ASD8 – Implementing Australian Signals Directorate Essential Eight with Microsoft.
Introducing ASD8 and Microsoft
The Australian signals Directorate has been a frontrunner in creating, guiding and improving the cyber security posture of Australian Government and non government entities, through the Essential 8 cyber security controls which I have previously covered here and here are critical starting points for not just Australian businesses, but all businesses.
Personal comment: I would add to the Essential 8, User awareness training and web / email protection as the number one attack vector is email, but it is nevertheless a good starting point.
The ASD8 supports two of the three most prominent attack sources, as I have previously mentioned though, email security must be implemented for all businesses.
Kicksec’s ASD8 information
First, the purpose of the following post is to supply my readers with details and information that will support your implementation of the ASD Essential 8 cyber security controls, I get asked regularly for information and have decided that a blog post would be the best way to put this information together. This is not a prescriptive guide just a place to collect together what I have found over time.
Second, always be wary of vendors touting ASD Essential 8 solutions without providing the detail behind it, because once you dig into the depths (which one day I will write about) their are some very prescriptive requirements that vendors will gloss over and not be able to support. Even Microsoft here are not suitable across all 8 controls at Maturity level 3 without significant effort on your part to manage – and may still fall short, an example of this is “Third party patching” Microsoft have some capabilities here, but they are neither easy (SCCM) or complete (Intune Suite) across all platforms.
Finally, the Australian Signals Directorate Essential Eight is not a competition, if your business is not sure that they must get to Maturity level 3 (ML3) across the Eight controls, then you do not need to get to ML3, its that simple, Maturity Level 1 (ML1) is security basics, and Maturity Level 2 (ML2) is a good aspirational goal for many businesses. The higher the level, the more restrictive the operating environment becomes for users.
The information
The Australian Signals Directorate website itself has some great references in collaboration with Microsoft on how to configure a Microsoft environment.
https://blueprint.asd.gov.au/security-and-governance/essential-eight provides a starting point for configuring the eight controls.
This spreadsheet is a few years old but it also supports what capability should be enabled for each control with the ASD8 as well, you can find it here.
Another document with useful information regarding the ASD8 with Microsoft 365 is here:
http://kicksec.io/wp-content/uploads/2024/06/Implement-the-ACSC-Essential-8-with-Microsoft-365.pdf
ASD8 Areas where third party solutions are preferred
There are a few areas where my personal opinion is that third parties are a better option. Full disclaimer, I am employed by a company that resells or Distributes these technologies but you can do your own research on the best options.
Microsoft discusses both Microsoft 365 Business premium and Microsoft 365 E5 as being licenses that support the ASD8 journey, this is correct but somewhat nuanced.
The only license that supports significant ASD8 uplift is Microsoft 365 E5 or Microsoft 365 E3 + E5 security, Business premium does not support Office macro configuration to the required extent of the framework as I wrote about earlier.
Patch Applications, third party applications are not easily patched within the timeframes required by the ASD8, 2 weeks or 48 hours / internal vs external and depending on Maturity level. My solution of choice here is Automox, because Automox provides fast and granular patching across most common operating systems. There are several others available so please do your research as you may already own the capability but not be utilising it.
Microsoft does have capability here and it can work ok if the applications are very standardised through Systems Center Configuration Manager, Microsoft Intune Suite with application store – but without Automation.
Application allow / block listing, this control alone will significantly reduce your risk of Malware infecting a device if it gets through your email security (oh ASD8, why is email security missing?), the solution of choice that I recommend here is Airlock digital, the company is Australian (mostly) and is built from the ground up to do application control well. Updates, overrides for one time use, templating machines for easy learning are all a part of the solution.
Microsoft have two solutions, Applocker and Windows Defender Application Control, Applocker is going to go away one day and WDAC is not fully feature comparable yet. WDAC can work well and I have seen examples of this, but it is not easy and requires significant support unless the business has very limited apps. Microsoft do not provide 100% coverage here either, read this.
Not a part of the ASD Essential 8, but still critical is:
User Awareness training, Cyber security professionals sometimes dispute that this is a critical control, in my opinion it is, one less user clicking a phishing link or malware exe could be the difference between a compromise occurring or not. For user awareness my recommendation is usecure because usecure not only provides user awareness training but also helps with onboarding training, regulation training and so much more.
Microsoft Defender for Office 365 Plan 2 includes phishing awareness and training programs, but requires the stand alone license or an M365 E5 / E5 security license and does not provide other training capabilities.
Leave a Reply