Morey Haber

Achieving the Australian Cyber Security Centre’s (ACSC) Essential Eight requires an understanding of project management, solution deployment, and cyber security best practices. ACSC has defined a Maturity Model that measures the successive stages of a deployment and quantifies the critical objectives for the Australian Department of Defence. This framework is ultimately designed to provide a robust foundation for mitigating cyber threats and enhancing the security posture of governmental agencies.

However, a strategic approach is required to implement the Essential Eight within defence agencies and to best navigate the guidance in the Maturity Model.

At the outset, it is crucial to understand the Essential Eight and its associated Maturity Model. The Essential Eight comprises eight mitigation strategies designed to protect systems against a variety of cyber adversaries. These strategies are:

  1. Application Control: Ensuring only approved applications can execute on systems.
  2. Patch Applications: Regularly updating applications to remediate vulnerabilities.
  3. Configure Microsoft Office Macro Settings: Restricting the use of macros to prevent malicious code execution.
  4. User Application Hardening: Strengthening applications to resist exploitation.
  5. Restrict Administrative Privileges: Limiting administrator privileges to reduce the attack surface.
  6. Patch Operating Systems: Keeping operating systems updated to mitigate security flaws.
  7. Multi-Factor Authentication (MFA): Implementing MFA to verify user identities.
  8. Regular Backups: Conducting routine backups to ensure data recovery.

The maturity model associated with the Essential Eight defines Four Maturity Levels:

  • Zero (0): Indicates significant weaknesses exploitable by adversaries, with little or no coverage by policies, procedures, and tooling.
  • One (1): Partially aligns with the intent of the mitigation strategy and has partial coverage of the policies, procedures, and solutions needed to mitigate the risks the Essential Eight defines.
  • Two (2): Mostly aligns with the intent of the mitigation strategy, and critical / sensitive systems are covered. At maturity level two, exploitable gaps may still exist that require additional coverage or policies for a complete implementation across the environment.
  • Three (3): Fully aligns with the intent of the mitigation strategy; all assets, data, and personnel are covered by the specified controls, and any deviations are promptly identified and brought under management.

The Australian Cyber Security Centre (ACSC) advises organisations to achieve uniform maturity across all Essential Eight strategies before progressing to the next maturity level. This holistic approach ensures comprehensive defence against cyber threats and that all criteria are treated equally and without bias. Implementing the Essential Eight within defence agencies therefore requires a structured approach across all eight disciplines, and recommendations from industry experts can assist in their implementation as industry best practices for cyber security.

Indeed, achieving the Essential Eight and maturing each strategy throughout an organisation requires a series of steps. These include:

  1. Implementing and Optimising Application Control: Application control is fundamental to protecting systems from unauthorised software. Achieving it at any maturity level involves blocking all applications except those specifically whitelisted under a predefined policy.

For defence, effective application control requires robust systems to monitor, assess, and authorise software that is strictly appropriate for the organisation. This is where the principles of Privileged Access Management (PAM) become indispensable. In a defence setting, restricting access on need-to-know and least-privilege principles limits the risk of unauthorised applications slipping through with inappropriate privileges. By leveraging a PAM solution, the department can ensure that only approved applications execute, that they run with the proper privileges, and that systems are safeguarded even from insiders who might inadvertently or maliciously attempt to introduce unapproved software. This naturally ties in with the requirement to restrict administrative privileges.

  2. Patch Applications: Vulnerability management is a fundamental cyber security discipline for any organisation, and for the defence sector a measured approach is essential for complete coverage. With thousands of endpoints and applications, achieving maturity in patching applications requires discovery, automation, and prioritisation. This means deploying automated patch management systems to close security gaps before adversaries can exploit them.

To stay on top of this, the Australian Department of Defence can employ continuous vulnerability scanning on-premises using network-based or agent-based vulnerability assessment scanners. In the cloud, this should be performed using Cloud Security Posture Management (CSPM) solutions that assess for risk through cloud-native APIs rather than credentialed scans keyed to a hostname or IP address. This identifies vulnerabilities regardless of where they reside, provides the foundation for a risk-based approach to remediation, and allows patches to be applied with minimal impact on critical operations. Importantly, patch management should not be a once-a-month task but a continuous process if the highest level of maturity is to be achieved.

  3. Microsoft Office Macros: Macros are a well-known attack vector, commonly exploited by threat actors through email attachments, file transfers, links on websites, and previously infected documents. To achieve a high level of maturity, the goal is to disable macros entirely and to restrict macro use to vetted, pre-authorised personnel and to the specific documents where they are mission critical. If possible, they should never be used at all – ever.

Defence departments must implement stringent controls for macros using technologies such as EDR and PAM that monitor and restrict macro-enabled files through access and privilege controls. Regularly assessing the department’s reliance on macros and revisiting the policies around them will also help ensure that security is not compromised for convenience.

  4. User Application Hardening: User application hardening targets widely used but often overlooked applications such as browsers and PDF readers. For a defence agency, browser-based attacks can be devastating because of their potential to bypass layered perimeter defences.

