Google Cloud Security

Mandiant Digital Threat Monitoring

Role: Lead UX Designer

Mandiant Digital Threat Monitoring (DTM) provides Google Cloud Security customers with the capability to detect and anticipate potential threats to their organizations from across the open, deep, and dark web. Customers are able to monitor underground marketplace listings, malware repositories, blogs, forums and paste sites for signs of imminent threats or evidence of successful attacks, including leaked data and compromised credentials.

Please note: all images and information are derived from publicly available sources.

Project Highlights

  • Contributed to growing the DTM customer base by 20% in the last year, and more than a 50% improvement in key usage metrics.

  • Enabled the company to retire a legacy application, resulting in $500k in annual savings.

  • Collaborated closely with engineering teams and stakeholders to keep DTM on track over the course of Google’s acquisition of Mandiant, team changes and leadership churn.

  • Successfully anticipated future needs and grounded blue-sky ideation in conceptual designs.

Team Feedback

“DTM wouldn't be where it is without Sebastian. He's vital in coming up with requirements and UX to help engineering start development. He's great at anticipating challenges and questions, and designing something that the user needs.”

~ Engineering Manager

Project Background

The Digital Threat Monitoring product was originally developed as a tool primarily for use by Mandiant’s internal analysts to protect Mandiant Managed Defense customers. I was brought onto the project as part of a larger effort to improve and productize the tool, and integrate it into a new product ecosystem.

Legacy DTM

  • Siloed, not integrated with other products

  • Used a deprecated visual design system

  • Limited functionality

  • Expensive to maintain and update

New DTM

I collaborated with product managers and engineers, and other technical and product stakeholders to identify gaps in the legacy product, write new product requirements, and define a roadmap to integrate DTM into the Mandiant Advantage product suite.

When Mandiant was acquired by Google Cloud, I worked to incorporate DTM into the Google Cloud Security product suite while maintaining the Mandiant brand within this new context.

Alerts

Alerts are generated by monitors - saved searches run against data collections - and are the primary object of the DTM user experience. The majority of a user’s time using the product is spent assessing and triaging alerts.

Alert filtering functionality was substantially expanded, and alert display was improved with human-friendly titling, summaries, automated severity scoring, tagging, and alert aggregation, among many other UX enhancements.

Enriching DTM Alert data and integrating Mandiant Intelligence summaries into the Alert Details view were critical improvements, helping users understand context and assess risk without having to pivot into a separate product.

Monitor Configuration

Monitors are configured by the user to meet particular use cases and answer their most pressing questions, e.g. “have my usernames and passwords been leaked?” Monitor configuration underpins the entire product. It was also a major customer pain point, as a misconfigured monitor could result in false alarms (noise) or in a credible threat being missed.

New DTM monitor configuration workflows were presented as a use-case based UX that simplified the setup process, improving time to value and lowering the level of expertise required to configure the product.

The monitor creation UI that I designed for the initial MVP (not shown here) was based on a set of conditional statements and booleans. It was powerful and flexible, but too complicated and error prone to meet the needs of a growing user base with varying degrees of in-house expertise.

I updated the MVP Monitor setup UI with a wizard flow based on a Google Cloud Design System “Stepper” component. This simpler UI was well received and met the needs of the majority of users. Advanced configuration options remained available for our expert-level users.

Envisioning the Future

Once DTM had been migrated to a new design system and implemented with a common set of Google components, it became feasible to explore an increasing number of UX improvements. The integration of additional Google-specific data sources extended the realm of what was possible and allowed us to address more user requests in our product roadmap.

A notional concept of how robust charting components might be integrated into the Alert List view. Also note that this shows DTM within the Google Threat Intelligence product suite.

Conclusion

During my tenure as the DTM UX Lead, Mandiant underwent an acquisition by Google Cloud. I worked under three project managers, oversaw two design system migrations, and encountered frequent shifts in business priorities that profoundly impacted our product’s direction. Despite these challenges, I am proud to have delivered innovative solutions that prioritized a high-quality user experience for our customers. Additionally, I played a crucial role in supporting complex business requirements and collaborating with product leadership to envision the future trajectory of DTM.

“Sebastian has worked through a challenging series of quarters on DTM as the project looks to find solid footing in a complex SecOps portfolio. He has designed and delivered high fidelity mockups and prototypes for features above and beyond the current roadmap of DTM.”

~ UX Manager