Vendor Provided Validation Details - Dell KACE K1000 System Management Appliance 5.3.45496

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of SCAP Implementation

The Security Content Automation Protocol (SCAP) is a standard that allows organizations to automate vulnerability testing. Dell KACE provides system management solutions to manage client systems and offers many features including endpoint security through an easy to use, affordable and comprehensive appliance with a single web-based console. The KACE management appliance provides endpoint protection features like patching, application virtualization, secure browsers, OVAL assessment and SCAP scanning.

SCAP is a collection of six open standards developed jointly by the government and private sector.  It allows for a standardized way to enumerate, document and refer to commonly known vulnerabilities, exposures, configurations, and checklists and also includes the language for communication of the standard content. Tools developed around SCAP components can be used to assess, test and document security status of managed systems. This allows for better standards compliance and regulatory enforcement.

The KACE solution allows users to schedule, run and report on SCAP scans. The SCAP Scan feature can scan endpoints for a list of XCCDF checklists and can report on results. The user will be able to see how many CCE items the endpoint satisfied and how many it failed to pass. The appliance provides an intuitive user interface that allows users to easily check how systems performed against the standard security checklists and cross link the systems with other features like asset management, inventory, patching and software distribution etc. to easily diagnose and remediate issues.

Users can also perform OVAL assessments through the management console. The KACE appliance loads the latest set of vulnerabilities from the CVE list and allows users to schedule and run assessments of endpoint systems against any of the available list of CVEs. This lets admins assess the security status of their endpoint systems and enables them to create a security configuration and remediation plan based on the assessments. Users can then crosslink the systems to the other management modules and implement configuration management and security remediation to keep their endpoints secure.

This SCAP scan feature and the OVAL Assessment feature also provide the framework that users can use to achieve FDCC compliance.

Statement of FDCC Scanner Implementation

The Federal Desktop Core Configuration (FDCC) is a set of compliance requirements recommended by the National Institute of Standards and Technology (NIST) for security settings of desktop computers within US government agencies.

The K1000 SCAP Scanner enables agencies of all sizes to audit their systems to ensure FDCC compliance, but may also be used by other organizations who seek to leverage the FDCC benchmarks to help enforce their own set of configuration standards.

The KACE solution allows users to schedule, run and report on SCAP scans. The SCAP Scan feature can scan endpoints for a list of XCCDF checklists and can report on results. The user will be able to see how many CCE items the endpoint satisfied and how many it failed to pass. The appliance provides an intuitive user interface that allows users to easily check how systems performed against the standard security checklists and cross link the systems with other features like asset management, inventory, patching and software distribution etc. to easily diagnose and remediate issues.

Users can also perform OVAL assessments through the management console. The KACE appliance loads the latest set of vulnerabilities from the CVE list and allows users to schedule and run assessments of endpoint systems against any of the available list of CVEs. This lets admins assess the security status of their endpoint systems and enables them to create a security configuration and remediation plan based on the assessments. Users can then crosslink the systems to the other management modules and implement configuration management and security remediation to keep their endpoints secure.

This SCAP scan feature and the OVAL Assessment feature also provide the framework that users can use to achieve FDCC compliance.

Statement of CVE Implementation

Common Vulnerability Enumeration (CVE) is a publicly available standard enumeration of documented vulnerabilities and exposures that are part of the SCAP framework. KACE is a leading global provider of systems management and systems deployment appliances that are easy to use, comprehensive and affordable. The KACE endpoint security feature includes the ability to schedule and run OVAL assessments and SCAP scans. This allows the KACE appliance to assess systems for software vulnerabilities and run reports against standard security checklists. The OVAL assessment and SCAP scan capabilities allow organizations to implement compliance standards like FDCC.

CVE provides a standardized way of indexing and referencing known and documented vulnerabilities. CVE is the oldest of the six SCAP components. It provides a baseline to evaluate security tools for coverage and also enables integration between tools by providing standardized data definitions for vulnerabilities. The KACE SCAP scanner allows for testing against standard security benchmarks that use CVE definitions that are available and apply to the specific benchmarks. CVE identifiers are also reported in the results.

Statement of CCE Implementation

Common Configuration Enumeration (CCE) is a publicly available standard enumeration of documented configurations that are part of the SCAP framework. KACE is a leading global provider of systems management and systems deployment appliances that are easy to use, comprehensive and affordable. The KACE endpoint security feature includes the ability to schedule and run OVAL assessments and SCAP scans. This allows the KACE appliance to assess systems for software vulnerabilities and run reports against standard security checklists. The OVAL assessment and SCAP scan capabilities allow organizations to implement compliance standards like FDCC.

