What's covered

Standards

Compliance

Implementation

Related Links

Standards


Security Analysis Solution (SAS) is built completely around the SCAP standard, allowing customers to import and manage their XCCDF benchmarks (checklists) which are used for assessing their computers.

...

Security standards and their acronyms are included in the following list:

| Acronym | Name | Description | More Detail |
| --- | --- | --- | --- |
| SCAP | Security Content Automation Protocol | Specification for expressing and manipulating security data in standardized ways that allow machine-readable assessment and misconfiguration remediation. | http://scap.nist.gov |
| OVAL | Open Vulnerability and Assessment Language | XML specification for exchanging technical details on how to check systems for security-related software flaws, configuration issues and patches. | http://oval.mitre.org |
| XCCDF | eXtensible Configuration Checklist Description Format | XML-based specification for structured collections of security configuration rules. | http://scap.nist.gov/specifications/xccdf/ |
| CPE | Common Platform Enumeration | Naming convention for hardware, OS and application products. | http://cpe.mitre.org |
| CVE | Common Vulnerabilities and Exposures | Dictionary of publicly-known security-related software flaws. | http://cve.mitre.org |
| CCE | Common Configuration Enumeration | Dictionary of software security configuration issues. | http://cce.mitre.org |
| CVSS | Common Vulnerability Scoring System | Method for classifying characteristics of software flaws and assigning severity scores based on these characteristics. | http://www.first.org/cvss |

Compliance

...


SAS supports: 

| Standard | Supported Versions |
| --- | --- |
| SCAP | 1.0 - 1.1 2 |
| OVAL | 5.3 - 5.9 11 |
| XCCDF | 1.1.4 0 - 1.2 |
| CCE | 5.0 |
| CPE | 2.2 3 |
| CVSS | 2.0 |

SAS is SCAP-compliant with the following capabilities:

  • FDCC Scanner
  • Authenticated Configuration Scanner
  • Authenticated Vulnerability and Patch Scanner

Implementation


SCAP

SCAP is a public specification that provides standardized and automated security configurations, and vulnerability assessments. SCAP comprises the following standards:

  • XCCDF
  • OVAL
  • CPE
  • CCE
  • CVE
  • CVSS

The Federal Desktop Core Configuration (FDCC) and U.S. Government Configuration Baseline (USGCB) are examples of the SCAP specification, mandated across all U.S. federal agencies and openly available for other organizations to leverage.

Security configuration management products help organizations manage security proactively and ensure proper system configuration by combining the following elements:

  • Vulnerability assessment
  • Patch management
  • Automated remediation
  • Configuration compliance

SAS embraces the SCAP standard and can import SCAP content into the Thycotic Management Server (TMS). For further details, go to SAS 8.1 overview.

XCCDF

SAS is compatible with XCCDF benchmarks and other types of checklists that adhere to the XCCDF specification including industry standards from:

  • Federal Desktop Core Configuration (FDCC)
  • United States Government Configuration Baseline (USGCB)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Sarbanes-Oxley Act (SOX)
  • Payment Card Industry Data Security Standard (PCI-DSS)

These benchmarks can be downloaded directly within SAS on the Download Profiles page, which presents a list of links to the author's published content from sources such as NIST. SAS also supports uploading multiple benchmarks or other checklists through the web browser interface directly from the user's file system in the form of XML files or compressed files of XML documents.

SCAP elements are correlated within the TMS during the import of these benchmarks. The profiles, used within security configuration policies, perform scheduled assessments and automated remediation to keep the targeted computers in compliance with the policies defined by the computer administrator.

Assessment results can be output as XCCDF results and made available in many reports across multiple endpoints and even between various OVAL checks.

For further information, go to Security configuration profiles.

OVAL

SAS supports OVAL, a public standard for creating vulnerability, configuration, and patch checks using a declarative XML syntax.

SAS imports OVAL content from SCAP data content streams and evaluates OVAL definitions, generally in the context of XCCDF benchmark profiles, to test configuration settings and vulnerabilities on managed computers. XCCDF adjusts the configuration of these assessments to better suit customer needs, all orchestrated within our user interface.

SAS also reports individual or group assessment results across multiple computers that have performed these assessments, giving rich reporting data that can be used for other system configuration management tasks and policies.

OVAL content is delivered to the endpoints where the assessments are performed, and the OVAL results are sent back and correlated into the TMS. Administrators get access to the OVAL- and XCCDF-compliant XML output, as well as numerous reports that can correlate these assessments to the managed elements within the TMS.

CCE

SAS supports the public standard CCE, which provides an identification system for common security configuration issues and vulnerabilities. These identifiers are referenced within the SCAP and OVAL content.

The product shows the relationship of the CCEs to the OVAL checks within the view of a profile and in the results of an assessment performed on computers. These relationships are also modeled within the TMS to provide for cross-profile views of assessment results, allowing administrators to run reports that can filter the results to specific computers or groups of computers that have specific CCE results. There are numerous other reports that can be built based on these relationships, giving administrators full control of the related data within the TMS.

CCE references are also present in the OVAL results product output, as well as a CSV formatted file output, all accessible through the Resource Explorer user interface.

CPE

Common Platform Enumeration (CPE) is an open standard that describes IT platforms (such as hardware, operating systems and applications). XCCDF Benchmarks define applicable platforms through CPE designations.

Upon import of the XCCDF benchmarks, SAS will extract all CPE references, then analyze and process them against the managed computers to build filters used within the TMS. These filters are maintained and kept up-to-date through various tasks as new computers and profiles are introduced into the system. These targets can be used by other products, but have proven to be a good starting point for targeting assessments within security analysis policies.

When you create security configuration policies, use these CPE-based filters as a starting point for targeting the endpoints to perform the SCAP assessments. These policy targets can be further tailored to narrow down the policy to specific endpoints.

The CPE references are also viewable within result output and available to use when correlating results and assessed computers within reports and data exchange.
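The kind of correlation the CCE and CPE sections describe can be sketched outside the product. The following is an added example, not SAS code: it pulls the CPE platform references and the CCE-to-rule relationships out of an XCCDF 1.2 benchmark. The benchmark document, rule ids and the CCE id are constructed placeholders, and `correlate` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"  # XCCDF 1.2 namespace
CCE_SYSTEM = "http://cce.mitre.org"                # ident system URI used for CCE

# Constructed sample benchmark (not published content; the CCE id is a placeholder).
SAMPLE = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_demo">
  <status>draft</status>
  <platform idref="cpe:/o:microsoft:windows_7"/>
  <version>0.1</version>
  <Group id="xccdf_example_group_accounts">
    <Rule id="xccdf_example_rule_min_password_length" selected="true">
      <platform idref="cpe:/o:microsoft:windows_7"/>
      <ident system="{CCE_SYSTEM}">CCE-00000-0</ident>
    </Rule>
    <Rule id="xccdf_example_rule_banner" selected="true">
      <ident system="http://example.invalid/other">OTHER-1</ident>
    </Rule>
  </Group>
</Benchmark>"""


def correlate(xml_text):
    """Return (sorted CPE names, {CCE id: [rule ids]}) for one benchmark."""
    root = ET.fromstring(xml_text)
    q = lambda tag: f"{{{XCCDF_NS}}}{tag}"
    # <platform idref="cpe:..."> may appear on the Benchmark, Groups and Rules;
    # a set de-duplicates platforms that are repeated at several levels.
    cpes = {p.get("idref") for p in root.iter(q("platform"))
            if (p.get("idref") or "").startswith("cpe:")}
    cce_to_rules = {}
    for rule in root.iter(q("Rule")):
        for ident in rule.findall(q("ident")):
            # Only idents in the CCE system count; other systems are skipped.
            if ident.get("system") == CCE_SYSTEM and ident.text:
                cce_to_rules.setdefault(ident.text.strip(), []).append(rule.get("id"))
    return sorted(cpes), cce_to_rules


if __name__ == "__main__":
    platforms, cces = correlate(SAMPLE)
    print("CPE targets:", platforms)
    print("CCE -> rules:", cces)
```

Benchmarks uploaded from a user's file system are untrusted XML, so anything beyond a demo should parse them with a hardened parser such as `defusedxml`.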

CVE

CVE is a common identification and dictionary for computer and information security vulnerabilities, and is maintained and hosted by the MITRE Corporation (http://cve.mitre.org). The National Vulnerability Database (NVD) publishes vulnerability summaries that provide detailed information for most known computer and information security vulnerabilities. You can access these vulnerability summaries using the CVE identifier for a given vulnerability. NVD also regularly publishes NVD/CVE data feeds that store similar information but in a schema-defined and machine-readable format.

SAS utilizes CVE identifiers to associate vulnerabilities identified in the imported SCAP data stream as well as the assessment results. When viewing the OVAL definitions within a profile, CVE identifiers are displayed with links to detail on the CVE website. Numerous reports are available within the product that show which computers are susceptible to the vulnerabilities identified by their CVE and combined with CVSS scoring metrics. SAS also stores CVE entities as unique resources within the TMS, leveraging the ability to associate and relate these to other TMS resources, giving the administrator rich reporting and targeting data to work from.

CVSS

CVSS is a public standard that defines methods for scoring and rating computer vulnerabilities. These vulnerabilities are referenced using a CVE identifier and allow the administrator to prioritize and remediate those that pose the greatest risk. The CVSS list is maintained on the NIST website and provides scores for common threats and vulnerabilities.

Thycotic Security Analysis Solution provides tasks that can be run on managed computers that will gather CVE analysis results and analyze this data to produce CVSS score information for the managed computers. The product also displays CVSS scoring details in reports for managed computers that have been analyzed, including the CVE ID, score level, availability impact, confidentiality impact, integrity impact, and published date information. There are also links to the CVEs in the product output that you can navigate to find additional information on the CVSS scores for vulnerabilities.

Policies

Create a Security Analysis policy

 
