If you’re unsure where to get started with cybersecurity, you’re not alone. It’s a huge, shapeshifting topic that organisations ignore at their peril. To help businesses protect themselves against threats like cyber attacks and identity theft, the Australian Cyber Security Centre (ACSC) publishes a prioritised list of mitigation strategies, called the Essential Eight, to guide your efforts.
What is the Essential Eight when it comes to cybersecurity?
The Essential Eight is a set of baseline mitigation strategies taken from ACSC's broader Strategies to Mitigate Cyber Security Incidents. Implementing these eight strategies, as a minimum, makes it much harder for cybercriminals to compromise your systems.
For many organisations even this advice may seem unwieldy, especially if you’re in the beginning stages of assessing risk or establishing governance around cyberthreats. The ACSC recognises the dilemma, so they publish the Essential Eight Maturity Model to provide the most recent advice on how to implement the Essential Eight. With this support, organisations can track their alignment with the ‘intent’ of the mitigation strategies.
Recent updates to the Essential Eight Maturity Model
In July 2021, ACSC made significant updates to the Essential Eight Maturity Model and its corresponding implementation advice, and provided a new, overarching FAQ. In no specific order, we think the following are the most important take-home points.
1. The risk of doing nothing
ACSC gets straight to the bottom line in the FAQ: “Implementing the Essential Eight … can be more cost-effective … than having to respond to a large-scale cybersecurity incident.”
2. Start at the bottom rung
The Essential Eight Maturity Model has always defined Maturity Level One, Two, and Three, but ACSC has brought back the lowest level, Zero. It “signifies that there are weaknesses in an organisation’s overall cybersecurity posture” that could allow “compromise of the confidentiality of their data, or the integrity or availability of their systems and data”.
Level Zero equates to “get serious; you are a sitting duck”.
3. All for one; one for all
In a major change of direction, ACSC explicitly advises “organisations should plan their implementation to achieve the same maturity level across all eight mitigation strategies before moving on to higher maturity levels”.
When maturity was measured separately for each mitigation strategy, many organisations addressed each in turn, which could result in “an imbalanced cybersecurity posture”.
Previously, reporting “Patch Operating Systems” at Maturity Level Three alongside “Application Control” at Maturity Level Zero may have been acceptable. Not anymore. The weakest strategy now sets the overall level, so that combination puts you at an overall Maturity Level Zero (i.e., a sitting duck).
4. Do you have a bullseye on your back?
In the new implementation section, the first step is to “identify a target maturity level” based on what level of “adversaries” your organisation may attract.
The first part of the new risk-based approach is to get real about how big a target your organisation is, since “the likelihood of being targeted is influenced by their desirability to adversaries”. This is how the different levels break down:
- Level One targets adversaries running opportunistic attacks with “commodity tradecraft”.
- Level Two targets adversaries making a “modest step-up” in tools and effort.
- Level Three targets adversaries who are targeted, adaptive and “much less reliant on public tools and techniques”.
5. Don’t Stop Me Now!
Level Three “will not stop adversaries that are willing and able to invest enough time, money and effort to compromise a target”. If you might attract the big guns of cybercrime, then keep going with the rest of the ACSC mitigation strategies and the Australian Government Information Security Manual (ISM).
6. Stay on target
Exceptions and “compensating security controls” may be needed for “legacy systems and technical debt”. However, scope should be minimised and the need “monitored and reviewed on a regular basis”.
Be aware that the Essential Eight is designed to protect Microsoft Windows-based internet-connected networks. For other environments (different operating systems, cloud services, or mobile users) additional mitigation strategies might give better bang for your buck.
7. Do what’s needed; don’t wait for a breach
All the mitigation strategies have been revised, with requirements reordered and added to all maturity levels. The FAQ details the changes for each mitigation strategy.
Level One focuses on the highest risks first:
- patching internet-facing services
- patching vulnerabilities in, and hardening, the common attack vectors: web browsers, Microsoft Office, and PDF readers
- testing your backups.
Help is available if you’re concerned about how to implement the new Level One requirement to use a “vulnerability scanner” to identify “security vulnerabilities” in applications and operating systems. The Microsoft Defender for Endpoint software inventory cross-checks installed software against published CVEs, and covers more than just software from Microsoft and other popular vendors.
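To make the “vulnerability scanner” requirement concrete, here is an added example (not code from the ACSC, Microsoft or this page) of the core logic such a scanner performs: it matches a software inventory against a feed of advisories by version, then sets a patch deadline that is tighter for internet-facing services and for vulnerabilities with a public exploit, mirroring the Level One emphasis on internet-facing services. The inventory, the advisory feed, the “ADV-” identifiers, the product names and the deadline figures are all constructed for illustration; check the current maturity model for the actual patching timeframes.

```python
"""Inventory-vs-advisory matching with exposure-based patch deadlines.

All data below is constructed for illustration. The deadline figures are
assumptions, not a quotation of the maturity model.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str     # constructed identifier, not a real CVE
    product: str
    fixed_in: str        # first version that is no longer affected
    exploit_public: bool
    published: date


def parse_version(version: str) -> tuple:
    """Turn '4.10.2' into (4, 10, 2) so comparison is numeric.

    A plain string compare would rank '4.9' above '4.10'. Real vendor
    version strings need per-vendor handling; dotted integers are assumed.
    """
    return tuple(int(part) for part in version.split("."))


def is_affected(item: Installed, adv: Advisory) -> bool:
    """Affected when the product matches and the installed version is older
    than the first fixed version."""
    return (item.product == adv.product
            and parse_version(item.version) < parse_version(adv.fixed_in))


def deadline_days(item: Installed, adv: Advisory) -> int:
    """Assumed deadlines: 2 days for an internet-facing service with a public
    exploit, 14 days for any other internet-facing service, 30 days otherwise."""
    if item.internet_facing:
        return 2 if adv.exploit_public else 14
    return 30


def scan(inventory, advisories, today: date):
    """Return one finding per (installed item, matching advisory), ordered by
    due date so the most urgent patch is first."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if not is_affected(item, adv):
                continue
            due = adv.published + timedelta(days=deadline_days(item, adv))
            findings.append({
                "host": item.host,
                "product": item.product,
                "version": item.version,
                "advisory": adv.advisory_id,
                "fixed_in": adv.fixed_in,
                "due": due,
                "overdue": today > due,
            })
    findings.sort(key=lambda f: (f["due"], f["host"]))
    return findings


# Constructed sample data: two hosts, two advisories.
INVENTORY = [
    Installed("web01", "ExampleHTTPD", "2.4.50", internet_facing=True),
    Installed("ws07", "ExamplePDFReader", "10.1.3", internet_facing=False),
    Installed("ws07", "ExampleHTTPD", "2.4.51", internet_facing=False),  # already fixed
    Installed("ws12", "ExamplePDFReader", "10.1.4", internet_facing=False),  # already fixed
]
ADVISORIES = [
    Advisory("ADV-0001", "ExampleHTTPD", "2.4.51", exploit_public=True, published=date(2021, 9, 1)),
    Advisory("ADV-0002", "ExamplePDFReader", "10.1.4", exploit_public=False, published=date(2021, 9, 10)),
]
TODAY = date(2021, 9, 20)

if __name__ == "__main__":
    for f in scan(INVENTORY, ADVISORIES, TODAY):
        flag = "OVERDUE" if f["overdue"] else "due"
        print(f"{f['host']:6} {f['product']:17} {f['version']:8} {f['advisory']} "
              f"fix>={f['fixed_in']} {flag} {f['due']}")
```

The point of the exercise is the ordering: with the constructed data, the internet-facing web server with a public exploit is already overdue after two days, while the same advisory on an internal workstation would have had a month. A real scanner adds the hard parts this sketch assumes away (reliable software discovery, vendor-specific version semantics, and a trustworthy advisory feed), which is why the page points at a product rather than a script.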
Level Three aligns with the “assume breach” mindset, which requires central logging and monitoring across most of the mitigation strategies. If you don’t have a comprehensive SIEM (Security Information and Event Management) solution, then we recommend you give serious consideration to Azure Sentinel.
8. Dream the impossible dream
Maybe it all seems too hard, but it is crucial you protect your organisation. It’s no longer a matter of if you’ll be a victim of cybercrime; it’s a matter of when. If you’re feeling out of your depth, please contact an experienced partner in cybersecurity and identity management like Zetta.
If you really want to view the older version of the Essential Eight Maturity Model, then head over to the Wayback Machine, but why look back when the future keeps getting better – and more secure?
If you need help securing your environment and preventing the risk of cyber attacks, please reach out to our Security Team. We will also be presenting on this topic at an upcoming Microsoft Security Partner Meetup Event on 20th October in Perth. Why not plan to join us?