C060 Certification Report
RSA Security Analytics v10.4
File name: ISCB-5-RPT-C060-CR-v1
Version: v1
Date of document: 4 August 2015
Document classification: PUBLIC
For general inquiry about us or our services,
please email: mycc@cybersecurity.my
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page i of x
PUBLIC
C060 Certification Report
RSA Security Analytics v10.4
4 August 2015
ISCB Department
CyberSecurity Malaysia
Level 5, Sapura@Mines,
No 7 Jalan Tasik, The Mines Resort City
43300 Seri Kembangan, Selangor, Malaysia
Tel: +603 8992 6888 • Fax: +603 8992 6841
http://www.cybersecurity.my
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page ii of x
PUBLIC
DISTRIBUTION: UNCONTROLLED COPY - FOR UNLIMITED USE AND
DISTRIBUTION
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page iii of x
PUBLIC
Copyright Statement
The copyright of this document, which may contain proprietary information, is the
property of CyberSecurity Malaysia.
The document shall be held in safe custody.
©CYBERSECURITY MALAYSIA, 2015
Registered office:
Level 5, Sapura@Mines,
No 7 Jalan Tasik,
The Mines Resort City,
43300 Seri Kembangan
Selangor Malaysia
Registered in Malaysia – Company Limited by Guarantee
Company No. 726630-U
Printed in Malaysia
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page iv of x
PUBLIC
Foreword
The Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme has been
established under the 9th
Malaysian Plan to increase Malaysia’s competitiveness in quality
assurance of information security based on the Common Criteria (CC) standard and to
build consumers’ confidence towards Malaysian information security products.
The MyCC Scheme is operated by CyberSecurity Malaysia and provides a model for licensed
Malaysian Security Evaluation Facilities (MySEFs) to conduct security evaluations of ICT
products, systems and protection profiles against internationally recognised standards.
The results of these evaluations are certified by the Malaysian Common Criteria
Certification Body (MyCB) Unit, a unit established within Information Security Certification
Body (ISCB) Department, CyberSecurity Malaysia.
By awarding a Common Criteria certificate, the MyCB asserts that the product complies
with the security requirements specified in the associated Security Target. A Security
Target is a requirements specification document that defines the scope of the evaluation
activities. The consumer of certified IT products should review the Security Target, in
addition to this certification report, in order to gain an understanding of any assumptions
made during the evaluation, the IT product's intended environment, its security
requirements, and the level of confidence (i.e., the evaluation assurance level) that the
product satisfies the security requirements.
This certification report is associated with the certificate of product evaluation dated 4th
August 2015, and the Security Target (Ref [6]). The certification report, Certificate of
product evaluation and security target are posted on the MyCC Scheme Certified Product
Register (MyCPR) at www.cybersecurity.my/mycc and the Common Criteria Portal (the
official website of the Common Criteria Recognition Arrangement).
Reproduction of this report is authorized provided the report is reproduced in its entirety.
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page v of x
PUBLIC
Disclaimer
The Information Technology (IT) product identified in this certification report and its
associate certificate has been evaluated at an accredited and licensed evaluation facility
established under the Malaysian Common Criteria Evaluation and Certification (MyCC)
Scheme (Ref [4]) using the Common Methodology for IT Security Evaluation, version 3.1
revision 4 (Ref [3]), for conformance to the Common Criteria for IT Security Evaluation,
version 3.1 revision 4 (Ref [2]). This certification report and its associated certificate apply
only to the specific version and release of the product in its evaluated configuration. The
evaluation has been conducted in accordance with the provisions of the MyCC Scheme and
the conclusions of the evaluation facility in the evaluation technical report are consistent
with the evidence adduced. This certification report and its associated certificate is not an
endorsement of the IT product by CyberSecurity Malaysia or by any other organisation that
recognises or gives effect to this certification report and its associated certificate, and no
warranty of the IT product by CyberSecurity Malaysia or by any other organisation that
recognises or gives effect to this certificate, is either expressed or implied.
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page vi of x
PUBLIC
Document Change Log
RELEASE DATE PAGES
AFFECTED
REMARKS/CHANGE REFERENCE
d1 27 July 2015 All Initial draft of certification report.
v1 4th August 2015 All Final version of certification report
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page vii of x
PUBLIC
Executive Summary
RSA Security Analytics v10.4 (SA) is the Target of Evaluation (TOE) for the Evaluation
Assurance Level 2 Augmented with ALC_FLR.1 Evaluation.
SA is a collection of appliances that form a security infrastructure for an enterprise
network. This architecture provides converged network security monitoring and
centralized security information and event management (SIEM). SA provides real-time
visibility into the monitored network and long-term network data storage to provide
detection, investigation, analysis, forensics, and compliance reporting. SA’s Capture
infrastructure collects log and packet data from the network. Packet collection extracts
metadata, reassembles, and globally normalizes all network traffic at layers 2 through 7
of the Open Systems Interconnection (OSI) model. This data allows SA to perform real-time
session analysis; incident detection, drill-down investigation, reporting, and forensic
analysis functions.
