Kaspersky Anti Targeted Attack Platform (hereinafter also referred to as "the application") is a solution designed for the protection of a corporate IT infrastructure and timely detection of threats such as zero-day attacks, targeted attacks, and complex targeted attacks known as advanced persistent threats (hereinafter also referred to as "APT"). The solution is developed for corporate users.
The Kaspersky Anti Targeted Attack Platform solution includes two functional units:
Kaspersky Anti Targeted Attack (hereinafter also referred to as "KATA"), which provides perimeter security for the enterprise IT infrastructure.
Network Detection and Response (hereinafter also referred to as "NDR"), which provides protection of the corporate LAN.
The solution can receive and process data in the following ways:
Integrate into the local area network, receive and process mirrored SPAN, ERSPAN and RSPAN traffic, and extract objects and metadata from the HTTP, HTTP2, FTP, SMTP, DNS, SMB, and NFS protocols.
Mirrored traffic is a copy of traffic redirected from one switch port to another port of the same switch (local mirroring) or to a remote switch (remote mirroring). The network administrator can configure which part of the traffic is mirrored for transmission to Kaspersky Anti Targeted Attack Platform.
Kaspersky Anti Targeted Attack Platform supports receiving mirrored traffic from aggregating devices: a network packet broker or a network tap. If filtering is to be applied to traffic coming from aggregating devices, the hardware requirements of Kaspersky Anti Targeted Attack Platform must be adjusted. To determine the actual hardware requirements of the solution, we recommend doing a pilot deployment first.
Connect to the proxy server via the ICAP protocol, receive and process data of HTTP, HTTP2, and FTP traffic, as well as HTTPS traffic if the administrator has configured SSL certificate replacement on the proxy server.
Connect to the mail server via the POP3(S) and SMTP protocols, and receive and process copies of email messages.
Integrate with Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server, and receive and process copies of email messages.
Receive and process copies of network traffic obtained from a remote location using the Kaspersky SD-WAN application. This makes detection and monitoring of network activity more flexible, allowing you to analyze traffic from different points on the network and take appropriate action to ensure network security.
For detailed information on Kaspersky Secure Mail Gateway, Kaspersky Security for Linux Mail Server and Kaspersky SD-WAN, please refer to the documentation of these applications.
Integrate with external systems via the REST API and scan files on these systems.
The solution uses the following means of Threat Intelligence:
The Kaspersky Security Network (hereinafter also referred to as "KSN") cloud service infrastructure, which provides access to the online Knowledge Base of Kaspersky containing information about the reputation of files, web resources, and software. Using data from Kaspersky Security Network ensures faster responses by Kaspersky applications to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.
Integration with Kaspersky Private Security Network (KPSN) to access the reputation databases of Kaspersky Security Network and other statistical data without sending data from user computers to Kaspersky Security Network.
Integration with the Kaspersky information system known as Kaspersky Threat Intelligence Portal, which contains and displays information about the reputation of files and URLs.
The solution can provide the results of its operation and Threat Intelligence to the user in the following ways:
Display results in the web interface of the Central Node, Primary Central Node (hereinafter also referred to as "PCN") or Secondary Central Node (hereinafter also referred to as "SCN") servers.
Publish alerts to a SIEM system already being used in your organization via the Syslog protocol.
Integrate with external systems via the REST API and send information on alerts generated by the solution to external systems on demand.
View the table of detected signs of targeted attacks and intrusions into the corporate IT infrastructure, filter and search alerts, view and manage each alert, and follow recommendations for evaluating and investigating incidents.
Manage user-defined YARA, Sandbox, and Intrusion Detection rules: upload rules that the application uses to check for events and create alerts.
Manage Network Anomaly Detection rules.
Manage network isolation rules for devices through Check Point NGFW and UserGate NGFW solutions.
Manage copies of objects in Storage.
Manage reports about application performance and alerts.
Configure email notifications to users about alerts and about problems encountered by the application.
Manage the list of VIP alerts and the list of data excluded from the scan, and populate the local reputation database of KPSN.
Store and download copies of raw network traffic for analysis in external systems.
Users with the Security auditor role can perform the following actions in the application:
Monitor the components of the solution.
View the table of detected signs of targeted attacks and intrusions into the enterprise IT infrastructure, filter and search alerts, and view the data of each alert.
View the list of computers with the Endpoint Agent component that support automatic file exchange with Kaspersky Anti Targeted Attack Platform.
View user-defined YARA rules, Sandbox rules, and Intrusion Detection rules.
View Network Anomaly Detection rules.
View network isolation rules applied through the Check Point NGFW and UserGate NGFW solutions.
View reports about application performance and alerts.
View the list of VIP alerts and the list of data excluded from the scan.
View all settings made in the application web interface.
Store and download copies of raw network traffic for analysis in external systems.
Users with the Administrator role can perform the following actions in the application:
Edit application settings.
Configure servers for the distributed solution and multitenancy mode.
Set up the integration of the application with other applications and systems.
Manage TLS certificates and set up trusted connections between the Central Node server and the Sandbox server, between Kaspersky Anti Targeted Attack Platform servers and the Endpoint Agent component, and with external systems.
Manage accounts of application users.
Configure automatic file exchange with applications acting as an Endpoint Agent component for subsequent scanning of the files in Sandbox.