About Kaspersky Endpoint Detection and Response Optimum
Kaspersky Endpoint Detection and Response Optimum is a solution designed to protect an organization IT infrastructure from complex cyberthreats. The solution functionality combines automatic threat detection with the ability to respond to these threats to resist complex attacks, including new exploits, ransomware, fileless attacks, and methods that use legitimate system tools. The solution is intended for corporate users.
Updates functionality (including providing anti-virus signature updates and codebase updates), as well as KSN functionality will not be available in the software in the U.S. territory from 12:00 AM Eastern Daylight Time (EDT) on September 10, 2024 in accordance with the restrictive measures.
Solution architecture
The solution consists of the following components:
- Kaspersky Endpoint Agent as part of Endpoint Protection Platform (for example, as a part of Kaspersky Endpoint Security) is installed on individual devices in the organization IT infrastructure that are running under Microsoft Windows operating system. The application constantly monitors the processes running on these devices, open network connections and the files being modified.
- Kaspersky Security Center and Kaspersky Security Center Web Console (or Kaspersky Security Center Cloud Console and cloud Administration Console) allow you to centrally manage the solution and its settings by means of a single web interface.
- Kaspersky Sandbox (optional component, distributed separately) is intended for additional inspection of suspicious objects detected by EPP. For detailed information about Kaspersky Sandbox, refer to Kaspersky Sandbox Help.
Threat detection
Kaspersky Endpoint Detection and Response Optimum performs review and analysis of the threat development and provides the Security Officer or Administrator with information about a potential attack in order to respond to the threat in a timely manner.
Incident card is a tool for viewing all collected information about a detected threat and for managing response actions. An incident card is displayed in Kaspersky Security Center and may contain, for example, the following information about a detected threat:
- Threat development chain graph.
- Information about the device on which the threat is detected (for example, name, IP address, MAC address, user list, operating system).
- General information about the detection, including detection mode (for example, detection during on-demand scan or during automatic scan).
- Registry changes associated with the detection.
- History of the file presence on the device.
- Response actions performed by the application.
Threat development chain graph is a tool for analyzing the reasons of the threat. The graph provides visual information about the objects involved in the incident, for example, about key processes on the device, network connections, libraries, registry hives.
The solution uses the following Threat Intelligence tools for analyzing threats:
- Kaspersky Security Network (KSN) infrastructure of cloud services that provides access to the online Kaspersky Knowledge Base, which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky applications to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.
- Integration with Kaspersky Private Security Network (hereinafter also referred to as KPSN) that allows the users to access KSN reputation databases, as well as other statistics without submitting data to KSN from their computers.
- Integration with Kaspersky Threat Intelligence Portal information system, which contains and displays information about the reputation of files and URLs.
- Kaspersky Threats database.
Threat response
The threat response functionality provides the following automatic response actions that the application performs when threats are detected:
- Quarantine object.
- Delete file.
- Isolate device from the network.
- Run Critical Areas Scan on the device.
- Start search for indicators of compromise (IOC Scan) for a group of devices.
Additionally, the following actions are available to a Security Officer or an Administrator:
- Place objects to the Execution prevention list.
- Start process on the device.
- Terminate process on the device.
Kaspersky Endpoint Agent functions
As part of Kaspersky Endpoint Detection and Response Optimum solution, Kaspersky Endpoint Agent performs the following actions:
- Collects information about detections from Endpoint Protection Platform (for example, from Kaspersky Endpoint Security).
- Supplements verdict information with data about the detection.
- Submits data to Kaspersky Security Center to create a threat development chain.
- Starts IOC Scan tasks (search for indicators of compromise) on groups of protected devices.
- Performs actions in response to detected indicators of compromise, for example:
- enables network isolation of the device;
- starts Critical Areas Scan on the device.
- Submits objects to Kaspersky Sandbox for scan (if integration with Kaspersky Sandbox is configured).
Page top