Introducing FIDO: Automated Security Incident Response - akerl_
http://techblog.netflix.com/2015/05/introducing-fido-automated-security.html

======
USNetizen
Anyone else notice the source they provide seems a bit light on functional
code in multiple areas? Lots of stubs, empty methods, commented-out blocks and
such throughout.

Did they neuter it by stripping out core functionality prior to releasing as
open source? Sort of disappointing if so.

Almost seems useless in its current state given the degree of missing code
(caveat: I have not run it yet, only read through the code in the GitHub
repo).

~~~
USNetizen
Looking at it deeper I notice the scoring system is less advanced than I would
have thought coming from a Netflix-type organization. Etsy released a tool a
while back for general anomaly detection that used much more advanced
statistical analysis. Would have loved to see more of that in here.

------
kevinschumacher
Anyone else surprised to see that this is a C# application? Anyone know how
much C# development happens at Netflix?

~~~
retr0h
This looks exciting.

[https://github.com/Netflix/Fido/issues/2](https://github.com/Netflix/Fido/issues/2)

~~~
macca321
Maybe if you like watching car crashes.

------
Osiris
My understanding is this was developed internally inside their security team,
so it likely isn't a reflection of their standard development process.

I'm glad to see this become open source. I became aware of this when they
integrated with my API a few months ago [1].

[https://github.com/Netflix/Fido/blob/master/Main/Detectors/D...](https://github.com/Netflix/Fido/blob/master/Main/Detectors/Detect_Protectwise_v1.cs)

------
obituary_latte
Is this intended to complement or replace things like AlienVault/Snort? Can it
handle raw *nix logs? Logstash? Windows events? It seems like from the post
some kind of third-party connection is required (LANDesk?), but I may not be
reading right.

At any rate, thanks as always for sharing :)

~~~
freehunter
It doesn't seem like it replaces Snort, which is an intrusion prevention
system. It's more akin to AlienVault, which is a SIEM. Netflix shies away from
the term SIEM. They call this an incident response software. I'm reading
through it trying to figure out how it's different from a SIEM, but there's
not a lot of technical details.

~~~
thieving_magpie
So akin to Snorby mixed with OSSEC active-response? Should be interesting to
see if this gets picked up in an OS like Security Onion.

Also, it appears to use Snort.

------
n3mes1s
Panel at RSA:
[https://www.youtube.com/watch?v=qzK9Mj2V6BA](https://www.youtube.com/watch?v=qzK9Mj2V6BA)

------
ldom66
I love the Windows ME comment.

------
netman21
So Netflix spent four years developing automated trouble ticketing? I wonder
if they evaluated the dozens of existing products that do this already?

~~~
Osiris
It's not trouble ticketing. It's an aggregator of threat analysis responses
from multiple sources that they use in the SOC to monitor for security threats
and incursions.

Is there already an open source product that does that? That would be
interesting to know about since I work in that space.