In 2010, or about three lifetimes ago in cybersecurity terms, our Australian Signals Directorate (ASD) published their ‘Top 4’ mitigation strategies for protecting yourself against cyber breaches. Their hypothesis, based upon analysing many, many targeted cyber-intrusions by cyber-criminals and nation state actors, was that if an organisation got these four right then they’d be well protected against 85% of attacks. Those are great odds – especially if you consider the concept of the two-hikers-who-meet-a-bear!
The strategies recommended were:
1. Application whitelisting – only allow known and trusted applications to execute
2. Patching applications to ensure that they are up to date and don’t have vulnerabilities (remember, Adobe Flash and Shockwave were still around then!)
3. Patching operating system vulnerabilities, obviously, and
4. Restricting administrative privileges
Aimed principally at other government entities, ASD’s advice was that all four should be considered mandatory, basic hygiene – and the cyber professionals that I’ve spoken to over the years would agree. Unfortunately, compliance proved hard for most organisations to really achieve, since application whitelisting was (and to some degree still is) an implementation nightmare, and in 2010 very few organisations trusted vendor auto-update functions for their workstations due to regular issues with patch failures and the dreaded blue-screen-of-death. Consequently, while everyone knew what they should do, the how was hard enough that the Top 4 remained aspirational for all but the most stringent operating environments.
In 2017, though, things changed. Firstly, the ‘Top 4’ became the ‘Essential-8’, and the language about implementation became more nuanced (a process that has continued with the publication of the ‘Maturity Model’, the latest iteration of which has just been released in recent months). Like its predecessor, the Essential-8 seeks to define those key controls that will reduce the chances of a cybersecurity breach, or minimise the impact and downtime that a breach will cause. The Essential-8 builds upon the original list by adding multi-factor authentication, backups, and two classes of end-user application management (one dedicated to MS Office Macros!), and in doing so ASD have built a great framework for guiding organisations of all sizes and across all segments towards strong technical security.
So, just eight controls?
Not so fast. In addition to the eight categories of controls, ASD have released a Maturity Model which you can use to prioritise your implementation and assess how far you’ve come. I say categories, because at Maturity Level 3 (the highest) there are some 69 assessment points to be considered – for example, there are 15 controls under the heading ‘Restrict Admin Privileges’. If we take Maturity Level 0 as the starting point, then reaching Maturity Level 1 requires 32 controls to be implemented.
ASD have given plenty of advice as to how to approach their Essential 8 and the Maturity Model, including the key recommendation that pushing any one of the eight to a higher level at the expense of another is pointless. Organisations should aim to get all eight to Maturity Level 1 before focussing on moving any up to Maturity Level 2 (though of course that will happen for some controls by default because they may not change between the two levels).
It’s also important to recognise that the Essential 8 is a distillation from ASD’s list of 37 Strategies to Mitigate Cyber Security Incidents. While these 37 strategies will all benefit your organisation, ASD have graded them according to the impact that they will have – from ‘Essential’ down to ‘Limited’ – and yes, eight of them were labelled Essential! But it’s important not to ignore the other strategies, as they will all have a security benefit.
How should we use the Essential 8?
The good news for cybersecurity strategists these days is that there are several really strong frameworks that can be used to inform your program. They range from the comprehensive NIST CSF and MITRE ATT&CK frameworks to the system-oriented CIS. Management, risk and governance can be based upon various ISO standards.
As befits a technical organisation, ASD’s Essential-8 is focussed on helping you define and build your defences against cyber breaches – it won’t address compliance obligations or DDoS, for example. To really get the benefit, the Essential-8 should be used as the technical element, driven by your own governance and risk frameworks; used that way, it offers an extremely valuable way of prioritising your security program and activities.
I believe that for organisations of all sizes, using the Essential 8 is a great way to ensure that you are building some of the critical elements of your security architecture and processes, and the uncomplicated presentation makes it suitable for organisations at varying levels of governance maturity. You may choose to implement or comply with a more comprehensive framework, but getting the Essential-8 in place first should be considered, well, essential.