Essential 8: Patch Applications & Patch Operating Systems

This Dashboard is in Beta and is not final. The Essential 8: Patch Applications & Patch Operating Systems Dashboard is designed to support organizations in implementing and monitoring the Essential Eight Strategies for mitigating cybersecurity risks. This comprehensive dashboard provides actionable insights into asset discovery, patch management, compliance, and exploitability to ensure a robust security posture across operating systems and applications.

The Australian Cyber Security Centre (ACSC) under the Australian Signals Directorate (ASD) provides guidance to address targeted cybersecurity intrusions through its Strategies to Mitigate Cyber Security Incidents. Among these, the Essential Eight describes the minimum set of preventative cybersecurity measures organizations should implement. This guidance, complemented by the Information Security Manual (ISM) controls, forms a robust framework to ensure the confidentiality, integrity, and availability of information technology and operational technology systems. This dashboard aligns with these controls to provide critical insights into the implementation of the Essential Eight.

The Tenable One Platform combines a suite of sensors to facilitate efficient vulnerability scanning, regardless of network complexity. By leveraging Tenable's capabilities, organizations can effectively discover, assess, and understand their attack surface, gaining comprehensive insights into exposure points. This is coupled with Exposure Response features that prioritize remediation efforts based on contextual risk. The dashboard includes critical features to highlight asset discovery, identify unsupported systems, monitor patch management timelines, track compliance rates, and classify exploitable vulnerabilities, ensuring comprehensive coverage of the Essential Eight.

To maximize relevance, organizations should leverage Dynamic Asset Lists. This ensures that the dashboard can be filtered to focus on data critical to implementing the Essential Eight. Tagging assets as Internet-facing or Non-Internet-facing enables differentiation for stricter service-level agreements (SLAs). For example, internet-facing systems require patching within 48 hours, while non-internet-facing systems have a longer patching window (e.g., two weeks). Asset tags, composed of Category:Value pairs (e.g., Connectivity:Internet-Facing), can be applied manually or automatically using filtering rules such as public IP ranges, open ports (e.g., 80, 443), or cloud metadata. This categorization simplifies monitoring and prioritization for Essential Eight compliance, ensuring that organizations address vulnerabilities in their most critical assets. Tagging by application risk level (e.g., High Risk, Low Risk) or system role further enhances visibility. For more details, refer to Tenable's Tagging Documentation.

This dashboard combines Tenable’s comprehensive vulnerability scanning, exposure insights, and asset prioritization with the ASD’s Essential Eight Strategies. By using the dashboard in conjunction with ISM controls and asset tagging, organizations can enhance their cybersecurity maturity, address vulnerabilities more effectively, and ensure compliance with Australia’s cybersecurity standards.

