane alert page with sample data on the Threat Stack Cloud Security Platform
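As an added illustration, not Threat Stack’s own code, the following Python sketches how an alert highlight and the 30-day activity histogram described above can be derived from events correlated to the alerted user; the events, hostnames, process names and the reference time NOW are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real Threat Stack data): one process
# execution per line, correlated to a user, a host and a command.
EVENTS = [
    {"ts": "2021-03-01T09:12:00Z", "user": "deploy", "host": "web-01", "process": "bash"},
    {"ts": "2021-03-01T09:13:00Z", "user": "deploy", "host": "web-01", "process": "curl"},
    {"ts": "2021-03-10T22:05:00Z", "user": "deploy", "host": "web-02", "process": "bash"},
    {"ts": "2021-03-28T03:44:00Z", "user": "deploy", "host": "db-01", "process": "sudo"},
    {"ts": "2021-03-28T03:45:00Z", "user": "deploy", "host": "db-01", "process": "bash"},
    {"ts": "2021-03-28T03:46:00Z", "user": "alice", "host": "web-01", "process": "ssh"},
    {"ts": "2021-01-15T10:00:00Z", "user": "deploy", "host": "old-01", "process": "bash"},  # older than 30 days
]
# Constructed reference time standing in for "now" when the alert is viewed.
NOW = datetime(2021, 3, 30, tzinfo=timezone.utc)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def window_events(events, user, now, days=30):
    """Events for `user` inside the trailing window, oldest first."""
    start = now - timedelta(days=days)
    hits = (e for e in events if e["user"] == user and start <= _parse(e["ts"]) <= now)
    return sorted(hits, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically


def alert_highlight(events, user, now, days=30):
    """Human-readable historical summary shown beside an alert on `user`."""
    evs = window_events(events, user, now, days)
    if not evs:  # quiet users still get an explicit answer, not an empty panel
        return {"user": user, "events": 0, "summary": f"No activity for {user} in the last {days} days."}
    hosts = Counter(e["host"] for e in evs)
    top_proc = Counter(e["process"] for e in evs).most_common(1)[0][0]
    return {
        "user": user, "events": len(evs), "hosts": sorted(hosts),
        "first_seen": evs[0]["ts"], "last_seen": evs[-1]["ts"], "top_process": top_proc,
        "summary": f"{user} ran {len(evs)} processes on {len(hosts)} hosts "
                   f"in the last {days} days; most common: {top_proc}.",
    }


def daily_histogram(events, user, now, days=30):
    """Per-day event counts (ISO date -> count) for the histogram; quiet days are 0."""
    counts = Counter(_parse(e["ts"]).date().isoformat() for e in window_events(events, user, now, days))
    first = (now - timedelta(days=days)).date()
    return {d: counts.get(d, 0) for d in ((first + timedelta(days=i)).isoformat() for i in range(days + 1))}
```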
We’re enabling customers to navigate and manage their alerts seamlessly through the many changes recently made to Threat Stack’s UI. Our goal is to reduce MTTK by providing more context so users can triage and investigate alerts quickly on our platform. These updates are only the beginning of our design iteration for Threat Stack alerts.