Vendor Provided Validation Details - Lumension Security's Endpoint Management and Security Suite, V7.1

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

 

Statement of SCAP Implementation

Lumension Security Configuration Management™ is an open, standards-based solution that enables customers to leverage the wealth of knowledge and content from leading security think tanks like the National Institute for Security and Technology's (NIST) repository, the world's largest open repository of vulnerability, patch, and configuration assessments, dramatically reduce their 'time to security', and deliver instant value from their investment. The best practices content in this repository, created and approved by the security community, is based upon the SCAP open set of standards, a combination of six common vulnerability identification standards including CVE, OVAL, CPE, CCE, XCCDF and CVSS in a future stage.

Lumension Security Configuration Management will allow Administrators to upload the SCAP Archive through the Configuration Policy Manager Web Page. This page allows the Administrators to select the desired benchmark and profile for quick assessment. The Configuration Policy Manager also allows multiple benchmarks to be assigned to a policy for mixed or heterogeneous environments.

 

Statement of CVE Implementation

Common Vulnerabilities and Exposures (CVE) is a list or dictionary that provides common identifiers for publicly known information security vulnerabilities and exposures. Using a common identifier makes it easier to share data across separate databases and tools that until CVE were not easily integrated.

Lumension Security Configuration Management adopts CVE by displaying CVE IDs for missing security patches or software vulnerabilities. Users can also select the CVE ID to hyperlink directly to the public National Vulnerability Database (NVD) hosted by NIST. The CVE references can be viewed by navigating to Groups > Compliance Detail > Select a Device Name that has been scanned > Expand the Benchmark > drill through the tree and select the hyperlink of the test to launch the detailed assessment results page.

Users can also search for CVE IDs by navigating to the Vulnerabilities Page and entering the CVE ID in the Name/CVE No search field to display detail results and to identify additional systems that are applicable to the software vulnerability.

 

Statement of CCE Implementation

The Common Configuration Enumeration (CCE) provides common identifiers to system configurations in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. The CCE IDs are included in the SCAP data streams to map security best practices to computer configurations. Lumension Security Configuration Management will display the CCE IDs after a computer has completed the scan and is hosted in XML format on the SCM Server for further analysis. CCE IDs are also available when exporting the scan results.

Lumension Security Configuration Management™ is an open, standards-based solution that enables customers to leverage the wealth of knowledge and content from leading security think tanks like the National Institute for Security and Technology's (NIST) repository, the world's largest open repository of vulnerability, patch, and configuration assessments, dramatically reduce their 'time to security', and deliver instant value from their investment. The best practices content in this repository, created and approved by the security community, is based upon the SCAP open set of standards, a combination of six common vulnerability identification standards including CVE, OVAL, CPE, CCE, XCCDF and CVSS.

 

Statement of CPE Implementation

The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. CPE is simply a standards based dictionary of software product names. 

Lumension Security Configuration Management adopts CPE to verify that configuration scans are not conducted on systems that are not applicable to the Benchmark or Profiles.  This allows Administrators to include security benchmarks that are applicable to Windows 2000, Windows XP, Windows 2003, and Windows Vista systems into a single configuration policy.  Administrators can assign this configuration policy to the built-in Windows System Group which can be cascaded down to child groups like Windows 2000, Windows XP, Windows 2003, Windows Vista systems.  Administrators can easily review the scan results for each operating system version to get a complete view of their assessment results.  This will ensure no additional resource overhead will exist on systems being scanned for a benchmark that is not applicable to that system. 

 

Statement of CVSS Implementation

The Common Vulnerability Scoring System (CVSS) is an open standard for assigning scores to a vulnerability that indicates its relative severity compared to other vulnerabilities. It offers visibility into how each score was calculated by revealing the underlying vulnerability characteristics that are inputs to the score calculation.

Lumension Security Configuration Management adopts CVSS by displaying CVE IDs for missing security patches or software vulnerabilities. Users can also select the CVE ID to hyperlink directly to the public National Vulnerability Database (NVD) hosted by NIST. The CVE references can be viewed by navigating to Groups > Compliance Detail > Select a Device Name that has been scanned > Expand the Benchmark > drill through the tree and select the hyperlink of the test to launch the detailed assessment results page. Once the detailed assessment results page has been launched, users can click on the CVE ID that will hyperlink to the NVD website where the CVSS severity score is displayed.

 

Statement of XCCDF Implementation

The Extensible Configuration Checklist Description Format (XCCDF) is a specification language for writing security checklists, benchmarks, and related kinds of documents.  An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring.

XCCDF is used by the Lumension Security Configuration Management Agent (SCM Agent) that interprets the checklist, scans the system, and posts the results to the Lumension Security Configuration Management Server to collect the results. The results can be viewed by:

• Viewing the Compliance Detail Report. 

• Viewing the Compliance Summary Report

• Viewing the Configuration Assessment Completed Job. 

Through a new dialog users can easily download the XCCDF results in SCM Server. Users select the parameters for the results file, including a list of benchmarks, method of receiving file and options for adding multiple organizations.
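As an added illustration of working with a downloaded XCCDF results file (this is not vendor or product code), the following Python sketch tallies rule outcomes and lists the CCE or CVE identifiers attached to failed rules. The sample document, rule names and identifier values are constructed placeholders, and the layout assumes a standard XCCDF `TestResult` with `rule-result`, `result` and `ident` elements.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample XCCDF TestResult; not output from the product.
# Rule ids and CCE/CVE values are placeholders.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example">
  <TestResult id="example-result">
    <target>HOST-A</target>
    <rule-result idref="rule-password-length">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-0000-1</ident>
    </rule-result>
    <rule-result idref="rule-screen-saver">
      <result>pass</result>
      <ident system="http://cce.mitre.org">CCE-0000-2</ident>
    </rule-result>
    <rule-result idref="rule-missing-patch">
      <result>fail</result>
      <ident system="http://cve.mitre.org">CVE-0000-0001</ident>
    </rule-result>
    <rule-result idref="rule-other-platform">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>"""


def local(tag):
    """Drop the '{namespace}' prefix so XCCDF 1.1 and 1.2 files both match."""
    return tag.rsplit("}", 1)[-1]


def summarize(xml_text):
    """Return (Counter of result values, [(rule idref, [idents])] for fails)."""
    # For files from untrusted sources, use a hardened XML parser instead.
    root = ET.fromstring(xml_text)
    counts, failed = Counter(), []
    for el in root.iter():
        if local(el.tag) != "rule-result":
            continue
        result, idents = "", []
        for child in el:
            name = local(child.tag)
            if name == "result":
                result = (child.text or "").strip()
            elif name == "ident":
                idents.append((child.text or "").strip())
        counts[result] += 1
        if result == "fail":
            failed.append((el.get("idref"), idents))
    return counts, failed
```

Rules reported as `notapplicable` correspond to checks skipped because the benchmark's platform did not match the scanned system.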

 

Statement of OVAL Implementation

The Open Vulnerability and Assessment Language (OVAL) is an open standard XML language to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services.

Lumension Security Configuration Management uses OVAL during the scan or assessment for the selected system to evaluate, carry out, and report the results of the OVAL Definitions for that platform. 

The OVAL Test ID can be retrieved by:

1.  See page 56 in the Users Guide

Lumension Security Configuration Management adopts Mitre's OVAL Interpreter to show how information can be collected from a computer for testing, to evaluate and carry out the OVAL Definitions for that platform, and to report the results of the tests.