Netflix Releases FIDO Open-Source Incident Response Software

by Neil Sardesai, May 7, 2015

Netflix recently announced the open-source release of the company’s automated security incident response software known as FIDO, short for Fully Integrated Defense Operation. Like many organisations, Netflix used to investigate security-related alerts manually, a slow and labour-intensive process. The company set out to automate much of the incident response process and began developing FIDO in 2011. Now the Netflix security team has released the source code for FIDO, giving any enterprise a free tool to improve its network’s security.

FIDO – The Netflix Watchdog

Incident response is a largely manual process for most companies. At Netflix,

“Our process for handling alerts from one of our network-based malware systems was to have a help desk ticket created and assigned to a desktop engineer for follow-up – typically a scan of the impacted system or perhaps a re-image of the hard drive. The time from alert generation to resolution of these tickets spanned from days to over a week.”

The company decided to experiment with automating the alert-to-ticket process, and “thus FIDO was born.” Netflix describes FIDO as “an orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats.” The way the software works is fairly straightforward and incredibly flexible.

Fido Workflow

FIDO starts by taking in events generated by a growing number of supported off-the-shelf security products such as firewalls and anti-malware systems. FIDO then analyses the data, supplementing the raw security notifications with contextual information. This enrichment helps filter out false positives that would otherwise waste a security team’s time. FIDO’s analysis includes asking several relevant questions about the security event’s target.

“Is the machine a Windows host or a Linux server? Is it in the PCI zone? Does the system have security software installed and the latest patches? Is the targeted user a Domain Administrator? An executive? Having answers to these questions allows us to better evaluate the threat and determine what actions need to be taken (and with what urgency).”

FIDO also queries several external threat feeds such as VirusTotal and ThreatGrid. After the analysis is complete, FIDO assigns each event a “score”.

“Scoring is multi-dimensional and highly customizable in FIDO. Essentially, what scoring allows you to do is tune FIDO’s response to the threat and your own organization’s unique requirements. FIDO implements separate scoring for the threat, the machine, and the user, and rolls the separate scores into a total score.”

Organizations can tune FIDO to be as aggressive or passive as they need. For instance, a high score could trigger drastic actions such as banning a user’s account or disabling a network port. A more passive FIDO could simply send an email to an organization’s security team.
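As an added illustration (not FIDO’s own code; every weight, threshold, inventory entry and feed verdict below is a constructed assumption), the following Python sketches the enrich-score-respond workflow described above: an alert is enriched with host and user context, combined with external feed verdicts, scored separately for threat, machine and user, and the rolled-up total selects a response tier.

```python
from dataclasses import dataclass

# Constructed inventory; FIDO pulls the equivalent from asset and identity systems.
HOSTS = {
    "wks-042": {"pci_zone": False, "av_installed": True, "patched": False},
    "db-pci-07": {"pci_zone": True, "av_installed": True, "patched": True},
}
USERS = {"alice": {"domain_admin": False, "executive": False},
         "bob": {"domain_admin": True, "executive": False}}
# Constructed feed verdicts keyed by indicator (stand-in for VirusTotal/ThreatGrid lookups).
FEEDS = {"evil.example": {"virustotal_hits": 31, "threatgrid": "malicious"}}

@dataclass
class Score:
    threat: int
    machine: int
    user: int

    @property
    def total(self) -> int:
        # Roll the three separate dimensions into one total score.
        return self.threat + self.machine + self.user

def score_threat(indicator: str, detector_severity: int) -> int:
    """Threat dimension: detector severity plus agreement from external feeds."""
    feed = FEEDS.get(indicator, {})
    score = detector_severity
    score += 30 if feed.get("virustotal_hits", 0) >= 10 else 0
    score += 20 if feed.get("threatgrid") == "malicious" else 0
    return score

def score_machine(hostname: str) -> int:
    """Machine dimension: exposure (PCI zone) and missing protections on the target."""
    host = HOSTS.get(hostname, {})
    score = 30 if host.get("pci_zone") else 0
    score += 20 if not host.get("patched", True) else 0
    score += 20 if not host.get("av_installed", True) else 0
    return score

def score_user(username: str) -> int:
    """User dimension: privilege and impact of the targeted account."""
    user = USERS.get(username, {})
    return (40 if user.get("domain_admin") else 0) + (30 if user.get("executive") else 0)

def evaluate(alert: dict):
    """Enrich, score and choose a response tier; thresholds are per-organisation tuning."""
    score = Score(score_threat(alert["indicator"], alert["severity"]),
                  score_machine(alert["host"]), score_user(alert["user"]))
    tiers = [(120, "disable_port_and_ban_account"), (70, "open_ticket"), (0, "email_security_team")]
    action = next(a for threshold, a in tiers if score.total >= threshold)
    return score, action
```

Raising or lowering the tier thresholds is how an organisation makes this pipeline more aggressive or more passive, matching the tuning the article describes.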

FIDO’s high degree of flexibility and customizability makes the software an attractive solution for many companies. FIDO is entirely open-source, and Netflix encourages FIDO users to suggest and submit their own improvements. Netflix also plans to release various features and improvements for FIDO in the future, including an administrative UI with detailed dashboards and statistics.

