The Australian Signals Directorate's Essential Eight is the most widely adopted cyber security baseline in Australia, mandatory for Commonwealth entities at Maturity Level 3 and required at ML2 for DISP members and critical infrastructure operators. This guide maps every strategy across ML1, ML2, and ML3 to specific Zecurit Endpoint Manager capabilities.
The Essential Eight, first published by the Australian Signals Directorate in 2017 and updated most significantly in November 2023, is built differently from frameworks like ISO 27001 or NIST CSF. It was not constructed from theory or international consensus. It was assembled directly from ASD's own experience in threat intelligence, incident response, and penetration testing of Australian government and critical infrastructure systems.
The result is a framework that answers a specific question: which eight controls, applied together, stop the greatest proportion of the attacks that are actually happening to Australian organisations right now? The 2024-25 ASD Annual Cyber Threat Report recorded over 1,200 cyber security incidents (up 11% year on year), and Victorian Government analysis found that 84% of reported incidents could have been prevented or substantially reduced by implementing at least one Essential Eight control.
This guide maps every Essential Eight strategy across ML1, ML2, and ML3 to specific capabilities in Zecurit Endpoint Manager, so IT and security teams can see exactly where one platform moves the dial across multiple strategies at once.
Compliance targets vary by organisation type, but the framework applies broadly across Australian government and industry.
Each strategy is assessed independently. An organisation can be ML2 for patching and ML1 for application control simultaneously, but overall maturity is capped at the lowest-performing strategy.
- **Maturity Level 0**: The strategy is absent or so weak it provides no meaningful defence. Vulnerable to opportunistic automated attacks.
- **Maturity Level 1**: Protects against commodity threats using widely available tools. Basic controls exist but gaps remain. Critical vulnerabilities patched within 48 hours.
- **Maturity Level 2**: Protects against adversaries willing to invest time and effort. The mandated baseline for Australian Government and DISP members. Phishing-resistant MFA required.
- **Maturity Level 3**: Protects against sophisticated adversaries. 48-hour patching for all critical vulnerabilities, strict allowlisting, continuous monitoring across all environments.
Application control prevents the execution of unapproved or malicious software by only allowing explicitly approved applications, libraries, scripts, and installers to run on workstations and servers. It is the most technically challenging Essential Eight strategy to implement well, and one of the most effective at stopping ransomware and commodity malware.
Software Inventory discovers every installed application across the fleet in real time, forming the foundational catalogue from which an approved application list is built. Software Alerts notify IT teams instantly when any unauthorised or prohibited application is installed on any managed endpoint, and Software Deployment ensures only approved, centrally managed applications are pushed through a controlled process. Software Licence Management supports the 12-monthly allowlist review cycle by surfacing every installed application, version, and entitlement across the organisation.
Patching applications that interact with untrusted internet content, including web browsers, email clients, office suites, PDF readers, and security software, is a primary attack surface for adversaries. The November 2023 update significantly tightened the patching timelines across all maturity levels in response to ASD's analysis of actual exploit deployment speeds.
Patch Management continuously scans every managed endpoint for missing patches, ranking them by CVSS score and active exploit intelligence so critical vulnerabilities surface immediately. Automated deployment during configured maintenance windows means critical patches can reach every managed endpoint within hours of release, directly supporting the 48-hour ASD requirement at ML1 and ML3. Real-Time Patch Status Monitoring gives security teams a live view of unpatched endpoints across the entire fleet, and Patch Compliance Reports produce the dated, per-device evidence assessors need to verify patching timelines were met.
Vulnerability Management maps every installed application against the current CVE database, supporting the fortnightly vulnerability scanning cadence required at ML2 and ML3 and enabling the threat-intelligence-informed triage ASD expects for patch prioritisation decisions.
Malicious Office macros remain one of the most consistently used initial access techniques. Configuring macro settings centrally, rather than leaving them to user discretion, removes a significant attack vector from every workstation in the environment simultaneously.
Configuration Management deploys and enforces Windows group policy and registry settings across the entire fleet, including Microsoft Office macro settings, trusted locations, and hardening configurations based on both ASD and vendor guidance. Hardware and software change alerts detect the moment any configuration deviates from the approved baseline, enabling rapid remediation before an attacker can exploit the gap. Remote Script Execution can deploy Group Policy preferences, registry changes, and PowerShell logging configuration across thousands of endpoints simultaneously.
Web browsers, email clients, and other user-facing applications expose a large and constantly evolving attack surface. Hardening these applications by disabling unnecessary features, blocking web advertisements, and removing unsupported legacy plugins significantly reduces the attack surface without impacting legitimate business use.
Configuration Management deploys and enforces browser hardening settings, Office security configurations, and application-level security policies centrally across all managed endpoints, applying both ASD guidance and vendor-recommended settings simultaneously. Software Deployment can remove unapproved browser extensions or unsupported legacy plugins silently across the fleet. Software Inventory surfaces every installed browser extension and plugin for review, supporting the annual hardening review requirement at ML3.
Administrative privileges are the most valuable credential an attacker can obtain. Once privilege escalation is achieved, lateral movement, data exfiltration, and ransomware deployment become trivial. Restricting and governing administrative accounts is one of the highest-leverage controls in the entire framework.
Configuration Management's User and Group Management lets IT teams create, modify, and disable local administrator accounts remotely, enforce password policy, and audit every account change from a central console. Remote Access sessions are governed by role-based access controls requiring explicit session confirmation, with full session logging that captures every administrative action taken on a managed device. User Logon Reports surface access patterns across administrator accounts, supporting the 12-month revalidation cycle required at ML2 and the ongoing governance of break-glass account credentials at ML3.
Operating system vulnerabilities, particularly those enabling remote code execution without user interaction, represent some of the highest-severity risks on the CVE list. The November 2023 update aligned OS patching timelines with application patching, making 48-hour patching for critical OS vulnerabilities a requirement from ML1 upward.
Patch Management automates the full OS patch lifecycle across Windows endpoints from detection through deployment to compliance verification. CVSS-based prioritisation surfaces critical OS vulnerabilities immediately, with automated deployment during configured maintenance windows enabling the 48-hour patching requirement at ML1 and ML3 without manual intervention on every device. Windows Update Policy Management provides central control over update delivery, approval, and deferral. Vulnerability Management continuously maps OS versions against known CVEs, supporting the fortnightly scanning cadence required at ML2 and ML3. Hardware Inventory tracks OS version across every enrolled device, making it straightforward to identify any endpoint running an unsupported or end-of-life operating system.
MFA is the single most effective control for preventing account compromise from credential theft, phishing, and brute-force attacks. The November 2023 update raised the bar significantly: phishing-resistant MFA is now required from ML2, and workstation authentication must use phishing-resistant methods at ML2 and ML3.
Remote Access sessions in Zecurit require explicit session confirmation from the end user before any remote connection is granted, adding a verification layer beyond credential-based authentication for all remote management sessions. Configuration Management enforces Windows Hello for Business, smart card, and certificate-based authentication policies at the endpoint level, directly supporting phishing-resistant workstation authentication at ML2 and ML3. User and Group Management enforces password policy across all local accounts, reducing the value of any credential that does bypass MFA. User Logon Reports and Security Alerts provide the centralised audit logging of authentication events that ML2 and ML3 require.
Backups are the last line of defence when all other controls have failed. ASD's updated guidance emphasises prioritising backup content by business criticality rather than simply backing up "important data," and requires regular testing of restoration procedures, not just the existence of backups.
Hardware Inventory and Software Inventory maintain a continuously updated record of every device and its installed software and configuration, which is the foundational data needed to restore configuration settings after a ransomware or destructive attack. Configuration Management records approved configuration profiles centrally, enabling rapid reconfiguration of clean endpoints after an incident. Remote Script Execution can automate post-incident device rebuilding and configuration restoration across large fleets simultaneously. Access controls through User and Group Management restrict backup system access to authorised administrators only, supporting the ML2 and ML3 access restriction requirements.
The table below gives a consolidated view of which Essential Eight strategies Zecurit Endpoint Manager directly supports, and at which maturity levels. Strategies marked with a tick are core capabilities; those marked partial require supplementary tooling for full coverage.
| Essential Eight Strategy | Zecurit Capabilities | ML1 | ML2 | ML3 |
|---|---|---|---|---|
| S1: Application Control | Software Inventory, Software Alerts, Software Deployment | ✓ | ✓ | Partial |
| S2: Patch Applications | Patch Management, Vulnerability Management, CVSS Prioritisation, Patch Compliance Reports | ✓ | ✓ | ✓ |
| S3: Configure MS Office Macros | Configuration Management, Remote Script Execution, Change Alerts | ✓ | ✓ | ✓ |
| S4: User Application Hardening | Configuration Management, Software Deployment, Software Inventory | ✓ | ✓ | ✓ |
| S5: Restrict Admin Privileges | User and Group Management, Session Audit, User Logon Reports | ✓ | ✓ | Partial |
| S6: Patch Operating Systems | Patch Management, Vulnerability Management, Windows Update Policy, Hardware Inventory | ✓ | ✓ | ✓ |
| S7: Multi-Factor Authentication | Session Confirmation, Configuration Management, User Logon Reports | ✓ | Partial | Partial |
| S8: Regular Backups | Hardware Inventory, Configuration Management, Remote Script Execution | ✓ | ✓ | Partial |
The Essential Eight's weakest-link rule means that every gap in any one strategy caps your overall maturity, regardless of how well the other seven are implemented. For organisations trying to reach ML2 under DISP requirements or ML3 under PSPF obligations, closing gaps across multiple strategies simultaneously is what determines whether the programme succeeds or stalls.
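As an added illustration (not Zecurit's code or report output), the following Python evaluates the two rules this guide leans on: whether each critical patch on each device met the 48-hour timeline, producing the dated per-device rows an assessor would look for, and the weakest-link cap on overall maturity. The patch records, device names and CVE placeholders are constructed.

```python
from datetime import datetime, timedelta

SLA = timedelta(hours=48)  # 48-hour timeline for critical vulnerabilities

# Constructed sample patch-status records (not real Zecurit data).
# 'installed' is None when the device has not yet reported the patch.
RECORDS = [
    {"device": "WS-001", "vuln": "CVE-PLACEHOLDER-A", "severity": "critical",
     "released": "2025-03-01T09:00", "installed": "2025-03-02T14:00"},
    {"device": "WS-002", "vuln": "CVE-PLACEHOLDER-A", "severity": "critical",
     "released": "2025-03-01T09:00", "installed": "2025-03-04T08:00"},
    {"device": "WS-003", "vuln": "CVE-PLACEHOLDER-A", "severity": "critical",
     "released": "2025-03-01T09:00", "installed": None},
    {"device": "WS-003", "vuln": "CVE-PLACEHOLDER-B", "severity": "medium",
     "released": "2025-03-01T09:00", "installed": None},
]

def patch_sla_evidence(records, now_iso):
    """Per-device evidence rows for critical patches: hours elapsed from
    release to installation (or to 'now' if still missing) and whether the
    48-hour timeline was met. Non-critical records are not assessed here."""
    now = datetime.fromisoformat(now_iso)
    rows = []
    for r in records:
        if r["severity"] != "critical":
            continue
        released = datetime.fromisoformat(r["released"])
        deadline = released + SLA
        if r["installed"] is None:
            elapsed, met = now - released, now <= deadline
            status = "pending" if met else "overdue"
        else:
            installed = datetime.fromisoformat(r["installed"])
            elapsed, met = installed - released, installed <= deadline
            status = "met" if met else "late"
        rows.append({"device": r["device"], "vuln": r["vuln"],
                     "hours": round(elapsed.total_seconds() / 3600, 1),
                     "status": status, "met_48h": met})
    return rows

def overall_maturity(levels):
    """Weakest-link rule: overall maturity is the lowest strategy level.
    Returns that level and the strategies that impose the cap."""
    floor = min(levels.values())
    return floor, sorted(s for s, lv in levels.items() if lv == floor)
```

Calling `patch_sla_evidence(RECORDS, "2025-03-05T09:00")` flags WS-002 as late (71 hours) and WS-003 as overdue with the patch still missing, while `overall_maturity({"S1": 2, "S2": 3, "S5": 1, "S7": 1})` shows the fleet capped at ML1 by S5 and S7 despite ML3 patching.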
Patch Management and Vulnerability Management (Strategies 2 and 6) are where Zecurit Endpoint Manager delivers the most direct Essential Eight value: automated detection, CVSS-ranked prioritisation, and deployment within 48 hours for critical vulnerabilities, with Patch Compliance Reports that give assessors the dated, per-device evidence they need to verify ML1 through ML3 timelines were met.
Across Strategies 1, 3, 4, 5, and 8, Zecurit's software inventory, configuration management, access control, and remote scripting capabilities address the endpoint-level component of each requirement. This means a single deployment supports movement across the majority of the framework, rather than requiring one tool per strategy.
For Australian organisations building toward ML2 or ML3, the right starting point is a platform that closes multiple Essential Eight gaps at once, then fills in the remaining gaps with targeted complementary tooling. Zecurit Endpoint Manager is that starting point.
Zecurit develops cloud-based IT management solutions designed for modern IT teams. The Zecurit platform helps organisations manage endpoints, track assets, enforce security policies, and securely support distributed workforces through centralised, easy-to-use tools.
To learn more about Zecurit Endpoint Manager and how it supports your Essential Eight compliance programme, start a free 14-day trial or contact the Zecurit team.