Vendor Provided Validation Details – Symantec Risk Automation
The following text was provided by the vendor during testing to describe how
the product implements the specific capabilities.
Statement of FDCC Compliance:
Symantec asserts that the Risk Automation Suite product does not alter the FDCC
settings on Microsoft Windows XP and
Two options for configuration assessment methods are provided at this time
(agent-based and agent-less).
Our agent based solution (named the Remote Compliance Connector) may be
deployed as a persistent agent that is configured to communicate with the Risk
Automation Suite server while requiring NO modification of FDCC or Firewall
settings for XP or
The configuration assessments may also be achieved via agent-less methods.
When performing assessments via agent-less methods the following requirement
applies:
Local Firewall Rule: Target platforms which are running a local firewall must include
a firewall rule to allow the Risk Automation Suite scanner to remotely access
the machine. This is necessary if the Risk Automation Suite is deployed as an agent-less
platform. The firewall exception can be strictly limited to a single IP address
corresponding to the Risk Automation Suite scanner, while blocking all other
traffic. This rule can be deployed enterprise-wide through a simple group
policy setting or through the local policy on stand-alone machines.
When performing configuration assessments on a Vista machine via agent-less methods
AND the computer is NOT a member of an Active Directory Domain (i.e., it is
considered a "standalone" Vista machine), the following requirement
applies:
A new registry key named "LocalAccountTokenFilterPolicy"
must be created, the value type of the registry key needs to be set to
REG_DWORD, and its value must be set to "1". Setting this registry
value allows standalone
Statement of SCAP Implementation:
The Risk Automation Suite is a highly-scalable, integrated framework of
compliance technologies, which enables organizations to quickly and easily
measure security and compliance across the enterprise network. Built upon a SOA architecture, the Risk Automation Suite installs in
less than one day and easily scales to any enterprise class network, including
networks exceeding 100,000's of network assets. The Risk Automation Suite is
compatible and built upon all SCAP components; CVE, CCE, CPE, CVSS, XCCDF and
OVAL. The Risk Automation Suite will quickly discover and classify every asset
connected to the network, scan the appropriate assets for compliance with
Federal standards (i.e. FDCC), and provide a centralized portal for continuous,
repeatable measurement and reporting.
The full implementation of SCAP 1.0 was added to the Risk Automation Suite in
version 3.5 and will be supported in future versions of Risk Automation Suite.
Certain components of SCAP had been previously supported in previous versions
of the Risk Automation Suite; however, the continued development of the SCAP
standards has been included comprehensively in the Risk Automation Suite 3.5.
Leveraging the SCAP standards, the Risk Automation Suite automates
enterprise-wide asset discovery, vulnerability detection, configuration
reporting, and policy compliance measurement in a single, easy to deploy, easy
to manage solution. The Risk Automation Suite Portal offers powerful asset classification,
scheduling and reporting features to provide users with complete command and
control over enterprise scans and report generation. Large government and
commercial entities rely on the Risk Automation Suite to continuously measure
IT security and compliance with government policies and standards, including:
HIPAA, PCI, FISMA, FDCC, C&A criteria, and NIST 800 Series standards.
Statement of CVE Implementation:
The Risk Automation Suite is a highly-scalable, integrated framework of
compliance technologies, which enables organizations to quickly and easily
measure security and compliance across the enterprise network. Built upon a SOA architecture, the Risk Automation Suite installs in
less than one day and easily scales to any enterprise class network, including
networks exceeding 100,000's of network assets. The Risk Automation Suite is
compatible and built upon all SCAP components; CVE, CCE, CPE, CVSS, XCCDF and
OVAL. The Risk Automation Suite will quickly discover and classify every asset
connected to the network, scan the appropriate assets for compliance with
Federal standards (i.e. FDCC), and provide a centralized portal for continuous,
repeatable measurement and reporting.
Common Vulnerability Enumeration (CVE) is used within Risk Automation Suite to
associate any vulnerabilities reported in the Risk Automation Suite Portal to a
corresponding CVE ID. CVE IDs are displayed on "Vulnerability
Distribution" reports and "Vulnerability Detail" reports, which
can be accessed by clicking on any vulnerability name in the Risk Automation
Suite Portal. Once viewing this page, users can click the CVE ID number to
access the NVD records for the CVE.
Leveraging the SCAP standards, the Risk Automation Suite automates
enterprise-wide asset discovery, vulnerability detection, configuration
reporting, and policy compliance measurement in a single, easy to deploy, easy
to manage solution. The Risk Automation Suite Portal offers powerful asset
classification, scheduling and reporting features to provide users with
complete command and control over enterprise scans and report generation. Large
government and commercial entities rely on the Risk Automation Suite to
continuously measure IT security and compliance with government policies and
standards, including: HIPAA, PCI, FISMA, FDCC, C&A criteria, and NIST 800
Series standards.
Statement of CCE Implementation:
The Risk Automation Suite is a highly-scalable, integrated framework of
compliance technologies, which enables organizations to quickly and easily
measure security and compliance across the enterprise network. Built upon a SOA architecture, the Risk Automation Suite installs in
less than one day and easily scales to any enterprise class network, including
networks exceeding 100,000's of network assets. The Risk Automation Suite is
compatible and built upon all SCAP components; CVE, CCE, CPE, CVSS, XCCDF and
OVAL. The Risk Automation Suite will quickly discover and classify every asset
connected to the network, scan the appropriate assets for compliance with
Federal standards (i.e. FDCC), and provide a centralized portal for continuous,
repeatable measurement and reporting.
Common Configuration Enumeration (CCE) is used within the Risk Automation Suite
to associate configuration values reported in the Risk Automation Suite Portal
to a corresponding CCE ID. CCE IDs are displayed on the "Control Detail
Report", which can be accessed by clicking on any Control name in the Risk
Automation Suite Portal. Once viewing this page, users will find the CCE ID
located in the Control Description field. The CCE ID can be clicked on to
access the NVD record for the CCE.
Leveraging the SCAP standards, the Risk Automation Suite automates
enterprise-wide asset discovery, vulnerability detection, configuration
reporting, and policy compliance measurement in a single, easy to deploy, easy
to manage solution. The Risk Automation Suite Portal offers powerful asset
classification, scheduling and reporting features to provide users with
complete command and control over enterprise scans and report generation. Large
government and commercial entities rely on the Risk Automation Suite to
continuously measure IT security and compliance with government policies and
standards, including: HIPAA, PCI, FISMA, FDCC, C&A criteria, and NIST 800
Series standards.
Statement of CPE Implementation:
The Risk Automation Suite is a highly-scalable, integrated framework of
compliance technologies, which enables organizations to quickly and easily
measure security and compliance across the enterprise network. Built upon a SOA architecture, the Risk Automation Suite installs in
less than one day and easily scales to any enterprise class network, including
networks exceeding 100,000's of network assets. The Risk Automation Suite is
compatible with all SCAP components; CVE, CCE, CPE, CVSS, XCCDF and OVAL. The
Risk Automation Suite will quickly discover and classify every asset connected
to the network, scan the appropriate assets for compliance with Federal
standards (i.e. FDCC), and provide a centralized portal for continuous,
repeatable measurement and reporting.
Common Platform Enumeration (CPE) is used by the Risk Automation Suite to align
SCAP data streams and assessment results with the intended platforms. CPE
values are imported from XCCDF data streams and are used in conjunction with
OVAL definitions and the Risk Automation Suite Configuration Management
scanner.
Leveraging the SCAP standards, the Risk Automation Suite automates
enterprise-wide asset discovery, vulnerability detection, configuration
reporting, and policy compliance measurement in a single, easy to deploy, easy
to manage solution. The Risk Automation Suite Portal offers powerful asset
classification, scheduling and reporting features to provide users with
complete command and control over enterprise scans and report generation. Large
government and commercial entities rely on the Risk Automation Suite to
continuously measure IT security and compliance with government policies and
standards, including: HIPAA, PCI, FISMA, FDCC, C&A criteria, and NIST 800
Series standards.
Statement of CVSS Implementation:
The Risk Automation Suite is a highly-scalable, integrated framework of
compliance technologies, which enables organizations to quickly and easily
measure security and compliance across the enterprise network. Built upon a SOA architecture, the Risk Automation Suite installs in
less than one day and easily scales to any enterprise class network, including
networks exceeding 100,000's of network assets. The Risk Automation Suite is
compatible and built upon all SCAP components; CVE, CCE, CPE, CVSS, XCCDF and
OVAL. The Risk Automation Suite will quickly discover and classify every asset
connected to the network, scan the appropriate assets for compliance with
Federal standards (i.e. FDCC), and provide a centralized portal for continuous,
repeatable measurement and reporting.
