The Netflix team has released FIDO -- an open source system for automatically analysing security events.
Not to be confused with the FIDO Alliance, the name of Netflix's platform stands for Fully Integrated Defense Operation. The project's GitHub page describes FIDO as "an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware."
It continues that the primary purpose of FIDO is to handle the manual effort needed to evaluate threats coming from today's security stack, as well as the large number of alerts generated by them.
Aiming to make existing security tools more efficient and accurate, FIDO is designed to reduce "the manual effort needed to detect, notify and respond to attacks against a network."
Netflix elaborate:
The idea for FIDO came from a simple proof of concept a number of years ago. Our process for handling alerts from one of our network-based malware systems was to have a help desk ticket created and assigned to a desktop engineer for follow-up - typically a scan of the impacted system or perhaps a re-image of the hard drive.
The time from alert generation to resolution of these tickets spanned from days to over a week. Our help desk system had an API, so we had a hypothesis that we could cut down resolution time by automating the alert-to-ticket process. The simple system we built to ingest the alerts and open the tickets cut the resolution time to a few hours, and we knew we were onto something - thus FIDO was born.
Netflix provide the following diagram of FIDO's architecture:
FIDO's operation begins with the receipt of an event from one of FIDO's detectors, which identifies malicious activity or threats and generates an alert for further analysis. The alert is then examined in more depth, supplementing the raw event data with supporting information and context.
To gather data on the threat and on what action is needed, FIDO queries various internal data sources -- with Active Directory, LANDesk, and JAMF currently supported. FIDO also consults external threat feeds to assess how serious an issue may be and to filter out false positives.
The gathered data is correlated by FIDO and scored -- with scoring customisable by the organisation using the platform. Finally, FIDO determines the appropriate next action, ranging from sending an email to the security team to disabling a network port.
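To make the enrich-score-act pipeline concrete, here is a small Python sketch added for this article; it is not FIDO's own code. The inventory records, threat-feed entries, scoring weights and action thresholds are constructed placeholders standing in for the Active Directory/LANDesk/JAMF lookups and feeds the text mentions.

```python
# Constructed stand-ins for internal data sources (AD / LANDesk / JAMF-style
# inventory) and an external threat feed; values are placeholders, not
# Netflix's real data.
ASSET_INVENTORY = {
    "ws-1042": {"owner": "jdoe", "department": "finance", "av_current": False},
    "ws-2077": {"owner": "asmith", "department": "eng", "av_current": True},
}
THREAT_FEED = {  # RFC 5737 documentation addresses
    "203.0.113.7": {"known_bad": True, "confidence": 90},
    "198.51.100.4": {"known_bad": False, "confidence": 10},
}

# Organisation-tunable scoring weights and action thresholds (assumed values).
SCORING = {
    "detector_severity": {"low": 10, "medium": 40, "high": 70},
    "known_bad_destination": 30,
    "av_out_of_date": 15,
    "sensitive_department": {"finance": 20},
}
ACTIONS = [  # (minimum score, action), checked from most to least severe
    (80, "disable_network_port"),
    (50, "open_ticket_and_email_secops"),
    (20, "email_secops"),
    (0, "log_only"),
]

def enrich(alert):
    """Add host context and threat-feed context to the raw detector alert."""
    host = ASSET_INVENTORY.get(alert["host"], {})  # unknown host -> empty context
    feed = THREAT_FEED.get(alert["dest_ip"], {"known_bad": False, "confidence": 0})
    return {**alert, "host_info": host, "threat_info": feed}

def score(enriched):
    """Combine detector severity, threat intel and host context into 0..100."""
    s = SCORING["detector_severity"].get(enriched["severity"], 0)
    if enriched["threat_info"]["known_bad"]:
        s += SCORING["known_bad_destination"]
    if enriched["host_info"].get("av_current") is False:
        s += SCORING["av_out_of_date"]
    s += SCORING["sensitive_department"].get(enriched["host_info"].get("department"), 0)
    return min(s, 100)

def handle_alert(alert):
    """Full pipeline: enrich -> score -> first action whose threshold is met."""
    s = score(enrich(alert))
    return s, next(action for threshold, action in ACTIONS if s >= threshold)
```

A host missing from the inventory still gets scored on detector severity and threat intel alone, which is the kind of partial-context case a real deployment has to tolerate.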
Jason Chan, the cloud security director of engineering for Netflix, engaged with the community on Reddit in the discussion "Netflix introduces FIDO, an Automated Security Incident Response tool", offering to field questions about the platform.
Asked "Could you do this with cots software rather than your custom framework?", Chan responded:
Yes, certainly parts. Look at products sold as 'automated threat response' or 'security orchestration.'
...Vendors are trying to solve all/many customers' problems -- we have a small subset we're interested in. Having worked in security since the late 90s, including for multiple security companies, I'm very familiar with how product roadmaps and support work. I'm careful about how ingrained and dependent our core security processes/capabilities become on any particular vendor.
FIDO is OSS and Netflix welcome suggestions and contributions from the community.