Listen to this Post
Introduction:
In an era where ransomware attacks are executed in minutes and phishing campaigns grow more sophisticated by the day, achieving “zero genuine malware alerts” sounds like a security leader’s dream—or a monitoring failure. For PanAust, a multinational copper and gold producer operating across Laos, Papua New Guinea, and Chile, this became reality not through luck, but through a strategic partnership with Sekuro and the deployment of Airlock Digital’s application control solution across nearly 2,000 IT and OT endpoints. The result? Complete alignment with the Australian Cyber Security Centre’s Essential Eight Maturity Level Two, a clear pathway to Level Three, and months of uninterrupted operations free from genuine malware incidents. This article dissects the technical implementation, provides actionable commands and configurations, and explores how organizations can replicate this success.
Learning Objectives:
- Understand the architecture and deployment methodology behind enterprise-scale application whitelisting across hybrid IT/OT environments
- Master practical implementation techniques for application control on Windows and Linux systems using both native tools and third-party solutions
- Learn how to align endpoint security controls with the ACSC Essential Eight Maturity Model, progressing from Level Two to Level Three
You Should Know:
- Understanding the Essential Eight Maturity Model and Application Control
The Australian Signals Directorate’s Essential Eight is not merely a compliance checklist—it is a risk-based maturity framework designed to systematically reduce an organization’s attack surface. At Maturity Level Two, organizations defend against adversaries who invest moderate time and employ common social engineering techniques. Controls are consistently enforced across most users and devices, with reliable processes in place. Maturity Level Three represents full alignment with the mitigation strategy’s intent, protecting against capable threat actors who perform targeted intrusions using advanced tradecraft.
Application control—the first and most foundational of the Essential Eight strategies—operates on a simple but powerful principle: deny by default. Only trusted applications, scripts, and processes are permitted to execute. This proactive approach blocks ransomware, zero-day exploits, and unauthorized software before they can execute, effectively eliminating the attack vector rather than merely detecting it post-execution.
Why this matters for PanAust: Operating in developing nations with varying levels of cybersecurity maturity, PanAust faced elevated phishing-related malware risk. By implementing Airlock Digital, the organization established a sound base to move toward larger frameworks including NIST and ISO 27001. As Scott Brownlee, Cybersecurity Superintendent at PanAust, noted: “While we targeted Essential Eight Maturity Level Two, we realized that, with Airlock Digital, there would be minimal additional effort required to achieve Maturity Level Three”.
2. Deploying Application Control: A Step-by-Step Implementation Guide
PanAust’s deployment across approximately 2,000 endpoints followed a methodical, phased approach that minimized business disruption. Below is a comprehensive guide mirroring their successful methodology:
Step 1: Environment Discovery and Baseline Capture
Before enforcing any policies, the PanAust team captured configuration images on various hardware types and added them to a baseline. This discovery phase is critical for understanding what legitimate applications exist in your environment.
For Windows environments, use PowerShell to inventory installed applications:
Get-WmiObject -Class Win32_Product | Select-Object Name, Version, Vendor | Export-Csv -Path "C:\AppInventory.csv" -1oTypeInformation
For Linux environments, use package managers to generate inventories:
Debian/Ubuntu
dpkg-query -f '${Package}\t${Version}\t${Architecture}\n' -W > /tmp/app_inventory.txt
RHEL/CentOS
rpm -qa --queryformat '%{NAME}\t%{VERSION}\t%{ARCH}\n' > /tmp/app_inventory.txt
Step 2: Policy Definition and Trust Modeling
PanAust used multiple trust options to determine which applications and files to trust, reflecting organizational usage patterns. Trust can be established using:
– File hashes (exact match)
– Publishers (digital signatures)
– Paths (specific directories)
– Parent processes (execution relationships)
Step 3: Audit Mode Deployment
The team initially deployed Airlock Digital agents in audit mode—a non-blocking state that logs all execution attempts without preventing them. This allows administrators to observe what runs in the environment and refine policies before enforcement.
