At ReliaQuest, we use the AI and automation capabilities of GreyMatter to help our customers reduce threat actor dwell time and lower their mean time to contain (MTTC) to under 5 minutes.
The analyst is a key piece of this process. With recent advancements in GreyMatter, the burden of data analysis has now shifted from humans to machines. What used to take hours can now be done in minutes by AI-powered security operations platforms.
Today, we’re excited to announce the release of the GreyMatter Analyst Experience (AX), new interfaces that take advantage of AI and automation to give analysts the context they need to quickly make decisions that contain and remediate threats.
Our Approach to Designing the New AX
When we were designing the GreyMatter mobile app, we faced a unique challenge: How do we condense all the information necessary to resolve an alert while enabling users to meaningfully manage it from a mobile device?
To solve this problem, we turned to our users. But instead of asking analysts, “What do you want to see in the mobile app?” we asked them, “What information do you use when deciding how to respond to an incident?” While analysts confirmed that they still needed to have all the supporting data readily available, in most cases they only needed very basic information to identify the activity.
We found analysts were excited at the prospect of having a streamlined interface for viewing and responding to alerts. Even in the cases when further investigation was warranted, they valued having a straightforward view to get visibility fast and quickly decide on what next steps to take.
From a design perspective, we expected analysts would benefit from a more succinct view of escalated incidents. But what we didn’t expect was how much further it would shift them towards action. Within the first 30 days of usage, analysts who incorporated the mobile app into their process responded to incidents two-thirds faster than before. It wasn’t just that there was more clarity for incidents, but a focused approach to displaying information made it easier to engage with and act on those incidents.
Components of the New Experience
The GreyMatter analyst experience builds on what we learned as we built and released the mobile app. The new experience is designed to quickly provide analysts with the answers to three critical questions up-front:
- What happened?
- What has been done?
- What do I need to do next?
Presenting this information as clearly as possible lets analysts speed up decision making and ultimately reduce mean time to resolve (MTTR).
Streamlined Incident Summaries
In addition to severity, status, and assignee for an incident, a succinct summary is now shown in the header to give context upfront. This is accompanied by dynamically recommended actions an analyst can run right there with a single click. In some cases, the incident header may be all an analyst needs to take decisive action on an incident. Think of it as a cheat sheet for the incident on a 3×5 notecard.
Organized and Accessible Data
Our clients have consistently relied on and appreciated the written analysis our analysts include with each escalated incident. Now this read-out is even easier to review: referenced artifacts are highlighted and can be clicked to find additional information.
Advanced View for Detailed Investigation
When the technical details are needed, analysts can toggle on the “advanced view” to see all the logic, queries, and event logs that were gathered and referenced in building out the analysis. Even for analysts who prefer to rely heavily on the raw data themselves, the clickable artifacts in the summarized view give them the best starting point for navigating to the necessary data points.
What’s Next
It looks simple (it was designed that way), but this project is the culmination of many years of collaborating with analysts and iterating on solutions. It’s a big shift, but it’s also just the start. We know full well that incident response is a small part of everything that goes into a comprehensive security plan. Planning around security improvements, expanding visibility, and managing the work that is needed to make it happen are in our sights for streamlining and improving the analyst experience.
More improvements are coming, and we couldn’t do any of this without our clients and security professionals partnering with us to imagine a better, safer, and more secure world. If you’d like to learn more, or work with us, please reach out to us. Let’s make security possible.