The CCE provides unique identifiers to system configuration issues to enable a standard way of referencing configuration data across multiple information sources and tools. Within the SCAP Scan feature the list of security checklists can be run and results can be viewed from within the management console. Users can drill through the results to check the list of CCEs that the systems passed or failed. Users can then crosslink to the other system management modules like Inventory, Asset Management, Configuration Management, Patching, Software Distribution etc. to do further diagnosis or take corrective actions to remediate the issues all from within a single web-based console.

Statement of OVAL Implementation

The Open Vulnerability and Assessment Language (OVAL) is a standard to document and share security content across the entire spectrum of security tools and services. KACE is a leading global provider of systems management and systems deployment appliances that are easy to use, comprehensive and affordable. The KACE endpoint security feature includes the ability to schedule and run OVAL assessments and SCAP scans. This allows the KACE appliance to discover, assess systems for software vulnerabilities and run reports against standard security checklists. The OVAL assessment and SCAP scan capabilities allow organizations to implement compliance standards like FDCC.

The KACE SCAP scanner allows running tests against standard security benchmarks defined by the XCCDF specification. The OVAL standard that is also part of the SCAP specification contains the details on the set of tests that are needed to successfully test against each benchmark. The OVAL engine within the SCAP scan module allows users to run CCE tests. The configuration identifiers within the XCCDF benchmarks combined with the OVAL tests allow users to map results to FDCC Compliance requirements.

Statement of CPE Implementation

The CPE is a publicly available standard enumeration of technology platforms like Windows XP, Red Hat Linux etc., that is part of the SCAP framework. KACE is a leading global provider of systems management and systems deployment appliances that are easy to use, comprehensive and affordable. The KACE endpoint security feature includes the ability to schedule and run OVAL assessments and SCAP scans. The KACE SCAP functionality uses the CPE enumerations to identify the various technology platforms. The first phase of the SCAP configuration scan involves a CPE check to make sure that the benchmark being assessed is applicable to the particular platform.

The KACE endpoint security feature uses the CPE definitions in the assessments as well as in the reports that show the results of the assessments. This allows for assessments to be performed on the correct platforms and remediation to be applied to the right systems. Users can view reports of assessment results in different slices and dices. Admins can also group systems based on the different platforms and apply different scan schedules per group. Users can then crosslink to the other system management modules like Inventory, Asset Management, Configuration Management, Patching, Software Distribution etc. to do further diagnosis or take corrective actions to remediate the issues all from within a single web-based console.

Statement of CVSS Implementation

The CVSS (Common Vulnerability Scoring System) is a publicly available standardized methodology to score and rank the impact of vulnerabilities. KACE is a leading global provider of systems management and systems deployment appliances that are easy to use, comprehensive and affordable. The KACE endpoint security feature includes the ability to schedule and run OVAL assessments and SCAP scans. As part of the SCAP scanner the user can run tests against standard security benchmarks and view results on what vulnerabilities exist on their systems. CVSS allows organizations to assess, evaluate and rank the severity and impact of security vulnerabilities thereby enabling them to prioritize remediation efforts and be better prepared to address security breach incidents.

Currently the methodology is available for vulnerabilities enumerated by the CVE standard. The CVSS provides a quantifiable and consistently repeatable way of assessing the impact of vulnerabilities. Scores using this methodology are currently only implemented and available for CVE (Common Vulnerability Enumeration) items. The scores for a specific CVE can be located at the associated location on the National Vulnerability Database website. For example, CVE-2006-1315 at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1315.

Statement of XCCDF Implementation

The Extensible Configuration Checklist Description Format (XCCDF) is a standard specification language for writing security checklists, benchmarks, and related documents. It provides a set of security checklists for specific components of a computer system. KACE is a leading global provider of systems management and systems deployment appliances that are easy to use, comprehensive and affordable. The KACE endpoint security feature includes the ability to schedule and run OVAL assessments and SCAP scans. This allows the KACE appliance to discover, assess systems for software vulnerabilities and run reports against standard security checklists. The OVAL assessment and SCAP scan capabilities allow organizations to implement compliance standards like FDCC.

The KACE appliance allows admins to perform SCAP scans to test systems or groups of systems against publicly available XCCDF security checklists. The results of SCAP scans are available through the KACE console and can be drilled down to view details that provide insights into the list of CCEs that the system passed or failed. Users can then crosslink to the other system management modules like Inventory, Asset Management, Configuration Management, Patching, Software Distribution etc. to do further diagnosis or take corrective actions to remediate the issues all from within a single web-based console.