Kaspersky Endpoint Security for Windows supports integration with the Kaspersky Endpoint Detection and Response Expert (on-premise) solution. Kaspersky Endpoint Detection and Response Expert (on-premise) is an enterprise cybersecurity solution that includes Kaspersky applications that allow an organization to defend against most types of cyber risks and cover the most important threat propagation scenarios. EDR Expert (on-premise) components are deployed on the Open Single Management Platform (OSMP). This platform runs cross-platform scenarios in a single interface and allows integrating Kaspersky applications and third-party applications into a comprehensive security system. One of the central elements of the solution is SIEM, which tracks events coming from all components and correlates them with each other using vendor-defined and user-defined rules. EDR Expert (on-premise) analyzes logs and telemetry received from the corporate infrastructure to automatically detect attacks, and allows investigating incidents using a unified investigation graph that combines all events collected in EDR Expert (on-premise), including events from Kaspersky applications and third-party information security products. To respond to advanced incidents, EDR Expert (on-premise) uses preset and user-defined scenarios. You can also use response actions from third-party applications and response scenarios that involve multiple applications.
Threat Intelligence tools
Kaspersky Endpoint Detection and Response uses the following Threat Intelligence tools:
Principle of operation of the solution
Kaspersky Endpoint Security is installed on individual computers in the corporate IT infrastructure and continuously monitors processes, open network connections, and files being modified. Information about events on the computer (telemetry) is sent to the EDR Expert (on-premise) server. Kaspersky Endpoint Security also sends information about threats detected by the application, as well as the results of processing these threats, to the telemetry collection servers.
The EDR Expert (on-premise) integration is configured in the Kaspersky Security Center console. The built-in agent is then managed using the Open Single Management Platform (OSMP), including running tasks, managing quarantined objects, viewing reports, and other actions.
Kaspersky Endpoint Security configurations for working with EDR Expert (on-premise)
The following configurations can be used for working with EDR Expert (on-premise):