The Common Vulnerability Scoring System (CVSS) is used within the Risk
Automation Suite to prioritize and display risk scores for any vulnerability
reported in the Risk Automation Suite Portal. CVSS scores can be viewed for each vulnerability on the "Vulnerability
Distribution" reports, "Vulnerability Detail" reports, and
"View Host" reports. Vulnerabilities can be sorted and prioritized by
CVSS scores. Scoring metrics and modifiers can be entered and updated to
achieve scoring and prioritization that reflects the user's unique and realistic
threat environment.
Leveraging the SCAP standards, the Risk Automation Suite automates
enterprise-wide asset discovery, vulnerability detection, configuration
reporting, and policy compliance measurement in a single, easy to deploy, easy
to manage solution. The Risk Automation Suite Portal offers powerful asset
classification, scheduling and reporting features to provide users with complete
command and control over enterprise scans and report generation. Large
government and commercial entities rely on the Risk Automation Suite to
continuously measure IT security and compliance with government policies and
standards, including: HIPAA, PCI, FISMA, FDCC, C&A criteria, and NIST 800
Series standards.
Statement of XCCDF Implementation:
The Risk Automation Suite is a highly-scalable, integrated framework of
compliance technologies, which enables organizations to quickly and easily
measure security and compliance across the enterprise network. Built upon a SOA architecture, the Risk Automation Suite installs in
less than one day and easily scales to any enterprise class network, including
networks exceeding 100,000's of network assets. The Risk Automation Suite is
compatible and built upon all SCAP components; CVE, CCE, CPE, CVSS, XCCDF and
OVAL. The Risk Automation Suite will quickly discover and classify every asset
connected to the network, scan the appropriate assets for compliance with Federal
standards (i.e. FDCC), and provide a centralized portal for continuous,
repeatable measurement and reporting.
The Extensible Configuration Checklist Document Format (XCCDF) is used by the
Risk Automation Suite to automate the importation of XCCDF enabled checklists,
benchmarks, and related documents. During importation, users can choose from
any available profiles and benchmarks within the XCCDF file to build the
desired checklist. XCCDF content is translated into policies and standards
within the Risk Automation Suite that can be easily measured and reported.
Following importation, XCCDF content can be viewed and measured in
"Policies and Controls" reporting.
Leveraging the SCAP standards, the Risk Automation Suite automates
enterprise-wide asset discovery, vulnerability detection, configuration
reporting, and policy compliance measurement in a single, easy to deploy, easy
to manage solution. The Risk Automation Suite Portal offers powerful asset
classification, scheduling and reporting features to provide users with
complete command and control over enterprise scans and report generation. Large
government and commercial entities rely on the Risk Automation Suite to
continuously measure IT security and compliance with government policies and
standards, including: HIPAA, PCI, FISMA, FDCC, C&A criteria, and NIST 800
Series standards.
Statement of OVAL Implementation:
The Risk Automation Suite is a highly-scalable, integrated framework of
compliance technologies, which enables organizations to quickly and easily
measure security and compliance across the enterprise network. Built upon a SOA architecture, the Risk Automation Suite installs in
less than one day and easily scales to any enterprise class network, including
networks exceeding 100,000's of network assets. The Risk Automation Suite is
compatible and built upon all SCAP components; CVE, CCE, CPE, CVSS, XCCDF and
OVAL. The Risk Automation Suite will quickly discover and classify every asset
connected to the network, scan the appropriate assets for compliance with
Federal standards (i.e. FDCC), and provide a centralized portal for continuous,
repeatable measurement and reporting.
The Open Vulnerability Assessment Language is used by the Risk Automation Suite
to define and test system vulnerabilities, patches and configuration values.
OVAL content, consisting of configuration and patch definitions, can be
imported into the Risk Automation Suite and included in the Risk Automation
Suite scanning processes. The Risk Automation Suite interprets OVAL definitions,
executes scans remotely against target machines and returns the OVAL test results
to the Risk Automation Suite portal for measurement against XCCDF checklists
and benchmarks. OVAL references including the definition can be viewed in the
Risk Automation Suite "Control Detail Report" and "Edit
Control" dialogue for any imported OVAL definitions.
Leveraging the SCAP standards, the Risk Automation Suite automates
enterprise-wide asset discovery, vulnerability detection, configuration
reporting, and policy compliance measurement in a single, easy to deploy, easy
to manage solution. The Risk Automation Suite Portal offers powerful asset
classification, scheduling and reporting features to provide users with
complete command and control over enterprise scans and report generation. Large
government and commercial entities rely on the Risk Automation Suite to
continuously measure IT security and compliance with government policies and
standards, including: HIPAA, PCI, FISMA, FDCC, C&A criteria, and NIST 800
Series standards.