Essential 8 Cybersecurity Lessons: Insights from Our Compliance Journey

We’ve embarked on a journey of cybersecurity hardening, aligning with benchmarks and frameworks such as PCI, CIS, NIST, and the Australian Cyber Security Centre’s Essential 8 (E8). Our experience has not just been about ticking boxes but deeply understanding and implementing these robust measures. Here, we share some key lessons from our work on the Essential 8, a journey filled with challenges, insights, and transformations.

Patching Applications

One lesson was the need to patch enterprise applications within 48 hours. This rapid response is critical in mitigating vulnerabilities but is far from simple. It demands a proactive approach to security, asset management and patch management.

Optimizing Patching Processes

When it comes to bedding in patching processes for high compliance, we’ve observed it often follows an extreme version of the 80/20 rule. More than 80% of the effort goes into patching the last 20% of devices, middleware, basic software or enterprise applications. This disproportion highlights the need for strategic planning and efficient resource allocation. Compliance in this space is black and white: a system is either patched or it isn’t, so you’ll find you need to do whatever it takes to get the patches installed. This includes rebuilding systems/servers within the month. Another tip is to compress your patch windows as much as possible; gone are the days where we have 70 patch windows a month. Run the KISS principle and get the bulk of the patching work done early, so that you have plenty of time to work out the inevitable issues.
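Because the 48-hour window is judged per asset and per patch, it helps to score an inventory the same black-and-white way an assessor would. The script below is an added example and not part of the original post or any product it mentions; the host names, patch ids and timestamps are constructed sample data, and the "late", "overdue" and "pending" labels are our own naming for the non-compliant states.

```python
from collections import Counter
from datetime import datetime, timedelta

# The Essential 8 window for enterprise applications discussed above.
PATCH_WINDOW = timedelta(hours=48)

# Constructed sample inventory (hypothetical hosts and patch ids, not real data):
# (asset, patch id, vendor release time, install time or None if not yet applied).
SAMPLE_INVENTORY = [
    ("web-01",  "KB-EXAMPLE-001",    "2024-03-01T10:00:00", "2024-03-02T09:30:00"),
    ("web-02",  "KB-EXAMPLE-001",    "2024-03-01T10:00:00", "2024-03-04T08:00:00"),
    ("app-01",  "APP-EXAMPLE-7.2.1", "2024-03-01T12:00:00", None),
    ("db-01",   "APP-EXAMPLE-7.2.1", "2024-03-01T12:00:00", "2024-03-03T11:59:00"),
    ("file-01", "KB-EXAMPLE-001",    "2024-03-04T09:00:00", None),
]

# Point in time at which the constructed inventory is assessed.
SAMPLE_NOW = datetime.fromisoformat("2024-03-05T00:00:00")


def patch_status(released, installed, now, window=PATCH_WINDOW):
    """Classify one asset/patch pair against the window.

    compliant: installed within the window
    late:      installed, but after the window closed
    overdue:   not installed and the window has already closed
    pending:   not installed, window still open
    """
    if installed is not None:
        return "compliant" if installed - released <= window else "late"
    return "overdue" if now - released > window else "pending"


def assess(inventory, now, window=PATCH_WINDOW):
    """Return {(asset, patch_id): status} for every row in the inventory."""
    results = {}
    for asset, patch_id, released, installed in inventory:
        rel = datetime.fromisoformat(released)
        inst = datetime.fromisoformat(installed) if installed else None
        results[(asset, patch_id)] = patch_status(rel, inst, now, window)
    return results


def summarize(results):
    """Count each status; 'rate' is the share that actually met the window."""
    counts = Counter(results.values())
    total = len(results)
    compliant = counts["compliant"]
    return {
        "total": total,
        "compliant": compliant,
        "rate": compliant / total if total else 0.0,
        "counts": dict(counts),
    }


def worklist(inventory, now, window=PATCH_WINDOW):
    """Assets still needing action, most overdue first (hours past the window)."""
    items = []
    for asset, patch_id, released, installed in inventory:
        if installed is None:
            rel = datetime.fromisoformat(released)
            hours_over = (now - rel - window).total_seconds() / 3600
            items.append((asset, patch_id, round(hours_over, 1)))
    return sorted(items, key=lambda item: item[2], reverse=True)


def run_example():
    """Assess the constructed inventory at SAMPLE_NOW."""
    results = assess(SAMPLE_INVENTORY, SAMPLE_NOW)
    return results, summarize(results), worklist(SAMPLE_INVENTORY, SAMPLE_NOW)


if __name__ == "__main__":
    results, summary, todo = run_example()
    for key, status in results.items():
        print(f"{key[0]:8} {key[1]:18} {status}")
    print("summary:", summary)
    print("worklist (hours past window, negative = time left):", todo)
```

Note that a "late" install still counts as a miss: the window is measured from the vendor release, not from when the patch reached your change queue, which is why the post recommends front-loading the bulk of the work.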

The Imperative of Multi-Factor Authentication (MFA)

It becomes clear: you need to MFA your world. MFA acts as a critical barrier against unauthorized access, ensuring that security is not solely reliant on passwords. If you have an air-gapped or isolated environment, on-premises MFA solutions are fast becoming hard to find. Another key takeaway is that you now need (as of November 2023) to enforce the ‘something you have’ principle.

Managing Administrative Privileges

Restricting administrative privileges is essential but expect pushback. Administrators are accustomed to a certain level of access, and this change can be met with resistance. Communication and training are key in this transition and shouldn’t be overlooked. It’s a journey that we have all had to go on and being told you need another 5 accounts to manage can be a hard pill to swallow considering that an average systems administrator juggles over 80 work-related passwords already.

Application Control and Future-Proofing

For application control, aligning with Windows Defender Application Control (WDAC) is advisable, especially if aligning with the NIST Cybersecurity Framework (CSF) is in your future. WDAC offers a robust solution compatible with evolving security standards. AppLocker has been pushed aside by Microsoft and the focus is now on WDAC. This means you can’t get a decent level of maturity with frameworks such as NIST CSF if you’re using application control that only operates at the application layer.

Restricting Office Macros

While restricting Office macros is vital for security, it can be a finance team’s worst nightmare due to their heavy reliance on Excel. Balancing security with functionality is crucial in such scenarios. Start by slowly rolling out macro restrictions, allowing anyone to request an exemption. After round one is complete, circle back and tighten it down.

Blocking Advertisements

Blocking internet advertisements generally requires third-party software. Be prepared to implement and manage an additional tool in your cybersecurity arsenal. A lot of government agencies will use a central filtering product, so this one is more for the GBEs (Government Business Enterprises) and the semi-government-owned businesses.

The Role of Backup Immutability

Backup immutability plays a significant role in compliance. Ensuring that backups cannot be altered or deleted adds an essential layer of protection against ransomware and other malicious attacks. If you still rely on off-site tapes, you can technically claim immutability; however, the tapes that are still stored in your library can be compromised, which means your real restore point is a lot further back than the last tape backup.

A Word of Caution on Compliance Reporting Products

Finally, a crucial insight from our journey: be cautious with Essential 8 compliance reporting products. The complexities of cybersecurity make it nearly impossible to automatically check compliance across all categories. These tools often leave you with a substantial amount of manual work and a lingering feeling of ‘they’re just not quite there’. It’s important to remember that while tools aid in compliance, they are not a complete solution.

Our journey with the Essential 8 has been enlightening, challenging, and ultimately rewarding. As we continue to evolve our cybersecurity practices, we remain dedicated to safeguarding our digital assets and those of our clients.