Threat Feeds
Threat feeds are a hot commodity in security right now. One of the biggest complaints I hear about detectors is that they spew out too many false positives. For Netflix, the detector is only the trigger, not the final determination of whether an endpoint has been infected, so threat feeds do much of the work of checking whether the intelligence and algorithms behind the detector are accurate. We do not take an alert from a detector as a threat. Never trust, always verify. We put the alert into FIDO as an event, and FIDO determines whether the alert is a threat. Used right, threat feeds are a crowdsourced way to analyze large amounts of data and reap the rewards: they let you sanity-check the alert coming from your detector and, validated against your own configurable company information, rate how bad a potential threat might be. In the FIDO assembly line, after machine and user information has been gathered, the 'bad guy' information (the hashes, IPs and domains from the alert) is sent to the feeds to build a better picture of the external threat. In short, threat feeds are what can allow you to reduce or eliminate false positives.
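The enrichment step described above, as an added Python example (FIDO itself is a C# project; this is not its code and not its real feed connectors). Two feed classes stand in for a VirusTotal-style multi-engine hash lookup and an AlienVault-style IP reputation list and return constructed, offline data; the feed weights, asset-criticality table, host names, IPs and thresholds are all assumptions that model the "configurable company information" the page refers to. The point it demonstrates is that the detector alert on its own scores zero: only corroboration from feeds, scaled by how much the company cares about the affected host, moves an event from false positive to confirmed.

```python
"""Threat-feed enrichment of a detector alert, modelled on the FIDO
assembly-line step described above. Constructed, offline example: the feed
classes return canned data and are not FIDO's real connectors."""
from dataclasses import dataclass, field


@dataclass
class Alert:
    """Event raised by a detector (IDS, AV, proxy ...). It is only a trigger."""
    detector: str
    host: str
    dst_ip: str
    file_hash: str


@dataclass
class FeedResult:
    feed: str
    hits: int                      # sources that flagged the indicator
    total: int                     # sources that were consulted
    tags: list = field(default_factory=list)

    @property
    def ratio(self) -> float:
        return self.hits / self.total if self.total else 0.0


class HashReputationFeed:
    """Stand-in for a multi-engine file scanner (VirusTotal-like). Constructed data."""
    _db = {
        "44d88612fea8a8f36de82e1278abb02f": (58, 60),  # MD5 of the EICAR test string
        "0000000000000000000000000000dead": (1, 60),   # constructed: single-vendor hit
    }

    def lookup(self, file_hash: str) -> FeedResult:
        hits, total = self._db.get(file_hash, (0, 60))
        return FeedResult("hash_reputation", hits, total)


class IpReputationFeed:
    """Stand-in for an open-source IP blocklist (AlienVault-like). Constructed data."""
    _bad = {"198.51.100.23": ["malware_c2"], "203.0.113.9": ["scanner"]}

    def lookup(self, ip: str) -> FeedResult:
        tags = self._bad.get(ip, [])
        return FeedResult("ip_reputation", 1 if tags else 0, 1, tags)


# Company-configurable scoring (assumed values): how much each feed counts,
# how important each asset is, and which verdict a total maps to.
FEED_WEIGHTS = {"hash_reputation": 60, "ip_reputation": 40}
ASSET_CRITICALITY = {"fin-db-01": 1.5, "dev-vm-07": 0.8}   # hypothetical hosts
THRESHOLDS = [(70, "confirmed"), (30, "suspicious"), (0, "false_positive")]


def default_feeds():
    return {"hash": HashReputationFeed(), "ip": IpReputationFeed()}


def score_alert(alert: Alert, feeds: dict) -> dict:
    """Run every feed over the alert's indicators and combine the evidence.
    The detector alert contributes nothing by itself: with no feed hits the
    score is 0 and the event is treated as a false positive."""
    results = [feeds["hash"].lookup(alert.file_hash), feeds["ip"].lookup(alert.dst_ip)]
    score = sum(FEED_WEIGHTS[r.feed] * r.ratio for r in results)
    score *= ASSET_CRITICALITY.get(alert.host, 1.0)   # company context
    score = min(round(score), 100)
    verdict = next(v for threshold, v in THRESHOLDS if score >= threshold)
    return {"score": score, "verdict": verdict,
            "evidence": [(r.feed, r.hits, r.total, r.tags) for r in results]}


if __name__ == "__main__":
    feeds = default_feeds()
    for a in (Alert("av", "dev-vm-07", "198.51.100.23", "44d88612fea8a8f36de82e1278abb02f"),
              Alert("ids", "web-01", "10.0.0.5", "0000000000000000000000000000dead"),
              Alert("proxy", "fin-db-01", "203.0.113.9", "abc")):
        print(a.host, score_alert(a, feeds))
```

The three constructed alerts show the three outcomes: a widely flagged hash plus a known C2 address on a low-value dev box is still confirmed; a single-vendor hash hit with a clean destination is scored as a false positive; and a scanner IP with no file evidence on a critical database host lands in the suspicious band, where an analyst would look rather than the pipeline acting on its own.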
Current threat feeds FIDO supports:
- VirusTotal
- ThreatGRID
- AlienVault open source IP list
Threat feeds currently in progress or planned:
- ThreatGRID
- ProtectWise
- Cyphort
- OpenDNS
- Lastline
- WildFire
- Team Cymru
- IID
- Metascan
- Quttera
While I wish we could have had more available at OSS release, I can tell you many of these have been tested and will be released when they are ready. If you don't see a threat feed listed, or have questions, just let me know. Additionally, if you're interested in creating one we'd be happy to have the help.
On to the next step... [Event Correlation](<https://github.com/Netflix/Fido/wiki/Event Correlation>).