Pretty is the Enemy of Great

When the team at Critical Informatics started redesigning our managed service product from the ground up for version 2.0, we had to ask ourselves a lot of questions about how to build on our success with a popular model, eliminating weaknesses, improving features we liked and extending it in ways that continue to show value in a market where it seems like everyone is claiming “advanced analytics” as their not-so-secret sauce.

Often, in early planning for products – the earliest decisions are philosophical in nature, rather than technical. This is reflected in my first post on version 2.0, where I explain that in many ways, it’s all about getting to the question – and the answers follow. In this post, I want to talk about another philosophy that we adopted in 2.0 which drives our sales and marketing team crazy, and we are still convinced was absolutely the right direction.

Critical Insight has a lot of features that are rare or non-existent in competitive products like access to packet capture for perfect replay of network events, zero false positive reporting and human analysts in the loop for all reported events. What we don’t (yet) have, is a beautiful customer portal that allows our customers to login and view beautiful pie charts and bar graphs which represent security related activities on their network. We deliver a monthly report (with beautiful graphs) that shows these things, but even that report wasn’t a priority for us, because we are focused on something else; helping our customers with security events.

If Critical Insight is monitoring your network, our job is to spot potential problems, verify that they are real problems and report only real problems to your incident response process/team for action. To do that, we need analysis platforms, threat intelligence, raw data and truly amazing analysts all performing at peak efficiency to boil everything down into a FEMA style Incident Action Plan that you can use to respond to a confirmed incident. Note that nowhere in that description is an on-demand pie-chart of what APTs are pinging your firewall today as a customer experience. We selfishly created a ton of interface/analytical/visualization tools for our own internal analysts and nothing for you.

This flies in the face of every IDS/IPS/Dashboard/VisualizationOfSecurityDataWillSaveUsAll that we’ve ever seen, and believe me – our sales team isn’t happy about it. It DOES, however provide our customers with the very things we promise. This is what allows Critical Insight to provide very very (very) expensive analyst time efficiently. For most of our customers, doing the nationwide search for an analyst with the skill, experience and capabilities to look at the fancy dashboard that most products produce and make sense of it is really out of the question. These folks are as rare as a 30 carat diamond and almost as expensive. Our focus has been around making the very best use of this hard to acquire talent and experience and providing it as a resource to our customers.

Maximizing the effectiveness of our analysts on your behalf will always remain our priority. For now, our monthly reporting satisfies that “death by numbers with colorful graphs” itch that the industry has assured us we must all scratch – but a live portal for data, analysis results and other dashboard-ey stuff is on the product roadmap. We can’t ever lose sight of what we MUST deliver though, curated analysis of security events from human analysts with sufficient detail for customer action.

I should probably mention that our analysts screens are not exactly objets d’art. If you hang out in the Critical Informatics Security Operations Center, you’ll see large screens full of text, meaningful to the development team and our analysts, but pretty densely packed for normal humans. The occasional bar chart will appear, but is quickly closed by an embarrassed looking analyst, hoping nobody saw it.

//]]>