In an effort to bolster cyber defenses, all non-corporate Australian Commonwealth entities (NCCEs) and several private sector Australian organisations are encouraged to implement the Essential Eight, a set of cyber risk mitigation strategies and baseline framework developed by the Australian Signals Directorate (ASD). In November 2023, updates were made to the framework that affect maturity levels and put greater emphasis on rapidly patching vulnerable applications. The changes are counterbalanced with decreased timeframes on patching less pressing assets such as non-internet-facing servers.
As Axonius has a global audience, we understand that not all of our readers know what the Essential Eight is, so in this blog post we’ll explain:
- What the Essential Eight is and how it categorises its maturity model
- Challenges organisations face in meeting the requirements of the framework
- How Axonius can help you meet the Essential Eight and assist in maturing your cybersecurity program based on the 2023 updates
The Essential Eight Explained
Designed to enhance an organisation's cybersecurity posture, the Essential Eight is defined by four maturity levels (Maturity Level Zero to Maturity Level Three) that help organisations implement each strategy, understand their current security stance, and establish a roadmap to achieve different cybersecurity maturity levels. The maturity levels are defined as:
Maturity Level Zero
This level acknowledges that the organisation’s overall security posture has weaknesses, and when exploited, systems and data could be compromised.
Maturity Level One
This maturity level focuses on threat actors who use widely available tradecraft to gain access to and control of a system. These actors are often opportunistic rather than conducting specifically targeted attacks.
Maturity Level Two
At this level, the focus is on threat actors who invest more time and more effective tools in their attacks. They are likely to be more selective, will attempt to bypass the controls organisations have implemented, and will try to evade detection. As explained by the Australian Government, “Depending on their intent, malicious actors may also destroy all data (including backups) accessible to an account with special privileges.”
Maturity Level Three
This level focuses on malicious actors who are less reliant on public tools and techniques and often exploit the opportunities provided by weaknesses in an organisation's security posture and tools. The government gives the examples of exploiting older software or inadequate logging and monitoring.
To meet the Essential Eight’s maturity levels and mitigate the threats posed, there are numerous objectives and controls organisations should strive to achieve. These include:
- Application control: Ensures only approved applications are used and accessible and helps prevent malicious code from running.
- Patch applications: Requires patching or mitigation of applications with vulnerabilities considered ‘extreme risk’ within 48 hours, and the use of the latest version of applications.
- Configure Microsoft Office macro settings: Prevents the use of macros, which may contain malicious code that enables attackers to access sensitive information.
- User application hardening: Restricts malicious websites, scripts, and attacks that mimic legitimate functionality to evade application control.
- Restrict administrative privileges: Recommends implementing least privilege access control settings and restricts administrative privileges; these measures limit access to operating systems and applications and therefore help to reduce the cyber attack surface.
- Patch operating systems: Requires patching/mitigation of operating systems with known ‘extreme risk’ vulnerabilities within 48 hours; requires that entities use the latest version of all operating systems.
- Multi-factor authentication: Requires the use of multi-factor authentication protocols when accessing the Internet or web-based applications.
- Regular backups: Requires backing up critical data, systems, and configurations regularly, and retaining them in accordance with business continuity requirements.
Source: Ask, Solve, Evolve
Challenges meeting the Australian Essential Eight
Though the Essential Eight is considered ASD’s most effective cybersecurity approach to date, Australia’s IT and security professionals still face challenges in meeting its requirements due to inefficient processes, data fragmentation, and, overall, aging systems.
- Segmented and siloed asset visibility: Increased BYOD policies and unsanctioned application downloads create siloed and segmented asset visibility, making it difficult to understand hardware and software applications that need to be managed, assessed for vulnerabilities, or patched. Remember, you can’t protect what you can’t see or what you don’t know exists. Leveraging a platform like Axonius that provides comprehensive asset visibility and contextual data to uncover risks can give security professionals a greater understanding of their vulnerability risk.
- Inefficient processes: According to recent BeyondTrust findings, cybersecurity professionals struggle to balance productivity with implementing aspects of the Essential Eight, citing application control and restricting administrative privileges as challenges due to budget and resource constraints. Automation can free up IT and security teams whose resource limits otherwise lead to inefficient and time-consuming processes for meeting the rigours of the Essential Eight controls.
- Progress is difficult to measure: Cybersecurity programs need to be able to show progress. However, to do so, you need the ability to accurately measure the progress of individual controls and the effectiveness of the overall cybersecurity program. Not an easy task without the correct tools at your disposal.
- Not a ‘silver bullet solution’: While the Essential Eight serves as an adequate foundation for strengthening cyber defenses, it only sets the minimum standard for cyber risk mitigation and is not an end-all-be-all solution. As the cyber landscape evolves, implementing additional solutions that help your organisation understand what it needs to protect, beyond what the Essential Eight recommends, is vital to closing security gaps.
“As the Essential Eight outlines a minimum set of preventive measures, organisations need to implement additional measures to those within this security model where it is warranted by their environment. Further, while the Essential Eight can help to mitigate the majority of cyber threats, it will not mitigate all cyber threats.” - The Australian Signals Directorate
Axonius optimises the steps necessary to meet the Essential Eight
Recent high-profile cyber attacks in Australia have made it clear that cybercriminals aren’t slowing down. With cyber attacks listed as one of the primary concerns facing Australia, IT and security teams need to find optimised and efficient solutions to achieve the Essential Eight. Investing in a comprehensive asset management platform like Axonius can help organisations not only meet different requirements of the Essential Eight but also achieve advanced levels of maturity in their cybersecurity programs:
Essential Eight strategy: Patch applications & Patch operating systems
- Recommended approach: As part of the updates to the framework, ASD now recommends that patching be done within 48 hours instead of two weeks. To meet these requirements, firstly, measure and report on the same set of data, analyse it, and then distribute tasks to the relevant teams across the organisation. Then, automate vulnerability management tasks to increase effectiveness with reduced resource allocation. By identifying vulnerabilities and correlating them to assets, IT and security professionals can gather context that helps them prioritise vulnerabilities based on asset criticality, helping to expedite patching and remediation processes.
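As an added illustration of the approach above (example code, not Axonius code or output), the following Python check correlates constructed scanner findings to a constructed asset inventory, flags unpatched findings that have passed their window using the 48-hour ‘extreme risk’ timeframe from the post, and orders them by asset criticality. The two-week default window for other ratings, the sample data and the field names are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory and scanner findings (not real assets or vulnerabilities).
ASSETS = {
    "srv-01": {"name": "web-gateway", "criticality": 3, "internet_facing": True},
    "srv-02": {"name": "hr-db", "criticality": 3, "internet_facing": False},
    "ws-07": {"name": "dev-laptop", "criticality": 1, "internet_facing": False},
}
FINDINGS = [
    {"asset": "srv-01", "software": "nginx", "rating": "extreme", "first_seen": "2024-03-01T08:00:00Z", "patched": False},
    {"asset": "srv-02", "software": "postgres", "rating": "extreme", "first_seen": "2024-03-03T09:00:00Z", "patched": False},
    {"asset": "ws-07", "software": "firefox", "rating": "extreme", "first_seen": "2024-03-02T12:00:00Z", "patched": True},
    {"asset": "ws-07", "software": "zip-tool", "rating": "low", "first_seen": "2024-02-01T00:00:00Z", "patched": False},
    {"asset": "ghost-99", "software": "java", "rating": "extreme", "first_seen": "2024-02-28T00:00:00Z", "patched": False},
]

# 48 hours for 'extreme risk' findings, as the post states; the two-week window
# used for everything else here is an assumption of this example.
PATCH_WINDOW_HOURS = {"extreme": 48, "default": 14 * 24}

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def overdue_findings(findings, assets, now):
    """Correlate each unpatched finding to its asset and return those past their
    patch window, ordered most critical and internet-facing first, then longest overdue."""
    overdue = []
    for f in findings:
        if f["patched"]:
            continue
        asset = assets.get(f["asset"])
        if asset is None:
            # A finding on an asset the inventory does not know is itself a visibility gap: keep it visible.
            asset = {"name": "UNKNOWN", "criticality": 0, "internet_facing": False}
        window = PATCH_WINDOW_HOURS.get(f["rating"], PATCH_WINDOW_HOURS["default"])
        deadline = parse_ts(f["first_seen"]) + timedelta(hours=window)
        if now > deadline:
            overdue.append({
                "asset": f["asset"], "name": asset["name"], "software": f["software"],
                "criticality": asset["criticality"], "internet_facing": asset["internet_facing"],
                "hours_late": round((now - deadline).total_seconds() / 3600, 1),
            })
    overdue.sort(key=lambda r: (-r["criticality"], not r["internet_facing"], -r["hours_late"]))
    return overdue

if __name__ == "__main__":
    for row in overdue_findings(FINDINGS, ASSETS, parse_ts("2024-03-04T12:00:00Z")):
        print(row)
```

Findings on assets missing from the inventory are deliberately kept in the report with criticality zero rather than dropped, since an unknown asset is exactly the kind of gap the visibility challenge above describes.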
Essential Eight Objective: Multi-factor Authentication
- Recommended approach: Compile a user inventory and understand the totality of users in your organisation. A consolidated user inventory can identify users who are admins with no multi-factor authentication enabled and ensure least privilege access is applied across all multi-factor authentication solutions. Second, when it comes to managing SaaS applications, make sure you have the ability to identify inactive or unused user accounts that haven’t been properly decommissioned and to discover suspicious user accounts. Leverage a solution that can suspend suspicious or inactive user accounts and remove discovered app-to-app connections with access to sensitive company data.
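As an added example (not Axonius code), this Python snippet merges constructed user records from two differently shaped sources into one inventory keyed by e-mail address, then lists admins with MFA missing on any source and accounts inactive on every source. The 90-day inactivity threshold, the two source schemas and the sample users are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records from two sources with different schemas (not real users).
DIRECTORY_USERS = [
    {"email": "ana@example.com", "is_admin": True, "mfa_enabled": True, "last_login": "2024-03-01T09:00:00Z"},
    {"email": "bo@example.com", "is_admin": True, "mfa_enabled": False, "last_login": "2024-03-02T10:00:00Z"},
    {"email": "cy@example.com", "is_admin": False, "mfa_enabled": False, "last_login": "2023-11-20T08:00:00Z"},
]
SAAS_USERS = [
    {"email": "Bo@Example.com", "role": "owner", "mfa": "off", "last_active": "2024-02-28T11:00:00Z"},
    {"email": "dee@example.com", "role": "member", "mfa": "on", "last_active": "2023-10-01T00:00:00Z"},
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Each source is mapped onto one common shape so records can be merged by e-mail.
def from_directory(u):
    return {"email": u["email"].lower(), "admin": u["is_admin"],
            "mfa": u["mfa_enabled"], "last_seen": parse_ts(u["last_login"]), "source": "directory"}

def from_saas(u):
    return {"email": u["email"].lower(), "admin": u["role"] == "owner",
            "mfa": u["mfa"] == "on", "last_seen": parse_ts(u["last_active"]), "source": "saas"}

def build_inventory(records):
    """One entry per e-mail. Admin on any source counts; MFA missing on any source counts."""
    inventory = {}
    for r in records:
        e = inventory.setdefault(r["email"], {"email": r["email"], "admin": False,
                                              "mfa_missing": False, "last_seen": None, "sources": set()})
        e["admin"] = e["admin"] or r["admin"]
        e["mfa_missing"] = e["mfa_missing"] or not r["mfa"]
        e["last_seen"] = max(filter(None, [e["last_seen"], r["last_seen"]]))
        e["sources"].add(r["source"])
    return inventory

def review_inventory(inventory, now, inactive_days=90):
    """Return admins lacking MFA anywhere, and accounts unseen on every source for inactive_days (assumed 90)."""
    admins_without_mfa = sorted(e["email"] for e in inventory.values() if e["admin"] and e["mfa_missing"])
    inactive = sorted(e["email"] for e in inventory.values()
                      if now - e["last_seen"] > timedelta(days=inactive_days))
    return {"admins_without_mfa": admins_without_mfa, "inactive": inactive}

def run_review(now):
    records = [from_directory(u) for u in DIRECTORY_USERS] + [from_saas(u) for u in SAAS_USERS]
    return review_inventory(build_inventory(records), now)

if __name__ == "__main__":
    print(run_review(parse_ts("2024-03-04T12:00:00Z")))
```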
Essential Eight Objective: Regular back-ups
- Recommended approach: Firstly, validate backups and provide assurance that they are usable, then automate policy enforcement to configure backups consistently. When non-compliance occurs, automated policy enforcement can also notify the right people so they can identify the policy breach and respond to, mitigate, or remediate the issue.
A contemporary strategy now includes automated asset management
As cyber threats evolve, the ASD has adjusted the Essential Eight to maintain modern and practical cybersecurity guidance. The ASD’s most recent update includes the recommendation to use automated asset discovery. Specifically, the ASD recommends “to use an automated method of asset discovery at least fortnightly to detect assets that reside on a network and assist with follow-on vulnerability scanning activities.”
If you’d like to learn more about how Axonius can help your organisation with automated asset management and provide comprehensive and actionable data to meet the Essential Eight, contact us for a demo.