17 comments

[ 3.9 ms ] story [ 34.9 ms ] thread
Anyone else surprised to see that this is a C# application? Anyone know if how much C# development happens at Netflix?
Up until last year, Netflix was using Silverlight for their player. They used to trot out on Microsoft dev conference stages and talk up IIS media streaming capabilities every now and then. For a while, it seemed like every feature microsoft announced for silverlight was basically aimed at Netflix... so not that surprising they have C# talent on staff?
Is this intended to compliment or replace things like alienvault/snort? Can it handle raw nix logs? Logstash? Windows events? It seems like from the post some kind of third party connection is required (LANDesk?), but I may not be reading right.

At any rate, thanks as always for sharing :)

It doesn't seem like it replaces Snort, which is an intrusion prevention system. It's more akin to AlienVault, which is a SIEM. Netflix shies away from the term SIEM. They call this an incident response software. I'm reading through it trying to figure out how it's different from a SIEM, but there's not a lot of technical details.
So akin to snorby mixed with Ossec active-response? Should be interesting to see if this gets picked up in an OS like Security Onion.

Also, it appears to use snort.

I love the Windows ME comment
So NetFlix spent four years developing automated trouble ticketing? I wonder if they evaluated the dozens of existing products that do this already?
Oh, so glad they gave the nod to the FIDO Alliance in passing.
It's not trouble ticketing. It's an aggregator of threat analysis responses from multiple sources that they use in the SOC to monitor for security threats and incursions.

Is there already an open source product that does that? That would be interesting to know about since I work in that space.

Anyone else notice the source they provide seems a bit light on functional code in multiple areas? Lots of stubs, empty methods, commented-out blocks and such throughout.

Did they neuter it by stripping out core functionality prior to releasing as open source? Sort of disappointing if so.

Almost seems useless in its current state given the degree of missing code (caveat: I have not run it yet, only read through the code in the GitHub repo).

Looking at it deeper I notice the scoring system is less advanced than I would have thought coming from a Netflix-type organization. Etsy released a tool a while back for general anomaly detection that used much more advanced statistical analysis. Would have loved to see more of that in here.
(comment deleted)