Compliant Product - Exabeam Security Management Platform
Certificate Date: 2019.09.04
Validation Report Number: CCEVS-VR-VID10923-2019
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314
CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory
Exabeam Security Management Platform’s primary functionality is to collect network traffic and events, correlate the data collected to detect threats, and provide recommendations for responses to safeguard the network against cyberattacks.
The TOE is the Exabeam Security Management Platform containing the models EX3000 and EX4000. These models communicate with each other in the evaluated configuration, making Security Management Platform a distributed TOE. The TOE’s software version is Core (PLT-i10), which includes the Data Lake (EX3000), and Advanced Analytics and Incident Responder (EX4000) software.
The following lists components and applications in the environment that the TOE relies upon in order to function properly:
OCSP Responder: A server deployed within the Operational Environment which confirms the validity and revocation status of certificates.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. Exabeam Security Management Platform was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the Exabeam Security Management Platform Security Target Version 1.0. The evaluation underwent CCEVS Validator review. The evaluation was completed in September 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID10923-2019, prepared by CCEVS.
Audit records are generated on each model for various types of management activities and events that occur on that model. These records include the date and time stamp of the event, the event type, and the subject identity. Audit records are stored in rsysreceived.log on each TOE model and can be configured to also be sent to a syslog server via a TLS connection. When the storage space allocated to rsysreceived.log is exhausted, the model will delete the oldest log file, archive the previous active file, and generate a new active file to which audit records are written.
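The rotation behaviour described above (oldest archive deleted, active file archived, fresh active file created once the allocated space is used up), modelled as an added Python example that is not Exabeam's code; the size limit, archive count, archive naming scheme and the sample audit records are all constructed assumptions.

```python
import tempfile
from pathlib import Path

LOG_NAME = "rsysreceived.log"   # active audit file named on the page
MAX_ACTIVE_BYTES = 200          # assumption: tiny allocation so the example rotates quickly
MAX_ARCHIVES = 3                # assumption: number of archived files retained


def rotate(log_dir: Path) -> None:
    """Delete the oldest archive, archive the active file, start a new active file."""
    # Archives are LOG_NAME.1 (newest) ... LOG_NAME.N (oldest); process oldest first
    # so renaming n -> n+1 never collides with a file that still exists.
    archives = sorted(log_dir.glob(LOG_NAME + ".*"),
                      key=lambda p: int(p.suffix[1:]), reverse=True)
    for path in archives:
        n = int(path.suffix[1:])
        if n >= MAX_ARCHIVES:
            path.unlink()                              # oldest log file deleted
        else:
            path.rename(log_dir / f"{LOG_NAME}.{n + 1}")
    (log_dir / LOG_NAME).rename(log_dir / f"{LOG_NAME}.1")   # previous active archived
    (log_dir / LOG_NAME).touch()                             # new active file


def write_audit_record(log_dir: Path, record: str) -> None:
    """Append one record, rotating first if it would exceed the allocated space."""
    active = log_dir / LOG_NAME
    line = (record + "\n").encode()
    if active.exists() and active.stat().st_size + len(line) > MAX_ACTIVE_BYTES:
        rotate(log_dir)
    with active.open("ab") as fh:
        fh.write(line)


def demo(num_records: int = 58) -> dict:
    """Write constructed audit records and return {file name: record count}."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = Path(tmp)
        for i in range(num_records):
            # constructed record: timestamp, event type, subject identity (46 bytes with newline)
            write_audit_record(log_dir, f"2019-09-04T12:00:{i:02d}Z admin_login user=exabeam")
        return {p.name: len(p.read_text().splitlines())
                for p in sorted(log_dir.iterdir())}


if __name__ == "__main__":
    print(demo())
```

With 46-byte records and a 200-byte allocation each file holds four records, so after 58 records only the three newest archives survive and the active file holds the last two.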
Each TOE model provides cryptography in support of communications between itself and the Operational Environment. The protocols used for this are TLS, HTTPS, and SSH. The TOE uses TLS to secure the automatic transfer of syslog audit records. TLS/HTTPS is used to secure the connection for remote management of the TOE via the GUI and SSH is used to secure the remote CLI interface for remote management of the TOE. TLS mutual authentication is used for communication between TOE components.
Exabeam’s implementation of the cryptographic algorithms used by these protocols has been validated to ensure that they are appropriately strong for use in trusted communications. The TOE collects entropy from sources contained within the device to ensure sufficient randomness for secure key generation.
Cryptographic keys are generated using the CTR_DRBG provided through the TOE’s cryptographic module, and the references to the keys are destroyed when no longer needed.
In order for the EX3000 to send collected network events to the EX4000, the Security Administrator must have configured these two components to communicate. The Security Administrator also has the ability to disable communication between the TOE components.
Each TOE model provides a local password authentication mechanism for the GUI, local CLI, and remote CLI that obscures the password upon entry. Users accessing the remote CLI on each model can also authenticate using their SSH public key. The TOE models also enforce password length requirements and will lock users out after too many failed authentication attempts. The only function available to an unauthenticated user is the ability to acknowledge a warning banner.
The TOE uses X.509 certificates to authenticate servers that it connects to over TLS. This includes each model connecting to the syslog server as well as EX3000 and EX4000 verifying the other TOE component’s X.509 certificates when they communicate. The TSF determines the validity of the certificates by confirming the validity of the certificate chain and verifying that the certificate chain ends in a trusted Certificate Authority (CA). The TSF connects with an OCSP Responder through HTTP to confirm certificate validity and revocation. The TSF can generate a Certificate Request that contains the “Common Name” and public key.
Each model of the TOE can be administered locally and remotely and uses role-based access control (RBAC) to restrict privileges to authorized roles. The Security Administrator roles on the CLI are the “Exabeam user” role and the root account (which can authenticate via the local CLI only). For the GUI, users with the “Administrator” role are considered the Security Administrators.
The TOE stores passwords in a variety of locations on each model depending on their use and encryption. They cannot be viewed by any user regardless of the user’s role. Additionally, pre-shared keys, symmetric keys, and private keys cannot be accessed in plaintext form by any user. There is an underlying hardware clock on each model that is used for accurate timekeeping and is set by the Security Administrator. Power-on self-tests are executed automatically on each TOE model during the boot process, which includes verifying the integrity of the TOE software and of the cryptographic module. The TOE’s DRBG also performs its own health tests.
The version of the software installed on each model is verified via the GUI. The Exabeam user will SCP push (over SSH) the software package from their management workstation to each TOE component and then will run the commands to update the TOE component’s software. The software update process includes two different verifications of a SHA-256 public hash.
The TOE models display a configurable warning banner on each user interface prior to the user authenticating to that interface. The TOE components can terminate local CLI, remote CLI, and GUI sessions after a specified time period of inactivity. Administrator users have the capability to terminate their own sessions. Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session.
The TOE components connect and send data to IT entities via trusted channels. In the evaluated configuration, each model connects to a syslog server via TLS to send audit data for remote storage. TLS is used for the transfer of collected network event data from EX3000 to EX4000. TLS/HTTPS and SSH are used for remote administration of the TOE via the GUI and remote CLI respectively.