Name of Your Organization:
ArcSight, Inc.
Web Site:
http://www.arcsight.com
Compatible Capability:
ArcSight Enterprise Security Manager (ArcSight ESM)
Capability home page:
http://www.arcsight.com/product.htm
General Capability Questions
1) Product Accessibility <CR_2.4>
Provide a short description of how and where
your capability is made available to your customers and the public (required):
ArcSight directly provides a commercially
available security information management software solution. For more
information visit http://www.arcsight.com
or call 408-864-2600
Mapping Questions
4) Map Currency Indication <CR_5.1>
Describe how and where your capability indicates
the most recent CVE version used to create or update its mappings (required):
ArcSight does not directly expose the version of CVE that it uses,
because it consumes reports from security devices, and at that point
the CVE version is irrelevant. The only place where ArcSight needs to be
up to date is the mapping from infosec events to vulnerabilities, which
is guaranteed by updating the mappings for every release of ArcSight.
5) Map Currency Update Approach <CR_5.2>
Indicate how often you plan on updating the mappings
to reflect new CVE versions and describe your approach to keeping reasonably
current with CVE versions when mapping them to your repository (recommended):
As part of the content generation, we have tools which connect to
partner Web pages to download the latest content for their devices. In
the case of CVE, we have a tool which connects to cve.mitre.org
and downloads the latest CVE and CAN entries. These files are then
processed to make the content available in the next release.
6) Map Currency Update Time <CR_5.3>
Describe how and where you explain to your customers
the timeframe they should expect an update of your capability's mappings
to reflect a newly released CVE version (recommended):
ArcSight has a "Content Subscription" service. Part of the update-bundle
is an update to the vulnerability mappings which contain the CVE information.
Documentation Questions
7) CVE and Compatibility Documentation<CR_4.1>
Provide a copy, or directions to its location,
of where your documentation describes CVE and CVE compatibility for
your customers (required):
This information is included in
the ArcSight "Vulnerability" online-help page as shown below.
8) Documentation of Finding Elements Using CVE Names <CR_4.2>
Provide a copy, or directions to its location, of
where your documentation describes the specific details of how your
customers can use CVE names to find the individual security elements
within your capability's repository (required):
- Using the vulnerability navigator, the user can use the "resource
graph" or "resource grid" feature by right-clicking on a resource
to show the resources associated with a vulnerability (in this case
an asset). See images and documentation pages 7 and 17 below.
[Image: Vulnerability Tree]
[Image: Vulnerability Resource Graph]
[Image: p. 7 - "Using the ArcSight Console"]
[Image: p. 17 - "Using the ArcSight Console"]
- If an event is reported in ArcSight, the user can right-click on
the event and immediately get to the associated vulnerability resource.
(See documentation page 59 below).
[Image: p. 59 - "Using the ArcSight Console"]
- General handling of vulnerabilities is described on pages 115 and
following in the documentation.
[Image: p. 115 - "Using the ArcSight Console"]
- ActiveChannels can also be used with a filter to search for a vulnerability
as shown in the Analysis Operations portion of the "Using the ArcSight
Console" document.
9) Documentation of Finding CVE Names Using Elements
<CR_4.3>
Provide a copy, or directions to its location, of
where your documentation describes the process a user would follow to
find the CVE names associated with individual security elements within
your capability's repository (required):
There are three ways for a user to get to the vulnerabilities (CVE
being one of the authorities ArcSight supports).
- If an event is reported in ArcSight, the user can click on the event
and immediately get to the associated vulnerability resource. (See
page 59 above).
- The asset tree shows all the assets of a customer. For each asset,
all its known vulnerabilities are shown. From the list of vulnerabilities,
the user can navigate to the corresponding vulnerability resource.
(See image and documentation page 113 below)
[Image: p. 113 - "Using the ArcSight Console"]
- The vulnerability navigator (See images in number 8 above)
lets the user navigate through all the vulnerabilities that were found
on his network.
- There are more ways to navigate from certain resources to their
associated vulnerabilities.
10) Documentation Indexing of CVE-Related Material
<CR_4.4>
If your documentation includes an index, provide
a copy of the items and resources that you have listed under "CVE"
in your index. Alternately, provide directions to where these "CVE"
items are posted on your web site (recommended):
ArcSight uses a concept called reference pages for documenting individual
aspects of the product. By right-clicking on elements in the ArcSight
Console, the user can choose to get all the reference pages associated
with an object.
[Image: Reference Pages]
In the ArcSight documentation, there is no specific entry for CVE because
ArcSight deals with many vulnerability authorities and cannot mention
them all separately. Users are informed about reference pages that they
find in ArcSight results as shown above.
Candidate Support Questions
11) Candidates Versus Entries Indication <CR_6.1>
If CVE candidates are supported or used, explain
how you indicate that candidates are not accepted CVE entries (required):
Information from vulnerability scanners is recorded exactly as it is
reported. However, for the cross-mapping of vulnerabilities between
vulnerability authorities and from infosec events to vulnerabilities,
we have to treat CVE and CAN entries as one entity. The user sees
exactly what the reporting device reported: CVE and CAN entries appear
as different vulnerability authorities in the product and are therefore
easily distinguishable. Reference pages associated with the vulnerability
authorities take the user to the corresponding pages of CVE or CAN,
which describe what each vulnerability authority is about and outline
the difference between CVE and CAN.
12) Candidates Versus Entries Explanation <CR_6.2>
If CVE candidates are supported or used, explain
where and how the difference between candidates and entries is explained
to your customers (recommended):
As outlined in number 11 (above),
two different entries are maintained for CVE and CAN entries in ArcSight,
making it easy for the user to distinguish the two.
13) Candidate to Entry Promotion <CR_6.3>
If CVE candidates are supported or used, explain
your policy for changing candidates into entries within your capability
and describe where and how this is communicated to your customers (recommended):
We are dealing not only with CVE but with many other vulnerability
authorities. In order to cross-map vulnerabilities, we need to abstract
from the notion of CVE versus CAN and treat them as identical entities.
This is done only for the cross-mappings. As outlined in 11 (above) and
12 (above), we do treat them differently when we present them to the user.
14) Candidate and Entry Search Support <CR_6.4>
If CVE candidates are supported or used, explain
where and how a customer can find the explanation of your search function's
ability to look for candidates and entries by using just the YYYY-NNNN
portion of the CVE names (recommended):
The CVE and CAN entries are represented in trees. (See images in number
8 above) A user can use the tree to navigate
to the needed entries by opening the CVE or CAN tree and browsing for
them. To find the vulnerabilities associated with a certain asset, a
user does not have to go via the vulnerability tree, but can directly
access the vulnerabilities exposed by an asset without having to search
for them. (see image above) ArcSight also provides the capability of
generating a report based on vulnerability IDs. The report can either
find all assets exposing a certain vulnerability or all events associated
with a vulnerability. When running the report, distinguishing "CVE" from
"CAN" entries is optional.
Furthermore, a search function is available that works over all the
resources in ArcSight. Searching for CVE numbers will show all the resources
associated with that CVE entry.
[Image: Vulnerability Search]
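Questions 11, 13 and 14 above describe two things that pull in opposite directions: the console shows the user the authority (CVE or CAN) exactly as the reporting device named it, while the cross-mapping layer treats a candidate and the entry it was promoted to as one entity, and search accepts either prefix or just the YYYY-NNNN portion. The following Python sketch is an added example and is not ArcSight's code; it shows one way an index can satisfy both requirements. The device names, host addresses and event signatures are constructed, and the identifiers are used only as format placeholders (nothing is implied about the vulnerabilities they denote).

```python
import re
from collections import defaultdict

# Identifier formats in use while CVE still issued candidates: "CVE-YYYY-NNNN"
# for accepted entries and "CAN-YYYY-NNNN" for candidates. The sequence part
# may exceed four digits, as later CVE IDs do.
_NAME_RE = re.compile(r"^(?P<authority>CVE|CAN)-(?P<year>\d{4})-(?P<seq>\d{4,})$")
_KEY_RE = re.compile(r"^\d{4}-\d{4,}$")


def parse_name(raw):
    """Split a device-reported name into (authority, 'YYYY-NNNN').

    The authority is kept so the console can still show exactly what the
    device reported; the YYYY-NNNN part is the cross-mapping key.
    """
    m = _NAME_RE.match(raw.strip().upper())
    if not m:
        raise ValueError("not a CVE or CAN name: %r" % raw)
    return m.group("authority"), "%s-%s" % (m.group("year"), m.group("seq"))


def to_key(query):
    """Accept 'CVE-YYYY-NNNN', 'CAN-YYYY-NNNN' or a bare 'YYYY-NNNN'."""
    q = query.strip().upper()
    if q.startswith(("CVE-", "CAN-")):
        return parse_name(q)[1]
    if not _KEY_RE.match(q):
        raise ValueError("not a CVE/CAN name or YYYY-NNNN key: %r" % query)
    return q


class VulnerabilityIndex:
    """Cross-maps scanner findings and events on the YYYY-NNNN key while
    recording which authority (CVE or CAN) each device actually reported."""

    def __init__(self):
        self._reported = defaultdict(set)   # key -> {(authority, device)}
        self._assets = defaultdict(set)     # key -> {asset}
        self._events = defaultdict(list)    # key -> [(device, signature)]

    def add_scanner_finding(self, device, asset, raw_name):
        authority, key = parse_name(raw_name)
        self._reported[key].add((authority, device))
        self._assets[key].add(asset)
        return key

    def add_event(self, device, signature, raw_name):
        """An event that carries a vulnerability reference, e.g. an IDS alert
        whose signature the device maps to a CVE or CAN name."""
        authority, key = parse_name(raw_name)
        self._reported[key].add((authority, device))
        self._events[key].append((device, signature))
        return key

    def search(self, query):
        """Find assets, events and reporting authorities for a name or bare key.
        A candidate later promoted to an entry is found under either prefix."""
        key = to_key(query)
        reported = self._reported.get(key, ())
        return {
            "key": key,
            "authorities": sorted({a for a, _ in reported}),
            "devices": sorted({d for _, d in reported}),
            "assets": sorted(self._assets.get(key, ())),
            "events": list(self._events.get(key, ())),
        }


def build_sample_index():
    """Constructed sample data: hypothetical hosts, devices and signatures."""
    idx = VulnerabilityIndex()
    # An older scan reported the candidate; a newer scanner reports the
    # promoted entry for the same weakness on another host.
    idx.add_scanner_finding("Nessus", "10.0.0.5", "CAN-2003-0001")
    idx.add_scanner_finding("Retina", "10.0.0.7", "CVE-2003-0001")
    idx.add_scanner_finding("ISS Internet Scanner", "10.0.0.5", "CVE-2002-0001")
    idx.add_event("Snort", "sid:2003", "CVE-2003-0001")
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    for q in ("2003-0001", "CAN-2003-0001", "CVE-2002-0001"):
        print(q, "->", idx.search(q))
```

Searching for the bare key or for either prefix returns the same record, with both reporting authorities listed, which is the behaviour the questionnaire describes for promoted candidates; a query that is neither a CVE/CAN name nor a YYYY-NNNN key is rejected rather than silently matching nothing.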
15) Search Support for Promoted Candidates <CR_6.5>
If CVE candidates are supported or used, explain
where and how a customer can find the explanation of your search function's
support for retrieving the CVE entry for a candidate that is no longer
a candidate (recommended):
As already outlined in 11 (above),
12 (above), 13 (above) and
14 (above), ArcSight uses both CVE and CAN entries.
All features support both types.
16) Candidate Mapping Currency Indication <CR_6.6>
If CVE candidates are supported or used, explain
where and how you tell your users how up-to-date your candidate information
is (recommended):
As explained in 5 (above), the vulnerability mappings are upgraded
for every release. Apart from the mappings, ArcSight relies on whatever
information the security devices are sending.
Type-Specific Capability Questions
Tool Questions
17) Finding Tasks Using CVE Names <CR_A.2.1>
Give detailed examples and explanations of how a
user can locate tasks in the tool by looking for their associated CVE
name (required):
Tasks in ArcSight are cases. A case has vulnerability information associated.
Through the search feature (see question 14 above),
a user can search for the vulnerability and get to a case.
Additionally, cases can be queried with so-called search groups (see
documentation p. 100 below).
[Image: p. 100 - "Using the ArcSight Console"]
18) Finding CVE Names Using Elements in Reports <CR_A.2.2>
Give detailed examples and explanations of how,
for reports that identify individual security elements, the tool allows
the user to determine the associated CVE names for the individual security
elements in the report (required):
ArcSight uses so-called Asset Reports that can be configured to report
all the assets with their corresponding vulnerabilities. (see documentation
p. 118 and 223 below)

[Image: p. 118 - "Using the ArcSight Console"]
[Image: p. 223 - "Using the ArcSight Console"]
19) Getting a List of CVE Names Associated with Tasks <CR_A.2.4>
Give detailed examples and explanations of how a
user can obtain a listing of all of the CVE names that are associated
with the tool's tasks (recommended):
The term task in this context can be any of the resources in ArcSight.
As outlined in other questions above, either a report can be generated
that lists all the vulnerabilities associated with a resource (e.g.,
an asset) or, in most cases, a right-click on the resource opens
a resource graph that shows the relations (see documentation p. 17 above).
Additionally, a right-click on a case provides the capability to build
a "resource grid". This shows all the cases and the vulnerabilities
they mention.
[Image: Case View]
20) Selecting Tasks with a List of CVE Names <CR_A.2.5>
Describe the steps and format that a user would
use to select a set of tasks by providing a file with a list of CVE
names (recommended):
ArcSight does not provide for input via files for interacting with the
user interface. What can be done is running a report with the condition
being a selection of vulnerabilities. However, the vulnerabilities would
have to be entered via the console user interface.
21) Selecting Tasks Using Individual CVE Names <CR_A.2.6>
Describe the steps that a user would follow to browse,
select, and deselect a set of tasks for the tool by using individual
CVE names (recommended):
See questions 17 (above)
and 20 (above). Using the search feature, the user
can navigate to any resource in ArcSight.
22) Non-Support Notification for a Requested CVE Name <CR_A.2.7>
Provide a description of how the tool notifies the
user that task associated to a selected CVE name cannot be performed
(recommended):
ArcSight provides the capability
to query for all the tasks (cases), which
are not resolved. In the query, the user can specify that he is looking
for cases that are dealing with a certain vulnerability, expressed
as CVE number.
Service Questions
23) Service Coverage Determination Using CVE Names <CR_A.3.1>
Give detailed examples and explanations of the different
ways that a user can use CVE names to find out which security elements
are tested or detected by the service (i.e. by asking, by providing
a list, by examining a coverage map, or by some other mechanism) (required):
ArcSight reads information from
third-party security devices. This question does not apply. To answer
the question, the security devices which are reporting into ArcSight have
to be analyzed. A list of devices ArcSight supports can be found at http://www.arcsight.com/product_supported.htm
24) Finding CVE Names in Service Reports Using Elements
<CR_A.3.2>
Give detailed examples and explanations of how,
for reports that identify individual security elements, the user can
determine the associated CVE names for the individual security elements
in the report (required):
Questions 17 (above)
and 20 (above) already explained the usage of the
search feature to navigate to resources. Using the search, so-called scanner
reports can be accessed. These reports show the input from a certain scanner,
showing all the vulnerabilities and descriptions thereof.
25) Service's Product Utilization Details <CR_A.3.4>
Please provide the name and version number of any
product that the service allows users to have direct access to if that
product identifies security elements (recommended):
ArcSight is a security information management product (SIM). It therefore
supports many security devices which report vulnerability information.
A complete list of products supported can be found on the Web page:
http://www.arcsight.com/product_supported.htm
The security scanner products supported are:
eEye Retina Network Security Scanner v4.9
Foundstone FoundScan - v 3.0, 4.0
Harris STAT scanner - v5.1
ISS Internet Scanner - v6.21, 7.0
ISS System Scanner v4.2
nCircle IP360 Device Profiler
Nmap v3.5
OVAL
Symantec ESM - v5.5
Nessus - v1.1.0 and above
QualysGuard
Visionael Security Audit v1.x
Media Questions
31) Electronic Document Format Info <CR_B.3.1>
Provide details about the different electronic document
formats that you provide and describe how they can be searched for specific
CVE-related text (required):
From a documentation standpoint, all of ArcSight's documentation is
available in PDF format. PDF documents can be searched with a PDF reader.
Furthermore, online documentation (javahelp) is available in HTML format.
The online help can be accessed via the ArcSight console and is context
sensitive.
As output, ArcSight can generate reports in HTML, CSV and PDF format.
These reports can be searched with any type of reader.
32) Electronic Document Listing of CVE Names <CR_B.3.2>
If one of the capability's standard electronic documents
only lists security elements by their short names or titles provide
example documents that demonstrate how the associated CVE names are
listed for each individual security element (required):
ArcSight Scanner reports show
all the vulnerabilities reported by the scanners along with the CVE numbers
and an English name, reported by the security scanner (see image below).
[Image: Scanner Report]
33) Electronic Document Element to CVE Name Mapping
<CR_B.3.3>
Provide example documents that demonstrate the mapping
from the capability's individual elements to the respective CVE name(s)
(recommended):
ArcSight does not map the CVE IDs to any kind of name. It uses
whatever the security devices are reporting.
Graphical User Interface (GUI)
34) Finding Elements Using CVE Names Through the GUI <CR_B.4.1>
Give detailed examples and explanations of how the
GUI provides a "find" or "search" function for the
user to identify your capability's elements by looking for their associated
CVE name(s) (required):
See questions 17 (above)
and 20 (above). Using the search feature, the user
can navigate to any resource in ArcSight.
35) GUI Element to CVE Name Mapping <CR_B.4.2>
Briefly describe how the associated CVE names are
listed for the individual security elements or discuss how the user
can use the mapping between CVE entries and the capability's elements,
also describe the format of the mapping (required):
ArcSight collects information
from security devices. In the case of real-time events, an event has
a "vulnerability" field. This field shows the exploited vulnerability
of an event. The mapping file is the one already provided for question 2
(above).
36) GUI Export Electronic Document Format Info <CR_B.4.3>
Provide details about the different electronic document
formats that you provide for exporting or accessing CVE-related data
and describe how they can be searched for specific CVE-related text
(recommended):
ArcSight reports can be run either on events or assets. Asset reports
can contain the vulnerabilities associated with the assets. The output
formats that are supported are CSV, HTML, RTF, XLS and PDF. All this
output can be searched using the appropriate viewers.
Questions for Signature
37) Statement of Compatibility <CR_2.7>
Have an authorized individual sign and date the
following Compatibility Statement (required):
"As an authorized representative of my organization I agree
that we will abide by all of the mandatory CVE Compatibility Requirements
as well as all of the additional mandatory CVE Compatibility Requirements
that are appropriate for our specific type of capability."
Name: Raffael Marty
Title: Senior Security Engineer
38) Statement of Accuracy <CR_3.4>
Have an authorized individual sign and date the
following accuracy Statement (recommended):
"As an authorized representative of my organization and to
the best of my knowledge, there are no errors in the mapping between
our capability's Repository and the CVE entries our capability identifies."
Name: Raffael Marty
Title: Senior Security Engineer