{"product_id":10423,"v_id":10423,"product_name":"ArcSight ESM 4.5 SP3 Patch 2 (software only) with ArcSight Console, ArcSight Manager, ArcSight Database and ArcSight SmartConnectors: Tenable Nessus NSR, Check Point OPSEC NG, Snort DB and Cisco Secure IPS SDEE","certification_status":"Not Certified","certification_date":"2012-10-05T00:00:00Z","tech_type":"Wireless Monitoring","vendor_id":{"name":"ArcSight, an HP Company","website":"http://www.hpenterprisesecurity.com/"},"vendor_poc":"Lee Ivy","vendor_phone":"650-265-3457","vendor_email":"lee.ivy@hp.com","assigned_lab":{"cctl_name":"Leidos Common Criteria Testing Laboratory"},"product_description":"<p class=\"Body\">The Target of Evaluation (TOE) is ArcSight Enterprise Security Management (ESM) 4.5 SP3 Patch 2 (software only) product with ArcSight Console, ArcSight Manager, ArcSight Database, and ArcSight SmartConnectors: NessusNSR, Checkpoint-OPSECNG, Snort DB, and Cisco Secure IPS SDEE.</p>\r\n<p class=\"Body\">ESM is an intrusion detection system (IDS) analyzer able to concentrate, normalize, analyze, and report the results of its analysis of security event data generated by various IDS sensors and scanners in the operational environment. &nbsp;ESM integrates existing multi-vendor devices throughout the enterprise into its scope and gathers generated events.&nbsp; ESM allows users to monitor events in real-time, correlate events for in-depth investigation and analysis, and resolve events with automated escalation procedures and actions.</p>\r\n<p class=\"Body\">ESM gathers events generated by multi-vendor devices, normalizes, and stores those events in the centralized ArcSight Database, and then filters and correlates those events with rules to generate meta-events.</p>","evaluation_configuration":"","security_evaluation_summary":"<p class=\"Body\">The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. 
The criteria against which the ArcSight ESM 4.5 SP3 Patch 2 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 3. The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is the EAL3 assurance requirements package, augmented with ALC_FLR.2 (Flaw reporting procedures). The product satisfies all of the security functional requirements stated in the ArcSight ESM 4.5 SP3 Patch 2 Security Target, when configured as specified in the evaluated guidance documentation.</p>\r\n<p class=\"Body\">A validation team on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in August 2012. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10423-2012), prepared by CCEVS.</p>","environmental_strengths":"<p class=\"Body\">ArcSight ESM 4.5 SP3 Patch 2 provides a moderate level of independently assured security in a conventional TOE and is suitable for a relatively benign environment with good physical access security and competent administrators.</p>\r\n<p class=\"Body\">ArcSight ESM 4.5 SP3 Patch 2 supports the following security functions:</p>\r\n<p class=\"Body\"><strong>Security Audit</strong></p>\r\n<p class=\"Body\">The TOE records two types of events: security events and analyzer events. The analyzer events include the events collected from the managed network via the SmartConnectors and discussed under the IDS Component Requirements.&nbsp; The security events relate to the proper functioning and use of the system, and allow authorized users to track the management functions performed. 
The TOE provides Administrators and Analyst Administrators with capabilities to review the generated security events. The Administrator and Analyst Administrator roles are able to select which security events are actually generated by the TOE. Generated security events are stored in the ArcSight Database, which is supported by the underlying Oracle RDBMS. The TOE monitors the amount of space available for storing security events and sends a notification to a configured destination (e.g., an ESM Administrator) if the space drops below a configured level. In the event the security event storage space is exhausted, the Manager stops receiving events from SmartConnectors (which are then cached on the SmartConnector hosts) until such time as space becomes available.</p>\r\n<p class=\"Body\"><strong>Identification and Authentication</strong></p>\r\n<p>The TOE maintains accounts of the authorized users of the system.&nbsp; The user account includes the following attributes associated with the user: user identity, authentication data (passwords), authorizations (groups), and e-mail address information. This information is stored in the ArcSight Database.&nbsp; ESM requires users to provide unique identification and authentication data before any administrative access to the TOE is granted.&nbsp; ESM provides an authentication mechanism for users. The only authentication mechanism supported by the TOE is passwords.</p>\r\n<p class=\"Body\"><strong>Security Management</strong></p>\r\n<p class=\"Body\">The TOE provides the authorized users with a graphical user interface (GUI) that can be used to configure and modify the functions of the TOE.&nbsp; The functions include the ability to manage user accounts, manage the Analyzer data, and manage the audit functions.</p>\r\n<p class=\"Body\">The TOE provides the following default security management roles: Administrator; Analyzer Administrator; Operator; and Analyst. 
The TOE enforces restrictions on which management capabilities are available to each role. Administrators and Analyzer Administrators are able to: modify the behavior of the analysis and reaction functions; determine which auditable events are included in the set of audited events; determine the analyzer events collected and processed by the TOE; and query and modify all other TOE data (except that Analyzer Administrators cannot modify user accounts).</p>\r\n<p class=\"Body\"><strong>Protection of the TSF</strong></p>\r\n<p class=\"Body\">The TOE is not intended to make data available to other IT products; in fact, in the case of a distributed ESM architecture, the components are expected to be connected with a benign, private, and protected communication network.&nbsp; ArcSight SmartConnectors, ArcSight Manager, and ArcSight Console all protect TSF data from disclosure and modification when transmitted between separate parts of the TOE, by communicating using SSL connections.&nbsp; The underlying operating system is required to provide protection for the TOE and its resources. 
The underlying operating system is also responsible for providing a reliable timestamp.&nbsp; The underlying operating system is considered part of the operational environment.</p>\r\n<p><strong>Analyzer Analysis, Reaction, Data Review and Availability</strong></p>\r\n<p class=\"Body\">ESM collects relevant information from one or more network sources and subjects it to statistical and signature-based analysis, depending on configured rules.&nbsp; Rules trigger responses either on first match or after a given threshold has been passed.&nbsp; Notification destinations (e.g., authorized users) can be configured to be notified of a triggered rule at the ArcSight Console or by e-mail.&nbsp; The authorized users can view the analyzer data and reports, including the analytical results, query viewers, configuration information, and other applicable analyzer data that is collected.&nbsp; To prevent analyzer data loss, a warning is sent to a configured notification destination (e.g., ESM Administrator) should the database begin to run out of storage space for the Analyzer data records. The default setting for generating this notification is 95% of capacity.</p>","features":[]}