The Essential Eight
Application Control
Compliance Statements
The Essential Eight Overview
The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies are the Essential Eight.
Essential Eight Explained
The Essential Eight has been designed to protect organisations’ internet-connected information technology networks. While the principles behind the Essential Eight may be applied to enterprise mobility and operational technology networks, it was not designed for such purposes and alternative mitigation strategies may be more appropriate to defend against unique cyber threats to these environments.
The Essential Eight Maturity Model, first published in June 2017 and updated regularly, supports the implementation of the Essential Eight. It is based on ASD’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight.
The Essential Eight
The mitigation strategies that constitute the Essential Eight are:
- Patch applications
- Patch operating systems
- Multi-factor authentication
- Restrict administrative privileges
- Application control
- Restrict Microsoft Office macros
- User application hardening
- Regular backups
Airlock Digital & Essential Eight
The following list presents Airlock Digital's compliance statements against the ACSC Essential Eight Security Model for Application Control.
Maturity Level 1
Controls
Application control is implemented on workstations.
Statement
Airlock supports installation on workstation endpoints and makes easy-to-administer application control a reality.
Airlock performs application control on all folders (including user profiles and temporary folders) by default.
Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.
Maturity Level 2
Controls
Application control is implemented on internet-facing servers.
Statement
Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers and email clients.
Microsoft’s recommended application blocklist is implemented.
Application control rulesets are validated on an annual or more frequent basis.
Airlock does not provide any functionality within the software to delete or modify events that have been logged; this is by design.
Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.
Alerting can be placed upon Execution History logs and Server Activity History messages to automatically raise events as per the organisation's requirements. Log data is easy to view within the platform and can be forwarded to third-party SIEM platforms if desired.
Cyber security events are analysed in a timely manner to identify cyber security incidents.
Known suspicious and malicious file detections can be configured to raise automatic alerts via email and SIEM platforms, as per the organisation's requirements.
Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.
Airlock data within the platform can be easily exported in industry-standard formats (CSV, XML, etc.) in order to support reporting and data sharing.
Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.
Airlock data within the platform can be easily exported in industry-standard formats (CSV, XML, etc.) in order to support reporting and data sharing.
Following the identification of a cyber security incident, the cyber security incident response plan is enacted.
Airlock enables organisations to proactively support incident identification and proactive 'hardening' of operating systems through its blocklist capabilities.
Maturity Level 3
Controls
Application control is implemented on non-internet-facing servers.
Statement
Airlock can be installed on a wide variety of operating system types and can operate on both internet-connected and non-internet-connected (air-gapped) servers.
Application control restricts the execution of drivers to an organisation-approved set.
Airlock is designed to fully comply with this control; most importantly, Airlock Digital as a vendor does not define what an organisation 'trusts' within policy. At all times, Airlock Digital policies are confined to an organisation-approved set. Driver loads are also controlled by the Airlock agent, even if the drivers load in a highly privileged context.
Microsoft’s vulnerable driver blocklist is implemented.
Airlock includes the Microsoft Recommended Driver Block Rules as a Predefined Blocklist package within the software, which can be imported and applied to policy.
Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.
Alerting can be placed upon Execution History logs and Server Activity History messages to automatically raise events as per the organisation's requirements. Log data is easy to view within the platform and can be forwarded to third-party SIEM platforms if desired.
Event logs from workstations are analysed in a timely manner to detect cyber security events.
Alerting can be placed upon Execution History logs and Server Activity History messages to automatically raise events as per the organisation's requirements. Log data is easy to view within the platform and can be forwarded to third-party SIEM platforms if desired.
Note: Higher-level requirements are in addition to those of lower levels. For example, to reach maturity level two you must also meet the requirements of maturity level one.
These answers are modelled on the November 2023 revision of the Essential 8 Maturity Model.