Configuring operation with EPP applications

Kaspersky Industrial CyberSecurity for Networks can receive and process data received from Kaspersky applications that perform functions to protect workstations and servers. These applications are included in the Endpoint Protection Platform (EPP) and are installed to endpoint devices within the enterprise IT infrastructure.

Data transfer from EPP applications is performed by the Endpoint Agent software components. Depending on the EPP application being used, the following software can perform the Endpoint Agent functions:

• Kaspersky Endpoint Agent application. This application is installed on workstations and servers in the enterprise IT infrastructure as a supplement to the used EPP application that supports Kaspersky Endpoint Agent (for example, Kaspersky Industrial CyberSecurity for Nodes).
• Application modules embedded into the EPP application. Application modules that perform the Endpoint Agent's functions are built into Kaspersky Industrial CyberSecurity for Linux Nodes of the versions that support Kaspersky Industrial CyberSecurity for Networks operation in the integration mode.

Using the data received from EPP applications, Kaspersky Industrial CyberSecurity for Networks allows you to perform various actions on devices with Endpoint Agent.

To connect to Kaspersky Endpoint Agent on devices running obsolete operating systems, such as Windows 7, Kaspersky Industrial CyberSecurity for Networks may rely on outdated and potentially vulnerable encryption protocols and algorithms. If there are no devices running obsolete operating systems on your network, or there is no need to connect to such devices, we recommend disabling obsolete and potentially vulnerable protocols and encryption algorithms in Kaspersky Industrial CyberSecurity for Networks. For more information, you can contact Technical Support.

The maximum number of computers from which data from EPP applications can be received and processed is 1,000.

Data from computers with the Endpoint Agent software components is forwarded to Kaspersky Industrial CyberSecurity for Networks through integration servers. Integration server functions can be performed by any node that has a Kaspersky Industrial CyberSecurity for Networks component installed (Server or sensor). For integration with Endpoint Agent, add integration servers to the nodes that receive data from computers with Endpoint Agent.

On a Kaspersky Industrial CyberSecurity for Networks node, integration server functions are implemented by the service named kics4net-epp-proxy that facilitates integration with EPP applications. The installation package for this service is included in the distribution kit of Kaspersky Industrial CyberSecurity for Networks.

When an integration server receives data from Endpoint Agent, the application may do the following:

• Register events based on EPP technology (workstation and server protection events).
• Populate the device table with devices hosting installed EPP applications (and devices that have had bidirectional interactions with such devices).
• Update the device table with information about devices hosting installed EPP applications (for example, the operating system version, information on the model or developer).
• Display special icons on the nodes of the network interactions map and the nodes of topology map, that indicate the presence and the connection status of EPP applications.
• Display on the map of network interactions the connections where one of the interaction parties is a device with an installed EPP application (in this case, data received from monitoring points traffic has priority when displaying information about such connections).
• Monitor the device equipment.
• Log network sessions.

Using Endpoint Agent software components, you can perform the following actions when working with Kaspersky Industrial CyberSecurity for Networks:

• Scan devices as a part of vulnerability and compliance audit jobs and configuration control jobs.
• Trigger response actions when logging events using the EPP technology, if threat development chains are built for these events in Endpoint Agent.

Computers hosting Endpoint Agent establish secure connections with integration servers over the HTTPS protocol. Connections are secured by using certificates issued by the Kaspersky Industrial CyberSecurity for Networks Server. The following certificates can be used in connections:

• Integration server certificate. This certificate is verified by the computer with Endpoint Agent each time a connection is established. A connection is not established until certificate verification is successfully completed.
• Client certificate. This certificate is used to authenticate integration server clients that are computers with Endpoint Agent. The same client certificate can be used by multiple computers with Endpoint Agent. By default, an integration server does not verify certificates of clients, but you can enable client certificate verification to reinforce the security of connections.

Kaspersky Security Center is used to deliver certificates and public keys to computers with Endpoint Agent. This data is uploaded to Kaspersky Security Center using a communication data package, which needs to be created in Kaspersky Industrial CyberSecurity for Networks after an integration server is added.

Only users with the Administrator role can configure receipt of data from EPP applications.

In this section: Scenario for preparing to receive data from EPP applications Adding an integration server Creating a communication data package for integration server clients Integration servers table Enabling and disabling an integration server Editing integration server settings Removing an integration server

Page top