Vendor Provided Validation Details - Arellia Security Analysis Solution v7.1

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of FDCC Implementation

The Arellia Security Analysis Solution is a product that relies on the Symantec Management Platform V7.1 (SMP) product as a base Systems Management and CMDB platform. The product provides a plug-in task agent and supporting binaries to the standard Symantec (Altiris) Agent. All analysis and remediation is done by this agent running on the Windows-based endpoints. Everything is managed centrally through the Arellia web-based console, including the rollout of the agent components.

There are no additional changes necessary to the FDCC settings other than installing the required Symantec (Altiris) agent, and associated Arellia agents through the SMP infrastructure.

Statement of SCAP Implementation

Security Content Automation Protocol (SCAP) is a public specification that provides for standardized and automatable security configuration and vulnerability assessment, comprised of the eXtensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL), Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE), Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS).

The Federal Desktop Core Configuration (FDCC) and U.S. Government Baseline (USGCB) are examples of the SCAP specification, mandated across all U.S. federal agents and made openly available to other organizations to leverage.

Effective Security Configuration Management products help firms manage security proactively. By combining elements of vulnerability assessment, patch management, automated remediation and configuration compliance, these products can help reduce risks by ensuring that systems are configured properly.

Arellia Security Analysis Solution embraces the SCAP standard to help meet these goals, providing the ability to import SCAP content into the Symantec Management Platform CMDB and allows for the continuous monitoring of security configuration management issues that arise due to system vulnerability and misconfiguration on endpoints within an organization.

Through fully automated processes, users can define policies that enforce the assessment of tailored SCAP profiles on a scheduled basis, optionally followed by automated remediation to keep their managed computers compliant. The results of these assessments and remediation are all collected and stored in the CMDB, allowing for rich reporting, alerting and data exchange. All data imported and collected can be leveraged to precisely identify specific conditions and turned into actionable tasks, furthering configuration compliance.

Arellia Security Analysis Solution supports SCAP version 1.0.

Statement of CVE Implementation

Common Vulnerabilities and Exposures (CVE) is a common identification and dictionary for computer and information security vulnerabilities and is maintained and hosted by The MITRE Corporation ( The National Vulnerability Database (NVD) publishes vulnerability summaries that provide detailed information for most known computer and information security vulnerabilities. These vulnerability summaries can be accessed using the CVE (Common Vulnerabilities and Exposures) identifier for a given vulnerability. NVD also regularly publishes NVD/CVE XML 2.0 data feeds that store similar information but in a schema-defined and machine-readable format.

Arellia Security Analysis Solution utilizes CVE identifiers to associate vulnerabilities identified in the imported SCAP data stream as well as the assessment results. When viewing the OVAL definitions within a profile, CVE identifiers are displayed with links to detail on the CVE website. Numerous reports are available within the product that show which computers are susceptible to the vulnerabilities identified by their CVE and combined with CVSS scoring metrics. The product also stores CVE entities as unique resources within the CMDB, leveraging the ability to associate and relate these to other CMDB resources, giving the administrator rich reporting and targeting data to work from.

Statement of CCE Implementation

Arellia Security Analysis Solution supports the public standard Common Configuration Enumeration (CCE) version 5.0, which provides an identification system for common security configuration issues and vulnerabilities. These identifiers are referenced within the SCAP and OVAL content.

The product shows the relationship of the CCEs to the OVAL checks within the view of a profile as well as within the results of an assessment performed on computers. These relationships are also modeled within the CMDB to provide for cross-profile views of assessment results, allowing the administrator to run reports that can filter the results to specific computers or groups of computers that have specific CCE results. There are numerous other reports that can be built based on these relationships, giving the administrator full control of the related data within the CMDB.

CCE references are also present in the OVAL Results product output, as well as a CSV formatted file output, all accessible through the Resource Explorer user interface.

Statement of CPE Implementation   (min. 150 words, max. 500 words)

Common Platform Enumeration (CPE) version 2.2 is an open standard that describes IT platforms (hardware, operating systems and applications). XCCDF Benchmarks define applicable platforms through CPE designations.

Upon import of the XCCDF benchmarks, Arellia Security Analysis Solution will extract all CPE references, then analyze and process them against the managed computers to build filters used within the Symantec Management Platform. These filters are maintained and kept up-to-date through various tasks as new computers and profiles are introduced into the system. These targets can be used by other products, but have proven to be a good starting point for targeting assessments within Security Analysis policies.

When security configuration policies are created, these CPE-based filters are used as a starting point for targeting the endpoints to perform the SCAP assessments. These policy targets can be further tailored to narrow down the policy to specific endpoints.

The CPE references are also viewable within result output and available to use when correlating results and assessed computers within reports and data exchange.

Statement of CVSS Implementation

Common Vulnerability Scoring System (CVSS) version 2 is a public standard that defines methods for scoring and rating computer vulnerabilities. These vulnerabilities are referenced using a Common Vulnerabilities and Exposures (CVE) identifier and allow the administrator to prioritize and remediate those that pose the greatest risk. The CVSS list is maintained on the NIST website, providing scores for common threats and vulnerabilities.

Arellia Security Analysis Solution provides tasks that can be run on managed computers that will gather CVE analysis results and analyze this data to produce CVSS score information for the managed computers. The product also displays CVSS scoring details in reports for managed computers that have been analyzed, including the CVE ID, score level, availability impact, confidentiality impact, integrity impact and published date information. There are also links to the CVEs in the product output where users can navigate to find additional information on the CVSS scores for the vulnerabilities.

Statement of OVAL Implementation

Arellia Security Analysis Solution supports Open Vulnerability Assessment Language (OVAL), versions 5.3 through 5.9. OVAL is a public standard for creating vulnerability, configuration, and patch checks using a declarative XML syntax.

Arellia Security Analysis Solution imports OVAL content from SCAP data content streams. The product performs the evaluation of OVAL Definitions, generally in the context of XCCDF Benchmark Profiles, to test configuration settings and vulnerabilities on managed computers through an agent-based plug-in to the Symantec Management Agent. XCCDF provides ways to adjust the configuration of these assessments to better suit the customer needs, all orchestrated within our user interface.

Arellia Security Analysis Solution also provides ways to report individual or group assessment results across multiple computers that have performed these assessments, giving rich reporting data that can be used for other system configuration management tasks and policies.

OVAL content is delivered to the endpoints where the assessments are performed resulting in OVAL Results being sent back to the server and correlated into the CMDB, giving the administrators access to the OVAL and XCCDF compliant XML output as well as numerous reports than can correlate these assessments to the managed elements within the CMDB.


Statement of XCCDF Implementation

Arellia Security Analysis Solution is compatible with Extensible Configuration Checklist Description Format (XCCDF) version 1.1.4 benchmarks and other types of checklists that adhere to the XCCDF specification including industry-standard ones from FDCC, USGCB, HIPAA, SOX and PCI-DSS.

These benchmarks can be downloaded directly within the product on the Download Profiles page, which presents a list of links to the authorí»s published content from sources such as NIST. The product also supports uploading multiple benchmarks or other checklists through the web browser interface, directly from the userí»s file system in the form of XML files or compressed (ZIP) files of XML documents.

During the import of these benchmarks, the profiles and other related SCAP elements are correlated within the CMDB. The profiles are then used within security configuration policies to perform scheduled assessments and (optionally) automated remediation to keep the targeted computers in compliance to the policies defined by the computer administrator.

Assessment results can be output as XCCDF Results and made available in many reports across multiple endpoints and even between various OVAL checks, taking full advantage of customerí»s investments in CMDB-related configuration management.