For native Windows AppLocker in audit mode:
Enable AppLocker in audit mode via Group Policy Set-AppLockerPolicy -PolicyXmlFile "C:\AppLockerPolicy.xml" -Merge Verify mode Get-AppLockerPolicy | Select-Object -ExpandProperty RuleCollections
Step 4: Phased Enforcement Rollout
PanAust transitioned from audit to enforcement mode site by site over four months. This gradual approach allows for iterative policy refinement and minimizes operational disruption.
Step 5: Ongoing Policy Maintenance
The seamless policy management workflows enabled PanAust to easily assign common security policies to non-IT Windows servers, Linux servers, and workstations. IT workstations and Windows servers were allocated to separate policy groups to support specialist software needs.
- Bridging IT and OT: Unified Security Without Compromise
One of the most significant technical achievements in the PanAust deployment was extending application control from IT environments to operational technology (OT) endpoints without running two separate products. OT environments—which control physical processes like mining operations—are typically more sensitive to performance impacts and harder to patch.
Airlock Digital’s lightweight agent minimized impact on system resources while providing consistent protection across both domains. The Trusted Installer feature further streamlined secure software deployment across IT and OT environments by automatically detecting software deployments and tagging each application component during installation.
Key Integration Points:
- Microsoft SCCM/MECM and InTune for Windows deployment automation
- Jamf for macOS environments
- BigFix for cross-platform patch and deployment management
For organizations managing hybrid environments, consider these native Linux application control commands:
Using `auditd` to monitor application execution on Linux:
Install auditd sudo apt-get install auditd Debian/Ubuntu sudo yum install audit RHEL/CentOS Add a rule to monitor all execve syscalls sudo auditctl -a always,exit -F arch=b64 -S execve -k app_execution View logs sudo ausearch -k app_execution --format raw
Implementing basic allowlisting with `fapolicyd` (RHEL/CentOS):
Install fapolicyd sudo yum install fapolicyd Start the service sudo systemctl enable fapolicyd --1ow Add trusted files to the allowlist sudo fapolicyd-cli --file add /usr/bin/trusted_app sudo fapolicyd-cli --update
- Advanced Threat Prevention: Blocklisting, OTPs, and Exception Management
While allowlisting defines what can run, blocklisting defines what absolutely cannot. Airlock Digital implements pre-defined rules aligned with the MITRE ATT&CK framework and Microsoft recommended block rules.
One-Time Passwords (OTPs) provide a secure mechanism for temporary exceptions—critical for maintaining business continuity when legitimate but untrusted applications need to execute. PanAust’s team used this feature sparingly, with only a few exceptions issued through OTPs to enable developers to access essential processes.
Creating custom blocklists on Windows using PowerShell:
Block specific executable by hash
$rule = New-AppLockerPolicy -RuleType Exe -User Everyone -Action Deny -Hash @{Hash=@(Get-FileHash -Path "C:\Path\malware.exe")}
Set-AppLockerPolicy -Policy $rule -Merge
Managing exceptions with Group Policy:
Create a path-based exception $pathRule = New-AppLockerPolicy -RuleType Exe -User "BUILTIN\Administrators" -Action Allow -Path "C:\TrustedTools\" Set-AppLockerPolicy -Policy $pathRule -Merge
- Achieving Essential Eight Maturity Level Three: The Next Frontier
With Maturity Level Two achieved, PanAust identified a clear pathway to Level Three. The transition requires:
– Full coverage across all assets, users, and data
– Automated enforcement of application control policies
– Prompt identification and remediation of any deviations
For organizations aiming for Level Three, consider these additional controls:
Implementing Windows Defender Application Control (WDAC) alongside Airlock:
Create a WDAC policy from a reference system New-CIPolicy -FilePath "C:\WDACPolicy.xml" -Level Publisher -Fallback Hash Convert to binary format and deploy ConvertFrom-CIPolicy -XmlFilePath "C:\WDACPolicy.xml" -BinaryFilePath "C:\WDACPolicy.p7b"
Linux SELinux/AppArmor integration for granular control:
AppArmor: Create a profile for an application sudo aa-genprof /usr/bin/application SELinux: Set enforcing mode and check denials sudo setenforce 1 sudo ausearch -m avc -ts recent
Automated patch management for drivers and firmware: The November 2023 Essential Eight update added requirements for patching vulnerabilities in drivers and firmware. Automate this using:
Windows: Check for driver updates via PowerShell
Get-WindowsDriver -Online | Where-Object {$_.ProviderName -1e "Microsoft"}
Linux: Update firmware via fwupdmgr
sudo fwupdmgr refresh
sudo fwupdmgr update
6. Measuring Success: ROI, Metrics, and Continuous Improvement
The PanAust deployment delivered measurable outcomes: zero genuine malware alerts in months, 2,000 endpoints secured across IT and OT, and Essential Eight Maturity Level Two achieved. These results align with broader industry findings—a Forrester Consulting Total Economic Impact study commissioned by Airlock Digital reported a 224% ROI and a $3.8 million net present value over three years for organizations adopting Airlock’s allowlisting approach.
