At SEKOIA.IO, we constantly work to ensure our customers are informed and protected from the latest threats.
We focus on automation through new features that optimize our users' daily work and enhance their efficiency: playbooks for automation, graph exploration for incident investigations, data extraction or honeypots to generate new threat indicators, and lookups and smart-description for more readable events. We continue to improve SEKOIA.IO constantly. To remain ahead of the curve, we use an ideation process that allows us to shape our next features. We will cover this process and its organisation within this post.
To bring up new features, we used Design Thinking, a new method developed at Stanford University by Rolf Faste and spread by Tim Brown of IDEO. It is a powerful way to foster creativity, cooperation and experimentation.
The following figure illustrates the four stages of our ideation process.
The Empathize stage aims to collect feedback to identify sticking points, issues and missing features in our products. The feedback we gathered came from several sources, which we explain below.
The first part of our daily users are our customers. To collect their feedback, SEKOIA.IO relies on two sources: 1) our CARE team that continuously maintains contact with our customers and 2) interviews between the Product Owners (POs) and the customers.
Through constant communication with users, CARE collects the sticking points and missing features reported during the interactions. For example, a missing intake format or a relevant source of CTI indicated by our customers helps us to look for areas for improvement.
To ensure more complete feedback, SEKOIA.IO organizes interviews with customers on a regular basis. The goal is to learn first-hand how our customers operate and how they use our products, to identify their needs and to gather their requests. Our CARE team identifies the relevant contacts to interview, sets up an appointment and monitors the exchange. A development team member runs the interview with predefined questions and observes how the interviewee uses our platform: their habits, what works well and what blocks them.
The other daily users are employees of SEKOIA.IO. The platform is the main tool that our internal Intelligence analysts and Security operators use in their daily work. As experts in their field, they identify potential issues and look for the next level of information needed or for potential improvements. Like our customers, they face software issues, identify missing information and find potential improvements for the detection workflow or for Intelligence production. Their insights are highly qualitative and the communication process has been smoothed by years of relationships with the development team.
Additionally, the development team permanently observes the platform. They catch performance issues, notice missing or improvable functionalities and diagnose frustration points.
The proximity between our teams enables quick and exhaustive feedback on issues and new features.
To collect this information, we schedule retrospectives on a regular basis. The members report all the missing points identified during the previous period and work to spot enhancements that could be developed in the next iterations.
To encourage and ease participation, we divide the retrospective into several exercises.
- A first exercise, as an icebreaker, to let everybody speak and gather the mood of the team. We have different icebreaker exercises and we pick the one that best fits the current situation. For example, picture 4 areas (positive / negative / mitigated / neutral ☁) and let everyone select which one best represents their daily mood, along with the reason for their choice.
- A second one to identify sticking points, motivation or risks. The sailboat is a good exercise: draw a sailboat, with an anchor, heading to an island surrounded by reefs, driven by the wind, on a sunny day. Ask attendees to note on post-its what helped them (the wind), what slowed them down (the anchor), their motivations (the sun), their goals (the island) and the risks they foresee (the reefs).
- The third exercise aims to solve issues raised by the previous one. Ask the members to identify how to overcome the difficulties (cut the anchor and inflate the sail), how to avoid or decrease the risk (bypass the reef) and how to increase their motivation. To help them, you can use the Start-Stop-Continue exercise: split a board into 3 columns. The first column (Start) is for actions that the team should start; the second one (Stop) is for actions or habits that don’t work and should be stopped; the last one (Continue) is for what works and what the team should continue. The attendees can put sticky notes in each column.
- A final exercise lets members express themselves with a last word or with thanks.
All gathered information feeds the backlog.
Another source of feedback is sales leads. During commercial prospecting, our sales team corresponds with leads about their needs, their way of working and their previous experiences with XDR software.
As with our customers, these discussions can help identify new features or improvements. In order to enrich the backlog, much as we do with our current customers, we schedule interviews with the sales managers to gather feedback from the prospects. These interviews can be handled by any member of the production team.
Before the ideation phase, we organize a SEKOIA.IO company-wide demonstration of the product.
This moment allows us to show our coworkers the latest features of the platform. The development team also participates to see the final result of the work done during the last production cycle. The demonstration lasts 90 minutes with several presentations. Each speaker has roughly 15 minutes to display the work done by their team. We allow time for a Q&A with the speaker between each of the presentations.
Taking notes on the work carried out by our colleagues stimulates our inspiration and prepares us for the next phase.
This is the stage where ideas, features and enhancements will appear.
We previously explained how the SEKOIA.IO product team collects feedback to feed its backlog. To prepare the ideation phase, the Product Owners go through a first workshop to organize feedback by theme.
Product Owners review the user requests, pick needs, sticking points or features from the backlog, and debate the items to finally cluster them by proximity. For each cluster, a theme and subjects are drawn. Usually, three themes are extracted (e.g. Remediation, Enhancement and stabilization of existing features, Improvement of parsers).
For each identified theme, a workshop is prepared with three to four topics to examine (e.g. Remediation management, Course-of-action, Remediation orchestration). All members of the Product team are invited to participate in these workshops and encouraged to find solutions without judgment. This is called the divergence phase.
After a short introduction about the expectations, everyone joins a working group according to their interests, skills and experience. The organizer checks that every working group has a variety of profiles and skills: some teammates from the CTI, others from the development team, some security operators, and so on.
Depending on the topic, relevant information can be shared at the beginning of the workshop to help everyone understand the subject.
When all members are briefed, the group starts to think about solutions. To encourage everyone to participate, we alternate 5 minutes of individual reflection with group brainstorming, where each member presents their solutions in a caring atmosphere; remember that judgments are not allowed. At the end of the workshop, all working groups meet together and each one shows what it has achieved.
After a divergence workshop, POs meet together to gather all solutions and debate about them. This is the convergence phase.
During this meeting, Product Owners will sort, reject or rearrange the suggestions to keep only the consistent, viable and suitable ones. For instance, the suggestion of a new feature (e.g. remediation management) can be transformed to enrich an existing one (like task assignment in courses-of-action) or, conversely, to use an existing feature (e.g. playbooks) to offer new ones (e.g. Remediation orchestration).
The last step is to repeat the previous ones. The ideation process is an iterative process with recurring activities (like empathize and iterate) and others that are more occasional (like inspire and ideate).
At SEKOIA.IO, inspiration and ideation steps are scheduled at the end of a quarter, as a transition period between two production cycles.
We described how, at SEKOIA.IO, we proceed to define our next features. Our ideation process offers us a practical way to collect needs, stimulate creativity and select relevant solutions. We organized our ideation workshops as a friendly moment to share with our teammates based on exchanges, challenges and fulfillment; everyone is invited to participate without judgment and as peers.
If you want to explore the Design Thinking concepts, we suggest, as an introduction, Design thinking playbook by Michael Lewrick, which is an accessible read with clear pictures and bright writing, or, as a next step, Design sprint by Jake Knapp, which schedules the Design Thinking process over 5 days.