Your data has never been so valuable or so vulnerable. As organisations face new security threats at a scale and impact never seen before, the Australian Signals Directorate Essential 8 is a set of risk mitigation strategies designed to protect organisations from cyber-attack and limit the impact such attacks have on Australian businesses.
At a recent roundtable in Sydney hosted by Secure Agility, a group of Australia’s IT and information security leaders gathered to discuss how to reach the highest level of Essential 8 compliance without compromising on innovation and execution.
In this blog, we will review the significant topics raised during the meeting and offer advice on the best approach to delivering Essential 8 compliance out of the box.
What are the ACSC Essential 8, really?
The Essential 8 is a framework with recommendations for information security best-practices across eight areas. These are:
1. Application control
2. Patch applications
3. Configure Microsoft Office macro settings
4. User application hardening
5. Restrict administrative privileges
6. Patch operating systems
7. Multi-factor authentication
8. Regular backups
The Essential 8 has helped IT professionals benchmark their current cyber security posture and procedures, but for many, it has caused further complexity and confusion.
Speaking at the event, Steven Woodhouse, a highly experienced senior IT executive with more than 20 years’ cyber security experience, said that although the Essential 8 was originally developed for the Windows desktop and server ecosystem and was released back in 2017, many organisations still struggle to comply.
“E8 compliance should go hand in glove with your information management strategy and all the eight are still valid in this day and age,” Woodhouse said.
Today, many organisations use applications and services that the Essential 8 did not originally consider, but the principles remain relevant.
Woodhouse said Essential 8 compliance can also be tailored to be in line with your own business requirements.
“For example, application whitelisting across a network of 1300 schools where they want to have the ability to make specific app decisions themselves, is not practical or desirable,” Woodhouse said. “You can implement different controls to achieve a similar outcome – for an attack to be successful it needs to have the privilege and needs to traverse the network and endpoint protection as well. You can still prevent attacks without whitelisting.”
From patching to MFA: Assess your maturity level
Essential 8 compliance has four maturity levels (0 to 3), with Maturity Level 3 considered best practice across the eight domains.
Start by assessing your organisation’s current Essential 8 maturity level and deciding which level you are aiming for.
“What will work for one organisation might not work for others and you will need to assess the risk, cost and ability to do business. The more restriction you put in place, the harder it is for the business,” Woodhouse said.
Woodhouse is a big believer in MFA, though in reality most MFA programs require organisational change and some effort from each individual who uses them. “However, there are a few MFA programs out there that have built-in compliance features and support systems,” he said. For authentication more broadly, modern tools such as JITPAM (just-in-time privileged access management) can assist with compliance across several of the eight.
Regarding backups, Woodhouse said people often conflate backup and archive, which are not the same thing.
“Everybody needs to back up and archive, and you need to test and protect your backups to ensure they cannot be compromised,” he said.
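Woodhouse’s point that backups must be both tested and protected can be made concrete. The following Python script is an added example, not code from the original post or from Secure Agility: it records an HMAC-signed manifest of a backup set (file hashes and sizes) and later re-verifies the set against that manifest, flagging modified, missing and unexpected files as well as a manifest that has itself been edited. The directory layout, file contents and MANIFEST_KEY are constructed for the demonstration; in a real deployment the key would be held away from the backup storage.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed demo key. In practice this lives on a separate system (a vault
# or an offline admin workstation), never beside the backups it protects.
MANIFEST_KEY = b"constructed-demo-key-do-not-use"


def _sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Record hash and size of every file in the backup set and sign the record
    with an HMAC so the manifest itself cannot be silently edited."""
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            files[p.relative_to(backup_dir).as_posix()] = {
                "sha256": _sha256_file(p),
                "size": p.stat().st_size,
            }
    body = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Re-hash the backup set and compare it with the signed manifest.
    Any non-empty list, or a bad manifest HMAC, means the backup cannot be trusted."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    report = {
        "manifest_ok": hmac.compare_digest(expected_tag, manifest["hmac"]),
        "modified": [],
        "missing": [],
        "unexpected": [],
    }
    if not report["manifest_ok"]:
        return report  # A forged manifest makes the per-file checks meaningless.
    current = build_manifest(backup_dir)["files"]
    for name, rec in manifest["files"].items():
        if name not in current:
            report["missing"].append(name)
        elif current[name] != rec:
            report["modified"].append(name)
    report["unexpected"] = sorted(set(current) - set(manifest["files"]))
    return report


def is_trustworthy(report: dict) -> bool:
    return report["manifest_ok"] and not (
        report["modified"] or report["missing"] or report["unexpected"]
    )


def demo() -> tuple:
    """Constructed scenario: take a backup, sign it, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'demo');\n")
        (backup / "config.yaml").write_bytes(b"retention_days: 30\n")

        manifest = build_manifest(backup)
        clean = verify_backup(backup, manifest)

        # Simulate ransomware overwriting one file and deleting another.
        (backup / "db" / "customers.sql").write_bytes(b"-- encrypted --\n")
        (backup / "config.yaml").unlink()
        tampered = verify_backup(backup, manifest)

        # Simulate the manifest itself being edited to hide the change.
        forged = dict(manifest)
        forged["files"] = dict(manifest["files"])
        forged["files"]["db/customers.sql"] = {"sha256": "0" * 64, "size": 16}
        forged_report = verify_backup(backup, forged)

    return clean, tampered, forged_report


if __name__ == "__main__":
    for label, rep in zip(("clean", "tampered", "forged"), demo()):
        print(label, "trustworthy" if is_trustworthy(rep) else "NOT trustworthy", rep)
```

Running the script verifies the clean set, then reports the overwritten and deleted files, and finally rejects the forged manifest outright because its HMAC no longer matches. The same verify step doubles as the “test your backups” routine: run it on a schedule against the copy you would actually restore from, not just at backup time.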
How far can you get out of the box?
Woodhouse said out-of-the-box Essential 8 compliance is an exaggeration, because the available solutions each focus on one or two of the controls but cannot cover them all.
“You need someone to go with you on the Essential 8 journey, so clearly articulate your risk appetite and what you are willing to accept.”
While there may never be a single product or solution that magically ticks the compliance box, the MSP model is helpful because it combines consulting expertise with service delivery.
“Work with your MSP on how to implement the Essential 8 controls,” Woodhouse said.
Many organisations struggle to achieve compliance with the Essential 8 principles because of the complex terminology involved. By providing a simplified overview of these concepts, Secure Agility can help organisations achieve compliance without further complication. As a next step, our Essential Detection Starter package will address at least half of the Essential 8 areas of criticality.