Netflix looses FIDO hack attack dog as open source

Netflix has released source code for its automated incident response tool to help organisations cut through the noise of security alerts.

Project lead and security boffin Rob Fry together with Brooks Evans, and Jason Chan announced the unleashing of the Fully Integrated Defense Operation (FIDO) saying it has chewed the time to respond to incidents from weeks to hours.

They describe FIDO as an orchestration layer that automates incident response by evaluating, assessing and responding to malware and other threats.

"Our process for handling alerts from one of our network-based malware systems was to have a help desk ticket created and assigned to a desktop engineer for follow-up - typically a scan of the impacted system or perhaps a re-image of the hard drive," the boffins say in a post.

"The time from alert generation to resolution of these tickets spanned from days to over a week.

"Our help desk system had an API, so we had a hypothesis that we could cut down resolution time by automating the alert-to-ticket process. The simple system we built to ingest the alerts and open the tickets cut the resolution time to a few hours, and we knew we were onto something - thus FIDO was born."

The boffins say FIDO has loyally served the video locker attic for four years, and holds great potential for other organisations to slash the laborious manual slog of incident response.

The system works using a growing number of supported off-the-shelf detectors such as firewalls and intrusion detection systems which funnel alerts into FIDO's bowl.

It will then sniff data sources including Active Directory, LANDesk, and JAMF in a nominated machine to uncover facts like patching status and administrator credentials which is then used to determine how urgently security teams need to respond.

External threat feeds including VirusTotal and ThreatGrid are explored to build context around events and to catch out false positives.

A score is assigned to a given threat based on this information and whether the event has been flagged by other detectors which could indicate a more serious attack is underfoot.

A high score could lead to FIDO disabling an account and barking alerts at security teams, or simply generating a note.

The Netflix pooch can be tuned to an organisation's needs, making it more aggressive or passive depending on requirements.

The tool is part of a series of open source security offerings Netflix has gifted the community.

Last year it released three tools Scumblr, Sketchy, and Workflowable under the Dirty Laundry project. ®