Essential 8 Maturity Model - What's New?

In past blog posts we've covered strategies in the Essential 8. Today I thought I’d look at the recent changes to the Essential 8 Maturity Model.

The model provided by the Australian Signals directorate (ASD) by way of the Australian Cyber Security Centre (ACSC) helps businesses assess their maturity level and degree of compliance with the eight strategies. The model was revamped in early 2019 and went from five maturity levels for each strategy down to three. This simplification removed a level zero, which was basically a non-compliance level and was essentially redundant, and level four which was for extreme risk environments. For businesses falling into this category the recommendation is to now contact the ACSC for additional advice. The three remaining levels are defined as follows: If you're at maturity level one, you are partly aligned with the intent of the strategy, level 2 is mostly aligned and level 3 is fully aligned. The ACSC recommend that organisations should aim for level three for each mitigation strategy.

The ACSC has updated the new three level model a couple of times since February, most recently at the start of July. This latest update saw a reasonably significant change to the application whitelisting strategy. Application whitelisting only allows authorised programs to run and if implemented properly will stop malicious code running on a system. Its importance is illustrated by the fact that the ACSC know requires whitelisting to be implemented on all workstations and servers to reach the base level, maturity level 1.

The requirements for server whitelisting have been ramping up (and rightly so) whereas previously there was more of a focus on whitelisting for workstations. We've seen the model evolve from not requiring whitelisting on servers, to then requiring it on Active Directory and email servers, to finally requiring it on all servers. Maturity level three also now requires that Microsoft’s recommended block rules are implemented to prevent bypasses.

If you have implemented whitelisting but have not yet rolled it out to all servers, then the effort should not be considerable. This is assuming that a dedicated whitelisting package has already been implemented. Microsoft do have built in tools such as AppLocker, that are effective, however management can be difficult and purpose built product such as Airlock Digital are often the best bet.

In the latest maturity model backup restoration requirements have also changed. Level one now requires partial backup restoration be tested on an annual or more frequent basis as opposed to at least once. The restoration requirements have been updated on all levels to require more frequent restoration tests. In my experience backups often overlooked and fall down the list of priorities. Backups will not prevent a cyber security incident, but recovering from an incident and being able to restore data is certainly essential. If you use cloud systems, you may not have even considered backups, and whether or not you can recover data if it was encrypted or deleted. Reviewing the maturity model and ensuring backups of important data are at least at level one is a good start.

 The maturity model is a great way to quickly assess where you’re at in terms of the Essential 8 and help you focus energy and efforts. It gives you a place to start and a goal, just be aware it’s not a static document and is constantly evolving. Have you checked the model, what's your current maturity level?


Colin has over 20 years consulting experience working with organisations ranging from small business to large enterprises. He has consulted in the United Kingdom, Canada and Australia. He specialises in Microsoft based technology solutions, disaster recovery implementations and information security.