Compliant Product - VMware Carbon Black Endpoint Detection and Response (EDR) Windows Sensor 7.2
Certificate Date: 2021.07.28
Validation Report Number: CCEVS-VR-VID11155-2021
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Application Software Version 1.3
CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory
The VMware Carbon Black Endpoint Detection and Response (VMware CB EDR) Windows Sensor 7.2 enterprise software application gathers event data on the endpoints and invokes the OS to securely transmit this information to the operating environment’s management server for centralized storage and indexing.
The TOE is the VMware Carbon Black Endpoint Detection and Response (VMware CB EDR) Windows Sensor 7.2 (“Windows Sensor”) application. The TOE is installed on administratively defined network endpoints, such as laptops, desktops, and servers. The TOE, when installed, operates as a Windows service to perform its function of observing and reporting on system-level behavior. Changes to the TOE’s data collection policy can only be initiated by the enterprise administrator using the management server in the operational environment.
The following list identifies the components and applications in the environment that the TOE relies upon to function properly:
· Microsoft Windows 10 (Windows): The operating system installed on the endpoint system on which the TOE application is installed. The Windows Sensor leverages operating system callbacks to collect system-relevant data, store log files, access the Windows key store, and invoke network access.
· Management Server (VMware CB EDR Server): The management server is used in the evaluated configuration to deploy the Windows Sensors, perform limited configuration, and collect the system data from these sensors. However, it is used to the extent that it can assist in the evaluation of the Windows Sensor software and no security claims for its functionality are made.
· Certificate Authority: The OCSP server deployed within the Operational Environment that confirms the validity and revocation status of certificates. It is required to validate the Management Server certificate for HTTPS/TLS communications.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. VMware Carbon Black EDR Windows Sensor 7.2 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the VMware Carbon Black Endpoint Detection and Response (EDR) Windows Sensor 7.2 Security Target Version 1.5, July 21, 2021. The evaluation underwent CCEVS Validator review. The evaluation was completed in July 2021. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID11155-2021 prepared by CCEVS.
The TOE invokes the underlying platform to perform all cryptographic services, including HTTPS/TLS trusted communications and encrypted storage of sensitive data. As an application on an operating system, the TOE interfaces with the operating system's key storage to securely store key data related to secure communications.
User Data Protection
The application restricts its access to the endpoint system's network connectivity resources. It also restricts its sensitive data access to system logs and memory dumps stored on the endpoint system. Network activity is restricted to periodic management server polling, also known as sensor check-in. During each polling cycle, the Sensor transmits the endpoint system data it has collected to the management server and retrieves configuration settings/updates and TOE software updates (if available) from the management server.
Identification and Authentication
The TOE relies on the OS to validate X.509.3 certificates for HTTPS/TLS communication.
During installation, the TOE is automatically configured to protect itself and its data from unauthorized access and implements the recommended Windows platform security mechanisms. The TOE application provides a single CLI that allows an OS administrator to verify the application version. The TSF applies changes to its configuration received from the management server during the polling cycle.
The TOE does not transmit any personally identifiable information (PII) over the network.
Protection of the TSF
The TOE is packaged as separate software that is installed on the platform and can be uninstalled/removed if needed. In the evaluated configuration, all updates are obtained from the management server. The digital signature of the update package is verified by the host platform prior to installation. The TOE will only initiate an update when the management server has indicated, during the periodic polling cycle, that an authorized update is available. Otherwise, the TOE does not download, replace, or modify its own binary code.
The TOE implements anti-exploitation features, such as stack-based overflow protection, is compatible with security features provided by the OS, and only uses documented APIs and libraries.
The TOE invokes the OS platform to provide a trusted communication channel (HTTPS session over TLS v1.2) to the management server.