NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Exabeam Security Management Platform

Certificate Date:  2019.09.04

Validation Report Number:  CCEVS-VR-VID10923-2019

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314

CC Testing Lab:  Booz Allen Hamilton Common Criteria Testing Laboratory

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

Exabeam Security Management Platform’s primary functionality is to collect network traffic and events, correlate the data collected to detect threats, and provide recommendations for responses to safeguard the network against cyberattacks.

Evaluated Configuration

The TOE is the Exabeam Security Management Platform containing the models EX3000 and EX4000. These models communicate with each other in the evaluated configuration making Security Management Platform a distributed TOE. The TOE’s software version is Core (PLT-i10) which includes the Data Lake (EX3000), and Advanced Analytics and Incident Responder (EX4000) software.

The following lists components and applications in the environment that the TOE relies upon in order to function properly:

  • Management Workstation: Any general-purpose computer that is used by an administrator to manage the TOE. For the TOE to be managed remotely the management workstation is required to have:
    • Browser to access the TOE’s GUI
    • SSHv2 client to access the TOE’s secure shell command-line interface
  • Syslog Server: The TOE connects to a syslog server to send syslog messages for remote storage via TLS connection where the TOE is the TLS client. This is used to send copies of audit data to be stored in a remote location for data redundancy purposes.

OCSP Responder: A server deployed within the Operational Environment which confirms the validity and revocation status of certificates.

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. Exabeam Security Management Platform was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the Exabeam Security Management Platform Security Target Version 1.0. The evaluation underwent CCEVS Validator review. The evaluation was completed in September 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR- VID10923-2019 prepared by CCEVS.

Environmental Strengths

Audit records are generated on each model for various types of management activities and events that occur on that model. These records include the date and time stamp of the event, the event type, and the subject identity. Audit records are stored in rsysreceived.log on each TOE model and can be configured to also be sent to a syslog server via a TLS connection. When the storage space allocated to rsysreceived.log is exhausted, the model will delete the oldest log file, archive the previous active file, and generate a new active file to which audit records are written.

Cryptographic Support

Each TOE model provides cryptography in support of communications between itself and the Operational Environment. The protocols used for this are TLS, HTTPS, and SSH. The TOE uses TLS to secure the automatic transfer of syslog audit records. TLS/HTTPS is used to secure the connection for remote management of the TOE via the GUI and SSH is used to secure the remote CLI interface for remote management of the TOE. TLS mutual authentication is used for communication between TOE components.

Exabeam’s implementation of these has been validated to ensure that the algorithms are appropriately strong for use in trusted communications. The TOE collects entropy from sources contained within the device to ensure sufficient randomness for secure key generation.

Cryptographic keys are generated using the CTR_DRBG provided through this module and the references to the keys are destroyed when no longer needed.


In order for the EX3000 to send collected network events to the EX4000, the Security Administrator must have configured these two components to communicate. The Security Administrator also has the ability to disable communication between the TOE components

Identification and Authentication

Each TOE model provides a local password authentication mechanism for the GUI, local CLI, and remote CLI that obscures password upon entry. Users accessing the remote CLI on each model can also authenticate using their SSH public key. The TOE models also enforce password length requirements and will lock users out due to too many failed authentication attempts. The only function available to an unauthenticated user is the ability to acknowledge a warning banner.

The TOE uses X.509 certificates to authenticate servers that it connects to over TLS. This includes each model connecting to the syslog server as well as EX3000 and EX4000 verifying the other TOE component’s X.509 certificates when they communicate. The TSF determines the validity of the certificates by confirming the validity of the certificate chain and verifying that the certificate chain ends in a trusted Certificate Authority (CA). The TSF connects with an OCSP Responder through HTTP to confirm certificate validity and revocation. The TSF can generate a Certificate Request that contains the “Common Name” and public key.

Security Management

Each model of the TOE can be administered locally and remotely and uses role based access control (RBAC) to restrict privileges to authorized roles. The Security Administrator roles on the CLI are the “Exabeam user” role and the root account (can authenticate via the local CLI only). For the GUI, users with the “Administrator” role are considered the Security Administrators.

Protection of the TSF

The TOE stores passwords in a variety of locations on each model depending on their use and encryption. They cannot be viewed by any user regardless of the user’s role. Additionally, pre-shared keys, symmetric keys, and private keys cannot be accessed in plaintext form by any user. There is an underlying hardware clock on each model that is used for accurate timekeeping and is set by the Security Administrator. Power-on self-tests are executed automatically on each TOE model during the boot process which includes verifying the TOE software’s and cryptographic module’s integrity. The TOE’s DRBG also performs its own health tests.

The version of the software installed on each model is verified via the GUI. The Exabeam user will SCP push (over SSH) the software package from their management workstation to each TOE component and then will run the commands to update the TOE component’s software. The software update process includes two different verifications of a SHA-256 public hash.

TOE Access

The TOE models display a configurable warning banner on each user interface prior to the user authenticating to that interface. The TOE components can terminate local CLI, remote CLI, and GUI sessions after a specified time period of inactivity. Administrator users have the capability to terminate their own sessions. Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session.

Trusted Path/Channels

The TOE components connect and send data to IT entities via trusted channels. In the evaluated configuration, each model connects to a syslog server via TLS to send audit data for remote storage. TLS is used for the transfer of collected network event data from EX3000 to EX4000. TLS/HTTPS and SSH are used for remote administration of the TOE via the GUI and remote CLI respectively.

Vendor Information

Exabeam, Inc.
Sandra Miranda
Site Map              Contact Us              Home