User Entity Behavioral Analytics

Company

IBM

Project Duration

8+ months

Role

Lead UX Strategist & Designer

The Problem

User and Entity Behavior Analytics (UEBA), a term Gartner introduced in 2015, is the evolution of User Behavior Analytics (UBA). Where UBA baselines and tracks the behavior of end users only, UEBA applies the same baselining to non-user entities, such as servers, routers, and Internet of Things (IoT) devices, and flags abnormal or suspicious activity on any of them that may indicate a security threat.

IBM currently offers User Behavior Analytics (UBA) through QRadar Core at no additional cost. However, users have reported several challenges with this solution, including:

  • Poor performance
  • Complex configuration
  • Lack of advanced features like entity analytics (UEBA)

The growing demand for UEBA presents a significant market opportunity, yet IBM is currently lagging behind competitors and losing sales as a result.

My Role

At IBM, I led a forward-looking UEBA initiative, defining a scalable, user-centered approach to threat detection for SOC analysts. I drove market research, identified key differentiators, and aligned cross-functional teams on product strategy. The work produced intuitive workflows that help analysts understand the impact of an anomaly on their systems and make faster, better-informed security decisions.

Impact

  • 36% workflow improvement over the current UBA workflow
  • 88% increase in data transparency and architectural clarity

The Process

Understanding

I led the team through an in-depth discovery phase to fully understand the implications of the current UBA system within QRadar Classic and audit how competitors developed their UEBA systems. This analysis allowed us to benchmark IBM's existing features against those of competitors and identify impactful features to consider for our new UEBA solution.

Following this, we established high-level jobs-to-be-done, which guided us in identifying the key personas involved and their roles at different points within the workflow.

Research Validation Phase

Goals: The primary objective of this generative UX research round was to uncover user needs related to User and Entity Behavior Analytics (UEBA) solutions. These insights directly informed the definition of our UEBA Minimum Viable Product (MVP).

Methodology: We conducted in-depth, 60-minute interviews with each participant.

Participants:

  • 4 non-IBM customers using competitor UEBA solutions
  • 1 IBM customer using QRadar UBA
  • 2 internal IBM MSS engineers using QRadar UBA

Key findings

  • Deciding factors
  • Use cases
  • Threat of GenAI
  • Single pane experience
  • Configurations
  • Lack of context

Concepting Phase

I led the team through a workshop using a structured 4-step methodology designed for rapid ideation and refinement. By generating quick, iterative concepts, we established an efficient critique and pivot process, ultimately producing a well-aligned solution focused on enhancing the journey of a security analyst.

Mid-Fidelity

After an in-depth exploration of rapid concepting, we transitioned into mid-fidelity designs. Here, I incorporated unique use cases that users of this new application had not previously considered, ensuring a more comprehensive and user-centered approach to the design.

Getting a proper flow down allowed us to get pivotal feedback from users when we tested concepts.

User Testing

Goals: This second round of user research focused on understanding the key informational needs of users in a UEBA hunting and monitoring context, specifically around the user profile and timeline UI elements. Insights from this round guided the design of our MVP.

Methodology: We conducted comprehensive, 60-minute interviews with each participant.

Participants:

  • 5 non-IBM customers using competitor UEBA solutions
  • 3 internal IBM MSS analysts and engineers currently using QRadar UBA

Key findings

  • No black boxes, show the “why”
  • Actionable insights
  • Ability to take action

Hi-Fidelity Concepting

Following our testing round, I gained valuable insights that guided a user-centered shift in our concept. We focused on providing greater context within a streamlined, single-pane experience. This adjustment created a more engaging interface, empowering users to seamlessly explore and dive deeper as needed.

Final Concept

The anomaly canvas is built around one goal: detect anomalies and make them understandable, not just visible. It lets the analyst visually map the path to an anomaly, adding and connecting the nodes that matter in the wider context of a threat.

Each node added and each link drawn builds a documented case around a potential security threat, showing not only that an anomaly occurred but how and why. The concept pairs this with an integrated AI/ML model that learns from analyst interaction: the nodes and links an analyst adds act as feedback, tuning the model toward the characteristics of anomalies that matter in that specific security environment.

In this way the analyst is not only reacting to threats but also training the system to recognize, anticipate, and adapt to them, based on the real, actionable intelligence mapped out on the canvas.
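To make the mechanics concrete, here is an added illustration written for this page, not code from IBM or QRadar, of the two ideas described above: the per-entity baselining that separates UEBA from UBA (The Problem section), and the Final Concept's explainable score with an analyst feedback loop. The entity names, the three features, the alert threshold, the feedback rate and the log history are all assumptions constructed for the demo; a real UEBA engine uses far richer features and learns its weights rather than nudging them by a fixed step.

```python
# Added illustration (not IBM's or QRadar's code): a minimal UEBA scorer that
# baselines each entity (a user and a server alike), explains why an event
# scored, and lets an analyst verdict re-weight the features. History, events,
# threshold and feedback rate are constructed assumptions for the demo.
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed history: (entity, entity_type, hour_of_day, bytes_out, destination)
HISTORY = [
    ("alice", "user", 9, 1_200, "crm.internal"),
    ("alice", "user", 10, 1_500, "crm.internal"),
    ("alice", "user", 11, 1_100, "mail.internal"),
    ("alice", "user", 14, 1_300, "crm.internal"),
    ("alice", "user", 16, 1_000, "mail.internal"),
    ("web-01", "server", 0, 50_000, "db-01.internal"),
    ("web-01", "server", 6, 52_000, "db-01.internal"),
    ("web-01", "server", 12, 49_000, "db-01.internal"),
    ("web-01", "server", 18, 51_000, "db-01.internal"),
]

ALERT_THRESHOLD = 3.0  # assumed value; tune per environment
DEFAULT_WEIGHTS = {"bytes_z": 1.0, "new_hour": 1.0, "new_dest": 1.0}


@dataclass
class Baseline:
    hours: set = field(default_factory=set)   # hours the entity has been active
    dests: set = field(default_factory=set)   # destinations it has talked to
    byte_mean: float = 0.0
    byte_std: float = 1.0


def build_baselines(history):
    """One Baseline per entity; a server is handled exactly like a user."""
    rows_by_entity = {}
    for entity, _etype, hour, nbytes, dest in history:
        rows_by_entity.setdefault(entity, []).append((hour, nbytes, dest))
    baselines = {}
    for entity, rows in rows_by_entity.items():
        sizes = [n for _, n, _ in rows]
        baselines[entity] = Baseline(
            hours={h for h, _, _ in rows},
            dests={d for _, _, d in rows},
            byte_mean=mean(sizes),
            byte_std=pstdev(sizes) or 1.0,  # constant history would divide by zero
        )
    return baselines


def score_event(baselines, event, weights=DEFAULT_WEIGHTS):
    """Return (score, contributions); contributions explain the score per feature."""
    entity, _etype, hour, nbytes, dest = event
    b = baselines[entity]
    features = {
        # only excess volume counts: an unusually quiet entity is not flagged here
        "bytes_z": max(0.0, (nbytes - b.byte_mean) / b.byte_std),
        "new_hour": 1.0 if hour not in b.hours else 0.0,
        "new_dest": 1.0 if dest not in b.dests else 0.0,
    }
    contributions = {k: weights[k] * v for k, v in features.items()}
    return sum(contributions.values()), contributions


def explain(contributions):
    """Human-readable 'why', largest contributor first: no black box."""
    ranked = sorted(contributions.items(), key=lambda kv: kv[1], reverse=True)
    return [f"{name} contributed {value:.2f}" for name, value in ranked if value > 0]


def apply_feedback(weights, contributions, confirmed, rate=0.25):
    """Analyst verdict re-weights only the features that drove this alert.
    Confirmed: they count more next time. Dismissed: less, floored at 0.1 so
    a feature is never silenced outright. Returns a new dict (no mutation)."""
    updated = dict(weights)
    for name, value in contributions.items():
        if value > 0:
            updated[name] = updated[name] + rate if confirmed else max(0.1, updated[name] - rate)
    return updated


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    # Constructed events: alice sends 9 KB to an unknown host at 03:00,
    # web-01 pushes 400 KB to an unknown host, alice does normal daytime work.
    for event in [("alice", "user", 3, 9_000, "paste.example"),
                  ("web-01", "server", 12, 400_000, "exfil.example"),
                  ("alice", "user", 10, 1_250, "crm.internal")]:
        score, contribs = score_event(baselines, event)
        verdict = "ALERT" if score >= ALERT_THRESHOLD else "ok"
        print(f"{event[0]:7} {verdict:5} score={score:.2f} because {explain(contribs)}")
```

Run it directly to see the three constructed events scored with their reasons. The feedback step returns a new weight dictionary instead of mutating the defaults, so each analyst verdict and the weights it produced stay auditable, which is the "show the why" requirement from user testing applied to the model itself.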

Prototype