The typical process for investigating security-related alerts is labor intensive and largely manual. To make the situation more difficult, as attacks increase in number and diversity, there is an increasing array of detection systems deployed and generating even more alerts for security teams to investigate.
Netflix, like all organizations, has a finite amount of resources to combat this phenomenon, so we built FIDO to help. FIDO is an orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats.
4. The Human Problem
• Vendors and organizations are not doing enough to lower the bar
• 62% of organizations have not increased security training
• 83% of enterprises lack the resources or skills to protect assets
• Majority of the work is done manually… self-defeating
• Response time windows are too long
• Enforcement and mitigation are largely manual
5. Too Many Alerts, Too Little Time/Resources
Network defenders are overwhelmed by the volume of alerts
• Typical Fortune 1000 organization experiences thousands of new security events every day (1)
• Data review is time consuming
Current industry best practices rely on analysts using SIEM technologies + manual use of threat intel feeds
• Too many false positives
• Very little guidance on how to filter the signal from the noise
The Technical Problem
Source: (1) IBM 2014 Cyber Security Intelligence Index
6. “There are 400 alerts in my SIEM, and I have time/resources to investigate 10. Which 10 do I choose?” (1)
Source: (1) CISO from Fortune 200 Company
The Technical Problem
8. F.I.D.O. = Orchestration
• The work of a human, but at machine speed
• Data enrichment
• Get more out of security investment
• Adds consistency
• Filter out false positives
• Threat, user, machine and asset scoring
11. At First, Simplicity
Disjointed Security
[Diagram: Malware seen by a Network Alert (Firewall/IPS/IDS) and by Endpoint Defense, each handled by a separate Support Person; one path reads "Bad!", the other "Blocked!"]
12. At First, Simplicity
Joining the disjointed
[Diagram: Network Alert (Firewall/IPS/IDS) and Endpoint Defense feed a single Support Person; the Malware outcome is either Blocked or Not Blocked]
13. At First, Simplicity
Joining the disjointed
• Aggregate data from multiple human jobs at once
• Look for corresponding events
• Reduce severity where one detector blocks
• Reduce response time
• Opened door to other ideas
14. Look Outside the Security Sphere
Expanding data sources
[Diagram: Network Alert (Firewall/IPS/IDS), Endpoint Defense and a Data Source (User, Asset, Machine) feed the Support Person; Malware outcome Blocked / Not Blocked]
15. Data Source
Expanding data sources
• Systems management, inventory, HR, AD, etc.
• Added machine, user, asset posture
• Not just about the threat, context is still king
• Example: any alert against PCI, PII, Domain Admin, CEO, etc., would be more critical
Look Outside the Security Sphere
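The two ideas from slides 13 and 15, joining corresponding detector events and then pulling in user/asset posture from outside the security sphere, can be sketched in code. This is an added example and not FIDO's own code; the alert fields, the 10-minute join window, the severity adjustments and the sample alerts and asset context are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumed window inside which a network alert and an endpoint event for the
# same host and indicator count as "corresponding events".
JOIN_WINDOW = timedelta(minutes=10)

# Asset/user tags that make any alert more critical (the slide's PCI, PII,
# Domain Admin and CEO examples).
HIGH_VALUE_TAGS = {"pci", "pii", "domain_admin", "executive"}


@dataclass
class Alert:
    source: str         # "network" (firewall/IPS/IDS) or "endpoint"
    host: str
    indicator: str      # hash, URL or IP the detector reported
    time: datetime
    blocked: bool       # True if this detector stopped the activity
    severity: int       # 1 (low) .. 5 (critical), as reported by the detector


@dataclass
class Incident:
    host: str
    indicator: str
    first_seen: datetime
    alerts: List[Alert] = field(default_factory=list)
    severity: int = 1
    blocked: bool = False
    user: Optional[str] = None
    tags: Set[str] = field(default_factory=set)


def correlate(alerts: List[Alert]) -> List[Incident]:
    """Join alerts from different detectors into one incident per
    host/indicator when they fall inside JOIN_WINDOW of each other."""
    incidents: List[Incident] = []
    for a in sorted(alerts, key=lambda x: x.time):
        for inc in incidents:
            if (inc.host == a.host and inc.indicator == a.indicator
                    and a.time - inc.first_seen <= JOIN_WINDOW):
                inc.alerts.append(a)
                break
        else:
            incidents.append(Incident(a.host, a.indicator, a.time, [a]))
    for inc in incidents:
        inc.severity = max(a.severity for a in inc.alerts)
        inc.blocked = any(a.blocked for a in inc.alerts)
        if inc.blocked:
            # One detector already stopped it: reduce severity (assumed -2, floor 1).
            inc.severity = max(1, inc.severity - 2)
    return incidents


def enrich(incidents: List[Incident], context: Dict[str, dict]) -> List[Incident]:
    """Add user/asset posture (systems management, HR, AD) and raise severity
    for alerts against high-value assets or people (assumed +1, cap 5)."""
    for inc in incidents:
        ctx = context.get(inc.host, {})
        inc.user = ctx.get("user")
        inc.tags = set(ctx.get("tags", ()))
        if inc.tags & HIGH_VALUE_TAGS:
            inc.severity = min(5, inc.severity + 1)
    return incidents


def triage(alerts: List[Alert], context: Dict[str, dict]) -> List[Incident]:
    """Correlate, enrich, and order so an analyst works the top N first."""
    incidents = enrich(correlate(alerts), context)
    return sorted(incidents, key=lambda i: (-i.severity, i.first_seen))


# Constructed sample input: hosts, hashes and addresses are made up.
T0 = datetime(2015, 6, 1, 10, 0)
SAMPLE_ALERTS = [
    Alert("network", "ws-0042", "sha256:deadbeef", T0, False, 4),
    Alert("endpoint", "ws-0042", "sha256:deadbeef", T0 + timedelta(minutes=3), True, 3),
    Alert("network", "ws-0077", "http://bad.example/x", T0, False, 3),
    Alert("network", "ws-0101", "203.0.113.9", T0 + timedelta(minutes=5), False, 3),
    # Same host and hash again an hour later: outside the window, so a new incident.
    Alert("endpoint", "ws-0042", "sha256:deadbeef", T0 + timedelta(hours=1), True, 3),
]
SAMPLE_CONTEXT = {
    "ws-0042": {"user": "jdoe", "tags": {"pci"}},
    "ws-0077": {"user": "ceo", "tags": {"executive", "domain_admin"}},
    "ws-0101": {"user": "intern", "tags": set()},
}

if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS, SAMPLE_CONTEXT):
        print(inc.severity, inc.host, inc.user, sorted(inc.tags), "blocked" if inc.blocked else "open")
```

The ordering is the point: the unblocked alert against the executive's domain-admin machine comes out on top, while the hash the endpoint agent already blocked drops down the queue even though the network sensor rated it highest, exactly the "reduce severity where one detector blocks" rule from slide 13.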
16. Threat Feeds
Value in Crowdsourcing
[Diagram: Alert, Data Source (User, Asset, Machine) and Threat Feeds feed a Correlation step that reports to the Support Person]
18. Threat Feeds
• Too much data to process manually; more effective when automated
• Can provide rich detailed layers of context
• As a stack, can cover the multiple layers
• Cross-correlation between feeds
• Scheduled artifact checking
• Prelude to detection
Value in Crowdsourcing
20. Historical Data
• Security alerts
• User, machine
• Artifacts (IP, hash, URL)
• Introduces thresholds
• Retrospection
Historical
Looking back is important
21. Scoring Engine
Assessing the Data
[Diagram: Alert → Correlation → Scoring (0%-100%: User, Asset, Machine, Threat, Total) → Support Person; Correlation draws on Data Source (User, Asset, Machine), Threat Feeds and Historical data]
28. Correlation Initiatives
• More data, different data, more data points
• Move past 1000 vectors
• More indicators
• Move laterally across data (detector, threat feed, whatever)
• Drill in multiple layers deep
• Better data enrichment algorithms for higher quality associations, thresholds, increments
• Independent processes for correlation (microservices)
• Continue to evaluate ML for correlation
29. • F.I.D.O. is not ML, but we are working on it
• ML for scoring first (Thank you Mines.IO team)
• ML for security is hard, efficacy can be challenging
• Correlation can be repeatable
• Correlation is what security people do… codify it
Correlation Initiatives
30. F.I.D.O. High Level
[Diagram: F.I.D.O. produces Threat, User, Machine and Asset scores and a Total Score; enforcement options: Kill NIC, Client Sandboxing, Network Sandboxing, Automated Re-image, Kill VPN, DHCP Blacklist, Disable Account, Reset Password; outputs: Recommendation, Link to Docs, Actions Performed, Create Ticket, Updates DB]
Pipeline stages: 1. Detectors 2. Host Detection 3. Threat Stack 4. Data Sources 5. Correlation 6. Scoring 7. Enforcement 8. Notification
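Slides 18, 20, 21 and 30 describe the scoring side: cross-correlated threat feeds and historical thresholds feed a Threat score, the User/Machine/Asset posture feeds their own scores, and a Total Score in the 0%-100% range selects an enforcement recommendation. The following is an added example of that flow and not FIDO's code; the weights, the per-component scoring rules, the tier thresholds and the two sample alerts are assumptions. The feed names and action names are the ones on the slides.

```python
from typing import Dict, List, Set

# Assumed weights for combining component scores into the Total Score (sum to 1.0).
WEIGHTS = {"threat": 0.5, "user": 0.15, "machine": 0.15, "asset": 0.2}

# Assumed tiers: the first threshold the total meets selects the recommendation.
# Action names are the enforcement/output options shown on slide 30.
ACTION_TIERS = [
    (90, ["Kill NIC", "Disable Account", "Reset Password", "Automated Re-image"]),
    (70, ["Network Sandboxing", "Kill VPN", "DHCP Blacklist"]),
    (40, ["Client Sandboxing"]),
    (0, ["Create Ticket"]),
]

HIGH_VALUE_TAGS = {"pci", "pii", "domain_admin", "executive"}


def threat_score(feed_hits: Dict[str, bool], previous_threats: int) -> float:
    """Cross-correlate threat feeds: the share of queried feeds that flag the
    artifact sets the base, and prior sightings of the same artifact
    (historical data) add 10 points each, capped at 30 (assumed values)."""
    if not feed_hits:
        return 0.0
    agreeing = sum(1 for hit in feed_hits.values() if hit)
    base = 100.0 * agreeing / len(feed_hits)
    return min(100.0, base + min(30.0, 10.0 * previous_threats))


def user_score(is_privileged: bool, prior_incidents: int) -> float:
    """Privileged users start higher; each prior incident adds 10 (assumed)."""
    return min(100.0, (60.0 if is_privileged else 20.0) + 10.0 * prior_incidents)


def machine_score(os_patched: bool, endpoint_agent: bool, prior_incidents: int) -> float:
    """Machine posture from systems management: unpatched OS or missing
    endpoint agent each add 30; prior incidents add 10 each (assumed)."""
    score = 20.0 + (0 if os_patched else 30.0) + (0 if endpoint_agent else 30.0)
    return min(100.0, score + 10.0 * prior_incidents)


def asset_score(tags: Set[str]) -> float:
    """Any PCI/PII/Domain Admin/executive asset is scored as critical."""
    return 100.0 if tags & HIGH_VALUE_TAGS else 30.0


def total_score(components: Dict[str, float]) -> float:
    """Weighted combination, kept in the 0-100 range, rounded to one decimal."""
    return round(sum(WEIGHTS[k] * components[k] for k in WEIGHTS), 1)


def recommend(total: float) -> List[str]:
    for threshold, actions in ACTION_TIERS:
        if total >= threshold:
            return actions
    return []


def score_alert(alert: dict) -> dict:
    """Run the four component scorers and attach the total and recommendation."""
    comps = {
        "threat": threat_score(alert["feed_hits"], alert["previous_threats"]),
        "user": user_score(alert["user_privileged"], alert["user_prior_incidents"]),
        "machine": machine_score(alert["os_patched"], alert["endpoint_agent"],
                                 alert["machine_prior_incidents"]),
        "asset": asset_score(alert["asset_tags"]),
    }
    total = total_score(comps)
    return {**comps, "total": total, "recommendation": recommend(total)}


# Constructed sample alerts after correlation and data-source enrichment.
SAMPLE_HIGH = {
    "feed_hits": {"VirusTotal": True, "ThreatGRID": True, "OpenDNS": True, "AlienVault": False},
    "previous_threats": 2,
    "user_privileged": True, "user_prior_incidents": 0,
    "os_patched": False, "endpoint_agent": True, "machine_prior_incidents": 1,
    "asset_tags": {"domain_admin"},
}
SAMPLE_LOW = {
    "feed_hits": {"VirusTotal": True, "ThreatGRID": False, "OpenDNS": False, "AlienVault": False},
    "previous_threats": 0,
    "user_privileged": False, "user_prior_incidents": 0,
    "os_patched": True, "endpoint_agent": True, "machine_prior_incidents": 0,
    "asset_tags": set(),
}

if __name__ == "__main__":
    for name, alert in (("high", SAMPLE_HIGH), ("low", SAMPLE_LOW)):
        print(name, score_alert(alert))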
31. F.I.D.O. High Level
[Diagram: the same pipeline with the integrations named, grouped by pipeline stage. Detectors: Carbon Black, ProtectWise, Cyphort, SentinelOne, Palo Alto Network. Host detection: DHCP, RPC, SSH, DNS, ARP. Threat stack: VirusTotal, ThreatGRID, OpenDNS, AlienVault, ThreatExchange, Niddel. Data sources: LDAP, Jamf, Landesk, SCCM, HR. Correlation inputs: Endpoint Detectors, Previous Threats, Historical User/Machine, OS, Threat Feeds, Thresholds. Scores: Threat, User, Machine, Asset, Total Score. Enforcement: Kill NIC, Client Sandboxing, Network Sandboxing, Automated Re-image, Kill VPN, DHCP Blacklist, Disable Account, Reset Password. Outputs: Recommendation, Link to Docs, Actions Performed, Create Ticket, Updates DB]
Pipeline stages: 1. Detectors 2. Host Detection 3. Threat Stack 4. Data Sources 5. Correlation 6. Scoring 7. Enforcement 8. Notification
32. F.I.D.O. High Level
Success?
Pre-F.I.D.O.
1. Response measured in days to weeks
2. Aggregation of data took hours
3. 80% of alerts not processed
4. Minimal endpoint/user information
5. Little or no scoring information
Post-F.I.D.O.
1. Response measured in less than an hour
2. Aggregation of data takes minutes
3. All alerts processed
4. Detailed endpoint/user information
5. Detailed scoring information
33. F.I.D.O. High Level
Success?
[Chart: Response Time (Time = Days), Pre-F.I.D.O. vs Post-F.I.D.O.: 7 Days, 1 Day, > 1hr; +23hrs Improvement]
[Chart: Data Aggregation (Time = Hours), Pre-F.I.D.O. vs Post-F.I.D.O.: 4 Hours, 30 Mins, >10mins; +20mins Improvement]
36. What’s Next?
• ML for scoring (Thanks Mines.IO guys)
• More and tighter integrations
• Full stack: Ubuntu, python, node, nginx, couchdb & more
• Web UI: both configuration and admin
• API for data ingestion or export