The scope of evaluation covers major security features as follows:
a) Security Audit: The TOE is able generates audit records of security relevant events
that include at least date and time of the event, subject identity and outcome for
security events.
b) Cryptographic Support: The TOE provides protection of the communications
surrounding the remote administrative sessions from disclosure and from
modification.
c) Identification & Authentication: The TOE allows the users to acknowledge end-user
license agreements and view warning banners prior to providing identification and
authentication data.
d) Security Monitoring with Security Information and Event Management (SIEM): The
TOE is able to identify potential misuse or intrusions and send an alarm to incident
management SA views.
e) Security Management: The TOE allows only authorized administrators to manage
the security functions and TSF data of the TOE via a web-based User Interface.
f) Protection of the TSF: The TOE provides protection mechanisms for its security
functions through authentication and appropriate permissions before any
administrative operations or access to TOE data and resources can be performed
on the TSF.
g) TOE Access: The TOE terminates interactive sessions after administrative
configured period of time.
h) Trusted path/channels: The TOE requires remote users to initiate a trusted
communication path using TLS for initial user authentication.
The scope of the evaluation is defined by the Security Target (Ref [6]), which identifies
assumptions made during the evaluation, the intended environment for the TOE, the
security function requirements, and the evaluation assurance level at which the product is
intended to satisfy the security requirements. Prospective consumers are advised to verify
that their operating environment is consistent with the evaluated configuration, and to
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page viii of x
PUBLIC
give due consideration to the comments, observations and recommendations in this
certification report.
This report confirms the findings of the security evaluation of the TOE to the Common
Criteria (CC) Evaluation Assurance Level 2 (EAL2) Augmented with ALC_FLR.1. This report
confirms that the evaluation was conducted in accordance with the relevant criteria and
the requirements of the Malaysia Common Criteria Evaluation and Certification (MyCC)
Scheme (Ref [4]).
The evaluation was performed by BAE Systems Applied Intelligence MySEF (Malaysia
Security Evaluation Facility) and completed on 3rd July 2015.
The Malaysia Common Criteria Certification Body (MyCB), as the MyCC Scheme Certification
Body, declares that the TOE evaluation meets all the Arrangements on the Recognition of
Common Criteria certificates and the product will be listed in the MyCC Scheme Certified
Products Register (MyCPR) at www.cybersecurity.my/mycc and the Common Criteria portal
(the official website of the Common Criteria Recognition Arrangement) at
www.commoncriteriaportal.org.
It is the responsibility of the user to ensure that RSA Security Analytics v10.4 meet their
requirements. It is recommended that a potential user of RSA Security Analytics v10.4
refer to the Security Target (Ref [6]) and this Certification Report prior to deciding whether
to purchase the product.
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page ix of x
PUBLIC
Table of Contents
Document Authorisation...................................................................................................ii
Copyright Statement..........................................................................................................iii
Foreword................................................................................................................................... iv
Disclaimer..................................................................................................................................v
Document Change Log ..................................................................................................... vi
Executive Summary ...........................................................................................................vii
Table of Contents................................................................................................................ ix
Index of Tables .......................................................................................................................x
1 Target of Evaluation........................................................................................1
1.1 TOE Description............................................................................................... 1
1.2 TOE Identification............................................................................................ 2
1.3 Security Policy.................................................................................................. 3
1.4 TOE Architecture ............................................................................................. 3
1.4.1 Logical Boundaries .......................................................................................... 5
1.4.2 Physical Boundaries......................................................................................... 6
1.5 Clarification of Scope...................................................................................... 6
1.6 Assumptions .................................................................................................... 7
1.6.1 Usage assumptions......................................................................................... 7
1.6.2 Environment assumptions.............................................................................. 7
1.7 Evaluated Configuration................................................................................. 7
1.8 Delivery Procedures ........................................................................................ 7
1.9 Documentation ................................................................................................ 8
2 Evaluation...........................................................................................................12
2.1 Evaluation Analysis Activities ...................................................................... 12
2.1.1 Life-cycle support .......................................................................................... 12
2.1.2 Development.................................................................................................. 12
2.1.3 Guidance documents .................................................................................... 13
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page x of x
PUBLIC
2.1.4 IT Product Testing......................................................................................... 13
3 Result of the Evaluation.............................................................................16
3.1 Assurance Level Information ....................................................................... 16
3.2 Recommendation........................................................................................... 16
Annex A References..........................................................................................................18
A.1 References...................................................................................................... 18
A.2 Terminology................................................................................................... 18
A.2.1 Acronyms........................................................................................................ 18
TOE Security Functions Interface ................................................................ 18
Security Functional Requirement ................................................................ 18
A.2.2 Glossary of Terms ......................................................................................... 20
Index of Tables
Table 1: TOE identification ........................................................................................................... 2
Table 2: List of Acronyms ........................................................................................................... 18
Table 3: Glossary of Terms......................................................................................................... 20
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 1 of 21
PUBLIC
1 Target of Evaluation
1.1 TOE Description
1 The TOE is RSA Security Analytics v10.4 (SA). SA is a collection of appliances that form
a security infrastructure for an enterprise network. This architecture provides
converged network security monitoring and centralized security information and event
management (SIEM). SA provides real-time visibility into the monitored network and
long-term network data storage to provide detection, investigation, analysis, forensics,
and compliance reporting. SA’s Capture infrastructure collects log and packet data
from the network. Packet collection extracts metadata, reassembles, and globally
normalizes all network traffic at layers 2 through 7 of the Open Systems
Interconnection (OSI) model. This data allows SA to perform real-time session analysis;
incident detection, drill-down investigation, reporting, and forensic analysis functions.
