Netflix Releases FIDO Incident Response Tool

Engineers at Netflix have released another one of the company’s bespoke security tools as an open-source application, this time an incident-response system known as FIDO.

Engineers at Netflix have released another one of the company’s bespoke security tools as an open-source application, this time an incident-response system known as FIDO.

The tool is designed to help automate the process of incident response, and specifically it acts as a new layer that helps tie together existing applications by evaluating and assessing alerts that come into a network caused by malware detection and other problems. FIDO (Fully Integrated Defense Operation) has a number of different functions, including pulling in detection alerts from a variety of other security products, handling analysis, correlation and scoring, and notification.

“The idea for FIDO came from a simple proof of concept a number of years ago. Our process for handling alerts from one of our network-based malware systems was to have a help desk ticket created and assigned to a desktop engineer for follow-up – typically a scan of the impacted system or perhaps a re-image of the hard drive,” Rob Fry, Brooks Evans and Jason Chan wrote in a post explaining the tool. 

“The time from alert generation to resolution of these tickets spanned from days to over a week. Our help desk system had an API, so we had a hypothesis that we could cut down resolution time by automating the alert-to-ticket process. The simple system we built to ingest the alerts and open the tickets cut the resolution time to a few hours, and we knew we were onto something – thus FIDO was born.”

Once a security event is detected by one of the network devices connected to FIDO–such as a firewall, IDS, or anti-malware app–the tool begins its analysis and enrichment phase. This involves pulling in data from other internal and external sources to help add context to a given event, determine what the target was and figure out whether the event was legitimate or a false positive of some sort. From there, FIDO can be used for correlation of an incoming event with other similar alerts and scoring.

“FIDO implements separate scoring for the threat, the machine, and the user, and rolls the separate scores into a total score. Scoring allows you to treat PCI systems different than lab systems, customer service representatives different than engineers, and new event sources different than event sources with which you have more experience (and perhaps trust),” the Netflix engineers said.

After the scoring phase is complete, FIDO begins the process of notification. This can be a simple action, such as emailing someone, or a more complicated one such as shutting down a VPN session.

FIDO is just the latest in a series of internal tools that Netflix has turned into open-source applications for external use. Last year the company released two applications, called Scumblr and Sketchy, that can crawl a variety of social media sites and other resources to look for indications of an upcoming attack. Netflix also released a separate tool called Security Monkey that’s used to monitor Amazon Web Services configurations. The company has been using FIDO for several years but the company’s engineers said there’s still room for improvement.

“Netflix has been using FIDO for a bit over 4 years, and while it is meeting our requirements well, we have a number of features and improvements planned. On the user interface side, we are planning for an administrative UI with dashboards and assistance for enforcement configuration. Additional external integrations planned include PAN, OpenDNS, and SentinelOne. We’re also working on improvements around correlation and host detection,” they said.

Image from Flickr photos of Mike K

Suggested articles