Integration with Kaspersky Anti Targeted Attack Platform

Kaspersky Endpoint Security is compatible with the Kaspersky Anti Targeted Attack Platform solution, which is designed to protect the IT infrastructure of organizations and promptly detect threats, such as zero-day attacks, targeted attacks, and advanced persistent threats (APT). To read more, check out the Kaspersky Anti Targeted Attack Platform Help.

The Kaspersky Endpoint Security application can integrate with the following components on the Kaspersky Anti Targeted Attack Platform:

• Kaspersky Endpoint Detection and Response (KATA). The component protects devices in the local network of an organization. When integrated with Kaspersky Endpoint Detection and Response (KATA), Kaspersky Endpoint Security can:
  • Send information about events on devices (telemetry) to the Central Node server that provides interaction with Kaspersky Endpoint Detection and Response (KATA) (hereinafter also referred to as the KATA server). Kaspersky Endpoint Security sends monitoring data on processes, open network connections, and modified files to the Central Node server on the Kaspersky Anti Targeted Attack Platform, as well as data on threats detected by the application and data on the results of processing these threats.
  • Execute threat response actions to ensure security when receiving commands from Kaspersky Anti Targeted Attack Platform.

  Integration with Kaspersky Endpoint Detection and Response (KATA) 7.1 and earlier is supported.

• Kaspersky Network Detection and Response (KATA). The component protects the internal network of an organization. When integrated with Kaspersky Network Detection and Response (KATA), Kaspersky Endpoint Security can send information about events on devices (telemetry) to the Central Node server that provides interaction with Kaspersky Network Detection and Response (KATA) (hereinafter also referred to as the NDR server).
• Sandbox. The Sandbox technology makes it possible to analyze and scan objects on special servers with deployed virtual images of operating systems to detect malicious activity and indicators of targeted attacks on the corporate IT infrastructure. When integrating the Kaspersky Endpoint Security application with Sandbox on the Kaspersky Anti Targeted Attack Platform, the application sends files for scanning to a Central Node server, which handles the interaction with Sandbox.

Integration with components on the Kaspersky Anti Targeted Attack Platform is provided by the following components of the Kaspersky Endpoint Security application:

• The Endpoint Detection and Response Expert (on-premise) component (hereinafter also referred to as EDR Expert (on-premise)).

  Starting with Kaspersky Endpoint Security 12.4 for Linux, the Endpoint Detection and Response (KATA) component has been renamed to Endpoint Detection and Response Expert (on-premise). Now this component provides integration not only with Kaspersky Endpoint Detection and Response (KATA), a component of the Kaspersky Anti Targeted Attack Platform, but also with the Kaspersky Endpoint Detection and Response Expert (on-premise) solution.

• The Network Detection and Response (KATA) component (hereinafter also NDR (KATA)).
• The Sandbox component.

You can configure the integration of the Kaspersky Endpoint Security application with all components of the Kaspersky Anti Targeted Attack Platform solution, as well as with each component individually.

While integrated with Kaspersky Anti Targeted Attack Platform, devices running Kaspersky Endpoint Security establish encrypted HTTPS connections with Central Node servers that provide the integration. To ensure a secure connection, the following certificates issued by Central Node servers are used:

• Server certificate. The connection is encrypted using the server's TLS certificate. You can elevate the security of the connection by verifying the server certificate on the Kaspersky Endpoint Security side. To do this, you need to add the server certificate before enabling integration with the Kaspersky Anti Targeted Attack Platform solution.
• Client certificate. This certificate is used for additional connection protection using two-way authentication (the Central Node server authenticates devices with the Kaspersky Endpoint Security application). The same client certificate can be used by multiple devices. By default, the server does not check client certificates, but two-way authentication can be enabled on the Kaspersky Anti Targeted Attack Platform side. In this case, you need to enable two-way authentication in the settings of the EDR Expert (on-premise), NDR (KATA), or Sandbox component and add the client certificate (cryptocontainer with certificate and private key).

The certificates for securing the connections to servers that handle the interaction with components of the Kaspersky Anti Targeted Attack Platform solution must be provided by the Kaspersky Anti Targeted Attack Platform administrator.

If the general settings of Kaspersky Endpoint Security stipulate that a proxy server must be used, the connection to servers that handle the interaction with Kaspersky Anti Targeted Attack Platform components is made through a proxy server.

