What is the Essential Eight Framework?
In November 2023 the Australian National Cyber Strategy was updated to reflect the strategic move from a “defend” to a “prepare” strategy. This strategic change applies to all industry and government agencies in Australia. To help with this transition, the Australian Signals Directorate (ASD) developed the “Essential 8” compliance framework as an important component of this national cybersecurity strategy shift. It is designed to help organisations measure the maturity of their cybersecurity and risk programs. The Essential 8 has 148 controls that roll into 8 key fundamental technology areas to define compliance standards.
The Essential 8 integration & visibility challenge
Microsoft had a heavy hand in influencing the Essential 8, and although not explicitly stated, many controls are mapped to Microsoft technologies. This is not a bad thing or a dig at Microsoft; I give them credit for their influence. But the reality is that not every government or enterprise has Microsoft products. For them, implementing the Essential 8 has several challenges.
Continuous compliance reporting
Efficiently implementing easy-to-understand Essential 8 reporting for distributed environments can be quite challenging. Organisations need to be able to report on both point-in-time risk posture and real-time statuses relative to the Essential 8 framework. Vendor-agnostic security automation solutions, like Swimlane Turbine, can help solve this compliance reporting challenge.
Real-time dashboards for the Essential 8
Expanding on the compliance challenge, Australian organisations also need real-time dashboards that can establish a baseline understanding of their security posture relative to the Essential 8. There are two fundamental ways to populate a multi-factor dashboard like this.
- Integration and ingestion – Integrate all systems and ingest the telemetry necessary to report against the Essential 8 controls and maturity framework.
- Assessment – Create an automated assessment that acts as an environmental scale to examine your organisation’s Essential 8 risk posture. The answers to the assessment questions are then used to populate the dashboard.
Behind the scenes of the Swimlane Essential 8 dashboard
We examined both of these methods when we built Swimlane’s Essential 8 dashboard for our Australian customers. Check out this demo video from my friend and colleague, Gavin Coulthard, to see the final outcome. If you’re curious, keep reading this blog to hear more perspectives and lessons learned along the way.
There are pros and cons to both the integration and assessment methods of building dashboards. We opted to use the assessment method to establish a quick Essential 8 baseline report. This custom assessment can scan internal tools and third parties to capture information from the existing technology stack and human-insight-based questions. Turbine’s ability to ingest and interpret documentation made this assessment process a great option for us. This initial audit takes a couple of days, and results in an audit trail complete with empirical evidence regarding Essential 8 framework maturity.
From the Essential 8 to multi-compliance frameworks
The complexity of compliance automation and visibility challenges do not end with the Essential 8. Many enterprises and MSSPs need to comply with multiple compliance frameworks. As automation solutions providers, our next challenge was to provide customers with a central system of record for all of their compliance frameworks. Our goal was to deliver a solution where customers could have all controls across multiple frameworks in one location. This required the ability to understand and audit each control relative to its unique framework lifecycle.
So we have the challenge clear in our minds, the reference source, and we are ready to build it out. I’m not the technical whiz in this story; that is my Architect, Gavin Coulthard. He leveraged pre-built reporting from our CISO, who has built his own environment to manage his NIST compliance, and in about 2 weeks the multi-compliance automation solution was built.
What makes the Swimlane multi-compliance automation solution unique?
That sounds pretty good and it is, but it’s not that simple. There is an obvious question for anyone reading this who has depth of experience in this area: aren’t there already products that do this?
The answer to that is yes and no.
- Yes – Specific compliance management products exist. Nearly all have what I would call a compliance sweet spot, because they have evolved from what can best be described as a specific industry compliance. These products are highly specialized and designed for industries where regulatory legislation mandated such adoption. A classic example is financial services, where parts of the industry are highly regulated and compliance is a tool used to enforce such legislation.
- No – Most solutions do not look to bring all compliance frameworks or telemetry sources together into a unified view. This very challenge of integrating, correlating and streamlining complexity is precisely Swimlane’s strength. Flexibility and a highly composable user interface are the two qualities that differentiate Swimlane Turbine from any other security automation solution. They are the reasons why Turbine can automate such a wide variety of use cases to deliver maximum ROI.
Compliance is here to stay, so automate it.
We are just at the beginning of this movement; the evolving regulatory landscape will only continue to increase overhead. The extraordinary thing about compliance is that, if embraced and managed, it’s also the key to organisational efficiency and success. In other words, what is considered on the surface as an overhead that needs to be done is the key to unlocking an organisation’s efficiency and potential.
The key to unlocking this potential is managing compliance in a fully integrated and unified manner. Security automation is the way to do it. To learn more about how this all works, request a demo at swimlane.com/demo