The Essential Eight

Application Control
Compliance Statements


Understanding Essential Eight Compliance

The Essential Eight Overview

The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies are the Essential Eight.

Essential Eight Explained

The Essential Eight has been designed to protect organisations’ internet-connected information technology networks. While the principles behind the Essential Eight may be applied to enterprise mobility and operational technology networks, it was not designed for such purposes and alternative mitigation strategies may be more appropriate to defend against unique cyber threats to these environments.


The Essential Eight Maturity Model, first published in June 2017 and updated regularly, supports the implementation of the Essential Eight. It is based on ASD’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight.

The Essential Eight

The mitigation strategies that constitute the Essential Eight are:

  • Patch applications
  • Patch operating systems
  • Multi-factor authentication
  • Restrict administrative privileges
  • Application control
  • Restrict Microsoft Office macros
  • User application hardening
  • Regular backups

Airlock Digital and Compliance

Airlock Digital & Essential Eight

The following list sets out Airlock Digital's compliance statements against the ACSC Essential Eight Security Model for Application Control.

Maturity Level 1

Controls

Application control is implemented on workstations.

Statement

Airlock supports installation on workstation endpoints and makes easy-to-administer application control a reality.

Application control is applied to user profiles and temporary folders used by operating systems, web browsers, and email clients.

Airlock performs application control on all folders (including user profiles and temporary folders) by default.

Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.

Airlock enforces application control for all file types listed in the corresponding requirement. Administrators must enable 'Script Control' within policy to gain full coverage of script file type enforcement.

Maturity Level 2

Controls

Application control is implemented on internet-facing servers.

Statement

Airlock can be installed on a wide variety of operating system types and can operate on both internet-connected and non-internet-connected (air-gapped) servers.

Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers and email clients.

Airlock performs application control on all system locations by default, including operating system folders and program folders.

Microsoft’s recommended application blocklist is implemented.

Airlock includes the Microsoft Recommended Block Rules as a Predefined Blocklist package within the software, which can be imported and applied to policy.

Application control rulesets are validated on an annual or more frequent basis.

Centralised visibility of all allowed and blocked executions enables customers to validate the application control rulesets as frequently as desired. Additionally, trusted execution logging can be enabled to 'audit' rules that are in place to assist with the rule decommissioning process.

Allowed and blocked application control events are centrally logged.

All blocked execution events are centrally logged to the Airlock server from all clients by default. Centralised logging of allowed executions is performed when an administrator enables the 'Trusted Execution (Summary)' logging feature.

Event logs are protected from unauthorised modification and deletion.

Airlock does not provide any functionality within the software to delete or modify events that have been logged; this is by design.

Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.

Alerting can be placed upon Execution History logs and Server Activity History messages to automatically raise events as per the organisation's requirements. Log data is easy to view within the platform and can be forwarded to third-party SIEM platforms if desired.

Cyber security events are analysed in a timely manner to identify cyber security incidents.

Known suspicious and malicious file detections can be configured to raise automatic alerts via email and SIEM platforms, as per the organisation's requirements.

Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.

Airlock data within the platform can be easily exported in industry standard formats (CSV, XML etc.) in order to support reporting and data sharing.

Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.

Airlock data within the platform can be easily exported in industry standard formats (CSV, XML etc.) in order to support reporting and data sharing.

Following the identification of a cyber security incident, the cyber security incident response plan is enacted.

Airlock enables organisations to proactively support incident identification and proactive 'hardening' of operating systems through its blocklist capabilities.

Maturity Level 3

Controls

Application control is implemented on non-internet-facing servers.

Statement

Airlock can be installed on a wide variety of operating system types and can operate on both internet-connected and non-internet-connected (air-gapped) servers.

Application control restricts the execution of drivers to an organisation-approved set.

Airlock is designed to fully comply with this control. Most importantly, Airlock Digital as a vendor does not define what an organisation 'trusts' within policy. At all times, Airlock Digital policies are confined to an organisation-approved set. Driver loads are also controlled by the Airlock agent, even if the drivers load in a highly privileged context.

Microsoft’s vulnerable driver blocklist is implemented.

Airlock includes the Microsoft Recommended Driver Block Rules as a Predefined Blocklist package within the software which can be imported and applied to policy.

Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.

Alerting can be placed upon Execution History logs and Server Activity History messages to automatically raise events as per the organisation's requirements. Log data is easy to view within the platform and can be forwarded to third-party SIEM platforms if desired.

Event logs from workstations are analysed in a timely manner to detect cyber security events.

Alerting can be placed upon Execution History logs and Server Activity History messages to automatically raise events as per the organisation's requirements. Log data is easy to view within the platform and can be forwarded to third-party SIEM platforms if desired.

Note: Higher-level requirements are in addition to those of lower levels. For example, to reach maturity level two you must also meet the requirements of maturity level one.

These answers are modelled on the November 2023 revision of the Essential 8 Maturity Model.