Kaspersky Endpoint Detection and Response Optimum Integration

Kaspersky Endpoint Detection and Response Optimum is a solution for protecting an organization's IT infrastructure from threats such as exploits, ransomware, fileless attacks, and legitimate system tools used by attackers to compromise devices or data.

Kaspersky Endpoint Detection and Response Optimum monitors and analyzes the evolution of threats, and provides information about a potential attack to a security officer or administrator, helping them perform response actions in a timely manner.

Integration of Kaspersky Industrial CyberSecurity for Linux Nodes with the Kaspersky Endpoint Detection and Response Optimum solution is provided by a Kaspersky Industrial CyberSecurity for Linux Nodes component, Endpoint Detection and Response Optimum (hereinafter also referred to as EDR Optimum).

Kaspersky Industrial CyberSecurity for Linux Nodes 1.5 is compatible with Kaspersky Endpoint Detection and Response Optimum version 3.0.

Versions of Kaspersky Industrial CyberSecurity for Linux Nodes earlier than 1.5 do not include the EDR Optimum component.

Kaspersky Endpoint Detection and Response Optimum uses the following Threat Intelligence tools:

• The Kaspersky Security Network (hereinafter also referred to as KSN) cloud service infrastructure that provides access to Kaspersky file, website, and software reputation online knowledge base.
• Integration with the Kaspersky Threat Intelligence Portal, which contains and displays information about the reputation of files and websites.
• The Kaspersky Threats database.

When interacting with Kaspersky Endpoint Detection and Response Optimum, Kaspersky Industrial CyberSecurity for Linux Nodes can perform the following functions:

• Send data about events on devices to Kaspersky Security Center. Kaspersky Industrial CyberSecurity for Linux Nodes sends to the Kaspersky Security Center monitoring data on processes, open network connections, and modified files, as well as data on threats detected by the application and data on the results of processing these threats.
• Perform response actions to ensure security when receiving commands from Kaspersky Security Center.

Integration with Kaspersky Endpoint Detection and Response Optimum involves the following steps:

1. Enabling the required components of Kaspersky Industrial CyberSecurity for Linux Nodes

   Make sure that the following components of Kaspersky Industrial CyberSecurity for Linux Nodes are enabled and running:

   • File Threat Protection.
   • Web Threat Protection.
   • Behavior Detection.
2. Enabling threat analysis tools

   Make sure that Kaspersky Security Network is enabled in standard or extended mode.

   For the most effective operation of Kaspersky Endpoint Detection and Response Optimum, we recommend the extended Kaspersky Security Network mode.

3. Activating the EDR Optimum component

   Make sure one of the following conditions is satisfied:

   • You are using Kaspersky Industrial CyberSecurity for Linux Nodes under a license that includes the Kaspersky Endpoint Detection and Response Optimum functionality.
   • You have purchased a separate license for using the Kaspersky Endpoint Detection and Response Optimum functionality and also added the EDR Optimum license key to the application.
4. Installing the Kaspersky Endpoint Detection and Response Optimum administration plug-in

   The Kaspersky Endpoint Detection and Response Optimum management plug-in is a unified plug-in for managing agents on Windows, Mac, and Linux operating systems; the plug-in is necessary to display and view alert details.

5. Enabling the Kaspersky Endpoint Detection and Response Optimum Integration

   By default, the integration of Kaspersky Endpoint Detection and Response Optimum with Kaspersky Endpoint Detection and Response Optimum is disabled: You can enable, disable, or configure the integration:

   • Using the Web Console.
   • Using the command line.

     Managing the EDR Optimum component using Kaspersky Security Center Administration Console is not supported.

   You can check the status of the EDR Optimum component:

   • Using the Application component status report in the Web Console.

     The Endpoint Detection and Response Optimum component has been added to the list of Kaspersky Industrial CyberSecurity for Linux Nodes components. For detailed information about reports, please refer to the Kaspersky Security Center Help.

   • In the device properties in the Web Console.
   • Using the command line.
6. Enabling data transfer to the Administration Server

   To use all functionality of Kaspersky Endpoint Detection and Response Optimum, you must enable the following settings:

   • Notification about files in Backup is enabled/disabled.

     You can enable this setting in the policy properties under Application settings → General settings → Storage settings.

     By enabling this setting, you allow information about files that Kaspersky Industrial CyberSecurity for Linux Nodes has moved to Backup on the device to be sent to Kaspersky Security Center.

   • Show EDR alerts.

     You can enable this setting in the main window of Kaspersky Security Center Web Console under Settings → Interface settings.

     By enabling this setting, you allow the list of alerts to be displayed.

     The Show EDR alerts setting not available in a Web Console version earlier than 15.1.

In this section About response actions for commands Enabling or disabling Kaspersky Endpoint Detection and Response Optimum integration Viewing the Kaspersky Endpoint Detection and Response Optimum integration status Viewing information about a detected threat and response actions Searching for indicators of compromise Requirements for IOC files Enabling or disabling device network isolation Configuring network isolation exclusions Start process Terminate process Receive file from device Delete file from device

Page top