Managed Detection and Response

Kaspersky Endpoint Security 11.6.0 introduces the built-in agent for the Managed Detection and Response solution. The Kaspersky Managed Detection and Response (MDR) solution automatically detects and analyzes security incidents in your infrastructure. To do so, MDR uses telemetry data received from endpoints and machine learning. MDR sends incident data to Kaspersky experts. The experts can then process the incident and, for example, add a new entry to the Anti-Virus databases. Alternatively, the experts can issue recommendations on processing the incident and, for example, suggest isolating the computer from the network. For detailed information about how the solution works, please refer to the Kaspersky Managed Detection and Response Help.

When interacting with Kaspersky Managed Detection and Response, the application lets you perform the following functions:

Integration with Kaspersky Managed Detection and Response

Integration with Kaspersky Managed Detection and Response consists of the following steps:

  1. Configuring Private Kaspersky Security Network

    Skip this step if you are using Kaspersky Security Center Cloud Console. Kaspersky Security Center Cloud Console automatically configures Local Kaspersky Security Network when installing the MDR plug-in.

    Private KSN supports data exchange between computers and dedicated Kaspersky Security Network servers, but not with Global KSN.

    Upload the Kaspersky Security Network configuration file in the Administration Server properties. The Kaspersky Security Network configuration file is located within the ZIP archive of the MDR configuration file. You can obtain the ZIP archive in the Kaspersky Managed Detection and Response Console. For details on configuring Private Kaspersky Security Network, see Kaspersky Security Center Help. You can also upload a Kaspersky Security Network configuration file to the computer from the command line (see the instructions below).

    How to configure Private Kaspersky Security Network from the command line

    As a result, Kaspersky Endpoint Security will use Private KSN to determine the reputation of files, applications, and websites. The policy settings in the Kaspersky Security Network section will show the following operating status: KSN network: Private KSN.

    You must enable extended KSN mode for Managed Detection and Response to work.

  2. Activate Managed Detection and Response

    Load the BLOB configuration file in the Kaspersky Endpoint Security policy (see the instructions below). The BLOB file contains the client ID and information about the license for Kaspersky Managed Detection and Response. The BLOB file is located inside the ZIP archive of the MDR configuration file. You can obtain the ZIP archive in the Kaspersky Managed Detection and Response Console. For detailed information about a BLOB file, please refer to the Kaspersky Managed Detection and Response Help.

    How to activate Managed Detection and Response in the Administration Console (MMC)

    How to activate Managed Detection and Response in the Web Console and Cloud Console

    How to activate Managed Detection and Response from the command line

    As a result, Kaspersky Endpoint Security verifies the BLOB file. BLOB file verification includes checking the digital signature and the license term. If the BLOB file is successfully verified, Kaspersky Endpoint Security uploads the file and sends it to the computer during the next synchronization with Kaspersky Security Center. Check the operating status of the component by viewing the Application components status report. You can also view the operating status of a component in reports in the local interface of Kaspersky Endpoint Security. The Managed Detection and Response component is added to the list of Kaspersky Endpoint Security components.

  3. Supporting Managed Detection and Response

    You must enable the following components for Managed Detection and Response to work:

    Enabling these components is mandatory; otherwise Kaspersky Managed Detection and Response cannot function, because it does not receive the required telemetry data.

    In addition, Kaspersky Managed Detection and Response uses data received from other application components. Enabling those components is optional. Components that provide additional data include:

    For Kaspersky Managed Detection and Response to work with Administration Server via Kaspersky Security Center Web Console, you must also establish a new secure connection, a background connection. Kaspersky Managed Detection and Response prompts you to establish a background connection when you deploy the solution. Make sure the background connection is established. For details about the integration of Kaspersky Security Center with other Kaspersky solutions, refer to the Kaspersky Security Center Help.
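The command-line variants of steps 1 and 2 (switching a computer to Private KSN with the KSN configuration file, then loading the BLOB file) can be scripted on a single endpoint. The following PowerShell script is an added example and is not Kaspersky's own code. It assumes the default installation path of avp.com, the command forms `KSN /private <file>`, `MDRLICENSE /ADD <file>` and `STATUS` as documented in the Kaspersky Endpoint Security command-line reference (verify them against the Help for your version), and placeholder file names inside the MDR configuration ZIP archive; the archive itself is the one obtained from the Kaspersky Managed Detection and Response Console.

```powershell
# Added example, not part of the Kaspersky documentation. Scripts steps 1 and 2
# on one computer: switch to Private KSN, then activate MDR with the BLOB file.
# ASSUMPTIONS: avp.com location, the KSN / MDRLICENSE / STATUS command forms
# and the file names inside the ZIP are placeholders to check for your version.
param(
    [Parameter(Mandatory)] [string] $MdrConfigZip,   # ZIP archive from the MDR Console
    [string] $AvpPath   = 'C:\Program Files (x86)\Kaspersky Lab\KES\avp.com',  # assumed default path
    [string] $KsnConfig = 'ksn.config',   # placeholder: name of the KSN configuration file in the ZIP
    [string] $BlobFile  = 'mdr.blob'      # placeholder: name of the BLOB file in the ZIP
)

$ErrorActionPreference = 'Stop'

# Fail early if the product is not installed where expected.
if (-not (Test-Path $AvpPath)) { throw "avp.com not found at $AvpPath" }

# Unpack the archive into a private temporary folder and locate both files,
# searching recursively because the archive layout is not known in advance.
$workDir = Join-Path $env:TEMP ('mdr-' + [guid]::NewGuid())
Expand-Archive -Path $MdrConfigZip -DestinationPath $workDir

function Find-ConfigFile {
    param([string] $Name)
    $hit = Get-ChildItem -Path $workDir -Recurse -File -Filter $Name | Select-Object -First 1
    if (-not $hit) { throw "expected file '$Name' not found in $MdrConfigZip" }
    return $hit.FullName
}
$ksnPath  = Find-ConfigFile -Name $KsnConfig
$blobPath = Find-ConfigFile -Name $BlobFile

function Invoke-Avp {
    # Runs one avp.com command and stops on a non-zero exit code, so a failed
    # KSN switch is never followed by an MDR activation attempt.
    param([string[]] $Arguments)
    & $AvpPath @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "avp.com $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Step 1: switch the computer from Global KSN to Private KSN.
Invoke-Avp -Arguments @('KSN', '/private', $ksnPath)

# Step 2: load the BLOB file; the application checks its signature and license term.
Invoke-Avp -Arguments @('MDRLICENSE', '/ADD', $blobPath)

# Show the component status so the operator can confirm the result locally
# (the Application components status report in Kaspersky Security Center is
# the authoritative view after the next synchronization).
Invoke-Avp -Arguments @('STATUS')

# Remove the unpacked configuration files; the BLOB carries the client ID and license.
Remove-Item -Recurse -Force $workDir
```

If Password Protection is enabled on the endpoint, avp.com commands additionally require the `/login=<user name> /password=<password>` parameters; pass them through `Invoke-Avp` rather than embedding credentials in the script file. Keep the MDR configuration ZIP archive and its unpacked contents out of shared locations, since the BLOB file identifies your tenant to the service.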

Migration from Kaspersky Endpoint Agent to Kaspersky Endpoint Security for Windows

Kaspersky Endpoint Security version 11 and later supports the MDR solution. Kaspersky Endpoint Security versions 11 – 11.5.0 only send telemetry data to Kaspersky Managed Detection and Response to enable threat detection. Kaspersky Endpoint Security version 11.6.0 has all the functionality of the built-in agent (Kaspersky Endpoint Agent).

If you are using Kaspersky Endpoint Security 11 – 11.5.0, you must update databases to the latest version to work with the MDR solution. You must also install Kaspersky Endpoint Agent.

If you are using Kaspersky Endpoint Security 11.6.0 or later, to work with the MDR solution, you must select the Managed Detection and Response component when installing the application. In this case, you do not need to install Kaspersky Endpoint Agent.

To migrate from Kaspersky Endpoint Agent to Kaspersky Endpoint Security for Windows:

  1. Configure integration with Kaspersky Managed Detection and Response in the Kaspersky Endpoint Security policy.
  2. Disable the Managed Detection and Response component in the Kaspersky Endpoint Agent policy.

If the Kaspersky Endpoint Security policy also applies to computers that do not have Kaspersky Endpoint Security 11 – 11.5.0 installed, you must first create a separate Kaspersky Endpoint Agent policy for those computers. In the new policy, configure integration with Kaspersky Managed Detection and Response.