2 The powerful synthesis of the TOE with its key management functionality delivers
significant cost-effective benefits and efficiencies in the operational, incident and
change management processes.
3 The details of TOE functions can be found starting in section 2.1 of the Security
Target version 1.0
4 There are eight security functionalities covered under the scope of the evaluation
which are:
Security Function Description
Security Audit The TOE is able generates audit
records of security relevant events that
include at least date and time of the
event, subject identity and outcome
for security events.
Cryptographic Support The TOE provides protection of the
communications surrounding the
remote administrative sessions from
disclosure and from modification.
Identification & Authentication The TOE allows the users to
acknowledge end-user license
agreements and view warning banners
prior to providing identification and
authentication data.
Security Monitoring with Security
Information and Event Management
(SIEM)
The TOE is able to identify potential
misuse or intrusions and send an
alarm to incident management SA
views.
Security Management The TOE allows only authorized
administrators to manage the security
functions and TSF data of the TOE via a
web-based User Interface
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 2 of 21
PUBLIC
Protection of the TSF The TOE provides protection
mechanisms for its security functions
through authentication and appropriate
permissions before any administrative
operations or access to TOE data and
resources can be performed on the
TSF
TOE Access The TOE terminates interactive
sessions after administrative
configured period of time.
Trusted path/channels The TOE requires remote users to
initiate a trusted communication path
using TLS for initial user
authentication.
1.2 TOE Identification
5 The details of the TOE are identified in Table 1 below.
Table 1: TOE identification
Evaluation Scheme
Malaysian Common Criteria Evaluation and Certification
(MyCC) Scheme
Project Identifier C060
TOE Name RSA Security Analytics
TOE Version v10.4
Security Target Title RSA Security Analytics v10.4 Security Target
Security Target Version 0.3
Security Target Date 27 April 2015
Assurance Level
Evaluation Assurance Level 2 (EAL2) Augmented with
ALC_FLR.1
Criteria
Common Criteria for Information Technology Security
Evaluation, September 2012, Version 3.1 Revision 4 (Ref
[2])
Methodology
Common Evaluation Methodology for Information
Technology Security Evaluation, September 2012, Version
3.1 Revision 4 (Ref [3])
Protection Profile
Conformance
None
Common Criteria
Conformance
CC Part 2 Extended
CC Part 3 Conformant
Package conformant to EAL2 Augmented (ALC_FLR.1)
Sponsor and Developer RSA The Security Division of EMC
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 3 of 21
PUBLIC
10700 Parkridge Blvd.
Suite 600
Reston, VA 20191
Evaluation Facility BAE Systems Applied Intelligence MySEF
1.3 Security Policy
6 There are no organisational security policies that have been defined regarding the use
of the TOE.
1.4 TOE Architecture
7 The TOE includes both logical and physical boundaries which are described in Section
2.2 of the Security Target (Ref [6]).
8 The following figure 1 shows the evaluated configuration that comprise the TOE:
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 4 of 21
PUBLIC
Figure 1
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 5 of 21
PUBLIC
1.4.1 Logical Boundaries
9 The scope of the evaluation was limited to those claims made in the Security Target
(Ref [6]) and includes only the following evaluated security functionality:
a) Security Audit: The TOE generates audit records of security relevant events that
include at least date and time of the event, subject identity and outcome for
security events. The TOE provides the default Administrator and Operator roles
with the ability to read the audit events. The environment stores the audit records
and also provides the system clock information that is used by the TOE to
timestamp each audit record.
b) Cryptographic Support: The Transport Layer Security (TLS 1.2) protocol in FIPS
mode is used to provide protection of the communications surrounding the remote
administrative sessions from disclosure and from modification. TLS is also used
for distributed internal TOE component communications. The TOE uses a FIPS-
validated module for SSH protected communication pathways for the transfer of
file event source data from log data sources to the TOE.
The TOE uses OpenSSL object module Red Hat Enterprise Linux 6.2 with RPM
version file of 1.0.0-20.el6 (FIPS 140-2 validation certificate #1758) for both SSH
and TLS communications.
The TOE uses the RSA BSAFE Crypto-J cryptographic library: BSAFE SSL-J 6.1.3.1 for
Java applications, which incorporates BSAFE Crypto-J 6.1.2. The latter is certified
under FIPS 140-2 Certificate #XXXX, which also falls under Consolidated Validation
Certificate #XXXX.
c) Identification and Authentication: The TOE allows the users to acknowledge end-
user license agreements and view warning banners prior to providing identification
and authentication data. No other access to the TOE is permitted until the user is
successfully authenticated. The TOE maintains the following security attributes
belonging to individual human users: username, password and role.
