Implementing Essential Eight controls with Devicie
With most enterprises now adopting some form of remote work arrangements, the need and demand for robust security to protect employee devices has never been greater.
In the face of rising cybercrime and evolving cybercriminal tactics, end-user devices are often the most vulnerable and where the vast majority of successful cybercrime attacks, including ransomware, currently happen.
In fact, according to IDC, 70 per cent of security threats originate from end-user devices.
The Essential Eight Maturity Model from the Australian Cyber Security Centre (ASCS) is one of the strongest forms of cyber defence organisations can leverage in their fight against cybercrime.
Yet despite its importance, many organisations and agencies struggle to implement the Essential Eight controls effectively.
The Attorney General’s Department has confirmed its intention to mandate all Essential Eight controls for public sector entities. This came after a 2020 parliamentary committee report found that no federal government entity had implemented the mandated controls.
Additionally, in November 2021 the Audit Office of NSW found none of NSW’s lead cluster agencies had implemented all Essential Eight controls.
While many agencies and organisations have fallen behind in building necessary cyber resilience, innovation in cloud-native technology and automation means implementing defence in depth across end-user devices (in line with the Essential Eight) is now much easier to do.
How Devicie automates Essential Eight controls
Devicie enables organisations, large and small, to quickly automate hundreds of security controls on end-user devices, in line with best practice frameworks, including the ASD Essential Eight.
In this blog, I have outlined how Devicie assists organisations in meeting maturity levels 1, 2 and 3 across each of the Essential Eight security controls on end-user devices.
1. Application controls
Devicie can control the execution of applications and components on workstations through Windows Defender Application Control and AppLocker.
Devicie can also provide basic risk assessment guidance on new application requests and on the back-catalogue applications.
Through these technologies, Devicie can help organisations achieve levels 1 through 3 on the employee endpoints.
2. Patch applications
Devicie provides patches for applications available through Microsoft Intune within 24-48 hours of release and enforces updates on a standard 30/60/90 day cycle.
Devicie can tailor release of patches and updates to suit the Essential Eight two-week cycle for third party applications, meeting the level 2 requirements for workstations.
Devicie can expedite urgent patches through the Intune ecosystem as required in 8-24 hours.
3. Configure Microsoft Office macro settings
Devicie can control Microsoft Office macros at the user and machine level and enforces these controls at the end-user device.
Through management of the native Office defences, Devicie enables organisations to achieve level 3 maturity
4. User application hardening
Devicie can enforce browser, office and third party software configurations and settings where available.
Devicie can deny-list and remove deprecated or risky applications, such as IE11 and PowerShell 2.0, achieving level 3 requirements.
Additional software security controls can also be applied for key applications such as Acrobat Reader.
Devicie can provide the appropriate intel feeds to support the SOC in alerting and acting on possible violations and attacks.
Devicie can support all of the controls one end-user devices to level 3 maturity for organisations that require them.
5. Restrict administrative privileges
Devicie provides and enforces controls over local administration access to end-user devices.
Users are not provided with admin credentials by default.
Local default admin accounts are renamed and disabled. A centrally-controlled local admin account is created.
Customers can add privileged users to a specific group which enables them to elevate to local admin.
Devicie can establish secondary privileged accounts as local admin users. These users are managed by customers through their AAD.
Through these controls, Devicie can help organisation configure their administrative access to end-user devices in line with maturity levels 1 to 3.
6. Patch operating systems maturity
Devicie makes patches for the operating systems available through Intune within 24-48 hours of release and enforces updates on a standard 30/60/90 day cycle.
As with the application updates, Devicie can tailor release of patches and updates to suit the Essential Eight 2-week cycle, meeting the level 2 requirements for end-user devices.
Devicie can enforce migration to latest operating system releases within required time windows and provides a pilot programme over the first 14 days of release to achieve this.
Devicie only deploys supported operating systems, ensuring compliance with the level 3 requirement.
7. Multi-factor authentication maturity
This is largely out of scope for Devicie, as it is focussed at the workstation for devices accessed through AAD accounts, and therefore cannot enforce meaningful controls over MFA ASD8 requirements.
However, with additional Intune API rights, Devicie can monitor and report on MFA status across user accounts.
This auditing and logging, and associated visualisations, is pivotal for organisations to achieve level 1 to 3 maturities.
8. Regular backups maturity
Devicie ensures user data is located on cloud storage, such as OneDrive, and as a result, it subject to the versioning controls and backups inherent to the services.
Software and configuration are packaged within Devicie, allowing for the rapid rebuild of workstations and their return to a ‘known good’ state in the event of a failure or other loss of integrity or data.
This supports the persistence of data, and restoration of end-user devices and configurations, assisting organisations with their data recovery and business continuity strategies and solution, key aspects of successfully implementing regular and reliable backups to meet maturity levels 1 to 3.
Devicie prides itself on harnessing the power of cloud-native technology and automation to enable organisations to apply defence in depth controls across their end-user device fleet. If you’d like to know more, and to see some sample dashboards, be sure to download our Essential Eight Capabilities Statement.