Integration with Kaspersky Anti Targeted Attack Platform
Kaspersky Endpoint Security is compatible with the Kaspersky Anti Targeted Attack Platform solution, which is designed to protect the IT infrastructure of organizations and promptly detect threats, such as zero-day attacks, targeted attacks, and advanced persistent threats (APT). To read more, check out the Kaspersky Anti Targeted Attack Platform Help.
The Kaspersky Endpoint Security application can integrate with the following components of the Kaspersky Anti Targeted Attack Platform solution:
- Kaspersky Endpoint Detection and Response (KATA) protects devices on the corporate LAN. When integrated with Kaspersky Endpoint Detection and Response (KATA), Kaspersky Endpoint Security can:
  - Send information about events on devices (telemetry) to the Central Node server that provides interaction with Kaspersky Endpoint Detection and Response (KATA) (hereinafter also referred to as the KATA server). Kaspersky Endpoint Security sends monitoring data on processes, open network connections, and modified files to the KATA server, as well as data on threats detected by the application and data on the results of processing these threats.
  - Execute response actions to ensure security when receiving commands from Kaspersky Anti Targeted Attack Platform.
- Kaspersky Network Detection and Response (KATA) protects the corporate LAN. When integrated with Kaspersky Network Detection and Response (KATA), Kaspersky Endpoint Security can send information about events on devices (telemetry) to the server that provides interaction with Kaspersky Network Detection and Response (KATA) (hereinafter also referred to as the NDR server).
- KATA Sandbox analyzes and scans objects to detect malicious activity and indicators of targeted attacks on the corporate IT infrastructure using special servers with deployed virtual images of operating systems. When integrated with KATA Sandbox, Kaspersky Endpoint Security can send files for scanning to the Central Node server that provides interaction with KATA Sandbox (hereinafter also referred to as the Sandbox server).
Integration with these components of the Kaspersky Endpoint Detection and Response (KATA) solution is provided by the following components of the Kaspersky Endpoint Security application:
- The Endpoint Detection and Response (KATA) component (hereinafter also EDR (KATA)).
- The Network Detection and Response (KATA) component (hereinafter also NDR (KATA)).
- The Sandbox component.
You can configure the integration of the Kaspersky Endpoint Security application with all components of the Kaspersky Anti Targeted Attack Platform solution, as well as with each component individually.
To integrate with Kaspersky Anti Targeted Attack Platform components, you need to activate the Kaspersky Anti Targeted Attack Platform solution (see the solution help for more details). There is no need to activate the Kaspersky Endpoint Security components that provide integration. The main licenses for Kaspersky Endpoint Security include this functionality.
For proper integration of the Kaspersky Endpoint Security application with Kaspersky Anti Targeted Attack Platform, the Behavior Detection component must be enabled. If Behavior Detection is disabled, necessary telemetry is not transmitted (except for synchronization requests and threat detection data from other protection components).
If Behavior Detection uses the eBPF mechanism to get system telemetry (available on 64-bit operating systems with kernel version 5.3 and later with eBPF support), the telemetry data is more comprehensive.
The EDR (KATA) and NDR (KATA) components can use data from the following components:
While integrated with the Kaspersky Anti Targeted Attack Platform solution, devices running Kaspersky Endpoint Security establish encrypted connections to the KATA/NDR/Sandbox server using the HTTPS protocol. To ensure the security of the connection, the following certificates issued by the KATA/NDR/Sandbox server are used:
- KATA/NDR/Sandbox server certificate. The connection is encrypted using the server's TLS certificate. You can elevate the security of the connection by verifying the server certificate on the Kaspersky Endpoint Security side. To do this, you need to add the KATA/NDR/Sandbox server certificate before enabling integration with the Kaspersky Anti Targeted Attack Platform solution.
- Client certificate. This certificate is used for additional connection protection using two-way authentication (i.e. the KATA/NDR/Sandbox server checks devices with the Kaspersky Endpoint Security application). The same client certificate can be used by multiple devices. By default, the KATA/NDR/Sandbox server does not check client certificates, but two-way authentication can be enabled on the Kaspersky Anti Targeted Attack Platform side. In this case, you need to enable two-way authentication in the Kaspersky Endpoint Detection and Response (KATA), Kaspersky Network Detection and Response (KATA), or KATA Sandbox integration settings and add the client certificate (cryptocontainer with certificate and private key).
Certificates for securing the connection to the KATA/NDR/Sandbox server are provided by the Kaspersky Anti Targeted Attack Platform administrator.
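The certificates described above can be checked on the device before they are added to the integration settings. The following shell functions are an added example, not part of the Kaspersky documentation or tooling; they assume the server certificate is a PEM file, the client cryptocontainer is a PKCS#12 file, and its password is exported in the environment variable P12_PASS (all file, function and variable names are illustrative).

```shell
#!/bin/sh
# Added example: pre-flight checks with the openssl CLI. File names, function
# names and the P12_PASS variable are assumptions, not Kaspersky settings.

# SHA-256 fingerprint of a PEM certificate, for comparison with the value
# the KATA administrator reports out of band.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds if the PEM certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeeds only if container $1 holds a certificate AND its private key.
# The password comes from $P12_PASS so it stays out of the process list.
p12_has_matching_key() (
    cert_pub=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || exit 1
    key_pub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || exit 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# Constructed sample material in directory $1: a 30-day self-signed
# certificate, a complete container, and a container without the key.
make_samples() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout sample.key -out sample.crt \
        -days 30 -subj "/CN=constructed-sample" 2>/dev/null || exit 1
    openssl pkcs12 -export -inkey sample.key -in sample.crt -out client.p12 \
        -passout env:P12_PASS || exit 1
    openssl pkcs12 -export -nokeys -in sample.crt -out certonly.p12 \
        -passout env:P12_PASS
)

# Usage: P12_PASS=... sh preflight.sh server.crt client.p12
if [ "$#" -eq 2 ]; then
    echo "Server certificate SHA-256: $(cert_fingerprint "$1")"
    cert_valid_for_days "$1" 30 || echo "WARNING: server certificate expires within 30 days"
    p12_has_matching_key "$2" || echo "ERROR: container lacks a matching certificate and private key"
fi
```

A container that fails the last check cannot be used for two-way authentication, because the device would have no private key to prove possession of the client certificate.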
A proxy server is used to connect to the KATA/NDR/Sandbox server if use of a proxy server is configured in the general application settings of Kaspersky Endpoint Security.
By default, integration with Kaspersky Anti Targeted Attack Platform solution components is disabled. You can enable, disable, or configure the integration using the command line, the Web Console, and Administration Console.
When integrated with any Kaspersky Anti Targeted Attack Platform component, you can:
- Configure general KATA/NDR/Sandbox server connection settings.
- Add or remove KATA/NDR/Sandbox server certificates.
- Configure two-way authentication when connecting to KATA/NDR/Sandbox servers and add client certificates.
- Configure event forwarding.
When integrated with Kaspersky Endpoint Detection and Response (KATA), you also can: