RSA Security Analytics V10.4 Security Target


RSA Security Analytics v10.4
Security Target
Version 0.3
April 27, 2015

Prepared for:
RSA, The Security Division of EMC2
10700 Parkridge Blvd., Suite 600
Reston, VA 20191

LMR Associates, LLC
Project Director for RSA Security, LLC
Common Criteria Certification Project

Prepared By:
Leidos Inc. (formerly Science Applications International Corporation)
Common Criteria Testing Laboratory
6841 Benjamin Franklin Drive, Columbia, Maryland 21046

RSA Proprietary
Page 1 of 51

TABLE OF CONTENTS

1 SECURITY TARGET INTRODUCTION ... 4
1.1 Security Target, TOE and CC Identification ... 4
1.2 Conformance Claims ... 4
1.3 Conventions ... 5
1.4 Glossary ... 5
1.5 Terminology ... 5
2 TOE DESCRIPTION ... 7
2.1 TOE Overview ... 7
2.2 TOE Architecture ... 7
2.2.1 SA Product Components ... 7
2.2.2 TOE Physical Boundaries ... 10
2.2.3 TOE Logical Boundaries ... 15
2.3 TOE Documentation ... 16
3 SECURITY PROBLEM DEFINITION ... 18
3.1 Assumptions ... 18
3.1.1 Intended Usage Assumptions ... 18
3.1.2 Physical Assumptions ... 18
3.1.3 Personnel Assumptions ... 18
3.2 Threats ... 18
4 SECURITY OBJECTIVES ... 20
4.1 Security Objectives for the TOE ... 20
4.2 Security Objectives for the Operational Environment ... 20
5 IT SECURITY REQUIREMENTS ... 21
5.1 Extended Component Definition ... 21
5.1.1 Extended Family Definitions ... 21
5.2 TOE Security Functional Requirements ... 25
5.2.1 Security audit (FAU) ... 26
5.2.2 Cryptographic Support (FCS) ... 28
5.2.3 Identification and authentication (FIA) ... 28
5.2.4 Security Monitoring with Security Information and Event Management ... 29
5.2.5 Security management (FMT) ... 29
5.2.6 Protection of the TSF (FPT) ... 30
5.2.7 TOE Access (FTA) ... 30
5.2.8 Trusted path/channels (FTP) ... 31
5.3 TOE Security Assurance Requirements ... 31
5.3.1 Development (ADV) ... 31
5.3.2 Guidance documents (AGD) ... 32
5.3.3 Life-cycle support (ALC) ... 33
5.3.4 Tests (ATE) ... 34
5.3.5 Vulnerability assessment (AVA) ... 35
6 TOE SUMMARY SPECIFICATION ... 36
6.1 Security Audit ... 36
6.2 Cryptographic Support ... 37
6.3 Identification and Authentication ... 38
6.4 Security Monitoring with Security Information and Event Management ... 39
6.5 Security Management ... 41
6.6 Protection of the TSF ... 42
6.7 TOE Access ... 42
6.8 Trusted Path/Channels ... 42
7 RATIONALE ... 43
7.1 Security Objectives Rationale ... 43
7.1.1 Security Objectives Rationale for the TOE and Environment ... 43
7.2 Security Requirements Rationale ... 46
7.2.1 Security Functional Requirements Rationale ... 46
7.2.2 Security Assurance Requirements Rationale ... 49
7.3 Requirement Dependency Rationale ... 49
7.4 TOE Summary Specification Rationale ... 50

LIST OF TABLES

Table 5-1 TOE Security Functional Components ... 26
Table 5-2 Auditable Events ... 26
Table 5-3 EAL2 Augmented with ALC_FLR.1 Assurance Components ... 31
Table 8-1 Objective to Requirement Correspondence ... 47
Table 8-2 Security Requirements to Security Functions Mapping ... 51

1 Security Target Introduction

This section identifies the Security Target (ST) and Target of Evaluation (TOE), ST conventions, ST conformance claims, and the ST organization. The Security Target was undertaken at the request and under the direction of LMR Associates, LLC, acting as Project Director for RSA Security LLC, the Security Division of EMC, regarding the Security Analytics Version 10.4 Common Criteria Certification Project.

The TOE is RSA Security Analytics (SA). SA is a collection of appliances that form a security infrastructure for an enterprise network. This architecture provides converged network security monitoring and centralized security information and event management (SIEM). SA provides real-time visibility into the monitored network and long-term network data storage to support detection, investigation, analysis, forensics, and compliance reporting. SA's Capture infrastructure collects log and packet data from the network. Packet collection extracts metadata, reassembles, and globally normalizes all network traffic at layers 2 through 7 of the Open Systems Interconnection (OSI) model. This data allows SA to perform real-time session analysis, incident detection, drill-down investigation, reporting, and forensic analysis.

The Security Target contains the following additional sections:
- Security Target Introduction (Section 1)
- TOE Description (Section 2)
- Security Problem Definition (Section 3)
- Security Objectives (Section 4)
- IT Security Requirements (Section 5)
- TOE Summary Specification (Section 6)
- Rationale (Section 7)

1.1 Security Target, TOE and CC Identification

ST Title – RSA Security Analytics v10.4 Security Target
ST Version – Version 0.3
ST Date – April 27, 2015
TOE Identification – RSA Security Analytics 10.4
TOE Developer – RSA, The Security Division of EMC2
Evaluation Sponsor – RSA, The Security Division of EMC2
CC Identification – Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012

1.2 Conformance Claims

This TOE is conformant to the following CC specifications:
- Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements, Version 3.1 Revision 4, September 2012. Part 2 Extended
- Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1 Revision 4, September 2012. Part 3 Conformant
- Assurance Level: EAL2 augmented with ALC_FLR.1

1.3 Conventions

The following conventions have been applied in this document:

Extended requirements – Security Functional Requirements not defined in Part 2 of the CC are annotated with a suffix of EXT.

Security Functional Requirements – Part 2 of the CC defines the approved set of operations that may be applied to functional requirements: iteration, assignment, selection, and refinement.

Iteration: allows a component to be used more than once with varying operations. In the ST, iteration is identified with a number in parentheses following the base component identifier. For example, iterations of FCS_COP.1 are identified in a manner similar to FCS_COP.1(1) (for the component) and FCS_COP.1.1(1) (for the elements).

Assignment: allows the specification of an identified parameter. Assignments are indicated using bold and are surrounded by brackets (e.g., [assignment]). Note that an assignment within a selection would be identified in italics and with embedded bold brackets (e.g., [[selected-assignment]]).

Selection: allows the specification of one or more elements from a list. Selections are indicated using bold italics and are surrounded by brackets (e.g., [selection]).

Refinement: allows the addition of details. Refinements are indicated using bold, for additions, and strikethrough, for deletions (e.g., "all objects" or "some big things").

Other sections of the ST – Other sections of the ST use bolding to highlight text of special interest, such as captions.

1.4 Glossary

API: Application Programming Interface
CC: Common Criteria
EAL: Evaluation Assurance Level
EPS: Events per Second
GUI: Graphical User Interface
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
IDS: Intrusion Detection System
LAN: Local Area Network
OS: Operating System
OSI: Open Systems Interconnection
PP: Protection Profile
SDEE: Security Device Event Exchange
SIEM: Security Information and Event Management
SMTP: Simple Mail Transfer Protocol
SNMP: Simple Network Management Protocol
ST: Security Target
TLS: Transport Layer Security
TOE: Target of Evaluation
TSF: TOE Security Function

1.5 Terminology

The terminology below is described in order to clarify the terms used in the ST as well as those used in the TOE product documentation.

Analyzer: The function of an IDS that applies analytical processes to collected IDS data in order to derive conclusions about potential or actual intrusions.

Concentrator: A concentrator that receives network packet metadata.

Decoder: A decoder that captures network packets.

IDS: Intrusion Detection System, a combination of services or functions such as an Analyzer that monitors an IT System for activity that may inappropriately affect the IT System or its resources, and that can send alerts if such activity is detected.

IDS data: Refers both to raw data collected by the TOE and to the results of analysis applied by the TOE to that data.

Index: Indexes are internal SA data structures that organize for searching the metadata elements of sessions and are generated during data processing for a collection. The content of the index, and consequently the metadata elements that are displayed in the Navigation view, are controlled by settings in effect during collection processing.

Log Concentrator: A concentrator that receives log metadata.

Log Decoder: A decoder that captures log data.

Metadata: Specific data types (Service Type, Action Event, Source IP Address, etc.) created by the parsers which are counted and itemized in the captured data. A detailed list of metadata for each parser may be found in the SA Guidance.

Parser: A software module that defines tokens and instructions for lexical processing of network streams. Processing includes stream identification and metadata extraction.

Services: Components of the product that work together to provide the security functions of the TOE, such as Analyzer, Concentrator, and Decoder.

2 TOE Description

The Target of Evaluation (TOE) is RSA Security Analytics (SA), hereafter referred to as Security Analytics, SA or the TOE.

2.1 TOE Overview

SA is a collection of appliances that form a security infrastructure for an enterprise network. This architecture provides converged network security monitoring and centralized security information and event management (SIEM). SA provides real-time visibility into the monitored network and long-term network data storage to support detection, investigation, analysis, forensics, and compliance reporting. SA's capture infrastructure imports log data and collects packet data from the network. Packet collection extracts metadata, reassembles, and globally normalizes all network traffic at layers 2 through 7 of the OSI model. This data allows SA to perform real-time session analysis. SA recognizes over 250 event source types, which are aggregated, analyzed, and stored for long-term use.

Data is collected and aggregated by the Decoder and Concentrator appliances. Collected data is aggregated into a complete data structure across all network layers, logs, events, and applications. The Event Stream Analysis (ESA) appliance uses this data to provide advanced stream analytics such as correlation and complex event processing at high throughput and low latency. ESA uses Event Processing Language to bring meaning to the event flows. The SA Server's user interface uses this aggregated data to provide incident detection and drill-down investigation [1]. The Archiver appliance is a specialized concentrator variant that receives, indexes, and compresses logs. The Archiver is adapted to hold indexed and compressed raw logs, metadata, and indices for an extended period of time. The Reporting Engine and the SA Server's user interface use the data to provide compliance reporting and in-depth network analysis. Raw packets and packet metadata are not stored in the Archiver.

The TOE implements additional security functions such as identification and authentication of TOE users; auditing; security management; and trusted path.

The security management functions of the TOE are performed via the SA Server Interface, which is a web-based browser GUI. This interface allows authorized administrators to manage the user accounts, session lockout values and other TSF data, and to view the IDS data and alerts.

2.2 TOE Architecture

2.2.1 SA Product Components

SA is composed of multiple components that can be combined on appliances or deployed across multiple appliances depending on network needs. The components are broken into the Capture Architecture and the Analysis Architecture.

2.2.1.1 Capture Architecture

The SA Capture architecture is composed of the Decoder, Concentrator, and Broker. Each component is described below.

Decoder: The Decoder performs capture for either packets or logs. When deployed, either the packet or log capture capability is enabled. A Decoder collects packets, extracts metadata, reassembles and normalizes network traffic. A Log Decoder imports logs by either retrieving (pulling) the log records from an event source or by receiving the log records pushed from the event sources. Each appliance sends its collected data to an assigned Concentrator.

Within a Log Decoder appliance is a Log Collector service that imports logs from the following sources:
- Syslog
- SNMP Trap
- NetFlow
- File (pushed by SFTP and FTPS)
- Windows (WinRM)
- Windows (Legacy)
- ODBC
- Check Point LEA
- VMware
- SDEE

[1] The SA product provides additional capabilities for reporting and forensic analysis functions, which are not included in the scope of evaluation.

Concentrator: Concentrators are deployed as either a packet or log Concentrator. These appliances aggregate and store metadata received from multiple Decoders. Concentrators also perform queries to retrieve stored metadata, as requested by external users or the SA Server.

Broker: Brokers facilitate queries between Concentrators, allowing the SA Server access to metadata across the network.

2.2.1.2 Analysis Architecture

SA Server: The SA Server hosts the user interface. This interface enables an administrator to perform incident detection, management, investigation, and device and user administration. The SA Server User Interface (UI) is accessed through HTTPS only (i.e., HTTP over TLS in FIPS mode).

Archiver: The Archiver is a stand-alone appliance. The Archiver receives, indexes, and compresses log data from Log Decoders. It is adapted to hold indexed and compressed raw logs, metadata, and indices for an extended period of time. The Reporting Engine and the SA Server's user interface use the data (via the Broker) to provide compliance reporting and in-depth network analysis.

ESA: ESA is a stand-alone appliance that provides advanced stream analytics such as correlation and event processing. ESA receives event data from multiple Concentrators. ESA uses an advanced Event Processing Language (EPL) to filter, aggregate, join, correlate, and recognize patterns across multiple disparate event streams. ESA provides incident detection and alerting [2].

Malware Analysis: The Malware Analysis service analyzes file objects to assess the likelihood that the file is malicious. This service uses network session analysis and static file analysis [3] to check for malware. The service can perform continuous or on-demand polling of Decoders or Brokers to extract sessions identified as potentially carrying malware.

Incident Management: Collects Alerts and provides authorized users the ability to group them logically and start an Incident response workflow to investigate and remediate the security issues raised. Incident Management allows the user to configure rules to automate the aggregation of Alerts into Incidents. The IM service periodically runs rules to aggregate multiple Alerts into an Incident and to set some attributes of the Incident (e.g., severity, category). Users can access these functions through the SA UI.

Reporting Engine: The Reporting Engine is deployed on the same appliance as the SA Server. The Reporting Engine supports the definition and generation of reports and alerts. Administrators can create rules that govern how data is represented in reports and alerts. The Reporting Engine also manages the alert queue, allowing administrators to enable and disable alerts.

Each appliance in the SA solution can also be deployed as a virtual appliance. The functionality of the virtual appliance is the same as that of the hardware-based solution, though there are differences in throughput.

[2] SA can send alerts over email, syslog or SNMP traps, but these types of alert notification are not within the scope of evaluation.

[3] The SA product provides additional capabilities for dynamic file analysis and security community analysis, which are not included in the scope of evaluation.
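The three stages described above (a Decoder parser turning raw log lines into metadata, ESA correlating the metadata stream, and Incident Management folding alerts into an incident) can be shown end to end with a small pipeline. The following is an added example written for this page; it is not RSA code and it is written in Python rather than EPL. It parses constructed syslog lines (made up for the example) into flat metadata, runs a sliding-window rule that flags a burst of failed SSH logins followed by a success from the same source, and aggregates the resulting alerts into one incident keyed by source address. The meta key names (ip.src, alias.host, action, user.dst), the rule names, the threshold and window, and the severity values are assumptions made for the illustration, not SA's own content.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample syslog lines for the example (not captured from any real system).
SAMPLE_LOGS = [
    "2015-04-27T10:00:01Z web01 sshd[4101]: Failed password for root from 203.0.113.5 port 51001 ssh2",
    "2015-04-27T10:00:09Z web01 sshd[4102]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "2015-04-27T10:00:12Z web01 sshd[4103]: Failed password for admin from 198.51.100.7 port 40001 ssh2",
    "2015-04-27T10:00:20Z web01 sshd[4104]: Failed password for root from 203.0.113.5 port 51003 ssh2",
    "2015-04-27T10:00:31Z web01 sshd[4105]: Failed password for root from 203.0.113.5 port 51004 ssh2",
    "2015-04-27T10:00:44Z web01 sshd[4106]: Failed password for root from 203.0.113.5 port 51005 ssh2",
    "2015-04-27T10:00:50Z web01 cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
    "2015-04-27T10:01:03Z web01 sshd[4107]: Accepted password for root from 203.0.113.5 port 51006 ssh2",
    "2015-04-27T10:30:00Z web01 sshd[4200]: Failed password for admin from 198.51.100.7 port 40002 ssh2",
]

# Lexical tokens of the constructed line format: "<iso-timestamp> <host> <process>[<pid>]: <message>".
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[\s]+)\[\d+\]: (?P<msg>.*)$")
SSH_AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[0-9.]+) port \d+")


def parse_event(line):
    """Parser stage: turn one syslog line into a flat metadata dict, or None if it does not
    match the expected format. Key names are assumed for illustration, not SA's real keys."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    meta = {
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "alias.host": m["host"],
        "process": m["proc"],
    }
    auth = SSH_AUTH_RE.match(m["msg"])
    if auth:  # only sshd authentication messages yield an action and a source address
        meta["action"] = "login.failure" if auth["result"] == "Failed" else "login.success"
        meta["user.dst"] = auth["user"]
        meta["ip.src"] = auth["ip"]
    return meta


class BruteForceRule:
    """Correlation stage: a sliding window of failed logins per source address. An alert fires
    once when the failure count reaches the threshold inside the window, and again (higher
    severity) if a successful login from the same source follows while the window is still hot."""

    def __init__(self, threshold=5, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # ip.src -> timestamps of failures still in the window

    def feed(self, meta):
        """Consume one metadata record (events must arrive in time order); return any alerts."""
        action = meta.get("action")
        if action not in ("login.failure", "login.success"):
            return []
        ip, now = meta["ip.src"], meta["time"]
        q = self.failures[ip]
        while q and now - q[0] > self.window:  # expire failures that fell out of the window
            q.popleft()
        alerts = []
        if action == "login.failure":
            q.append(now)
            if len(q) == self.threshold:  # fire exactly once as the threshold is crossed
                alerts.append({"rule": "ssh.bruteforce", "severity": 50, "ip.src": ip, "time": now, "count": len(q)})
        elif len(q) >= self.threshold:  # success right after a burst of failures
            alerts.append({"rule": "ssh.bruteforce.success", "severity": 90, "ip.src": ip, "time": now, "count": len(q)})
        return alerts


def aggregate_incidents(alerts):
    """Incident stage: alerts sharing a source address are grouped into one incident whose
    severity is the maximum of its members and whose category is assigned by the rule."""
    incidents = {}
    for a in sorted(alerts, key=lambda a: a["time"]):
        inc = incidents.setdefault(a["ip.src"], {
            "ip.src": a["ip.src"], "category": "authentication", "severity": 0, "alerts": [],
            "first_seen": a["time"], "last_seen": a["time"]})
        inc["alerts"].append(a)
        inc["severity"] = max(inc["severity"], a["severity"])
        inc["last_seen"] = a["time"]
    return list(incidents.values())


def run_pipeline(lines):
    """Run parse -> correlate -> aggregate over a list of raw lines; return (alerts, incidents)."""
    rule = BruteForceRule()
    alerts = []
    for line in lines:
        meta = parse_event(line)
        if meta is not None:
            alerts.extend(rule.feed(meta))
    return alerts, aggregate_incidents(alerts)


if __name__ == "__main__":
    found_alerts, found_incidents = run_pipeline(SAMPLE_LOGS)
    for inc in found_incidents:
        print(f"incident ip.src={inc['ip.src']} severity={inc['severity']} "
              f"alerts={[a['rule'] for a in inc['alerts']]} first={inc['first_seen']} last={inc['last_seen']}")
```

On the constructed input the rule fires twice for 203.0.113.5 (five failures inside the window, then the successful login) and not at all for 198.51.100.7, whose two failures are half an hour apart; aggregation then yields a single high-severity incident. The rule is deliberately stateful per source and expires old failures before counting, which is the part of a correlation rule that is easiest to get wrong: without the expiry, a slow trickle of failures over hours would eventually trip the threshold.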

[Figure 2-1 Evaluated Configuration: diagram of the SA Server appliance hosting the UI, Broker, Reporting Engine, Incident Management and Malware Analysis services (each in its own JVM) alongside the other appliances, including the Log Decoder, on their hardware.]

Communications between components are protected using TLS. The TOE configuration is described further in Section 2.2.2.4.

2.2.2 TOE Physical Boundaries

2.2.2.1 Included Product Components

Product components included in the TOE are listed below. Figure 2-1 shows a representative deployment of the TOE in its evaluated configuration.

- Decoder (zero or more)
- Log Decoder (zero or more)
  Note: An SA deployment includes at least one Decoder or Log Decoder.
- Concentrator (zero or more)
- Log Concentrator (zero or more)
  Note: An SA deployment that contains a Log Decoder must include a Log Concentrator. Likewise, a deployment that includes a Decoder for network packets must include a Concentrator for network packets.
- Broker (one or more)
- Event Stream Analysis (ESA) (one or more)
- Archiver (one or more)
- Security Analytics Server (one or more)
- Incident Management (one or more)
- Malware Analysis (one or more)
- Reporting Engine (one per SA Server)
- Java Virtual Machine (JVM) (one for each of the following services on the SA Server: Broker, Incident Management, Malware Analysis, Reporting Engine Services, and one for the UI and SA Server itself. Additionally, the ESA runs in its own JVM)
- PostgreSQL database (one for each Malware Analysis)
- TokuMX database (one for each SA Server and ESA)

2.2.2.2 Excluded Product Components

SA product components excluded from the TOE in the evaluated configuration are:
1. Warehouse appliance
2. RSA Live (content delivery)
3. Malware Community
4. Malware Sandbox
5. Virtual Log Collector
6. Legacy Windows Log Collector

SA product features excluded from the TOE in the evaluated configuration are:
1. Direct-Attached Capacity (DAC) storage for Archiver
2. Representational State Transfer Application Programming Interface (REST API)
3. External authentication services (such as RADIUS, LDAP, and Windows Active Directory)
4. Export of security audit records to a Syslog server
5. Sending SMTP, SNMP, or Syslog alerts
6. Integrated Dell Remote Access Controller (iDRAC) out-of-band appliance management capabilities
7. Serial and USB device connections (used during installation and maintenance only)

2.2.2.3 Services and Products in the Operational Environment

The TOE relies on the following services and products in the operational environment:
1. Operating System: provides the execution environment for SA components. The OS is CentOS version 6.5.
2. Hypervisor: provides virtualization for SA virtual appliances. The hypervisor is ESXi version 5.0 or later.
3. Administrator Workstation / Browser: provides human users access to the SA Server user interface. SA supports Microsoft Internet Explorer (versions 10 and 11), Firefox (versions 26 to 30), Safari (version 6), and Chrome (versions 34 and 35.x).
4. Syslog server: SA Server can forward security audit records and alerts to an external Syslog server. Note: export to a Syslog server was not tested in the evaluation.
5. SMTP Server: SA Server can send email messages via an SMTP server. Note: the email message capability was not tested in the evaluation.
6. SNMP Server: SA Server can send SNMP traps. Note: the SNMP capability was not tested in the evaluation.
7. Authentication Server: provides external authentication methods (such as Windows Active Directory, RADIUS, and LDAP). Note: the external authentication capability was not tested in the evaluation.
8. Network Traffic Sources: source of network traffic. Note: the TOE has a direct physical connection to a network traffic source (the Decoder (packet) network connection).
9. Log Decoder Event Sources: provide log data to the TOE. SA supports the following event sources:
   a. Syslog
   b. SNMP Trap
   c. NetFlow
   d. File
   e. Windows (WinRM)
   f. Windows (Legacy)
   g. ODBC
   h. Check Point LEA
   i. VMware
   j. SDEE

2.2.2.4 TOE Configurations

RSA deploys Security Analytics as a collection of appliances providing services. RSA provides the TOE as either hardware appliances or virtual appliances. The deployment of appliances varies from customer to customer. A customer with a small volume of network or log data would combine services onto a few appliances. A large enterprise customer would have appliances for each service, with multiple Decoder, Concentrator, and Broker appliances. The evaluated configuration represents the range of deployments.

2.2.2.4.1 Hardware Appliance Deployments

The evaluated configuration includes the following appliances (see Figure 2-1 Evaluated Configuration):
1. Security Analytics Server (hosting the SA Server UI, Broker, Incident Management, Malware Analysis, and Reporting Engine services)
   a. The Broker, Incident Management, and Reporting Engine services each have their own JVM. Malware Analysis has its own JVM and a PostgreSQL database.
   b. Also contains a TokuMX High Performance MongoDB distribution.
2. One Decoder appliance
3. One Log Decoder appliance
   Note: An SA deployment includes at least one Decoder or Log Decoder, with the following deployment options.
   a. Can be deployed standalone or on an appliance with a Concentrator.
   b. Typical deployment is one-to-one Decoder/Concentrator pairs, though multiple Decoders per Concentrator are technically possible.

4. One Concentrator appliance for packet data
5. One Concentrator appliance for log data
   Note: An SA deployment that contains a Log Decoder must include a Log Concentrator. Likewise, a deployment that includes a Decoder for network packets must include a Concentrator for network packets.
   a. Can be deployed standalone or on an appliance with a Decoder.
   b. Typical deployment is one-to-one Decoder/Concentrator pairs, though it is possible for a single Concentrator to aggregate from multiple Decoders.
6. One Event Stream Analysis appliance (and JVM)
   a. Deployed standalone.
   b. Receives event data from multiple Concentrators.
   c. Also contains a TokuMX High Performance MongoDB distribution.
   Note: Deployments could have more than one ESA appliance.
7. One Archiver appliance
   Note: Deployments could have more than one Archiver.
   a. Deployed standalone.
   b. Only aggregates capture data from the Log Decoder.

The deployment described above includes sufficient appliances to demonstrate the TOE security functions even when additional appliances are used in a deployment. The deployment uses each of the TOE components. The interactions between TOE components remain the same when multiple components are installed on a single appliance, albeit without the need for protected communication

