NIAP: Compliant Product

»»

Compliant Product

Compliant Product - VMware Carbon Black Endpoint Detection and Response (EDR) Server 7.5

Certificate Date: 2021.08.02

Validation Report Number: CCEVS-VR-VID11156-2021

Product Type: Application Software

Conformance Claim: Protection Profile Compliant

PP Identifier: Protection Profile for Application Software Version 1.3

CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory

CC Certificate [PDF]

Security Target [PDF]

Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Administrative Guide [PDF]

Product Description

The VMware Carbon Black Endpoint Detection and Response (VMware CB EDR) Server product’s primary functionality is receiving endpoint system event data from one or more host sensors for indexing, analyzing, and storing the event data. The VMware CB EDR Server also allows administrators to create and deploy sensor groups, configure host sensors, configure the data collection policy that each host sensor will enforce, update the host sensors, and uninstall host sensors.

Evaluated Configuration

The TOE is the VMware Carbon Black Endpoint Detection and Response Server 7.5 application, referred to as VMware CB EDR Server. The TOE is an application that is installed on a RHEL 7.6 system with Linux Unified Key Setup (LUKS) encrypted partitioning enabled. The TOE is administered through a web user interface (web UI) via a web browser. Through the web UI, an administrator has the ability to configure the TOE and perform management for the product’s primary functionality.

The following list identifies the components and applications in the environment that the TOE relies upon in order to function properly:

Component	Definition
Red Hat Enterprise Linux (RHEL) 7.6 server platform (OS and platform)	The host platform with the RHEL operating system environment that the TOE application is installed on.
Endpoint System with Host Sensor (VMware CB EDR Windows Sensor)* *evaluated separately	An application that is installed on a Windows platform which collects event data from the host platform and reports the data back to the TOE.
Administration Workstation	Any general-purpose computer that is used by an enterprise administrator to manage the TOE remotely via a web browser.
Certificate Authority	The server deployed within the Operational Environment which confirms the validity and revocation status of certificates. This is only required for the Endpoint System with Host Sensor to validate TOE server certificate. Including for completeness.

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. VMware Carbon Black EDR Server 7.5 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the VMware Carbon Black Endpoint Detection and Response (EDR) Server 7.5 Security Target Version 1.0, July 27, 2021. The evaluation underwent CCEVS Validator review. The evaluation was completed in August 2021. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID11156-2021 prepared by CCEVS.

Environmental Strengths

Cryptographic Support

The TOE invokes the underlying platform to perform all cryptographic services including HTTPS sessions over TLSv1.2 (HTTPS/TLS) trusted communications and hashing user password credentials for storage.

User Data Protection

The TOE application restricts its access to the host system’s network connectivity resources. Network activity is restricted to establishing HTTPS/TLS connections to remote management (via web UI) and sensor check-in requests. During the host sensor check-in, the TOE receives sensor-collected endpoint system data for the host sensor as well as providing any configuration and software updates for the host sensors to pull during the check-in. The TOE requires LUKS encrypted partitioning to protect local sensitive data storage.

Security Management

underlying platform’s recommended methods for storing and setting configuration options. The TOE provides enterprise administrators with the ability to manage the TOE and host sensor through a web UI.

Privacy

The TOE does not transmit any personally identifiable information (PII) over the network.

Protection of the TSF

The TOE is packaged as separate software that is installed on the platform and can be uninstalled/removed if needed. The enterprise administrator can verify the software version from the web UI. All updates are downloaded and installed by an enterprise administrator using the OS software package manager. The digital signature of the update is verified by the platform during installation. Otherwise, the TOE does not download, replace, or modify its own binary code. The TOE implements anti-exploitation features, such as stack-based overflow protection, is compatible with security features provided by the OS, and only uses documented APIs and libraries.

Trusted Path/Channels

The TOE invokes the OS platform to act as a HTTPS/TLS v1.2 non-mutual authentication server for both the host sensor check-in and the remote administrative web browser communication channels.

Vendor Information

VMware
Andy McAdams
6173937400
(617) 393-7499
amcadams@vmware.com

www.vmware.com

Site Map Contact Us Home