When Security Meets Innovation: a Cross-Team Love Story

CRAIG DAVIES • HEAD OF SECURITY • ATLASSIAN • @CRDAVIES

SecOps, a Love Story

How Atlassian’s Security Team works together

ANDREW WURSTER • T/L • ATLASSIAN • @YOURCISCOKID

It’s a big bad world out there

Build trust with every team.

Remove Barriers

Be Transparent

Be Consistent

Meet the Security Team

We handle (allthethings) security

Trust@Atlassian

Detect and respond

Secure by Design

Scale

ATX SYD MTV

Security Engineering

Security Intelligence

Information is key to Cyber Security

Data must be useful: Don’t look at everything, look at what matters

Plan for the worst: We work through scenarios, what could happen?

Test, Test, Test: We test everything, from threats to our incident plans.

Everything is Connected

Intel Hub

A Day in the Life

Active Bitbucket users

increase wk / wk

25%

Incident Investigation

False Positive OR Low Priority

Not so fast… create a JIRA

True Positive AND High Priority

New Incident

BAU Task

The Playbook

Logging Pipeline

Other Incidents

Email Ingestion

JIRA Service Desk

New Security Incident

Industry Groups

• Big cool statistic

• 2,569

• Add-Ons in Marketplace

Phase 1: Detect and Analyze

Security Playbook

Create tasks in JIRA, track bigger stuff in Confluence

Establish Comms

Phase 2: Contain, Eradicate, Recover

Allocate work

Understanding the problem: Investigation workflow

all users

Successful?

Active?

2FA Enabled?

IT Team

>1m failed

~100k successful

~= 90k active users

Span and Control: how can we contain it?

bad actors

3rd party breach data

hunter2

doris83@example.com

legit requests

bad requests

Apply Filter

Contain and Eradicate

By the books: Block a Malicious IP

Play / Policy: How to block …

Config Repo

git PR

Policy

Config Repo

deploy

Live Config

Allocate work

Recovery

Phase 3: Review

The Incident is over

You’ve survived

Time for PIR

Post Incident Review

Helping you

Trust.atlassian.com

megabytes

terabytes

0.0001%

Are you ready?

People: Encourage open discussion and don’t be driven by rules

Process: Test everything - dry runs

Data: Would you know if you had an attack?

Thank you!
