Implementing the ACSC Essential 8 with Microsoft 365
Alex Fields
I have had this request on my backburner for a while, and I finally got around to knocking it out: from a reader in the Land Down Under–Australia!
Update: Microsoft has a much-improved set of Learn articles on the Essential Eight, with detailed guidance on implementing the three Maturity Levels (MLs) for each of the Essential Eight security controls.
- ACSC Essential Eight – Overview
Have a look at these resources if you are looking for the “most bang for your security buck” so to speak.
The Australian Cyber Security Centre (ACSC) published Strategies to Mitigate Cyber Security Incidents some years back. The most effective of these strategies were identified as the “Essential 8” (last updated April 2020 at the time of this writing). These have a lot of visibility in Australia, and other organizations around the world have picked them up as well–they act as a sort of “baseline” or reference point for cyber incident mitigation efforts.
Above, I have mapped these to the CIS Controls so that you can see how implementing this list will also help you to meet (at least partially) specific sub-controls in other cyber security frameworks; or said another way: these are the CIS sub-controls you would focus on to move the needle on the Essential 8.
Even though it overlaps with areas in CIS, it is not a complete cyber security strategy on its own—remember that if you fail to meet the Basic CIS Controls up to at least the Implementation Group 1 maturity level, then other mitigation strategies may be undermined (for instance, without an accurate hardware and software inventory up front you cannot implement these strategies effectively across all of your systems). Yet, the Essential 8 can be seen as another way of prioritizing your risk reduction backlog.
No Detection Strategies?!
I was also initially surprised that none of the ACSC’s Mitigation Strategies to Detect Cyber Security Incidents and Respond made it into the Essentials list. I suspect this is due to the additional expense and pre-requirement for ongoing monitoring and human labor—which many small and mid-sized organizations simply have not had access to historically. I believe this should change within the next couple of years with more MSPs offering services focused around cybersecurity, including Incident Response. In any case, note that the Essentials as they stand today tend to focus primarily on Protect, rather than Detect and Respond.
Nevertheless, detection and response is going to be a very important area for you to focus on as a service provider—so do not lose sight of it!