The Australian Cyber Security Centre’s (ACSC) new updates to the Essential Eight Maturity Model are designed to combat new and advanced cyber criminal tactics and threats, giving organisations the best chance of protecting themselves.

At a high level, the main changes were:

  • The introduction of Maturity Level Zero
  • A more risk-based rather than compliance-based approach to maturity
  • A package approach to implementing all eight strategies together

Maturity Level Zero

Level Zero is designed to represent those organisations with significant weaknesses in their cyber defence. These weaknesses are also easily exploited, meaning that one compromise could have significant impacts on their data confidentiality, integrity, and business uptime.

An organisation may fall under Level Zero if they fail to implement basic antivirus and firewall solutions, if they have poor employee awareness training, and if they lack incident response policies.

The ACSC’s introduction of Level Zero is purely to enable more accurate reporting purposes. Organisations should not emulate or aim to achieve Level Zero.

Risk-Based Approach

Prior to July, the Essential Eight Model took a compliance-based approach: for example, if your organisation satisfied certain standards, you were considered to reach a certain maturity rating. The old interpretation took a punitive approach that punished and criticised organisations for failures to comply, which has been eased in the new definition.

The new interpretation moves toward a more robust, risk-based approach. Essentially, each maturity level now represents the level of sophistication a cyber adversary needs to achieve if they want to breach your defences. Previously, the interpretation depended on your organisation’s compliance with predetermined standards.

For instance, some organisations have legacy systems that prevent total compliance with the Essential Eight, which assumes the usage of modern systems and applications. The new interpretation of the model allows these organisations to implement risk management processes to mitigate the weaknesses of legacy systems, while still achieving the maturity level.

Implementation as a package

Historically, each of the eight strategies was evaluated separately, meaning an organisation could report eight separate maturity levels. However, the Essential Eight were always designed to complement, support, and build upon each other. Pursuing one strategy and ignoring the others will still leave your organisation vulnerable to being compromised in the other seven ways.

Blending the Essential Eight together gives an organisation the best chance of defending against the broadest range of cyber attacks. The ACSC now officially recommends achieving consistent levels of maturity for each strategy before progressing to higher maturity ratings.

Many organisations, the ACSC reported, were focusing extensively on the first four strategies, which are focused on prevention — blocking the delivery and execution of malware on your systems. However, these organisations have undeveloped capabilities to deal with threats that have breached their defences. In the modern cyber security landscape, as remote workforces lead to a widening attack surface, only focusing on prevention strategies is insufficient.

The other strategies in the Essential Eight help organisations minimise and recover from successful cyber attacks. Developing these multiple layers of defence — detection, prevention, and recovery and response — will create a wider net for you to handle more sophisticated attacks.

Key changes introduced to controls

  • Changes to focus on using file system access permissions to prevent malware executing from user profiles and temporary folders used by operating systems, web browsers and email clients.
  • Introduced logging to support incident response activities.
  • Introduced monitoring to support identification and response to cyber security events.
  • The use of vulnerability scanners was introduced for all maturity levels.
  • The use of attack surface reduction rules related to Microsoft.
  • Additional emphasis was placed on separating privileged and unprivileged operating environments, and the accounts associated with them, for all maturity levels.
  • Patching recommendations were changed for all maturity levels to remove the need for every security vulnerability to be individually risk-assessed to determine patching timeframes.
  • Multi-factor authentication recommendations were changed to focus on the use of different types of authentication factors (e.g. something you know, something you have and something you are) rather than specific authentication factors (e.g. password, smartcard and fingerprint).
  • Backup recommendations were changed to focus on performing and retaining backups in accordance with an organisation’s own business continuity requirements, as opposed to specifying backup frequencies and backup retention timeframes.

How can CT help?

Our Extended Detection and Protection (XDP) solution is a new approach to threat detection and protection, covering all the Essential Eight controls and more. Our integrated approach offers comprehensive protection for your organisation’s applications, infrastructure and data from unauthorised access and misuse. It delivers visibility across networks, clouds and endpoints while applying analytics and automation to address increasingly sophisticated threats. Our XDP platform addresses several key changes with the Essential Eight principles.

Our Detect and Response solutions capability:

  • Collects, correlates, and analyses cyber security events and anomalous activities in a timely manner.
  • Supports logging and incident response activities.

Our EDR (Endpoint Detect and Response), ZTNA (Zero Trust Network Access) and SASE (Secure Access Service Edge) solutions:

  • Configures systems, networks, and applications are configured to reduce their attack surface.
  • Covers the use of attack surface reduction rules related to Microsoft Office.
  • Enables verification of macros to prevent malicious macros, malicious applications, and attachments from executing.
  • The use of vulnerability scanners was introduced for all maturity levels to identify missing patches, and our Vulnerability Management solutions:
  • Ensures asset vulnerabilities are identified and documented, critical to improving the ‘patching applications’ maturity level.

Our Managed Security solution:

  • Enables monitoring for unauthorised personnel, connections, devices, and software to ensure compliance with admin privileges requirements.
  • Separates privileged and unprivileged operating environments, and the accounts associated with them, for all maturity levels.
  • Deploys multiple methods to identify and authenticate personnel to systems, applications, and data repositories, to support Multi Factor Authentication and admin privileges.
  • Establishes and retains backups in accordance with our clients’ business continuity requirements.

To discover more about how CT can help you improve your organisation’s cyber maturity, contact us today.