What's new

The following changes have been introduced in Kaspersky Anti Targeted Attack Platform 8.0:

• Support has been added for user authentication in the Kaspersky Anti Targeted Attack Platform web interface using Open Single Management Platform accounts
• User accounts can now be deleted in Kaspersky Anti Targeted Attack Platform.
• Integration with Check Point NGFW and UserGate NGFW is now supported, with the ability to create blocking rules for malicious hosts on these platforms.
• The implementation of Cloud Access Security Broker (CASB)-based monitoring provides control over user access to prohibited cloud services and enables real-time alerts for attempts to use shadow IT resources.
• A Network Anomaly Detection capability has been added to identify sophisticated attacks and indicators of compromise that signature-based security tools miss. By analyzing network sessions, traffic volumes, and data transfer context, Kaspersky Anti Targeted Attack Platform detects abnormally large volumes of traffic over DNS, ICMP, TCP, UDP, RDP, and SSH, including overnight and on weekends. These deviations are indicative of covert data exfiltration, DNS and ICMP tunneling, network policy bypassing, and unauthorized remote access.

  In addition, the platform detects suspicious connections and network segmentation violations. These include the use of non-standard ports and protocols, RDP and SSH connections to external addresses, firewall configuration errors, and attempts to bypass access control restrictions. Special focus is placed on attacks targeting domain infrastructure and user accounts, such as DCSync, DCShadow, Kerberos-based attacks, and brute-force attempts, as well as internal reconnaissance activity, including Active Directory, LDAP, and Kerberos enumeration, port scanning, and DNS zone transfers.

  This capability also enables detection of connections to suspicious external resources and attacker command-and-control servers, including DGA domains, DNS TXT tunneling, and tunneling and file-sharing services, allowing early identification of compromised hosts and insider activity. All detected anomalies are displayed in the context of network sessions and are enriched with attributes for rapid analysis and investigation.

  Flexible configuration of thresholds, object lists, and attributes allows detection logic to be adapted to a specific infrastructure without vendor support. This increases the effectiveness of the security monitoring center and reduces the time required to detect complex attacks.

• The traffic copy analysis functionality has been expanded. It is now possible to view a list of verified URLs and files, as well as filter and search for objects in the list. All observed objects are automatically extracted from the mirrored network traffic to ensure maximum transparency and control.
• Alert data has been expanded:
  • Alerts generated during object inspection by Kaspersky Secure Mail Gateway now include information on the actions performed on the objects.
  • Visualization of the activity tree in alerts generated by the Sandbox component has been improved.
  • The following new alert types have been added:
    • CASB-based alerts triggered by access to prohibited cloud services;
    • Network Anomaly Detection alerts triggered by detected network anomalies.
• A new deployment mode has been added that enables retrospective analysis of previously recorded network traffic in automatic or manual mode.
• Additional alert data from Kaspersky Anti Targeted Attack Platform can now be transferred to Kaspersky Managed Detection and Response upon request by the MDR solution administrator.
• Support has been added for the automatic ingestion and dynamic analysis of files received from Kaspersky Endpoint Security for Windows and Kaspersky Endpoint Security for Linux in the Sandbox component.
• The KEDR functional block is no longer included in Kaspersky Anti Targeted Attack Platform. It is now available as the standalone solution Kaspersky EDR Expert.
• The number of Endpoint Agent components that can connect to a single Central Node has increased to 15,000.
• Support has been added for Sandbox analysis of encrypted archives received from Kaspersky Secure Mail Gateway.
• Support has been added for detecting insecure transmission of credentials (username and password) in unencrypted traffic. When this type of transmission is detected, Kaspersky Anti Targeted Attack Platform generates an IDS event and a corresponding alert.
• Support has been added for automatic detection of personal and unmanaged (BYOD) devices on the network without the use of third-party systems or manual analysis. The feature facilitates rapid identification of BYOD-related threats that bypass corporate policies, helping prevent data leaks, infections, and compliance violations. When BYOD devices are detected, Kaspersky Anti Targeted Attack Platform generates an EXT event and assigns the risk Unauthorized access (violation of the BYOD usage policy).

Changes in Kaspersky Endpoint Security 12.11 for Windows

You can view the list of changes in Kaspersky Endpoint Security 12.11 for Windows in the Kaspersky Endpoint Security for Windows Online Help.

Changes in Kaspersky Endpoint Security 12.4.0 for Linux

You can view the list of changes in Kaspersky Endpoint Security 12.4.0 for Linux in the Kaspersky Endpoint Security for Linux Online Help.

See also About Kaspersky Anti Targeted Attack Platform Using Kaspersky Threat Intelligence Portal Distribution kit Hardware and software requirements Limitations

Page top