The TOE provides authentication failure handling that allows administrators to
configure the number of times a user may attempt to login and the time that the
user will be locked out if the number of the configured number of attempts has
been surpassed. The TOE detects when the defined number of unsuccessful
authentication attempts has been met, and enforces the described behaviour
(locks the user account for a specified time period).
d) Security Monitoring with Security Information and Event Management (SIEM): The
TOE receives network packets, reconstructs network transactions, extracts
metadata, and applies rules. The rules identify interesting events, effectively
matching signatures. Likewise, the TOE receives log data, parses the data, extracts
metadata, correlates events, and applies rules. Through signature analysis, the
TOE can identify potential misuse or intrusions and send an alarm to incident
management SA views. The incident management SA views provide the analytical
results to authorized users in a manner suitable for the user to interpret the
information. The analytical results are recorded with information such as date and
time. Only users with the Analysis and Administrator roles can read the metadata,
raw logs, raw packet data, and incident management data from the IDS data.
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 6 of 21
PUBLIC
e) Security Management: Authorized administrators manage the security functions
and TSF data of the TOE via the web-based User Interface. The ST defines and
maintains the administrative roles: Administrator, Analyst, and Operator.
Authorized administrators perform all security functions of the TOE including
starting and stopping the services and audit function, creating and managing user
accounts, manage authentication failure handling and session inactivity values and
read the audit and analyzer data.
f) Protection of the TSF: The TOE provides protection mechanisms for its security
functions. One of the protection mechanisms is that users must authenticate and
have the appropriate permissions before any administrative operations or access
to TOE data and resources can be performed on the TSF. The TOE is a collection
of special-purpose appliances. Each appliance provides only functions for the
necessary operation of the TOE, and limits user access to authorized users with an
administrative role.
Communication with remote administrators is protected by TLS in FIPS mode,
protecting against the disclosure and undetected modification of data exchanged
between the TOE and the administrator. The TOE runs in a FIPS compliant mode of
operation and uses FIPS-validated cryptographic modules.
g) TOE Access: The TOE terminates interactive sessions after administrative
configured period of time. The TOE also allows user-initiated termination of the
user's own interactive session by closing the browser or explicitly logging off.
Before establishing a user session, the TOE displays an advisory warning message
regarding unauthorized use of the TOE.
h) Trusted path/channels: The TOE requires remote users to initiate a trusted
communication path using TLS for initial user authentication. The TOE also
requires that the trusted path be used for the transmission of all SA interface
session data. The use of the trusted path provides assured identification of end
points and protection of the communicated data from modification, and
disclosure. The TOE uses a FIPS-validated module for SSH protected
communication pathways for the transfer of file event source data from log data
sources to the TOE. TLS and SSH ensure the administrative session and file transfer
communication pathways are secured from disclosure and modification.
1.4.2 Physical Boundaries
10 The TOE includes both logical and physical boundaries which are described in Section
2.2.2 of the Security Target (Ref [6]).
1.5 Clarification of Scope
11 The TOE is designed to be suitable for use in well-protected environments that have
effective countermeasures, particularly in the areas of physical access, trained
personnel, and secure communication in accordance with user guidance that is
supplied with the product.
12 Section 1.4 of this document described the scope of the evaluation which was limited
to those claims made in the Security Target (Ref [6]).
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 7 of 21
PUBLIC
13 Potential consumers of the TOE are advised that some functions and services of the
overall product have not have been evaluated as part of this evaluation. Potential
consumers of the TOE should carefully consider their requirements for using functions
and services outside of the evaluated configuration.
1.6 Assumptions
14 This section summarises the security aspects of the environment/configuration in
which the IT product is intended to operate. Consumers should understand their own
IT environments and that required for secure operation of the TOE which is defined in
the Security Target (Ref [6]).
1.6.1 Usage assumptions
15 Assumption for the TOE usage as listed in Security Target :
a) It is assumed that there will be one or more competent individuals assigned to
manage the TOE and the security of the information it contains.
b) The authorized administrators will follow and apply all administrator guidance in
a trusted manner.
1.6.2 Environment assumptions
16 Assumptions for the TOE environment listed in Security Target are:
a) TOE has access to all the IT System data it needs to perform its functions.
b) TOE Administrators will properly configure the network in the TOE operational
environment and configure adequate network capacity for the deployed TOE
components.
c) The TOE hardware and software critical to the security policy enforcement will be
located within controlled access facilities which will prevent unauthorized physical
access
1.7 Evaluated Configuration
17 The evaluated configuration is described in details (see Figure 1 Evaluated
Configuration) as described in Section 2.2.2.4.1 of the Security Target (Ref [6]).
1.8 Delivery Procedures
18 The delivery process for the TOE consist of two process:
a) Pre-Delivery Activities
b) Shipping Process
19 Further information about these procedures is provided in Section 2.4 and 2.5 of
Delivery documentation Ref [123]
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 8 of 21
PUBLIC
1.9 Documentation
20 It is important that the TOE is used in accordance with guidance documentation in
order to ensure secure usage of the product.
