The Australian Signals Directorate (ASD) is the overarching agency that incorporates the Australian Cyber Security Centre (ACSC), the government’s technical cybersecurity authority. In 2018, the ASD became a statutory agency, assuming responsibility for the Computer Emergency Response Team Australia and the Digital Transformation Agency.
As part of the agency’s mission to improve Australian cybersecurity, it established a series of strategies to help organisations mitigate cyber threat risks. Through this process, it established the Essential Eight, a set of fundamental security practices aligned to a maturity model. By understanding what the Essential Eight practices are and how they fit into the larger Australian data protection regulatory framework, organisations can improve their security posture and manage compliance more effectively.
What is the Essential Eight?
First published in 2017, the Essential Eight consists of the critical mitigation strategies that the ASD ACSC views as the baseline capabilities for protecting against cyberthreats. At a high level, the Essential Eight consists of the following:
- Patch applications
- Patch operating systems
- Multi-factor authentication (MFA)
- Restrict administrative privileges
- Application control
- Restrict Microsoft Office macros
- User application hardening
- Regular backups
How does the Essential Eight fit into broader Australian compliance?
The Essential Eight is a framework that organisations can use as the foundation for achieving their larger compliance objective since many regulations map to these baseline mitigation strategies.
Security of Critical Infrastructure Act 2018 (SOCI)
This national security law affects critical infrastructure entities, requiring them to manage cyber and operational risk as a way to protect Australia’s economy and security. SOCI Risk Management Programs (RMPs) often require ACSC baseline controls, which frequently include Essential Eight maturity targets.
This regulation affects the following sectors:
- Energy
- Water
- Transport
- Communications
- Data storage / processing
- Financial services
- Healthcare
- Food & grocery
- Space
- Defence industry
- Higher education & research
Privacy Act 1988 / Notifiable Data Breaches Scheme
This is Australia’s primary privacy law that outlines requirements for protecting personal data and mandatory breach notification. While not specifically referenced, the Essential Eight is commonly used as a “reasonable security control baseline.”
The Privacy Act covers personal information and applies to organisations with an annual turnover of more than $3 million, as well as to the following small businesses with an annual turnover of $3 million or less:
- Private sector health service providers
- Businesses that sell or purchase personal information
- Credit reporting bodies
- Contracted service providers for Australian Government contracts
- Employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009
- Businesses that hold accreditation under the Consumer Data Right System
- Businesses that opted-in to the Privacy Act
- Businesses related to a business that falls within the Privacy Act
- Businesses prescribed by the Privacy Regulation of 2013
What is the Essential Eight Maturity Model?
The Essential Eight Maturity Model sets out a series of stages so organisations can map out their risk mitigation strategies and iterate over time:
- Maturity Level Zero: Weaknesses exist in the organisation’s overall security posture that could facilitate a compromise of data confidentiality, integrity, or availability.
- Maturity Level One: Mitigations that respond to malicious actors leveraging widely available commodity tradecraft and opportunistically targeting common weaknesses.
- Maturity Level Two: Mitigations that respond to malicious actors who are more selective about their targets, investing more time into a target and using more effective tools.
- Maturity Level Three: Mitigations that respond to adaptive malicious actors who rely less on public tools and techniques, focus on particular targets, and invest some effort into evading technical controls.
Understanding the ASD ACSC mitigation strategies
The ASD ACSC sets out various strategies to mitigate cybersecurity incidents, categorizing them by their relative security effectiveness rating.
Essential
The Essential Eight are the eight fundamental strategies that are the risk mitigation baselines.
The essential mitigations for preventing malware delivery and execution are:
- Application controls that prevent the execution of unapproved programs.
- Patching applications.
- Configuring Microsoft Office macro settings.
- User application hardening.
The essential mitigations for limiting an incident’s extent are:
- Restrict administrative privileges.
- Patch operating systems.
- Multi-factor authentication.
The essential mitigation for recovering data is:
- Regularly backing up important data, software, and configurations.
Excellent
Beyond the initial Essential Eight, the ASD ACSC outlines various excellent mitigations that can reduce an incident’s likelihood or impact.
The mitigations ranked as excellent at preventing malware delivery are:
- Automated dynamic analysis of email/web content (sandboxing).
- Email content filtering.
- Web content filtering.
- Denying corporate computers direct internet connectivity.
- Operating system exploit mitigations (DEP, ASLR, EMET).
The mitigations ranked as excellent at limiting incident impact are:
- Disabling local administrator accounts or ensuring unique passwords.
- Network segmentation.
- Protecting authentication credentials.
The mitigation ranked as excellent at detecting incidents is:
- Continuous incident detection and response with automated analysis and centralised logging.
Very Good
As organisations seek to iterate their security programs, they can incorporate the additional mitigations described as very good.
The mitigations ranked as very good at preventing malware delivery are:
- Server application hardening.
- Operating system hardening.
- Antivirus using heuristics/reputation.
- Control removable storage media and connected devices.
- Block spoofed emails (SPF/DMARC).
The mitigations ranked as very good at limiting incident extent are:
- Non-persistent sandboxed environments for risky activities.
- Software-based application firewalls for managing and monitoring incoming traffic.
- Software-based application firewalls for managing and monitoring outgoing traffic.
- Outbound web and email data loss prevention.
The mitigations ranked as very good at detecting incidents are:
- Host-based intrusion detection/prevention.
- Endpoint detection and response (EDR).
- Hunt to discover incidents using threat intelligence.
The mitigations ranked as very good at recovery are:
- Business continuity and disaster recovery plans.
- System recovery capabilities.
The mitigation ranked as very good at insider risk is:
- Personnel management, including vetting, account termination, and explaining security obligations.
Good
The ASD ACSC only ranks one mitigation as good:
- User education, including phishing awareness, password hygiene, and removable media policies.
Limited Effectiveness
The ASD ACSC ranks the following security incident mitigation activities as having limited effectiveness:
- Signature-based antivirus
- TLS encryption between email servers
- Network-based intrusion detection/prevention systems (NIDS/NIPS)
- Capture network traffic for analysis
Best Practices for Implementing and Monitoring the ASD ACSC Mitigations
For organisations seeking to implement the Essential Eight and other cybersecurity mitigation strategies, the following best practices offer a way to plan the process.
Centralise Logs from Across the Environment
Centralizing, normalizing, and correlating logs generated by the organisation’s IT and security technology stacks enables security teams to gain visibility into the effectiveness of their mitigation strategies.
Using a security information and event management (SIEM) solution as a single location for managing logs enables organisations to correlate data from:
- Operating systems.
- Authentication systems.
- Endpoints.
- Network devices.
- Cloud services.
- Security tools.
By correlating log data from these diverse sources, organisations can monitor the effectiveness of their ACSC mitigation controls around:
- Application control.
- Restricting administrative privileges.
- Multi-factor authentication.
- Patch management monitoring.
Implement Audit Trails for Security-Relevant Events
Audit logs provide the verifiable security activity record that security operations and compliance require. Effective audit logging should answer the following questions:
- What action occurred?
- Who performed the action?
- When did the action take place?
- Where did the activity originate?
- What system or resource did the activity impact?
These logs support forensic investigations, accountability, and regulatory evidence. For organisations implementing the ACSC mitigation strategies, this process enables visibility into and documentation around:
- Privilege escalation.
- Configuration changes.
- Login attempts and MFA failures.
- Software installation.
- Patch deployments.
Monitor User Behavior and Privileged Activity
User behavior and activity monitoring enables organisations to detect policy violations or compromised accounts faster. By establishing baseline behavior and monitoring for deviations, organisations can detect security incidents with insight into:
- Credential misuse.
- Insider threats.
- Abnormal access patterns.
- Unauthorised configuration changes.
As organisations work to implement the Essential Eight and then mature their security programs further, monitoring privileged user access enables them to track the effectiveness of:
- Restricting administrative privileges.
- Multi-factor authentication.
- Credential protection controls.
Track Configuration and Infrastructure Changes
Modern environments consist of dynamic systems that can easily drift from baseline configurations. Monitoring infrastructure activity enables organisations to detect:
- Unauthorised firewall changes.
- New privileged accounts.
- Cloud configuration modifications.
- Policy changes affecting security posture.
This visibility supports ACSC mitigations like:
- System hardening, including user applications, operating systems, and servers.
- Network segmentation.
- Administrative access control.
Use Correlation and Enrichment to Prioritise Risk
By centralizing log data in a single solution, organisations can gain insights by augmenting the raw logs with context. Correlating enriched log events allows teams to prioritise high-risk security alerts and reduce false positives, improving investigation speed and accuracy. Some examples of context that organisations should apply to their data include:
- User identity.
- Geolocation.
- Asset classification.
- Threat intelligence.
- User and asset risk scores.
Adding context to log data helps organisations align with ACSC mitigation strategies like identifying:
- Suspicious login behavior.
- Lateral movement.
- Malware execution.
- Exploit attempts.
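The audit-trail and enrichment ideas above (who/what/when/where/impact records, augmented with asset classification, user risk and threat intelligence, then correlated to surface MFA-failure bursts that precede privilege escalation) as a small added example; this is illustrative code written for this article, not Graylog’s or the ACSC’s, and every event, asset class, risk score and indicator in it is constructed placeholder data.

```python
from collections import defaultdict
# Constructed sample audit events (not real logs); each answers the article's
# what / who / when / where / what-was-impacted questions.
EVENTS = [
    {"what": "mfa_failure", "who": "jsmith", "when": 100, "where": "203.0.113.7", "target": "vpn-gw01"},
    {"what": "mfa_failure", "who": "jsmith", "when": 130, "where": "203.0.113.7", "target": "vpn-gw01"},
    {"what": "mfa_failure", "who": "jsmith", "when": 160, "where": "203.0.113.7", "target": "vpn-gw01"},
    {"what": "privilege_escalation", "who": "jsmith", "when": 400, "where": "10.0.0.5", "target": "dc01"},
    {"what": "software_install", "who": "amy", "when": 520, "where": "10.0.0.9", "target": "wks-0042"},
]
# Constructed enrichment context (placeholder asset classes, user risk, intel).
ASSET_CLASS = {"dc01": "critical", "vpn-gw01": "high", "wks-0042": "low"}
USER_RISK = {"jsmith": 40, "amy": 5}
THREAT_INTEL_IPS = {"203.0.113.7"}
ASSET_WEIGHT = {"critical": 40, "high": 20, "low": 5}
EVENT_WEIGHT = {"privilege_escalation": 30, "mfa_failure": 10, "software_install": 10}

def enrich(event):
    """Copy the event and add identity, asset and threat-intel context."""
    e = dict(event)
    e["asset_class"] = ASSET_CLASS.get(e["target"], "unknown")
    e["user_risk"] = USER_RISK.get(e["who"], 0)
    e["intel_hit"] = e["where"] in THREAT_INTEL_IPS
    return e

def score(e):
    """Risk = event weight + asset criticality + user risk, +25 on an intel match."""
    s = EVENT_WEIGHT.get(e["what"], 0) + ASSET_WEIGHT.get(e["asset_class"], 10) + e["user_risk"]
    return s + 25 if e["intel_hit"] else s

def correlate(enriched, window=300, threshold=3):
    """Alert on >= threshold MFA failures per user within `window` seconds; the
    alert is 'high' if that user later performs a privilege escalation."""
    by_user = defaultdict(list)
    for e in sorted(enriched, key=lambda e: e["when"]):
        by_user[e["who"]].append(e)
    alerts = []
    for who, evs in by_user.items():
        fails = [e["when"] for e in evs if e["what"] == "mfa_failure"]
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                esc = any(e["what"] == "privilege_escalation" and e["when"] > fails[i] for e in evs)
                alerts.append({"who": who, "severity": "high" if esc else "medium"})
                break  # one alert per user is enough
    return alerts

def prioritise(events):
    """Enrich and rank events (highest risk first) and return correlated alerts."""
    enriched = [enrich(e) for e in events]
    return sorted(enriched, key=score, reverse=True), correlate(enriched)
```

In a SIEM the same enrichment lookups would be table or API lookups rather than in-memory dictionaries, but the ranking and correlation logic is what turns raw audit records into a prioritised queue.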
Automate Compliance Reporting and Dashboards
Security and compliance teams often struggle to prove that controls function as intended. A SIEM enables these teams to:
- Generate compliance dashboards.
- Create scheduled reports.
- Visualise security trends.
- Provide documentation to auditors.
Teams can use these dashboards to build reports around ACSC mitigations like:
- Privileged account activity.
- Patch status.
- Authentication failures.
- Endpoint protection alerts.
Graylog: Essential Eight Monitoring Done Right
Using Graylog, organisations can accelerate compliance readiness by using our cloud-native capabilities and out-of-the-box content to gain immediate value from their logs. Our anomaly detection ML improves over time without manual tuning, adapting rapidly to new data sets, organisational priorities, and custom use cases so that you can automate key user and entity access monitoring.
Our purposeful approach to AI-powered security operations speeds up investigations, reduces errors, and gives teams confidence in their decision-making capabilities. With Graylog’s context-rich investigations, threat-smart prioritisation, and frictionless workflows, security teams cut through noise and reduce alert fatigue, all while documenting their security controls’ effectiveness and response activities to achieve compliance outcomes.