Kaspersky Endpoint Agent

About Kaspersky Endpoint Detection and Response Optimum

November 17, 2023

ID 200989

Kaspersky Endpoint Detection and Response Optimum is a solution designed to protect an organization's IT infrastructure from complex cyberthreats. The solution's functionality combines automatic threat detection with the ability to respond to these threats to resist complex attacks, including new exploits, ransomware, fileless attacks, and methods that use legitimate system tools. The solution is intended for corporate users.

Solution architecture

The solution consists of the following components:

  • Kaspersky Endpoint Agent, as part of Endpoint Protection Platform (for example, as part of Kaspersky Endpoint Security), is installed on individual devices in the organization's IT infrastructure that run the Microsoft Windows operating system. The application constantly monitors the processes running on these devices, as well as open network connections and file modifications.
  • Kaspersky Security Center and the Kaspersky Security Center Web Console (or Kaspersky Security Center Cloud Console and cloud Administration Console) allow you to centrally manage the solution and its settings by means of a single web interface.
  • Kaspersky Sandbox (optional component, distributed separately) is intended for additional inspection of unknown objects detected by EPP; these objects can be exploited by intruders to harm the user's computer or data. For detailed information about Kaspersky Sandbox, refer to Kaspersky Sandbox Help.

Threat detection

Kaspersky Endpoint Detection and Response Optimum reviews and analyzes threat development and provides the Security Officer or Administrator with information about a potential attack so that they can respond to the threat in a timely manner.

An incident card is a tool for viewing all received information about a detected threat and for managing responsive actions. An incident card is displayed in Kaspersky Security Center and may contain, for example, the following information about a detected threat:

  • Threat development chain graph.
  • Information about the device on which the threat was detected (for example, name, IP address, MAC address, user list, operating system).
  • General information about the detection, including detection mode (for example, detection during on-demand scanning or during automatic scanning).
  • Registry changes associated with the detection.
  • History of the file presence on the device.
  • Responsive actions performed by the application.

A threat development chain graph is a tool for analyzing the reasons for the threat. The graph provides visual information about the objects involved in the incident, for example, key processes on the device, network connections, libraries, and registry hives.

The solution uses the following Threat Intelligence tools for analyzing threats:

  • The Kaspersky Security Network (KSN) infrastructure of cloud services, which provides access to the online Kaspersky Knowledge Base containing information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network facilitates faster responses by Kaspersky applications to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.
  • Integration with the Kaspersky Private Security Network (hereinafter also referred to as KPSN), which allows users to access KSN reputation databases, as well as other statistics, without submitting data to KSN from their computers.
  • Integration with the Kaspersky Threat Intelligence Portal information system, which contains and displays information about the reputation of files and URLs.
  • Kaspersky Threats database.

Threat response

The threat response functionality provides the following automatic responsive actions that the application performs when threats are detected:

  • Quarantine object.
  • Delete file.
  • Isolate device from the network.
  • Run Critical Areas Scan on the device.
  • Start search for indicators of compromise (IOC Scan) for a group of devices.

Additionally, the following actions are available to a Security Officer or an Administrator:

  • Place objects on the Execution prevention list.
  • Start process on the device.
  • Terminate process on the device.

Kaspersky Endpoint Agent functions

As part of the Kaspersky Endpoint Detection and Response Optimum solution, Kaspersky Endpoint Agent performs the following actions:

  • Collects information about detections from Endpoint Protection Platform (for example, from Kaspersky Endpoint Security).
  • Supplements verdict information with data about the detection.
  • Submits data to Kaspersky Security Center to create a threat development chain.
  • Starts IOC Scan tasks (search for indicators of compromise) on groups of protected devices.
  • Performs actions in response to detected indicators of compromise, for example:
    • enables network isolation of the device;
    • starts Critical Areas Scan on the device.
  • Submits objects to Kaspersky Sandbox for scanning (if integration with Kaspersky Sandbox is configured).