21 The following documentation is provided by the developer to the end user as guidance
to ensure secure delivery, installation and operation of the product:
[1]. RSA Security Analytics v10.4 Security Target v0.3
[2]. Alerting
[3]. Appliance and Service Getting Started Guide
[4]. Archiver Configuration Guide
[5]. Event Stream Analysis (ESA) Configuration Guide
[6]. Incident Management
[7]. Incident Management Configuration Guide
[8]. Investigation and Malware Analysis
[9]. List of Core ESA Rules or Alerts
[10]. Log Collection Configuration Guide
[11]. Log Collection Deployment Guide
[12]. Log Collection Getting Started Guide
[13]. Security Analytics 10.4
[14]. Security Analytics Licensing Guide
[15]. Settings Tab
[16]. Step 1 : Change Default Administrators Password
[17]. System Preferences
[18]. System Security and User Management Guide
[19]. User Interface Guide
[20]. Add a User and Assign a Role
[21]. Alerts Summary View
[22]. Analyze a Host Profile Report
[23]. Analyze a Suspicious DNS Activity Report
[24]. Analyze a Suspicious Domains Report
[25]. Auditing Configuration Panel
[26]. Auditing Tab
[27]. Begin an Investigation
[28]. Concentrator Statistics
[29]. Decoder and Log Decoder Statistics
[30]. Deployment Overview
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 9 of 21
PUBLIC
[31]. Edit Incidents
[32]. Enable, Unlock and Delete User Accounts
[33]. How Entitlements Work
[34]. How Role Based Access Control Works
[35]. Investigate an Incident
[36]. Log Decoder Event Destination Configuration Parameters
[37]. Logging Functions
[38]. Malware Analysis View
[39]. Manage Access for a Report or Report Group
[40]. Monitor Health and Wellness of Security Analytics
[41]. Navigate View
[42]. Navigate View and Events View Settings Dialog
[43]. Network Architecture and Ports
[44]. Reporting Engine Audit Configuration
[45]. Role Permissions
[46]. Roles and Permissions for Analysts
[47]. Roles and Permissions for Malware Analysts
[48]. Roles Tab
[49]. Sample Syslog Auditing File
[50]. Security Analytics Licensing Guide
[51]. Security Analytics System Overview
[52]. Services Logs View
[53]. Set Up Licensing
[54]. Site Planning Guide
[55]. Site Requirements and Safety
[56]. Start, Stop or Restart a Service
[57]. Step 1 : Review Five Pre-Configured Security Analytics Roles
[58]. Step 2 : Choose System Level Settings
[59]. Troubleshoot Licensing
[60]. Troubleshoot Log Collection
[61]. Upload Files for Malware Scanning
[62]. View Detailed Malware Analysis of an Event
[63]. View Incident Details
[64]. View Malware Analysis Details for an Event
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 10 of 21
PUBLIC
[65]. View Malware Events in a Grid
[66]. Virtual Appliance Setup Guide
[67]. Install Security Analytics Virtual Appliance in Virtual Environment
[68]. Step 2: Create the Lockbox
[69]. Change the Lockbox Password
[70]. Configure Audit Log
[71]. Warehouse Analytics Overview
[72]. Set Network Time Source
[73]. Set the Time Range for an Investigation
[74]. Log Collection Event Sources Tab
[75]. Manage Users with Roles and Permissions
[76]. Netflow Logs
[77]. Network Rules Tab
[78]. New Rule Tab
[79]. Open Database Connectivity (ODBC) Logs
[80]. Procedures
[81]. Query Data in Navigate View
[82]. Remove an Appliance
[83]. SDEE
[84]. Services View
[85]. SNMP Trap Logs
[86]. Start, Stop or Restart ESA Service
[87]. Start, Stop or Restart a Service
[88]. Start and Stop Data Capture
[89]. Starting and Stopping Collection
[90]. Step 1 : Add or Update an Appliance
[91]. Step 2 : Choose System Level Settings
[92]. Step 3 : Configure Decoder Rules
[93]. Step 4 : (Optional) Create a Customized Login Banner
[94]. Step 4 : Start and Stop Aggregation
[95]. Stop and Start an Appliance Service
[96]. View Incident Queue
[97]. View System and Service Logs
[98]. VMWare
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 11 of 21
PUBLIC
[99]. Windows (WinRM)
[100]. Elements in the Browser Window
[101]. Add a User and Assign a Role
[102]. Enable, Unlock and Delete User Accounts
[103]. Set Query and Session Attributes
[104]. Step 1 : Review Five Pre-Configured Security Analytics Roles
[105]. Step 2 : (Optional) Add a Role and Assign Permissions
[106]. Step 3 : Set Up a User
[107]. Edit User Password
[108]. Filter Alerts
[109]. Query Data in Navigate View
[110]. Access System Settings
[111]. Add Service Dialog
[112]. Configure Lockbox Security Settings
[113]. Rules Tab
[114]. Define a Basic Rule
[115]. All Rules View
[116]. Define a Rule using Netwitness Data Source
[117]. Configure Application Rules
[118]. Configure Correlation Rules
[119]. Create an Aggregation Rule
[120]. Configure a Syslog Event Filter
[121]. RSA Security Analytics Design Documentation version 0.2
[122]. RSA Security Analytics 10.4 Common Criteria Test Report and Procedures
Report version 0.2
[123]. Security Analytics Common Criteria ALC Life Cycle Support Guidance version
Version 0.2
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 12 of 21
PUBLIC
2 Evaluation
22 The evaluation was conducted in accordance with the requirements of the Common
Criteria, version 3.1 Revision 4 (Ref [2]) and the Common Methodology for IT Security
Evaluation (CEM), version 3.1 Revision 4 (Ref [3]). The evaluation was conducted at
Evaluation Assurance Level 2+ (EAL2+) Augmented ALC_FLR.1. The evaluation was
performed conformant to the MyCC Scheme Policy (MyCC_P1) (Ref [4]) and MyCC
Scheme Evaluation Facility Manual (MyCC_P3) (Ref [5]).
