If you have planned or aimed to start your journey toward implementation of essential eight, here is a guidance which can help you to do so.
Introduction
According to ACSC, the Essential Eight is designed to protect Microsoft Windows-based internet-connected networks, while it can be applied to cloud services and enterprise mobility, or other operating systems.
This framework published in June 2017, and it’s updated regularly, which is based on the ACSC’s experience in cyber threat intelligence, and cybersecurity incidents.
Strategies and Domains
As per the name there are eight strategies or domains in this framework
- Application control
- Patch applications
- Configure Microsoft Office macro setting
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
Maturity Levels
There are four level of maturity defined in the Essential Eight (Zero to Three), in which above mentioned strategies should be considered to implement at various levels.
- Maturity Level Zero, which means that there are weaknesses in an organisation’s overall cyber security posture, and attackers (even rookie ones!) can easily gain access.
- Maturity Level One, which indicates that there are some basic controls in place however, adversaries can simply leverage some basic tools to gain access and control victims’ systems.
- Maturity Level Two means that there are relatively good controls in place which make adversaries utilise more advance tools, compared to the previous maturity level, to gain access to organisations systems. This means that they must spend more time and money to manage their attacks, which depends on their incentive and possible gains.
- Maturity Level Three represents the reliable level of security and the implemented controls in which adversaries who are more adaptive and much less reliant on public tools and techniques, can target organisation. This means that the cost and time which they should spend as well as advanced tools/ techniques, may prevent them to manage such an attack, however if they have incentives and significant gain, they may target this type of organisations.
Implementation
- Assess your maturity against the eight strategies or domains
- Find the level of your maturity based on the given maturity model by ASCS
- Plan for a target maturity level suitable for your organisation then progressively implement each maturity level until that target is achieved.
- To do a robust implementation, a risk-based approach should be used by which the most critical risks must be addressed as the priority.
- Bear in mind that Essential Eight outlines a minimum set of preventative measures, which means that it will not address all cyber threats. In other words, you should consider additional measures and frameworks such as such Information Security Manual, NIST, or ISO27001, to have an advance cybersecurity defence.
- And finally, have an external/ independent party to assess your implementation in order to assure your compliance against Essential Eight.
At Rezilens we have an automated SaaS tool by which you can manage the above mentioned steps and then plan for the targeted maturity level, with an affordable price.
Please contact us for any further information or assistance.