Kaspersky Security Center (on-premise) Out-of-the-Box response integration

This article guides you through the integration process of Kaspersky Security Center with Lumu for automated response procedures. This is one of our featured Out-of-the-Box Response Integrations.

Requirements

  • Kaspersky Security Center version 14.x up to version 15.1.x
  • A Kaspersky user with the Administrator role (needed only for the preliminary setup; the integration itself runs with a least-privilege user created below).
  • An active Lumu Defender subscription
  • A Docker-enabled host with network reachability to Lumu (Internet) and to the Kaspersky Security Center server.

Preliminary setup - Encryption keys

The Kaspersky Security Center Out-of-the-Box response integration uses asymmetric encryption keys to secure integration configuration data. The Lumu Portal will ask you for a public key as part of the configuration process. The overall process is covered in two tasks:

  • Install OpenSSL
  • Generate the pair of encryption keys, public and private.
Notes You can use an existing public key to configure the integration. Make sure you have access to the matching private key. Both are required to successfully complete the configuration process.

Install OpenSSL

Notes Most Unix-based systems already have openssl installed. If this is your case, you can jump forward to the Generate the encryption keys section.

Follow the instructions given for your operating system below.

Windows systems

Notes If you already have OpenSSL installed in your Windows system, you can skip forward to the Generate the encryption keys section.

If you don’t have OpenSSL installed on your Windows system, you can use the WinGet command line tool to install it. Follow these instructions to install OpenSSL on Windows:

1. Open a Command Prompt with Administrator privileges. To do so, open your Start menu, and search for cmd. The Command Prompt app will appear. Select Run as administrator (1) from the panel on the right.

2. Once in the Command Prompt, run the following command and follow the on-screen instructions:

winget install -e --id ShiningLight.OpenSSL.Light

3. Open your system settings by opening the Start menu and search for System Settings. The View Advanced System Settings app will appear, click on it.

4. Go to the Advanced tab (1), and click on Environment Variables (2) found in the lower right corner.

5. In the System variables section, find the Path variable in the Variable column, select it and click Edit (1). The Edit environment variable window will appear.


6. In the Edit Environment Variable window, click New (1) to add a new variable record. Copy and paste the following value in the text field that requests your input.

%PROGRAMFILES%\OpenSSL-Win64\bin

Finish by clicking OK until you reach the Settings window again.

7. Open a new Command Prompt window (an existing window does not pick up the Path change) and run the following command to test the installation:

openssl version

The command prints the installed OpenSSL version string. If the output says that openssl is not recognized as a command, re-check the Path entry added in the previous step.


Unix-based systems

Most Unix-based distributions have OpenSSL installed. If your system doesn’t have it, you can install it using the package manager of your operating system.

To check whether your distribution already has OpenSSL installed, query your package manager. On Ubuntu, run:

apt list openssl

If the line ends with the word installed between brackets, OpenSSL is already installed.


To install OpenSSL in case your distro doesn’t already have it, use your package manager to install it. To install it in Ubuntu, you must run the following command:

sudo apt update
sudo apt install openssl -y

Generate the encryption keys

To configure the integration, you must generate a new encryption key pair, consisting of a private and a public key. Each key is written to a .pem file in the directory your command prompt or terminal is in when you run the command. In the screenshot example that accompanied this article, the .pem files are created in the Util folder under the C drive.

Input the following commands in a Command Prompt on Windows systems or a Terminal in Unix-based systems.

1. First, generate the private key. It will be needed to generate the public key. Run the following command:

openssl genrsa -out PRIVATE_KEY.pem [KEY_LENGTH]

Replace the placeholders as follows:

  1. PRIVATE_KEY is the name of the .pem file where the private key will be stored.
  2. KEY_LENGTH is the length of the generated key in bits. Use at least 2048.

2. Now, generate the public key using the private key. To do so, run the following command:

openssl rsa -in PRIVATE_KEY.pem -pubout -out PUBLIC_KEY.pem

Replace the placeholders as follows:

  1. PRIVATE_KEY is the name of the .pem file where the private key was stored. It is the same name as in the previous step.
  2. PUBLIC_KEY is the name of the .pem file where the public key will be stored.

Alert Store the keys in a safe place. Both keys are required to configure the integration and for its proper operation. Only the public key is uploaded to the Lumu Portal; keep the private key for the integration component (see Deploy and configure the integration component below) and restrict its file permissions so that only the account running the component can read it.
Notes The .pem files can be opened in a text editor to access the key stored within.
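The following script is an added example, not part of the original article or of Lumu's own tooling. It automates the two openssl commands above, creates the private key with owner-only permissions, and, before the public half is uploaded to the Lumu Portal, checks that the two files really are a pair and that a secret encrypted with the public key decrypts with the private one. It assumes a POSIX shell with OpenSSL 1.1.1 or later on PATH; the file names and the "integration-secret" sample plaintext are arbitrary choices for the example.

```shell
#!/bin/sh
# Added example (not from the original article or from Lumu).
# Assumptions: POSIX sh, OpenSSL 1.1.1+ on PATH; file names are arbitrary.
set -eu

# generate_keypair PRIVATE.pem PUBLIC.pem [BITS]
# Same two commands as the article; BITS defaults to 2048, the article's minimum.
generate_keypair() {
    priv=$1; pub=$2; bits=${3:-2048}
    # umask in a subshell so the private key is created 0600 and nothing else changes
    ( umask 077; openssl genrsa -out "$priv" "$bits" 2>/dev/null )
    openssl rsa -in "$priv" -pubout -out "$pub" 2>/dev/null
    chmod 644 "$pub"   # the public key is meant to be shared with the portal
}

# keypair_matches PRIVATE.pem PUBLIC.pem
# Returns 0 when both files carry the same RSA modulus, i.e. the public key
# you upload is the counterpart of the private key the component will hold.
keypair_matches() {
    priv_fp=$(openssl rsa -in "$1" -noout -modulus | openssl dgst -sha256)
    pub_fp=$(openssl rsa -pubin -in "$2" -noout -modulus | openssl dgst -sha256)
    [ "$priv_fp" = "$pub_fp" ]
}

# roundtrip_ok PRIVATE.pem PUBLIC.pem
# Encrypts a sample secret with the public key and decrypts it with the private
# key; returns 0 when the plaintext survives the round trip.
roundtrip_ok() {
    tmp=$(mktemp -d)
    printf 'integration-secret' > "$tmp/plain"   # constructed sample secret
    openssl pkeyutl -encrypt -pubin -inkey "$2" -in "$tmp/plain" -out "$tmp/enc"
    openssl pkeyutl -decrypt -inkey "$1" -in "$tmp/enc" -out "$tmp/dec"
    if cmp -s "$tmp/plain" "$tmp/dec"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# private_key_is_private PRIVATE.pem
# Returns 0 when the private key is readable by its owner only (0600 or 0400).
private_key_is_private() {
    perm=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$perm" = 600 ] || [ "$perm" = 400 ]
}

# Stand-alone run: ./keys.sh --demo  (writes the pair into the current directory)
if [ "${1:-}" = "--demo" ]; then
    generate_keypair lumu_ksc_private.pem lumu_ksc_public.pem 2048
    keypair_matches lumu_ksc_private.pem lumu_ksc_public.pem
    roundtrip_ok lumu_ksc_private.pem lumu_ksc_public.pem
    private_key_is_private lumu_ksc_private.pem
    echo "key pair generated and verified; upload lumu_ksc_public.pem to the Lumu Portal"
fi
```

Run the modulus check again on the Docker host after copying the private key there: a mismatch at that point is the usual cause of an integration that activates in the portal but never decrypts its configuration.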

Preliminary setup - Kaspersky Security Center (KSC)

You must set up your KSC console before proceeding to activate the integration. Log in to your KSC Web UI with an admin user and follow the steps described in the following sections to complete these requirements:

  • Verify access to the KSC Web Console and that the Kaspersky Endpoint Security for Windows web plug-in is installed.
  • Create the Integration User Role.
  • Create the integration User.
  • Set English language for the Integration User.
  • Copy the Policy ID and its Web Rule name.
  • Copy the Application Category ID.

Verify access to the KSC Web Console and the Kaspersky Endpoint Security for Windows web plug-in

1. Open the KSC Web Console URL in a browser and verify that the page loads correctly. Note the hostname or IP address and the port; both are needed when configuring the integration.

2. Log in to the web console. In the left panel, go to Settings (1) and select Web plug-ins (2). Check that the web plug-in for Kaspersky Endpoint Security for Windows is installed; it provides the Windows policy settings used later in this guide. If it is not installed, ask your Kaspersky operator to install it.

Now, you can proceed to create the integration role.

Create the integration user role

1. Click on Roles (1) under the User & roles section. Then, click on + Add (2)

2. Select a name for the new role. Then, go to the Access rights tab. Following the principle of least privilege, grant only the access rights listed below; the integration needs nothing beyond these.

  • Kaspersky Security Center Administration Server → General features → Management of administration groups
  • Kaspersky Security Center Administration Server → General features → Basic functionality
  • Kaspersky Security Center Administration Server → System management → Software inventory
  • Kaspersky Endpoint Security for Windows → Application Control
  • Kaspersky Endpoint Security for Windows → Web Control

Now, you can proceed to create the integration user.

Create the Integration User

Notes Ensure you can create the integration user without MFA enforcement. The integration will not work with a user that has MFA enabled. Because this account authenticates non-interactively, compensate with a long, unique password, the least-privilege role created above, and the narrowest scope that still covers the devices the policy applies to.

1. Click on Users and groups (1) under the User & roles section. Then, click on + Add (2).

2. Assign a name for the new user and configure its password. Then, go to the Roles tab and assign the integration role created in the previous section with the following scopes:

  • Administration Server.
  • The administration group (or groups) containing the devices covered by the policy that the integration will manage.

Set English language for the Integration User

Once the integration user is created, log in to the KSC Web console with it. On the first login, the console presents a disclaimer, shown in the screenshot that accompanied this article. Confirm and accept it manually; the integration cannot do this on its own.

To make sure the console remains in English, go to Settings (1), then select Language (2), and set English as the language.

Now, it's time to create the web rule for the selected integration policy.

Copy the Policy ID and its Web Rule name

A Windows policy may already exist, so you only need to add a Web Rule to it. If not, create a Windows policy and name its Web Rule for the integration.

Follow these steps to create a policy for Kaspersky Endpoint Security for Windows.

1. Go to Policies & profiles (1) under Assets/Policies, and click Add (2).

2. Go to the Application settings tab, then select Security Controls (1) and click Web control (2).

3. Click on Add (1) to create a new Web rule.

4. Assign a name to the rule and configure it as shown in the screenshot that accompanied this step. Under the Addresses section, select Apply to individual addresses and/or groups (1), then add canary.lumu.net. Once finished, click OK and then Save to finish configuring the policy.

Notes Keep the Web rule name at hand, it will be required for the integration.

5. Then, open the policy and copy the integer displayed at the end of the URL; this is the policy ID required for the integration, keep it at hand. For this example, the policy ID is 13.

Now, follow similar steps for the application category to obtain the category ID.

Copy the Application Category ID

Follow these steps to create the application category that the integration will feed with hash indicators:

1. Navigate to Operations → Third-party applications, then click on Application categories (1) and click on + Add (2).

2. KSC does not allow the creation of an empty Application category. You must specify at least one condition. Go to the Conditions tab and click on + Add (1) to include one.

3. Choose the Hash, metadata, or Certificate option and select Specify manually from the dropdown. Then click Next.

4. Now, select File Hash and SHA256 and copy this test SHA256 hash: 9db86588cfff19b36c508049afa4fba7cf542c8cf43f1ec153652c54f56593a8. Then, click on Next to finish.

5. Once the application category is created, click on it and extract the Category ID from the URL. In this example, the Category ID is 9.

Notes To recap, you currently have the following parameters for the integration:
  • IP address and port of the KSC server
  • Username and password
  • Web rule name
  • Policy ID
  • Application category ID

Add the integration

1. Log in to your Lumu account through the Lumu Portal and navigate to the Integrations screen.

2. Locate the Kaspersky Security Center integration in the Response section on the available apps area. Click Add (1) to view its details.

3. Familiarize yourself with the integration details available in the app description and click on Activate to activate the integration.

4. Give the integration a distinctive Name, select the Threat Types to include, and choose one of the following options based on the integration's purpose: IP addresses, domains & hashes; Only IP addresses & domains; Only domains; or Only hashes. When finished, click Next.

5. In the next window, you must enter the Public Key generated in Step 2 of the Generate the encryption keys section. You can do so in two different ways:

  • Copy and paste the contents of the public key .pem file: open it in a text editor and paste the text into the field provided.
  • Upload it directly: click the Upload from your device button under the text field and select the .pem file from where you stored it.

Lumu uses this public key to encrypt the secrets related to the integration (such as the KSC credentials entered in the next step) before storing them. Click Next to continue.

Alert This public key must be the counterpart of the private key you will use in later steps of the configuration process. Upload only the public key; the private key never leaves your environment.

6. The next window will ask you to fill in the following information to connect to your Kaspersky Security Center Web Console:

  • Username: The username created for the integration.
  • Password: The password for the integration user created earlier.
  • Hostname or IP: The KSC hostname or IP address. Ensure your integration device can resolve the hostname if used.
  • API Port: The port for API connection. The default value is 8080 if left blank.

Click Next when finished.

7. Specify the details of your integration. Based on the selections in Step 4, you will need to provide the following:

  • If you select all indicators (IP, Domains, and Hashes): you must provide Policy ID, Web Control Rule Name, and Application Category ID.
  • If you select only IP and Domains, or only Domains: you must provide Policy ID and Web Control Rule Name.
  • If you select only Hashes: you must provide Application Category ID only.

Click Activate to finish the integration.

8. The integration is now created and active. Now, the Lumu Portal will display the details of the created integration:


Deploy and configure the integration component

Now, it is time to deploy and configure the Kaspersky Integration component. You can find detailed instructions on how to deploy it in our Docker Hub repository.

Integration results

You will see new network indicators in your KSC web rule policy as a result of the integration.

Notes Do not manually edit this web rule; it is managed by the integration.

You will also find a new sha256 hash indicator, if available, in the Application category condition tab of the relevant integration category.

Notes Do not manually edit this Application Category; it is managed by the integration.
