Cybersecurity has become crucial for businesses and government entities in today's ever-changing digital landscape. While various frameworks and guidelines are available, the Australian Signals Directorate's "Essential Eight" is an effective and practical approach to strengthening an organization’s security against cyber attacks and threat actors.
Achieving Essential Eight compliance can become a long process as organizations work towards high-security maturity levels across the eight security controls. Measuring progress via metrics helps organizations identify alignment with the framework and areas that need attention.
In this blog post, we’ll discuss critical metrics organizations should track to ensure they align with the Essential Eight. For those new to Essential Eight or seeking to improve their approach, these key metrics provide clarity and direction to navigate the complex world of cybersecurity.
Prepare for Essential Eight Compliance with UpGuard BreachSight >
What is the Essential Eight?
“Strategies to Mitigate Cybersecurity Incidents,” also known as the Essential Eight, is a set of cybersecurity strategies recommended by the Australian Cyber Security Centre (ACSC), first published in 2017. These initiatives were specifically designed to secure internet-connected Microsoft Windows-based networks. However, the protocols can also be applied to protect cloud services and other operating systems. It's important to note that other more effective mitigation strategies may be available for specific operating systems with unique cyber threats.
Mitigation strategies are cybersecurity practices, security policies, and tools designed to mitigate cybersecurity risks and protect an organization's information security from data breaches or unauthorized access. These strategies are intended to limit and manage the damages caused by cyber incidents while safeguarding digital assets, networks, and data.
Essential Eight Security Controls
The core of the Essential Eight is eight mitigation strategies designed to enhance an organization’s overall cybersecurity posture. The eight security controls are:
- Application Control: Organizations should only allow specified applications to run on their networks, including network endpoints like workstations and servers, preventing malware and unapproved applications from executing.
- Patch Applications: Organizations must promptly install security patches to prevent exploitation.
- Configuring Microsoft Office Macro Settings: Organizations should limit macro execution to trusted sources, preventing internet-based attacks. Microsoft Defender can scan Office macros for viruses.
- User Application Hardening: Organizations should configure web browsers and Microsoft Office to block unnecessary and potentially malicious content, which minimizes vulnerable points in applications.
- Patching Operating Systems: Organizations must update their operating systems regularly for better security and protection against potential threats
- Restricting Administrative Privileges: Organizations should limit administrative and privileged accounts, ensuring users have minimum access to get their work done.
- Multi-Factor Authentication (MFA): Organizations must implement dual authentication methods to prevent unauthorized access.
- Regular Backups: Organizations must create backups of important data to speed up recovery after a cybersecurity breach.
The Essential Eight Maturity Model
To help organizations implement the Essential Eight framework, the ASD also produced The Essential Eight Maturity Model. The model includes four different maturity levels based on mitigating increasing levels of targeting from malicious actors. This model helps organizations consider what level of targeting, rather than which malicious actors they aim to mitigate.
- Maturity Level 0: This baseline level signifies weaknesses in an organization’s cybersecurity posture. If exploited, confidential data and system integrity could be compromised.
- Maturity Level 1: In this level, malicious actors are content to utilize average tools to gain access to and control systems. These include publicly available exploits, stolen credentials, brute force, etc.
- Maturity Level 2: Malicious actors in this level are a step up in capability and are willing to invest more time and tools in a target. These include targeting specific credentials through phishing, circumventing weak MFA, etc.
- Maturity Level 3: In this level, malicious actors are more adaptive and less reliant on public tools and techniques. They can exploit weaknesses in cybersecurity posture, like older software or insufficient logging/monitoring—not only initially accessing systems but evading detection and solidifying their presence.
Who Should Implement the Essential Eight?
The Australian Federal Government has made it mandatory for all 98 non-corporate Commonwealth entities (NCCEs) to comply with the Essential Eight framework. Previously, the government only required entities to comply with the first four security controls of the Essential Eight. Now, all eight security controls must be followed for compliance requirements. To ensure organizations maintain every security control, Australia requires all entities to undergo a comprehensive audit every five years starting in June 2022.
Outside of NCCEs, the Essential Eight operates as a cybersecurity framework and not a regulation—meaning there are no requirements to implement the risk management strategies and no penalties for non-compliance. However, the ACSC strongly recommended the Essential Eight and the framework can be applied globally, as it provides practical and foundational cybersecurity approaches.
Tracking Essential Eight Compliance
Compliance with the Essential Eight demonstrates a high cybersecurity posture and adherence to best practices for mitigating cyber incidents. Achieving this compliance can be long and arduous, but tracking key metrics can help your organization identify what is working well—and what needs improvement.
Essential Eight Key Metrics
Overall, Essential Eight compliance is broken down into compliance with the eight security controls. To properly track compliance, below are specific metrics for each security control.
Application Control
Application control is a security practice that helps prevent unauthorized apps from running on a system by allowing only approved software to execute. The Australian Signals Directorate (ASD) recommends several types of application control, including an allow/block solution for all workstations and endpoints, an allow/block solution for all servers, and the implementation of Microsoft's latest block rules. In addition, implementing allow/block policies along with attack surface reduction rules can further enhance the security of your system.
To track your compliance across this security control, consider tracking these metrics:
- Percentage Devices with Application Control Enforced: Measures the proportion of all organization devices (e.g., workstations, servers) that have application control mechanisms, such as allow/block controls, actively in place
- Number of Unauthorized Application Execution Attempts: Total of instances where unapproved or blocked applications attempt to run
- Frequency of Application Allow/Block List Updates: Tracks how often an approved application list is updated, ensuring only necessary software is permitted while outdated or vulnerable applications are removed/replaced
Patch Applications
Patching applications involves applying updates to any software to fix vulnerabilities, enhance functionality, or resolve other issues. Before patching, you must identify all the vulnerabilities that require remediation in current applications and categorize them from low to extreme risk.
The ASD recommends all extreme risk vulnerabilities have security patches implemented within 48 hours, utilizing a solution that confirms all necessary patches are installed (i.e., patch management systems and providers) and ensuring all internal applications are compatible with patched vendor software.
Utilize the following metrics to identify your ability to patch applications:
- Percentage of Applications Patched within a Specified Timeframe: Measures the percentage of software applications that receive patches or updates within a specified timeframe (e.g., 30 days after a patch release), indicating effective vulnerability management
- Number of Outdated Applications in the Environment: Amount of applications running on outdated versions, which may include potential risks that require patching efforts based on vulnerabilities known for those versions
- Frequency of Vulnerability Scans and Patch Assessments: Gauges frequency of vulnerability scanning and patch assessments for proactive identification and rectification of software vulnerabilities
Configure Microsoft Office Macro Settings
Microsoft Office Macros are created to streamline workflows and automate repetitive tasks. However, a compromised macro can provide unauthorized access to sensitive resources, leading to security risks. The ASD recommends that organizations turn off all Microsoft Office macros for maximum security and only permit MS Office macros from Trusted Locations to be used in documents. Additionally, macros with write access should be limited to specific users, and any macros within documents accessed from the internet should be blocked.
To track your compliance with configuring Microsoft Office macros, consider these metrics:
- Percentage of Devices with Restricted Macro Settings: Measures the proportion of devices within your organization where Microsoft Office macro settings have been configured to block macros from running automatically, especially from untrusted sources
- Number of Macro-Related Security Incidents Detected: Amount of incidents where malicious macros attempted to execute or were blocked, which also assesses the effectiveness of macro security controls and potential threat landscape
- Frequency of Macro Settings Compliance Audits: Tracks how often the organization reviews and verifies the configuration of Microsoft Office macro settings across devices, ensuring consistent application of best practices and identifying any deviations needing adjustment
User Application Hardening
Application hardening refers to the practice of securing software configurations to minimize the possibility of vulnerability to potential threats. This process involves adjusting settings, turning off unnecessary features, and implementing restrictions within applications to limit possible entry points for malicious actors. The ASD recommends application hardening by configuring all web browsers to block or disable Flash content, web advertisements, and Java on accessed websites. Additionally, Microsoft Office settings should be adjusted to turn off Flash content support and prevent Object Linking and Embedding packages from activating.
The following metrics will help your organization track compliance with user application hardening:
- Percentage of Applications with Hardened Configurations: Identifies the proportion of applications across your organization configured with security-enhanced settings, such as turning off unnecessary features or restricting certain capabilities
- Number of Security Incidents Stemming from Unhardened Applications: Total amount of security incidents due to application vulnerabilities linked to inadequate hardening, which identifies areas that require more robust hardening measures
- Frequency of Application Hardening Reviews: Measures how often your organization assesses and updates application hardening standards and configurations, which helps hardening practices evolve with the changing threat landscape and remain effective against emerging vulnerabilities
Restrict Administrative Privileges
Limiting administrative privileges is a crucial process involving restricting the number of users with elevated access rights within a system or application. This access control approach ensures that only essential personnel can make significant changes or access sensitive information, reducing the potential for accidental or malicious misuse of these rights.