Key metrics to track:
- Number of blocked execution attempts (indicative of threat prevention)
- Exception requests per user per month (measure of policy accuracy)
- Time to approve new applications (operational efficiency)
- Malware alerts generated (reduction indicates success)
Monitoring blocked executions on Windows:
Query AppLocker events from Event Log
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-AppLocker/EXE and DLL'; ID=8003} | Select-Object TimeCreated, Message
Monitoring on Linux with auditd:
Search for denied executions sudo ausearch -k app_execution -m EXECVE -sv no
What Undercode Say:
- Application control is the ultimate proactive defense. While EDR and SIEM tools focus on detection and response, application control prevents execution entirely. PanAust’s experience proves that “zero genuine malware alerts” is achievable when you stop threats before they run—not just detect them after the fact.
- IT/OT convergence demands unified security architecture. Running separate security solutions for IT and OT creates complexity, increases costs, and introduces gaps. PanAust’s decision to extend a single application control solution across both environments demonstrates that operational technology can be secured without compromising performance or requiring specialized tools.
Analysis: The PanAust-Sekuro case study offers three critical lessons for cybersecurity leaders. First, the Essential Eight Maturity Model is not an aspirational framework—it is an achievable, practical roadmap. PanAust reached Level Two and identified a clear path to Level Three with minimal additional effort, proving that maturity progression is incremental rather than revolutionary. Second, vendor partnerships matter. Sekuro’s expertise enabled PanAust to complete the deployment with minimal disruption, allowing internal teams to own and manage the solution long-term. Third, the “deny by default” paradigm shifts the security burden from detection to prevention. When combined with gradual enforcement rollouts and robust exception management (OTPs), allowlisting becomes operationally sustainable rather than administratively overwhelming. Organizations that embrace this model will not only achieve compliance but will fundamentally reduce their risk exposure in an increasingly hostile threat landscape.
Prediction:
- +1 The Essential Eight Maturity Model will become the de facto global standard for critical infrastructure protection, with non-Australian organizations voluntarily adopting its framework as best practice. PanAust’s success story will serve as a reference architecture for mining, energy, and manufacturing sectors worldwide.
- +1 Application control solutions will increasingly integrate with AI-driven policy recommendation engines, reducing the manual effort required to maintain allowlists and accelerating the transition from Maturity Level Two to Level Three.
- +1 The convergence of IT and OT security will accelerate, with unified application control platforms becoming the norm rather than the exception. Organizations that fail to bridge this gap will face escalating ransomware risks targeting industrial control systems.
- -1 The sophistication of threat actors will continue to evolve, with adversaries developing techniques to bypass allowlisting through signed but malicious drivers or exploiting trust relationships. Organizations must complement application control with robust patch management and continuous monitoring.
- -1 Regulatory bodies may raise the minimum Essential Eight maturity requirement for critical infrastructure from Level Two to Level Three, forcing organizations that have delayed implementation to undertake rushed, high-risk deployments.
- +1 The “zero genuine malware alerts” metric will become a key performance indicator for security teams, shifting the focus from reactive incident response to proactive prevention and fundamentally changing how cybersecurity success is measured.
▶️ Related Video (70% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Cybersecurity Essentialeight – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
