Compliant Product - VMware Carbon Black Endpoint Detection and Response (EDR) Server 7.5
Certificate Date: 2021.08.02
Validation Report Number: CCEVS-VR-VID11156-2021
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Application Software Version 1.3
CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory
The VMware Carbon Black Endpoint Detection and Response (VMware CB EDR) Server product’s primary functionality is receiving endpoint system event data from one or more host sensors for indexing, analyzing, and storing the event data. The VMware CB EDR Server also allows administrators to create and deploy sensor groups, configure host sensors, configure the data collection policy that each host sensor will enforce, update the host sensors, and uninstall host sensors.
The TOE is the VMware Carbon Black Endpoint Detection and Response Server 7.5 application, referred to as VMware CB EDR Server. The TOE is an application that is installed on a RHEL 7.6 system with Linux Unified Key Setup (LUKS) encrypted partitioning enabled. The TOE is administered through a web user interface (web UI) via a web browser. Through the web UI, an administrator has the ability to configure the TOE and perform management for the product’s primary functionality.
The following list identifies the components and applications in the environment that the TOE relies upon in order to function properly:
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. VMware Carbon Black EDR Server 7.5 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the VMware Carbon Black Endpoint Detection and Response (EDR) Server 7.5 Security Target Version 1.0, July 27, 2021. The evaluation underwent CCEVS Validator review. The evaluation was completed in August 2021. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID11156-2021 prepared by CCEVS.
The TOE invokes the underlying platform to perform all cryptographic services including HTTPS sessions over TLSv1.2 (HTTPS/TLS) trusted communications and hashing user password credentials for storage.
The TOE application restricts its use of the host system's network connectivity resources. Network activity is limited to HTTPS/TLS connections for remote management (via the web UI) and for host sensor check-in requests. During a host sensor check-in, the TOE receives the endpoint system data that the sensor has collected and makes any configuration and software updates available for the sensor to pull. The TOE requires LUKS encrypted partitioning to protect sensitive data stored locally.
underlying platform’s recommended methods for storing and setting configuration options. The TOE provides enterprise administrators with the ability to manage the TOE and host sensor through a web UI.
The TOE does not transmit any personally identifiable information (PII) over the network.
The TOE is packaged as separate software that is installed on the platform and can be uninstalled/removed if needed. The enterprise administrator can verify the software version from the web UI. All updates are downloaded and installed by an enterprise administrator using the OS software package manager. The digital signature of the update is verified by the platform during installation. Otherwise, the TOE does not download, replace, or modify its own binary code. The TOE implements anti-exploitation features, such as stack-based overflow protection, is compatible with security features provided by the OS, and only uses documented APIs and libraries.
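Three of the claims above are things an administrator can confirm on the RHEL host rather than take on trust: the data partition is LUKS-backed, the update package carries a signature that the platform's package manager actually verified, and the installed binaries were built with stack-smashing protection. The script below is an added example written for this page; it is not part of the NIAP listing, the Security Target, or VMware's product. The parsers take command output as strings so they can be exercised offline against constructed samples; the mount point, package path and binary path are assumptions, and the `audit_host()` runner only invokes the real `findmnt`, `lsblk`, `rpm` and `readelf` commands where they exist.

```python
import re
import shutil
import subprocess
from typing import Tuple

# Illustrative paths only (assumed); the listing does not describe the TOE's file layout.
DATA_MOUNT = "/var/cb"                      # assumed LUKS-backed mount holding TOE data
UPDATE_RPM = "/tmp/cb-enterprise-7.5.rpm"   # assumed update package to verify
TOE_BINARY = "/usr/share/cb/bin/cbdaemon"   # assumed native TOE binary to inspect

# Constructed command outputs for offline use of the parsers (not captured from a real host).
SAMPLE_LSBLK_LVM_ON_LUKS = "lvm\ncrypt\npart\ndisk\n"
SAMPLE_LSBLK_PLAIN = "part\ndisk\n"
SAMPLE_RPM_SIGNED = "cb.rpm: rsa sha1 (md5) pgp md5 OK"
SAMPLE_RPM_UNSIGNED = "cb.rpm: sha1 md5 OK"
SAMPLE_RPM_MISSING_KEY = "cb.rpm: RSA sha1 (MD5) PGP md5 NOT OK (MISSING KEYS: GPG#0608b895)"
SAMPLE_READELF_SYMS = (
    "Symbol table '.dynsym' contains 3 entries:\n"
    "   Num:    Value          Size Type    Bind   Vis      Ndx Name\n"
    "     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)\n"
    "     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main@GLIBC_2.2.5 (2)\n")
SAMPLE_READELF_HDR = "ELF Header:\n  Class:    ELF64\n  Type:     DYN (Shared object file)\n"


def luks_in_ancestry(lsblk_types: str) -> bool:
    """Parse `lsblk -n -s -o TYPE <device>`: the device and every ancestor, one
    TYPE per line (lvm, crypt, part, disk, ...). A 'crypt' entry means the data
    sits on a dm-crypt/LUKS mapping; LVM-on-LUKS passes because the crypt layer
    appears below the lvm entry."""
    return any(line.strip() == "crypt" for line in lsblk_types.splitlines())


def rpm_signature_ok(rpm_k_output: str) -> Tuple[bool, str]:
    """Interpret the verdict line of `rpm -K <pkg>`.
    RPM 4.11 (RHEL 7) prints e.g. 'x.rpm: rsa sha1 (md5) pgp md5 OK'; RPM 4.14+
    prints 'x.rpm: digests signatures OK'. Failures use upper-case tokens and end
    in 'NOT OK'. Caveat: an unsigned package whose digests match also prints OK,
    just without a pgp/rsa/dsa/signatures token, so a signature token is required.
    The verdict only means something once the vendor key is in the RPM keyring
    (`rpm --import`)."""
    lines = [l for l in rpm_k_output.splitlines() if l.strip()]
    if not lines:
        return False, "no rpm -K output"
    line = lines[-1]
    verdict = line.split(": ", 1)[1] if ": " in line else line
    if "NOT OK" in verdict or not verdict.rstrip().endswith("OK"):
        return False, verdict
    if not re.search(r"\b(pgp|rsa|dsa|signatures)\b", verdict, re.I):
        return False, "digests only, package is unsigned: " + verdict
    return True, verdict


def stack_protected(readelf_syms: str) -> bool:
    """Parse `readelf -sW <binary>`: an undefined (UND) __stack_chk_fail import
    from libc means the compiler emitted canary checks in at least one function
    (-fstack-protector*). Absence is not proof of the opposite: a binary with no
    protectable frames imports nothing."""
    return any("__stack_chk_fail" in l and " UND " in l
               for l in readelf_syms.splitlines())


def is_pie(readelf_header: str) -> bool:
    """Parse `readelf -h <binary>`: Type DYN is a position-independent executable
    that ASLR can relocate; EXEC is a fixed-address image."""
    m = re.search(r"^\s*Type:\s+(\w+)", readelf_header, re.M)
    return bool(m and m.group(1) == "DYN")


def _run(cmd):
    return subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          universal_newlines=True).stdout


def audit_host() -> dict:
    """Run the real commands on the host, skipping any tool that is not installed."""
    results = {}
    if shutil.which("findmnt") and shutil.which("lsblk"):
        dev = _run(["findmnt", "-n", "-o", "SOURCE", DATA_MOUNT]).strip()
        results["luks"] = bool(dev) and luks_in_ancestry(
            _run(["lsblk", "-n", "-s", "-o", "TYPE", dev]))
    if shutil.which("rpm"):
        results["signed"] = rpm_signature_ok(_run(["rpm", "-K", UPDATE_RPM]))
    if shutil.which("readelf"):
        results["stack_protector"] = stack_protected(_run(["readelf", "-sW", TOE_BINARY]))
        results["pie"] = is_pie(_run(["readelf", "-h", TOE_BINARY]))
    return results


if __name__ == "__main__":
    for name, value in audit_host().items():
        print(f"{name}: {value}")
```

The `rpm -K` parser is the part worth internalising: the command reports OK for an unsigned package whose digests merely match, so a check that only looks for "OK" does not establish that the platform verified a vendor signature, which is the property the listing relies on.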