Kaspersky Industrial CyberSecurity for Networks

Configuring the receipt of data from EPP applications

March 22, 2024

ID 219777

Kaspersky Industrial CyberSecurity for Networks can receive and process data from Kaspersky applications that protect workstations and servers. These applications are included in the Endpoint Protection Platform (EPP) and are installed on endpoint devices within the enterprise IT infrastructure.

Data transfer from EPP applications is performed by computers that have Kaspersky Endpoint Agent installed. Kaspersky Endpoint Agent is installed on workstations and servers in the enterprise IT infrastructure as a supplement to EPP applications.

The current version of Kaspersky Industrial CyberSecurity for Networks can receive and process data from the Kaspersky Endpoint Agent application included in the distribution kit of Kaspersky Industrial CyberSecurity for Nodes. Installation of Kaspersky Endpoint Agent can be performed separately or together with Kaspersky Industrial CyberSecurity for Nodes.

The maximum number of computers from which data from EPP applications can be received and processed is 1,000.

Data from Kaspersky Endpoint Agent is forwarded to Kaspersky Industrial CyberSecurity for Networks through integration servers. Integration server functions can be performed by any node that has a Kaspersky Industrial CyberSecurity for Networks component installed (Server or sensor). For integration with Kaspersky Endpoint Agent, you need to add integration servers to the nodes that will receive data from Kaspersky Endpoint Agent.

On a Kaspersky Industrial CyberSecurity for Networks node, integration server functions are implemented by the service named kics4net-epp-proxy that facilitates integration with EPP applications. The installation package for this service is included in the distribution kit of Kaspersky Industrial CyberSecurity for Networks.

When an integration server receives data from Kaspersky Endpoint Agent, the application may do the following:

  • Register events based on EPP technology (workstation and server protection events).
  • Populate the device table with devices hosting installed EPP applications (and devices that have had bidirectional interactions with such devices).
  • Update the device table with information about devices hosting installed EPP applications (for example, the operating system version, information on the model or developer).
  • Display special icons on the nodes of the network interactions map and the nodes of the topology map that indicate the presence and the connection status of EPP applications.
  • Display, on the network interactions map, connections in which one of the interaction parties is a device with an installed EPP application (in this case, data received from monitoring point traffic has priority when information about such connections is displayed).

Computers hosting Kaspersky Endpoint Agent establish secure connections with integration servers over the HTTPS protocol. Connections are secured by using certificates issued by the Kaspersky Industrial CyberSecurity for Networks Server. The following certificates can be used in connections:

  • Integration server certificate. This certificate is verified by the computer with Kaspersky Endpoint Agent each time a connection is established. A connection is not established until certificate verification is successfully completed.
  • Client certificate. This certificate is used to authenticate integration server clients that are computers with Kaspersky Endpoint Agent. The same client certificate can be used by multiple computers with Kaspersky Endpoint Agent. By default, an integration server does not verify certificates of clients, but you can enable client certificate verification to reinforce the security of connections.

Kaspersky Security Center is used to deliver certificates and public keys to computers with Kaspersky Endpoint Agent. This data is uploaded to Kaspersky Security Center using a communication data package, which needs to be created in Kaspersky Industrial CyberSecurity for Networks after an integration server is added.

Only users with the Administrator role can configure receipt of data from EPP applications.

In this section:

Scenario for preparing to receive data from EPP applications

Adding an integration server

Creating a communication data package for integration server clients

Integration servers table

Enabling and disabling an integration server

Editing integration server settings

Removing an integration server
