Vendor Provided Validation Details - Symantec Risk Automation Suite 4
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.
Statement of FDCC Compliance:
Symantec asserts that the Risk Automation Suite product does not alter the FDCC
settings on Microsoft Windows XP and Vista systems.
Three options for configuration assessment methods are provided at this time (agent-based, off-line and agent-less).
Our agent-based and off-line solution (named the Remote Compliance Connector) may be deployed as a persistent agent that is configured to communicate with the Risk Automation Suite server while requiring NO modification of FDCC or Firewall settings for XP or Vista.
The configuration assessments may also be achieved via agent-less methods. When performing assessments via agent-less methods the following requirement applies:
When performing configuration assessments on a Vista machine via agent-less methods AND the computer is NOT a member of an Active Directory Domain (i.e., it is considered a "standalone" Vista machine), the following requirement applies:
A new registry key named "LocalAccountTokenFilterPolicy" must be created, the value type of the registry key needs to be set to REG_DWORD, and its value must be set to "1". Setting this registry value allows standalone Vista computers to be remotely.
Statement of SCAP Implementation:
Risk Automation Suite is a highly-scalable, integrated framework of compliance
technologies, which enables organizations to quickly and easily measure
security and compliance across the enterprise network. Built upon a SOA
architecture, Risk Automation Suite installs in less than one day and easily
scales to any enterprise class network, including networks exceeding 100,000's
of network assets. Risk Automation Suite is compatible with all SCAP
components: CVE, CCE, CPE, CVSS, XCCDF and OVAL. Risk Automation Suite will
quickly discover and classify every asset connected to the network, scan the
appropriate assets for compliance with Federal standards (i.e. FDCC), and
provide a centralized portal for continuous, repeatable measurement and
reporting.
The full implementation of SCAP 1.0 was added to Risk Automation Suite in
version 3.5 and will be supported in future versions of Risk Automation Suite.
Certain components of SCAP had been previously supported in previous versions
of Risk Automation Suite; however, the continued development of the SCAP
standards has been included comprehensively in Risk Automation Suite 4.
Leveraging the SCAP standards, Risk Automation Suite automates enterprise-wide
asset discovery, vulnerability detection, configuration reporting, and policy
compliance measurement in a single, easy to deploy, easy to manage solution.
The Risk Automation Suite Portal offers powerful asset classification,
scheduling and reporting features to provide users with complete command and
control over enterprise scans and report generation. Large government and
commercial entities rely on Risk Automation Suite to continuously measure IT
security and compliance with government policies and standards, including:
FISMA, FDCC, C&A criteria, and NIST 800 Series standards.
Statement of CVE Implementation:
Common Vulnerability Enumeration (CVE) is used within Risk Automation Suite to
associate any vulnerabilities reported in the Risk Automation Suite Portal to a
corresponding CVE ID. CVE IDs are displayed on "Vulnerability Distribution"
reports and "Vulnerability Detail" reports, which can be accessed by
clicking on any vulnerability name in the Risk Automation Suite Portal. Once
viewing this page, users can click the CVE ID number to access the NVD records
for the CVE.
Statement of CCE Implementation:
Common Configuration Enumeration (CCE) is used within Risk Automation Suite to
associate configuration values reported in the Risk Automation Suite Portal to
a corresponding CCE ID. CCE IDs are displayed on the "Control Detail
Report", which can be accessed by clicking on any Control name in the Risk
Automation Suite Portal. Once viewing this page, users will find the CCE ID
located in the Control Description field. The CCE ID can be clicked on to
access the NVD record for the CCE.
Statement of CPE Implementation:
Common Platform Enumeration (CPE) is used by Risk Automation Suite to align
SCAP data streams and assessment results with the intended platforms. CPE
values are imported from XCCDF data streams and are used in conjunction with
OVAL definitions and the Risk Automation Suite Configuration Management
scanner.
Statement of CVSS Implementation:
The Common Vulnerability Scoring System (CVSS) is used within Risk Automation
Suite to prioritize and display risk scores for any vulnerabilities reported in
the Risk Automation Suite Portal. CVSS scores can be viewed for each
vulnerability on the "Vulnerability Distribution" reports,
"Vulnerability Detail" reports, and "View Host" reports.
Vulnerabilities can be sorted and prioritized by CVSS scores. Scoring metrics and
modifiers can be entered and updated to achieve scoring and prioritization that
reflects the user's unique and realistic threat environment.
Statement of XCCDF Implementation:
The Extensible Configuration Checklist Document Format (XCCDF) is used by Risk
Automation Suite to automate the importation of XCCDF enabled checklists,
benchmarks, and related documents. During importation, users can choose from
any available profiles and benchmarks within the XCCDF file to build the
desired checklist. XCCDF content is translated into policies and standards
within Risk Automation Suite that can be easily measured and reported.
Following importation, XCCDF content can be viewed and measured in
"Policies and Controls" reporting.
Statement of OVAL Implementation:
The Open Vulnerability Assessment Language is used by Risk Automation Suite to
define and test system vulnerabilities, patches and configuration values. OVAL
content, consisting of configuration and patch definitions, can be imported
into Risk Automation Suite and included in the Risk Automation Suite scanning
processes. Risk Automation Suite interprets OVAL definitions, executes scans
remotely against target machines and returns the OVAL test results to the Risk
Automation Suite portal for measurement against XCCDF checklists and
benchmarks. OVAL references including the definition can be viewed in the Risk
Automation Suite "Control Detail Report" and "Edit Control"
dialogue for any imported OVAL definitions.