ArcSight ESM 6.0c Patch 1. Security Target




ArcSight ESM 6.0c Patch 1 Security Target
Version 2.0
12 February 2014

Prepared for:
ArcSight, an HP Company
1140 Enterprise Way
Sunnyvale, CA 94089

Prepared by:
Science Applications International Corporation
Common Criteria Testing Laboratory
6841 Benjamin Franklin Drive
Columbia, MD 21046

Table of Contents

1. Security Target Introduction
  1.1 Security Target, TOE, and CC Identification
  1.2 Conformance Claims
  1.3 Conventions, Terminology, and Acronyms
    1.3.1 Conventions
    1.3.2 Terminology and Abbreviations
  1.4 TOE Documentation
2. TOE Description
  2.1 TOE Architecture
    2.1.1 ArcSight Console
    2.1.2 ArcSight Manager
    2.1.3 CORR-Engine
    2.1.4 ArcSight SmartConnectors
  2.2 TOE Physical Boundaries
  2.3 TOE Logical Boundaries
    2.3.1 TOE Security Features
    2.3.2 Capabilities Provided by the Operational Environment
    2.3.3 Capabilities Excluded from the Scope of Evaluation
3. Security Problem Definition
  3.1 Threats to Security
    3.1.1 TOE Threats
    3.1.2 Analytical Threats
  3.2 Organization Security Policies
  3.3 Secure Usage Assumptions
    3.3.1 Intended Usage Assumptions
    3.3.2 Physical Assumptions
    3.3.3 Personnel Assumptions
4. Security Objectives
  4.1 TOE Security Objectives
  4.2 Security Objectives for the Environment
5. IT Security Requirements
  5.1 TOE Security Functional Requirements
    5.1.1 Security Audit (FAU)
    5.1.2 Identification and authentication (FIA)
    5.1.3 Security management (FMT)
    5.1.4 Protection of the TOE security functions (FPT)
    5.1.5 IDS Component Requirements (IDS)
  5.2 TOE Security Assurance Requirements
    5.2.1 Development (ADV)
    5.2.2 Guidance documents (AGD)
    5.2.3 Life-cycle support (ALC)
    5.2.4 Tests (ATE)
    5.2.5 Vulnerability assessment (AVA)
6. TOE Summary Specification
  6.1 Introduction
    6.1.1 Security Audit
    6.1.2 Identification and Authentication
    6.1.3 Security Management
    6.1.4 Protection of the TSF
    6.1.5 Analyzer Analysis
    6.1.6 Analyzer React
    6.1.7 Analyzer Data Review and Availability
7. Protection Profile Claims
8. Rationale
  8.1 Security Objectives Rationale
  8.2 Security Requirements Rationale
  8.3 Security Assurance Requirements Rationale
  8.4 Requirements Dependency Rationale
  8.5 Extended Requirements Rationale
  8.6 TOE Summary Specification Rationale
  8.7 PP Claims Rationale

List of Figures
Figure 1: TOE Physical Boundaries

List of Tables
Table 1: System Requirements for non-FIPS ArcSight ESM 6.0c Patch 1
Table 2: System Requirements for FIPS 140-2 compliant ArcSight ESM 6.0c
Table 3: Security Functional Components
Table 4: Auditable Events
Table 5: EAL3 Assurance Components
Table 6: Modification of PP claims
Table 7: Security Functions vs. Requirements Mapping

1. Security Target Introduction

The Target of Evaluation (TOE) is ArcSight Enterprise Security Management (ESM) Version 6.0c Patch 1, hereinafter referred to as ESM or the TOE. ESM is an intrusion detection system (IDS) analyzer able to concentrate, normalize, analyze, and report the results of its analysis of security event data generated by various IDS sensors and scanners in the operational environment. ESM integrates existing multi-vendor devices throughout the enterprise into its scope and gathers generated events. ESM allows users to monitor events in real time, correlate events for in-depth investigation and analysis, and resolve events with automated escalation procedures and actions. ESM gathers events generated by multi-vendor devices, normalizes and stores those events in the CORR-Engine, and then filters and correlates those events with rules to generate meta-events.

The TOE is composed of the following components:

- ArcSight Console: provides the primary interface to the TOE for users to manage the TOE's resources and to view and monitor the security events generated by the TOE.
- ArcSight Manager: the central engine of the TOE; it manages the TOE's resources and is responsible for processing, filtering, and correlation of security events.
- Correlation Optimized Retention and Retrieval (CORR)-Engine: provides the repository for storing resources and security events.
- ArcSight SmartConnectors: import security event data generated by security scanners and sensors in the operational environment, normalize the imported data into the TOE's security event format, and forward the security events to the ArcSight Manager for storage and processing.

The evaluated configuration includes the following specific ArcSight SmartConnectors:

- SnortDB: Snort is an open-source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, including buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts. This ArcSight SmartConnector imports events generated by Snort (and stored in a database) into the TOE.
- NessusXML: Nessus is a remote security scanner. The Nessus Vulnerability Scanner is able to remotely audit a given network and determine whether it has been broken into or misused in some way. This ArcSight SmartConnector imports events generated by the Tenable Nessus XML File device into the TOE.
- Checkpoint-OPSECNG: Check Point's Open Platform for Security (OPSEC) integrates and manages all aspects of network security through an open, extensible management framework. The Check Point OPSEC Software Development Kit (SDK) provides Application Programming Interfaces (APIs) for open protocols. It includes the Log Export API (LEA), which lets ArcSight securely receive both real-time and historical auditing log data generated by Check Point OPSEC NG. The ArcSight SmartConnector for Check Point OPSEC NG devices uses LEA exclusively. The LEA allows Check Point log data to be exported to third-party applications such as the ArcSight SmartConnector; these applications are called LEA Clients. When the connection between the LEA Server (usually a FW-1 Management Server) and the SmartConnector (LEA Client) is established, the LEA Server sends all the records in the log file to the connector, one after the other.
- Cisco Secure IPS SDEE: Cisco IPS Sensors are network security appliances that detect unauthorized activity over the network, analyzing traffic in real time and letting users quickly respond to security breaches. When unauthorized activity is detected, the sensors can send alarms providing details of the activity and can control other systems, such as routers, to terminate the unauthorized session or sessions. This ArcSight SmartConnector works as an IPS client and imports events generated by Cisco IPS sensors into the TOE.
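The normalize-then-correlate pipeline described above, as an added illustration that is not code from this ST or from the ArcSight product: four constructed sample records, one per evaluated SmartConnector source (a SnortDB row, a Nessus XML report fragment, a Check Point LEA record and a Cisco SDEE alert), are mapped onto a single hypothetical common event schema, and one hypothetical correlation rule raises a meta-event when an IDS alert targets a host that the scanner reports as seriously vulnerable. The record layouts, the 1 to 10 severity scale and the rule are simplifications assumed for the example; the ArcSight event format itself is not reproduced here.

```python
from dataclasses import dataclass, field
from typing import Optional
import xml.etree.ElementTree as ET


@dataclass
class Event:
    """Hypothetical common event schema (an assumption, not ArcSight's own format)."""
    source: str            # SmartConnector that produced the event
    category: str          # "ids_alert", "vulnerability" or "firewall"
    src_ip: Optional[str]
    dst_ip: str
    name: str
    severity: int          # normalised to 1 (low) .. 10 (high)


def from_snortdb(row: dict) -> Event:
    """Snort stores priority 1 as most severe; map priorities 1..3 onto the common scale."""
    sev = {1: 9, 2: 6, 3: 3}.get(row["sig_priority"], 1)
    return Event("SnortDB", "ids_alert", row["ip_src"], row["ip_dst"], row["sig_name"], sev)


def from_nessus_xml(xml_text: str) -> list:
    """One vulnerability event per ReportItem; Nessus severity 0..4 becomes 1..9."""
    events = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0")) * 2 + 1
            events.append(Event("NessusXML", "vulnerability", None, host.get("name"),
                                item.get("pluginName"), sev))
    return events


def from_checkpoint_lea(record: str) -> Event:
    """LEA records are modelled as key=value fields; a drop is rated above an accept."""
    fields = dict(kv.split("=", 1) for kv in record.split())
    sev = 5 if fields.get("action") == "drop" else 2
    name = "%s by rule %s" % (fields.get("action"), fields.get("rule", "?"))
    return Event("Checkpoint-OPSECNG", "firewall", fields.get("src"), fields["dst"], name, sev)


def from_cisco_sdee(xml_text: str) -> Event:
    """SDEE alerts are modelled with a textual severity and attacker/target participants."""
    root = ET.fromstring(xml_text)
    sev = {"informational": 2, "low": 4, "medium": 6, "high": 9}[root.get("severity")]
    return Event("Cisco Secure IPS SDEE", "ids_alert",
                 root.findtext("participants/attacker/addr"),
                 root.findtext("participants/target/addr"),
                 root.find("signature").get("description"), sev)


@dataclass
class MetaEvent:
    name: str
    dst_ip: str
    severity: int
    base_events: list = field(default_factory=list)


def correlate(events: list) -> list:
    """Hypothetical rule: an IDS alert against a host that a scanner reports as
    seriously vulnerable (severity >= 7) yields a meta-event one step more severe."""
    vulnerable = {}
    for e in events:
        if e.category == "vulnerability" and e.severity >= 7:
            vulnerable.setdefault(e.dst_ip, []).append(e)
    metas = []
    for e in events:
        if e.category == "ids_alert" and e.dst_ip in vulnerable:
            metas.append(MetaEvent("Attack against vulnerable host", e.dst_ip,
                                   min(10, e.severity + 1), [e] + vulnerable[e.dst_ip]))
    return metas


# Constructed sample records, one per evaluated SmartConnector source.
SNORT_ROW = {"sig_name": "WEB-ATTACKS /bin/sh command attempt", "sig_priority": 1,
             "ip_src": "198.51.100.7", "ip_dst": "10.0.0.5"}
NESSUS_XML = """<NessusClientData_v2><Report><ReportHost name="10.0.0.5">
  <ReportItem pluginID="12345" severity="4" pluginName="Apache mod_cgi remote code execution"/>
  <ReportItem pluginID="10287" severity="0" pluginName="Traceroute Information"/>
</ReportHost></Report></NessusClientData_v2>"""
LEA_RECORD = "action=accept src=198.51.100.7 dst=10.0.0.5 service=http rule=12"
SDEE_XML = """<evIdsAlert severity="medium"><signature id="3030" description="TCP SYN Host Sweep"/>
  <participants><attacker><addr>198.51.100.7</addr></attacker>
  <target><addr>10.0.0.9</addr></target></participants></evIdsAlert>"""


def demo() -> list:
    events = [from_snortdb(SNORT_ROW), *from_nessus_xml(NESSUS_XML),
              from_checkpoint_lea(LEA_RECORD), from_cisco_sdee(SDEE_XML)]
    return correlate(events)


if __name__ == "__main__":
    for m in demo():
        print(m.severity, m.name, m.dst_ip, [e.source for e in m.base_events])
```

Running the script yields a single meta-event: the Snort alert against 10.0.0.5 is joined with the Nessus finding for the same host and raised to severity 10, while the Cisco SDEE sweep against 10.0.0.9 produces no meta-event because no scanner result marks that host as vulnerable. The normalisers do the part the ST assigns to the SmartConnectors; the rule does the part assigned to the Manager.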

The following components are included in the ESM software, but are outside the scope of the evaluated configuration:

- Pattern Discovery is a feature of the ArcSight Manager that is licensed separately and is not enabled as part of the TOE. The component mines historical trends to baseline and profile expected behavior. Pattern Discovery is used as a learning tool that an authorized user can use on the gathered information to create policies. The TOE itself offers the capabilities for the authorized users to define policies and rules without the use of this tool.
- All SmartConnectors except for the four listed above that have been chosen to be part of the TOE.
- Management Console is a web-based interface used to view dashboards, monitor events, manage users, and manage connectors. The Connector management component is a separately licensed component of the Management Console. Note that these capabilities are still available through the ArcSight Console.
- ArcSight Web is a web-based interface used to monitor events, view dashboards, view cases, acknowledge notifications, access reports, and access the Knowledge Base. ArcSight Web is a separately licensed component.
- ArcSight Express includes a set of rules, report templates, alerts and dashboards that allow smaller security teams to gain visibility into their environment on the first day, with no rule/report development required. ArcSight Express is marketed as "Security in a box" and does not expose all of the functionality and security functions being claimed in this Security Target. ArcSight Express is a separately licensed product.

The remainder of this section identifies the Security Target (ST), the Target of Evaluation (TOE), and Security Target conventions, conformance claims, and organization. The Security Target contains the following additional sections:

- Section 2, Target of Evaluation (TOE) Description: gives an overview of the TOE, describes the TOE in terms of physical and logical boundaries, and states the scope of the TOE.
- Section 3, Security Problem Definition: details the expectations of the environment, the threats that are countered by the TOE and its environment, and the organizational security policies that the TOE must fulfill.
- Section 4, TOE Security Objectives: details the security objectives of the TOE and operational environment.
- Section 5, IT Security Requirements: presents the Security Functional Requirements (SFRs) for the TOE, and details the assurance requirements for EAL3 augmented with ALC_FLR.2.
- Section 6, TOE Summary Specification: describes the security functions represented in the TOE that satisfy the security requirements.
- Section 7, Protection Profile Claims: presents any protection profile claims.
- Section 8, Rationale: closes the ST with justifications for security objectives, stated requirements, and TOE summary specification as to their consistency, completeness, and suitability.

1.1 Security Target, TOE, and CC Identification

ST Title: ArcSight ESM Version 6.0c Patch 1 Security Target

ST Version: Version 2.0
ST Date: 05 November 2013
TOE Identification: The TOE is ArcSight ESM Version 6.0c Patch 1 comprising:
  ArcSight Console:
    ArcSight-6.0.0.1333.0-Console-Win.exe with patch Patch-6.0.0.1378.1-Console-Win.exe
    6.0.0.1333.0-Console-Linux.bin with patch Patch-6.0.0.1378.1-Console-Linux.bin
  ArcSight SmartConnectors (SnortDB, NessusXML, Checkpoint-OPSECNG, Cisco Secure IPS SDEE):
    ArcSight-6.0.1.6574.0-Connector-Win.exe
    ArcSight-6.0.1.6574.0-Connector-Linux.bin
  ArcSight Manager with CORR-Engine:
    ArcSightESMSuite-1208.tar, which includes ArcSight-6.0.0.1333.0-Manager-Linux.bin, with patch ArcSightESMSuite-1254.tar, which includes ArcSight-6.0.0.1378.0-Manager-Linux.bin
TOE Developer: ArcSight, an HP Company
Evaluation Sponsor: ArcSight, an HP Company
CC Identification: Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 3, July 2009

1.2 Conformance Claims

This ST and the TOE it describes are conformant to the following Common Criteria (CC) specifications:

- Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1, Revision 3, July 2009: Part 2 Extended
- Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1, Revision 3, July 2009: Part 3 Conformant

This ST and the TOE it describes are conformant to the following package: EAL 3 augmented with ALC_FLR.2.

The TOE is further conformant to the following Protection Profile (PP): U.S. Government Protection Profile Intrusion Detection System Analyzer For Basic Robustness Environments, Version 1.3, July 25, 2007.

ArcSight has elected to pursue a more rigorous assurance evaluation. The product meets all the U.S. Government Intrusion Detection System Analyzer Protection Profile functional and assurance requirements; additionally, the TOE conforms to all the assurance requirements for an EAL3 product and includes flaw remediation. The resulting assurance level is therefore EAL3 augmented with ALC_FLR.2.

1.3 Conventions, Terminology, and Acronyms

1.3.1 Conventions

The following conventions have been applied in this document:

Security Functional Requirements: Part 2 of the CC defines the approved set of operations that may be applied to functional requirements: iteration, assignment, selection, and refinement.

- Iteration: allows a component to be used more than once with varying operations. In the ST, iteration is indicated by a letter in parentheses placed at the end of the component. For example, FDP_ACC.1(a) and FDP_ACC.1(b) indicate that the ST includes two iterations of the FDP_ACC.1 requirement, a and b.
- Assignment: allows the specification of an identified parameter. Assignments are indicated using bold text surrounded by brackets (e.g., [assignment]).
- Selection: allows the specification of one or more elements from a list. Selections are indicated using bold italics text surrounded by brackets (e.g., [selection]).
- Refinement: allows the addition of details. Refinements are indicated using bold, for additions, and strike-through, for deletions (e.g., "all objects" or "some big things").

Extended Requirements (i.e., those not found in Part 2 of the CC) are identified with (EXT) following the identification of the new functional class/name (i.e., Intrusion Detection System (IDS)) and the associated family descriptor. Example: Analyzer analysis (EXT) (IDS_ANL.1).

Other sections of the ST: Other sections of the ST use bolding to highlight text of special interest, such as captions.

1.3.2 Terminology and Abbreviations

Refer to the U.S. Government Intrusion Detection System Analyzer Protection Profile for a glossary of terms associated with IDS Analyzer technology. In addition, the following terms are used within this Security Target.

API: Application Programming Interface
authorized user: An ESM user, i.e., a user with an account managed by ESM. Every authorized user is assigned to one of the default roles provided by the TOE (Administrator, Analyzer Administrator, Operator, Analyst).
ESM: Enterprise Security Management, the name of the TOE described in this ST.
ESM Administrator: An authorized user assigned the Administrator role on the TOE, as distinct from System Administrator and RDBMS Administrator. Whenever this ST uses the term Administrator without qualification, ESM Administrator is meant.
GUI: Graphical User Interface
IDS: Intrusion Detection System
IMAP: Internet Message Access Protocol, an application layer Internet protocol that allows an e-mail client to access e-mail on a remote mail server.
JCE: Java Cryptography Extension, an officially released Standard Extension to the Java Platform. JCE provides a framework and implementation for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. The TOE uses the SunJCE as its default cryptographic provider.
JVM: Java Virtual Machine, a virtual machine capable of executing Java bytecode. It is the code execution component of the Java software platform.
LDAP: Lightweight Directory Access Protocol, an application protocol for querying and modifying data using directory services running over TCP/IP.
NSS: Network Security Services
OS: Operating System
POP3: Post Office Protocol, Version 3, an application layer Internet standard protocol used by local e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection.

RADIUS: Remote Authentication Dial In User Service, a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers to connect and use a network service.
Resources: Refers specifically in this ST and the TOE guidance documentation to the objects the TOE employs to manage the logic used to process events. Examples of TOE resources include: active channels; data monitors; filters; cases; assets; queries; trends; report templates; rules; and packages. A resource defines the properties, values, and relationships used to configure the functions the TOE performs. Resources can also be the output of such a configuration.
SMTP: Simple Mail Transfer Protocol, an Internet standard for e-mail transmission across Internet Protocol (IP) networks.
SSL: Secure Sockets Layer
System Administrator: A user defined in the underlying operating system supporting the TOE that has been granted administrator privileges in that operating system (e.g., Windows Administrator, Unix root), as distinct from ESM Administrator.

1.4 TOE Documentation

This section identifies the guidance documentation included in the TOE. The documentation comprises:

- Installation and Configuration Guide: ArcSight ESM Version 6.0c, October 10, 2012
- ArcSight ESM Administrator's Guide: ArcSight ESM Version 6.0c, September 27, 2012
- ArcSight Console User's Guide: ArcSight ESM Version 6.0c, September 20, 2012
- SmartConnector Configuration Guide for Check Point OPSEC NG, December 21, 2012
- SmartConnector Configuration Guide for Cisco Secure IPS SDEE, September 28, 2012
- SmartConnector Configuration Guide for Tenable Nessus XML File, May 15, 2012
- SmartConnector Configuration Guide for Snort DB, May 15, 2012
- Common Criteria Evaluated Configuration Guide: ArcSight ESM 6.0c Patch 1

2. TOE Description

The TOE, ArcSight ESM Version 6.0c Patch 1, is a security management software product designed to monitor, analyze, and report on network anomalies identified by third-party network monitoring devices (e.g., Intrusion Detection System (IDS) Sensors or IDS Scanners, firewalls, etc.). ESM also includes the capability to provide enterprise-wide monitoring for sub-networks monitored by non-homogeneous network monitors. As such, ESM provides a solution for managing all network events and/or activities in an enterprise from a centralized view. ESM allows authorized users to monitor events, correlate events for in-depth investigation and analysis, and resolve events with automated escalation procedures and actions.

The TOE can be installed on a wide range of supported platforms, the details of which are provided below in section 2.2. All of the components can be installed on the same machine or all on different machines. The authorized users access the TOE locally via the ArcSight Console. The TOE in its evaluated configuration does not provide interfaces to other external IT products.

2.1 TOE Architecture

The TOE, ArcSight ESM 6.0c Patch 1, comprises a number of different components that provide a comprehensive security event management system.

2.1.1 ArcSight Console

ArcSight Console is a centralized view into an enterprise that provides real-time monitoring, in-depth investigative capabilities, and automated responses and resolutions to events. The ArcSight Console provides authorized users with a graphical user interface (GUI) to perform security management functions, including management of TOE resources, management of the TOE's analysis and reaction functions, and viewing audit data and analysis results. The ArcSight Console connects to a single ArcSight Manager at a time via the network. The ArcSight Console requires the underlying operating system to provide protection for the TOE. The underlying operating system is considered part of the environment.

2.1.2 ArcSight Manager

ArcSight Manager is a high-performance engine that manages, correlates, filters, and processes all occurrences of security events within the enterprise. The ArcSight Manager sits at the center of ESM and acts as a link between the ArcSight Console, CORR-Engine, and ArcSight SmartConnectors. The ArcSight Manager relies on the underlying operating system to provide a file system to store configuration files and error logs. The ArcSight Manager requires the underlying operating system to also protect the file system. The file system as well as the underlying operating system is considered part of the environment. For the ArcSight Manager to send notification messages via e-mail, the Outgoing Mail Server (part of the environment) must be accessible from the ArcSight Manager. ArcSight Manager uses Simple Mail Transfer Protocol (SMTP) to send e-mail.

2.1.3 CORR-Engine

The Correlation Optimized Retention and Retrieval (CORR) Engine is the logical access mechanism, particular schema, and table spaces that store all captured events and save all security management configuration information, such as system users, groups, permissions, defined rules, zones, assets, report templates, displays, and preferences. The CORR-Engine stores data in data files on the file system available to the operating system where ArcSight Manager is also installed. The ArcSight Manager is the only component that communicates directly with the CORR-Engine.

2.1.4 ArcSight SmartConnectors

ArcSight SmartConnectors collect and process events generated by security devices (Targeted IT systems) throughout an enterprise. The devices are considered part of the environment in which the TOE operates. The devices consist of routers, e-mail logs, anti-virus products, firewalls, Intrusion Detection Systems, access control servers, VPN systems, anti-DoS appliances, operating system logs, and other sources where information on security threats is detected and reported. ArcSight SmartConnectors can be installed on the ArcSight Manager machine, on a separate host machine, or, when supported, directly on a device. ArcSight SmartConnectors rely on the underlying operating system to cache events (security events and error logs) if they cannot be delivered immediately to the ArcSight Manager due to communication problems, or if the ArcSight Manager is experiencing temporary bursts of events. ArcSight SmartConnectors require the underlying operating system to provide protection for the TOE. The underlying operating system is considered part of the environment.

The SmartConnectors that are included in the evaluated configuration are:

- SnortDB: Snort is an open-source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, including buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts. The ArcSight SmartConnector imports events generated by Snort (and stored in a database) into the ArcSight system.
- NessusXML: Nessus is a powerful, up-to-date, and easy-to-use remote security scanner. The Nessus Vulnerability Scanner is able to remotely audit a given network and determine whether it has been broken into or misused in some way. The ArcSight SmartConnector imports events generated by the Tenable Nessus XML File device into the ArcSight system.
- Checkpoint-OPSECNG: Check Point's Open Platform for Security (OPSEC) integrates and manages all aspects of network security through an open, extensible management framework. The Check Point OPSEC Software Development Kit (SDK) provides Application Programming Interfaces (APIs) for open protocols. It includes the Log Export API (LEA), which lets ArcSight securely receive both real-time and historical auditing log data generated by Check Point. The ArcSight SmartConnector for Check Point devices (including VPN-1/FW-1) uses LEA exclusively. The LEA lets Check Point log data be exported to third-party applications such as the ArcSight SmartConnector; these applications are called LEA Clients. When the connection between the LEA Server (usually a FW-1 Management Server) and the SmartConnector (LEA Client) is established, the LEA Server sends all the records in the log file to the connector, one after the other.
- Cisco Secure IPS SDEE: Cisco IPS Sensors are network security appliances that detect unauthorized activity over the network, analyzing traffic in real time and letting users quickly respond to security breaches. When unauthorized activity is detected, the sensors can send alarms providing details of the activity and can control other systems, such as routers, to terminate the unauthorized session or sessions. Sensor installation requires seven simple addressing parameters and no special training. When the sensor is installed, it immediately begins monitoring as a promiscuous device by default. The ArcSight SmartConnector works as an IPS client and imports events generated by Cisco IPS sensors into the ArcSight ESM system.

2.2 TOE Physical Boundaries

The ArcSight Console, ArcSight Manager and ArcSight SmartConnectors are implemented as Java applications and execute in the context of an underlying Java Virtual Machine (JVM). This allows the components to be supported on a wide range of platforms and specific operating systems, as indicated in Tables 1 and 2 below. The ArcSight Console and ArcSight Manager components are supported on JVM 1.6.0_20, while the ArcSight SmartConnectors are supported on JVM 1.6.0_26. The following diagram is a representation of the physical boundaries of the TOE and its components.

Figure 1: TOE Physical Boundaries

The primary means for authorized users to interact with the TOE is via the ArcSight Console. In addition, the TOE provides various command scripts and utility programs, generically termed ArcSight Commands or shell commands (because they are executed from a command prompt or command shell on the underlying operating system). The shell commands are described in the guidance documentation and are categorized as follows:

- Allowed for use in the evaluated configuration
- Allowed only for installation/initial configuration
- Not allowed in the evaluated configuration

The shell commands and their disposition are identified in the Common Criteria Evaluated Configuration Guide, while each command's method of use is fully described in the ESM Administrator's Guide.

The TOE can be configured in either of two security modes: non-FIPS mode (the default mode), and FIPS 140-2 compliant mode. The configured security mode determines the cryptographic protocol and the underlying cryptographic provider the TOE uses to implement secure subsystem communications. In non-FIPS mode, communications between the SmartConnectors and the Manager, and between the Console and the Manager, are protected using SSL v3.0. In this mode, the TOE uses SunJCE and Bouncy Castle as the cryptographic providers: SunJCE is used for SSL and most other cryptographic needs, while Bouncy Castle is used for certificate generation in the TOE's setup wizard. The TOE uses X.509 Version 3 certificates. The maximum key size for the public key in the certificate is 1024 bits.

In FIPS 140-2 mode, the TOE uses the FIPS 140-2 validated Network Security Services (NSS) cryptographic module, version 3.11.4 (FIPS 140-2 certificate 814). Communications between the TOE components are protected using TLS v1.0. For additional information on the NSS cryptographic module, see the ArcSight ESM FIPS 140-2 Compliance Statement and the NSS Cryptographic Module Version 3.11.4 FIPS 140-2 Non-Proprietary Security Policy [1]. While it is recommended that the TOE operate in FIPS 140-2 mode, this is not required for the evaluated configuration. Note that SSL v3.0 and public keys of at most 1024 bits, on which the non-FIPS mode relies, have since been deprecated by industry guidance; this is a further reason to prefer FIPS 140-2 mode where the deployment has a choice.

The following tables outline the system requirements for ESM for non-FIPS and FIPS 140-2 compliant modes. Specific system and installation requirements are documented in Installation and Configuration Guide: ArcSight ESM Version 6.0c.

Component / Platform | Supported Operating System | Typical System Configuration
ArcSight Console / Linux | Red Hat Enterprise Linux 6.2 Workstation, 64-bit | x86-compatible multi-CPU system, 36-128 GB RAM, minimum 250 GB disk space
ArcSight Console / Windows | Microsoft Windows 7 SP1, 64-bit | x86-compatible multi-CPU system, 36-128 GB RAM, minimum 250 GB disk space
ArcSight Manager (includes CORR-Engine) / Linux | Red Hat Enterprise Linux 6.2, 64-bit | 8-core processor, 36 GB RAM, minimum 250 GB disk space (RAID 10, 15,000 RPM)
ArcSight SmartConnectors / Linux | Red Hat Enterprise Linux 6.2, 64-bit | x86-compatible CPU system, 512 MB memory, 1 GB disk space
ArcSight SmartConnectors / Windows | Microsoft Windows Server 2008 R2, 64-bit | x86-compatible CPU system, 512 MB memory, 1 GB disk space

Table 1: System Requirements for non-FIPS ArcSight ESM 6.0c Patch 1

Component / Platform | Supported Operating System | Typical System Configuration
ArcSight Console / Linux | Red Hat Enterprise Linux 6.2 Workstation, 64-bit | x86-compatible multi-CPU system, 2-4 GB RAM, 2 GB disk space
ArcSight Manager (includes CORR-Engine) / Linux | Red Hat Enterprise Linux 6.2 Workstation, 64-bit | x86-compatible multi-CPU system, 36-128 GB memory, 250 GB disk space
ArcSight SmartConnectors / Linux | Red Hat Enterprise Linux 6.2 Workstation, 64-bit | x86-compatible CPU system, 512 MB memory, 1 GB disk space

Table 2: System Requirements for FIPS 140-2 compliant ArcSight ESM 6.0c

[1] Available at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf.

In summary, the evaluated TOE configuration includes the following components:

- ArcSight Console
- ArcSight SmartConnectors: SnortDB, NessusXML, Checkpoint-OPSECNG, Cisco Secure IPS SDEE
- ArcSight ESM Suite, which includes Manager and CORR-Engine

The following ESM components are outside the evaluated configuration since they are not considered part of the core product and/or require a separate license to activate. Licensing, installing, or enabling these components, which have not been subject to evaluation and are not part of the evaluated configuration of the TOE, will render the TOE out of its evaluated configuration.

- SmartConnectors, except the four identified above
- Pattern Discovery
- Management Console
- ArcSight Web
- ArcSight Express

Other operating environment components in support of the TOE can be described in terms of the following components:

- Targeted IT systems (devices) in the environment sending and/or receiving network traffic and/or security-relevant network operational data.
- SMTP Server to support e-mail notifications. POP3 and IMAP can be used to check for e-mail acknowledgments.

2.3 TOE Logical Boundaries

This section describes the logical scope of the TOE, i.e., the logical security features offered by the TOE, in terms of the following security functions: Audit; Identification and Authentication; Security Management; Protection of the TSF; and IDS Analyzer. In addition, this section identifies all capability to be provided by the operational environment, and those TOE capabilities excluded from the scope of evaluation.

2.3.1 TOE Security Features

2.3.1.1 Audit
ArcSight ESM 6.0c records two types of events, security events and analyzer events. The analyzer events include the events collected from the managed network via the SmartConnectors and discussed under the IDS Component Requirements. The security events relate to the proper functioning and use of the system, and allow authorized users to track the management functions performed. The TOE provides Administrators and Analyzer Administrators with capabilities to review the generated security events. The Administrator and Analyzer Administrator roles are able to select what security events are actually generated by the TOE. Generated security events are stored in the CORR-Engine. The TOE monitors the amount of space available for storing security events and sends a notification to a configured destination (e.g., an ESM Administrator) if the space drops below a configured level. In the event the security event storage space is exhausted, the Manager stops receiving events from SmartConnectors (which are then cached on the SmartConnector hosts) until such time as space becomes available.

2.3.1.2 Identification & Authentication
The ArcSight Manager maintains accounts of the authorized users of the system. The user account includes the following attributes associated with the user: user identity, authentication data (passwords), authorizations (groups or roles), and e-mail address information. This information is stored in the CORR-Engine. ESM requires users to provide unique identification and authentication data before any administrative access to the TOE is granted. ESM provides an authentication mechanism for users. The only authentication mechanism supported by the TOE is passwords.

2.3.1.3 Security Management
The ArcSight Console provides the authorized users with a graphical user interface (GUI) that can be used to configure and modify the functions of the TOE. The functions include the ability to manage user accounts, manage the Analyzer data, and manage the audit functions. The TOE provides the following default security management roles: Administrator; Analyzer Administrator; Operator; and Analyst. The TOE enforces restrictions on which management capabilities are available to each role. Administrators and Analyzer Administrators are able to: modify the behavior of the analysis and reaction functions; determine which auditable events are included in the set of audited events; determine the analyzer events collected and processed by the TOE; and query and modify all other TOE data (except that Analyzer Administrators cannot modify user accounts).

2.3.1.4 Protection of the TSF
ESM is not intended to make data available to other IT products; in fact, in the case of a distributed ESM architecture, the components are expected to be connected with a benign, private, and protected communication network. ArcSight SmartConnectors, ArcSight Manager, and ArcSight Console all protect TSF data from disclosure and modification when transmitted between separate parts of the TOE, by communicating using SSL connections. The underlying operating system is required to provide protection for the TOE and its resources. The underlying operating system is also responsible for providing a reliable timestamp. The underlying operating system is considered part of the operational environment.

2.3.1.5 Analyzer Analysis, Reaction, Data Review and Availability
ESM collects relevant information from one or more network sources and subjects it to statistical and signature-based analysis, depending on configured rules. Rules trigger responses either on first match or after a given threshold has been passed. Notification destinations (e.g., authorized users) can be configured to be notified of a triggered rule at the ArcSight Console or by e-mail. The authorized users can view the analyzer data: reports (including the analytical results), query viewers, configuration information, and other applicable analyzer data that is collected.
To prevent analyzer data loss, a warning is sent to a configured notification destination (e.g., ESM Administrator) should the database begin to run out of storage space for the Analyzer data records. The default setting for generating this notification is 90% of capacity.
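The two triggering behaviours described above (react on first match, or only once a threshold is passed) with delivery to configured Console or e-mail destinations, as an added Python example that is not ArcSight's code. The event fields, rule definitions, thresholds and destinations are constructed for illustration and do not use ESM's rule syntax.

```python
"""First-match and threshold rule triggering over a stream of analyzer events.

Added example, not ArcSight's code. Event records, rule definitions and
notification destinations below are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional, Tuple

Event = Dict[str, object]  # e.g. {"time": 10, "name": "Failed Login", "src": "10.0.0.5"}


@dataclass
class Rule:
    name: str
    condition: Callable[[Event], bool]            # signature-style match on one event
    threshold: int = 1                             # 1 = trigger on first match
    window: int = 0                                # seconds; 0 = no time window
    group_by: Optional[str] = None                 # count matches per this field
    destinations: Tuple[str, ...] = ("console",)   # "console" and/or "email:<addr>"
    action: str = "notify"                         # reaction recorded with the alarm


@dataclass
class Alarm:
    rule: str
    key: Optional[object]
    count: int
    triggered_at: int
    destinations: Tuple[str, ...]
    action: str


@dataclass
class Analyzer:
    rules: List[Rule]
    # per (rule, key): timestamps of matches still inside the rule's window
    _matches: Dict[Tuple[str, object], Deque[int]] = field(
        default_factory=lambda: defaultdict(deque))
    alarms: List[Alarm] = field(default_factory=list)

    def process(self, event: Event) -> List[Alarm]:
        """Evaluate every rule against one event; return the alarms it raised."""
        fired: List[Alarm] = []
        now = int(event["time"])
        for rule in self.rules:
            if not rule.condition(event):
                continue
            key = event.get(rule.group_by) if rule.group_by else None
            hits = self._matches[(rule.name, key)]
            hits.append(now)
            if rule.window:  # drop matches that have aged out of the window
                while hits and now - hits[0] > rule.window:
                    hits.popleft()
            if len(hits) >= rule.threshold:
                alarm = Alarm(rule.name, key, len(hits), now,
                              rule.destinations, rule.action)
                self.alarms.append(alarm)
                fired.append(alarm)
                hits.clear()  # re-arm the rule for the next batch of matches
        return fired


def deliver(alarm: Alarm) -> List[str]:
    """Render one delivery line per configured destination (console or e-mail)."""
    lines = []
    for dest in alarm.destinations:
        if dest == "console":
            lines.append(f"[console] rule={alarm.rule} key={alarm.key} "
                         f"count={alarm.count} action={alarm.action}")
        elif dest.startswith("email:"):
            lines.append(f"[email to {dest[6:]}] rule={alarm.rule} key={alarm.key}")
    return lines


# Constructed rules: one first-match rule and one threshold rule.
RULES = [
    Rule("Malware Signature Seen",
         condition=lambda e: e["name"] == "Malware Detected",
         destinations=("console", "email:soc@example.invalid"),
         action="open case"),
    Rule("Brute Force Login",
         condition=lambda e: e["name"] == "Failed Login",
         threshold=3, window=60, group_by="src",
         destinations=("console",), action="add to suspicious list"),
]

# Constructed event stream (time in seconds).
SAMPLE_EVENTS: List[Event] = [
    {"time": 0,   "name": "Failed Login",     "src": "10.0.0.5"},
    {"time": 5,   "name": "Malware Detected", "src": "10.0.0.9"},
    {"time": 20,  "name": "Failed Login",     "src": "10.0.0.5"},
    {"time": 30,  "name": "Failed Login",     "src": "10.0.0.7"},
    {"time": 40,  "name": "Failed Login",     "src": "10.0.0.5"},  # 3rd within 60 s
    {"time": 200, "name": "Failed Login",     "src": "10.0.0.7"},  # earlier one aged out
]


def run(events: List[Event], rules: List[Rule] = RULES) -> List[Alarm]:
    """Feed the events through a fresh analyzer and return all alarms raised."""
    analyzer = Analyzer(rules)
    for ev in events:
        analyzer.process(ev)
    return analyzer.alarms


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        for line in deliver(a):
            print(line)
```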

2.3.2 Capabilities Provided by the Operational Environment
The TOE relies on the operational environment for the following components and capabilities:
- The underlying operating system of each TOE component is relied on to protect the component and its configuration and log files from unauthorized access.
- The underlying operating system of each TOE component is relied on to provide a reliable date and time stamp for use by the TOE.

2.3.3 Capabilities Excluded from the Scope of Evaluation
The following features and capabilities of the TOE described in the guidance documentation are not included within the scope of the evaluation:
- The ability of the TOE to send Security Events as SNMP traps.
- Support for external LDAP or RADIUS servers for user authentication.

The ArcSight Manager, ArcSight Console, and ArcSight SmartConnector components all rely on properties files that are stored in the file system of the underlying operating system supporting each component. Each properties file is a text file containing pairs of keys and values. The keys determine which setting is configured and the value determines the configuration value. The TOE maintains two versions of each properties file: the default properties file and the user properties file. The default properties files are provided with the TOE. The user properties files are created during initial configuration of the TOE using the appropriate setup wizard (the Manager, Console and SmartConnector components each have their own setup wizard that is automatically launched as part of the component installation and configuration process). Settings in the user properties file for a component override settings in the default properties file for that component. The component first reads in the values in the default properties file, and then reads in the user properties file and updates any settings that have different values. Each component performs bounds and sanity checks on the configuration values before applying them to its configuration. The TOE is fully functional using the default properties set at install time.
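The layered loading just described (defaults first, then user overrides, each value bounds- and sanity-checked before it is applied), as an added Python example that is not ArcSight's code. The file contents, keys, and permitted ranges are constructed for illustration; an override that fails its check is refused and the default value is kept.

```python
"""Layered default/user properties loading with bounds and sanity checks.

Added example, not ArcSight's code: the file contents, keys and limits below
are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample of a default properties file shipped with a component.
DEFAULT_PROPERTIES = """
# default properties (constructed sample)
server.port=8443
storage.warning.percent=90
auth.max.failed.logins=3
ssl.protocol=TLSv1
"""

# Constructed sample of a user properties file written by a setup wizard.
USER_PROPERTIES = """
# user properties (constructed sample): overrides for this installation
server.port=9443
storage.warning.percent=250
auth.max.failed.logins=abc
ssl.protocol=TLSv1
"""


@dataclass
class Check:
    parse: Callable[[str], object]        # convert the raw string
    validate: Callable[[object], bool]    # bounds / sanity predicate
    reason: str                           # human-readable expectation


def _int_in_range(lo: int, hi: int) -> Check:
    return Check(int, lambda v: lo <= v <= hi, f"integer in [{lo}, {hi}]")


# Schema: one check per known key. Unknown keys are refused rather than
# silently stored, so a misspelled override cannot pass unnoticed.
SCHEMA: Dict[str, Check] = {
    "server.port": _int_in_range(1024, 65535),
    "storage.warning.percent": _int_in_range(50, 99),
    "auth.max.failed.logins": _int_in_range(1, 10),
    "ssl.protocol": Check(str, lambda v: v in {"TLSv1"}, "one of {'TLSv1'}"),
}


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value (or key: value) pairs; '#' and '!' lines are comments."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        elif ":" in line:
            key, _, value = line.partition(":")
        else:
            key, value = line, ""
        result[key.strip()] = value.strip()
    return result


def check_value(key: str, raw: str) -> Optional[object]:
    """Return the parsed value if it passes the schema check, else None."""
    check = SCHEMA.get(key)
    if check is None:
        return None
    try:
        value = check.parse(raw)
    except (TypeError, ValueError):
        return None
    return value if check.validate(value) else None


def load_config(default_text: str, user_text: str):
    """Read defaults first, then apply only the user overrides that validate.

    Returns (effective_config, rejected), where rejected maps each refused
    user key to the reason; the default value is kept for such keys.
    """
    config: Dict[str, object] = {}
    rejected: Dict[str, str] = {}
    for key, raw in parse_properties(default_text).items():
        value = check_value(key, raw)
        if value is None:  # shipped defaults must satisfy their own schema
            raise ValueError(f"default for {key!r} fails its schema check")
        config[key] = value
    for key, raw in parse_properties(user_text).items():
        value = check_value(key, raw)
        if value is None:
            reason = SCHEMA[key].reason if key in SCHEMA else "unknown key"
            rejected[key] = f"{raw!r} rejected, expected {reason}"
            continue
        config[key] = value
    return config, rejected


if __name__ == "__main__":
    effective, refused = load_config(DEFAULT_PROPERTIES, USER_PROPERTIES)
    for k, v in sorted(effective.items()):
        print(f"{k} = {v}")
    for k, why in sorted(refused.items()):
        print(f"override for {k} not applied: {why}")
```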
Manual modification of the properties files (e.g., using a text editor in the operational environment) is excluded from the evaluated configuration.

3. Security Problem Definition
The TOE security environment consists of threats to security, organizational security policies, and the secure usage assumptions as they relate to the TOE, ArcSight ESM 6.0c Patch 1 components: ArcSight SmartConnectors, ArcSight Manager with CORR-Engine, and ArcSight Console. The TOE, ArcSight ESM 6.0c Patch 1, a subset of the ArcSight product (footnote 2), provides for a level of protection that is appropriate for IT environments that require:
a) Continuous information about devices and information on a network
b) Indications of vulnerabilities that exist on which network devices
The TOE is not designed to withstand physical attacks directed at disabling or bypassing security features; however, it is designed to withstand logical attacks originating from the attached network. The TOE is suitable for use in both commercial and government environments.

3.1 Threats to Security
The following are threats identified for the TOE and the IT System the TOE monitors. The TOE itself has threats and the TOE is also responsible for addressing threats to the environment in which it resides.

Footnote 2: Refer to Section 1 for the list of the ArcSight ESM 6.0c Patch 1 software components included in the evaluated configuration and the components of the product that are not included within the scope of the evaluation.

3.1.1 TOE Threats
T.COMINT: An unauthorized person may attempt to compromise the integrity of the data analyzed and produced by the TOE by bypassing a security mechanism.
T.COMDIS: An unauthorized person may attempt to disclose the data analyzed and produced by the TOE by bypassing a security mechanism.
T.LOSSOF: An unauthorized person may attempt to remove or destroy data analyzed and produced by the TOE.
T.NOHALT: An unauthorized person may attempt to compromise the continuity of the TOE's analysis functionality by halting execution of the TOE.
T.PRIVIL: An unauthorized user may gain access to the TOE and exploit system privileges to gain access to TOE security functions and data.
T.IMPCON: The TOE may be susceptible to improper configuration by an authorized or unauthorized person causing potential intrusions to go undetected.
T.INFLUX: An unauthorized user may cause malfunction of the TOE by creating an influx of data that the TOE cannot handle.

3.1.2 Analytical Threats
T.FALACT: The TOE may fail to react to identified or suspected vulnerabilities or inappropriate activity.
T.FALREC: The TOE may fail to recognize vulnerabilities or inappropriate activity based on IDS data received from each data source.
T.FALASC: The TOE may fail to identify vulnerabilities or inappropriate activity based on association of IDS data received from all data sources.

3.2 Organization Security Policies
An organizational security policy is a set of rules, practices, and procedures imposed by an organization to address its security needs.
P.ANALYZ: Analytical processes and information to derive conclusions about intrusions (past, present, or future) must be applied to IDS data and appropriate response actions taken.
P.DETECT: Static configuration information that might be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System must be collected.
P.MANAGE: The TOE shall only be managed by authorized users.
P.ACCESS: All data analyzed and generated by the TOE shall only be used for authorized purposes.
P.ACCACT: Users of the TOE shall be accountable for their actions within the IDS.
P.INTGTY: Data analyzed and generated by the TOE shall be protected from modification.
P.PROTCT: The TOE shall be protected from unauthorized accesses and disruptions of analysis and response activities.

3.3 Secure Usage Assumptions
This section contains assumptions regarding the security environment and the intended usage of the TOE.

3.3.1 Intended Usage Assumptions
A.ACCESS: The TOE has access to all the IT System resources necessary to perform its functions.

3.3.2 Physical Assumptions
A.PROTCT: The TOE hardware and software critical to security policy enforcement will be protected from unauthorized physical modification.
A.LOCATE: The processing resources of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access.

3.3.3 Personnel Assumptions
A.MANAGE: There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains.
A.NOEVIL: The authorized administrators are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the TOE documentation.
A.NOTRST: The TOE can only be accessed by authorized users.

4. Security Objectives
This section identifies the security objectives of the TOE and its supporting environment. The security objectives identify the responsibilities of the TOE and its environment in meeting the security needs. Modifications to the security objectives as described in the U.S. Government Protection Profile Intrusion Detection System Analyzer For Basic Robustness Environments, to which this ST claims compliance, are identified in Section 7 Protection Profile Claims.

4.1 TOE Security Objectives
The following are the TOE security objectives:
O.PROTCT: The TOE must protect itself from unauthorized modifications and access to its functions and data.
O.IDACTS: The Analyzer must accept data from IDS Sensors or IDS Scanners and then apply analytical processes and information to derive conclusions about intrusions (past, present, or future).
O.RESPON: The TOE must respond appropriately to analytical conclusions.
O.EADMIN: The TOE must include a set of functions that allow effective management of its functions and data.
O.ACCESS: The TOE must allow authorized users to access only appropriate TOE functions and data.
O.IDAUTH: The TOE must be able to identify and authenticate authorized users prior to allowing access to TOE functions and data.
O.OFLOWS: The TOE must appropriately handle potential audit and Analyzer data storage overflows.
O.AUDITS: The TOE must record audit records for data accesses and use of the Analyzer functions.
O.INTEGR: The TOE must ensure the integrity of all audit and Analyzer data.

4.2 Security Objectives for the Environment
The TOE's operating environment must satisfy the following objectives.
OE.TIME: The IT Environment will provide reliable timestamps to the TOE.
OE.AUDIT_PROTECTION: The IT Environment will provide the capability to protect audit information.
OE.INSTAL: Those responsible for the TOE must ensure that the TOE is delivered, installed, managed, and operated in a manner which is consistent with IT security.
OE.PHYCAL: Those responsible for the TOE must ensure that those parts of the TOE critical to security policy are protected from any physical attack.
OE.CREDEN: Those responsible for the TOE must ensure that all access credentials are protected by the users in a manner which is consistent with IT security.
OE.PERSON: Personnel working as authorized administrators shall be carefully selected and trained for proper operation of the Analyzer.
OE.INTROP: The TOE is interoperable with the IT System it monitors and other IDS components within its IDS.

5. IT Security Requirements

5.1 TOE Security Functional Requirements
This section specifies the security functional requirements (SFRs) for the TOE. All SFRs were drawn from Part 2 of the Common Criteria v3.1 Revision 3 and the Protection Profile (PP) identified in the Protection Profile Claims section. This ST includes a number of extended requirements. Each of the extended requirements is defined in the U.S. Government Protection Profile Intrusion Detection System Analyzer For Basic Robustness Environments. The extended requirements can be identified by the use of the keyword EXT in the title. Every SFR included in the PP is addressed in this Security Target. Each SFR, except as noted in Section 7, was copied from the PP. Each SFR was changed in this ST to complete operations left incomplete by the PP or to make necessary refinements so that the intent of each SFR remains as specified in the PP. Each SFR was also changed, when necessary, to conform to International Interpretations and the version of the CC being claimed.

Security Functional Class | Security Functional Components
Security Audit (FAU) | Audit data generation (FAU_GEN.1); Audit review (FAU_SAR.1); Restricted audit review (FAU_SAR.2); Selectable audit review (FAU_SAR.3); Selective audit (FAU_SEL.1); Guarantees of audit data availability (FAU_STG.2); Prevention of audit data loss (FAU_STG.4)
Identification and authentication (FIA) | User attribute definition (FIA_ATD.1); Timing of authentication (FIA_UAU.1); Timing of identification (FIA_UID.1)
Security management (FMT) | Management of security functions behaviour (FMT_MOF.1); Management of TSF data (FMT_MTD.1); Specification of management functions (FMT_SMF.1); Security roles (FMT_SMR.1)
Protection of the TSF (FPT) | Basic internal TSF data transfer protection (FPT_ITT.1) (footnote 3)
IDS Component Requirements (IDS) | Analyzer analysis (EXT) (IDS_ANL.1); Analyzer react (EXT) (IDS_RCT.1); Restricted data review (EXT) (IDS_RDR.1); Guarantee of analyzer data availability (EXT) (IDS_STG.1); Prevention of analyzer data loss (EXT) (IDS_STG.2)
Table 3: Security Functional Components

Footnote 3: This requirement has been added to protect inter-communications, replacing FPT_ITA.1, FPT_ITC.1, and FPT_ITI.1, per PD-0127.

5.1.1 Security Audit (FAU)

5.1.1.1 Audit data generation (FAU_GEN.1)
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [basic] level of audit; and
c) [Access to the Analyzer and access to the TOE and Analyzer data].

Component | Event | Details
FAU_GEN.1 | Start-up and shutdown of audit functions |
FAU_GEN.1 | Access to Analyzer |
FAU_GEN.1 | Access to the TOE Analyzer data | Object ID, Requested access
FAU_SAR.1 | Reading of information from the audit records |
FAU_SAR.2 | Unsuccessful attempts to read information from the audit records |
FAU_SEL.1 | All modifications to the audit configuration that occur while the audit collection functions are operating |
FAU_STG.4 (footnote 4) | Actions taken due to audit storage failure |
FIA_UAU.1 | All use of the authentication mechanism | User identity, location
FIA_UID.1 | All use of the user identification mechanism | User identity, location
FMT_MOF.1 | All modifications in the behavior of the functions of the TSF |
FMT_MTD.1 | All modifications to the values of TSF data |
FMT_SMF.1 | Use of the management functions |
FMT_SMR.1 | Modifications to the group of users that are part of a role | User identity
Table 4: Auditable Events

FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [the additional information specified in the Details column of Table 4 Auditable Events].

5.1.1.2 Audit review (FAU_SAR.1)
FAU_SAR.1.1 The TSF shall provide [Administrator, Analyzer Administrator] with the capability to read [all audit information] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

5.1.1.3 Restricted audit review (FAU_SAR.2)
FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.

5.1.1.4 Selectable audit review (FAU_SAR.3)
FAU_SAR.3.1 The TSF shall provide the ability to perform [sorting] of audit data based on [date and time, subject identity, type of event, and success or failure of related event].

Footnote 4: It appears the PP inadvertently omitted FAU_STG.4 from the table.

5.1.1.5 Selective audit (FAU_SEL.1)
FAU_SEL.1.1 The TSF shall be able to include or exclude auditable events from the set of audited events based on the following attributes:
a) [event type];
b) [no additional attributes].

5.1.1.6 Guarantees of audit data availability (FAU_STG.2)
FAU_STG.2.1 The TSF shall protect the stored audit records in the audit trail from unauthorized deletion.
FAU_STG.2.2 The TSF shall be able to [prevent] modifications to the audit records.
FAU_STG.2.3 The TSF shall ensure that [the most recent, limited by available audit storage] audit records will be maintained when the following conditions occur: [audit storage exhaustion].

5.1.1.7 Prevention of audit data loss (FAU_STG.4)
FAU_STG.4.1 The TSF shall [prevent auditable events, except those taken by the authorized user with special rights (footnote 5)] and [send an alarm] (footnote 6) if the audit trail is full.

5.1.2 Identification and authentication (FIA)

5.1.2.1 User attribute definition (FIA_ATD.1)
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users:
a) [User identity;
b) Authentication data;
c) Authorizations (groups);
d) Email address; and
e) no other security attributes].

5.1.2.2 Timing of authentication (FIA_UAU.1)
FIA_UAU.1.1 The TSF shall allow [actions where the operational environment has authenticated the user] on behalf of the user to be performed before the user is authenticated.
FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

5.1.2.3 Timing of identification (FIA_UID.1)
FIA_UID.1.1 The TSF shall allow [actions where the operational environment has identified the user] on behalf of the user to be performed before the user is identified.
FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

Application Note: The TOE provides command scripts and utility programs that can be used to support management of the TOE and that are executed from a command prompt or command shell on the underlying operating system. Except where otherwise excluded from the evaluated configuration, these commands can be executed by a user that has access to the underlying operating system, has been successfully identified and authenticated by the underlying operating system, and has appropriate permissions to the operating system file system locations from which the commands are executed.

Footnote 5: The users with the special rights are those in one of the four security management roles (Administrator, Analyzer Administrator, Operator, Analyst).
Footnote 6: The PP indicates this operation as a selection, when in fact it is an assignment. The ST author has indicated the correct operation performed.

5.1.3 Security management (FMT)

5.1.3.1 Management of security functions behavior (FMT_MOF.1)
FMT_MOF.1.1 The TSF shall restrict the ability to [modify the behavior of] the functions [of analysis and reaction] to [Administrator, Analyzer Administrator].

5.1.3.2 Management of TSF data (FMT_MTD.1)
FMT_MTD.1.1 The TSF shall restrict the ability to [query and add Analyzer and audit data, and shall restrict the ability to query and modify all other TOE data] to [Administrator, Analyzer Administrator (cannot modify user accounts)].
Application Note: The statement "query and add Analyzer and audit data" in this requirement refers to the ability to look at and to change the set of events for which audit records and Analyzer data are actually collected. It does not refer to the capability of looking at and changing either the generated audit records or generated Analyzer results. The ability to look at the records within the audit trail is specified using FAU_SAR.1. The ability to look at the Analyzer data is specified using IDS_RDR.1. Furthermore, FMT_MTD.1 is included to satisfy a dependency of FAU_SEL.1. In order to satisfy this dependency, FMT_MTD.1 needs to address management of the selection of audited events from the set of auditable events.

5.1.3.3 Specification of Management Functions (FMT_SMF.1)
FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions: [Management of Analyzer data, Management of Audit functions, Management of user accounts].

5.1.3.4 Security roles (FMT_SMR.1)
FMT_SMR.1.1 The TSF shall maintain the following roles: [Administrator, Analyzer Administrator, Operator, Analyst].
FMT_SMR.1.2 The TSF shall be able to associate users with roles.

5.1.4 Protection of the TOE security functions (FPT)

5.1.4.1 Basic internal TSF data transfer protection (FPT_ITT.1)
FPT_ITT.1.1 The TSF shall protect TSF data from [disclosure, modification] when it is transmitted between separate parts of the TOE by using SSL connections.

5.1.5 IDS Component Requirements (IDS)

5.1.5.1 Analyzer analysis (EXT) (IDS_ANL.1)
IDS_ANL.1.1 The TSF shall perform the following analysis function(s) on all IDS data received:
a) [statistical, signature]; and
b) [no other analytical functions].
IDS_ANL.1.2 The TSF shall record within each analytical result at least the following information:
a) Date and time of the result, type of result, identification of data source; and
b) [no other security relevant information about the result].

5.1.5.2 Analyzer react (EXT) (IDS_RCT.1)
IDS_RCT.1.1 The TSF shall send an alarm to [ESM Manager with CORR-Engine and to any monitoring ArcSight Console session or e-mail address] and take [action specified by the rule that was triggered by the event] when an intrusion is detected.

5.1.5.4 Restricted Data Review (EXT) (IDS_RDR.1)
IDS_RDR.1.1 The Analyzer shall provide [Administrator, Analyzer Administrator, Operator, Analyst] with the capability to read [Analyzer events, reports (that include the analytical results), query viewers, configuration information, and other applicable Analyzer data] from the Analyzer data.
IDS_RDR.1.2 The Analyzer shall provide the Analyzer data in a manner suitable for the user to interpret the information.
IDS_RDR.1.3 The Analyzer shall prohibit all users read access to the Analyzer data, except those users that have been granted explicit read-access. (EXP)

5.1.5.5 Guarantee of Analyzer Data Availability (EXT) (IDS_STG.1)
IDS_STG.1.1 The Analyzer shall protect the stored Analyzer data from unauthorized deletion. (EXP)
IDS_STG.1.2 The Analyzer shall protect the stored Analyzer data from modification. (EXP)
IDS_STG.1.3 The Analyzer shall ensure that [the most recent, limited by available analyzer event storage] Analyzer data will be maintained when the following conditions occur: [Analyzer data storage exhaustion]. (EXP)

5.1.5.6 Prevention of Analyzer data loss (EXT) (IDS_STG.2)
IDS_STG.2.1 The Analyzer shall [prevent Analyzer data, except those taken by the authorized user with special rights (footnote 7)] and send an alarm if the storage capacity has been reached. (EXP)

Footnote 7: The only user with the special rights is the authorized Administrator.

5.2 TOE Security Assurance Requirements
The security assurance requirements for the TOE are the Evaluation Assurance Level 3 (EAL3) augmented with ALC_FLR.2 components as specified in Part 3 of the Common Criteria. Note that the EAL3 requirements that exceed EAL2 are indicated in italics in the following table. No operations are applied to the assurance components.

Requirement Class | Requirement Component
ADV: Development | ADV_ARC.1: Security architecture description; ADV_FSP.3: Functional specification with complete summary; ADV_TDS.2: Architectural design
AGD: Guidance documents | AGD_OPE.1: Operational user guidance; AGD_PRE.1: Preparative procedures
ALC: Life-cycle support | ALC_CMC.3: Authorisation controls; ALC_CMS.3: Implementation representation CM coverage; ALC_DEL.1: Delivery procedures; ALC_DVS.1: Identification of security measures; ALC_FLR.2: Flaw reporting procedures; ALC_LCD.1: Developer defined life-cycle model
ATE: Tests | ATE_COV.2: Analysis of coverage; ATE_DPT.1: Testing: basic design; ATE_FUN.1: Functional testing; ATE_IND.2: Independent testing - sample
AVA: Vulnerability assessment | AVA_VAN.2: Vulnerability analysis
Table 5: EAL3 Assurance Components

5.2.1 Development (ADV)

5.2.1.1 Security architecture description (ADV_ARC.1)
ADV_ARC.1.1D The developer shall design and implement the TOE so that the security features of the TSF cannot be bypassed.
ADV_ARC.1.2D The developer shall design and implement the TSF so that it is able to protect itself from tampering by untrusted active entities.
ADV_ARC.1.3D The developer shall provide a security architecture description of the TSF.
ADV_ARC.1.1C The security architecture description shall be at a level of detail commensurate with the description of the SFR-enforcing abstractions described in the TOE design document.
ADV_ARC.1.2C The security architecture description shall describe the security domains maintained by the TSF consistently with the SFRs.
ADV_ARC.1.3C The security architecture description shall describe how the TSF initialisation process is secure.
ADV_ARC.1.4C The security architecture description shall demonstrate that the TSF protects itself from tampering.
ADV_ARC.1.5C The security architecture description shall demonstrate that the TSF prevents bypass of the SFR-enforcing functionality.
ADV_ARC.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.1.2 Functional specification with complete summary (ADV_FSP.3)
ADV_FSP.3.1D The developer shall provide a functional specification.
ADV_FSP.3.2D The developer shall provide a tracing from the functional specification to the SFRs.
ADV_FSP.3.1C The functional specification shall completely represent the TSF.
ADV_FSP.3.2C The functional specification shall describe the purpose and method of use for all TSFI.
ADV_FSP.3.3C The functional specification shall identify and describe all parameters associated with each TSFI.
ADV_FSP.3.4C For each SFR-enforcing TSFI, the functional specification shall describe the SFR-enforcing actions associated with the TSFI.
ADV_FSP.3.5C For each SFR-enforcing TSFI, the functional specification shall describe direct error messages resulting from security enforcing effects and exceptions associated with invocation of the TSFI.
ADV_FSP.3.6C The functional specification shall summarise the SFR-supporting and SFR-non-interfering actions associated with each TSFI.
ADV_FSP.3.7C The tracing shall demonstrate that the SFRs trace to TSFIs in the functional specification.
ADV_FSP.3.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_FSP.3.2E The evaluator shall determine that the functional specification is an accurate and complete instantiation of the SFRs.

5.2.1.3 Architectural design (ADV_TDS.2)
ADV_TDS.2.1D The developer shall provide the design of the TOE.
ADV_TDS.2.2D The developer shall provide a mapping from the TSFI of the functional specification to the lowest level of decomposition available in the TOE design.

ADV_TDS.2.1C The design shall describe the structure of the TOE in terms of subsystems.
ADV_TDS.2.2C The design shall identify all subsystems of the TSF.
ADV_TDS.2.3C The design shall describe the behaviour of each SFR non-interfering subsystem of the TSF in detail sufficient to determine that it is SFR non-interfering.
ADV_TDS.2.4C The design shall describe the SFR-enforcing behaviour of the SFR-enforcing subsystems.
ADV_TDS.2.5C The design shall summarise the SFR-supporting and SFR-non-interfering behaviour of the SFR-enforcing subsystems.
ADV_TDS.2.6C The design shall summarise the behaviour of the SFR-supporting subsystems.
ADV_TDS.2.7C The design shall provide a description of the interactions among all subsystems of the TSF.
ADV_TDS.2.8C The mapping shall demonstrate that all behaviour described in the TOE design is mapped to the TSFIs that invoke it.
ADV_TDS.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_TDS.2.2E The evaluator shall determine that the design is an accurate and complete instantiation of all security functional requirements.

5.2.2 Guidance documents (AGD)

5.2.2.1 Operational user guidance (AGD_OPE.1)
AGD_OPE.1.1D The developer shall provide operational user guidance.
AGD_OPE.1.1C The operational user guidance shall describe, for each user role, the user-accessible functions and privileges that should be controlled in a secure processing environment, including appropriate warnings.
AGD_OPE.1.2C The operational user guidance shall describe, for each user role, how to use the available interfaces provided by the TOE in a secure manner.
AGD_OPE.1.3C The operational user guidance shall describe, for each user role, the available functions and interfaces, in particular all security parameters under the control of the user, indicating secure values as appropriate.
AGD_OPE.1.4C The operational user guidance shall, for each user role, clearly present each type of security-relevant event relative to the user-accessible functions that need to be performed, including changing the security characteristics of entities under the control of the TSF.
AGD_OPE.1.5C The operational user guidance shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences and implications for maintaining secure operation.
AGD_OPE.1.6C The operational user guidance shall, for each user role, describe the security measures to be followed in order to fulfil the security objectives for the operational environment as described in the ST.
AGD_OPE.1.7C The operational user guidance shall be clear and reasonable.
AGD_OPE.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.2.2 Preparative procedures (AGD_PRE.1)
AGD_PRE.1.1D The developer shall provide the TOE including its preparative procedures.
AGD_PRE.1.1C The preparative procedures shall describe all the steps necessary for secure acceptance of the delivered TOE in accordance with the developer's delivery procedures.
AGD_PRE.1.2C The preparative procedures shall describe all the steps necessary for secure installation of the TOE and for the secure preparation of the operational environment in accordance with the security objectives for the operational environment as described in the ST.
AGD_PRE.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

AGD_PRE.1.2E The evaluator shall apply the preparative procedures to confirm that the TOE can be prepared securely for operation.

5.2.3 Life-cycle support (ALC)

5.2.3.1 Authorisation controls (ALC_CMC.3)
ALC_CMC.3.1D The developer shall provide the TOE and a reference for the TOE.
ALC_CMC.3.2D The developer shall provide the CM documentation.
ALC_CMC.3.3D The developer shall use a CM system.
ALC_CMC.3.1C The TOE shall be labelled with its unique reference.
ALC_CMC.3.2C The CM documentation shall describe the method used to uniquely identify the configuration items.
ALC_CMC.3.3C The CM system shall uniquely identify all configuration items.
ALC_CMC.3.4C The CM system shall provide measures such that only authorised changes are made to the configuration items.
ALC_CMC.3.5C The CM documentation shall include a CM plan.
ALC_CMC.3.6C The CM plan shall describe how the CM system is used for the development of the TOE.
ALC_CMC.3.7C The evidence shall demonstrate that all configuration items are being maintained under the CM system.
ALC_CMC.3.8C The evidence shall demonstrate that the CM system is being operated in accordance with the CM plan.
ALC_CMC.3.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.3.2 Implementation representation CM coverage (ALC_CMS.3)
ALC_CMS.3.1D The developer shall provide a configuration list for the TOE.
ALC_CMS.3.1C The configuration list shall include the following: the TOE itself; the evaluation evidence required by the SARs; the parts that comprise the TOE; and the implementation representation.
ALC_CMS.3.2C The configuration list shall uniquely identify the configuration items.
ALC_CMS.3.3C For each TSF relevant configuration item, the configuration list shall indicate the developer of the item.
ALC_CMS.3.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.3.3 Delivery procedures (ALC_DEL.1)
ALC_DEL.1.1D The developer shall document procedures for delivery of the TOE or parts of it to the consumer.
ALC_DEL.1.2D The developer shall use the delivery procedures.
ALC_DEL.1.1C The delivery documentation shall describe all procedures that are necessary to maintain security when distributing versions of the TOE to the consumer.
ALC_DEL.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.3.4 Identification of security measures (ALC_DVS.1)
ALC_DVS.1.1D The developer shall produce development security documentation.
ALC_DVS.1.1C The development security documentation shall describe all the physical, procedural, personnel, and other security measures that are necessary to protect the confidentiality and integrity of the TOE design and implementation in its development environment.
ALC_DVS.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ALC_DVS.1.2E The evaluator shall confirm that the security measures are being applied.

5.2.3.5 Flaw reporting procedures (ALC_FLR.2)
ALC_FLR.2.1D The developer shall document flaw remediation procedures addressed to TOE developers.
ALC_FLR.2.2D The developer shall establish a procedure for accepting and acting upon all reports of security flaws and requests for corrections to those flaws.
ALC_FLR.2.3D The developer shall provide flaw remediation guidance addressed to TOE users.
ALC_FLR.2.1C The flaw remediation procedures documentation shall describe the procedures used to track all reported security flaws in each release of the TOE.
ALC_FLR.2.2C The flaw remediation procedures shall require that a description of the nature and effect of each security flaw be provided, as well as the status of finding a correction to that flaw.
ALC_FLR.2.3C The flaw remediation procedures shall require that corrective actions be identified for each of the security flaws.
ALC_FLR.2.4C The flaw remediation procedures documentation shall describe the methods used to provide flaw information, corrections and guidance on corrective actions to TOE users.
ALC_FLR.2.5C The flaw remediation procedures shall describe a means by which the developer receives from TOE users reports and enquiries of suspected security flaws in the TOE.
ALC_FLR.2.6C The procedures for processing reported security flaws shall ensure that any reported flaws are remediated and the remediation procedures issued to TOE users.
ALC_FLR.2.7C The procedures for processing reported security flaws shall provide safeguards that any corrections to these security flaws do not introduce any new flaws.
ALC_FLR.2.8C The flaw remediation guidance shall describe a means by which TOE users report to the developer any suspected security flaws in the TOE.
ALC_FLR.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.3.6 Developer defined life-cycle model (ALC_LCD.1)
ALC_LCD.1.1D The developer shall establish a life-cycle model to be used in the development and maintenance of the TOE.
ALC_LCD.1.2D The developer shall provide life-cycle definition documentation.
ALC_LCD.1.1C The life-cycle definition documentation shall describe the model used to develop and maintain the TOE.
ALC_LCD.1.2C The life-cycle model shall provide for the necessary control over the development and maintenance of the TOE.
ALC_LCD.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.4 Tests (ATE)

5.2.4.1 Analysis of coverage (ATE_COV.2)
ATE_COV.2.1D The developer shall provide an analysis of the test coverage.
ATE_COV.2.1C The analysis of the test coverage shall demonstrate the correspondence between the tests in the test documentation and the TSFIs in the functional specification.
ATE_COV.2.2C The analysis of the test coverage shall demonstrate that all TSFIs in the functional specification have been tested.
ATE_COV.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.4.2 Testing: basic design (ATE_DPT.1)
ATE_DPT.1.1D The developer shall provide the analysis of the depth of testing.
ATE_DPT.1.1C The analysis of the depth of testing shall demonstrate the correspondence between the tests in the test documentation and the TSF subsystems in the TOE design.
ATE_DPT.1.2C The analysis of the depth of testing shall demonstrate that all TSF subsystems in the TOE design have been tested.
ATE_DPT.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.4.3 Functional testing (ATE_FUN.1)
ATE_FUN.1.1D The developer shall test the TSF and document the results.
ATE_FUN.1.2D The developer shall provide test documentation.
ATE_FUN.1.1C The test documentation shall consist of test plans, expected test results and actual test results.
ATE_FUN.1.2C The test plans shall identify the tests to be performed and describe the scenarios for performing each test. These scenarios shall include any ordering dependencies on the results of other tests.
ATE_FUN.1.3C The expected test results shall show the anticipated outputs from a successful execution of the tests.
ATE_FUN.1.4C The actual test results shall be consistent with the expected test results.
ATE_FUN.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.4.4 Independent testing - sample (ATE_IND.2)
ATE_IND.2.1D The developer shall provide the TOE for testing.
ATE_IND.2.1C The TOE shall be suitable for testing.
ATE_IND.2.2C The developer shall provide an equivalent set of resources to those that were used in the developer's functional testing of the TSF.
ATE_IND.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ATE_IND.2.2E The evaluator shall execute a sample of tests in the test documentation to verify the developer test results.
ATE_IND.2.3E The evaluator shall test a subset of the TSF to confirm that the TSF operates as specified.

5.2.5 Vulnerability assessment (AVA)

5.2.5.1 Vulnerability analysis (AVA_VAN.2)
AVA_VAN.2.1D The developer shall provide the TOE for testing.
AVA_VAN.2.1C The TOE shall be suitable for testing.
AVA_VAN.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AVA_VAN.2.2E The evaluator shall perform a search of public domain sources to identify potential vulnerabilities in the TOE.
AVA_VAN.2.3E The evaluator shall perform an independent vulnerability analysis of the TOE using the guidance documentation, functional specification, TOE design and security architecture description to identify potential vulnerabilities in the TOE.
AVA_VAN.2.4E The evaluator shall conduct penetration testing, based on the identified potential vulnerabilities, to determine that the TOE is resistant to attacks performed by an attacker possessing Basic attack potential.

6. TOE Summary Specification

This section describes the security functions implemented by the TOE to satisfy the SFRs.

6.1 Introduction

Each of the security function descriptions is organized by the security requirements corresponding to the security function. Each description serves to explain how the corresponding function specifically satisfies each of its related requirements. This serves to both describe the security functions and rationalize that the security functions are suitable to satisfy the necessary requirements.

6.1.1 Security Audit

The TOE processes and records the following general types of event:
- External events: generated by IDS and IPS sensors and scanners in the TOE's operational environment and imported by the TOE for analysis. External events provide the source of the TOE's Analyzer data; they are discussed separately in Section 6.1.7.
- Internal events: these are divided into audit events and status monitor events. Status monitor events provide information on the status and performance of the TOE; they are not discussed further. Audit events provide information on TOE activity, including security-related activity.

6.1.1.1 Audit Data Generation (FAU_GEN.1)

The ArcSight Manager and the various SmartConnectors generate audit events; the SmartConnectors forward their audit events to the Manager. All audit events are stored in CORR-Engine, which is a component of the ESM Suite. ESM is relied upon to protect the data stored in the CORR-Engine, including the audit events. The audit events the TOE can generate include:
- The start-up and shutdown of audit functions (the audit function automatically starts at system start-up and can only be shut down at system shutdown. In both instances, a record of the event is recorded.)
- Access to Analyzer
- Access to the TOE Analyzer data
- Reading of information from the audit records
- Unsuccessful attempts to read information from the audit records
- All modifications to the audit configuration that occur while the audit collection functions are operating
- All use of the authentication mechanism
- All use of the user identification mechanism
- All modifications in the behavior of the functions of the TSF
- All modifications to the values of TSF data
- Use of the management functions
- Modifications to the group of users that are part of a role
- Actions taken by the TOE when the storage space for audit records reaches capacity.

6.1.1.2 Audit Data Review (FAU_SAR.1, FAU_SAR.2, FAU_SAR.3)

The ArcSight Console provides users in the Administrator and Analyzer Administrator roles the ability to view the audit events; these users are expected to view the audit events using the ArcSight Console. Access to the audit events via the ArcSight Console is restricted to the Administrator and Analyzer Administrator roles. The audit events include the date and time of the event, the type of event, the subject identity, and the outcome of the event, such as whether it was a success or failure. The TOE relies on and obtains a reliable date/timestamp from the operational environment. The audit events are presented by the ArcSight Console in a readable format; as such, Administrators and Analyzer Administrators can read and interpret the content of the information. In addition, Administrators and Analyzer Administrators can sort the audit events based on the following event attributes: date and time of the event; subject identity; type of event; and success or failure of the related event.

6.1.1.3 Selectable Audit (FAU_SEL.1)

The ArcSight Console provides Administrators and Analyzer Administrators the ability to include or exclude auditable events based on event type. Administrators and Analyzer Administrators can select to record or not record activity based on a particular event, for example, all use of the authentication mechanism or all modifications in the behavior of the functions of the TSF.

6.1.1.4 Protection of Stored Audit Records (FAU_STG.2, FAU_STG.4)

The ArcSight Manager does not provide any interfaces to modify the audit records. To prevent audit data loss, a warning is sent to a configured notification destination (e.g., an ESM Administrator) should the database begin to run out of storage space for the audit records. Events are stored on a 30-day retention period based on Manager Receipt Time (MRT) of the event. As events age out, the oldest events are removed to make room for the day's events. The default setting for generating the first notification is at 90% of capacity. If the storage space for audit records reaches 98% capacity, space-based retention, which is 26 Gb maximum for events, automatically takes over and another notification is sent. At this time, the oldest events are deactivated to free up space. All incoming ArcSight SmartConnector events are stopped and all events that are currently being processed are stored temporarily in memory of the underlying operating system of the ArcSight Manager until the storage space problem is cleared. The ArcSight Manager continues to create audit events for any scheduled actions or actions triggered by the processing of any events received prior to the storage failure.
Once space is free, the ArcSight Manager begins receiving events from active ArcSight SmartConnectors.

6.1.2 Identification and Authentication

6.1.2.1 User Attribute Definition (FIA_ATD.1)

The ArcSight Manager maintains accounts of the authorized users of the TOE. The user account includes the following attributes associated with the user: user identity; authentication data (password); authorizations (groups, which equate to roles); and e-mail address information. To protect the passwords, the ArcSight Manager stores only MD5 hashes of the passwords in the database. The ArcSight Console provides the GUI for Administrators to create and maintain the user accounts.

6.1.2.2 User Identification and Authentication (FIA_UID.1, FIA_UAU.1)

The ArcSight Console requires authorized users to provide unique identification and authentication data (password) before any administrative access to the ArcSight Console is granted. Each authorized user must be successfully authenticated by providing the correct password associated with the user identity. The TOE enforces the following restrictions on passwords:
- The minimum password length is 6 characters
- The maximum password length is 20 characters
- A password cannot be the same as the name of its User resource, cannot contain whitespace characters (spaces, tabs, etc.), and can have a maximum of three consecutive repeated characters
- Passwords expire after 60 days, requiring the user to change the password
- Accounts that have been inactive for 90 days are deactivated, preventing access

To log in to the ArcSight Console, the user provides the login name and password. The ArcSight Console compares the SHA 256 hash of the password to that stored in the CORR-Engine. If either the login name or the password is incorrect, the login request fails and no administrator functions are made available. As a result of a successful login, the console session is established and the administrator functions appropriate to the user's assigned roles are made available.

The TOE allows a maximum of three consecutive failed login attempts, after which the user account is locked for 10 minutes.
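The password restrictions, expiry, inactivity deactivation and three-strikes lockout listed above can be checked mechanically. The following is an added example written for this page, not ArcSight's own code: the class, function and constant names are assumptions, and the scenario in demo_scenario() is constructed. It implements each stated rule as a separate check so that a reviewer can see which rule a candidate password or login attempt fails.

```python
"""Password-policy and lockout checks modelled on the rules stated in 6.1.2.2.
Added example, not ArcSight code; class and function names are assumptions."""
from datetime import datetime, timedelta

MIN_LEN, MAX_LEN = 6, 20
MAX_REPEAT = 3                      # at most three consecutive repeated characters
PASSWORD_AGE = timedelta(days=60)   # password must be changed after 60 days
INACTIVITY = timedelta(days=90)     # account deactivated after 90 days without use
MAX_FAILURES = 3                    # consecutive failed logins before lockout
LOCKOUT = timedelta(minutes=10)


def max_consecutive_repeat(s):
    """Length of the longest run of one repeated character in s."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def password_violations(password, user_name):
    """Return the rules a candidate password breaks (empty list means accepted)."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append("shorter than 6 characters")
    if len(password) > MAX_LEN:
        problems.append("longer than 20 characters")
    if password == user_name:
        problems.append("same as the User resource name")
    if any(ch.isspace() for ch in password):
        problems.append("contains whitespace")
    if max_consecutive_repeat(password) > MAX_REPEAT:
        problems.append("more than three consecutive repeated characters")
    return problems


class Account:
    """Tracks the time-based rules: password age, inactivity and failed-login lockout."""

    def __init__(self, name, password_set, last_activity):
        self.name = name
        self.password_set = password_set
        self.last_activity = last_activity
        self.failures = 0
        self.locked_until = None

    def status(self, now):
        # Order matters: a deactivated account stays deactivated whatever else applies.
        if now - self.last_activity >= INACTIVITY:
            return "deactivated"
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if now - self.password_set >= PASSWORD_AGE:
            return "password-change-required"
        return "active"

    def record_login(self, success, now):
        """Apply the three-strikes rule; returns the account status after the attempt."""
        current = self.status(now)
        if current != "active":
            return current
        if success:
            self.failures = 0
            self.last_activity = now
            return "active"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + LOCKOUT
            return "locked"
        return "active"


def demo_scenario():
    """Constructed walk-through: three failed logins, lockout expiry, password ageing, inactivity."""
    t0 = datetime(2013, 1, 1, 9, 0)
    acct = Account("bob", password_set=t0, last_activity=t0)
    return [
        acct.record_login(False, t0),
        acct.record_login(False, t0),
        acct.record_login(False, t0),                    # third failure locks the account
        acct.status(t0 + timedelta(minutes=5)),          # still inside the 10-minute lock
        acct.status(t0 + timedelta(minutes=10)),         # lock has expired
        acct.status(t0 + timedelta(days=60)),            # password has reached 60 days
        acct.status(t0 + timedelta(days=90)),            # 90 days without activity
    ]


if __name__ == "__main__":
    print(password_violations("aaaab 1", "alice"))
    print(demo_scenario())
```

The consecutive-repeat rule is the one most often implemented wrongly (counting total occurrences rather than a run), which is why it is isolated in its own helper.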

The ArcSight Console is the primary means for authorized users to interact with the TOE. In addition, the TOE provides various command scripts and utility programs, generically termed ArcSight Commands or shell commands (because they are executed from a command prompt or command shell on the underlying operating system). The shell commands are described in the guidance documentation and are categorized as follows:
- Allowed for use in the evaluated configuration
- Allowed only for installation/initial configuration
- Not allowed in the evaluated configuration.

The shell commands are executed from the \bin directory within the installation directory of the TOE in the underlying operating system's file system. In order to run a shell command, the user first has to be identified and authenticated by the TOE operational environment (i.e., the underlying operating system of the machine on which the TOE component is installed). The following shell commands additionally require the user to provide a user identity and password for a TOE user account: agentsetup; console; managerinventory; and package. These commands (and all other shell commands) are fully described in the Administrator's Guide. For these commands, the ArcSight Manager identifies and authenticates the user, in the same way as a user accessing the TOE via the ArcSight Console.

6.1.3 Security Management

6.1.3.1 Security Management Roles (FMT_SMR.1)

When an Administrator creates a user account, the account is created within a user group. The user is granted the authorizations associated with its containing user group(s) (a user can belong to more than one group). Each user group has an Access Control List (ACL) associated with it that specifies the read and write access that users within the group have to all the resources managed by the TOE. This is the TOE's mechanism for implementing security management roles.
The TOE provides the following built-in security management roles:
- Administrator: uses the ArcSight Console to view the overall health of an enterprise and perform administrative tasks such as managing, configuring, and integrating ESM with multi-vendor devices. Users in the Administrator role have full authorization to perform all functions in the TOE, including modifying the behavior of the TOE's analysis and reaction functions, managing the audit function and creating other users.
- Analyzer Administrator: the Analyzer Administrator role (also identified as Author in the guidance documentation) uses the ArcSight Console to manage resources such as rules, filters, and data monitors, to enforce enterprise security policies and procedures. Users in the Analyzer Administrator role have authorization to modify the behavior of the TOE's analysis and reaction functions and to query and modify most TSF data. However, the Analyzer Administrator role is not able to create or modify user accounts.
- Operator: uses the ArcSight Console to assist in observing, interpreting, and responding to events. Operators can observe real-time and replay events using Views, interpret events with Event Inspector and Replay Controls, and respond to events with preset, automated actions, Replay Control Tools, Reports, and Knowledge Base articles. Users in the Operator role have authorization to view Analyzer events, reports, query viewers, and configuration information, but do not have authorization to modify the behavior of the TOE's analysis and reaction functions, to create or modify user accounts, or to modify the filters that control which auditable events are actually audited.
- Analyst: uses the ArcSight Console to investigate events that have been forwarded to them by security operations center staff and other users, and can create custom resources, such as filters, rules, and data monitors, to respond to security threats. With regard to management of TOE security functions and TSF data, users in the Analyst role have the same authorization levels as Operators.
6.1.3.2 Management of Security Functions Behavior (FMT_MOF.1)

The TOE requires user authentication before any administrative actions, security-related or otherwise, can be performed (other than entry of identification and authentication data) on the ArcSight Console. As a result, only users belonging to one of the security management roles (Administrator, Analyzer Administrator, Operator or Analyst) can access any function on the TOE via the ArcSight Console. The Administrator and Analyzer Administrator roles have the capabilities to modify the behavior of the TOE's analysis and reaction functions, by virtue of having read and write access to the various TOE resources that control how the TOE analyzes and reacts to security events.

6.1.3.3 Management of TSF Data (FMT_MTD.1)

Users with the Administrator or Analyzer Administrator role have the ability to query and modify the configuration of the TOE as it relates to the generation of Analyzer data. The Administrators and Analyzer Administrators can create, modify, delete, configure, and implement the rules on the TOE and the filters that determine which auditable events are actually audited. The Administrator is the only role that can create and modify user accounts.

6.1.3.4 Specification of Management Functions (FMT_SMF.1)

The ArcSight Console implements the GUI that provides the Administrators, Analyzer Administrators, Operators and Analysts with the interface to perform essential security management tasks. The tasks include the ability to manage user accounts, manage the Analyzer data, and manage the audit functions.

6.1.4 Protection of the TSF

6.1.4.1 Internal TOE TSF data transfer (FPT_ITT.1)

The TOE can be configured in either of two security modes: non-FIPS mode (the default mode); and FIPS 140-2 compliant mode. The configured security mode determines the cryptographic protocol and the underlying cryptographic provider the TOE uses to implement secure subsystem communications. In non-FIPS mode, communications between the SmartConnectors and the Manager, and between the Console and the Manager, are protected using SSL v3.0. In this mode, the TOE uses SunJCE and Bouncy Castle as the cryptographic providers; SunJCE is used for SSL and most other cryptographic needs, while Bouncy Castle is used for certificate generation in the TOE's setup wizard. The TOE uses X.509 Version 3 certificates. The maximum key size for the public key in the certificate is 1024 bits.
In FIPS 140-2 mode, the TOE uses the FIPS 140-2 validated Network Security Services (NSS) cryptographic module, version 3.11.4 (FIPS 140-2 certificate 814). Communications between the TOE components are protected using TLS v1.0. For SSL communication, all TOE components that are SSL endpoints (i.e., ArcSight Console, ArcSight Manager, and ArcSight SmartConnectors) need to store two types of key material:
- Key Pairs, consisting of a private key and the matching public key wrapped in an X.509 certificate
- X.509 Certificates of certificate authorities (CAs) whose certificates are trusted.

ArcSight Manager is always the SSL server, and the ArcSight SmartConnectors and the ArcSight Console that communicate with it always represent the SSL client. When an SSL connection is established, the client and server authenticate one another, using the key pairs and certificates in their key stores and trust stores. The server authentication mechanism in SSL requires the ArcSight Manager to have a valid SSL certificate. An SSL certificate contains the ArcSight Manager's public key. The public key is used by the client to encrypt information. Only the ArcSight Manager (using its private key) can decrypt this information. ArcSight Manager's SSL certificate contains a date range for which it is valid as well as the ArcSight Manager's host name.

The SunJCE provider used in non-FIPS mode supplies the following cryptographic services:
- An implementation of the DES and Triple DES symmetric encryption algorithms in Cipher Block Chaining (CBC) mode
- An implementation of the RSA asymmetric encryption algorithm
- An implementation of the HMAC-MD5 and HMAC-SHA1 keyed-hashing algorithms
- An implementation of the Diffie-Hellman key agreement algorithm between two or more parties
- Key generators for generating keys suitable for the DES, Triple DES, HMAC-MD5, and HMAC-SHA1 algorithms
- A Diffie-Hellman key pair generator for generating a pair of public and private values suitable for the Diffie-Hellman algorithm.

The NSS cryptographic module used in FIPS 140-2 mode supplies the following cryptographic services:
- An implementation of the AES (FIPS 197) symmetric encryption algorithm
- Implementations of the Secure Hash Standard (SHA-1, SHA-256, SHA-384, and SHA-512) (FIPS 180-2) for hashing
- An implementation of HMAC (FIPS 198) for keyed hash
- A random number generator (FIPS 186-2 with Change Notice 1) to support encryption key generation
- Implementations of Diffie-Hellman, EC Diffie-Hellman, and Key Wrapping using RSA keys for key establishment
- Implementations of DSA (FIPS 186-2 with Change Notice 1) and RSA (PKCS #1 v2.1) for signature generation and verification.

The following cipher suites are enabled by default:
- TLS_RSA_WITH_AES_128_CBC_SHA
- SSL_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_RSA_WITH_RC4_128_MD5
- SSL_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_RC4_128_MD5

Other supported cipher suites are:
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- SSL_RSA_WITH_DES_CBC_SHA
- SSL_DHE_RSA_WITH_DES_CBC_SHA
- SSL_DHE_DSS_WITH_DES_CBC_SHA
- SSL_RSA_EXPORT_WITH_RC4_40_MD5
- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
- SSL_RSA_WITH_NULL_MD5
- SSL_RSA_WITH_NULL_SHA
- SSL_DH_anon_WITH_RC4_128_MD5
- TLS_DH_anon_WITH_AES_128_CBC_SHA
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
- SSL_DH_anon_WITH_DES_CBC_SHA
- SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA

The following are the only cipher suites available in FIPS mode:
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA

The TOE does not provide the protection described above for the data transmitted to the CORR-Engine. Since the CORR-Engine is part of the ArcSight Manager installation, no additional form of physical security is required.
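The non-FIPS suite list above mixes strong suites with export-grade, NULL-encryption, anonymous-DH, RC4 and single-DES suites, while FIPS mode reduces the set to three AES suites. An administrator reviewing a deployment wants a mechanical way to tell which of the enabled suites carry a known weakness and which are outside the FIPS allow-list. The following audit is an added example, not ArcSight code: the suite names are copied from the lists above, the weakness classification is the editor's own (based on the cipher, MAC and key-exchange tokens in the IANA-style names), and the function names are assumptions.

```python
"""Cipher-suite audit for the suite lists given in 6.1.4.1.
Added example, not ArcSight code; suite names copied from the page, function names assumed."""
import re

# Enabled by default in non-FIPS mode (from the page).
DEFAULT_NON_FIPS = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]
# The only suites available in FIPS 140-2 mode (from the page).
FIPS_ONLY = {
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
}

# Ordered checks: (finding, predicate over the suite name). Each token is read
# straight from the suite name, so the rules generalise to any suite in this naming style.
CHECKS = [
    ("no authentication (anonymous DH)", lambda s: "_anon_" in s),
    ("no encryption (NULL cipher)", lambda s: "_NULL_" in s),
    ("export-grade key length", lambda s: "_EXPORT_" in s),
    ("RC4 stream cipher", lambda s: "_RC4_" in s),
    ("single DES", lambda s: re.search(r"_DES(40)?_", s) is not None),
    ("3DES (64-bit block)", lambda s: "_3DES_" in s),
    ("MD5-based MAC", lambda s: s.endswith("_MD5")),
    ("no forward secrecy (static RSA key exchange)",
     lambda s: s.startswith(("TLS_RSA_", "SSL_RSA_"))),
]


def findings(suite):
    """List the weaknesses detected in one suite name (empty list = no finding)."""
    return [name for name, pred in CHECKS if pred(suite)]


def audit(suites, fips_mode=False):
    """Map each suite to its findings; in FIPS mode also flag suites outside the allow-list."""
    report = {}
    for s in suites:
        f = findings(s)
        if fips_mode and s not in FIPS_ONLY:
            f.append("not permitted in FIPS 140-2 mode")
        report[s] = f
    return report


def clean_suites(suites, fips_mode=False):
    """Suites with no findings at all."""
    return [s for s, f in audit(suites, fips_mode).items() if not f]


if __name__ == "__main__":
    for suite, f in audit(DEFAULT_NON_FIPS).items():
        print(f"{suite}: {', '.join(f) or 'ok'}")
    print("clean in FIPS mode:", clean_suites(sorted(FIPS_ONLY), fips_mode=True))
```

Run against the page's default non-FIPS list, every suite gets at least one finding (the AES suite only for lacking forward secrecy, the rest for RC4, 3DES or MD5), which is the practical argument for operating the TOE in FIPS mode with the DHE suites.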

6.1.5 Analyzer Analysis

6.1.5.1 Analyzer Analysis (IDS_ANL.1)

The ArcSight Manager uses a collection of tools that allow authorized users to track, respond to, and resolve security threats and attacks. The Correlation Engine prioritizes events based on the threat they pose to the protected network, identifies statistical anomalies in the content or volume of events, and uses rules to both correlate events using signatures and trigger automated response actions. The Correlation Engine in ArcSight Manager correlates events across vendor, device, and time. By correlating different events, the Correlation Engine detects successful attacks, their criticality, and threat level. The Correlation Engine is a sub-component of the ArcSight Manager implemented using threat evaluation formulae, statistical data monitors, and rules. The threat evaluation formulae are used to compute a numeric priority for each event. Statistical data monitors generate meta-events when fluctuations are observed in the volume or content of the event stream. Rules may either be a simple filter or may perform a complex join across several events in real time. Rules then aggregate the occurrences of the matching events. Rules trigger responses either on first match or after a given threshold has been passed. A rule threshold is defined as either a set number of matches or a given amount of time. If the threshold is passed, the Correlation Engine generates a derived event and performs the other actions associated with the rule. There are predefined threat level formulae, statistical data monitors, and rules to detect intrusions and perform actions. Some built-in rules and data monitors are designed to monitor the operation and integrity of the ArcSight Manager and ArcSight SmartConnectors. Other rules and data monitors detect and respond to attacks and suspicious activity, specific types of attacks on various sensor types, network components, or assets, and attack results or success of attack.
6.1.6 Analyzer React

6.1.6.1 Analyzer React (IDS_RCT.1)

Rule actions are automatic procedures that occur when all rule conditions and threshold settings have been met. A rule is a programmed procedure that can analyze network events and generate additional correlation events, as determined by security policy. When creating rules, the Analyzer Administrators [8] define the rule events and conditions, thresholds, and rule actions. Conditions define which events trigger the rule, thresholds set when a correlation event is generated, and actions state which responses are taken when a correlation event is generated. A rule requires at least one event and one condition. The Analyzer Administrator can also assign more than one rule action to any rule. For example, the notification rule actions are used to inform ArcSight users that an incident has occurred. The notification may be delivered to the user on the ArcSight Console or by email. Rule actions can also be set to send information about the event to a case or active list. Cases are entries in an event-tracking system used to track, investigate, and resolve suspicious events in a workflow-type environment. When suspicious events occur, cases are created and assigned to users, who then investigate and resolve them based on enterprise policies and practices. Active lists can be used to create a configurable data store that can hold information derived from events or other sources. Active lists can monitor activity based on any rule-driven combination of event attributes or set of custom fields. For example, active lists are very useful for tracking suspicious or hostile IP addresses as well as targets of attacks that may be compromised. The main uses of active lists are to:
- Maintain information, such as in the system content provided Hostile List or Trusted List, which maintain information on hostile and trusted IP addresses (and corresponding zones)
- Check for the existence of particular information in lists using the InActiveList condition.

For example, when a system is compromised (such as in a security breach), it can be added to the compromise list using rule actions. The information in the active list can then be used to collect all the events that occur on the asset while it is compromised. This can be used for tracking and further investigation on other systems that have come into contact with the compromised system.

[8] Note that Administrators also have the capability to create rules.
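Sections 6.1.5 and 6.1.6 describe the correlation mechanism in prose: a rule has a condition, aggregates matching events, fires on first match or when a count-within-a-time-window threshold is passed, emits a derived correlation event, and runs actions such as adding a value to an active list, which another rule can then test with an InActiveList condition. The following is an added example written for this page, not ArcSight's engine or API: the class and function names, the rule definitions and the six sample events in demo() are all constructed, and event times are plain seconds rather than Manager Receipt Time.

```python
"""Minimal correlation-rule engine: count-over-time thresholds, derived events,
rule actions and an active list, as described in 6.1.5 and 6.1.6.
Added example, not ArcSight code; all names and sample events are constructed."""
from collections import defaultdict, deque


class ActiveList:
    """Configurable store of values derived from events (e.g. a hostile-IP list)."""

    def __init__(self, name):
        self.name = name
        self.entries = set()

    def add(self, value):
        self.entries.add(value)

    def remove(self, value):
        self.entries.discard(value)

    def __contains__(self, value):
        return value in self.entries


def in_active_list(active_list, field):
    """Condition equivalent to InActiveList: true when event[field] is in the list."""
    return lambda ev: ev.get(field) in active_list


class Rule:
    """Fires when `threshold` matching events share the same `key` value within
    `window` seconds; threshold 1 means fire on first match."""

    def __init__(self, name, condition, key, threshold=1, window=60, actions=()):
        self.name, self.condition, self.key = name, condition, key
        self.threshold, self.window, self.actions = threshold, window, list(actions)
        self._matches = defaultdict(deque)   # key value -> timestamps of matches

    def evaluate(self, ev):
        """Return a derived correlation event when the threshold is passed, else None."""
        if not self.condition(ev):
            return None
        k = ev[self.key]
        q = self._matches[k]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > self.window:   # drop matches outside the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        q.clear()                                      # aggregate consumed; start afresh
        derived = {"time": ev["time"], "name": self.name, "correlated": k,
                   "count": self.threshold}
        for action in self.actions:
            action(ev, derived)
        return derived


class CorrelationEngine:
    def __init__(self, rules):
        self.rules = rules

    def process(self, events):
        """Run every event (in time order) through every rule; return derived events."""
        derived = []
        for ev in sorted(events, key=lambda e: e["time"]):
            for rule in self.rules:
                out = rule.evaluate(ev)
                if out is not None:
                    derived.append(out)
        return derived


def demo():
    hostile = ActiveList("Hostile List")
    brute = Rule("Repeated failed logins", lambda e: e["name"] == "login failed",
                 key="src", threshold=3, window=60,
                 actions=[lambda ev, d: hostile.add(ev["src"])])   # Add to Active List
    from_hostile = Rule("Activity from hostile source", in_active_list(hostile, "src"), key="src")
    engine = CorrelationEngine([brute, from_hostile])
    # Constructed sample events; times are seconds, fields loosely modelled on an IDS feed.
    events = [
        {"time": 0,   "name": "login failed", "src": "10.0.0.5", "dst": "10.0.1.1"},
        {"time": 20,  "name": "login failed", "src": "10.0.0.5", "dst": "10.0.1.1"},
        {"time": 25,  "name": "login failed", "src": "10.0.0.9", "dst": "10.0.1.1"},
        {"time": 45,  "name": "login failed", "src": "10.0.0.5", "dst": "10.0.1.1"},
        {"time": 300, "name": "login failed", "src": "10.0.0.9", "dst": "10.0.1.1"},
        {"time": 320, "name": "port scan",    "src": "10.0.0.5", "dst": "10.0.1.2"},
    ]
    return engine.process(events), sorted(hostile.entries)


if __name__ == "__main__":
    for d in demo()[0]:
        print(d)
```

Two points the prose leaves implicit are visible here: the source 10.0.0.9 never fires the first rule because its two failures are 275 seconds apart, outside the 60-second window; and because rules are evaluated in order on the same event, the third failure from 10.0.0.5 both fires the threshold rule and, having just been added to the list, immediately satisfies the InActiveList rule as well.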

The following list summarizes the rule actions supported by the TOE. Further details of these rule actions are provided in the guidance documentation:
- Set Event Field: fills in a data field value for correlation events generated by the rule
- Send to Open View Operations: requires HP Open View to be integrated with ESM, so serves no purpose in the evaluated configuration
- Send Notification: sends e-mail messages to specified TOE users when rules are triggered
- Execute Command: executes a command line function when the rule is triggered. The action specifies the command line function to be executed and any variables the function requires. Additionally, the action specifies where and how the command line function is to be executed. The following options are available:
  - Automatically on the Manager host, in which case the command is executed without further intervention
  - On the Manager host only after execution confirmation is received from an authorized user at a Console
  - On applicable SmartConnectors
- Execute Connector Command: executes a SmartConnector command that is applicable to the device it monitors
- Export to External System: sends the rule and the triggering events to an external system that is integrated with ESM (serves no purpose in the evaluated configuration)
- Create New Case: creates a new case when the rule is triggered
- Add to Existing Case: adds the associated events to an already-defined case
- Add to Active List: adds the events to an existing Active List
- Remove from Active List: removes the associated events from an existing Active List
- Add to Session List: adds the associated events to an existing Session List
- Terminate Session List: adds the associated events to the selected Session List and ends the Session List.

6.1.7 Analyzer Data Review and Availability

6.1.7.1 Restricted Data Review (IDS_RDR.1)

In an ArcSight ESM 6.0c Patch 1 environment, only successfully authenticated users can access the ArcSight Console and only users who hold the appropriate authorization can view the data.
Using the ArcSight Console GUI, Administrators can view the overall health of the enterprise as well as the data collected. The Administrators can also view the analyzer event data, reports (including the analytical results), query viewers, configuration information, and other applicable analyzer data that is collected. In addition, the Analyzer Administrator can view analyzer configuration and analyzer data. The Operators and Analysts can view the analyzer data collected via the ArcSight Console. The Operator can also create reports or query viewers, as can the Analyzer Administrator and Administrator. The reports are captured views or summaries of data that can be viewed in the ArcSight Console or exported for sharing in a variety of file formats. Authorized users can create reports by pulling together the result sets from one or more queries (a query is an ArcSight resource that defines the parameters of data to gather from an ArcSight data source) or trends (a trend is an ArcSight resource that defines how and over what time period data will be evaluated for trends; a trend is always based on a query). The query viewers are a type of resource for defining and running SQL queries on other TOE resources, including trends, assets, cases, connectors, events, and so forth. Each query viewer contains an SQL query along with other logic for establishing and comparing baseline results, analyzing historical data to find patterns in network activity, and performing drill-down investigation on a particular aspect of the results.

All data is presented in such a manner that it can be read and the contents of the data can be interpreted; thus the reader can understand the content of the information presented.

6.1.7.2 Guarantee of Analyzer Data Availability (IDS_STG.1)

All users must be identified and authenticated. In an ESM environment, only successfully identified and authenticated users can access the ArcSight Console, and then only users who hold the appropriate authorization can view the data that is collected and analyzed by ArcSight SmartConnectors.

The TOE provides a mechanism for managing database storage of the potentially large amount of events that can be collected and generated by the TOE. The TOE is able to package chronological sections of past data for reasonable retrieval and reuse through database partition management. Partition management is established and configured during installation of the TOE. The Partitions tree in the ArcSight Console provides the Administrator role with capabilities to manage partitions.

A time-based retention is a time-delimited record of database activity; the default is 30 days. The TOE uses partitions as a means of controlling and storing volumes of past events to facilitate subsequent analysis. Events remain active according to the time-based retention set initially during installation. The events stored during the oldest day within the given retention period are removed to make room for newer events. Along with the time-based retention period, ESM is also configured for space-based retention; the default is 26 GB of event storage. Space-based retention automatically executes when 98% of capacity is reached.

6.1.7.3 Prevention of Analyzer Data Loss (IDS_STG.2)

To prevent analyzer data loss, two warnings are sent to a configured notification destination (e.g., the Administrator) in the event the database begins to run out of storage space for the analyzer data records. The first notification comes in the form of a warning and is sent at 90% of capacity. The second notification comes in the form of an error and is sent at 98% of capacity.
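The retention and notification behaviour described in IDS_STG.1 and the paragraph above, as an added worked model (example code, not ArcSight's). It keeps one partition per day and uses the defaults quoted in this Security Target (30-day window, 26 GB budget, warning at 90%, error and space-based trim at 98%); the per-day layout and the daily event volumes fed in are assumptions. It makes the caveat visible that the prose only implies: when event volume is high, space-based retention starts removing the oldest day before the time-based window has elapsed, so the effective retention is shorter than the configured 30 days.

```python
"""Model of the CORR-Engine retention behaviour described for IDS_STG.1 and the
storage-threshold notifications described for IDS_STG.2.

Added illustrative example, not ArcSight code. The 30-day time-based retention,
the 26 GB space-based budget, the 90% warning and the 98% error / space-based
trigger are the defaults quoted in this Security Target; the one-partition-per-
day layout and the daily event volumes fed in below are assumptions.
"""
from dataclasses import dataclass, field

GB = 1024 ** 3


@dataclass
class RetentionPolicy:
    retention_days: int = 30        # time-based retention window
    capacity_bytes: int = 26 * GB   # space-based retention budget
    warn_pct: float = 0.90          # first notification: warning
    error_pct: float = 0.98         # second notification: error; also the trim trigger


@dataclass
class EventStore:
    policy: RetentionPolicy = field(default_factory=RetentionPolicy)
    partitions: list = field(default_factory=list)     # (day, size_bytes), oldest first
    notifications: list = field(default_factory=list)  # (day, level, percent_used)
    removed: list = field(default_factory=list)        # (day, reason)
    last_level: str = "ok"

    def used_bytes(self):
        return sum(size for _, size in self.partitions)

    def level(self):
        """Current fill level against the policy thresholds."""
        frac = self.used_bytes() / self.policy.capacity_bytes
        if frac >= self.policy.error_pct:
            return "error", frac
        if frac >= self.policy.warn_pct:
            return "warning", frac
        return "ok", frac

    def ingest_day(self, day, size_bytes):
        """Store one day's events as a partition, then apply time-based
        retention, raise threshold notifications, then space-based retention."""
        self.partitions.append((day, size_bytes))
        # Time-based retention: partitions older than the window go, oldest first.
        cutoff = day - self.policy.retention_days
        while self.partitions and self.partitions[0][0] <= cutoff:
            self.removed.append((self.partitions.pop(0)[0], "time"))
        # Notifications are raised once per threshold crossing, not once per day.
        lvl, frac = self.level()
        if lvl != "ok" and lvl != self.last_level:
            self.notifications.append((day, lvl, round(frac * 100, 1)))
        self.last_level = lvl
        # Space-based retention: at the trigger, drop the oldest day until below it.
        while self.level()[0] == "error" and len(self.partitions) > 1:
            self.removed.append((self.partitions.pop(0)[0], "space"))


def simulate(daily_bytes, days, policy=None):
    """Feed `days` consecutive days of `daily_bytes` events into a fresh store."""
    store = EventStore(policy or RetentionPolicy())
    for day in range(days):
        store.ingest_day(day, daily_bytes)
    return store


def effective_retention_days(store):
    """Days of events actually still on disk; less than the configured window
    whenever space-based retention has had to trim."""
    return len(store.partitions)


if __name__ == "__main__":
    for rate_gb in (0.5, 1.0):
        s = simulate(int(rate_gb * GB), 40)
        print(f"{rate_gb} GB/day: {effective_retention_days(s)} days retained, "
              f"notifications={s.notifications}, removed={s.removed}")
```

At a constructed 0.5 GB/day the time-based window governs, no threshold is crossed and exactly 30 days stay on disk; at 1 GB/day the warning fires on day 23, the error on day 25, and from then on the oldest day is trimmed every day, leaving 25 days rather than 30. Sizing the 26 GB budget against the expected daily volume is therefore what actually determines how far back an analyst can look.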
If CORR-Engine storage fills up, the ArcSight Manager stops accepting new events from all ArcSight SmartConnectors. Those SmartConnectors use a local, operating-system disk-based cache to preserve the events until the ArcSight Manager starts accepting events once again. If that local cache also fills, the SmartConnectors discard the oldest blocks of event data from the local cache in order to continue receiving and storing new events. Once space has been freed on the CORR-Engine storage, the ArcSight Manager is re-enabled so that the cached and live events may flow up from the SmartConnectors.

If the ArcSight Manager fails, the ArcSight SmartConnectors cache the data and wait for the ArcSight Manager to return. Analyzer data in memory at the time of the crash may be lost. The correlation facility of the product periodically writes a checkpoint of its state. When the checkpoint is reloaded, all previously stored events that occurred between the time of the checkpoint and the crash are replayed in order to restore the state of correlation prior to the crash. When the ArcSight Manager comes back on-line, it receives all cached and live events from the ArcSight SmartConnectors. If an ArcSight SmartConnector fails, on restarting it resumes processing with the next log file line or database row.

7. Protection Profile Claims

The TOE conforms to the U.S. Government Protection Profile Intrusion Detection System Analyzer For Basic Robustness Environments, Version 1.3, July 25, 2007. In addition, ArcSight has elected to pursue a more rigorous assurance level, as described in Section 1.2, Conformance Claims. Section 1.3 of the U.S. Government Protection Profile Intrusion Detection System Analyzer For Basic Robustness Environments, Version 1.3, July 25, 2007 states that STs that claim conformance to this PP shall meet a minimum standard of demonstrable-PP conformance. This ST is a suitable solution to the generic security problem described in the PP. Following are the changes to the PP-defined security problem definition, security objectives, and security requirements. All changes in the ST are equivalent to or more restrictive than stated in the PP.

This Security Target includes all of the assumptions, organizational security policies, and threat statements described in the PP, verbatim.

This Security Target includes all of the Security Objectives from the PP, verbatim, except as noted below:
- The security objective O.EXPORT was removed from the ST since the TOE does not transmit data to external IT products.
- The operational environment security objective OE.AUDIT_SORT was removed since the TOE performs this function and does not rely on the operating environment.

This Security Target includes all of the Security Functional and Security Assurance Requirements from the PP verbatim, except as noted in Table 6 below.

Requirement component: modification of Security Functional and Security Assurance Requirements
- FAU_GEN.1: Refined to be compliant with CC v3.1, Revision 3.
- FAU_SAR.1: Assignment completed.
- FAU_SEL.1: Assignment completed.
- FAU_STG.2: Assignment and selection completed; the selection was changed to "prevent", since the TOE does not offer any interfaces to modify audit records.
- FAU_STG.4: Selection and assignment completed. In addition, the PP indicates this operation as a selection, when in fact the operation is an assignment; the ST author has indicated the correct operation performed.
- FIA_AFL.1: Removed. The requirement was removed from the ST since the TOE does not allow or support access from external IT products. In addition, the authentication mechanism is SSL, and therefore this requirement is not applicable. Reference PD-0127.
- FIA_ATD.1: Assignment completed.
- FIA_UAU.1: Assignment completed.
- FIA_UID.1: Assignment completed.
- FMT_MOF.1: Refinement to correctly identify the role(s) supported by the TOE.
- FMT_MTD.1: Assignment completed.

- FMT_SMF.1: Added. This requirement was added in this Security Target to satisfy a dependency added to FMT_MOF.1 by International Interpretation RI#65, which was adopted in CC Part 2, v2.3. This requirement simply requires that security functions actually be present, in addition to being protected if they are present, and therefore does not impact PP conformance.
- FMT_SMR.1: Refinement. Replaced the PP-defined roles of authorized Administrator and authorized Analyzer Administrator with the TOE-defined roles of Administrator, Analyzer Administrator, Operator, and Analyst. The Administrator and Analyzer Administrator roles defined by the TOE satisfy the PP requirement for the authorized Analyzer Administrator, while the Operator and Analyst roles defined by the TOE satisfy the PP requirement for the authorized Administrator.
- FPT_ITA.1: Removed. The TOE does not transmit data to external IT products, and therefore this requirement is not applicable.
- FPT_ITC.1: Removed. The TOE does not transmit data to external IT products, and therefore this requirement is not applicable.
- FPT_ITI.1: Removed. The TOE does not transmit data to external IT products, and therefore this requirement is not applicable.
- FPT_ITT.1: Added. Since the TOE does not communicate with IDS components outside of the TOE, the FPT_ITA.1, FPT_ITC.1, and FPT_ITI.1 SFRs were removed; FPT_ITT.1 was added to protect communications between the distributed TOE components. Selection completed.
- FPT_STM.1: Removed. The TOE relies on the operational environment to provide a reliable timestamp, as indicated by the security objective for the environment OE.TIME.
- IDS_ANL.1, IDS_RCT.1, IDS_RDR.1, IDS_STG.1, IDS_STG.2: Selections and assignments completed.
- EAL3: Added. The PP requires only EAL2. However, to satisfy the assurance requirements of the environment, which requires more assurance that the security functions are enforced, this Security Target has adopted the EAL3 security assurance requirements.

Table 6: Modification of PP claims

8. Rationale

This section provides the rationale for completeness and consistency of the Security Target. The rationale addresses the following areas: Security Objectives; Security Functional Requirements; Security Assurance Requirements; Requirement Dependencies; Extended Requirements; TOE Summary Specification; and PP Claims.

8.1 Security Objectives Rationale

The TOE conforms to the U.S. Government Protection Profile Intrusion Detection System Analyzer For Basic Robustness Environments, Version 1.3, July 25, 2007. This Security Target includes all of the Security Objectives for the TOE from the PP, verbatim, except as noted below: the security objective O.EXPORT was removed from the ST since the TOE does not transmit data to external IT products. Reference PD-0127.

This Security Target includes all of the Security Objectives for the Environment from the PP, verbatim, except as noted below: the operational environment security objective OE.AUDIT_SORT is not applicable to the environment for this TOE and was removed from the ST. The security objectives for the TOE provide the ability to sort the audit logs and provide protection of the audit trail.

The security objective rationale is presented in Section 6.1 and Section 6.2 of the U.S. Government Protection Profile Intrusion Detection System Analyzer For Basic Robustness Environments.

8.2 Security Requirements Rationale

The security requirements rationale is presented in Section 6.3 of the U.S. Government Protection Profile Intrusion Detection System Analyzer For Basic Robustness Environments. All of the security functional requirements have been reproduced from that PP to this ST, except as noted below.

The following security functional requirements were added to the ST:

- FMT_SMF.1: this requirement was included to satisfy a dependency of FMT_MOF.1 introduced by International Interpretation RI#65, which was adopted in CC Part 2, v2.3. FMT_SMF.1 requires that a defined set of security management functions are made available so that an administrator can effectively manage the security configuration of the TOE. This security functional requirement provides direct support for the O.EADMIN security objective.
- FPT_ITT.1: this requirement was included to protect communications between TOE components in lieu of FPT_ITA.1, FPT_ITC.1, and FPT_ITI.1. ArcSight ESM 6.0c is not intended to make data available to other IT products. In fact, the distributed ArcSight ESM 6.0c architecture components should be connected with a benign, private, and protected communication network. This security functional requirement provides direct support for the O.PROTCT and O.INTEGR security objectives. Reference PD-0127.

The following security functional requirements were removed from the ST:

- FIA_AFL.1: this requirement is intended to detect attempts to access the TOE by untrusted external IT products. The TOE uses an SSL authentication mechanism when transmitting data between TOE components. The TOE does not support or allow access to the TOE from external IT products; therefore this requirement is not applicable. Reference PD-0127.
- FPT_ITA.1: this requirement is intended to specify how audit and Analyzer data are made available to external (trusted) IT products that would provide audit and Analyzer data services. Since the TOE provides these functions internally, no external IT products are necessary. Even though this requirement is trivially satisfied, it is not applicable. Note that when the TOE is distributed, TSF data is transferred over a network that is protected from associated threats. Reference PD-0127.
- FPT_ITC.1: this requirement is intended to specify how TSF data is protected while transmitted to external (trusted) IT products. Since the TOE provides all functionality for the Analyzer in a self-contained manner, no data is transferred to external products. Even though this requirement is trivially satisfied, it is not applicable. Note that when the TOE is distributed, TSF data is transferred over a network that is protected from associated threats. Reference PD-0127.
- FPT_ITI.1: this requirement is intended to specify how modifications to TSF data can be detected when it is transmitted to external (trusted) IT products. This includes both integrity checks and detection of modification during transmission. The TOE does not transmit data to external products. Even though this requirement is trivially satisfied, it is not applicable. Note that when the TOE is distributed, TSF data is transferred over a network that is protected from associated threats. Reference PD-0127.

Removal of these requirements does not have any impact on other security functional requirements.

8.3 Security Assurance Requirements Rationale

ArcSight has elected to pursue a more rigorous assurance level than that specified in the U.S. Government Protection Profile Intrusion Detection System Analyzer For Basic Robustness Environments: EAL3 augmented with ALC_FLR.2, as specified in Section 1.2 of this ST. EAL3 was chosen to provide a moderate level of assurance that is consistent with good commercial practices. As such, minimal additional tasks are placed upon the vendor, assuming the vendor follows reasonable software engineering practices and can provide support to the evaluation for design and testing efforts. The chosen assurance level is appropriate to the threats defined for the environment. While the TOE may monitor a hostile environment, it is expected to be in a non-hostile position and embedded in or protected by other products designed to address threats that correspond with the intended environment. In addition, augmentation was chosen to provide the added assurance that results from having flaw remediation procedures and correcting security flaws as they are reported.

The TOE meets all the U.S. Government Protection Profile Intrusion Detection System Analyzer For Basic Robustness Environments assurance requirements as stated in Section 6.5 for EAL2. Additionally, the TOE conforms to all the assurance requirements for an EAL3 product. The resulting assurance level is therefore EAL3 augmented with ALC_FLR.2. The EAL3 requirements that exceed the EAL2 required by the PP are rationalized below:

- ADV Development; ADV_FSP.3 Functional specification with complete summary: it is important to document the SFR-supporting and SFR-non-interfering actions and error messages to demonstrate they are not SFR-enforcing.
- ADV Development; ADV_TDS.2 Architectural design: it is important to provide sufficient information to determine the TSF boundary and to describe how the TSF implements the security functional requirements.
- ALC Life-cycle support; ALC_CMC.3 Authorisation controls: it is important to demonstrate that the CM operates in accordance with the CM Plan.
- ALC Life-cycle support; ALC_CMS.3 Implementation representation CM coverage: it is important to demonstrate that the parts that comprise the TOE that are under CM control are in fact modified in a controlled manner with proper authorization.
- ALC Life-cycle support; ALC_DVS.1 Identification of security measures: it is important to demonstrate the physical security of the development facility as well as personnel, procedural, and other security measures as deemed appropriate.
- ALC Life-cycle support; ALC_LCD.1 Developer defined life-cycle model: it is important to demonstrate the controlled development and maintenance of the TOE.
- ATE Tests; ATE_COV.2 Analysis of coverage: it is important to demonstrate that the TSF has been tested against the functional specification and that the test documentation corresponds to all the TSFIs in the functional specification.
- ATE Tests; ATE_DPT.1 Testing: basic design: it is important to demonstrate that the TSF subsystems behave and interact as described in the architectural description.

8.4 Requirements Dependency Rationale

The dependency requirements rationale is presented in Section 6.6 of the U.S. Government Intrusion Detection System Analyzer Protection Profile. This Security Target includes two Security Functional Requirements not included in the U.S. Government Intrusion Detection System Analyzer Protection Profile: FMT_SMF.1 and FPT_ITT.1. FMT_SMF.1 was included to satisfy a dependency of FMT_MOF.1 and FMT_MTD.1 introduced by International Interpretation RI#65, which was adopted in CC Part 2, v2.3 and is included in CC v3.1. The SFR introduces no additional dependencies itself. FPT_ITT.1 was included to support communications between TOE components in lieu of FPT_ITA.1, FPT_ITC.1, and FPT_ITI.1. FPT_ITT.1 does not introduce any dependency requirements.

8.5 Extended Requirements Rationale

There are no extended requirements beyond those in the U.S. Government Protection Profile Intrusion Detection System Analyzer For Basic Robustness Environments. The extended requirements rationale is presented in Section 6.4 of the U.S. Government Protection Profile Intrusion Detection System Analyzer For Basic Robustness Environments.

8.6 TOE Summary Specification Rationale

Each subsection in Section 6, the TOE Summary Specification, describes a security function of the TOE. Each description is organized by requirement, with rationale that indicates how each requirement is satisfied by aspects of the corresponding security function. This set of security functions works together in order to satisfy all of the security functional and assurance requirements. Furthermore, all of the security functions are necessary in order for the TSF to provide the required security functionality. This section, in conjunction with Section 6, the TOE Summary Specification, provides evidence that the security functions are suitable to fulfill the TOE security requirements. The following table identifies the relationship between security requirements and security functions, showing that all security requirements are addressed and all security functions are necessary (i.e., they correspond to at least one security requirement).

Security function: requirements mapped to it
- Security Audit: FAU_GEN.1, FAU_SAR.1, FAU_SAR.2, FAU_SAR.3, FAU_SEL.1, FAU_STG.2, FAU_STG.4
- Identification & Authentication: FIA_UAU.1, FIA_ATD.1, FIA_UID.1
- Security Management: FMT_MOF.1, FMT_MTD.1(a), FMT_MTD.1(b), FMT_SMF.1, FMT_SMR.1
- Protection of the TSF: FPT_ITT.1
- IDS Analyzer: IDS_ANL.1, IDS_RCT.1, IDS_RDR.1, IDS_STG.1, IDS_STG.2

Table 7: Security Functions vs. Requirements Mapping

8.7 PP Claims Rationale

See the Protection Profile Claims section.