FIDO can help decrease incident response time

May 5, 2015 14:15 GMT

For the past four years, Netflix has been relying on a system of its own creation, called FIDO, to cut down the time needed to respond to a security incident; now the company is making the code freely available to the public.

FIDO stands for Fully Integrated Defense Operation and it is designed for screening security events and taking an appropriate action automatically based on data collected from different resources, both internal and external.

FIDO captures events, correlates and scores them

The system works by receiving a raw security event from security products and putting it into a relevant context that can be easily interpreted and dealt with by the security incident response team.

FIDO starts by analyzing the nature of the targeted resource and its attributes, such as the operating system running, available security products or privileges of the user.

In the next step, the system correlates the information with previously recorded data and provides an overall score for the event, based on the type of threat, the machine targeted, and the user.

Correlating the information takes into consideration factors like the number of security solutions that detected and blocked the threat. If the incident has already been addressed, FIDO issues a notification that may not require additional action.
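The pipeline described above (enrich the raw event with asset and user context, correlate it with earlier events, score it, and decide whether the result only warrants a notification) can be sketched in a few dozen lines. The following is an added illustration written for this page, not Netflix's FIDO code: the asset inventory, privileged-user list, threat weights, score adjustments and sample events are all constructed for the demo, and FIDO's real scoring tables and field names are not published in the article.

```python
"""Toy event-enrichment and scoring pipeline in the style the article
describes for FIDO. Illustrative code written for this page, not Netflix's;
every inventory entry, weight and sample event below is constructed."""

from dataclasses import dataclass, field

# Constructed asset inventory: the "targeted resource and its attributes".
ASSETS = {
    "ws-1042": {"os": "windows", "security_products": ["av", "edr"], "user": "jdoe"},
    "srv-07": {"os": "linux", "security_products": ["edr"], "user": "svc-deploy"},
}

# Constructed directory data: users holding elevated privileges.
PRIVILEGED_USERS = {"svc-deploy"}

# Constructed base weight per threat type (an assumption, not FIDO's table).
THREAT_WEIGHTS = {"malware": 40, "phishing": 25, "scan": 10}


@dataclass
class Event:
    host: str
    threat: str
    source: str      # security product that raised the event
    blocked: bool    # whether that product stopped the threat


@dataclass
class ScoredEvent:
    host: str
    threat: str
    score: int
    detections: int          # distinct products that saw the threat
    blocked_by: list         # products that blocked it
    action: str              # notify / triage / escalate
    notes: list = field(default_factory=list)


def enrich(event: Event) -> dict:
    """Step 1: attach OS, installed security products and user privilege."""
    asset = ASSETS.get(event.host, {"os": "unknown", "security_products": [], "user": None})
    return {
        "host": event.host,
        "os": asset["os"],
        "products": asset["security_products"],
        "user": asset["user"],
        "privileged": asset["user"] in PRIVILEGED_USERS,
    }


def correlate(event: Event, history: list) -> list:
    """Step 2: earlier events about the same host and threat type."""
    return [h for h in history if h.host == event.host and h.threat == event.threat]


def score(event: Event, history: list) -> ScoredEvent:
    """Step 3: score on threat type, machine and user; lower the score for
    every product that already blocked the threat, and only notify when
    everything that detected it also contained it."""
    ctx = enrich(event)
    related = correlate(event, history) + [event]
    detections = len({e.source for e in related})
    blocked_by = sorted({e.source for e in related if e.blocked})
    s = THREAT_WEIGHTS.get(event.threat, 15)
    notes = []
    if ctx["privileged"]:
        s += 30
        notes.append("privileged user")
    if ctx["os"] == "unknown":
        s += 20
        notes.append("host not in inventory")
    if not ctx["products"]:
        s += 15
        notes.append("no endpoint protection")
    s -= 20 * len(blocked_by)          # each blocking product reduces urgency
    s = max(0, min(100, s))
    if blocked_by and len(blocked_by) == detections:
        action = "notify"              # already addressed; informational only
    elif s >= 60:
        action = "escalate"
    else:
        action = "triage"
    return ScoredEvent(event.host, event.threat, s, detections, blocked_by, action, notes)


if __name__ == "__main__":
    history = [Event("ws-1042", "malware", "edr", True)]
    for ev in (Event("ws-1042", "malware", "av", True),
               Event("srv-07", "malware", "edr", False),
               Event("lap-99", "scan", "ids", False)):
        print(score(ev, history))
```

The three sample events show the cases the article singles out: a threat blocked by every product that saw it collapses to a notification, an unblocked threat on a host used by a privileged account escalates, and an event from a host missing from the inventory is flagged for triage with the missing context recorded in the notes.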

Improvements are on the way

The response component in FIDO can enforce measures like disabling accounts, shutting down VPN sessions or blocking a network port.

FIDO project leader Rob Fry, along with Brooks Evans and Jason Chan, say that most of the actions taken by the tool have been in accordance with Netflix’s needs. However, the code responsible for this enforcement activity has been removed from the open source version of the tool.

“We will re-implement this functionality in the OSS version when we are better able to provide the end-user reasonable and scalable control over enforcement customization and actions,” the security experts say.

They add that there are plans to improve the user interface with dashboards, as well as the configuration for assistance and rule enforcement. Planned external integrations include PAN, OpenDNS and SentinelOne.

According to the experts, FIDO reduced the time needed to address a security incident from about a week to just hours.

[Images: FIDO internal workflow; FIDO scoring system]