In February, during the onset of the Russia-Ukraine war, the Australian Cyber Security Center (ACSC) published a key alert on its official website urging all Australian organizations to prioritize cybersecurity and immediately improve their security posture. It recommended that organizations prioritize the following actions:

  1. Patch applications and devices
  2. Implement mitigations against phishing and spear phishing attacks
  3. Ensure that logging and detection systems are fully updated and functioning
  4. Review incident response and business continuity plans

Source: ACSC

One of the key measures ACSC suggests is implementing the essential eight cybersecurity controls, which can help organizations defend their systems and data more effectively from threat actors.

In this blog, we'll explore:

  • What the essential eight controls are
  • Why they came to be
  • What the essential eight maturity model is
  • Who should comply
  • How you can get essential eight compliant with an effective SIEM solution

What are the essential eight controls?

The essential eight cybersecurity controls, or mitigation strategies, consist of:

Mitigation Strategy 1: Application control

This is a measure used to prevent the execution of malicious code (i.e., malware) on systems. Application control identifies the applications that are allowed to be used and develops controls to ensure only those are accessible. To implement this measure, organizations need to gain an overview of all applications and processes run by users in the network. It is also necessary to track unusual activity and take immediate action if required.

Mitigation Strategy 2: Patch applications

This involves the timely implementation of new patches and vulnerability scans to detect new issues, and the assignment of individuals to be responsible for these actions. To execute this control effectively, organizations must find a way to analyze the data obtained from different vulnerability scanners, and generate actionable analytical insight. When a threat is detected, action should be taken to mitigate it immediately and automatically.

Mitigation Strategy 3: Configure Microsoft Office macro settings

Essential eight lists a set of measures organizations can take to mitigate the threat of malicious macros, which can carry code used in a planned cyberattack. These include disabling macros for users who do not require them, only enabling macros from trusted sources, and checking macros for digital signatures before use. Organizations should also be able to track activities like processes, services, or applications launched unbeknownst to the user that might indicate a possible attack.
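The tracking described above can be illustrated with a small detection over process-creation logs that flags an Office application starting a shell or script host. This is an added example, not code from ACSC or Log360; the event shape (the `Image` and `ParentImage` fields, as in Sysmon process-creation events), the watch lists and the sample log lines are assumptions constructed for illustration.

```python
import json
from ntpath import basename  # parses Windows paths on any OS

# Assumed watch lists for this example; tune them to your environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed sample log: one JSON event per line, all values made up.
SAMPLE_LOG = r"""
{"host":"wks-01","user":"alice","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"host":"wks-02","user":"bob","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe"}
{"host":"wks-03","user":"carol","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
not-json line from a broken forwarder
{"host":"wks-04","user":"dave","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","Image":"C:\\Windows\\System32\\mshta.exe"}
{"host":"wks-05","user":"erin","Image":"C:\\Windows\\System32\\wscript.exe"}
"""

def office_child_alerts(log_text):
    """Return (alerts, skipped) for Office apps that start a shell or script host."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            parent = basename(event["ParentImage"]).lower()
            child = basename(event["Image"]).lower()
        except (ValueError, KeyError, TypeError):
            skipped += 1  # count unusable lines so logging gaps stay visible
            continue
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            alerts.append({"host": event.get("host"), "user": event.get("user"),
                           "parent": parent, "child": child})
    return alerts, skipped

if __name__ == "__main__":
    found, bad = office_child_alerts(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['host']} {a['user']}: {a['parent']} -> {a['child']}")
    print(f"skipped {bad} unparseable or incomplete line(s)")
```

Lines that cannot be parsed or lack a parent process are counted rather than silently dropped, since a rising skip count usually means the logging pipeline itself needs attention.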

Mitigation Strategy 4: User application hardening

This control lists measures which limit or curb user applications that regularly interact with content from the web. This is accomplished by hardening configurations, like blocking Flash and advertisements on web browsers, or blocking JavaScript on certain websites.

Mitigation Strategy 5: Restrict administrative privileges

ACSC suggests implementing measures like identifying tasks that require privileged access, creating separate attributable accounts for members who carry them out, and restricting administrative privileges to a select few to limit the escalation of critical activities. This prevents malicious actors from taking over important security controls and configurations.

Mitigation Strategy 6: Patch operating systems

Similar to patching applications, patching operating systems involves regularly checking for newly-released patches (like keeping an eye out for Patch Tuesday if you are a Microsoft user), and analyzing data from vulnerability management systems to take timely action. Those involved in this process must take the initiative to check if the patch is necessary and safe, and test it before deployment.

Mitigation Strategy 7: Multi-factor authentication

Apart from the usual measures used to implement MFA, ACSC recommends additional measures like hardening devices to the maximum extent, ensuring a visual notification appears for every authentication request, and storing software certificates in the devices' trusted platform module.

Mitigation Strategy 8: Regular backups

Regular offline and online backups are highly recommended. These should also provide measures to alert users or indicate a breach, as well as specify proper incident response actions.

Why did essential eight come into place?

In 2010, the ACSC, a part of the Australian Signals Directorate (ASD), released a document called Strategies to Mitigate Cyber Security Incidents, which cited 37 security controls. The controls were arranged in order of effectiveness in addressing cyberattacks, and the top four were made mandatory for Australian Federal organizations in 2014. In 2011, ACSC claimed that implementing the Top Four helped organizations effectively address 85% of targeted cyberattacks.

The ASD expanded the Top Four to the essential eight in its third update of the Strategies to Mitigate Cyber Security Incidents-Mitigation Strategies in 2017. While the first four were to prevent malware attacks, the next four were intended to mitigate possible cyberthreats.

The ASD recently recommended that all Australian organizations implement Essential Eight to improve their cybersecurity posture due to the increasing number of cyberattacks prior to Russia's attack on Ukraine.

What is the essential eight maturity model?

The essential eight maturity model defines four maturity levels based on mitigating the risk posed by threat actors and the latest tradecraft and techniques they use. The four maturity levels help organizations identify their areas of cyber risk and focus on mitigating these risks.

Before implementing the essential eight maturity model, organizations should decide on a target maturity level and then try to achieve it across all eight controls before moving on to the next one.

Maturity Level 0: Organizations with weak cybersecurity postures, whose data can be easily compromised by threat actors using various tradecraft and techniques, fall under this category.

Maturity Level 1: Organizations at maturity level one focus on mitigating risk from opportunistic threat actors who leverage available tools and frequently used techniques to spot vulnerable applications and systems to exploit. Using commonly employed social engineering techniques to launch a malicious Windows Macros file is one example of these attacks.

Maturity Level 2: The second level is a class of organizations that can block adversaries who are well-equipped and use techniques that are slightly more advanced than maturity level 1. For example, threat actors might attempt to impersonate users or accounts to gain privileges. These adversaries are also better at bypassing security controls.

Maturity Level 3: Here, organizations deal with more resourceful adversaries who use more advanced tools or techniques, and have specific targets. Since they spend a lot of time researching their targets, these adversaries easily spot any loopholes in the target organization's security policy, such as outdated software or lax security monitoring. They use this to gain entry and avoid detection to access privileged controls or obtain confidential data, which they may either steal or destroy, based on their intention.

ACSC also details how organizations can mitigate threats at each level across all eight security controls, and reach their target maturity level. For example, implementing MFA, the seventh mitigation strategy in the model, differs across organizations according to their maturity levels. While level 1 organizations must prioritize using MFA for authenticating to internet-facing services, level 2 and 3 organizations must also log all successful and unsuccessful authentications.

While achieving level 3 maturity means that an organization has implemented the necessary controls described by the ACSC to mitigate threats of a higher level, it does not stop adversaries from carrying out attacks. The ACSC suggests that, apart from achieving the third maturity level, it is essential that organizations put into place the controls listed in the Information Security Manual, their cybersecurity framework, and Strategies to Mitigate Cyber Security Incidents.

Who should comply?

While the Top Four are mandatory for all Australian Federal government agencies, the Essential Eight are expected to be made mandatory soon for all 98 Commonwealth entities.

Use Log360 to ace the ASD's essential eight audit

A comprehensive SIEM solution like ManageEngine Log360 can help organizations collectively address and comply with important security controls in ACSC's Essential Eight. The CASB capability in Log360 can help organizations recognize banned applications used by employees and curb their access. It can detect shadow IT activity and help IT administrators address it immediately through real time alerts, sent via SMS and email. Through these features, Log360 can also help implement the additional measures recommended for MFA like ensuring visual notifications appear for every authentication request.

Log360's real time security monitoring feature helps track changes made by privileged users and trace suspicious activities like unusual logon attempts or modifications made to important files. The SIEM solution's incident management module enables the user to customize a set of workflows to be executed for each security incident, and facilitates building a proper incident response mechanism according to the maturity level of the organization.

To learn more about how Log360 can help you with Essential Eight compliance, sign up for a free, 30-day trial to check it out yourself. Or request a free product demo with our product experts.


© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.