This repository has been archived by the owner on Aug 31, 2018. It is now read-only.

FIDO Creation

Rob edited this page Aug 12, 2014 · 6 revisions

Background

FIDO was born out of an idea I had in March of 2011. At the time we were having issues getting FireEye alerts to our Helpdesk/Desktop folks fast enough for remediation. Basically, there was a need to take the alerts generated by a FireEye appliance and automatically turn each one into an actionable item. The first version was written in an obscure scripting language, was about 50 lines long, and essentially used an email plugin to retrieve the email alerts generated by FireEye and then automatically generate tickets in Service-Now. While this was a trivial approach, it took our average response time down from 12 to 36 hours to less than a few hours. The bigger 'win' for us, though, was that we saw greater possibilities in adding new features and capabilities.

In mid-2012 the second version of FIDO took the ideas we had brainstormed and put them into action. It was the first version where external threat feeds were integrated. We also started pulling in host and user information. Detector support went from just FireEye to include SourceFire and Sophos. Alerts went from text-based to HTML. This was the start of FIDO having correlation, and the first pieces of enforcement were implemented. Overall the second version was a much bigger success, and again it got us thinking about what else we could come up with. This time around, though, it wasn't a few ideas but a deluge of enhancements and feature requests.

That brings us to the current version, which is called v3.1 internally but will be v0.1 as OSS. We had no intention of open-sourcing the first two versions of FIDO. This changed, though, after we received so much positive feedback and attention from security vendors and colleagues.

To make FIDO more relevant at other companies I decided to make FIDO modular. The idea was that if someone downloaded and used FIDO, they should be able to 'check a box' for whatever was already part of their internal security stack. If part of your security stack isn't in FIDO, then create it and give back to the community, or ask someone to help create it for you. This modular approach is key to FIDO, as it allows us to plug in new threat feeds, data sources, detectors, etc.

The latest version of FIDO went live internally in October 2014. The codebase, features, and intention of what FIDO was to become were really laid down with this version. The set of initiatives, features and product functionality introduced with this version is extensive. While not all functions and features are currently live in the OSS release, it is our intention to update FIDO as either we or the community have contributions.
