The Australian Cyber Security Centre’s (ACSC) Essential 8 framework is a set of cybersecurity mitigation strategies designed to help organizations protect themselves from cyber threats. This is the first post in a blog series discussing how organizations licensed for Microsoft 365 Business Premium can use its suite of tools to meet these requirements effectively. It also covers recommended supplementary solutions for fully meeting Essential 8 requirements, which are also used as part of databl’s DISP and Essential 8-aligned Managed Service offerings.
To kick things off, the first section in the framework is Patch Applications, which emphasises timely updates and patch management for applications to mitigate vulnerabilities.
Patch Applications Requirements Under Essential 8
Key Controls:
- Automated Asset Discovery (ISM-1807): Regular identification of assets to ensure all applications are known and managed.
- Vulnerability Scanning (ISM-1808): Use an up-to-date vulnerability scanner for applications.
- Critical Vulnerabilities Patching (ISM-1876): Apply patches for critical vulnerabilities within 48 hours of release.
- Non-Critical Vulnerabilities Patching (ISM-1690): Apply patches for non-critical vulnerabilities within two weeks.
- Unsupported Applications Removal (ISM-1905): Remove applications no longer supported by vendors.
- Automated Validation of Patch Success (ISM-1809): Ensure that patches are deployed successfully.
Summary Table: E8 Controls Mapped to ISM Controls – Patch Applications
(Refer to the ISM Guidelines for detailed information.)
E8 Levels | ISM Control | Description |
---|---|---|
1, 2, 3 | ISM-1807 | An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities. |
1, 2, 3 | ISM-1808 | A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities. |
1, 2, 3 | ISM-1698 | A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services. |
1, 2, 3 | ISM-1699 | A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products. |
1, 2, 3 | ISM-1876 | Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. |
1, 2, 3 | ISM-1690 | Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist. |
1, 2, 3 | ISM-1691 | Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release. |
1, 2, 3 | ISM-1905 | Online services that are no longer supported by vendors are removed. |
1, 2, 3 | ISM-1704 | Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed. |
2, 3 | ISM-1906 | Office productivity suites, web browsers and their extensions are configured to restrict non-secure protocols. |
3 | ISM-1907 | Office productivity suites and web browsers validate digital signatures before executing code. |
3 | ISM-1809 | Automated validation of patches ensures successful deployments within the environment. |
How Microsoft 365 Business Premium Addresses These Controls
1. Automated Asset Discovery (ISM-1807)
Microsoft 365 Business Premium includes tools to help organizations maintain visibility into their assets:
- Microsoft Defender for Endpoint – Asset Inventory: Automatically discovers and catalogs devices in your environment, providing real-time inventory of endpoints and applications.
- Microsoft Intune Device Management: Manages and tracks devices enrolled in your organization, ensuring all assets are accounted for.
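As an added example (not from the original post or from databl), the following Defender for Endpoint advanced hunting query supports the fortnightly check in ISM-1807: it lists every device seen in the last 14 days, grouped by onboarding status, so discovered-but-not-onboarded devices that would otherwise be missed by vulnerability scanning stand out. It assumes advanced hunting is licensed (Defender for Endpoint Plan 2; Defender for Business alone is assumed not to expose it) and uses the DeviceInfo schema as documented by Microsoft.

```kql
// Added example: fortnightly asset discovery check for ISM-1807.
// Assumes Defender for Endpoint Plan 2 advanced hunting is available.
DeviceInfo
| where Timestamp > ago(14d)
// Keep only the most recent record per device
| summarize arg_max(Timestamp, OnboardingStatus, OSPlatform, OSVersion, DeviceType) by DeviceId, DeviceName
// "Onboarded" devices are scanned; "Can be onboarded" / "Unsupported" are discovery gaps
| summarize DeviceCount = count(), SampleDevices = make_set(DeviceName, 10) by OnboardingStatus, OSPlatform, DeviceType
| order by OnboardingStatus asc, DeviceCount desc
```

Run this on a fortnightly schedule (for example as a custom detection or a scheduled export) and treat any rows with an OnboardingStatus other than "Onboarded" as the input to the unmanaged-device gap discussed later in this post.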
2. Vulnerability Scanning (ISM-1808)
Microsoft 365 includes capabilities for identifying vulnerabilities across applications:
- Microsoft Defender for Endpoint – Vulnerability Management: Continuously scans for vulnerabilities and provides actionable recommendations to address them.
- Azure Security Center – Vulnerability Assessment: Extends scanning capabilities to Azure-hosted workloads and hybrid environments.
3. Critical Vulnerabilities Patching (ISM-1876)
Microsoft 365 enables fast-tracked deployment of critical patches:
- Windows Update for Business: Automates the deployment of critical updates to ensure timely patching.
- Intune Update Rings: Allows organizations to prioritise and fast-track critical updates within 48 hours.
- Microsoft Autopatch: Automatically deploys critical updates across Windows devices and Microsoft 365 apps.
4. Non-Critical Vulnerabilities Patching (ISM-1690)
For non-critical vulnerabilities, Microsoft 365 ensures compliance within the two-week timeframe:
- Intune Compliance Policies: Define update timelines and enforce policies to ensure non-critical patches are deployed.
- Microsoft Defender for Endpoint – Patch Status Monitoring: Tracks and monitors devices for overdue patches, ensuring compliance with timelines.
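To show how the 48-hour (ISM-1876) and two-week (ISM-1690/ISM-1691) timeframes from sections 3 and 4 can be checked in one place, here is an added example query (not part of the original post or databl’s tooling) over the Defender for Endpoint vulnerability management tables. It joins each device’s open findings to the CVE knowledge base, assigns the timeframe using the same rule as the ISM controls (critical by vendor or a working exploit exists), and reports findings past their deadline. It assumes Defender for Endpoint Plan 2 advanced hunting and uses the DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB schemas as documented by Microsoft. One caveat: the tables expose the CVE publication date, not the vendor’s patch release date, so PublishedDate is used here as an approximation of when the clock starts.

```kql
// Added example: open findings bucketed into Essential 8 patching timeframes.
// Assumes Defender for Endpoint Plan 2 advanced hunting is available.
DeviceTvmSoftwareVulnerabilities
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate
  ) on CveId
// ISM-1876: critical by vendor OR working exploit -> 48 hours
// ISM-1690 / ISM-1691: non-critical and no exploit -> two weeks
| extend FastTrack = (VulnerabilitySeverityLevel == "Critical" or IsExploitAvailable == true)
| extend Timeframe = iff(FastTrack, "48h (ISM-1876)", "2 weeks (ISM-1690/1691)")
// PublishedDate approximates patch release; substitute vendor release data if available
| extend Deadline = iff(FastTrack, PublishedDate + 48h, PublishedDate + 14d)
| where now() > Deadline
| summarize
    Devices = dcount(DeviceId),
    SampleDevices = make_set(DeviceName, 10),
    Updates = make_set(RecommendedSecurityUpdate, 5)
  by CveId, SoftwareVendor, SoftwareName, VulnerabilitySeverityLevel, IsExploitAvailable, Timeframe, Deadline
| order by Timeframe asc, Deadline asc
```

Rows in the "48h" bucket are the ones an Intune update ring or Autopatch expedited deployment should be targeting first; the two-week bucket is what the compliance policies in section 4 should be keeping empty.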
5. Unsupported Applications Removal (ISM-1905)
To address unsupported applications:
- Microsoft Defender for Endpoint: Detects and flags unsupported applications, recommending their removal.
- Intune App Protection and Configuration: Automates the removal of unauthorised or unsupported applications from devices.
- Azure AD Conditional Access: Blocks access for devices running unsupported software.
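As an added example (not from the original post or from databl), this advanced hunting query turns the "detects and flags unsupported applications" capability above into a concrete list for ISM-1905 and ISM-1704: every software version that Defender for Endpoint marks as end-of-support, or approaching it, with the devices still running it. It assumes Defender for Endpoint Plan 2 advanced hunting and the DeviceTvmSoftwareInventory schema as documented by Microsoft, including its EndOfSupportStatus values.

```kql
// Added example: unsupported software still present in the fleet (ISM-1905 / ISM-1704).
// Assumes Defender for Endpoint Plan 2 advanced hunting is available.
DeviceTvmSoftwareInventory
// "None" means still supported; other values are EOS / upcoming EOS for the version or product
| where isnotempty(EndOfSupportStatus) and EndOfSupportStatus != "None"
| summarize
    Devices = dcount(DeviceId),
    SampleDevices = make_set(DeviceName, 5)
  by SoftwareVendor, SoftwareName, SoftwareVersion, EndOfSupportStatus, EndOfSupportDate
| order by EndOfSupportDate asc, Devices desc
```

Software already past its EndOfSupportDate is the removal backlog for the control; the "Upcoming" rows give lead time to plan replacements before they become findings.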
6. Automated Validation of Patch Success (ISM-1809)
Ensuring patches are applied successfully is critical:
- Intune Reporting and Analytics: Tracks patch deployment status across managed devices and generates compliance reports.
- Microsoft Defender for Endpoint – Advanced Reporting: Provides real-time monitoring of patching status and flags incomplete updates.
- Power BI Integration with Defender: Allows advanced reporting and validation of patch success through custom dashboards.
Addressing Gaps with Microsoft 365 Business Premium
While Microsoft 365 Business Premium provides robust capabilities for managing patch applications, there are certain gaps that organizations should address:
- Third-Party Applications:
- Microsoft tools focus on patching Microsoft products. Non-Microsoft applications may require additional solutions (e.g., Qualys, Tenable, or ManageEngine).
- Databl Recommendation: As a Tenable partner, Databl recommends leveraging Tenable.sc for comprehensive third-party application scanning.
- Legacy Devices:
- Unsupported operating systems (e.g., Windows 7) may not be fully managed by Microsoft 365.
- Solution: Replace legacy systems or use supplemental tools like CrowdStrike EDR.
- Unmanaged Devices:
- Devices not enrolled in Intune or Defender for Endpoint remain unaccounted for.
- Solution: Implement Network Access Control (NAC) tools (e.g., Cisco ISE) or enforce Conditional Access to block non-compliant devices.
- IoT and OT Devices:
- IoT and Operational Technology (OT) devices are often outside the scope of Microsoft 365 tools.
- Solution: Use specialised solutions like Claroty or Nozomi Networks for IoT/OT visibility and patching.
- Browser Plugin Vulnerabilities:
- Microsoft Defender for Business (included in Business Premium) does not detect vulnerabilities in browser extensions/plugins. Advanced vulnerability management, including browser plugin detection, requires an add-on like Microsoft Defender for Endpoint Plan 2.
- Solution: Upgrade to Defender for Endpoint Plan 2 or use tools such as Tenable.io or Qualys VMDR for comprehensive scanning and detection.
- Network Vulnerability Scanning:
- Microsoft 365 Business Premium does not include tools for scanning vulnerabilities in network assets (e.g., switches, routers, firewalls).
- Solution: Deploy a dedicated network-based vulnerability scanner such as Tenable.sc, Qualys VMDR, or Rapid7 InsightVM to ensure network assets are also protected.
- Databl Recommendation: As a Tenable partner, Databl recommends leveraging Tenable.sc for comprehensive network vulnerability scanning and compliance.
- Advanced Reporting:
- Built-in reporting may not meet complex compliance requirements.
- Solution: Use Power BI or Microsoft Sentinel for more advanced analytics and reporting.
- Databl Recommendation: As SIEM experts specialising in both Microsoft Sentinel and Splunk, Databl recommends implementing a SIEM solution.
Maximizing Microsoft 365 Business Premium for Patch Applications
To fully leverage Microsoft 365 Business Premium for Essential 8 compliance:
- Enable Microsoft Intune: Use Intune to manage devices, enforce update policies, and track compliance.
- Adopt Microsoft Defender for Endpoint: Gain detailed insights into vulnerabilities and patching status.
- Leverage Windows Autopatch: Automate update deployment for Microsoft products.
- Integrate Third-Party Tools: Extend patch management to non-Microsoft applications and devices.
- Deploy Network Scanning Tools: Use Tenable.sc or other network-based scanners for comprehensive coverage.
- Use Conditional Access: Block access for devices that do not meet compliance standards.
- Implement Advanced Reporting: Use Power BI or Sentinel to monitor and validate patching activities.
Additional resources
https://blueprint.asd.gov.au/security-and-governance/essential-eight/patch-applications/
https://learn.microsoft.com/en-us/compliance/anz/e8-patch-app
Conclusion
Microsoft 365 Business Premium offers powerful tools to meet the Essential 8 requirements for patch applications. By leveraging its capabilities—and addressing potential gaps with supplementary solutions—organizations can create a comprehensive patch management strategy that protects against vulnerabilities and enhances their overall cybersecurity posture.
Are you ready to take your Essential 8 compliance to the next level? Reach out to learn more about how Microsoft 365 Business Premium can help secure your business.