Tenable and the Essential Eight

Last updated: February 06, 2025

Tenable provides risk measurement and communication tools that are suited to consistently measuring an organisation’s maturity and risk posture. While Tenable can assist with measuring risk in many of the Essential Eight strategies, there are two strategies that Tenable cannot directly assist an organisation’s Essential Eight maturity level; Regular backups and Restrict Microsoft Office Macros. Tenable does conduct a check-and-verify process across the Essential Eight controls, but does not implement, modify, or remove any existing control artifacts. Tenable’s role is limited to reporting on the status of these artifacts in relation to the Essential Eight controls. Later in this cyber exposure study, we will explore how Tenable Host Audit scanning can be utilised to assist in verifying and assessing certain aspects of Regular Backups and the Restriction of Microsoft Office Macros, as part of the Essential Eight Strategies.

The Tenable One Platform incorporates a comprehensive suite of sensors designed to facilitate efficient vulnerability scanning, regardless of network complexity or infrastructure type. By leveraging these capabilities, organizations can effectively discover and assess their attack surface, gaining a clearer and more complete understanding of potential exposure points. Combined with Exposure Response, Tenable enables organizations to not only scan for vulnerabilities but also prioritize remediation efforts based on contextual risk. Tenable provides thorough vulnerability scanning and exposure insights for:

  • On-Prem and remote IT (Tenable Security Center and Tenable Vulnerability Management)

  • Internet Facing assets (Tenable Attack Surface Management)

  • Web Applications and APIs (Web App Scanning)

  • Cloud Resources (Cloud Security)

  • Industrial Infrastructure (OT Security)

  • Identity systems (Identity Exposure)

Implementing an Essential Eight mitigation strategy is likely to directly improve the security posture of an organisation. Auditing the implementation does not improve the maturity level of the mitigation, but rather, confirms the quality, consistency and expected state of that implementation.

Tenable’s risk-based vulnerability management capabilities include extensive auditing capabilities. The auditing capabilities empower you to confirm the state of just about any such implementation such as:

  • Essential Eight Application control (The application control agent is installed, its version, if log file exists, the application allow-list ›file exists)

  • Configure Microsoft Office macro settings (GPOs are in place to control Microsoft Office functions)

  • User application hardening (policies are in place as expected to control application function)

  • Restrict administrative privileges (Numbers of admins, admin lists, policies for controlling access, expiry of passwords, GPOs controlling passwords, complexities and MFA)

  • Multi-factor authentication (policies are in place to control authentication processes)

  • Regular backups (software installed, processes running, logs being written, policy in place)

This Cyber Exposure Study will detail how an organisation can verify the implementation of the Essential Eight Strategies. With the setup of Credentialed Scanning, Agent Scanning, Compliance Policy Scans, Dashboards and Reports, this guide will detail how Tenable can assist the organisation in confirming their overall security posture.

This study provides guidance through the subjects matching the Essential Eight Strategies:

  • Reducing the Impact of Malware

    • Patch Applications

    • Application Control

    • User Application Hardening

    • Restrict Microsoft Office Macros

  • Limiting the Impact of Security Incidents

    • Patch Operating Systems

    • Multi-factor Authentication

    • Restrict Administrative Privileges