IT AND SECURITY SOFTWARE ADVICE AND BEST PRACTICES

Application Control: Why It’s Essential for Every Australian Business

BY PROFESSIONAL ADVANTAGE - 5 MINS READ

The Australian Signals Directorate (ASD) updated its Essential Eight Maturity Model in November 2023, introducing tighter controls and clearer expectations for Australian organisations. One of the most important, and often misunderstood, strategies in that framework is Application Control.

If your business has been hearing about the Essential Eight but is not sure where to start, or if you implemented Application Control years ago and have not revisited it since, this blog is for you.

What is Application Control?

The Australian Cyber Security Centre (ACSC) defines Application Control as one of its Essential Eight strategies designed to prevent malicious code from executing on your systems.

It works by defining a list of approved, trusted applications that are permitted to run in your environment. Anything not on that list, including malware, unauthorised software, or any unapproved executable, is automatically blocked from running.

Previously known as "Application Whitelisting," the ACSC officially updated the terminology to "Application Control" to better reflect the broader, more nuanced approach required in today's threat environment. The concept is the same, but the implementation requirements have evolved significantly.

Application Control vs Blacklisting: What’s the difference?

A common question is how Application Control differs from blacklisting, which is another widely used approach.

Blacklisting involves maintaining a list of known bad applications or software you want to block. It works reasonably well when you are aware of specific threats, but it has a critical weakness: it is inherently reactive. You can only block what you already know about.

Application Control is the opposite approach. It is proactive. Rather than chasing every new threat, you define what is trusted and block everything else by default. This makes it significantly more effective against zero-day threats and novel attack vectors, for which no signatures or known patterns exist yet.

Why does Application Control remain #1 in the Essential Eight?

The costs of a cybersecurity breach extend well beyond the immediate technical response. Under Australia's Notifiable Data Breaches (NDB) scheme and the Privacy Act, organisations face significant regulatory obligations and potential penalties when personal data is compromised. Add to that the reputational damage, loss of client trust, and operational disruption, and the case for prevention becomes undeniable.

Here is why Application Control sits at the top of the Essential Eight:

  1. It allows only trusted applications to run.
    Employees, even well-intentioned ones, sometimes install unauthorised software, tools they believe will help them do their jobs faster or better. Unfortunately, those applications can introduce malware into your environment. Application Control eliminates that risk by ensuring only pre-approved software can execute, regardless of how it arrives on a device.
  2. It protects against zero-day attacks.
    Cyber threats evolve faster than security patches. There is always a window between when a new vulnerability is discovered and when a fix becomes available. Because Application Control does not rely on known threat signatures, it provides a strong defence against zero-day exploits, attacks that target previously unknown vulnerabilities.
  3. It reduces the cost and complexity of recovery.
    Security incidents are expensive. Recovery from a ransomware attack, for example, can take days or weeks and involve significant IT effort, legal fees, and business disruption. Application Control directly reduces the likelihood of these incidents occurring in the first place, translating to meaningful reductions in IT workload and total cost of ownership (TCO).
  4. It addresses “Living Off The Land” techniques.
    A key driver behind the 2023 Essential Eight updates was the rise of Living Off the Land (LotL) attacks, where malicious actors exploit legitimate, built-in system tools (such as PowerShell or Windows Management Instrumentation) rather than deploying custom malware. Application Control, when properly implemented with up-to-date rulesets, limits the effectiveness of these techniques.

What changed in the 2023 Essential Eight update?

The November 2023 revision to the Essential Eight Maturity Model introduced several important changes to Application Control requirements:

Annual ruleset reviews are now required at Maturity Level 2.
Previously, annual reviews of application control rulesets were mandated only at Maturity Level 3. The 2023 update moves this requirement to Maturity Level 2, meaning more organisations are now expected to actively maintain and regularly review their approved application lists rather than treating them as set-and-forget.

Microsoft's recommended application blocklist at Maturity Level 2.
Implementing Microsoft's recommended application blocklist is now a Maturity Level 2 requirement. This blocklist targets known-abused and vulnerable applications and executables, providing an additional layer of protection against LotL attacks and commonly exploited tools.
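The difference between blacklisting, default-deny Application Control, and Application Control with a blocklist layered on top can be seen in a small model. This is an added example, not code from the ACSC, Microsoft, or any product; the publishers, file names, paths, and shortened digests are constructed, and `signed_dev_tool.exe` is a hypothetical stand-in for a blocklist entry.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Execution:
    path: str
    publisher: Optional[str]  # verified code-signing publisher, None if unsigned
    sha256: str               # shortened, constructed digest

# Constructed policy data (hypothetical names and digests).
KNOWN_BAD_HASHES = {"bad0"}            # everything a blacklist knows about
ALLOW_PUBLISHERS = {"Example OS Vendor", "Example Accounting Pty Ltd"}
ALLOW_HASHES = {"aa11"}                # in-house tool approved by hash
DENY_NAMES = {"signed_dev_tool.exe"}   # stand-in for a blocklist entry

def blacklist_only(e: Execution) -> str:
    """Reactive model: default allow, block only known-bad hashes."""
    return "block" if e.sha256 in KNOWN_BAD_HASHES else "allow"

def application_control(e: Execution, use_blocklist: bool = True) -> str:
    """Proactive model: explicit deny first, then allow rules, else default deny."""
    # Simplification: a production ruleset would not trust a renameable file name alone.
    name = e.path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if use_blocklist and name in DENY_NAMES:
        return "block"
    if e.sha256 in ALLOW_HASHES or e.publisher in ALLOW_PUBLISHERS:
        return "allow"
    return "block"

# Constructed execution events.
EVENTS = {
    "known malware": Execution(r"C:\Users\sam\AppData\old.exe", None, "bad0"),
    "novel unsigned binary": Execution(r"C:\Users\sam\Downloads\helper.exe", None, "0f3c"),
    "approved accounting app": Execution(r"C:\Program Files\Acct\acct.exe",
                                         "Example Accounting Pty Ltd", "b2c3"),
    "in-house tool": Execution(r"C:\Tools\report.exe", None, "aa11"),
    "abusable signed tool": Execution(r"C:\Tools\signed_dev_tool.exe",
                                      "Example OS Vendor", "c3d4"),
}

def compare() -> dict:
    """Verdicts per event: (blacklist, allowlist only, allowlist + blocklist)."""
    return {label: (blacklist_only(e),
                    application_control(e, use_blocklist=False),
                    application_control(e, use_blocklist=True))
            for label, e in EVENTS.items()}

if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(f"{label:26} {verdicts}")
```

The novel unsigned binary passes the blacklist but is stopped by default deny, while the signed tool from a trusted publisher is stopped only once the blocklist is evaluated ahead of the allow rules.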

Broader framework tightening.
The 2023 update also tightened controls across the rest of the Essential Eight in ways that complement Application Control:

  • Multi-Factor Authentication (MFA):
    Now mandatory for all users with privileged access, with a requirement for phishing-resistant MFA methods at higher maturity levels.
  • Patch Applications:
    Critical vulnerabilities must now be remediated within 48 hours across all maturity levels, down from more lenient timelines in previous versions.
  • Restrict Administrative Privileges:
    Now mandatory, not just highly recommended.
  • Microsoft Office Macro Settings:
    Macros are now disabled by default unless specifically enabled, reducing the macro-based malware attack surface.

These changes reflect a broader shift in the framework: the Essential Eight is no longer a static checklist. It is a living model that requires continuous review, testing, and improvement.

Assess your organisation's security posture

When did you last assess your organisation's Essential Eight maturity level? The 2023 update significantly raised the bar. Organisations that previously met Maturity Level 2 may find themselves reassessing following the tighter requirements.

A regular, independent security assessment gives you a clear picture of where your organisation stands in the current threat landscape and the steps needed to close the gaps. In our experience, most breaches are preventable, and the most common root cause is a lack of ongoing attention to evolving security requirements.

Application Control is the first strategy in the Essential Eight for good reason. If you are unsure whether your current implementation aligns with the 2023 updates, or if you have not started yet, we recommend scheduling a security consultation with one of our specialists. Book your commitment-free consultation today!