To use Kaspersky Endpoint Detection and Response (KATA) functionality, you need to activate the EDR Expert (on-premise) component. If the main license under which you are using Kaspersky Endpoint Security does not include the Kaspersky Endpoint Detection and Response Expert (on-premise) functionality, you need to purchase a separate license for this functionality and add the EDR Expert (on-premise) license key to the application.

If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, activation is performed on the Protection Server (a component of Kaspersky Hybrid Cloud Security for Virtualization Light Agent) by adding license keys to SVMs.

Setting up the integration with Kaspersky Endpoint Detection and Response (KATA) and Kaspersky Network Detection and Response (KATA) components involves the following steps:

1. Enabling required components of Kaspersky Endpoint Security

   The EDR Expert (on-premise) and NDR (KATA) components can use data from the following components:

   • File Threat Protection.
   • Network Threat Protection.
   • Web Threat Protection.
   • Anti-Cryptor.
   • Application Control.
   • Device Control.
   • System Integrity Monitoring.

   For proper Integration of the Kaspersky Endpoint Security application with Kaspersky Anti Targeted Attack Platform, the Behavior Detection component must be enabled. If Behavior Detection is disabled, necessary telemetry is not transmitted (except for synchronization requests and threat detection data from other protection components).

   If Behavior Detection uses the eBPF mechanism to get system telemetry (available on 64-bit operating systems with kernel version 4.18 or later with eBPF support), the telemetry data is more comprehensive.

2. Activating the EDR Expert (on-premise) component

   To integrate with Kaspersky Endpoint Detection and Response (KATA), you need to activate the EDR Expert (on-premise) component. Make sure one of the following conditions is satisfied:

   • You are using Kaspersky Endpoint Security under a license that includes the Kaspersky Endpoint Detection and Response Expert (on-premise) functionality.
   • You have purchased a separate license for using the Kaspersky Endpoint Detection and Response Expert (on-premise) functionality and added the EDR Expert (on-premise) license key to the application.

     If you are using Kaspersky Endpoint Security in Light Agent mode to protect virtual environments, you need to add the license key for activating the additional functionality to SVMs.

   You do not need to activate the NDR (KATA) component because the main licenses of Kaspersky Endpoint Security already cover the Kaspersky Network Detection and Response (KATA) integration functionality.

3. Enabling the EDR Expert (on-premise) component

   By default, the Kaspersky Endpoint Detection and Response (KATA) Integration is disabled. To enable the integration, you need to enable and configure the EDR Expert (on-premise) component:

   • Using Kaspersky Security Center Web Console.
   • Using Kaspersky Security Center Administration Console.
   • Using the command line.

   If you are using the Web Console or the command line, to integrate with Kaspersky Endpoint Detection and Response (KATA), you need to select the EDR (KATA) integration mode in the settings of the EDR Expert (on-premise) component. If you are using the Web Console, select Endpoint Detection and Response Expert (version 7.1 or earlier) in the policy settings. If you are using the command line, set Mode=EDRKATA in the task settings.

   If you want to use Execution prevention for objects, you can enable the rules for execution prevention of objects of the EDR Expert (on-premise) component.

4. Enabling the NDR (KATA) component

   By default, the Kaspersky Network Detection and Response (KATA) Integration is disabled. To enable the integration, you need to enable and configure the NDR (KATA) component:

   • Using Kaspersky Security Center Web Console.
   • Using Kaspersky Security Center Administration Console.
   • Using the command line.

You can check the status of the EDR Expert (on-premise) and NDR (KATA) components:

• Using the Application component status report in the Web Console.

  For detailed information about reports, please refer to the Kaspersky Security Center Help.

• In the device properties in the Web Console (Assets (Devices) → Managed devices → <device name> link → Applications → <name of the Kaspersky Endpoint Security application> link → General → Components).
• On the command line by running the following command: kesl-control --app-info.

In this section Configuring the Kaspersky Endpoint Detection and Response (KATA) integration in the Web Console Configuring the Kaspersky Endpoint Detection and Response (KATA) integration in the Administration Console Configuring the Kaspersky Endpoint Detection and Response (KATA) integration on the command line Configuring the Kaspersky Network Detection and Response (KATA) integration in the Web Console Configuring the Kaspersky Network Detection and Response (KATA) integration in the Administration Console Configuring the Kaspersky Network Detection and Response (KATA) integration on the command line

Page top