{"product_id":10379,"v_id":10379,"product_name":"SecureVue v3.6.3 CP1","certification_status":"Not Certified","certification_date":"2013-05-20T00:05:00Z","tech_type":"Enterprise Security Management, Network Management","vendor_id":{"name":"EiQ Networks, Inc.","website":"http://www.EiQNetworks.com/"},"vendor_poc":"Geoff Charron","vendor_phone":"978-266-3130","vendor_email":"gcharron@EiQNetworks.com","assigned_lab":{"cctl_name":"CygnaCom Solutions, Inc"},"product_description":"<p>SecureVue from EiQ Networks is an IT security, risk and audit management platform that combines security information management (SIM) with governance, risk and compliance (GRC) to improve operational efficiency and reduce management complexity. Using an integrated model, SecureVue collects, correlates, archives, analyzes and reports on critical security and compliance data. Through end-to-end correlation, SecureVue transforms volumes of log, vulnerability, configuration, asset, performance, and flow data to automate the identification of incidents and security breaches. Built-in network behavioral anomaly detection (NBA) automatically profiles flow data to identify anomalies. Additionally, a compliance library maps directly to specific regulations, best practices and control frameworks.</p>\r\n<p>The evaluated configuration of SecureVue is a standalone network deployment (no high availability) that includes the Central Server and Data Collector installed on separate hardware platforms, Host OS Agents (Windows and UNIX), and user documentation.</p>\r\n<p><strong>Central Server</strong></p>\r\n<p>The SecureVue Central Server is the nerve center of the solution, performing all the data correlation and analytics, alert configuration, forensic analysis, GRC, and data archive management functions. 
The Central Server is responsible for the following security features: audit generation and review, management access control enforcement, identification and authentication (natively or by invoking an external mechanism), secure role based management via the Web Based GUI, protection of the TSF, trusted communication between components, trusted communications between the Central Server and a Browser for the Web Based GUI, management of the monitored network, and risk and compliance assessment of the managed network.</p>\r\n<p><strong>Data Collector</strong></p>\r\n<p>The Data Collector interfaces between the Central Server and all the network devices, systems and applications within a SecureVue deployment. It is responsible for collecting log, vulnerability, configuration, asset, performance and NBA data automatically from all configured network devices, compressing them into delta files and sending them to the Central Server for correlation, display, forensics, reporting and archiving. The Data Collector automatically updates the delta files (extracts of an original log file that contain only data that has been logged since the last update) to the Central Server on a regular basis without intervention from the administrator. The collected data is transferred to the Central Server in encrypted format using the unique communication key provided by the Central Server.</p>\r\n<p><strong>Agents</strong></p>\r\n<p>An Agent (OSAgent) is an alternative way to collect host data for use in SecureVue. By installing the agent on an enterprise Windows/Linux asset, a user can collect Windows/Linux host data from that host. The Agent has the additional capability to monitor changes on folders, files, registry (Windows only) and USB devices in real-time.</p>","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. 
The TOE was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 R3.</p>\r\n<p>The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 R3.</p>\r\n<p>CygnaCom Solutions has determined that the product meets the security criteria in the Security Target, which specifies an assurance level of Evaluation Assurance Level (EAL) <em>2</em> augmented with ALC_FLR.2.</p>\r\n<p>A team of validators, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in May 2013.</p>","environmental_strengths":"<p><strong>Security Audit</strong><strong> Functions</strong></p>\r\n<p>The Central Server generates individual audit records of security significant events and associates each auditable event with the identity of the TOE user account that caused the event. This is generated and stored separately from the host OS&rsquo;s audit records. The TOE provides a decentralized auditing functionality. The Central Server stores the audit trail at the OS level within the SecureVue directory tree.</p>\r\n<p>To view the audit records an administrator has several options in the Central Server&rsquo;s Web Based GUI to view all user activity. These viewing functions give the administrator the ability to custom query (search and sort) the audit data based on <em>User, Timestamp, and/or Activity.</em></p>\r\n<p>The administrators cannot modify or delete audit data through the TOE interfaces.</p>\r\n<p><strong>Identification and Authentication</strong><strong> Functions</strong></p>\r\n<p>Each individual must be successfully identified and authenticated with a username and password by the TSF or by an authentication service in the Operational Environment that has been invoked by the TSF before access is allowed to the TOE. 
