Kaspersky Endpoint Detection and Response Optimum

Kaspersky Endpoint Detection and Response Optimum (hereinafter also referred to as EDR Optimum) is a solution designed to protect an organization's IT infrastructure from complex cyberthreats. The solution's functionality combines automatic threat detection with the ability to respond to these threats to resist complex attacks, including new exploits, ransomware, fileless attacks, and methods that use legitimate system tools. For more information about the solution, refer to the Kaspersky Endpoint Detection and Response Optimum Help.

Kaspersky Industrial CyberSecurity for Nodes 4.2 introduces the built-in agent to work as part of EDR Optimum solution version 2.0 and later.

Solution architecture

The solution consists of the following components:

• Kaspersky Industrial CyberSecurity for Nodes is installed on individual devices in the corporate IT infrastructure running a Microsoft Windows operating system. The application constantly monitors the processes running on these devices, as well as open network connections and files modifications.
• Kaspersky Security Center with the Kaspersky Security Center Web Console allow centralized management of the solution and its settings.

Principle of operation of the solution

EDR Optimum reviews and analyses threat development and provides the Security officer or Administrator with information about the potential attack that is necessary for a timely response. EDR Optimum displays alert details in a separate window. An alert is an event in the corporate IT infrastructure that the application has identified as unusual or suspicious and that can pose a security threat for the corporate IT infrastructure.

Alert Details is a tool for viewing the entirety of collected information about a detected threat. Alert details include, for example, the history of files appearing on the computer.

The solution uses the following Threat Intelligence tools for analyzing threats:

• Kaspersky Security Network (KSN) infrastructure of cloud services, which provides access to the online Kaspersky Knowledge Base, which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network facilitates faster responses by Kaspersky applications to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.
• Integration with the Kaspersky Private Security Network (hereinafter also referred to as KPSN), which allows the users to access KSN reputation databases, as well as other statistics, without submitting data to KSN from their computers.
• Integration with the Kaspersky Threat Intelligence Portal information system, which contains and displays information about the reputation of files and URLs.
• The Kaspersky Threats database.

Threat response

The threat response functionality provides the following automatic actions that the application performs when threats are detected:

• Quarantine object.
• Delete file.
• Isolate device from the network.
• Run Critical Areas Scan on the device.
• Start search for indicators of compromise (IOC Scan) for a group of devices.

Additionally, the following actions are available to a Security Officer or an Administrator:

• Place objects on the Execution prevention list.
• Start process on the device.
• Terminate process on the device.

If you are using version 4.2 or later of the application as part of the EDR Optimum solution, to manage alert details, you must upgrade the web plug-in of Endpoint Detection and Response to version 15.1 or later. Otherwise, if you have the Kaspersky Endpoint Agent web plug-in installed, threat development chains in incident cards opened with this web plug-in may contain limited data or errors.

Functionality of Kaspersky Industrial CyberSecurity for Nodes 4.5

As part of the EDR Optimum solution, Kaspersky Industrial CyberSecurity does the following:

• Collects information about alerts.
• Supplements verdict information with data about the detection.
• Sends data to Kaspersky Security Center to generate alert details.
• Starts IOC Scan tasks (search for indicators of compromise) on groups of protected devices.
• Handles detected indicators of compromise, for example:
  • enables network isolation of the device;
  • starts Critical Areas Scan on the device.

Support for previous versions of Kaspersky Industrial CyberSecurity for Nodes

If you are using Kaspersky Industrial CyberSecurity for Nodes older than 4.2 for interaction with EDR Optimum, you must install Kaspersky Endpoint Agent. Kaspersky Industrial CyberSecurity for Nodes 4.5 uses the built-in agent for interaction with EDR Optimum.

In this section Integration of the built-in agent with EDR Optimum Scan for indicators of compromise (IOC) Move file to Quarantine Get file Delete file Process start Terminate process Execution prevention Computer network isolation Cloud Sandbox Licensing EDR Optimum

Page top