2.1 Evaluation Analysis Activities
23 The evaluation activities involved a structured evaluation of the TOE, including the
following components:
2.1.1 Life-cycle support
24 An analysis of the TOE configuration management system and associated
documentation was performed. The evaluators confirmed that the TOE provided for
evaluation is labelled with its reference.
25 The evaluators confirmed that the TOE references used are consistent.
26 The evaluators examined the method of identifying configuration items and
determined that it describes how configuration items are uniquely identified.
27 The evaluators examined the configuration items in the configuration item list and
determined that they are identified in a way that is consistent with the CM
documentation. The application of the CM systems was examined during the site
visits at the AT&E Labs, Commercial Cybersecurity Division, 6841 Benjamin Franklin
Drive, Columbia, MD 21046, United States of America and the evaluators confirmed
that the CI List was consistent with the provided evidence.
28 The evaluators examined the delivery documentation and determined that it described
all of the procedures required to maintain the integrity of the TOE during distribution
to the consumer.
2.1.2 Development
29 The evaluators analysed the TOE functional specification; they determined that the
design completely and accurately describes the TOE security functionality interfaces
(TSFIs), and how the TOE security function (TSF) implements the security functional
requirements (SFRs).
30 The evaluators examined the TOE design specification; they determined that the
structure of the entire TOE is described in terms of subsystems. They also determined
that, it provides a complete, accurate, and high-level description of the SFR-enforcing
behaviour of the SFR-enforcing subsystems.
31 The evaluators examined the TOE security architecture description; they determined
that the information provided in the evidence is presented at a level of detail
commensurate with the descriptions of the SFR-enforcing abstractions contained in
the functional specification and TOE design.
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 13 of 21
PUBLIC
2.1.3 Guidance documents
32 The evaluators examined the TOE preparative user guidance and operational user
guidance, and determined that it sufficiently and unambiguously described how to
securely transform the TOE into its evaluated configuration, and how to use and
administer the product in order to fulfil the security objectives for the operational
environment. The evaluators examined and tested the preparative and operational
guidance, and determined that they were complete and sufficiently detailed to result
in a secure configuration.
2.1.4 IT Product Testing
33 Testing at EAL2+ Augmented ALC_FLR.1 consists of assessing developer tests,
perform independent function test, and perform penetration tests. The TOE testing
was conducted by evaluators from BAE Systems Applied Intelligence MySEF. The
detailed testing activities, including configurations, procedures, test cases, expected
results and actual results are documented in a separate Test Plan Reports.
2.1.4.1 Assessment of Developer Tests
34 The evaluators verified that the developer has met their testing responsibilities by
examining their test plans, and reviewing their test results, as documented in the
Evaluation Technical Report (Ref [7]) (not a public document because it contains
information proprietary to the developer and/or the evaluator).
35 The evaluators analysed the developer’s test coverage and found them to be complete
and accurate. The correspondence between the tests identified in the developer’s test
documentation and the interfaces in the functional specification, TOE design and
security architecture description was complete.
2.1.4.2 Independent Functional Testing
36 At EAL2+ Augmented ALC_FLR.1, independent functional testing is the evaluation
conducted by evaluator based on the information gathered by examining design and
guidance documentation, examining developer’s test documentation, executing
sample of the developer’s test plan, and creating test cases that augmented developer
tests.
37 All testing was planned and documented to a sufficient level of detail to allow
repeatability of the testing procedures and results. The evaluators confirmed that the
developer supplied test documentation includes test plans, expected test results and
actual test results. The result of the independent functional tests were developed and
performed by the evaluators are consistent with the expected test results in the test
documentation.
Identifier Security Function Descriptions
F001 FMT_SMR.1, FMT_MOF.1,
FMT_SMF.1, FMT_MTD.1,
FIA_ATD.1.1, FAU_SAR.1.1
FAU_SAR.2.1
This test aims to verify that the TOE
performs Security Management,
Identification and Authentication and
Security Audit functions.
F002 FIA_ATD.1.1 FIA_AFL.1.1
FIA_AFL.1.2, FIA_UAU.1.1,
FIA_UAU.5.1, FIA_UAU.5.2
This test aims to verify that the TOE
performs Identification and Authentication
security functions.
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 14 of 21
PUBLIC
Identifier Security Function Descriptions
F003 FIA_AFL.1.1 FIA_AFL.1.2,
FTA_SSL.3.1
This test aims to verify that the TOE
performs Identification and Authentication
security functions.
F004 FAU_GEN1.1, FAU_GEN.1.2,
FAU_GEN.2.1,
FAU_SAR.1.2
This test aims to verify that the TOE
performs Security Audit functions.
F006 FIA_UID.1.1, FIA_UID.1.2 This test aims to verify that the TOE
performs Identification and Authentication
security functions
F007 IDS_ANL_EXT.1 This test aims to verify that the TOE
performs Intrusion Detection Systems
Analyser Analysis function
F008 IDS_RCT_EXT.1.1 This test aims to verify that the TOE
performs Intrusion Detection Systems
Analyser React function
F009 IDS_RDR_EXT.1 This test aims to verify that the TOE
performs Intrusion Detection Systems
Restricted Data Review function
F010 FTP_TRP.1 FPT_ITT.1 This test aims to verify that the TOE
performs Trusted path/channels functions
F011 FTA_SSL.3, FTA_SSL.4
FTA_TAB.1
This test aims to verify that the TOE
performs TSF Initiated termination and
default TOE access banners functions
F012 FCS_SSH_EXT.1
FCS_TLS_EXT.1
This test aims to verify that the TOE
performs Cryptographic support on SSH
protocol and Transport Layer Security
protocol.