Achieving advanced levels of maturity here means enforcing security policies that block potentially harmful content such as unnecessary browser plugins, Java, and features like the browser’s native password management and credit card autofill. Defence organisations can enforce these restrictions by using enterprise browsers with centralised policy control, and can apply additional hardening by configuring endpoint protection tools that manage updates, application control, and the use of privileged accounts.

  5. Restricting Administrative Privileges: One of the core principles of modern cyber security is to reduce privileged access. Misuse of administrative privileges is one of the easiest ways for adversaries to breach systems, move laterally, find a path to higher privileges, and infiltrate an environment.

Defence can achieve significant maturity by adopting a zero-trust model that assumes no implicit trust, even within internal networks. Privileged Access Management solutions, which limit and track administrative access, can restrict both local and remote access to achieve these goals. In addition, role-based access control (RBAC) can establish more precise access definitions, ensuring that users have only the permissions their specific roles require and nothing more. This applies regardless of whether they are in the office, working remotely, or using cloud resources to conduct business. This requirement is generally linked to Application Control, so that one solution mitigates both risks.

  6. Patching Operating Systems: Operating systems form the foundation of IT infrastructure, and leaving them unpatched creates excessive risk. As with patching applications, patching operating systems must be automated, prioritised, and constantly monitored for unauthorised changes.

For the Essential Eight, reaching higher levels of maturity means deploying automated patching and monitoring tools across all critical systems, from desktops to mission-critical servers and cloud resources. Additionally, redundancy must be built in to avoid operational disruption and to prevent the patch system itself from becoming an attack vector. All tier one systems should have some form of resiliency to ensure they can complete their mission. If a critical patch is needed during a firefight, a patch management system that is not resilient could create a game over event. This is true for any tier one system and requires striking a balance between continuous patching, system uptime, and business expectations.

  7. Multi-Factor Authentication: The Defence Department’s sensitive information and operations make multi-factor authentication (MFA) an essential control. Full stop. While MFA should ideally be standard across all access points, it is especially critical for administrative access and remote users, even for an organisation just getting started with the Essential Eight.

To mature to the highest levels, MFA must be enforced on every account, everywhere, all the time, regardless of data, asset, or network segment. For defence agencies, this means deploying MFA not only for employees and contractors but also for third-party vendors and partners who may access the network. Combining MFA with contextual, adaptive authentication, such as location-based access or device reputation, can enhance security without overly complicating end user access. In addition, only FIDO2-based solutions should be considered, since legacy SMS, push, phone call, and similar approaches to MFA can readily be exploited by threat actors and negate the benefits of the technology if not properly deployed.

  8. Regular Backups: Finally, the importance of backups cannot be overstated, especially in a national security context. Backups should be regular, encrypted, and securely stored in offsite locations.

Achieving maturity in backups requires periodic testing, restoration verification, and modelling how long it would take to restore an entire environment. Defence agencies should have a backup and disaster recovery program that is frequently updated and capable of rapid restoration in the event of a data breach or ransomware attack. As a best practice, defence agencies should adopt both hot and cold backup strategies, with a rotating backup set that is isolated from the main network so that neither ransomware nor a physical attack can corrupt or destroy every copy.

Leveraging a Platform for Accelerating Essential Eight Maturity

Privileged Access Management (PAM) solutions are instrumental in achieving several components of the Essential Eight. As a security discipline, consolidated platform, and solution, they provide more coverage of the Essential Eight and its maturity model than any other single solution available. Consider what PAM provides:

  • Application Control: PAM solutions can enforce application control policies, ensuring that only authorised applications execute, regardless of operating system.
  • Restricting Administrative Privileges: PAM tools manage and monitor administrative privileges, enforcing the principle of least privilege and reducing the risk of privilege escalation attacks.
  • Multi-Factor Authentication: Integrating third-party MFA with PAM solutions enhances security by requiring multiple verification methods for access to any account, especially privileged accounts.
  • Implementing Least Privilege: Enforcing the principle of least privilege limits the access and privileges granted to accounts, data, and assets, and reduces the potential impact of a compromised account through privileged lateral movement.
  • Continuous Monitoring and Auditing: Regular monitoring and auditing of privileged access are essential for detecting and responding to suspicious activity promptly.

Incorporating these insights into your organisation’s cyber security strategy will enhance the effectiveness of an Essential Eight implementation and help the organisation mature as rapidly as possible, both to achieve compliance and to improve its own security.

Achieving the Essential Eight maturity model within defence is a strategic imperative for safeguarding national security interests. By systematically implementing these mitigation strategies, leveraging advanced PAM solutions, and integrating insights from cyber security experts, defence agencies can establish a resilient defence against cyber threats. This comprehensive approach ensures that the organisation not only meets compliance requirements but also fosters a culture of security excellence and resilience.

Morey J. Haber is Chief Security Advisor, BeyondTrust.
