Kaspersky has updated its Endpoint Detection and Response product for enterprises with mature IT security processes. The newly named Kaspersky Endpoint Detection and Response Expert delivers advanced protection against APT-like attacks. Its investigation and response capabilities are enhanced with automatic merging of alerts into incidents, YARA rules-based scanning, and API integration for response on hosts. The new upgrade also features a cloud-based management console hosted in Azure – along with the previously available on-premises version – so customers with cloud-native infrastructure, or those still on their cloud journey, can benefit from the proven and powerful EDR tool hosted on a cloud platform they trust.
An EDR solution is an acknowledged must-have for dedicated cyberprotection, with Gartner predicting that more than 50% of enterprises will replace their legacy antivirus solutions with EDR by 2023. Within distributed IT infrastructure, it sometimes takes more than a month to detect an attack. However, EDR can help to eliminate an attack spread path as early as possible, arming enterprises with effective investigation tools.
More granular detection and investigation, and API for response
Kaspersky Endpoint Detection and Response Expert is a fully fledged EDR product protecting against both mass and advanced enterprise threats. It also introduces new detection and investigation capabilities to help customers fine-tune their analysis of suspicious objects and spot attacks in a sea of alerts.
Suspicious files that trigger Indicator of Attack (IoA) rules can now be automatically sent to the sandbox for scanning. If a file appears to be malicious as a result of a sandbox check, an alert will be created. The added ability to build granular exceptions in IoA rules helps businesses to avoid false positives from legitimate administrator actions. For example, the rule can be configured so that it does not trigger on the administrator’s computer.
To detect malicious files on individual endpoints where there is suspicious activity, security operations center (SOC) analysts and threat hunters can now run YARA rules scanning on hosts[1]. On the endpoint, they can scan such areas as random-access memory (RAM), specified folders or all local disks.
Kaspersky Endpoint Detection and Response Expert also upgrades the investigation capability with the ability to merge alerts into incidents automatically. The mechanism correlates fragmented alerts from different endpoints and merges them into a single incident, so analysts do not need to review every alert manually.
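To make the alert-merging idea concrete, here is an added example in Python; it is not Kaspersky's code and the page does not describe the product's actual correlation logic. The example assumes two linking rules, both of which are assumptions for illustration: alerts that share an artifact (a file hash or remote address) belong together, and alerts raised on the same host within a short time window belong together. Links are merged transitively with a union-find structure, so an alert on workstation A that shares a hash with an alert on workstation B pulls both hosts' nearby alerts into one incident. The alert records are constructed sample data.

```python
"""Illustrative alert-to-incident merging (added example, not Kaspersky code).

Assumed linking rules (not taken from the page):
  1. alerts sharing an artifact (hash, address) are part of one incident;
  2. alerts on the same host within `window` of each other are linked.
Links are transitive, so chains across hosts collapse into one incident.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    when: datetime
    rule: str
    artifacts: frozenset[str]  # hashes, addresses, etc. shared across alerts


def _find(parent: dict[str, str], x: str) -> str:
    # Union-find root lookup with path halving.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent: dict[str, str], a: str, b: str) -> None:
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def merge_alerts(alerts: list[Alert], window: timedelta = timedelta(minutes=30)) -> list[list[str]]:
    """Group alerts into incidents; returns a sorted list of sorted alert-id lists."""
    parent = {a.alert_id: a.alert_id for a in alerts}

    # Rule 1: link every pair of alerts that share an artifact.
    by_artifact: dict[str, list[str]] = defaultdict(list)
    for a in alerts:
        for art in a.artifacts:
            by_artifact[art].append(a.alert_id)
    for ids in by_artifact.values():
        for other in ids[1:]:
            _union(parent, ids[0], other)

    # Rule 2: link consecutive alerts on the same host that fall within the window.
    by_host: dict[str, list[Alert]] = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    for group in by_host.values():
        group.sort(key=lambda a: a.when)
        for prev, cur in zip(group, group[1:]):
            if cur.when - prev.when <= window:
                _union(parent, prev.alert_id, cur.alert_id)

    incidents: dict[str, list[str]] = defaultdict(list)
    for a in alerts:
        incidents[_find(parent, a.alert_id)].append(a.alert_id)
    return sorted(sorted(ids) for ids in incidents.values())


# Constructed sample alerts: one intrusion touching two workstations, plus an
# unrelated alert hours later on a server.
_T0 = datetime(2021, 6, 1, 9, 0)
SAMPLE_ALERTS = [
    Alert("A1", "ws-01", _T0, "IoA: suspicious child of office app", frozenset({"sha256:aaaa"})),
    Alert("A2", "ws-01", _T0 + timedelta(minutes=5), "IoA: scheduled task created", frozenset()),
    Alert("A3", "ws-02", _T0 + timedelta(minutes=12), "sandbox verdict: malicious", frozenset({"sha256:aaaa"})),
    Alert("A4", "ws-02", _T0 + timedelta(minutes=15), "IoA: lateral movement attempt", frozenset({"addr:10.0.0.5"})),
    Alert("A5", "srv-07", _T0 + timedelta(hours=3), "IoA: credential access", frozenset({"sha256:bbbb"})),
]


if __name__ == "__main__":
    for n, ids in enumerate(merge_alerts(SAMPLE_ALERTS), start=1):
        print(f"incident {n}: {', '.join(ids)}")
```

With the default 30-minute window the five sample alerts collapse into two incidents: A1 to A4 are chained together (A1 and A3 share the hash, A2 and A4 are each within minutes of their host's other alert), while A5 stays on its own. Shrinking the window to one minute keeps only the artifact link, which shows why the window parameter deserves tuning against an environment's normal alert cadence: too wide and unrelated activity is merged, too narrow and an analyst is back to reviewing fragments.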
When it comes to incident response, IT security teams can drive it from their third-party systems through API integration for response on hosts. For example, they can integrate the ability to launch response actions into their security orchestration platform, such as a SIEM or SOAR.
Cloud-based management console
The product management console is available as an on-premises deployment as well as from the cloud, so organizations can choose their preferred option according to their infrastructure setup. The new cloud version is hosted in Azure and enables faster piloting, implementation, and administration from anywhere, as well as greater transparency and a lower total cost of ownership for the protection product. Thanks to the subscription model, customers can quickly change the volume of licenses according to the number of nodes they need to cover.
“A fully-fledged EDR tool is an essential element of enterprise cybersecurity so it should be adapted to suit various customer needs in detection, response, and security management. With remote work ongoing and the trend in cloud adoption growing, the ability to manage EDR functions from the cloud is a requirement we’re happy to meet with this product update. Hosting the product on a third-party cloud platform also aligns with Kaspersky’s commitment to customers’ data privacy and trust in terms of data processing and location. Moving forward, a powerful and reliable EDR tool should be the foundation for further extended protection that will help enterprises gain visibility and control over all their security domains,” commented Sergey Martsynkyan, VP, Corporate Product Marketing at Kaspersky.