
Risk & Compliance Guide

Essential 8 Security Controls


How Huntsman Security measures effectiveness
Risk & Compliance Guide | Essential 8 Security Monitoring

Essential 8 Security Controls – Determine your organisation's alignment

According to the Australian Cyber Security Centre (ACSC), implementing its Essential 8 cyber security framework mitigates 85% of targeted cyber intrusions. It is the baseline security posture currently recommended by the Australian Government.

There are a number of cyber security frameworks in use around the world, many of which have significant similarities to Australia's ACSC Essential 8, including the NCSC Top 10 (UK) and NIST (USA). The eight security controls that make up the Essential 8 framework are the fundamental mitigation strategies required to protect your organisation.

What the Essential 8 Framework covers

Essential 8 Security Controls

Prevents attacks:
• Application whitelisting
• Patch applications
• Disable untrusted Microsoft Office macros
• User application hardening

Limits extent of attacks:
• Restrict administrative privileges
• Patching operating systems
• Multi-factor authentication

Recovers data & system availability:
• Daily backup of important data


Essential 8 Principles
Below are the core principles of the Essential 8:

1. The costs of compromise can be more expensive than preventative measures. Implementing the Essential 8 mitigation strategies can save organisations considerable time, money, effort and reputational damage compared to cleaning up after a compromise.

2. While no single mitigation strategy is guaranteed to prevent cyber security incidents, ACSC recommends organisations implement a package of the eight essential strategies as a baseline. This baseline makes it much harder for adversaries to compromise systems.

3. Before implementing the strategies, organisations need to identify their assets and perform a risk assessment to identify the level of protection required from cyber threats.


Establishing your Baseline Cyber Security Posture


To develop your alignment to the Essential 8, you first need to establish your current cyber posture against the controls, i.e. which controls are in place and how effective they are. If you have not implemented some or all of the strategies, the road map below gives an overview of how to get started.

Stage 1: Planning
Establishing a current, objective view of your organisation’s alignment to the Essential 8
can be challenging and time consuming. Huntsman Security’s Essential 8 Auditor is a
product that has been designed for this purpose.

"The Essential 8 Auditor delivers a snapshot-in-time view of your cyber posture."


The agentless, self-installed software delivers a snapshot-in-time view of your Essential 8 coverage and compliance, so that you can simply and quickly identify gaps and plan for implementation and improvement of the controls. Below is an excerpt from the report for the Application Whitelisting control.

[Figure: Essential 8 Auditor – Application Whitelisting snapshot]

Stage 2: Implementation & Ongoing Monitoring of the Essential 8


Once your organisation has established a plan for implementing and improving its
cyber resilience, you need to determine how you are going to track the ongoing
effectiveness of your security controls against the Essential 8. Protecting your
organisation’s key assets is vital; the dynamic nature of your environment and
those that you interact with means that a current, robust position today may be
compromised with vulnerabilities tomorrow.

In order to maintain a continuous view of your compliance to the Essential 8, Huntsman Security has created the Essential 8 Scorecard.

"The Essential 8 Scorecard provides measurement, and enables management, of cyber risk."


A stand-alone product, the Essential 8 Scorecard provides an ongoing view of your compliance to the ACSC Essential 8 controls. The capability delivers:

• Real-time monitoring for continuous measurement of compliance status;


• Cyber Security KPIs – objective performance metrics for each of the eight controls;
• Automated reporting - Live Dashboard and Weekly Control Reports;
• Senior Executive reporting suitable for Risk Management, Cyber Audit and Annual
Attestation requirements;
• Alerts when non-compliance, or potential risks, occur (contextualised for your
environment, enabling calculation of % compliance);
• Trend reporting to show performance over time.

[Figure: Essential 8 Scorecard – Senior Executive Risk Report]


Alignment with the Essential 8 Security Controls

How the Essential 8 Scorecard monitors each control:

Mitigation strategies to prevent malware delivery and execution

Application whitelisting
The scorecard collects and monitors logs from all endpoints. From these logs it can alert in real time on applications that have been executed or blocked on the endpoint, and its reporting provides a full list of prohibited or unauthorised software executed by privileged users. Pre-defined actions such as logging off the user or quarantining the endpoint can be taken automatically when an unauthorised application is executed.

Patch applications
The scorecard monitors application versions. For example, using the correlation engine, it can alert if an endpoint is not running the latest signature version or if Windows updates have not been applied.

Disable untrusted Microsoft Office macros
Microsoft Office applications use macros to automate routine tasks, but macros can also carry malicious code that compromises endpoint devices and gains unauthorised access. By monitoring application logs, the scorecard can alert on endpoints that exhibit abnormal behaviour patterns and may be infected or compromised. It can also report on macro execution on endpoint devices by monitoring endpoint process events.

User application hardening
Blocking Internet-based Java code and untrusted macros, and disabling unneeded web browser features, raises application security. The scorecard can identify applications targeted through malicious web pages or attachments and monitor removable media. It can also monitor policy changes to ensure that the hardening policy applied to user applications is not altered.

Mitigation strategies to limit the extent of cyber security incidents

Restrict administrative privileges
The scorecard monitors authentication events from endpoints (wired and wireless), Active Directory and network devices, and alerts and reports on highly privileged account activity. All administrative actions are audited and reported on, and alerts can be generated when administrators perform unauthorised actions. Pre-defined actions such as logging off the user or quarantining the endpoint can be taken automatically when an unauthorised action is performed.

Patch operating systems
Operating system patching can be managed with System Center Configuration Manager (SCCM) or Windows Server Update Services (WSUS). The scorecard collects endpoint and server logs, reports on devices that are not at the latest patch level, and alerts on unsuccessful Windows updates.

Multi-factor authentication
The scorecard monitors a number of multi-factor authentication options, for example smart cards, passwords, user certificates and tokens (VASCO/RSA), and gives early warning of brute-force and password-guessing attacks.

Mitigation strategies to recover data and system availability

Daily backup of important data
Daily backup of critical system configuration settings and data is a sound disaster recovery strategy during a security incident. The scorecard collects logs from backup devices, alerts on the health of backups, and reports on who has accessed the backup device.
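The table above describes the scorecard in terms of what it alerts on, not how such logic works over raw events. The following is an added example, not Huntsman Security code and not the Essential 8 Scorecard: a small Python monitor for two of the controls, run over constructed Windows event records. For application whitelisting it uses the real AppLocker "EXE and DLL" event IDs (8002 allowed, 8003 audit-only "would have been blocked", 8004 blocked) to list unauthorised executions, attribute them to privileged accounts and derive an enforcement-coverage percentage; for multi-factor authentication it gives an early brute-force warning from Security event 4625 (failed logon) bursts per account and source. The sample events, the privileged-account list, the thresholds and the quarantine/alert response policy are all assumptions made for the example.

```python
"""Toy Essential 8 control monitor run over constructed Windows event records.

Added example; not Huntsman Security's code and not the Essential 8 Scorecard.
Real Windows event IDs are used, but the records, the privileged-account
list, the thresholds and the response policy are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): a flattened subset of the
# Windows event XML. AppLocker events carry user/path; 4625 events carry the
# target account and the source address.
EVENTS = [
    {"ts": "2019-05-01T09:00:01", "host": "WS01", "id": 8002, "user": "CORP\\alice",
     "path": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
    {"ts": "2019-05-01T09:00:05", "host": "WS01", "id": 8004, "user": "CORP\\alice",
     "path": "C:\\Users\\alice\\Downloads\\setup.exe"},
    {"ts": "2019-05-01T09:01:10", "host": "WS02", "id": 8003, "user": "CORP\\svc-admin",
     "path": "C:\\Temp\\tool.exe"},
    {"ts": "2019-05-01T09:02:00", "host": "WS02", "id": 8002, "user": "CORP\\svc-admin",
     "path": "C:\\Windows\\System32\\cmd.exe"},
]
# Six failed logons for one account from one source within half a minute,
# plus two isolated failures for another account that must not trigger.
EVENTS += [
    {"ts": f"2019-05-01T09:10:{10 + 5 * i:02d}", "host": "DC01", "id": 4625,
     "user": "CORP\\bob", "src": "10.0.0.5"} for i in range(6)
]
EVENTS += [
    {"ts": "2019-05-01T09:30:00", "host": "DC01", "id": 4625, "user": "CORP\\carol", "src": "10.0.0.9"},
    {"ts": "2019-05-01T09:45:00", "host": "DC01", "id": 4625, "user": "CORP\\carol", "src": "10.0.0.9"},
]

PRIVILEGED_ACCOUNTS = {"CORP\\svc-admin"}   # assumption: accounts treated as privileged
BRUTE_FORCE_THRESHOLD = 5                   # assumption: failures per window that raise an alert
BRUTE_FORCE_WINDOW = timedelta(minutes=5)   # assumption: sliding window length

# AppLocker "EXE and DLL" channel event IDs.
APPLOCKER_STATUS = {8002: "allowed", 8003: "audit_would_block", 8004: "blocked"}


def whitelisting_findings(events):
    """Unauthorised executions: anything AppLocker blocked (8004) or would have
    blocked had the policy been enforced (8003), tagged with whether the user is
    privileged and the response the example policy would take."""
    findings = []
    for e in events:
        status = APPLOCKER_STATUS.get(e["id"])
        if status in ("blocked", "audit_would_block"):
            privileged = e["user"] in PRIVILEGED_ACCOUNTS
            findings.append({
                "host": e["host"], "user": e["user"], "path": e["path"],
                "status": status, "privileged": privileged,
                # Example response policy: quarantine the endpoint when a
                # privileged account ran something the policy does not allow.
                "action": "quarantine_endpoint" if privileged else "alert",
            })
    return findings


def whitelisting_compliance(events):
    """Percent of endpoints that reported AppLocker events and never produced an
    audit-only 8003, i.e. are running the whitelisting policy in enforce mode."""
    hosts = {e["host"] for e in events if e["id"] in APPLOCKER_STATUS}
    audit_only = {e["host"] for e in events if e["id"] == 8003}
    if not hosts:
        return 0.0
    return round(100.0 * (len(hosts) - len(audit_only)) / len(hosts), 1)


def brute_force_alerts(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Sliding-window count of 4625 failed logons per (account, source).
    One alert per key, raised the first time the window holds `threshold`
    failures; a few scattered failures never reach the threshold."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] == 4625:
            failures[(e["user"], e["src"])].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for (user, src), times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "src": src, "count": end - start + 1,
                               "first": times[start].isoformat(), "last": t.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for f in whitelisting_findings(EVENTS):
        print("WHITELIST", f)
    print("whitelisting enforcement coverage: %.1f%%" % whitelisting_compliance(EVENTS))
    for a in brute_force_alerts(EVENTS):
        print("BRUTE-FORCE", a)
```

Two design points carry over to a real deployment. An 8003 event is the more important whitelisting finding than an 8004: the block worked, but 8003 means the host is still in audit mode and the control is not actually enforced there, which is why the coverage figure counts hosts, not events. For the brute-force check, keying on account and source together keeps a single noisy user from hiding a distributed guess, while a real monitor would also add a per-account key to catch guesses spread across many sources.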

Want to find out more?
For more information on measuring the effectiveness of your cyber security
controls, please contact the appropriate Huntsman Security office listed on
the back cover.

About Huntsman Security


Huntsman Security is the trading name of Tier-3 Pty Ltd. The technology’s heritage lies
in delivering a key foundation stone of the cyber security risk management, monitoring
and response capability in some of the most secure and sensitive environments
within the intelligence, defence and criminal justice networks across the world, where
Huntsman Security solutions are deployed and accredited to the highest security levels.

HUNTSMAN | TIER-3 PTY LTD

ASIA PACIFIC
t: +61 2 9419 3200
e: info@huntsmansecurity.com
Level 2, 11 Help Street
Chatswood NSW 2067

EMEA
t: +44 845 222 2010
e: ukinfo@huntsmansecurity.com
7-10 Adam Street, Strand
London WC2N 6AA

NORTH ASIA
t: +81 3 5953 8430
e: info@huntsmansecurity.com
Awajicho Ekimae Building 5F
1-2-7 Kanda Sudacho
Chiyodaku, Tokyo 101-0041

huntsmansecurity.com | linkedin.com/company/tier-3-pty-ltd

© 2019 Tier-3 Pty Ltd, All rights reserved
