Statement of SCAP Implementation
SecureVue(R) from eIQnetworks is the first security platform to deliver true Unified Situational Awareness™. A key capability of situational awareness is SecureVue’s ability to deliver out-of-box, continuous monitoring of IT asset inventory and configuration state across a broad range of hosts, network devices, applications and databases.
SecureVue’s continuous asset and configuration monitoring capabilities are compliant with the SCAP specification. By monitoring inventory and configuration of assets, SecureVue allows security operations personnel to immediately identify when systems, applications and databases are no longer compliant with SCAP-based standards such as DISA STIGs and CIS Benchmarks, and immediately notifies appropriate personnel for remediation. Additionally, SecureVue’s other integrated capabilities – including log management, SIEM, network behavioral analysis, performance monitoring, file integrity monitoring (FIM), and more – allows security personnel to not only identify asset change details, but establish the context of who made the change, when and how.
SecureVue implements the SCAP 1.0 standard, which includes implementation of key protocols, including: eXtensible Configuration Checklist Document Format (XCCDF); Open Vulnerability Assessment Language (OVAL); Common Configuration Enumeration (CCE); Common Platform Enumeration (CPE); Common Vulnerability Enumeration (CVE); and Common Vulnerability Scoring System (CVSS).
SecureVue processes SCAP content containing files conformant to XCCDF, OVAL and CPE dictionary schemas, runs defined checks on a target system and produces SCAP conformant XCCDF and OVAL output. It also outputs HTML and XML reports which provide benchmark scores and information that a system administrator can use to make the target system more secure. The XCCDF and OVAL result files can be used by other tools in a variety of ways and contain detailed scoring and results information, as well as CVE, CCE and CPE identifiers. SecureVue validates SCAP streams against the industry standard XCCDF and OVAL schemas and its output can be validated against the corresponding schemas as well.
SCAP capabilities supported by SecureVue are:
· FDCC Scanner: the capability to audit and assess a target system to determine its compliance with the Federal Desktop Core Configuration (FDCC) requirements, as well as the United States Government Computing Baseline (USGCB) which supersedes FDCC requirements.
· Authenticated Configuration Scanner: the capability to audit and assess a target system to determine its compliance with a defined set of configuration requirements using target system logon privileges.
Integrating asset inventory and configuration auditing with other native, out-of-box capabilities – including log management, SIEM, network behavioral analysis, performance monitoring, FIM and more – SecureVue delivers a true, common operating picture (COP) of information security across all IT assets and throughout the stack, from the physical through application layers.
Statement of CVE Implementation
The CVE (Common Vulnerabilities and Exposures) standard links unique identifiers with known security vulnerabilities and/or exposures. CVE identifiers are typically found in the OVAL patch definition content of a SCAP data stream. An OVAL patch definition may contain a reference element that associates the definition with a CVE identifier. Links to various websites containing more information about the vulnerability and/or exposure may also be provided in the reference element.
SecureVue during import of SCAP content processes and imports the CVE specifications. The CVEs are available for viewing as part of browsing the ComplianceVue policy, are searchable and are made part of results output.
When the SecureVue processes a SCAP data stream against a target system, any CVE identifiers associated with entities in the stream will be found and provided in the results HTML and SCAP output files.
In the SecureVue results HTML files, CVE identifiers can typically be found in the OVAL results HTML file for the patch content. Detailed information on each definition processed can be found in the Definitions section of the HTML file. For each definition, there is a "References" column that displays any CVE identifiers that are associated with the definition.
This allows the user to determine the impact of a particular CVE, based on CVSS impact metrics. This also allows the user to prioritize different vulnerabilities found by comparing vulnerability scores with each other.
Statement of CCE Implementation
SecureVue v3.6 supports CCE v5.0. Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. The CCE (Common Configuration Enumeration) standard links unique identifiers with known system configuration issues. For example, CCE identifiers can be used to associate checks in configuration assessment tools with statements in configuration best-practice documents.
When the SecureVue processes a SCAP data stream against a target system, any CCE identifiers associated with rules and/or definitions in the stream will be found and imported. These are then provided in the UI for searching and viewing and are also included in resultant HTML files.
CCE identifiers are typically found in the OVAL definition content and the XCCDF content of a SCAP data stream. An OVAL definition may contain a reference element that associates the definition with a CCE identifier. A link to the CCE website containing more information about the system configuration issue is also provided in the reference element. An XCCDF Rule may contain an ident element that associates the Rule with a CCE identifier.
In the SecureVue results HTML files, CCE identifiers can typically be found in the HTML and XML reports. For OVAL results HTML files, detailed information on each definition processed can be found in the Definitions section of the HTML and XML file. For each definition, there is a "References" column that displays any CCE identifiers that are associated with the definition in addition to the CCE identifier.
