Kaspersky Industrial CyberSecurity for Networks

What's new

March 22, 2024

ID 137225

Kaspersky Industrial CyberSecurity for Networks 4.1 has the following new capabilities and refinements:

  • Security audit functionality is added to assess device compliance with security standards and to run other checks on devices. Devices can be scanned by Kaspersky Endpoint Agent or by connecting to them remotely over protocols that provide secure management and data transfer. The credentials used for these connections are kept in a secret storage implemented in the application. Detailed results of security audit jobs are provided in reports that can be generated automatically or manually.
  • Asset control is expanded with hardware inventory monitoring. From data provided by EPP applications and collected during active polling, the application receives and displays more information about device hardware (processors, RAM, local disks) and uses it to supplement information obtained from traffic analysis or entered manually. When hardware changes or new hardware information is received, the application registers the corresponding events.
  • Device category detection is improved. Additional algorithms identify device categories more accurately from EPP application data and traffic analysis results.
  • EDR incidents are now displayed. Events based on the EPP technology show the threat development chains received from Kaspersky Endpoint Agent. When viewing the activity events in a threat development chain, you can follow the links on file hashes and URLs to look up the reputation of these objects on the Kaspersky Threat Intelligence Portal. Activity event data can be exported to indicator of compromise (IOC) files for use in IOC search tasks run by Kaspersky Endpoint Agent.
  • Response actions can now be triggered. On devices with Kaspersky Endpoint Agent installed, you can trigger response actions to prevent or limit the impact of detected threats (for example, network isolation of the device). Response actions are available both from events and from devices; the full set of response actions is available for events that are EDR incidents (events for which a threat development chain is built).
  • Network sessions are displayed as a table. In addition to the network interactions map, the application shows a table of network sessions, giving more options for investigating incidents and analyzing network connection statistics. The table is populated by the new Network Session Detection method, which can be enabled or disabled.
  • The Brute-force Attack and Scan Detection method is added to the Intrusion Detection technology. It analyzes network activity statistics for signs of credential brute-force attacks, denial of service, scanning, network service spoofing, and other anomalies, using built-in rules. When a rule is triggered, the application registers an event based on the Intrusion Detection technology.
  • Technology management is expanded. To commission application components gradually, you can enable or disable technologies separately on the Server and sensor nodes and on individual monitoring points. When configuring a technology's usage mode, you can set the date and time at which it switches automatically from training mode to monitoring mode.
  • Traffic received at monitoring points can be downloaded. Traffic is taken from the internal traffic dump storage on the Server and sensor nodes, and from external storage if it is connected to a node. Packets can be filtered before download, including by time period and by filtering expression. Traffic can be downloaded when viewing nodes and monitoring points, the network sessions table, or the network interactions map.
  • The graphical user interface is improved: the details areas have more room for displaying information and parameters of the selected elements.
  • The list of supported external project types for import is extended. New project types containing process control configurations for devices can be imported into the application.
  • Support for application layer protocols and process control devices is extended: traffic of already supported protocols and devices is analyzed in more depth, and new protocols and devices are supported.
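The Brute-force Attack and Scan Detection method described above works on network activity statistics rather than on packet signatures. The following Python is an added example, not Kaspersky's code and not its built-in rules: it applies two statistics-based rules of that kind to a constructed network-session table like the one the application now displays. The first counts failed authentications per source, destination and port inside a sliding window; the second counts distinct destination ports and distinct destination hosts per source per minute, which separates a port scan from a host sweep. The Session record layout, the thresholds, the rule names and the sample traffic are all assumptions.

```python
"""Heuristic brute-force and scan detection over a network-session table.

Added example. The record format, thresholds and sample traffic are
assumptions; they are not the product's own rules or data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Session:
    ts: datetime        # session start
    src: str            # source IP
    dst: str            # destination IP
    dport: int          # destination port
    proto: str          # application protocol label, e.g. "ssh", "s7comm"
    failed_auth: bool   # True if the session ended with an authentication failure


def detect_bruteforce(sessions, window=timedelta(minutes=5), threshold=10):
    """Alert once per (src, dst, dport) when failed-auth sessions reach
    `threshold` within a sliding `window`. Successful sessions are ignored,
    so a busy but healthy service does not trip the rule."""
    alerts = []
    recent = defaultdict(list)   # key -> timestamps of failed sessions still in window
    flagged = set()
    for s in sorted(sessions, key=lambda s: s.ts):
        if not s.failed_auth:
            continue
        key = (s.src, s.dst, s.dport)
        q = recent[key]
        q.append(s.ts)
        while s.ts - q[0] > window:   # expire timestamps that fell out of the window
            q.pop(0)
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"rule": "bruteforce", "src": s.src, "dst": s.dst,
                           "dport": s.dport, "count": len(q),
                           "first": q[0], "last": s.ts})
    return alerts


def detect_scan(sessions, min_ports=15, min_hosts=10):
    """Per one-minute tumbling window: a source touching >= min_ports distinct
    ports on one host is a port scan; a source touching one port on
    >= min_hosts distinct hosts is a host sweep."""
    ports = defaultdict(set)   # (minute, src, dst) -> distinct dports
    hosts = defaultdict(set)   # (minute, src, dport) -> distinct dsts
    for s in sessions:
        minute = s.ts.replace(second=0, microsecond=0)
        ports[(minute, s.src, s.dst)].add(s.dport)
        hosts[(minute, s.src, s.dport)].add(s.dst)
    alerts = []
    for (minute, src, dst), p in ports.items():
        if len(p) >= min_ports:
            alerts.append({"rule": "port_scan", "src": src, "dst": dst,
                           "ports": len(p), "minute": minute})
    for (minute, src, dport), h in hosts.items():
        if len(h) >= min_hosts:
            alerts.append({"rule": "host_sweep", "src": src, "dport": dport,
                           "hosts": len(h), "minute": minute})
    return alerts


def run_rules(sessions):
    return detect_bruteforce(sessions) + detect_scan(sessions)


def build_sample_sessions():
    """Constructed sample: one brute-force source, one scanning source,
    and an operator whose few typos must not raise an alert."""
    t0 = datetime(2024, 3, 22, 8, 0, 0)
    sessions = []
    # 12 failed SSH logons from one workstation within two minutes
    for i in range(12):
        sessions.append(Session(t0 + timedelta(seconds=10 * i), "10.0.0.5", "10.0.1.20", 22, "ssh", True))
    # 3 failed logons from an operator: below threshold, no alert expected
    for i in range(3):
        sessions.append(Session(t0 + timedelta(minutes=1, seconds=20 * i), "10.0.0.7", "10.0.1.20", 22, "ssh", True))
    # successful S7comm polling in the background
    for i in range(30):
        sessions.append(Session(t0 + timedelta(seconds=4 * i), "10.0.0.7", "10.0.1.20", 102, "s7comm", False))
    # port scan: 20 distinct ports on one PLC within one minute
    for i, port in enumerate(range(1, 21)):
        sessions.append(Session(t0 + timedelta(minutes=3, seconds=i), "10.0.0.9", "10.0.1.20", port, "tcp", False))
    # host sweep: Modbus/TCP port 502 on 12 hosts within one minute
    for i in range(12):
        sessions.append(Session(t0 + timedelta(minutes=4, seconds=i), "10.0.0.9", f"10.0.1.{30 + i}", 502, "modbus", False))
    return sessions


if __name__ == "__main__":
    for alert in run_rules(build_sample_sessions()):
        print(alert)
```

The thresholds have to be set against the site's own baseline: in a process network, HMIs and SCADA pollers legitimately contact many devices on one port, so a host-sweep rule needs an allowlist of known pollers before it is useful, and that is also why a training mode matters before switching to monitoring.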
