Automation as a Key to Essential Eight Compliance Success

Essential Eight Framework

Australian organisations holding sensitive information, such as health and government entities, have become attractive targets for malicious actors due to their critical roles in society. However, these entities face challenges in implementing effective security measures. 

In 2017, the Australian Signals Directorate (ASD), assisted by the Australian Cyber Security Centre (ACSC), introduced a set of mitigation strategies within a framework known as the Essential Eight (E8). This framework emphasises the most effective security controls, helping organisations protect sensitive information and critical systems from cyber threats. 

The Essential Eight framework includes three maturity levels, labeled from Level One to Level Three. These levels not only guide organisations in enhancing their defenses but also serve as a high-level indicator of an organisation’s overall cybersecurity maturity. 

The three levels of maturity in the Essential Eight are: 

Maturity Level 1: Focuses on protecting against common, broad attacks from opportunistic adversaries using simple tactics. Controls are basic and defend against non-targeted threats. 

Maturity Level 2: Aimed at defending against more skilled attackers who may specifically target the organisation. Controls are stronger, with faster response times and a wider range of threats addressed, including targeted attacks using methods like social engineering. 

Maturity Level 3: Designed to protect against highly determined attackers who put in significant effort to breach the organisation. Controls are advanced, with quick response capabilities, centralised monitoring, and a thorough approach to potential threats. 

 The Essential Eight is named for its eight distinct security controls, each tailored to address a specific area of cybersecurity risk. These controls are: 

  1. Application Control: Restrict execution of unapproved or malicious software to prevent unauthorised applications from running. 
  2. Patch Applications: Regularly update and patch applications to address known security vulnerabilities. 
  3. Configure Microsoft Office Macro Settings: Restrict the use of macros, especially in untrusted documents, to prevent malware execution. 
  4. User Application Hardening: Disable or restrict features that can be exploited, such as Flash, Java, and ads in web browsers. 
  5. Restrict Administrative Privileges: Limit administrative access to reduce the risk of account compromise and lateral movement within the network. 
  6. Patch Operating Systems: Ensure operating systems are up to date with the latest security patches to mitigate vulnerabilities. 
  7. Multi-Factor Authentication: Implement multi-factor authentication (MFA) to protect against unauthorised access, especially for sensitive accounts. 
  8. Daily Backups: Regularly back up important data and store it securely to ensure recovery in case of data loss or compromise. 

Image 1 – The Essential Eight controls 

Automation for E8 Compliance

Reaching higher maturity levels entails a range of consistent activities, including asset discovery, vulnerability scanning, regular backups and deployment. For example, patches for operating systems or installed tools must be applied within 48 hours of release when the vendor rates the vulnerability as critical or a working exploit exists.  

Automation and DevOps strategies are effective for executing these tasks at the required pace, enabling organisations to reach their desired maturity level faster and more reliably.  

Additionally, automation can lead to long-term cost savings by reducing operational expenses, making it easier for the organisation to maintain the maturity level they have achieved over time. 

Another benefit of using automation for E8 compliance is that it reduces reliance on individual employees’ knowledge for reporting compliance levels. This means that if a senior employee leaves, their departure won’t result in a loss of crucial knowledge about your business environment’s compliance level. 

Challenges of Implementing Automation

Using automation to achieve compliance has many benefits, but it also comes with costs and challenges. Before you start automating the E8 controls, you will need to address the technical debt in your environment. For example, if you are using outdated software versions or have legacy operating systems that no longer receive updates, these will need upgrades or replacements to ensure compliance with the E8 and to enable seamless integration with modern automation tools. 

Another challenge you may encounter is the increase in complexity within your environment. While automation can reduce manual operational tasks, automating all your processes can also introduce new dependencies. For instance, generating a daily E8 compliance report for an application might depend on another pipeline that deploys the application, which in turn might depend on upgrading the server hosting the application. This upgrade might also rely on creating a golden image for your server before deployment. A small failure in any part of this chain could result in a report indicating non-compliance with the E8 standards. 

Moreover, automation requires your team to utilise a diverse set of DevOps tools to effectively complete automation tasks. The automation process could involve various tools, ranging from containerisation and infrastructure-as-code, to scanning tools, as well as multiple scripts and programming languages. Therefore, it’s essential to ensure your team is equipped with the necessary knowledge and tools to successfully implement and manage the automation processes. 

Automation Tools

Automation requires a suite of tools that work together to successfully automate the E8 controls, continuously monitor the environment and report on compliance levels and status. We will list some tools that can help your business achieve a higher level of compliance maturity more efficiently. 

  1. Version Control Tool: These tools provide version control for both code and configurations, enabling your team to keep a record of code changes. This allows members to monitor updates, review changes, and revert to earlier versions. Examples include GitHub and GitLab. 
  2. Pipelines Tool: These tools automate deployment, image building, test environments, compliance checks and report generation. Some options are Azure Pipelines, AWS CodePipeline, Buildkite, and GitHub Actions. This is the most important tool as it forms the backbone of your automation; choose carefully based on your needs, business environment, and other tools. For example, if you are using Azure as your cloud provider, it might be beneficial to select Azure Pipelines. 
  3. Containerisation and Image Building: These tools are crucial for creating golden images or containers that satisfy E8 requirements. Docker and Packer are useful tools in this area. 
  4. Infrastructure-as-Code Tool: You will need these tools to automate infrastructure deployment in AWS, Azure, etc. Suggested tools include Terraform and AWS CloudFormation. 
  5. Configuration Management Tool: These tools are used for configuring your environment and other technologies you use. An example is Ansible. 
  6. Automated Auditing Tool: These tools can be used for testing and auditing your applications and infrastructure, automating tests for compliance and policy requirements. Suggested tools are Chef InSpec and Terrascan. 
  7. Vulnerability Scanning Tool: These are essential as part of the Essential Eight, to monitor your environment and adhere to the requirements. Tools that can be used include Tenable Nessus and Rapid7. 
  8. Compliance Management Tool: To effectively monitor compliance levels, your business will need a tool tailored to your infrastructure. If your environment is hosted on AWS, you can utilise Security Hub and AWS Config; the latter offers an E8 conformance pack template that can be easily integrated. Another tool that can show the level of E8 compliance for infrastructure services is Prisma Cloud.

    However, these tools may not automatically recognise audit findings generated by external tools. To address this, you can either upload the findings directly to the platform or convert them into a compatible format for integration with the dashboard. Another option is to consider using tools like Chef Automate, which seamlessly integrates with Chef InSpec to deliver compliance insights for the generated finding reports. 

Image 2 – Conformance pack for the Essential Eight in AWS Config

Case Study

In this section, we will explore a fabricated case study involving a business named AusTech and examine how automation can be leveraged to address various controls within the E8 cybersecurity framework. AusTech, an enterprise that depends on AWS for its infrastructure, employs Windows OS on its cloud servers to support various applications. 

At AusTech, source code management is achieved using GitHub, and the business relies on GitHub Actions to automate processes including deployment, control checks and compliance reporting.  

AusTech’s first pipeline utilises Packer to generate a golden image of the Windows OS daily at midnight. This golden image is configured to exclude all unnecessary applications and registry keys, while also tightening application controls. By doing so, the image aligns with the following E8 controls: 

  • “Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.” 
  • “Applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.” 
  • “Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.” 

Further, AusTech uses Ansible to apply extensive configuration to the golden image, hardening it beyond what the image build alone provides. These configurations enforce restricted administrative privileges, disable unnecessary settings, enable PowerShell and OS event logging, and create a schedule that uploads all logs to a central, secure location. This helps address multiple controls, such as:  

  • “Privileged accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties.” 
  • “Privileged accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services.” 
  • “Local Security Authority protection functionality is enabled.” 
  • “Credential Guard functionality is enabled.” 
  • “Remote Credential Guard functionality is enabled.” 
  • “Event logs are protected from unauthorised modification and deletion.” 
  • “PowerShell module logging, script block logging and transcription events are centrally logged.”  
  • “Command line process creation events are centrally logged.” 

AusTech has another pipeline that uses Terraform to roll the newly created golden image out to the Windows servers a few hours after the image is built. This approach keeps AusTech compliant with two of the most vital controls in the E8 framework: Patch Applications and Patch Operating Systems. Several control items require a rapid response within 48 hours, such as: 

  • “Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.” 
  • “Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.” 
  • “Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.” 
  • “Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.” 
  • “Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.” 
  • “Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.” 

Moreover, a daily vulnerability scan is conducted using Tenable Nessus, which is baked into the server’s golden image. This scanning pipeline not only identifies vulnerabilities and missed patches but also compiles a detailed report, uploads the findings to designated, secure cloud storage, and alerts the security team if high-severity issues are found, thereby supporting the E8 controls: 

  • “A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services.” 
  • “A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.” 

AusTech also runs a daily early-morning pipeline to back up all data, settings, and critical files within its systems to a secure central location in the cloud. Access to this cloud storage is restricted to authorised personnel only. This process helps ensure compliance with the relevant controls: 

  • “Backups of data, applications and settings are performed and retained in accordance with business criticality and business continuity requirements.” 
  • “Backups of data, applications and settings are retained in a secure and resilient manner.” 

Image 3 – AusTech’s different pipelines and the controls they address

To maintain accountability and compliance, AusTech incorporates Chef InSpec within its pipelines to rigorously audit both the golden image and the deployed infrastructure. This setup sends alerts and halts the pipeline if a failure or breach of a control is detected, ensuring compliance failures receive immediate attention. 

Additionally, AusTech employs Chef Automate to collect the non-compliant findings generated by Chef InSpec across the different pipelines and display them in a central dashboard. 
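As an added illustration of the audit step (this is example code, not AusTech's or Cevo's, and it stands in for the Chef InSpec profile the case study describes), the PowerShell below checks a golden image for the Windows registry settings behind the Ansible-enforced controls listed earlier (LSA protection, Credential Guard, Remote Credential Guard, PowerShell logging, command line process creation logging) and exits non-zero so a pipeline job fails when any setting has drifted. The control list and report format are assumptions for this example; the registry paths and values are the documented Windows settings.

```powershell
# Added example, not part of the original post: audit a Windows golden image for the
# Essential Eight hardening settings and fail the pipeline step on drift.
# Values: RunAsPPL 1 or 2 = LSA protection on; LsaCfgFlags 1 or 2 = Credential Guard policy on
# (running state is reported separately by the Win32_DeviceGuard WMI class);
# DisableRestrictedAdmin 0 = Remote Credential Guard permitted on the host.
$Checks = @(
    @{ Control = 'Local Security Authority protection functionality is enabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RunAsPPL'; Expected = @(1, 2) }
    @{ Control = 'Credential Guard functionality is enabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LsaCfgFlags'; Expected = @(1, 2) }
    @{ Control = 'Remote Credential Guard functionality is enabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'DisableRestrictedAdmin'; Expected = @(0) }
    @{ Control = 'PowerShell script block logging is enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Name = 'EnableScriptBlockLogging'; Expected = @(1) }
    @{ Control = 'PowerShell module logging is enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'; Name = 'EnableModuleLogging'; Expected = @(1) }
    @{ Control = 'PowerShell transcription is enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'; Name = 'EnableTranscripting'; Expected = @(1) }
    @{ Control = 'Command line process creation events are logged'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'; Name = 'ProcessCreationIncludeCmdLine_Enabled'; Expected = @(1) }
)

function Test-E8Setting {
    param([hashtable]$Check)
    # A missing key or value means the policy is not enforced, so it counts as a failure.
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Name) } else { $null }
    [pscustomobject]@{
        Control  = $Check.Control
        Setting  = "$($Check.Path)\$($Check.Name)"
        Expected = ($Check.Expected -join ' or ')
        Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
        Pass     = ($null -ne $actual) -and ($Check.Expected -contains [int]$actual)
    }
}

$results = $Checks | ForEach-Object { Test-E8Setting -Check $_ }
$results | Format-Table -AutoSize            # human-readable table in the pipeline log
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Error "E8 audit failed: $($failed.Count) of $($results.Count) settings not enforced"
    exit 1                                   # non-zero exit halts the GitHub Actions job
}
```

Run it as a step after the Ansible stage; the table can be exported with `Export-Csv` or `ConvertTo-Json` and uploaded alongside the other pipeline reports.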

Through these automated mechanisms, AusTech demonstrates how businesses can leverage modern automation to monitor and enforce E8 controls, ensuring prompt detection and quick response to potential security issues. 

Conclusion

Automation stands out as a crucial strategy for Australian organisations seeking to comply with the Essential Eight framework. It makes the compliance process more resilient and reliable, but it also introduces challenges of its own, such as managing the complexity of interconnected processes and dealing with technical debt.  

To succeed with automated compliance, organisations need the right tools, a skilled team and strong DevOps knowledge. 

At Cevo, we have assisted multiple businesses in enhancing their security maturity and advancing through the Essential Eight’s levels. We offer a suite of services and support designed to help navigate the complexities associated with adhering to the Essential Eight effectively. Our experienced team has the expertise to accelerate your compliance journey and ensure its success. Feel free to reach out – we are eager to assist your business in enhancing its security and compliance posture. 
