Mastering the Essential Eight Maturity Model

The Essential Eight (E8) is a set of prioritized mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to help organizations protect their internet-connected IT networks against various cyber threats. These security controls are part of the Australian Signals Directorate’s (ASD's) Strategies to Mitigate Cyber Security Incidents, a broader framework of best practices.

The Essential Eight strategies include:

1. Patch applications
2. Patch operating systems
3. Multi-factor authentication (MFA)
4. Restrict administrative privileges
5. Application control
6. Restrict Microsoft Office macros
7. User application hardening 
8. Regular backups

Why is the Essential Eight important?

The Essential Eight is crucial because it addresses the most effective areas of cybersecurity mitigation, helping organizations prevent, detect, and respond to cyber threats. By implementing these strategies, Australian businesses can significantly reduce the risk of cyber incidents, protect sensitive data, and ensure the integrity and availability of their systems.

Plus, according to the Australian government, proactively focusing on these tactics is “more cost-effective in terms of time, money, and effort than having to respond to a large-scale cybersecurity incident.” Considering the average cost of a data breach is $4.88 million – the highest it has ever been – organizations are much better off taking preventative measures than chasing threats after the fact.

Who does E8 compliance apply to?

The Essential Eight isn’t universally required. However, for certain Australian government agencies and departments, E8 security controls may be mandated by government directives, policies, or regulatory requirements.

In these cases, Essential Eight compliance is necessary to meet specific cybersecurity standards and regulations. Organizations outside the mandatory scope are encouraged to adopt the E8 as a best practice to protect against cyber threats, but they aren’t legally required to do so.

The ASD Essential Eight Maturity Model (E8MM) provides a structured approach for organizations to progressively implement E8 strategies, aiming to achieve a suitable level of maturity in their cybersecurity practices. More simply, it’s a framework for improving security controls.

The model categorizes maturity into four levels, each one based on mitigating increasing degrees of “tradecraft.” According to the Australian Signals Directorate, “malicious actors may exhibit different levels of tradecraft for different operations against different targets.”

For instance, a cybercriminal capable of advanced tactics could use them against one target while leveraging basic strategies against another. In turn, Australian organizations should consider which Essential Eight maturity level corresponds to their specific risk environment – i.e. the likelihood of an attack and its potential damage.

Here’s a breakdown of each level and what it entails:

• Maturity Level Zero: Indicates weaknesses in the overall cybersecurity posture, making the organization susceptible to attack. Simply put, organizations at this level lack adequate protections to safeguard sensitive data from unauthorized access and exploitation.
• Maturity Level One: Focuses on mitigating threats from malicious actors using basic, widely available tradecraft and tools. This level assumes threat actors are content to leverage well-known exploits, such as vulnerabilities that haven’t been patched.
• Maturity Level Two: Addresses threats from more sophisticated cybercriminals willing to invest additional time and effort to bypass security controls. For instance, they may actively target login credentials using phishing and social engineering techniques to circumvent weak MFA tools. This level also assumes malicious actors are likely to be more selective in targeting victims, preferring users with privileged access because they can harvest more sensitive information.
• Maturity Level Three: Aims to defend against highly adaptive and skilled adversaries using advanced tradecraft and techniques to compromise systems. Generally, this includes cybercriminals who are willing and able to invest time, money, and effort into bypassing stronger protections. For example, they may try circumventing sophisticated MFA mechanisms by stealing authentication tokens.

Thus, while Maturity Level Zero indicates the weakest security posture, Maturity Level Three represents the strongest.

Improving your Essential Eight maturity level

Regardless of where you begin, reaching a state of adequate cyber maturity is key to safeguarding sensitive data. Here are a few basic steps to get started:

1. Planning: Set a target maturity level and identify what’s required to achieve it. Consider the types of sensitive information your organization processes and how likely it is for threat actors to invest resources into targeting your systems. Based on this, consult the ASD’s maturity model to understand your control requirements.
2. Assessment: Conduct a gap analysis to identify areas of improvement. This will help establish how far your cybersecurity posture is from the target level’s baseline.
3. Implementation: Progressively roll out each mitigation strategy, ensuring that exceptions are minimized and documented.
4. Monitoring and review: Regularly review and update your mitigation strategies to maintain compliance and adapt to new threats. If your risk landscape changes, consider whether your current maturity level is sufficient.
5. Continuous improvement: Strive for higher maturity levels by refining and enhancing strategies over time.