It is important to note that CCE identifiers in the Detailed Results section of the reports provide a link to the CCE website to allow the user to gather additional information regarding the configuration issue.
Statement of CPE Implementation
SecureVue v3.6 supports CPE v2.2. The CPE (Common Platform Enumeration) standard is a structured naming scheme for hardware, operating systems and applications. It allows different tools to specify names for IT platforms in a consistent way. The XCCDF file included in a typical SCAP data stream contains one or more platform elements. The platform element contains a CPE identifier that associates an XCCDF Benchmark, Rule or Group with a target platform. If the target system is not an instance of the CPE identifier specified in a platform element, then the XCCDF Benchmark, Rule, or Group associated with that platform element is not applicable to the target system and will not be processed.
In order to determine if the target system is an instance of a CPE identifier, SecureVue processes the CPE dictionary and the CPE OVAL content in the SCAP data stream. The CPE dictionary contains one or more CPE identifiers, each associated with an OVAL definition that resides in the CPE OVAL content. If SecureVue processes the OVAL definition and the definition returns a result of "true", then the target system is said to be an instance of the associated CPE identifier. A list of CPE identifiers that the target system is an instance of is compiled in this fashion from the CPE dictionary, and then used when processing the XCCDF file. SecureVue ComplianceVue policies include a section typically called ‘inventory’ that include all CPE checks. If the CPE identifier specified by a platform element in the XCCDF file is not in the compiled CPE instance list, then the Benchmark, Rule or Group associated with that CPE identifier is not applicable to the target system and will not be processed. Rules that are not applicable to the target system will have a result of "not applicable".
Statement of CVSS Implementation
SecureVue v3.6 supports CVSS v2.0. The Common Vulnerability Scoring System (CVSS) is designed to provide an open and standardized method for rating information technology vulnerabilities and exposures. By assigning a score to vulnerability, one can determine its relative severity when compared to other vulnerabilities.
CVSS helps organizations prioritize and coordinate a joint response to security issues by communicating the base, temporal, and environmental properties of a given vulnerability. CVSS is an open standard for assigning a score to vulnerability and that score is an indication of its relative severity compared to other vulnerabilities.
In SecureVue 3.6 the CVE identifiers can typically be found in the security patches section of the HTML reports. For each security patch check, there is a "References" column that displays any CVE identifiers that are associated with the definition. Each CVE identifier will have a link to the NVD database webpage for that CVE. Each link can then be used to obtain the CVSS information from the National Vulnerability Database (NVD) site, including the NIST-calculated CVSS score, the full CVSS vector, and the CVSS calculator.
Statement of XCCDF Implementation
SecureVue v3.6 supports XCCDF version 1.1.4. XCCDF (eXtensible Configuration Checklist Description Format) is a XML schema used for writing security checklists and benchmarks. SecureVue loads XCCDF content from a SCAP stream and determines if the rules specified by the XCCDF content are satisfied by a target system. When SCAP content is imported, SecureVue validates XCCDF content and lets the user select a profile from the content. Rules are automatically selected and unselected based on the profile the user selects.
SecureVue calculates scores using all of the current XCCDF scoring models including the default, flat, flat un-weighted and absolute models.
A benchmark results XML document is generated using the XCCDF Results schema. Output also includes HTML files for human readable output. Since it uses the industry standard XCCDF Results schema, the benchmark results XML document can be imported into other Applications/tools.
Statement of OVAL Implementation
SecureVue v3.6 supports OVAL 5.4. OVAL (Open Vulnerability and Assessment Language) is a language used to standardize the transfer of security content among different tools.
SecureVue implements the Open Vulnerability Assessment Language (OVAL) by providing the ability to import Security Content Automation Protocol (SCAP) content that includes XML files in OVAL-compliant format. SecureVue loads OVAL content in conjunction with an XCCDF checklist and processes the OVAL definition content against a target system.
SecureVue implements validation routines that ensure that imported OVAL content is compliant with the standard by checking the files against schema documents. SCAP content which is being imported is processed and the user is notified if there is invalid content in OVAL file which is not in accordance with an OVAL schema.
After successful import of SCAP content containing OVAL, SecureVue creates a normalized and categorized policy within ComplianceVue, the product’s integrated compliance evaluation module that supports a broad range of out-of-box regulations, best practices and standards including DISA STIGs, CIS Benchmarks, FDCC, USGCB, FISMA/NIST800-53, PCI DSS, HIPAA and more. Once the policy has been automatically established within ComplianceVue, SecureVue compares the compliance polices on collected data from IT assets including Windows and UNIX/Linux hosts, network infrastructure and security devices, applications and databases, allowing users to browse and report on compliance results as well as assign remediation of specific non-compliance issues to individuals and groups using built-in workflow.
SecureVue allows export of compliance results in SCAP format that include OVAL results files. By using the industry standard OVAL schemas, SecureVue can share data with any application/tool that understands OVAL.