FIDO Creation
FIDO was born out of an idea I had back in March of 2011. At the time we were having issues taking FireEye alerts and getting them to our Helpdesk/Desktop folks fast enough for remediation. Basically, there was a need to take alerts generated from a FireEye appliance and automate the alert into an actionable item. The first version was written in bash, was about 100 lines long, and essentially used an email plugin to retrieve email alerts generated by FireEye and then automatically generate tickets in Service-Now. While this was a trivial approach, it took our average response time down from 12-36 hours to less than an hour. The bigger 'win' for us, though, was that we saw great possibilities in adding new features and capabilities.
In mid-2012 the second version of FIDO took the brainstorming ideas we came up with and put them into action. It was the first version where external threat feeds were integrated. We also started pulling in host and user information. Detector support went from just FireEye to include SourceFire and Sophos. Alerts went from text-based to HTML. This was the start of FIDO having correlation, and the first pieces of enforcement were implemented. Overall, the second version was a much bigger success, and again, it got us thinking about what else we could come up with. This time around, though, it wasn't a few ideas but a deluge of enhancements and feature requests.
Which brings us to the current version, which internally is called v3.1 but as OSS will be v0.1. I never had any intention of open sourcing FIDO, but this changed after we received so much positive feedback and attention from security vendors, colleagues, and others. The problem this created was that I had written FIDO to be proprietary. Netflix OSS was at this time gaining traction, but never did I imagine FIDO would be asked to be included. As such, the codebase was written in a proprietary way... so I started reworking FIDO so that it could be used externally.
To make FIDO more relevant outside of Netflix I decided to make it modular. Each company has a unique security stack and additional unique ways to use those tools. The idea was that if someone were to download and use FIDO, why not give them the ability to 'check a box' for what they had as part of their internal security stack. If part of your security stack isn't in FIDO, then create it and give back to the community, or ask someone to help create it for you. This modular approach is key to FIDO, as it allows us to 'plug in' new threat feeds, data sources, detectors, etc. While the plug-in framework is still immature, it has great possibilities as it matures.
The latest version of FIDO went live internally in October 2013. The codebase, features, and intention of what FIDO was to become were really laid down with this version. The number of initiatives, features, and product functions introduced with this version is large. While not all functions and features are currently live in the OSS release, it is our intention to update FIDO as either we or the community have contributions.
Keep in mind, this is a working prototype that we are releasing so the community can help with it. There are undoubtedly issues with the code and other problems which cannot be fixed during the 10%-15% of my time that I get to dedicate to this project.