The Australian Cyber Security Centre doesn’t recommend any one solution to reach Maturity Level Three, but rather a series of mitigation strategies and security controls. Why? Because it takes a combination of processes and tools to protect against increasingly advanced threats.

Let’s break each mitigation strategy down in more detail:

1. Application control
   This security measure restricts the execution of unauthorized or unapproved software, preventing malware and potentially harmful applications from running on an organization’s systems. It involves creating and enforcing a whitelist of approved applications, ensuring only verified and necessary software can execute.
   Application control is crucial because it helps block the execution of malicious code, reducing the risk of malware infections and limiting the potential attack surface. Security controls may include whitelisting software, implementing executable rules, and continuously monitoring application activity.
2. Patch applications
   Over time, new exploits may render applications more vulnerable than before. This mitigation strategy addresses that risk by ensuring all software is frequently updated with the latest security patches. Regular patching may involve vulnerability scanning to identify misconfigurations and automated patch management to update systems on a timely basis.
3. Configure Microsoft Office macro settings
   Microsoft Office macros allow users to configure how their applications function. They’re essentially programming instructions that can automate repetitive tasks. Although useful for productivity gains, bad actors also leverage macros as vehicles for malware. For example, they may hide malicious code in an Excel file.
   Disabling or restricting macros from untrusted sources can prevent threats from taking a foothold in your environment, thus protecting critical assets from unauthorized access.
4. User application hardening
   User application hardening reduces the attack surface by disabling or restricting unnecessary features in certain applications, such as Flash, Java, and web ads, which attackers often exploit. Hardening is crucial because it removes or limits functionalities that can be leveraged to gain access or execute malicious code.
   Critically, this security measure also supports effective key management and public key infrastructure (PKI). Securing applications that use cryptographic keys can help protect them from being exposed or misused. This involves disabling unnecessary features and enforcing strong encryption standards within applications.
5. Restrict administrative privileges
   Administrative privileges refer to the elevated rights and permissions granted to certain user accounts, allowing them to make system-wide changes, install software, access sensitive data, and configure security settings. While privileged access is necessary for managing IT systems, it also presents a significant security risk if not properly controlled.
   If a cybercriminal gains access to a privileged account, they can exploit permissions to install malware, exfiltrate sensitive data, create backdoors, and disable security controls, effectively taking over the entire system. Restricting and managing administrative privileges is therefore crucial to minimizing the potential impact of such attacks.
   A hardware security module (HSM) used in conjunction with a privileged access management application can significantly enhance this strategy by securely managing and protecting cryptographic keys and sensitive operations. nShield hardware security modules work together with PAM applications to prevent account hijacking with best practice protection of privileged credentials such as API keys, SSH keys, DevOps secrets, and cloud admin accounts and the protection of the cryptographic keys that underpin the security of your infrastructure.
6. Patch operating systems
   Patching operating systems (OS) involves keeping the OS up to date with the latest security updates to fix known vulnerabilities. Similar to patching applications, this strategy is essential to protect against exploits that target known weaknesses and misconfigurations. Regular OS patching is vital because the operating system is the backbone of the IT infrastructure, and any vulnerability can lead to widespread security breaches.
7. Use multi-factor authentication
   MFA strengthens user authentication processes by requiring multiple forms of verification, such as something the user knows (password) and something the user has (security token). It can also request something they are, using facial recognition or fingerprinting to confirm biometric identifiers.
   This strategy is vital because it adds an additional layer of security, making it much harder for attackers to gain unauthorized access even if credentials are compromised. Phishing-resistant MFA, such as adaptive authentication, can make the process even more advanced by issuing risk-based, step-up verification under certain conditions.
8. Regular backups
   Regular or daily backups ensure that data can be restored in the event of data loss, corruption, or a cybersecurity incident. This strategy involves creating and maintaining secure, resilient backups of data, applications, and system settings, which are essential for business continuity. This practice provides a safety net, allowing organizations to recover from ransomware attacks, hardware failures, or other catastrophic events.

From MFA to privileged access management and beyond, Entrust offers a wide variety of solutions to help you implement the Essential Eight strategies and protect information.