LogRhythm Integrated SolutionSecurity TargetVersion 1.1March 30, 2012Prepared for:LogRhythm, Inc.4780 Pearl East CircleBoulder, CO 80301Prepared By:Science Applications International CorporationCommon Criteria Testing Laboratory6841 Benjamin Franklin Drive.Columbia, MD 21046May be reproduced only in its original entirety without revision.

Security TargetVersion 1.1, March 30, 2012 Copyright 2012 LogRhythm, Inc. All rights reservedThis document may be reproduced only in its original entirety without revision.WarrantyThe information contained in this document is subject to change without notice. LogRhythm, Inc. makes nowarranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied warrantyof the merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any direct,indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of thisinformation.TrademarkLogRhythm is a trademark of LogRhythm, Inc.May be reproduced only in its original entirety without revision.2

Security TargetVersion 1.1, March 30, 2012Contents1. SECURITY TARGET INTRODUCTION .51.1SECURITY TARGET, TOE AND CC IDENTIFICATION .51.2CONFORMANCE CLAIMS .61.3CONVENTIONS AND ACRONYMS .61.3.1Conventions .61.3.2Acronyms .72.TOE DESCRIPTION .82.1TOE OVERVIEW .82.2TOE ARCHITECTURE .82.2.1Physical Boundaries . 112.2.2Logical Boundaries . 122.2.3Excluded Product Functionality . 152.3TOE DOCUMENTATION . 153.SECURITY PROBLEM DEFINITION . 163.1ASSUMPTIONS . 163.1.1Intended Usage Assumptions . 163.1.2Physical Assumptions . 163.1.3Personnel Assumptions . 163.2THREATS . 163.2.1TOE Threats. 173.2.2IT System Threats . 173.3ORGANIZATIONAL SECURITY POLICIES . 174.SECURITY OBJECTIVES . 194.14.25.INFORMATION TECHNOLOGY (IT) SECURITY OBJECTIVES . 19SECURITY OBJECTIVES FOR THE ENVIRONMENT. 19IT SECURITY REQUIREMENTS . 215.1EXTENDED COMPONENTS DEFINITION . 215.2TOE SECURITY FUNCTIONAL REQUIREMENTS . 215.2.1Security Audit (FAU) . 225.2.2Identification and Authentication (FIA) . 235.2.3Security Management (FMT) . 245.2.4Protection of the TSF (FPT) . 245.2.5IDS Component Requirements (IDS) . 255.3TOE SECURITY ASSURANCE REQUIREMENTS. 265.3.1Development (ADV) . 275.3.2Guidance Documents (AGD) . 285.3.3Life-cycle Support (ALC) . 295.3.4Tests (ATE) . 305.3.5Vulnerability Assessment (AVA) . 306.TOE SUMMARY SPECIFICATION . 326.1TOE SECURITY FUNCTIONS. 326.1.1Security Audit. 326.1.2Identification and Authentication . 336.1.3Security Management . 346.1.4Protection of the TSF . 356.1.5IDS Component Requirements . 377.PROTECTION PROFILE CLAIMS . 41May be reproduced only in its original entirety without revision.3

Security Target8.Version 1.1, March 30, 2012RATIONALE . 448. OBJECTIVES RATIONALE. 44SECURITY FUNCTIONAL REQUIREMENTS RATIONALE . 44SECURITY ASSURANCE REQUIREMENTS RATIONALE. 45REQUIREMENT DEPENDENCY RATIONALE . 45TOE SUMMARY SPECIFICATION RATIONALE. 45PP CLAIMS RATIONALE . 45TablesTable 1 - TOE Security Functional Components . 22Table 2 - Auditable Events . 22Table 3 - System Events . 25Table 4 - EAL 2 augmented with ALC FLR.2 Assurance Components . 27Table 5 - Protection Profile Claims . 43Table 6 - Requirement to Objective . 44Table 7 - Requirement Dependencies . 45May be reproduced only in its original entirety without revision.4

Security TargetVersion 1.1, March 30, 20121. Security Target IntroductionThis section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST conventions, STconformance claims, and the ST organization.The TOE is an Intrusion Detection System (IDS) consisting of several components that coordinate with one anotherto collect and analyze information from multiple log sources (such as Windows events, syslog, flat file, NetFlow,sFlow, databases or applications) and provides tools to view and analyze IDS results and to issue alerts of significantevents.The product can also provide endpoint monitoring and control functionality, but these capabilities are not addressedby the IDS System PP, to which the TOE claims conformance. As such, they are outside the scope of the evaluation.The endpoint monitoring and control functionality is provided by three components: the User Activity Monitor(UAM); the File Integrity Monitor (FIM); and the Data Loss defender (DLD). All three components are disabled bydefault. In addition, the FIM requires a separate license.The product includes support for the use of a SQL Server for user authentication, but this option must be disabled inthe evaluated configuration. The TOE must be configured to use Windows Active Directory or the local Windowsoperating system for user authentication.The Security Target contains the following additional sections: TOE Description (Section 2)This section gives an overview of the TOE, describes the TOE in terms of its physical and logicalboundaries, and states the scope of the TOE. Security Problem Definition (Section 3)This section details the expectations of the environment, including the assumptions, organizational securitypolicies, and threats that are countered by the TOE and TOE environment. Security Objectives (Section 4)This section details the security objectives of the TOE and TOE environment. IT Security Requirements (Section 5)This section presents the security functional requirements (SFRs) for the TOE, and details the assurancerequirements for EAL2 augmented with ALC FLR.2. TOE Summary Specification (Section 6)This section describes the security functions represented in the TOE that satisfy the security requirements. Protection Profile Claims (Section 7)This section presents the Protection Profile claims and supporting rationale. Rationale (Section 8)This section closes the ST with the justifications of the security objectives, requirements and TOEsummary specifications as to their consistency, completeness, and suitability.1.1 Security Target, TOE and CC IdentificationST Title – LogRhythm Integrated Solution Security TargetST Version – Version 1.1ST Date –March 30, 2012TOE Identification – LogRhythm, Version 6.0.4 with Microsoft SQL Server 2008 R2 Enterprise EditionMay be reproduced only in its original entirety without revision.5

Security TargetVersion 1.1, March 30, 2012TOE Developer – LogRhythm, Inc.Evaluation Sponsor – LogRhythm, Inc.CC Identification – Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2,September 20071.2 Conformance ClaimsThis TOE is conformant to the following CC specifications: Common Criteria for Information Technology Security Evaluation Part 2: Security FunctionalRequirements, Version 3.1, Revision 2, September 2007. Common Criteria for Information Technology Security Evaluation Part 3: Security AssuranceComponents, Version 3.1, Revision 2, September 2007. Part 3 ConformantThis ST and the TOE it describes are conformant to the following package: Part 2 ExtendedEAL 2 Augmented with ALC FLR.2This ST and the TOE it describes are conformant to the following protection profile: