Kaspersky Presales Paper EDR and KATA


A model for presales activities

This course is based on a simplified understanding of how pre-sales engineers participate in
the sales cycle.

At early stages, engineers assist sales representatives by adding technical details to the product
value story. At this point, the engineers should be able to briefly describe technical capabilities,
features and benefits of the solution. They should also be able to recognize the opportunities to
offer alternative, additional or related products, which means that they should know the entire
product line and understand comparative characteristics of various Kaspersky offerings.

If the customer is interested in the products that can detect and help investigate sophisticated
attacks, the engineer needs to evaluate the customer's readiness for these products. Kaspersky
Anti Targeted Attack and Kaspersky Endpoint Detection & Response are expensive products
within the expert product line and are designed to be used by experts. Not all customers have
sufficient expertise or budget.

If the customer is not ready, the engineer should offer alternatives that meet the customer's
budget and functional expectations.

If the customer is ready, the engineer should discuss technical details of the products with the
customer's Information Technology (IT) and Information Security (IS) departments. During this
discussion, technical presentations, pre-recorded video demonstrations, scenarios and live demo
environments will come in handy.

Finally, if the customer is interested in the product and is satisfied with the demonstration, it is
time for a pilot rollout. At this stage, the engineer should discuss and find out the customer's
objectives for the pilot, develop the implementation plan, provide support during the
implementation and the pilot, gather data for the PoC report and participate in the report
presentation to the customer.

Modern threats
LESSON 2 of 56
Why are solutions like KATA and KEDR necessary?
What do they add to traditional security approaches?
To better understand this, let's look at the evolution of cyber threats.
Nowadays, attackers often use tools built into the operating system and popular programs.

This makes detecting traces of an attack extremely difficult. In general, only the
organization’s Information Technology (IT) and Information Security (IS) employees can
differentiate between legitimate and malicious use of administration tools. No algorithm can do
this accurately and efficiently enough.

That is why traditional protection solutions designed to be as autonomous as possible and block
threats without the help of IT and IS experts cannot stop such attacks. Higher-end solutions—
such as KATA and KEDR—are needed that can detect potentially dangerous activity on
computers and on the network and provide analysts with a wider context for quick and accurate
incident classification and understanding what they are dealing with: an attack or legitimate
activity.
In today's world, it is extremely difficult to keep the internal infrastructure secret.

Malefactors can easily find out what protection a company has. Attackers can manipulate the
code of their tools until they become invisible to the security solutions. After that, network
penetration is a matter of delivering malicious modules to the employees’ mailboxes. Finding
employees, finding out their role at the company and creating plausible messages that would
attract their attention is not a problem.

Endpoint protection solutions are not enough to counter these attacks. The capability of endpoint
protection solutions to employ sophisticated threat analysis is limited by the resources of a
personal computer. Detection of bespoke (exclusive) malware requires more powerful analysis tools
such as the Sandbox, which is included with KATA and KEDR. The ability to match the activity of
unknown programs against known techniques employed by cyber criminals is also required.
Finally, contemporary attacks are significantly cheaper than the potential gain.

It is relatively easy for attackers to try many different tactics to achieve their goal. If an attack
fails today, they will continue it in a month with improved methods. As a result, security officers
can never consider their work to be completed. They should always act on the assumption that an
attack on the organization is happening right now, perhaps on different parts of the network at
the same time, and that some stages of the attack may have succeeded.

Officers need an effective strategy for detecting indicators of attack within the framework of
their overall security strategy to be able to efficiently counter these threats. And this strategy
must be backed up by effective tools like KATA and KEDR that gather and analyze information
about the activity that takes place on the network and endpoints.

Modern security stack
LESSON 3 of 56
Increasingly sophisticated attacks require equally sophisticated approaches to defense.

Most intricate attacks can only be detected and investigated by qualified personnel. But
specialists are few, their time is expensive, and the data to analyze is growing.
Therefore, a security system must automate everything that can be automated without
sacrificing production.
Everything that is known to be malicious must be blocked. This is the task of attack prevention
systems, such as endpoint protection platforms. Not all prevention systems are equally efficient.
Kaspersky is widely recognized as a leader in endpoint protection and reliable threat detection.

Meanwhile, attackers can achieve their goals using the tools and methods widely employed by
system administrators. The vast majority of these methods are known and can be detected
automatically.

All potentially harmful activities must be detected and sent to analysts for verification. That’s
exactly what Detection & Response products do. If a specific incident turns out to be malicious,
analysts extract new, reliable indicators of compromise (IoC), such as addresses of command-
and-control servers and hashes of malicious modules. Prevention systems use these indicators to
block similar attacks at earlier stages in the future.

Of course, attackers regularly find new ways to bypass defenses and disguise their activities as
legitimate. Detection of such attacks pertains to the highly skilled and largely creative activity of
Threat Hunting. When analysts detect a new attack, they create indicators of compromise for
their prevention systems and detection rules for previously unknown examples of potentially
dangerous activity. These rules are indicators of attack (IoA) that are used in detection systems.

Not all Detection & Response solutions support threat hunting.

Kaspersky Endpoint Detection and Response
LESSON 4 of 56
Kaspersky Endpoint Detection and Response (KEDR) helps to collect and analyze data about
activities on the network endpoints, identify dangerous activities, contain an attack and eradicate
indicators of compromise with remote response tools.
Kaspersky Endpoint Detection & Response:

1. Automatically checks telemetry for suspicious activity using the Targeted Attack Analyzer technology
2. Enables information security officers to actively hunt for threats using the telemetry database
3. Provides tools to remotely respond to an incident
4. Applies static and dynamic analysis technologies to the files: anti-malware scanning, reputation check, digital signature check, emulation in a virtual environment, YARA
5. Permits searching Kaspersky Threat Intelligence Portal for additional information about the detected objects
6. Permits searching the telemetry database and endpoints for indicators of compromise

Kaspersky Anti Targeted Attack
LESSON 5 of 56

Kaspersky Anti Targeted Attack (KATA) Platform is a tool for deep analysis of the
organization’s network traffic that uses such technologies as Sandbox, IDS, anti-malware
scanning, reputation lookup, YARA.
Kaspersky Anti Targeted Attack Platform:

1. Analyzes data in a raw copy of network traffic, in messages retrieved from the mail system and in objects retrieved from the proxy server
2. Uses highly efficient Sandbox analysis based on Kaspersky technologies with more than 10 years of history
3. Is armed with exclusive intrusion detection rules (IDS) and a unique database of compromised addresses (URL reputation)
4. Integrates with perimeter protection products by Kaspersky to prevent attacks
5. Permits searching Kaspersky Threat Intelligence Portal for additional information about the detected objects
6. Supports custom threat detection rules: YARA, Snort

Kaspersky Endpoint Detection & Response + Kaspersky Anti Targeted Attack
LESSON 6 of 56

Kaspersky EDR and Kaspersky Anti Targeted Attack solve independent tasks. They can also
work together as an integrated solution with additional capabilities.
An integrated installation of Kaspersky Anti Targeted Attack and Kaspersky
Endpoint Detection & Response permits:

1. Automatically detecting links between dangerous objects in traffic and dangerous activity on the endpoints
2. Automatically blocking, on the endpoints, dangerous objects that were previously detected in the traffic
3. Applying response tools to the endpoints related to network detections

Kaspersky EDR and Kaspersky Anti Targeted Attack are based on common components, which
ensures a seamless migration from a stand-alone solution to the integrated one.

Alternatives
LESSON 7 of 56

This section explains how to recognize when Kaspersky Anti Targeted Attack/Kaspersky
Endpoint Detection & Response do not fit the customer’s needs, and what to offer such
customers.

Is the customer ready?
LESSON 8 of 56
There are two significant barriers to using Kaspersky Endpoint Detection and
Response (KEDR) for most customers:

- Significant infrastructure investments in the form of high-performance servers
- High level of employees’ expertise required to make effective use of the obtained information

Organizations that want to add a targeted attack counteraction system to their existing endpoint
protection are not always prepared to multiply their budgets. The cost of Kaspersky Anti
Targeted Attack or Kaspersky Endpoint Detection & Response is 4-6 times more than the cost of
Kaspersky Endpoint Security for Business Select, depending on the solution chosen and with the
lowest possible server hardware cost.

Costs in USD based on January 2021 price list for the USA
What should potential customers who do not have this budget do?
Kaspersky offers a wide range of security options, each supplementing and extending the
capabilities of Kaspersky Endpoint Security for Business.
The following solutions are priced between the costs of ‘standard’ endpoint
protection and Kaspersky Anti Targeted Attack/Kaspersky Endpoint Detection
& Response:

- Kaspersky Endpoint Security for Business Advanced
- Kaspersky Endpoint Detection and Response Optimum
- Kaspersky Sandbox
- Kaspersky Managed Detection and Response

The customers can use individual products or combine them with each other, or even with
Kaspersky Anti Targeted Attack/Kaspersky Endpoint Detection & Response.

KES for Business Advanced
LESSON 9 of 56

KESB Advanced activates the AAC (Adaptive Anomaly Control) module in addition to the
KESB Select functionality.

This module is designed to detect and block malicious activity that uses legitimate tools: popular
applications or utilities distributed within an operating system.

Any attempt to automatically block illegitimate use of system utilities is fraught with false
positives that will block legitimate activities of administrators and users. To minimize false
positives, Adaptive Anomaly Control uses context-based learning.

In Learning Mode, Adaptive Anomaly Control monitors activity on the computer, and if a
potentially dangerous activity is encountered, it considers this activity to be legitimate for that
particular computer and will not block it in the future. Any other potentially hazardous activity
that has not been met during the training period is considered atypical and will be blocked
automatically.

By monitoring the activity of the computer, Adaptive Anomaly Control automatically classifies
potentially dangerous actions into characteristic and uncharacteristic (not always perfectly, but
at scale across the whole network), thus reducing the load on an analyst who would otherwise
have to do it manually for all computers.

In this way, KESB Advanced improves detection of attacks that use standard operating system
tools. In general, it does not require the help of an analyst and can work absolutely automatically.
Semi-manual learning is also possible, further improving detection.
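The following Python sketch is an added example, not Kaspersky code, that models the learning-mode behaviour described above: rule hits observed during training become the baseline for that particular computer, anything else is blocked once enforcement starts, and an analyst can extend the baseline by hand. The rule names, event fields and sample telemetry are assumptions made for the demonstration.

```python
# Constructed illustration of the learning-mode logic the course attributes to
# Adaptive Anomaly Control. Not Kaspersky code: the rule names, event fields and
# sample telemetry below are assumptions made for this demonstration.
from collections import defaultdict

# "Potentially dangerous activity" rules: a name and a predicate over a process
# start event. Each describes a legitimate-tool use that is also abused in attacks.
RULES = {
    "office_app_starts_shell": lambda e: e["parent"] in {"winword.exe", "excel.exe"}
    and e["process"] in {"cmd.exe", "powershell.exe"},
    "script_host_from_temp": lambda e: e["process"] in {"wscript.exe", "cscript.exe"}
    and "\\temp\\" in e["cmdline"].lower(),
}

class AnomalyControl:
    """Per-computer baseline: rule hits seen in learning mode are considered
    characteristic of that computer; anything else is blocked once enforcing."""

    def __init__(self):
        self.learning = True
        self.baseline = defaultdict(set)  # host -> rule names seen during learning

    def matching_rules(self, event):
        return [name for name, pred in RULES.items() if pred(event)]

    def observe(self, event):
        """Return 'allow', 'learned' or 'block' for one event."""
        hits = self.matching_rules(event)
        if not hits:
            return "allow"  # not a potentially dangerous action at all
        if self.learning:
            self.baseline[event["host"]].update(hits)  # remember as characteristic
            return "learned"
        if all(h in self.baseline[event["host"]] for h in hits):
            return "allow"  # characteristic for this particular computer
        return "block"  # uncharacteristic: not met during the training period

    def finish_learning(self):
        self.learning = False

    def add_exclusion(self, host, rule):
        """Semi-manual learning: an analyst marks a rule as normal for one host."""
        self.baseline[host].add(rule)

def event(host, parent, process, cmdline=""):
    return {"host": host, "parent": parent, "process": process, "cmdline": cmdline}

def run_demo():
    """Walk constructed telemetry through learning and enforcement; return verdicts."""
    ac = AnomalyControl()
    seen = []
    # Learning period: a finance workstation's reporting macro launches cmd.exe daily.
    seen.append(ac.observe(event("FIN-PC-01", "excel.exe", "cmd.exe", "/c export.bat")))
    seen.append(ac.observe(event("HR-PC-07", "explorer.exe", "outlook.exe")))
    ac.finish_learning()
    # Enforcement: the macro is characteristic for FIN-PC-01 but not for HR-PC-07.
    seen.append(ac.observe(event("FIN-PC-01", "excel.exe", "cmd.exe", "/c export.bat")))
    seen.append(ac.observe(event("HR-PC-07", "excel.exe", "cmd.exe", "/c export.bat")))
    # A rule never met on FIN-PC-01 during learning is still blocked there.
    seen.append(ac.observe(event("FIN-PC-01", "explorer.exe", "wscript.exe", "C:\\Temp\\x.vbs")))
    # The analyst confirms the script is a sanctioned tool (semi-manual learning).
    ac.add_exclusion("FIN-PC-01", "script_host_from_temp")
    seen.append(ac.observe(event("FIN-PC-01", "explorer.exe", "wscript.exe", "C:\\Temp\\x.vbs")))
    return seen

if __name__ == "__main__":
    print(run_demo())  # ['learned', 'allow', 'allow', 'block', 'block', 'allow']
```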
Kaspersky EDR Optimum
Kaspersky EDR Optimum enables analysts to analyze threats detected on the network endpoints
in more depth and provides tools for rapid response:

- Isolate a host
- Block access to a file
- Kill a process
- Delete a file
- Quarantine a file

You can also scan endpoints for indicators of compromise (IoC) using Kaspersky EDR Optimum
and thus get more detections. You can import these indicators from third-party sources or create
them with just a couple of mouse clicks based on an incident investigation.

Kaspersky EDR Optimum does not require any additional hardware (except space on the
Kaspersky Security Center server to store additional detection details) and supports management
via Kaspersky Security Center Cloud Console.
Kaspersky EDR Optimum is basically a manual or semi-automatic analysis tool. An analyst can
automate some operations.

Kaspersky Sandbox
LESSON 11 of 56

Kaspersky Sandbox integrates with endpoint security applications and automatically scans files
run on network computers.
Unlike KATA Sandbox, Kaspersky Sandbox does not provide a detailed report, but simply
returns a binary result: whether the file is dangerous or not. Kaspersky Sandbox uses fewer types
of virtual machines than KATA Sandbox and therefore requires fewer resources to handle a
comparable file stream.

Kaspersky Sandbox improves detection of targeted attacks and zero-day threats, operates in fully
automatic mode and does not require any analyst input.
Kaspersky Managed Detection and Response
Kaspersky also offers an MDR (Managed Detection and Response) service to companies that do
not have highly qualified personnel for analyzing incidents.
Kaspersky employees analyze the customer’s data and advise on how to respond to an incident:
which incident to consider more important, how best to handle it, and which tools to use.

In Kaspersky MDR Optimum, it is the customer’s analyst who responds to an incident. For this
purpose, Kaspersky MDR Optimum includes all the functionality of Kaspersky EDR Optimum.

Within the framework of Kaspersky MDR Expert, Kaspersky analysts can respond to
cybersecurity incidents (with the consent of the customer's analysts).

Kaspersky MDR can detect any hidden threats and does not require any additional hardware. The
Expert solution does not ask the customer to do much. With the Kaspersky MDR Optimum
solution, the customer’s analyst must participate in incident response.
Summary of alternatives
Let us summarize all these alternatives.

KESB Advanced uses Adaptive Anomaly Control to detect attacks that employ legitimate tools.
It can run completely automatically without an analyst, but at the same time, training with an
analyst will improve detection efficiency. KESB Advanced does not require any infrastructure
investments when compared to KESB Select and supports cloud management.

Kaspersky Endpoint Detection & Response Optimum enables an analyst to investigate and
respond to security incidents. The product automates the most typical response scenarios, does
not require any infrastructure investments, and is managed through the cloud.
Kaspersky Sandbox is the most automatic of the listed products. It protects against sophisticated
and targeted malware, does not require analyst input, but requires a high-performance server
installed at the customer’s site and does not support cloud management.

Within the framework of Kaspersky Managed Detection & Response, Kaspersky experts armed
with high-performance analytic systems detect the most complex threats. This approach does not
require any investment in the customer's infrastructure. Kaspersky MDR Optimum assumes that
it is the customer's staff who responds to an incident. Kaspersky MDR Expert allows the
customer to delegate a part of response tasks to Kaspersky experts.

What’s best for a customer?


If there are no analysts at all and no time for investigations: KSB and KESB Advanced—both
work out of the box (you only need to activate the required features, but do not have to think
much about the settings)

So what should the customer choose from this variety of capabilities and
products? Let's consider four sub-types of potential customers:

- Customers with very tight budgets
- Customers with an immature approach where security is the responsibility of IT (often, with lowest priority)
- Customers with committed professionals in charge of security but without a full-fledged dedicated IS department independent of IT
- Mature customers who already have or are building SOC, CSIRT or CERT

You can offer the cheapest solutions to low-budget customers:

- Kaspersky Endpoint Security for Business Advanced
- Kaspersky EDR Optimum add-on to supplement KESB Select (in those regions where this offer is available)

Customers without an information security department will benefit from the
most automated products:

- Kaspersky Sandbox
- Kaspersky Endpoint Security for Business Advanced (can work automatically)
- Kaspersky MDR Expert, an expensive solution with excellent detection that allows the customer to delegate some of the response functions to Kaspersky experts

Customers with a small information security team who need response tools but
are unlikely to hunt for threats will benefit from:

- Kaspersky EDR Optimum
- Kaspersky MDR Optimum or Expert

Of course, they can also use automated security solutions such as KESB Advanced and
Kaspersky Sandbox if the budget permits.

Customers interested in threat hunting will benefit from:

- Kaspersky Endpoint Detection & Response
- Kaspersky Endpoint Detection & Response with Kaspersky Anti Targeted Attack
- Kaspersky MDR Expert; in this case, because of the ability to communicate with Kaspersky analysts

Technical features: KEDR

Let's take a closer look at the benefits of the expert line products and the methods
and technologies they are based on.

We will start with Kaspersky Endpoint Detection & Response.

Components
Kaspersky Endpoint Detection & Response includes the following applications:

Kaspersky Endpoint Agent is installed on workstations and servers running Microsoft Windows
operating systems. This application collects data about activities on the computer. The collected
data is sent to Central Node for further analysis. Central Node can command the Agents to
contain dangerous activity.

Central Node is the main component of the system. It retrieves data from agents, performs in-
depth static analysis of files, detects anomalous activity on endpoints, stores and publishes the
results. It also interacts with the Sandbox Servers by forwarding objects for payload analysis.

Sandbox Server is a special hypervisor with a set of virtual machines running several different
versions of operating systems and most common applications. Sandbox dynamically analyzes
executable files, office documents, scripts and multimedia files by running them in a virtual
environment, logging the activities and scrutinizing the results.

Sensor acts exclusively as a proxy in KEDR: it transmits telemetry from Endpoint Agents to the
Central Node. This feature can be useful, for example, to optimize telemetry traffic from a
regional office to the organization's headquarters.
In large organizations with numerous computers, a distributed installation with several Central
Nodes that constitute a hierarchy and are managed from a single console is possible.


Telemetry collection
LESSON 16 of 56
Endpoint Agents collect the following data from the network endpoints:

Events in Windows logs


Processes’ activities
File operations
Operations with the registry
Loaded drivers
Network activities
Commands entered from the keyboard
AMSI events
Events of protection applications

These data are sent to the Central Node as they accumulate. If there is no connection to the
Central Node, telemetry gets queued on the drive and is transferred as soon as the connection is
restored.
Targeted attack analyzer
LESSON 17 of 56

Targeted Attack Analyzer analyzes data retrieved from monitoring endpoint activity and detects
indicators of targeted attacks on the company’s IT infrastructure.

Targeted Attack Analyzer receives telemetry from Endpoint Agents. These data are added to the
database, compiled and analyzed in real time. Targeted Attack Analyzer uses various rules to
detect dangerous activities, and the rules are regularly updated in the database. Security officers
can also add custom rules for telemetry analysis.

Two classes of TAA rules are used in Kaspersky Endpoint Detection & Response. Some rules
are aimed at detecting indicators of attacks. If an endpoint’s activity matches one of these rules,
the Central Node creates a TAA alert.

Other rules do not create alerts, but add tags to events. Tags help analysts navigate numerous
events faster and decide which activity needs investigation and which does not.

For example, there are rules that tag actions falling within the MITRE ATT&CK classification.
Tags with technique names complement TAA alerts and help make decisions about which steps
to take in response to the attack.
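As an added example (not Kaspersky code and not KEDR's actual rule format), the Python sketch below separates the two rule classes described above: tag rules only annotate events with MITRE ATT&CK technique names, alert rules raise an alert, and the tags on events that raised no alert are what an analyst can filter on during triage. The rules, event fields and sample telemetry are assumptions made for the demonstration.

```python
# Constructed illustration of the two rule classes the course describes for
# Targeted Attack Analyzer: tag rules that only label events (here with MITRE
# ATT&CK technique names) and alert rules that raise a TAA-style alert. Not
# Kaspersky code and not KEDR's rule syntax; rules, fields and sample telemetry
# are assumptions made for this demonstration.
from dataclasses import dataclass, field

@dataclass
class Event:
    host: str
    parent: str
    process: str
    cmdline: str
    tags: list = field(default_factory=list)

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}

# Tag rules: (predicate, tag). They never alert; they annotate events for triage.
TAG_RULES = [
    (lambda e: e.process == "powershell.exe", "T1059.001 PowerShell"),
    (lambda e: e.process == "whoami.exe", "T1033 System Owner/User Discovery"),
    (lambda e: e.process == "schtasks.exe" and "/create" in e.cmdline.lower(),
     "T1053.005 Scheduled Task"),
]

# Alert rules: (predicate over an already-tagged event, alert name).
ALERT_RULES = [
    (lambda e: e.parent in OFFICE_APPS and "T1059.001 PowerShell" in e.tags,
     "Office application started PowerShell"),
    (lambda e: e.parent in OFFICE_APPS and "T1053.005 Scheduled Task" in e.tags,
     "Office application created a scheduled task"),
]

def analyze(events):
    """Apply tag rules, then alert rules, to each event.

    Returns (alerts, tagged_only): alerts as (host, alert name, tags), and the
    number of events that received tags but no alert, i.e. the context an analyst
    can filter on when deciding what still needs investigation."""
    alerts, tagged_only = [], 0
    for e in events:
        e.tags = [tag for pred, tag in TAG_RULES if pred(e)]
        fired = [name for pred, name in ALERT_RULES if pred(e)]
        alerts.extend((e.host, name, list(e.tags)) for name in fired)
        if e.tags and not fired:
            tagged_only += 1
    return alerts, tagged_only

def sample_telemetry():
    """Constructed process-start events; none is a real incident."""
    return [
        Event("ADM-PC-02", "cmd.exe", "powershell.exe", "-File backup.ps1"),
        Event("FIN-PC-01", "winword.exe", "powershell.exe", "-File report.ps1"),
        Event("HR-PC-07", "explorer.exe", "notepad.exe", "notes.txt"),
        Event("FIN-PC-01", "powershell.exe", "whoami.exe", ""),
    ]

def run_demo():
    return analyze(sample_telemetry())

if __name__ == "__main__":
    alerts, tagged_only = run_demo()
    print(alerts)       # [('FIN-PC-01', 'Office application started PowerShell', ['T1059.001 PowerShell'])]
    print(tagged_only)  # 2
```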
Telemetry database
LESSON 18 of 56
The telemetry database supports functions important for security specialists:

- Threat hunting
- Root cause analysis
- Retrospective search

All of this is accessible through an intuitive interface that provides:

- Visualization of processes’ relationships
- Flexible database search engine
- Context-sensitive use of mitigation and response tools at any stage of hunt or analysis
- Transformation of search conditions into attack detection rules for the Targeted Attack Analyzer technology

Kaspersky EDR permits storing telemetry data for as long as necessary, provided that sufficient
storage space is allocated.

Network isolation
LESSON 19 of 56
Network isolation is enforced via Endpoint Agents and blocks all incoming and outgoing packets
and connections except those for which exclusions are specified.

Endpoint Agent has unconditional exceptions for:

- DNS and DHCP protocols, to ensure that the computer remains operational and, in particular, that the Endpoint Agent is able to communicate with the Central Node
- Services and processes of Kaspersky Endpoint Agent and other Kaspersky applications that can be installed on the computer

An analyst can also create any other exclusion manually, using a simple list of settings. For
example, an analyst can allow incoming connections to be able to connect to the computer’s
desktop for detailed investigation. Exceptions can be adjusted after the computer has already
been isolated. Since built-in exceptions do not prevent the Endpoint Agent from communicating
with the Central Node, it will be able to retrieve and apply the new settings.