D001 FIA_UAU.1
FIA_UID.1, FTA_TAB.1
This test aims to verify that the TOE
performs Timing of identification and
authentication and default TOE banners
functions
D002 FMT_MOF.1 This test aims to verify that the TOE
performs Management of security functions
behaviour functions
D003 FAU_SAR.1 FAU_STG.1 This test aims to verify that the TOE
performs Audit review and protected audit
trail storage function
D004 IDS_ANL_EXT.1 This test aims to verify that the TOE
performs Intrusion Detection Systems
Analyser Analysis function
38 All testing performed by evaluators produced the expected results and as such the
TOE behaved as expected.
2.1.4.3 Penetration Testing
39 The evaluators performed a vulnerability analysis of the TOE in order to identify
potential vulnerabilities in the TOE. This vulnerability analysis considered public
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 15 of 21
PUBLIC
domain sources and an analysis of guidance documentation, functional specification,
TOE design, and security architecture description.
40 From the vulnerability analysis, the evaluators conducted penetration testing to
determine that the TOE is resistant to attack performed by an attacker possessing a
basic attack potential. The following factors have been taken into consideration during
penetration tests:
a) Time taken to identify and exploit (elapse time);
b) Specialist technical expertise required (specialised expertise);
c) Knowledge of the TOE design and operation (knowledge of the TOE);
d) Window of opportunity; and
e) IT hardware/software or other requirement for exploitation.
41 The penetration tests focused on:
a) SQL Injections
b) Cross Site Scripting
c) Cross-Site Request Forgery (CSRF)
d) Security Misconfiguration
e) Failure to restrict URL Access
f) Information Disclosure
g) Directory Traversal
h) Buffer Overflow
42 The results of the penetration testing note that there is no residual vulnerability found.
However, it is important to ensure that the TOE is use only in its evaluated
configuration and in secure environment as specified in the Security Target (Ref [6]).
2.1.4.4 Testing Results
43 Tests conducted for the TOE produced the expected results and demonstrated that
the product behaved as specified in its Security Target and its functional specification.
In addition, the documentation supplied as evidence for the EAL2+ ALC_FLR.1
Common Criteria evaluation of the TOE was analysed to identify possible
vulnerabilities.
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 16 of 21
PUBLIC
3 Result of the Evaluation
44 After due consideration during the oversight of the execution of the evaluation by the
certifiers and of the Evaluation Technical Report (Ref [7]), the Malaysian Common
Criteria Certification Body certifies the evaluation of RSA Security Analytics performed
by BAE Systems Applied Intelligence MySEF.
45 BAE Systems Applied Intelligence MySEF, found that RSA Security Analytics upholds the
claims made in the Security Target (Ref [6]) and supporting documentations, and has
met the requirements of the Common Criteria (CC) assurance level 2 Augmented with
ALC_FLR.1 (EAL2+ALC_FLR.1).
46 Certification is not a guarantee that a TOE is completely free of exploitable
vulnerabilities. There will remain a small level of risk that exploitable vulnerabilities
remain undiscovered in its claimed security functionality. The risk is reduced as the
certified level of assurance increases for the TOE.
3.1 Assurance Level Information
47 EAL2 provides assurance by a full security target and analysis of the SFRs in that
Security Target, using a functional and interface specification, guidance
documentation and a basic description of the architecture of the TOE, to understand
the security behaviour.
48 The analysis is supported by independent testing of the TSF, evidence of developer
testing based on the functional specification, selective independent confirmation of
the developer test results, and a vulnerability analysis (based upon the functional
specification, TOE design, security architecture description and guidance evidence
provided) demonstrating resistance to an attacker possessing a -Basic attack potential.
49 EAL2 also provides assurance through use of a configuration management system and
evidence of secure delivery procedures.
3.2 Recommendation
50 The following recommendations are made:
a) Potential purchasers of the TOE should review the intended operational
environment and ensure that they are comfortable that the stated security
objectives for the operational environment can be suitably addressed.
b) The users should make themselves familiar with the developer guidance
provided with the TOE and pay attention to all security warnings.
c) The users must maintain the confidentiality, integrity and availability of
security relevant data for TOE initialisation, start-up and operation if stored or
handled outside the TOE
d) System Auditor should review the audit trail generated and exported by the
TOE periodically
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 17 of 21
PUBLIC
e) The users must ensure appropriate network protection is maintained, the
network on which the TOE is installed must be both physically and logically
protected, commensurate with the sensitivity of the TOE keys.
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 18 of 21
PUBLIC
Annex A References
A.1 References
[1] Arrangement on the recognition of Common Criteria Certificates in the field of
Information Technology Security, May 2000.
[2] The Common Criteria for Information Technology Security Evaluation, Version 3.1,
Revision 4, September 2012.
