What do updates to the Essential Eight Maturity Model mean for your organisation?
For many Australian organisations, the Essential Eight has become the baseline cybersecurity standard to align to in order to improve their cyber posture. Implementing all Essential Eight controls makes it much harder for adversaries to compromise systems.
The Essential Eight is a living framework that is adjusted and enhanced to meet the evolving cybersecurity landscape in Australia. Since its days as the ASD 4, the framework has changed numerous times to help organisations defend against, and best recover from, the most common cyber threats.
While we will not cover all the changes published by the ACSC on November 27, this blog will discuss the changes security professionals should take note of. For a complete overview of the changes, see the ACSC Essential Eight website.
What is the Essential Eight Maturity Model?
The Essential Eight Maturity Model defines four maturity levels, ranked on a scale from level zero through three, based on an organisation's ability to identify its exposure to cyber risk and focus on mitigating it. Each of these levels corresponds to a degree of security against increasingly complicated breach attempts. Working with each of the maturity levels requires assessing your current security protocols and improving security against the different levels of threat that may present themselves.
While level three is the highest maturity level and a worthwhile goal for many organisations, it may not be necessary or appropriate for some businesses. Whether or not an organisation should aspire to level three depends on its risk profile, the types of data being handled, and the potential impact of a cybersecurity breach on its operations. However, all Australian organisations should seek to position themselves somewhere between level one and level three on the Essential Eight Maturity Model.
What are the most important maturity model updates for cyber professionals?
1. Patch Applications - Critical vulnerabilities must be patched within 48 hours
The Essential Eight Maturity Model has set a new 48-hour window for patching critical vulnerabilities, with an emphasis on applications that often interact with content from the internet. This update highlights the speed at which modern threat actors exploit newly found vulnerabilities—especially zero-day threats.
While BeyondTrust doesn’t offer a patching solution, we work with many clients who need to block vulnerable versions of applications until patches can be deployed. Those customers find our minimum version control easy to manage and highly useful. Not only can it block vulnerable app versions, but it can also provide the end user with intuitive notifications. These notifications can provide a web link to authorised application patches, which the user can self-install using just-in-time process elevation. This can allow the user to have access to the patched application version on their device within minutes – without Helpdesk or packaging team overheads. Overall, this capability reduces the productivity loss suffered when applications or suitable versions / patches are unavailable or in the packaging team’s queue.
2. A new minimum standard for MFA
The latest version of the Essential Eight Maturity Model brings a new minimum standard of Multi-Factor Authentication (MFA) that impacts Maturity Level One.
At lower maturity levels, the Essential Eight now encourages the adoption of phishing-resistant forms of MFA. It also enforces them for organisations aligning to higher maturity levels.
BeyondTrust solutions allow granular control over where you enforce MFA for privileged access. Our Privilege Management for Windows & Mac solution supports Windows Hello natively for endpoint privilege management. Our customers also leverage security keys as part of application control and are able to apply MFA, even where applications are not MFA aware. Together, these capabilities provide users with a level of authentication that otherwise would not have been achievable. Additionally, our Password Safe, Remote Support, and Privileged Remote Access solutions integrate with a wide range of open standards allowing easy integration with MFA solutions or Identity Providers.
3. Restricting Administrative Privileges - New changes focus on granting, controlling, and rescinding privileged access
The Essential Eight Maturity Model introduced multiple changes related to the restriction of admin privileges:
Granting, controlling, and rescinding privileged access
The first of these changes focuses on consistently granting, controlling, and rescinding privileged access to systems and applications. The recent updates also recognise and support the growing usage of cloud services.
BeyondTrust Password Safe and Privileged Remote Access customers can take advantage of numerous features designed to help them meet the new requirements for dedicated admin accounts for cloud services. These include dedicated account mapping, complete audit trails, and usage monitoring of privileged accounts.
The inclusion of break glass accounts
A further update to the Essential Eight framework involves the inclusion of break glass accounts. These accounts must now be brought under management and secured using long, unique, and unpredictable credentials. This change highlights the powerful capabilities of such accounts.
Some organisations may turn to Windows Local Administrator Password Solution (LAPS) for this requirement. LAPS, however, will only let you manage a single account on each endpoint. For more complex environments, BeyondTrust solutions offer the management of multiple break glass accounts, including on roaming / intermittently connected endpoints.
Memory integrity protection
The final update around restricting admin privileges affects Maturity Level Three and focuses on memory integrity protection. BeyondTrust Privilege Management solutions help to protect endpoints against malicious processes that attempt to interfere with memory integrity. This includes providing protection against settings being turned off on the endpoint itself.
4. New application control requirements at Level Two
The changes to Application Control reflect threat actors’ increased use of living-off-the-land techniques in their attacks on Australian organisations.
The Essential Eight now requires the implementation of Microsoft’s recommended application blocklist at Level Two instead of the previous Level Three, with organisations performing annual reviews of application control rulesets.
The fact that organisations only need to review the rulesets annually points to the potential resourcing burden that many organisations would face if required to increase frequency. However, BeyondTrust Privilege Management customers can easily conduct such reviews and quickly apply relevant changes on a much more frequent basis, as well as ad-hoc in response to new threats. This will allow users to meet any internal or audit requirements with minimal resourcing overhead.
The ACSC has also split out the application control requirements to reduce the burden on organisations aligning to the Essential Eight. For Maturity Level One, organisations need to focus application control on user profiles and temporary folders. Moving to Maturity Level Two requires organisations to apply application control to all locations. BeyondTrust Privilege Management customers gain out-of-the-box functionality that helps them immediately align with Maturity Level Two.
As you can see from the above, existing BeyondTrust customers are already able to meet a number of the updated requirements. In some cases, our customers are even able to significantly exceed the needs of the Essential Eight.
If you would like to understand further how BeyondTrust solutions can assist your organisation on its Essential Eight journey, download our whitepaper to see how BeyondTrust’s solutions map onto the requirements of the Essential Eight. Or reach out to a member of our team. We are happy to provide you with further information based on your organisation's objectives and requirements.
Scott Hesford, Director of Solutions Engineering, APJ
Scott Hesford has over a decade of experience in IT security. Before joining BeyondTrust in 2019, he worked as Principal Consultant for CA Technologies and other large enterprises in Australia and New Zealand. A trusted cyber security advisor to enterprise customers, his experience spans across several industries such as banking, insurance, energy and utilities, in addition to state and federal governments. At BeyondTrust, Mr Hesford is an essential contributor in the regional security engineering department, helping enterprises and government agencies improve their security posture against internal and external threats.