An administrator can add new user accounts to SecureVue in the following ways:</p>\r\n<ul>\r\n<li>Create a new user for native password handling (TOE authentication decision)</li>\r\n<li>Import Windows System Users (External authentication decision)</li>\r\n<li>Add Active Directory server (External authentication decision)</li>\r\n<li>Import Active Directory User (External authentication decision)</li>\r\n<li>Add RADIUS server (External authentication decision)</li>\r\n</ul>\r\n<p>The Central Server is responsible for enforcing the I&amp;A decision made natively or received from the configured external authentication mechanism.</p>\r\n<p>The TOE employs password masking during input, and a password policy that controls the password length and complexity when the user has been set to authenticate via Native Password handling. The TSF maintains security attributes for each individual TOE user.</p>\r\n<p><strong>Security Management</strong><strong> Functions</strong></p>\r\n<p>The management functions for the Central Server are accessible through the Central Server&rsquo;s Web Based GUI.</p>\r\n<p>The TOE maintains administrative roles that determine the access an account holder has to the management functions and TSF data. All users of the TOE have access to management functions and TSF data and are considered administrators. The administrative role is determined by the User Group attribute of an individual&rsquo;s account.</p>\r\n<p>After the user has successfully authenticated, the TOE determines if the management function is available to that role. If the role does not have the privilege or permission, the function is not activated (i.e. 
the Web Based GUI doesn&rsquo;t present the function).</p>\r\n<p>The TOE supports 5 types of default user roles plus the ability to create custom roles.</p>\r\n<p><strong>Protection of Security Functions</strong></p>\r\n<p>The Central Server performs a number of power-up and conditional self-tests to ensure proper operation of the cryptographic module. Power-up tests include cryptographic algorithm known answer tests and integrity tests. The integrity tests are performed using an HMAC-SHA-256 digest calculated over the object code of SecureVue. Power-up tests are run automatically when the cryptographic module is initialized. Additionally, power-up tests may be executed at any time by the administrator requesting the cryptographic module to force re-run of self-tests. If the tests fail, a log file is created giving a brief description of the FIPS Self-Test Suite results, and the module transitions to a Power-OFF state.</p>\r\n<p><strong>Trusted Channel and Cryptographic Support Functions</strong></p>\r\n<p>The TSF includes a trusted communication infrastructure that provides trusted communication channels among its separately installed components. The &lsquo;trusted communication channel&rsquo; ensures that the two end points (i.e., two components) are authenticated, that their identity is associated with the data they transfer, and that the data transferred is protected from modification and disclosure. The trusted communication channel between TOE components is established even if the components are installed on the same platform, as the Central Server and Data Collector can be.</p>\r\n<p>Establishment of these trusted communications channels depends on the functionality of both the TOE (crypto module) and the Operational Environment (network infrastructure and host TCP/IP protocols).</p>\r\n<p>SecureVue uses and provides the FIPS 140-2 validated (Certificate #1051) OpenSSL cryptographic module Version 1.2. 
The services used by SecureVue are Key Transfer, Communications, Database, File/Password-encryption, and Decryption of data between TOE components.</p>\r\n<p>Communication with the browser is supported by the operational environment using Apache or Microsoft IIS Server. Apache includes the use of a separate instantiation of OpenSSL that is not part of the FIPS certified cryptographic module but is part of Apache installation. MS IIS uses the default MS crypto module provided with the OS. The trusted channel used between the browser and the Central Server (handshaking and cipher suite) uses FIPS certified algorithms.</p>\r\n<p><strong>Monitoring and Management of Network Functions</strong></p>\r\n<p>The TOE provides network monitoring and management of IT network assets for risk and compliance assessment. These functions include: scheduling the collection of network management and security data, storing uploaded collection data, evaluation of the collected data, and sending notifications to appropriate personnel for significant events in the assessment process.</p>\r\n<p>Information security and event management, through real-time monitoring and concise reporting, depends solely on the policies enforced for event data collection. SecureVue provides a visual interface to create and manage the policies for specific event data collection. An Administrator can create and enforce the event collection policies and policy templates for effective event management. There are also ready-to-use collection policies available in SecureVue.</p>\r\n<p>The analysis provided by the TOE is driven and governed by the same policies as the collection procedures. 
The analysis methodology includes threshold verification, sequence matching, comparative (historical deltas), comparative against selected standards templates (for GRC Auditor function), and filtering based on policy or real time user input requests.</p>\r\n<p>The administrator can configure a policy to send an alert upon indication of an unwanted pattern/activity happening in the network. When an alert is generated, it can be displayed on the Central Server&rsquo;s Web Based GUI and/or be sent as an email notification or SNMP trap.</p>","features":[]}