Kaspersky Industrial CyberSecurity Endpoint Detection and Response Integration

Kaspersky Industrial CyberSecurity Endpoint Detection and Response is a solution for protecting an organization's IT infrastructure from threats such as exploits, ransomware, fileless attacks, and legitimate system tools used by attackers to compromise devices or data.

Integration of Kaspersky Industrial CyberSecurity for Linux Nodes with the Kaspersky Industrial CyberSecurity Endpoint Detection and Response solution is provided by a Kaspersky Industrial CyberSecurity for Linux Nodes component, Kaspersky Industrial CyberSecurity Endpoint Detection and Response (hereinafter also referred to as ICS EDR).

Kaspersky Industrial CyberSecurity Endpoint Detection and Response monitors and analyzes the evolution of threats, and provides information about a potential attack to a security officer or administrator, helping them perform response actions in a timely manner.

Kaspersky Industrial CyberSecurity Endpoint Detection and Response uses the following Threat Intelligence tools:

• The Kaspersky Security Network (hereinafter also referred to as KSN) cloud service infrastructure that provides access to Kaspersky file, website, and software reputation online knowledge base.
• Integration with the Kaspersky Threat Intelligence Portal, which contains and displays information about the reputation of files and websites.
• The Kaspersky Threats database.

Kaspersky Industrial CyberSecurity for Linux Nodes 2.0 is compatible with Kaspersky Industrial CyberSecurity Endpoint Detection and Response version 3.0.

Versions of Kaspersky Industrial CyberSecurity for Linux Nodes earlier than 2.0 do not include the ICS EDR component.

When interacting with Kaspersky Industrial CyberSecurity Endpoint Detection and Response, Kaspersky Industrial CyberSecurity for Linux Nodes can perform the following functions:

• Send data about events on devices to Kaspersky Security Center. Kaspersky Industrial CyberSecurity for Linux Nodes sends to the Kaspersky Security Center monitoring data on processes, open network connections, and modified files, as well as data on threats detected by the application and data on the results of processing these threats.
• Perform response actions to ensure security when receiving commands from Kaspersky Security Center.

Integration with Kaspersky Industrial CyberSecurity Endpoint Detection and Response involves the following steps:

1. Enabling the required components of Kaspersky Industrial CyberSecurity for Linux Nodes

   Make sure that the following components of Kaspersky Industrial CyberSecurity for Linux Nodes are enabled and running:

   • File Threat Protection.
   • Web Threat Protection.
   • Behavior Detection.

   You can also enable execution prevention for objects.

2. Enabling threat analysis tools

   Make sure that Kaspersky Security Network is enabled in standard or extended mode.

   For the most effective operation of Kaspersky Industrial CyberSecurity Endpoint Detection and Response, we recommend the extended Kaspersky Security Network mode.

3. ICS EDR component activation

   Make sure one of the following conditions is satisfied:

   • You are using Kaspersky Industrial CyberSecurity for Linux Nodes under a license that includes the Kaspersky Industrial CyberSecurity Endpoint Detection and Response functionality.
   • You have purchased a separate license for using the Kaspersky Industrial CyberSecurity Endpoint Detection and Response functionality and also added the ICS EDR license key to the application.
4. Installing the Kaspersky Industrial CyberSecurity Endpoint Detection and Response administration plug-in

   The Kaspersky Industrial CyberSecurity Endpoint Detection and Response administration plug-in is a unified plug-in for managing agents on Windows, Mac, and Linux operating systems; the plug-in is necessary to display and view alert details.

5. Enabling the Kaspersky Industrial CyberSecurity Endpoint Detection and Response Integration.

   By default, the integration of Kaspersky Industrial CyberSecurity for Linux Nodes with Kaspersky Industrial CyberSecurity Endpoint Detection and Response is disabled. You can enable, disable, or configure the integration:

   • Using the Web Console.
   • Using the command line.

     Managing the ICS EDR component using Kaspersky Security Center Administration Console is not supported.

   You can check the status of the ICS EDR component:

   • Using the Application component status report in the Web Console.

     The Industrial CyberSecurity Endpoint Detection and Response component has been added to the list of Kaspersky Industrial CyberSecurity for Linux Nodes components. For detailed information about reports, please refer to the Kaspersky Security Center Help.

   • In the device properties in the Web Console.
   • Using the command line.
6. Enabling data transfer to the Administration Server

   To use all functionality of Kaspersky Industrial CyberSecurity Endpoint Detection and Response, you must configure the following:

   • Enable sending information about files in Backup and Quarantine to the Kaspersky Security Center storage. To do this, you need to select the following check boxes in the policy properties:
     • About files in Backup
     • About files in Quarantine
   • Allow display of alert list To do this, you can enable the Show EDR alerts toggle switch in the main window of Kaspersky Security Center Web Console under Settings → Interface settings.

     The Show EDR alerts setting not available in a Web Console version earlier than 15.1.

See also: Response actions for commands from Detection and Response solutions

In this section Enabling or disabling Kaspersky Industrial CyberSecurity Endpoint Detection and Response integration Viewing the Kaspersky Industrial CyberSecurity Endpoint Detection and Response integration status Viewing information about a detected threat and response actions

Page top