Netflix has open sourced FIDO (Fully Integrated Defense Operation), a system for automatically analyzing security events and responding to security incidents that the company has been successfully using for over 4 years.
“The typical process for investigating security-related alerts is labor intensive and largely manual,” Netflix’ Rob Fry, Brooks Evans, and Jason Chan explained in the announcement. “Netflix, like all organizations, has a finite amount of resources to combat this phenomenon, so we built FIDO to help.”
They say that FIDO cuts down the time it takes to handle alerts from their network-based malware systems, firewalls, intrusion detection systems, and other detectors, from days (and sometimes a week) to a few hours.
“FIDO provides a number of ways to ingest events, including via API (the preferred method), SQL database, log file, and email. FIDO supports a variety of detectors currently (e.g. Cyphort, ProtectWise, CarbonBlack/Bit9) with more planned or under development,” they noted.
Each event is then enriched with data from internal (currently supported are Active Directory, LANDesk, and JAMF) and external (threats feeds such as ThreatGrid and VirusTotal) data sources to enable more informed decision making.
Then, it tries to correlate this information with other data it has already received, and calculates a score (customized to an organization’s unique requirements) that is used to decide what kind of action is needed: a simple email alert, or protective measures such as disabling an account, ending a VPN session or all kinds of different actions for which future users of FIDO will have to implement functionality.
For more information about the system, check out the GitHub project page.
This is not the first time that the Netflix team open sourced software it created internally. Last year they made available three tools that allow security teams to keep an eye out for Internet-based discussions regarding potential attacks against their organization’s infrastructure.