Long gone are the days when a complex hacker attack required serious resources and competent specialists. Nowadays advanced malware can be bought on the darknet without much effort, or even rented for a while under the MaaS (Malware-as-a-Service) model.
The creators of such services not only give their customers a convenient management console for the tools used to break into someone else's IT infrastructure, but are also ready to provide technical support if the user of the service gets confused. This practice has lowered the barrier to entry for sophisticated targeted attacks to a minimum, and attackers typically go after those who have something worth taking, which primarily means companies.
EDR class solutions
The flurry of targeted attacks has led to the emergence of a special class of information security tool, EDR (Endpoint Detection and Response). EDR is aimed at protecting the endpoints of the corporate network, which most often serve as the attack's entry point. The main tasks of EDR are to detect signs of intrusion, respond to an attack automatically, give specialists the ability to quickly determine the scale of the threat and its source, and collect data for subsequent investigation of the incident.
EDR functionality rests on the ability of this type of software to analyze events in detail and proactively hunt for threats, automate repetitive daily protection tasks, and centrally collect endpoint health monitoring data. All this raises the productivity of information security specialists working, for example, in the SOC (Security Operations Center) of a large company.
Kaspersky Endpoint Detection and Response
Several years ago, Kaspersky Lab entered the EDR market with its own Kaspersky Endpoint Detection and Response (KEDR) solution, which has earned a good reputation among industry experts. Companies that take information security seriously usually use KEDR as part of a comprehensive solution that includes KEDR itself, the Kaspersky Anti Targeted Attack (KATA) platform, and the Managed Detection and Response (MDR) service.
This combination lets cybersecurity professionals effectively counter the most advanced types of modern attacks. As a rule, such solutions are adopted by enterprise-level organizations with their own SOC, or at least a separate small security department. The necessary software and service licenses are quite expensive, but for, say, a national-scale bank, the potential risks are many times higher than the cost of providing information security.
Optimal EDR for Medium Business
Midsize companies often cannot afford to maintain their own SOC or to employ several dedicated specialists. At the same time, they are of course also interested in the capabilities that EDR solutions provide. Specifically for these customers, Kaspersky Lab has released Kaspersky EDR for Business OPTIMAL.
In just six months, this product has gained well-deserved popularity. It is part of the so-called "Optimal IT Security Framework", developed by the vendor specifically for customers who cannot afford expensive, specialized software to combat sophisticated cyber attacks.
In addition to Kaspersky EDR for Business OPTIMAL, which combines EPP (Endpoint Protection Platform) technologies with basic EDR technologies, the framework includes the Kaspersky Sandbox tool and the Kaspersky MDR Optimum service.
Let's list the key features of Kaspersky EDR for Business OPTIMAL. Its main function is to monitor endpoints, detect emerging threats and collect information about them.
For each detected incident, an attack development graph is compiled, supplemented with information about the device and the activity of its operating system. The product can use Indicators of Compromise (IoC) identified during the investigation or downloaded from external sources to find threats or traces of previous attacks.
How the defenses react to a detected threat can be configured according to the nature of the attack: isolating network hosts, quarantining or deleting infected objects in the file system, blocking or prohibiting the launch of certain processes in the operating system, and so on.
The product's functionality can be significantly expanded through integration with other Kaspersky Lab products: the Kaspersky Security Network (KSN) cloud service, the Kaspersky Threat Intelligence Portal (OpenTIP) and the Kaspersky Threats database. These technologies and services are either included in the license price (KSN) or provided free of charge (OpenTIP, Kaspersky Threats).
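To make the two preceding paragraphs concrete, here is an added example (written for this page, not code from Kaspersky or any of its products) of the three steps an EDR performs on an incident: matching endpoint telemetry against a list of Indicators of Compromise, reconstructing the process chain that leads to the hit (the core of an attack development graph), and deriving the response actions for the offending process. The event format, the IoC list, the file hash and the mapping from IoC type to response action are all constructed assumptions for illustration.

```python
"""Added example: IoC matching, process-chain reconstruction and response
planning over constructed endpoint telemetry. Not Kaspersky code; event and
IoC formats are assumptions made for this illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed IoC list, in the shape a threat-intel feed might export.
# The hash is a made-up value, not a real sample.
IOCS = {
    "sha256": {"1111111111111111111111111111111111111111111111111111111111111111"},
    "domain": {"update-check.example.net"},
}

# Constructed endpoint telemetry: process starts, file writes, DNS lookups.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"type": "file", "pid": 300, "path": r"C:\Users\u\AppData\Local\Temp\x.dll",
     "sha256": "1111111111111111111111111111111111111111111111111111111111111111"},
    {"type": "dns", "pid": 300, "query": "Update-Check.example.net"},
    {"type": "process", "pid": 400, "ppid": 100, "image": "notepad.exe"},
]

# Assumed mapping from IoC type to the response action it triggers.
RESPONSE = {"sha256": "quarantine_file", "domain": "isolate_host"}


@dataclass(frozen=True)
class Hit:
    ioc_type: str
    value: str
    pid: int


def match_iocs(events: List[dict], iocs: Dict[str, Set[str]]) -> List[Hit]:
    """Return one Hit per event whose hash or queried domain is in the IoC list."""
    hits = []
    for ev in events:
        if ev["type"] == "file" and ev.get("sha256") in iocs["sha256"]:
            hits.append(Hit("sha256", ev["sha256"], ev["pid"]))
        elif ev["type"] == "dns" and ev["query"].lower() in iocs["domain"]:
            hits.append(Hit("domain", ev["query"].lower(), ev["pid"]))
    return hits


def process_chain(events: List[dict], pid: int) -> List[str]:
    """Walk parent links from pid up to the root; images returned root-first.
    A cycle guard keeps malformed telemetry from looping forever."""
    by_pid = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def plan_response(hits: List[Hit]) -> Dict[int, Set[str]]:
    """Per offending process: always block it, plus the action for each IoC type."""
    plan: Dict[int, Set[str]] = {}
    for h in hits:
        plan.setdefault(h.pid, {"block_process"}).add(RESPONSE[h.ioc_type])
    return plan


def investigate(events: List[dict] = EVENTS, iocs: Dict[str, Set[str]] = IOCS) -> dict:
    """Tie the three steps together into one incident record."""
    hits = match_iocs(events, iocs)
    return {
        "hits": hits,
        "chains": {h.pid: process_chain(events, h.pid) for h in hits},
        "response": plan_response(hits),
    }


if __name__ == "__main__":
    result = investigate()
    for h in result["hits"]:
        print(f"{h.ioc_type} hit {h.value} in pid {h.pid}: "
              + " -> ".join(result["chains"][h.pid]))
    print(result["response"])
```

On the constructed data the two hits both belong to pid 300, whose chain is explorer.exe -> WINWORD.EXE -> powershell.exe, the classic office-document-spawns-shell pattern; the response plan for that process combines blocking it, quarantining the matched file and isolating the host. Domain matching is case-insensitive because DNS names are.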
Architecture and deployment
Deploying Kaspersky EDR for Business OPTIMAL on a corporate network does not require large computing resources. Every endpoint must have Kaspersky Endpoint Security installed with the Endpoint Agent component enabled; it is compatible with Windows operating systems starting from Windows 7 SP1 / Windows Server 2008 R2 and occupies no more than 2 GB of disk space. For full operation, a single-core 1.4 GHz processor and 1 GB (x86) or 2 GB (x64) of RAM are enough.
The system requirements for the computer from which the solution is managed are slightly higher. This is a local Kaspersky Security Center server with the administration console, although the Kaspersky Security Center Cloud Console cloud service can be used instead. In both cases the product is managed through a web browser. The local Kaspersky Security Center server requires access to a Microsoft SQL Server or MySQL DBMS.
Kaspersky Security Center is deployed using the installation wizard and does not take much time. During installation, a folder for storing installation packages and updates is created and the Administration Server is configured.
Kaspersky Endpoint Security with the Endpoint Agent component enabled is installed centrally using the Protection Deployment Wizard. During the process, the administrator is asked to define the list of protected hosts, download the installation files, configure a policy for notifications about security events, and so on. After that, deployment begins in accordance with the selected options.
An alternative way to distribute Kaspersky Endpoint Security with the Endpoint Agent component enabled across the network is Windows Group Policy.
With the release of Kaspersky EDR for Business OPTIMAL, companies can use modern threat detection and response tools without having to invest in their own information security service.
The solution can be serviced by the customer's own system administrators, for whom Kaspersky Lab has prepared appropriate training.