Integration with Kaspersky Anti Targeted Attack Platform

Kaspersky Endpoint Security is compatible with the Kaspersky Anti Targeted Attack Platform solution, which is designed to protect the IT infrastructure of organizations and promptly detect threats, such as zero-day attacks, targeted attacks, and advanced persistent threats (APT). To read more, check out the Kaspersky Anti Targeted Attack Platform Help.

The Kaspersky Endpoint Security application can integrate with the following components of the Kaspersky Anti Targeted Attack Platform solution:

• Kaspersky Endpoint Detection and Response (KATA) protects devices on the corporate LAN. When interacting with Kaspersky Endpoint Detection and Response (KATA), Kaspersky Endpoint Security can:
  • Send data about events on devices (telemetry) to the Kaspersky Anti Targeted Attack Platform server with the Central Node component ("KATA server"). Kaspersky Endpoint Security sends monitoring data on processes, open network connections, and modified files to the KATA server, as well as data on threats detected by the application and data on the results of processing these threats.
  • Execute response actions to ensure security when receiving commands from Kaspersky Anti Targeted Attack Platform.
• Kaspersky Network Detection and Response (KATA) protects the internal enterprise network and sends data about events on devices (telemetry) to the Kaspersky Anti Targeted Attack Platform server with the Central Node component (hereinafter also the NDR server).
• KATA Sandbox analyzes and scans objects to detect malicious activity and indicators of targeted attacks on the corporate IT infrastructure using special servers with deployed virtual images of operating systems (hereinafter also the Sandbox server).

Integration with these components of the Kaspersky Endpoint Detection and Response (KATA) solution is provided by the following components of the Kaspersky Endpoint Security application:

• Endpoint Detection and Response (KATA) (hereinafter also EDR (KATA))
• Network Detection and Response (KATA) (hereinafter also NDR (KATA))
• Sandbox

You can configure the integration of the Kaspersky Endpoint Security application with all components of the Kaspersky Anti Targeted Attack Platform solution, as well as with each component individually.

To integrate with Kaspersky Anti Targeted Attack Platform components, you need to activate the Kaspersky Anti Targeted Attack Platform solution (see the solution help for more details). There is no need to activate the Kaspersky Endpoint Security components that provide integration. The main licenses for Kaspersky Endpoint Security include this functionality.

Integration of the Kaspersky Endpoint Security application with Kaspersky Anti Targeted Attack Platform is possible only if the Behavior Detection component is enabled. Otherwise, the necessary telemetry is not transmitted (except for synchronization requests).

The Kaspersky Endpoint Detection and Response (KATA) component can additionally use data received from the following components:

• File Threat Protection.
• Network Threat Protection.
• Web Threat Protection.

The Kaspersky Network Detection and Response (KATA) component can additionally use data received from the following components:

• File Threat Protection.
• Network Threat Protection.
• Web Threat Protection.
• Anti-Cryptor.
• Application Control.
• Device Control.
• System Integrity Monitoring.

While integrated with the Kaspersky Anti Targeted Attack Platform solution, devices running Kaspersky Endpoint Security establish encrypted connections to the KATA/NDR/Sandbox server using the HTTPS protocol. To ensure the security of the connection, the following certificates issued by the KATA/NDR/Sandbox server are used:

• KATA/NDR/Sandbox server certificate. The connection is encrypted using the server's TLS certificate. You can elevate the security of the connection by verifying the server certificate on the Kaspersky Endpoint Security side. To do this, you need to add the KATA/NDR/Sandbox server certificate before enabling integration with the Kaspersky Anti Targeted Attack Platform solution.
• Client certificate. This certificate is used for additional connection protection using two-way authentication (i.e. the KATA/NDR/Sandbox server checks devices with the Kaspersky Endpoint Security application). The same client certificate can be used by multiple devices. By default, the KATA/NDR/Sandbox server does not check client certificates, but two-way authentication can be enabled on the Kaspersky Anti Targeted Attack Platform side. In this case, you need to enable two-way authentication in the Kaspersky Endpoint Detection and Response (KATA), Kaspersky Network Detection and Response (KATA), or KATA Sandbox integration settings and add the client certificate (cryptocontainer with certificate and private key).

Certificates for securing the connection to the KATA/NDR/Sandbox server are provided by the Kaspersky Anti Targeted Attack Platform administrator.

A proxy server is used to connect to the KATA/NDR/Sandbox server if use of a proxy server is configured in the general application settings of Kaspersky Endpoint Security.

By default, integration with Kaspersky Anti Targeted Attack Platform solution components is disabled. You can enable or disable the integration, and configure the following integration settings via the command line, Web Console, and Administration Console:

• Configure general KATA/NDR/Sandbox server connection settings.
• Add or remove KATA/NDR/Sandbox server certificates.
• Configure two-way authentication when connecting to KATA/NDR/Sandbox servers and add client certificates.
• Configure event forwarding.
• Enable or disable telemetry (only when integrated with Kaspersky Endpoint Detection and Response (KATA)).

  If integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response is enabled, process exclusions are not applied when sending telemetry.

Managing Kaspersky Anti Targeted Attack Platform integration settings in Kaspersky Security Center Cloud Console is not supported.

In this section Configuring EDR (KATA) / NDR (KATA) in the Web Console Configuring EDR (KATA) / NDR (KATA) in the Administration Console Configuring EDR (KATA) / NDR (KATA) on the command line Configuring the KATA Sandbox integration in the Web Console Configuring the KATA Sandbox integration on the command line

Page top