The ASD recommends limiting privileged access to only those who need it and implementing technical controls to prevent privileged users from using online services to read emails, browse the internet, or obtain files. Consider reviewing privileged access regularly and removing those who no longer need it.
To track how well your organization is restricting administrative privileges, utilize these three metrics:
- Percentage of Active User Accounts with Administrative Privileges: The proportion of all active user accounts currently possessing elevated administrative rights, offering a snapshot of the potential over-allocation of such privileges.
- Number of Admin Privilege Grant/Revoke Actions in a Given Period: The number of actions granting or revoking administrative privileges, measuring the dynamism of privilege allocation and ensuring it corresponds with legitimate business needs.
- Frequency of Administrative Access Audits: How often the organization conducts reviews of user accounts with administrative privileges, including verifying the necessity of these privileges for each user, ensuring users with elevated rights have a justified business need, and revoking privileges when no longer required.
Patch Operating Systems
Patching an operating system involves applying software updates to fix security vulnerabilities, improve functionality, and address software bugs. Regularly updating operating systems helps address known vulnerabilities, ensuring systems are not susceptible to exploits that attackers frequently target.
Like patching applications, the ASD recommends patching operating systems with high-risk vulnerabilities within 48 hours, utilizing patch management systems, and ensuring all internal applications are compatible with patched vendor software.
The following metrics will help your organization track how well operating systems are patched:
- Percentage of Systems Patched within a Specified Timeframe: Measures the percentage of devices that receive operating system patches or updates within a specified timeframe, such as 30 days from release
- Number of Systems Running Outdated or Unsupported OS Versions: Total amount of systems that operate on outdated or unsupported OS versions that may pose security risks or have unpatched vulnerabilities
- Average Time to Patch Critical OS Vulnerabilities: Gauges the time taken by your organization to patch critical operating system vulnerabilities (a shorter duration indicates higher OS security maintenance)
Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) is a security method that requires users to provide multiple verification methods to access an account or system. Implementing MFA is one of the easiest security controls and the most effective ways to prevent data breaches. Each authentication layer requires different credentials, making it more difficult to compromise network access, install ransomware, or conduct successful phishing.
The ASD recommends enforcing at least two layers of authentication on all privileged accounts and all sensitive resource access requests.
To track MFA in your organization, consider using the following metrics:
- Percentage of Users Enrolled in Multi-Factor Authentication (MFA): Percent of users that have successfully enrolled and use MFA, including both regular and privileged accounts
- Number of Authentication Failures or MFA Challenges: Amount of instances where MFA challenges are triggered (either legitimate access attempts or potentially unauthorized ones)
- Average Time to Resolve MFA Lockouts or Issues: Average duration it takes to resolve MFA-related challenges, like user lockouts (a shorter resolution time reduces potential workflow disruptions)
Daily Data Backups
In the event of a successful breach of your organization’s data, a recent data backup can ensure your organization gets back on track smoothly. Daily data backups refer to the routine process of copying and storing data daily to ensure its availability in the event of a security loss, corruption, or data breach.
The ASD recommends implementing multiple data backup and restoration processes, testing those processes regularly, and storing backups for at least three months.
The metrics below will help your organization track the effectiveness of daily data backup processes:
- Backup Success Rate: Percentage of scheduled data backups completed without errors, indicating the reliability of the backup process
- Average Time to Restore from Backup: Typical duration required to restore affected systems or data from a backup file
- Age of Oldest Unbacked-up Data: Time elapsed since the last successful backup for the oldest piece of data, assessing potential data loss exposure
Get Essential Eight Ready with UpGuard
The Essential Eight is concerned with baseline cybersecurity mitigation strategies. If your organization wants to grow your cybersecurity posture even further and manage your external attack surface—UpGuard is here to help.
UpGuard BreachSight helps you understand the risks impacting your external security posture and ensures your assets are constantly monitored and protected. Our all-in-one platform makes it easy to view your organization’s cybersecurity at a glance and communicate internally about risks, vulnerabilities, or current security incidents. Other features include:
- Data Leak Detection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches
- Continuous Monitoring: Get real-time information and manage exposures, including domains, IPs, and employee credentials
- Attack Surface Reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting
- Shared Security Profile: Eliminate having to answer security questionnaires by creating an UpGuard Shared Profile
- Workflows and Waivers: Simplify and accelerate how you remediate issues, waive risks, and respond to security queries
- Reporting and Insights: Access tailor-made reports for different stakeholders and view information about your external attack surface