Components

• Operating System Patch Published Summary - The 'Operating System Patch Timeliness'  component displays a detailed distribution of patch release statuses for operating systems. The  component categorizes the number of systems with no patch available and systems with patches released at intervals of less than 7, 14, 21, or 28 days, as well as those released over 28 days ago. This  component enables organizations to assess the timeliness of patch deployment for operating systems, aiding in strategic patch management to ensure system security and compliance. 
• 2 Day Patch Mitigation Summary - The 2-Day Compliance Overview  component provides a detailed summary of vulnerability management within a two-day timeline. The  component categorizes vulnerabilities by their severity, Critical, High, and Medium and Low, and tracks their resolution status.The first row represents vulnerabilities that have been fixed within SLA. The second row represents vulnerabilities that have not been fixed, but is still within SLA therefore it acts as a sort of grace period row. The third row represents vulnerabilities that have been fixed outside of SLA. The last row represents vulnerabilities that have not been fixed and is currently outside SLA. This  component helps assess immediate remediation efforts and pinpoint gaps in vulnerability resolution.
• Understanding Risk - Remediation Opportunities - This table displays the top remediations for the network. For each remediation, the risk reduction for the network if the remediation is implemented is shown, along with the number of hosts affected. The table is sorted so that the highest risk reduction is at the top. Implementing the remediations will decrease the overall vulnerability of the network. Adding filters to the component, such as filtering on only critical severity vulnerabilities or filtering on a specific asset group, can narrow the focus of the component, giving remediation opportunities in specific areas.
• Application Patch Published Summary - The 'Application Patch Availability'  component provides a breakdown of patch release timelines for applications categorized by their patch availability status. The  component highlights the total count of applications with no patch available, as well as those with patches released within 7, 14, 21, or 28 days, and over 28 days ago. This data helps identify the urgency of addressing vulnerabilities in applications, prioritizing those with delayed or unavailable patches to mitigate security risks effectively.
• 2 Week Patch Mitigation Summary -  The 2-Week Compliance Overview  component offers an in-depth analysis of vulnerabilities managed over a 14-day timeline. The  component classifies vulnerabilities by severity, Critical, High, and Medium and Low, and provides insights into their resolution progress. The first row represents vulnerabilities that have been fixed within SLA. The second row represents vulnerabilities that have not been fixed, but is still within SLA therefore it acts as a sort of grace period row. The third row represents vulnerabilities that have been fixed outside of SLA. The last row represents vulnerabilities that have not been fixed and is currently outside SLA. This  component is a vital tool for monitoring medium-term remediation performance and identifying outstanding security risks.
• Online Services Detection Summary - The Online Services Detection Summary component provides an overview of vulnerabilities identified in online services based on plugin detections. The component lists plugins by name, categorizes their severity levels, and displays the total count of detections for each. This component offers insights into the most frequently detected vulnerabilities, allowing organizations to prioritize addressing high-severity issues and gain a clear understanding of their online service risk landscape. 
• Exploitable Application Summary - The Exploitable Application Summary  component offers an analysis of application vulnerabilities categorized by severity levels (Low, Medium, High, and Critical) and their exploitability ease. Using the CVSSv3 Attack Complexity metric, vulnerabilities are classified as 'Hard to Exploit' for high complexity and 'Easy to Exploit' for lower complexity. Additionally, vulnerabilities deemed 'Not Exploitable' are highlighted. This  component helps organizations assess the risk landscape of applications and allocate resources effectively to address vulnerabilities that are easier for attackers to exploit, especially those with critical severity.
• 1 Month Patch Mitigation Summary - The 1 Month Compliance Overview component offers an in-depth analysis of vulnerabilities managed over a 14-day timeline. The component classifies vulnerabilities by severity, Critical, High, and Medium and Low, and provides insights into their resolution progress. The first row represents vulnerabilities that have been fixed within SLA. The second row represents vulnerabilities that have not been fixed, but is still within SLA therefor it acts as a sort of grace period row. The third row represents vulnerabilities that have been fixed outside of SLA. The last row represents vulnerabilities that have not been fixed and is currently outside SLA. This component is a vital tool for monitoring medium-term remediation performance and identifying outstanding security risks. 
• Exploitable Application Summary - The Exploitable Application Summary  component offers an analysis of application vulnerabilities categorized by severity levels (Low, Medium, High, and Critical) and their exploitability ease. Using the CVSSv3 Attack Complexity metric, vulnerabilities are classified as 'Hard to Exploit' for high complexity and 'Easy to Exploit' for lower complexity. Additionally, vulnerabilities deemed 'Not Exploitable' are highlighted. This  component helps organizations assess the risk landscape of applications and allocate resources effectively to address vulnerabilities that are easier for attackers to exploit, especially those with critical severity. 
• Application Patch Risk Summary - The Application Patch Risk Comparison component provides a detailed analysis of application vulnerabilities by comparing patch availability and release timelines between 'Most Targeted Apps' and 'Other Apps.' For the 'Most Targeted Apps'column, the filter used is the CPE filter equaling to some common apps like: 'cpe:/a:microsoft:edge', 'cpe:/a:microsoft:office', and 'cpe:/a:microsoft:word' to name a few. The component categorizes the data into six groups: applications with no patch available, those with patches released within 7, 14, 21, or 28 days, and those with patches released over 28 days ago. This visualization helps prioritize patch management efforts by highlighting the number of vulnerable applications in each category, emphasizing the urgency for securing the most targeted applications versus less critical ones.
• Exploitable Operating System Summary - The Exploitable Operating System Summary  component provides a detailed breakdown of vulnerabilities in operating systems based on their severity (Low, Medium, High, and Critical) and exploitability ease. Exploitability is determined using the CVSSv3 Attack Complexity metric, where vulnerabilities with 'High' complexity are categorized as 'Hard to Exploit,' and others are labeled as 'Easy to Exploit.' The  component also identifies vulnerabilities that are 'Not Exploitable.' This matrix enables organizations to prioritize patching efforts by focusing on vulnerabilities with lower attack complexity (easy to exploit) while addressing critical vulnerabilities that could pose significant risks.