[3] The Common Evaluation Methodology for Information Technology Security Evaluation,
Version 3.1, Revision 4, September 2012.
[4] MyCC Scheme Policy (MyCC_P1), v1a, CyberSecurity Malaysia, December 2009.
[5] MyCC Scheme Evaluation Facility Manual (MyCC_P3), v1, December 2009.
[6] RSA Security Analytics v10.4 Security Target, Version 0.3, 27 April 2015
[7] C060 Evaluation Technical Report for RSA Security Analytics, EAU000073-S026-ETR
v1.0, v1.0, 13 July 2015
A.2 Terminology
A.2.1 Acronyms
Table 2: List of Acronyms
Acronym Expanded Term
CB Certification Body
TSF data Data created by and for the TOE, which might affect the
operation of the TOE.
CC Common Criteria (ISO/IEC15408)
CEM Common Evaluation Methodology (ISO/IEC 18045)
CCRA Common Criteria Recognition Arrangement
TSFI TOE Security Functions Interface
SFR Security Functional Requirement
ISO International Organisation for Standardization
ISCB Information Security Certification Body
MyCB Malaysian Common Criteria Certification Body
MyCC Malaysian Common Criteria Evaluation and Certification
Scheme
MyCPR MyCC Scheme Certified Products Register
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 19 of 21
PUBLIC
Acronym Expanded Term
MySEF Malaysian Security Evaluation Facility
API Application Programming Interface
CC Common Criteria
EAL Evaluation Assurance Level
EPS Events per Second
GUI Graphical User Interface
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
IDS Intrusion Detection System
LAN Local Area Network
OS Operating System
OSI Open Systems Interconnection
PP Protection Profile
SDEE Security Device Event Exchange
SIEM Security Information and Event Management
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
ST Security Target
TLS Transport Layer Security
TOE Target of Evaluation
TSF TOE Security Function
Analyzer The function of an IDS that applies analytical processes to
collected IDS data in order to derive conclusions about
potential or actual intrusions.
Concentrator A concentrator that receives network packets.
Decoder A decoder that captures network packets.
IDS Intrusion Detection System —a combination of services or
functions such as an Analyzer that monitors an IT System for
activity that may inappropriately affect the IT System or its
resources, and that can send alerts if such activity is
detected.
IDS data Refers both to raw data collected by the TOE and to the
results of analysis applied by the TOE to that data.
Index Indexes are internal RA data structures that organize for
searching the metadata elements of sessions and are
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 20 of 21
PUBLIC
Acronym Expanded Term
generated during data processing for a collection. The
content of the index, and consequently the metadata
elements that are displayed in the Navigation view, are
controlled by settings in effect during collection processing.
Log Concentrator A concentrator that receives log data,
Log Decoder A decoder that captures log data.
Metadata Specific data types (Service Type, Action Event, Source IP
Address, etc.) created by the parsers which are counted and
itemized in the captured data. A detailed list of metadata for
each parser may be found in the SA Guidance.
Parser A software module that defines tokens and instructions for
lexical processing of network streams. Processing includes
stream identification and metadata extraction.
Services Components of the product that work together to provide the
security functions of the TOE such as Analyzer, Concentrator,
and Decoder
A.2.2 Glossary of Terms
Table 3: Glossary of Terms
Term Definition and Source
CC International
Interpretation
An interpretation of the CC or CEM issued by the CCMB that
is applicable to all CCRA participants.
Certificate The official representation from the CB of the certification of
a specific version of a product to the Common Criteria.
Certification Body An organisation responsible for carrying out certification
and for overseeing the day-today operation of an Evaluation
and Certification Scheme. Source CCRA
Consumer The organisation that uses the certified product within their
infrastructure.
Developer The organisation that develops the product submitted for CC
evaluation and certification.
Evaluation The assessment of an IT product, IT system, or any other
valid target as defined by the scheme, proposed by an
applicant against the standards covered by the scope defined
in its application against the certification criteria specified in
the rules of the scheme. Source CCRA and MS-ISO/IEC Guide
65
PUBLIC
FINAL
C060 Certification Report ISCB-5-RPT-C060-CR-v1
Page 21 of 21
PUBLIC
Term Definition and Source
Evaluation and Certification
Scheme
The systematic organisation of the functions of evaluation
and certification under the authority of a certification body
in order to ensure that high standards of competence and
impartiality are maintained and that consistency is achieved.
Source CCRA.
Interpretation Expert technical judgement, when required, regarding the
meaning or method of application of any technical aspect of
the criteria or the methodology. An interpretation may be
either a national interpretation or a CC international
interpretation.
Certifier The certifier responsible for managing a specific certification
task.
Evaluator The evaluator responsible for managing the technical aspects
of a specific evaluation task.
Maintenance Certificate The update of a Common Criteria certificate to reflect a
specific version of a product that has been maintained under
the MyCC Scheme.
National Interpretation An interpretation of the CC, CEM or MyCC Scheme rules that
is applicable within the MyCC Scheme only.
Security Evaluation Facility An organisation (or business unit of an organisation) that
conducts ICT security evaluation of products and systems
using the CC and CEM in accordance with Evaluation and
Certification Scheme policy
Sponsor The organisation that submits a product for evaluation and
certification under the MyCC Scheme. The sponsor may also
be the developer.
--- END OF DOCUMENT ---