Endpoint Detection and Response

Kaspersky Endpoint Security 11.7.0 now has a built-in agent for the Kaspersky Endpoint Detection and Response Optimum solution (hereinafter also "EDR Optimum"). Kaspersky Endpoint Detection and Response Optimum is a solution for protecting the organization's IT infrastructure from advanced cyber threats. The functionality of the solution combines automatic detection of threats with the ability to react to these threats to counteract advanced attacks including new exploits, ransomware, fileless attacks, as well as methods using legitimate system tools. For more information about the solution, refer to the Kaspersky Endpoint Detection and Response Optimum Help.

Kaspersky Endpoint Detection and Response Optimum reviews and analyses threat development and provides security personnel or the Administrator with information about the potential attack that is necessary for a timely response. Kaspersky Endpoint Detection and Response displays alert details in a separate window. Alert Details is a tool for viewing the entirety of collected information about a detected threat and managing response actions. Alert details include, for example, the history of files appearing on the computer. For details about managing alert details, refer to the Kaspersky Endpoint Detection and Response Optimum Help.

The solution uses the following Threat Intelligence tools:

Kaspersky Endpoint Detection and Response Optimum requires Kaspersky Security Center version 13.2. In earlier versions of Kaspersky Security Center, it is impossible to activate the EDR Optimum feature.

The component can be managed only using the Web Console. You cannot manage this component using the Administration Console (MMC).

Integration with Kaspersky Endpoint Detection and Response Optimum

Integration with Kaspersky Endpoint Detection and Response Optimum involves the following steps:

  1. Installing the Kaspersky Endpoint Detection and Response Optimum component

    You can select the Endpoint Detection and Response Optimum component during installation or upgrade, as well as using the Change application components task.

    Following the Change application components task execution, the status of the task is displayed incorrectly. Instead of Completed successfully, the task has the Scheduled status. However, the task can still be completed successfully. Make sure that the new component is installed in the computer properties of the Kaspersky Security Center console (Applications → Kaspersky Endpoint Security for Windows → Components) or in the local application interface.

  2. Activating Kaspersky Endpoint Detection and Response Optimum

    You can acquire a license to use Kaspersky Endpoint Detection and Response Optimum in the following ways:

    • The EDR Optimum feature is included in the license for use of Kaspersky Endpoint Security for Windows.

      The feature will be available immediately after activation of Kaspersky Endpoint Security for Windows.

    • License extension for use of EDR Optimum.

      The feature will be available after you add a separate key for Kaspersky Endpoint Detection and Response. As a result, two keys will be installed on the computer: a key for Kaspersky Endpoint Security and a key for Kaspersky Endpoint Detection and Response Optimum.

      Licensing for the individual EDR Optimum feature does not differ from licensing for Kaspersky Endpoint Security.

    Make sure that the EDR Optimum feature is included in the license and is running in the local interface of the application.

  3. Enabling the Endpoint Detection and Response Optimum component

    You can enable or disable the component in Kaspersky Endpoint Security for Windows policy settings.

    To use the component, the following conditions must be met:


    • The Kaspersky Endpoint Detection and Response Optimum component is enabled. Check the operating status of the component by viewing the Application components status report. You can also view the operating status of a component in reports in the local interface of Kaspersky Endpoint Security.

    • The Endpoint Detection and Response Optimum component is added to the list of Kaspersky Endpoint Security components.

  4. Enabling data transfer to Administration Server

    To enable all the EDR Optimum features, transfer of the following types of data to the Administration Server must be enabled:

    • Quarantine file data.

      The data are required to obtain information about files quarantined on a computer through Web Console. For example, you can download a file from quarantine for analysis in Web Console.

    • Threat development chain data.

      The data are required to obtain information about threats detected on a computer in Web Console. You can view alert details and take response actions in Web Console.


Migration from Kaspersky Endpoint Agent to Kaspersky Endpoint Security for Windows

If you are using Kaspersky Endpoint Security 11.7.0 or newer with the EDR Optimum component (built-in agent) installed, you do not need to do anything for the Kaspersky Endpoint Detection and Response Optimum solution to work. The EDR Optimum component is not compatible with Kaspersky Endpoint Agent. If Kaspersky Endpoint Agent is installed on the computer, when Kaspersky Endpoint Security is updated to version 11.7.0, Kaspersky Endpoint Detection and Response Optimum continues working with Kaspersky Endpoint Security. In addition, Kaspersky Endpoint Agent will be removed from the computer. To complete migration from Kaspersky Endpoint Agent to Kaspersky Endpoint Security for Windows, you need to transfer policy and task settings using the Migration Wizard.

If you are using Kaspersky Endpoint Security 11.4.0–11.6.0 for interoperability with Kaspersky Endpoint Detection and Response Optimum, the application includes Kaspersky Endpoint Agent. You can install Kaspersky Endpoint Agent side-by-side with Kaspersky Endpoint Security.

The EDR Optimum component as part of Kaspersky Endpoint Security supports interaction with the Kaspersky Endpoint Detection and Response Optimum 2.0 solution. Interaction with Kaspersky Endpoint Detection and Response Optimum version 1.0 is not supported.
