Kaspersky Anti Targeted Attack Platform includes two functional blocks:
You can use the full functionality of the program (KATA key and KEDR key) or partial functionality (only KATA key or only KEDR key).
Principle of operation of Kaspersky Anti Targeted Attack
Kaspersky Anti Targeted Attack includes the following components:
Sensor, Central Node and Sandbox interoperate as follows:
IDS technology can recognize and detect network activity in 80 protocols, particularly in 53 application layer protocols of the TCP/IP model, detecting suspicious traffic and network attacks. Supported protocols include TCP, UDP, FTP, TFTP, SSH, SMTP, SMB, CIF, SSL, HTTP, HTTP/2, HTTPS, TLS, ICMPv4, ICMPv6, IPv4, IPv6, IRC, LDAP, NFS, DNS, RDP, DCERPC, MS-RPC, WebSocket, Citrix and others.
A Sensor component can also be a mail sensor, which is a server or virtual machine on which the Kaspersky application Kaspersky Secure Mail Gateway (KSMG) or Kaspersky Security for Linux Mail Server (KLMS) is installed.
If any threats are detected, the Central Node server records relevant information in the alert database. You can view the alert table in the Alerts section of the program web interface or by generating an alert report.
Alert information can also be published to a SIEM system that is used in your organization, as well as external systems. Information on Sandbox component alerts can be published in the local reputation database of Kaspersky Private Security Network.
Principle of operation of Kaspersky Endpoint Detection and Response
Kaspersky Endpoint Detection and Response includes the following components:
The component is represented by Kaspersky Endpoint Agent for Windows and Kaspersky Endpoint Agent for Linux programs.
Optional component.
The Sensor component can be used as a proxy server for outgoing connections from Kaspersky Endpoint Agent.
Kaspersky Endpoint Agent and Central Node components interoperate as follows:
Kaspersky Endpoint Agent for Windows sends information about the following events to the Central Node server:
Kaspersky Endpoint Agent for Linux sends information about the following events to the Central Node server:
The programs can integrate with workstation protection programs (Endpoint Protection Platform (hereinafter also "EPP")).
Kaspersky Endpoint Agent for Windows can integrate with the following EPP programs:
Kaspersky Endpoint Agent for Linux can integrate with Kaspersky Endpoint Security for Linux.
In this case, Kaspersky Endpoint Agent also sends information about threats detected by the EPP programs and results of threat processing by these programs to the Central Node server.
EPP programs, Kaspersky Endpoint Agent, and Central Node components interoperate as follows:
Kaspersky Endpoint Security for Windows can also supply Kaspersky Endpoint Agent for Windows with information about third-party applications with Antimalware Scan Interface support (hereinafter also referred to as "AMSI") sending objects (for example, PowerShell scripts) to Kaspersky Endpoint Security for Windows for additional scanning.
The Central Node server processes received data and displays the corresponding events in the program web interface.
EPP program data processing generates Scan: detect, Scan: detect processing result, AMSI scan events (when Kaspersky Endpoint Agent for Windows is integrated with Kaspersky Endpoint Security for Windows).
Events arriving at the Central Node server are marked by TAA (IOA) rules. As a result of this markup, alerts are generated for events that require user attention. If you have the Sandbox component, you can also automatically send files from Kaspersky Endpoint Agent hosts to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules.
When the Central Node server is integrated with Kaspersky Endpoint Agent for Windows, you can do the following to react to detected threats:
When the Central Node server is integrated with Kaspersky Endpoint Agent for Linux, you can do the following to react to detected threats:
The principle of operation of Kaspersky Anti Targeted Attack Platform is shown in the following picture.
Principle of operation of Kaspersky Anti Targeted Attack Platform
You can configure settings of each Central Node component individually or manage several components in a centralized way in distributed solution mode.
A distributed solution is a two-tier hierarchy of Central Node servers. This structure sets apart a primary control server known as the Primary Central Node (PCN) and secondary servers known as Secondary Central Nodes (SCN).
The principle of operation of Kaspersky Anti Targeted Attack Platform in distributed solution mode is shown in the following picture.
Principle of operation of Kaspersky Anti Targeted Attack Platform in distributed solution mode