In November 2023, the Australian Cyber Security Centre division of the Australian Signals Directorate made updates to its “Essential Eight” framework, a list of eight cyber security strategies designed to enhance an organization’s resilience against cyber threats.
The first two of the Essential Eight strategies address how organizations should approach patching applications and operating systems against the threat posed by vulnerabilities in the IT estate:
- Application patching: Recommendations for asset discovery, scanning, severity levels, patching cycles, and mitigation strategies for applications such as Office, PDF software, desktop client software, browsers, and security products.
- Operating system patching: Recommendations for asset discovery, scanning, severity levels, patching cycles, and mitigation strategies for operating systems depending on the criticality of the asset and the extent to which it is exposed to attack, for example, if it is an Internet-facing asset.
The recommendations contained in the two strategies are organized according to a set of Maturity Levels (from 0 to 3) with 3 representing the highest level of mitigation against attack.
These strategies are mandatory for public-sector organizations operating in Australia. However, with a record number of new vulnerabilities cataloged globally in 2024, corporate and public-sector organizations worldwide should consider their adoption. So, if you are implementing or assessing a vulnerability management program in your organization against Maturity Level 3 of the recommendations contained in the Essential Eight, here are the key areas to consider.
Discover assets
To comply with the Essential Eight’s recommendations for vulnerability and patch management, organizations are advised to deploy an automated method for discovering the assets in the estate on a fortnightly basis.
This is best achieved using a Cyber Asset Attack Surface Management (CAASM) solution. The CAASM solution serves as a definitive reference guide and management point, using a range of connectors to discover, build, and maintain a complete inventory of your network, server, and cloud assets.
Ideally, given the rapidly changing nature of the hybrid network, the CAASM solution should automatically discover assets more frequently than fortnightly, say every 24 hours. It should also maintain a comprehensive understanding of firewall and network security policy, rendering the network as a dynamic model that can be explored and queried to help you understand access paths and exposure and to prioritize remediations.
The right CAASM solution will also enable you to identify internet-facing assets with vulnerabilities that could be exploited and those that could be subject to lateral attacks, such as from supply chain partner networks or even insider threats.
Scan the attack surface
The recommendations mandate that organizations should scan for missing patches and the presence of vulnerabilities across the attack surface, including Office applications and browsers, online services, operating systems, and firmware.
One of the biggest challenges to effectively managing the scanning process is that most organizations deploy scanners from different vendors and use more than one threat intelligence feed to advise on new vulnerabilities that need patching. This can create substantial management overhead, as multiple reports need to be analyzed for vulnerabilities and threats, many of which are duplicates. A better way to scan the attack surface is to consolidate the output from all available scanners and intelligence feeds into a single authoritative list.
The most effective vulnerability management solutions do this by consolidating the output from multiple data sources and aggregating and de-duplicating the results to provide a master reference for driving the patch and vulnerability management program.
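To make the consolidation step concrete, here is an added example (not code from the original post or from any vendor's product) that normalizes findings from two constructed scanner exports with different field names and identifier formats, then merges them into one de-duplicated master list keyed by asset and CVE. The scanner names, field names and CVE placeholders are all constructed for illustration.

```python
# Constructed sample exports from two hypothetical scanners. The same finding
# appears in both with different field names, host casing and CVE casing.
# CVE identifiers are placeholders, not real CVE numbers.
SCANNER_A = [
    {"host": "web-01", "cve": "CVE-EXAMPLE-0001", "cvss": 9.8},
    {"host": "web-01", "cve": "CVE-EXAMPLE-0002", "cvss": 7.5},
    {"host": "db-01", "cve": "CVE-EXAMPLE-0003", "cvss": 5.3},
]
SCANNER_B = [
    {"asset": "WEB-01", "vuln_id": "cve-example-0001", "severity": 9.4},
    {"asset": "db-01", "vuln_id": "CVE-EXAMPLE-0004", "severity": 8.1},
]


def normalize_feed(records, host_key, id_key, score_key, source):
    """Map one scanner's records onto a common schema so they can be compared."""
    return [
        {
            "asset": rec[host_key].strip().lower(),
            "cve": rec[id_key].strip().upper(),
            "cvss": float(rec[score_key]),
            "sources": {source},
        }
        for rec in records
    ]


def consolidate(*feeds):
    """Merge normalized feeds into one authoritative list, de-duplicated on (asset, cve).

    Duplicates keep the highest reported CVSS and record every scanner that saw them,
    so the team analyzes one list instead of one report per scanner.
    """
    merged = {}
    for feed in feeds:
        for finding in feed:
            key = (finding["asset"], finding["cve"])
            if key in merged:
                merged[key]["cvss"] = max(merged[key]["cvss"], finding["cvss"])
                merged[key]["sources"] |= finding["sources"]
            else:
                merged[key] = dict(finding, sources=set(finding["sources"]))
    # Highest severity first; asset and CVE break ties deterministically.
    return sorted(merged.values(), key=lambda f: (-f["cvss"], f["asset"], f["cve"]))


def build_master_list():
    """Build the single authoritative list from both constructed scanner exports."""
    return consolidate(
        normalize_feed(SCANNER_A, "host", "cve", "cvss", "scanner_a"),
        normalize_feed(SCANNER_B, "asset", "vuln_id", "severity", "scanner_b"),
    )
```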
Detect vulnerabilities between scheduled scans
The recommendations also set out the frequency with which you should scan for missing patches and vulnerabilities, specifying daily, weekly, and fortnightly scan intervals, depending on factors such as the type of application or whether the asset is internet-facing.
These scan intervals provide a baseline for the vulnerability management program, but in any large organization, there will typically be areas of the network that cannot be scanned according to the schedule without negatively impacting network and business performance. In fact, there may even be air-gapped or segregated networks that cannot be scanned as part of any automated schedule.
An effective vulnerability program should enable you to meet the Essential Eight’s recommendations and augment the scheduled scanning cycles by using a vulnerability detector to detect missing patches between scans.
The detector can examine the attack surface model rather than the network, comparing the asset inventory with the latest threat intelligence to reveal new vulnerabilities in hours rather than days or weeks. Running the detector in this way provides advance warning of potential exposures ahead of the scheduled scanning cycle.
Prioritize mitigations according to risk
The Essential Eight highlights the importance of mitigating a vulnerability according to criticality (as defined by the CVSS score) and the extent to which it is being actively exploited in the wild.
This is a baseline for prioritizing which vulnerabilities to address, but it can leave you facing a seemingly insurmountable challenge. Using industry-standard metrics such as criticality and exploitability alone is likely to yield vast numbers of “must-fix” vulnerabilities, leaving the team overwhelmed and unsure of what to address first.
An effective vulnerability management program will enable you to prioritize mitigation according to criticality and exploitability within the timelines specified by the Essential Eight. But it will also enable you to prioritize according to risk by factoring in environment-specific considerations such as the asset’s importance to the business and the extent to which it could be accessed across the network.
An effective vulnerability management solution can continuously analyze severity, exploitability, business impact, and exposure using a dynamic security model to inform the assessment. This provides the team with prioritized risk scores that demonstrate the extent of compliance with the Essential Eight and are also tailored to the organization’s unique circumstances.
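The following added example (not code from the original post or from any vendor's product) illustrates the risk-based prioritization described above, and also the detector idea from the previous section: findings are checked against a threat-intelligence feed for in-the-wild exploitation, then scored using CVSS, exploitation status, the asset's exposure, and its business importance. The weighting is an assumption chosen for illustration, not the Essential Eight's or any product's formula; the inventory, findings and CVE placeholders are constructed.

```python
# Constructed asset inventory, as a CAASM model might expose it. Exposure flags come
# from the network model; business importance is a 1 (low) to 5 (critical) rating.
INVENTORY = {
    "web-01": {"business_importance": 3, "internet_facing": True, "partner_reachable": True},
    "db-01": {"business_importance": 5, "internet_facing": False, "partner_reachable": True},
    "kiosk-07": {"business_importance": 1, "internet_facing": False, "partner_reachable": False},
}

# Constructed de-duplicated findings (CVE identifiers are placeholders, not real CVEs).
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-EXAMPLE-0001", "cvss": 9.8},
    {"asset": "db-01", "cve": "CVE-EXAMPLE-0002", "cvss": 7.4},
    {"asset": "kiosk-07", "cve": "CVE-EXAMPLE-0001", "cvss": 9.8},
]

# Constructed threat-intel feed: CVEs currently reported as exploited in the wild.
INTEL_FEED = {"CVE-EXAMPLE-0002"}


def risk_score(finding, asset, exploited):
    """Illustrative weighting (an assumption): CVSS scaled by exploitation, exposure, importance."""
    score = finding["cvss"]
    if exploited:
        score *= 1.5  # active exploitation outweighs a higher but unexploited CVSS
    exposure = 1.0
    if asset["internet_facing"]:
        exposure += 0.5  # directly reachable from the internet
    elif asset["partner_reachable"]:
        exposure += 0.25  # reachable laterally, e.g. from a supply-chain partner network
    score *= exposure
    score *= asset["business_importance"] / 5  # down-weight low-value assets
    return score


def prioritize(findings, inventory, intel_feed):
    """Match findings against intel, score each against its asset, return highest risk first."""
    ranked = []
    for finding in findings:
        asset = inventory[finding["asset"]]
        exploited = finding["cve"] in intel_feed  # the detector step: inventory vs. intel
        ranked.append(dict(finding, exploited=exploited,
                           risk=risk_score(finding, asset, exploited)))
    return sorted(ranked, key=lambda f: -f["risk"])
```

Note how the exploited CVE on the business-critical database outranks the higher-CVSS finding on the kiosk, which is what criticality alone would have put first.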
Select the optimum mitigation
The recommendations specify that you should apply “patches, updates or vendor mitigations” for vulnerabilities within defined timeframes, such as within 48 hours of a patch’s release. This type of approach will be familiar to anyone who has had to enforce or comply with a Service Level Agreement (SLA) for patch management.
The problem is that while a patch is frequently the most effective way to mitigate the risk of a vulnerability, patching cycles can often be complex and protracted, sometimes involving key assets being taken offline for extended periods of time.
An effective vulnerability management program helps you address the potential latency in the patching cycle by suggesting alternative remediations – such as updates, vendor mitigations, or temporary fixes. By analyzing the dynamic security model, the solution can suggest remediations such as a version upgrade, a change to firewall access, or the application of an IPS signature – all alternative remediations that can be applied to mitigate the risk until a patch can be deployed.
Conclusion
Australia’s Essential Eight is one of a range of regulatory guidelines being introduced by governments worldwide to improve cyber resilience. In the US, the President’s Executive Order on Improving the Nation’s Cybersecurity specifies standardized vulnerability response procedures. In the EU, NIS2 specifies vulnerability management processes for critical industries across the union.
These regulations require organizations to reevaluate their positions and implement a structured vulnerability management program to address the challenges of protecting the modern attack surface.
Learn how Skybox can help you improve cyber resilience: