For many years, cybersecurity was an afterthought. "Core" business functions took center stage and security was not considered one of them. In fact, security was sometimes seen as an impediment to business, with security managers always cautioning against the use of new technology. However, times have changed.

If you're an Australian organization, you're probably in the process of implementing the Essential Eight: The cybersecurity framework created by the Australian Cyber Security Centre (ACSC). The Essential Eight requires you to determine your risk exposure level and gives you a maturity model to adhere to. Called the Essential Eight Maturity Model, which provides four levels of security maturity, starting from zero to three.

This two-part blog series explores the assessment procedure used to check if an organization has effectively implemented the Essential Eight mitigation strategies. It delves into how an organization can achieve their target maturity level.

[We recommend you glance through the first part of the blog series before reading this one. Click here to get a brief introduction to the topics mentioned above.]

This blog will explore the following topics:

Let us start with assessing whether you are indeed at level zero.

Are you at Maturity Level Zero?

Any organization that does not meet the security requirements of Maturity Level One, falls under Maturity Level Zero.

You likely belong to Maturity Level Zero if:

  • You haven't implemented proper security measures which has led to weaknesses in your network.
  • These weaknesses can lead to the confidentiality, integrity, and availability of your data being compromised.
  • You have common loopholes that can be easily exploited using publicly available tools and tradecraft.
  • It is easy for a bad actor to escape detection and gain access to systems or change system configurations by using administrative tools.

While this may not paint a pretty picture of your cybersecurity posture, it is best to assess where you stand, so you can recognize and tackle these risks head on. The ACSC's Essential Eight Maturity Model prescribes some basic measures you can adopt to ensure your organization takes the first step towards reaching Maturity Level One across all eight mitigation strategies.

Let's see how you can reach your nearest target maturity level and get accredited as such.

Reaching Maturity Level One using a SIEM solution

We recommend that you read our blog or download our free e-book on the Essential Eight before we explore the security controls that need to be implemented for each mitigation strategy. The table below briefly illustrates some of the security requirements to pass the assessment procedure for each control under the first mitigation strategy: Application Control.

Reaching your target maturity level: Level One

Mitigation Strategy Security control Security requirements for the assessment procedure How a SIEM can help you implement this
Application Control The execution of:
  • Executables
  • Software libraries
  • Scripts
  • Installers
  • Compiled HTML
  • HTML application
  • Control panel applets

is prevented on workstations from standard user profiles and temporary folders used by the operating system, web browsers, and email clients.

There are three ways assessors can test whether the control has been effectively implemented, according to the system owner's security policies and the kind of assessment tools that can be used.

  1. Using free and paid third-party tools: Assessors will attempt to write to and execute from all locations that user can access in the file system. They can use free or paid third-party tools to execute this.

  2. Using Microsoft tools alone: If the system owner is particular about using Microsoft tools, assessors can get the list of folder permissions through the SysInternal AccessChk command and the "whoami/groups" command. The latter helps determine the groups the user belongs to, in order to determine the effective permissions for each path.

  3. Without using tools: Assessors will ask for screenshots of effective access permissions along with screenshots of key paths.

SIEM solutions come with built-in security reporting modules which give analysts all the required information at one glance. Several vendors offer custom reports for compliance management. For example, Log360, ManageEngine's SIEM solution offers users the option of creating a customized compliance report.

Also, out-of-the-box reports, such as the ones listed below, can help you look out for and identify changes that can prevent the listed executions, detect file modifications, permission, and policy changes.

These include:

  • File monitoring
  • MITRE ATT&CK-based reporting
  • File integrity monitoring
  • Process tracking reports

A more detailed explanation of each report and how it can help effectively implement the security control is given below.

Here's how the reporting feature of a comprehensive SIEM solution can help you comply with the security requirements of Essential Eight's first maturity level:

1. File activity monitoring reports

About the report: The file activity monitoring reports in a SIEM solution give analysts a comprehensive audit of all the files shared on the network. They provide information about the modifications, creations, and deletions of files. There are also reports on renamed files, any permission changes made and top file operations that have been carried out, segregated based on users, devices, and files for easier reference. These reports provide granular information about the type of change that has occurred, who has instigated it, the name of the file or folder that has been modified, and the time and date the change occurred.

How it helps implement the control: This report can help keep track of changes occurring in any temporary folders, unusual permission changes, or any other suspicious activity that could signal the execution of a malicious script.

Figure 1: File Monitoring reports in Log360, ManageEngine's comprehensive SIEM solution Figure 1: File Monitoring reports in Log360, ManageEngine's comprehensive SIEM solution

2. MITRE ATT&CK-based reports

About the report: A SIEM solution integrates with the MITRE ATT&CK framework to help security personnel spot adversaries, classify attacks, and single out attack tactics and techniques. The reports are classified according to the different tactics, techniques, and sub-techniques. There are separate reports to address threats classified under different sub-techniques, with each report looking out for IoCs specific to that threat.

How it helps implement the control: The MITRE ATT&CK framework extensively covers the techniques used by cybercriminals to carry out malicious executions, along with the activities that need to be tracked by security teams to detect them. A SIEM solution, like Log360, is integrated with the framework and produces specific reports for each of these techniques. Log360 offers security administrators a categorized and ready to be analyzed view of all executions that could lead to malicious activity. This feature will go a long way in spotting executions, scripts, installers, HTML applications, or control panel applets that are uncalled for and identify the user profile and workstation they were carried out from.

Figure 2: MITRE ATT&CK reports in Log360, ManageEngine's comprehensive SIEM solution Figure 2: MITRE ATT&CK reports in Log360, ManageEngine's comprehensive SIEM solution

3. File integrity monitoring

About the report: File integrity monitoring (FIM) reports help track any changes made to files or folders in workstations or devices in the network. Security admins and analysts can get detailed information about all file or folder changes including files or folders created, modified, deleted, moved, or renamed. There are specific reports that list out all folder permission changes, audit setting changes, folder owner changes, files or folders copy and pasted, and failed attempts to write or delete files.

How it helps implement the control: FIM reports can help monitor all files and folders for even the smallest of changes. Admins can set up alerts to be notified of any modifications. They can also create and schedule custom reports according to the compliance requirements of the Essential Eight framework for their target maturity level.

Figure 3: File integrity monitoring reports in Log360, ManageEngine's comprehensive SIEM solution Figure 3: File integrity monitoring reports in Log360, ManageEngine's comprehensive SIEM solution

4. Tracking processes and executions

About the report: Process tracking reports can help identify malicious executions, suspicious services, tasks, or processes. Each of the reports tracks information from Windows security logs and displays key data about the kind of process that has been executed, who instigated it, and when and where it was executed. There are other specific reports to track:

  • Services installed, started, stopped, and failed.
  • Startup type modified.
  • Creation, deletion, and modification of scheduled tasks.
  • New process creations and exits.

How it helps implement the control: These reports provide granularity into the kind of processes and services that are happening in the network. Analysts can get the complete picture of who instigated the process, the execution path, and when it took place with these insights. This can help them track the activity and recognize whether it must be examined further or not.

Figure 4: Process tracking reports in Log360, ManageEngine's comprehensive SIEM solution Figure 4: Process tracking reports in Log360, ManageEngine's comprehensive SIEM solution

Apart from these, a SIEM tool also offers users the ability to:

  • Create custom compliance reports to track activity according to their needs.
  • Customize their dashboard with the widgets of their choice.
  • Schedule reports at customized intervals.

Administrators can use these features to create reports that match the security requirements of the maturity level they are trying to reach, customize their dashboard so they can spot these at a glance, and schedule them at customized intervals to help with the documentation process for security audits.

To learn more about Log360, ManageEngine's SIEM solution, and how it can help you reach your target maturity levels, sign up for a free personalized demo with our product experts: https://www.manageengine.com/log-management/log360-demo-request-page.html

×
  • Please enter a business email id
     
  • By clicking 'Read the ebook', you agree to processing of personal data according to the Privacy Policy

Get the latest content delivered
right to your inbox!

Thank you for subscribing.

You will receive regular updates on the latest news on cybersecurity.

  • Please enter a business email id
  •  
  •  
    By clicking on Keep me Updated you agree to processing of personal data according to the Privacy Policy.

Expert Talks

     
 

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.