Kaspersky Endpoint Detection and Response Optimum Integration

Kaspersky Endpoint Detection and Response Optimum is a solution for protecting an organization's IT infrastructure from threats such as exploits, ransomware, fileless attacks, and legitimate system tools used by attackers to compromise devices or data.

Kaspersky Endpoint Detection and Response Optimum monitors and analyzes the evolution of threats, and provides information about a potential attack to a security officer or administrator, helping them perform response actions in a timely manner.

Kaspersky Endpoint Detection and Response Optimum uses the following Threat Intelligence tools:

• The Kaspersky Security Network (hereinafter also referred to as KSN) cloud service infrastructure that provides access to Kaspersky file, website, and software reputation online knowledge base.
• Integration with the Kaspersky Threat Intelligence Portal, which contains and displays information about the reputation of files and websites.
• The Kaspersky Threats database.

Kaspersky Endpoint Security 12.3 for Linux is compatible with Kaspersky Endpoint Detection and Response Optimum version 3.1.

When interacting with Kaspersky Endpoint Detection and Response Optimum, Kaspersky Endpoint Security can:

• Send data about events on devices to Kaspersky Security Center. Kaspersky Endpoint Security sends monitoring data on processes, open network connections, and modified files to Kaspersky Security Center, as well as data on threats detected by the application and data on the processing results for these threats.
• Perform response actions to ensure security when receiving commands from Kaspersky Security Center.

Integration of Kaspersky Endpoint Security with the Kaspersky Endpoint Detection and Response Optimum solution is facilitated by a Kaspersky Endpoint Security component: Endpoint Detection and Response Optimum (EDR Optimum).

To use Kaspersky Endpoint Detection and Response Optimum functionality, you need to activate the EDR Optimum component. If the main license under which you are using Kaspersky Endpoint Security does not include the Kaspersky Endpoint Detection and Response Optimum functionality, you need to purchase a separate license for this functionality and add the EDR Optimum license key to the application.

If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, activation is performed on the Protection Server (a component of Kaspersky Hybrid Cloud Security for Virtualization Light Agent) by adding license keys to SVMs.

Integration with Kaspersky Endpoint Detection and Response Optimum involves the following steps:

1. Enabling required components of Kaspersky Endpoint Security

   Make sure that the following components of Kaspersky Endpoint Security are enabled and working:

   • File Threat Protection.
   • Web Threat Protection.
   • Behavior Detection.

   You can also enable execution prevention for objects.

2. Enabling threat analysis tools

   Make sure that Kaspersky Security Network is enabled in standard or extended mode.

   For the most effective operation of Kaspersky Endpoint Detection and Response Optimum, we recommend the extended Kaspersky Security Network mode.

3. Activating the EDR Optimum component

   Make sure one of the following conditions is satisfied:

   • You are using Kaspersky Endpoint Security under a license that includes the Kaspersky Endpoint Detection and Response Optimum functionality.
   • You have purchased a separate license for using the Kaspersky Endpoint Detection and Response Optimum functionality and added the EDR Optimum license key to the application.

     If you are using Kaspersky Endpoint Security in Light Agent mode to protect virtual environments, you need to add the license key for activating the additional functionality to SVMs.

4. Installing the Kaspersky Endpoint Detection and Response Optimum administration plug-in

   The Kaspersky Endpoint Detection and Response Optimum administration plug-in is a unified plug-in for managing agents on Windows, Mac, and Linux operating systems; the plug-in is necessary to display and view alert details.

5. Enabling the EDR Optimum component

   By default, EDR Optimum is disabled. You can enable or disable the component and manage integration settings:

   • Using the Web Console.
   • Using the command line.

     Managing the EDR Optimum component using Kaspersky Security Center Administration Console is not supported.

   You can check the status of the EDR Optimum component:

   • Using the Application component status report in the Web Console.

     The Endpoint Detection and Response Optimum component has been added to the list of Kaspersky Endpoint Security components. For detailed information about reports, please refer to the Kaspersky Security Center Help.

   • In the device properties in the Web Console.
   • Using the command line.
6. Enabling data transfer to the Administration Server

   To use all functionality of Kaspersky Endpoint Detection and Response Optimum, you must configure the following:

   • Enable sending information about files in Backup and Quarantine to the Kaspersky Security Center storage. To do this, you need to select the following check boxes in the policy properties:
     • About files in Backup
     • About files in Quarantine
   • Allow display of alert list To do this, you can enable the Show EDR alerts toggle switch in the main window of Kaspersky Security Center Web Console under Settings → Interface settings.

     The Show EDR alerts setting not available in a Web Console version earlier than 15.1.

In this section Enabling or disabling Kaspersky Endpoint Detection and Response Optimum integration Viewing the Kaspersky Endpoint Detection and Response Optimum integration status Viewing information about a detected threat and response actions

Page top