Kaspersky Anti Targeted Attack Platform (hereinafter also referred to as "the program") is a solution designed for the protection of a corporate IT infrastructure and timely detection of threats such as zero-day attacks, targeted attacks, and complex targeted attacks known as advanced persistent threats (hereinafter also referred to as "APT"). The program is developed for corporate users.
Kaspersky Anti Targeted Attack Platform includes two functional blocks:
Kaspersky Anti Targeted Attack (hereinafter also referred to as "KATA"), which provides perimeter security for the enterprise IT infrastructure.
Kaspersky Endpoint Detection and Response (hereinafter also referred to as "KEDR"), which provides protection for the local area network of the organization.
KEDR is licensed separately from KATA. To activate this functionality, you need to use a separate key. You can purchase KEDR with KATA or separately.
The program can receive and process data in the following ways:
Integrate into the local area network, receive and process mirrored SPAN, ERSPAN and RSPAN traffic, and extract objects and metadata from the HTTP, FTP, SMTP, and DNS protocols.
Mirrored traffic is a copy of traffic redirected from one switch port to another port of the same switch (local mirroring) or to a remote switch (remote mirroring). The network administrator can configure which part of the traffic should be mirrored for transmission to Kaspersky Anti Targeted Attack Platform.
Connect to the proxy server via the ICAP protocol, receive and process data of HTTP and FTP traffic, as well as HTTPS traffic if the administrator has configured SSL certificate replacement on the proxy server.
Connect to the mail server via the POP3(S) and SMTP protocols, and receive and process copies of e-mail messages.
Integrate with the Kaspersky Lab applications Kaspersky Secure Mail Gateway and Kaspersky Security for Linux® Mail Server, and receive and process copies of e-mail messages.
For detailed information on Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server, please refer to the documentation on these applications.
Integrate with external systems via the REST API and scan files on those systems.
Receive data from individual computers in the corporate IT infrastructure that run the Microsoft® Windows® operating system, in order to continuously monitor the processes running on those computers, their active network connections, and the files that are modified on them.
The Kaspersky Anti Targeted Attack Platform Endpoint Sensors component can be installed on individual computers and receive data from these computers.
Kaspersky Anti Targeted Attack Platform can be integrated with the Kaspersky Endpoint Security for Windows program by Kaspersky Lab (also referred to as "KES").
For details about Kaspersky Endpoint Security for Windows, see Kaspersky Endpoint Security Help.
The program uses the following sources of Threat Intelligence:
Infrastructure of Kaspersky Security Network (also referred to as “KSN”) cloud services that provides access to the online Knowledge Base of Kaspersky Lab, which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky Lab applications to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.
Integration with Kaspersky Private Security Network (KPSN), a Kaspersky Lab application that provides access to the reputation databases of Kaspersky Security Network and other statistical data without sending data from user computers to Kaspersky Security Network.
Integration with the Kaspersky Lab information system known as Kaspersky Threat Intelligence Portal, which contains and displays information about the reputation of files and URLs.
The program can provide the user with the results of its operation and with Threat Intelligence in the following ways:
Display operation results in the web interface of the Central Node, PCN, or SCN servers.
Publish alerts to a SIEM system already being used in your organization via the Syslog protocol.
Integrate with external systems via the REST API and send information on detects to external systems on demand.
A local reputation database is a database of the reputations of objects (files or URLs) that is stored on the Kaspersky Private Security Network server rather than on Kaspersky Security Network servers. Local reputation databases are managed by the KPSN administrator.
Senior security officer and Security officer users can perform the following actions in the program:
Monitor program performance.
View the table of detected signs of targeted attacks and intrusions into the corporate IT infrastructure, filter and search alerts, and view and manage each alert.
View the table of events occurring on the computers and servers of the organization's IT infrastructure, search for threats, and filter, view, and work with each event.
Run tasks on hosts with the Endpoint Sensors component: start programs and stop processes, download and delete files, place objects and their copies in Backup and Quarantine, and restore them from Quarantine.
Configure policies for preventing the startup of files that they consider to be unsafe on selected hosts with the Endpoint Sensors component.
Isolate individual hosts with the Endpoint Sensors component from the network.
Work with objects and their copies in Backup and Quarantine.
Use OpenIOC standard files to search for signs of targeted attacks and for infected and probably infected objects on hosts with the Endpoint Sensors component and in the Alerts database.
Work with Indicators of Attack (IOA) to classify and analyze events.
Manage reports on program operation and on detects.
Configure forwarding of notifications about alerts and about program operation problems to one or multiple email addresses.
Manage a list of VIP group addresses and a white list of data, and add entries to the local reputation database of KPSN.
Local administrator and Administrator users can use the program to:
Configure program operation settings.
Configure servers for the distributed solution and multitenancy mode of the program.
Administer integration of the program with other programs and systems.
Manage accounts of program users.
Monitor program performance.
The program detects the following events occurring within the corporate IT infrastructure and notifies the user accordingly:
A file has been downloaded or an attempt was made to download a file to a corporate LAN computer.
A file has been sent to the email address of a user on the corporate LAN.
A website link was opened on a corporate LAN computer.
Network activity has occurred in which the IP address or domain name of a corporate LAN computer was detected.
Processes have been started on a corporate LAN computer.
Kaspersky Anti Targeted Attack Platform evaluates events and, based on Kaspersky Lab experience, advises the user how much attention each detected event (alert) warrants, according to the impact the alert may have on the security of the computer or the corporate LAN.
The Kaspersky Anti Targeted Attack Platform user independently makes a decision about further actions in response to alerts.