
Maximizing Internal Intelligence for Defense Enablement (on-demand webinar)

Analysts often juggle between applications, browser tabs, and spreadsheets to access, correlate, and analyze data from security tools, threat intelligence sources, logs, and more. This fragmented process is cumbersome, prone to errors, and can delay threat identification and response.

Transcript

James Maguire:
Hi. I’m James Maguire. On today’s webcast, we’re talking about cybersecurity and the importance of maximizing internal intelligence for defense enablement. To help with that, we’ll take a deep dive into Polarity, which is a federated search, correlation, and analysis application for security operations teams. To discuss that, I’m joined by a major expert in the field. With me is Paul Battista, Executive Vice President of Corporate Development and General Manager of Polarity for ThreatConnect. Paul, really good to have you with us today.

Paul Battista:
Thanks, James. A pleasure to be here.

James Maguire:
So before we start, please tell us about ThreatConnect. I know a lot of people are already familiar with the company, but for those who don’t know as much, how does ThreatConnect serve its customers?

Paul Battista:
Yeah. So ThreatConnect has three core products. The first and primary product is the threat intelligence platform, which really works to operationalize threat intel data. So it takes various feeds, open source and commercial feeds, and then allows the teams to practice the intelligence life cycle and operationalize that data. The second product is a risk quantification product called RQ. So in this sense we’re trying to actually put dollar amounts on and help with prioritization of various controls and vulnerabilities, patch levels, etcetera. And then the third product, which we’re gonna talk about today, is Polarity. So this helps with the dissemination side of the intelligence lifecycle, getting data to the analysts at the time they need it.

James Maguire:
Sounds good. Alright. So before we begin, we have just a bit of housekeeping to do. First of all, thank you everyone for attending today. We really appreciate it. We do want to hear from you, and we’ll be answering your questions at the end of the presentation. So please feel free to send questions along using the Q&A section on your screen. You don’t need to wait until the end. You can enter questions anytime during the presentation. Also, today’s webinar is being recorded. We’ll send you the recording in the next twenty-four hours. Okay, Paul. Whenever you’re ready, please go ahead and share your presentation.

Paul Battista:
Thank you, James. So we covered background already. So, you know, former intel officer here, incident responder, penetration tester. So Polarity was really inspired by the work we did both in offensive and defensive security. So what is Polarity? Polarity in its simplest form is a federated search system. So you search in one place, it federates out and searches data, knowledge, intelligence, where it resides today within your organization, and then brings that data back to the analyst and puts it together, fuses it together in one single view, so you can make faster decisions, but informed decisions. So to talk briefly about the problems we solve, it really is that diversity of tools, the fact that data and tools are spread across an organization. And in order to do a complete job, you have to pivot between various different systems. The data in one is not the same as the data in the next system. And so there’s often a big effort and work to try to bring all the data into one place or do enrichment on the fly in a given system, whether that’s within a SIEM or within a SOAR platform. But that gets, you know, 90% of the way there, and Polarity is gonna cover that other 10%, or even make it so that you can do 50% of it there and then use Polarity to cover the other 50% and help with your road maps. The insights that are lost often when it comes to having data in different places: if you don’t know where to look, then, of course, an analyst isn’t gonna check there. But even when an analyst knows, oh, there might be data there, they’re not always gonna go through the trouble of logging into every platform and checking it. So reducing that friction is key. And so how do we solve that? So we enable analysts to get access to that data in a very easy, friction-free way. We’ll go through that in the demo.
We fuse the results into a single view, which we call summary view, so that you’re not going and scrolling through lots and lots of search results. So if a lot of data does come back, we’re not really forcing the analyst to spend, you know, hours scrolling and looking through stuff to get to the data they’re trying to make a decision on. We try to make it very easy for junior or senior team members to be able to find data. So if a member of the team doesn’t know where to search, how to log in, maybe doesn’t even have creds yet into a given portal or system, Polarity allows them to search and find awareness of the fact that there’s data in that system, without having to go open up another tab or go log in to a system. And we capture the telemetry throughout the process: what was searched, where it was searched in terms of what window or system they were in when they searched it, the data that came back. This is all optional telemetry that you as an organization can choose to collect if you wanna learn from the analyst process itself or learn about what data is most valuable to analysts as they’re making decisions. There are three key ways folks use Polarity. The first and simplest way is we have web access. This is very much similar to you going into a search form and, you know, running a Google search, for instance. So you come into web and you can just run a search in a search bar, and you’ll get the results fused in here in a single view. The second way is with our client application, which I’ll be showing during this demo. The client application allows you to have this information and search capability on top of every tool you use, every workflow you have, and allows for shortcut keys as well as computer vision components, which I’ll show how those work in a second. And then there’s the API access.
So if you wanna embed the value of Polarity into other tools, whether that be a ticketing system or a SOAR platform, you can run a single search over to Polarity, which then federates out and makes it easier to develop systems where you incorporate that enrichment similar to what I’m gonna show throughout this demo, just done at the API layer. Alright. So this is kind of a mock-up of what I’m about to show, and that is you can select an area of the screen. Polarity is gonna analyze that and then run a bunch of searches across various systems. And I wanted to show this animation here to really make the point, into what we’re gonna cover in detail, which is institutional knowledge is not just threat data. It’s going to be spread across the organization. So this is your ticketing systems, your intel platforms, your asset management platforms, notes that you might have taken, that team members have taken, as well as connecting to your SIEM platforms and EDR platforms, and then trying to fuse all that data into one single view. And I’ll show this in action now. Alright. So I have a screenshot from a SOAR platform here with a suspected port scan, two IPs that are part of the scan here, one and the other one. And this is actually in the slides here. It’s an image, a screenshot captured. And, actually, to show that, I’ll break out of PowerPoint for a second and just show you. This is an image. This is important to highlight because it allows us to demonstrate that Polarity can truly work on top of any application. So here’s Polarity floating on top of PowerPoint right now. And what I can do is I can select this focus mode button here, and I can select an area of the screen. Again, this is a picture, so this works on top of any tool, whether it’s a custom system, you know, we’ve never seen before.
For instance, we have government customers. Polarity runs on top of their classified systems. We’ve never seen what that UI looks like, but Polarity still runs on top of it without issue. And so I select the area of the screen here. It analyzes the pixel values within that area, extracts out the textual content, extracts out the entities that are worth searching, and then runs federated search across the systems I’ve configured it to, and brings back the results here into this view. So, again, this would be floating, could be on a second monitor or floating right on top of my desktop. And I’m gonna walk through a couple of these results as they relate to internal systems, which is the topic of the talk today. So CIDR ranges. One of the things that Polarity is very good at is understanding IPs within various CIDR ranges. So if you have, you know, that spreadsheet or you have a system that manages all your CIDR ranges within the organization, Polarity can recognize when you’re looking at an IP that falls within a CIDR range and give you the context. So for example, in this situation, the IP that’s in the 10.0.30 range is the Ashburn VPN DHCP pool. So I can get a sense that what I’m looking at here is probably a user system connecting via VPN on that side. And if that wasn’t clear, I also have a lookup going over to Splunk that this system is a user system, IP to user, and I can see it’s used by Heather Riley in this case, and an XPS 15 laptop. So this gives me kind of a quick triage view capability of understanding what I’m looking at, going right from a raw IP over to context about that. And this next one here, this other IP, you can see I have a Google Cloud Compute Engine here. And so I’m able to see that this is actually a server sitting out in the cloud in our DMZ, based on that. So with the nature of cloud assets these days, they’re highly dynamic.
They spin up. They spin down. So in order to be able to capture and understand what I’m looking at from a cloud asset perspective, we’re connecting out to that API and running a, you know, real-time search and getting that context back, understanding that device. I am also simultaneously doing, and I’ll go back to this one for it, searches across Splunk indexes. So I’m doing an index discovery here, and that allows me to see what indexes this given entity falls within. So oftentimes, analysts might have their go-to place to search, but there might be two or three or four or more other indexes that are relevant to what they’re looking at. And in this case, we’re doing that discovery. So I can see it is in that IP to user here, and I can click into that and see the results coming back here: past users that were on this IP from a DHCP perspective and the current user here. Whether that’s Splunk, Elastic, connecting to a SIEM or custom platform, Postgres, Redis, wherever you keep that data, we wanna enable the team to be able to have access to that type of query, that type of information, and to be able to do it without having to, again, pivot into another platform or worry about trying to squeeze enrichment into every little nook and cranny of your source system. You’ll notice throughout this demo that I’m clicking in to various tabs here. So what you’ll see is when I’m clicked out, you have a summary view of the application, and then when I click in, we’re going into what we call the detailed view. So know that throughout this presentation, this is highly configurable. What you wanna display in a summary view versus what you wanna display in a detailed view is highly configurable, for the customers to control what information they wanna display.
I have ticketing here with a star because what I wanted to talk about is while there’s no ticketing system coming back, it doesn’t mean we didn’t search it. So in this case, I actually searched Zendesk, Jira, and ServiceNow and got no results back. So I, as an analyst, can have confidence that I ran those searches even if I’m not seeing the results. So something worth mentioning is that sometimes it’s valuable to not get results back, knowing that it was searched. And this next slide here, again, just like before, it’s an image. And just like before, when I select the area of the screen, it’ll analyze all that content. So here I have a netstat from the server that was port scanned, and we’re able to quickly triage the active connections within there. In this situation, I get a lot more data. I do have a little bit of scrolling, but for each entity, I have that summary view. So I have a very quick understanding of what I’m looking at just by glancing. Everything is color coded here, also configurable. So right now I have kinda investigation systems colored in a purple tone. I have ThreatConnect colored in an orange tone. I have informational data in white, my telemetry data about my search history, which I’ll go into more briefly later, in a light gray. Polarity Assistant, which I’ll show later, in the blue. So, current color coding. Oh, and I should mention, I have my threat intel data highlighted in shades of pink. Note taking is built into the platform. So just like we saw the DHCP pool there and that note on that entity, we also have notes on IP addresses or any other string you want. So as analysts go about and do their work, they take notes one time, and then they’re able to access that data wherever they might see that again in the future. So I just hit that plus button there, and this is our UI where you could take notes of things on the fly.
In this example, this note was taken on this IP address as a dynamically configured link-local address. So this is an address you’ll often see on cloud assets for the metadata services here. And so here’s the note that was taken. If I come across this IP again in the future, I’ll always have access to that note so I don’t need to forget it. If my coworkers come across it, they’ll have that awareness as well. On the threat intel side, you can see how the bright pink really stands out. So as I’m looking at this list of IPs, maybe I should pay extra attention on the 92 address, with a threat score from Mandiant of 89. And, again, like before, I can click in and get an understanding of that or click over and compare it to what Recorded Future says about the same entity. I will break out of the PowerPoint here briefly just to show how this works exactly the same if I was in the application. So now I’m looking at the same exact screen in the cloud asset. This time, I’m gonna turn on what we call highlight mode. And so this is gonna do an inline highlight on the data on my screen. So just like augmented reality, it’s doing these highlights on the screen, and now I can mouse over and pull back the intel on it. So this is really useful if you have a lot of data on the screen and you’re, like, looking at it, say, alright, what was this one again? And you can just mouse over and then pull back. Oh, yeah. This was this GCE asset I looked at previously. Oh, and by the way, here’s that asset before that I was looking at, Heather Riley, the laptop. What’s interesting about this one, just filling out a narrative here, we have a server asset connecting to a laptop on 443. This time, you’ll notice with that laptop, I did pull back ticketing information. So here I can see that this was part of a past ticket. I can click in and see it was part of a spear phishing ticket in the past.
You know, view and pivot on some of the notes on that. But I did wanna highlight that as a way that folks can grab information. And I think we ran a poll on ticketing systems. What we found working with our customers is often that customers will have more than one ticketing system. Might be two, might be five different systems. And so it’s very laborious to try to integrate them all programmatically with code or to ask an analyst to go check two or three or four different systems. We’ve had, you know, customers who had more than four different systems, and the users were asked, please check them all. So when they became Polarity customers, this is one of those things, the thank-you notes I got. You know, thank you so much for building Polarity because now I don’t have to check the five different Jira systems that I was checking previously. And then the last thing I wanna talk about is kind of rabbit holes. So I’m looking, you know, triaging this data, the system here. But within the system, without leaving the application I’m in, I can start to dive down a rabbit hole. In other words, I can continue an investigation. So here I see that this IP is tied to this user. I can hit a keystroke and pivot on that. So now I just ran a search on the h Riley user ID. This went against Splunk again, or Elastic, or really wherever you’re keeping this data. And I have, you know, recent domains visited from a proxy perspective. One of the new domains never visited before here versus the common ones that they’ve been visiting in the past. And I can, again, pivot one more path down the rabbit hole. Now I’ve searched that domain. I can see it’s uncategorized, but I can see it’s a newly created domain here. Maybe check Sentinel. Looks like similar data. Newly created domain.
And then what’s interesting here is I actually have a SharePoint document that references that domain. So in this example here, maybe it was an HR person or someone else doing recruiting who came across this resume and, you know, went to the website in question here. I’ll just show a couple more use cases here. I have a telephone number. Maybe I wanna take a look at where that first area code is. So it looks like it’s Newburgh, New York. Looks like this person’s in Alabama. I’m gonna search a Twitter handle, or X handle. Browse out to that. And actually see that. It doesn’t mean it’s necessarily bad, but it can spot the fact that the domain is different than the one I was just looking at here. Alright. Continuing on. There we go. Alright. Slightly different use case now. Taking a look at vulnerabilities, and I will show off highlight. And I’ll do like before. I’m gonna draw a box. Same as before, it’s still an image, really demonstrating that we work on top of any application, any workflow. And so, just like the last example, we found a SharePoint document related to this vulnerability, being able to find and, you know, search internal knowledge, social media posts about the vulnerability. Dataminr integration there on the commercial side. Twitter there. Exploit code available for that. So if I’m triaging a vulnerability, all those different places that security analysts would go search, we try to configure ahead of time for them, and allow them to just pull that data in very, very quickly. Again, pulling in the threat intel data, and in this case, threat actor groups leveraging that. The other thing I’m pulling in here is my coworkers view, so I can see which coworkers are looking at the same information. This is off of that telemetry I mentioned towards the beginning.
So because we’re able to enable customers to capture their search history, we can then display that back to analysts when appropriate so they can see not only if they searched it in the past, but also what other coworkers might have searched it and where datasets came back and had results for that thing. And then again, just like before with ticketing systems, I put a star next to it because, in this case, I checked our scanners. I checked Nessus. I checked Rapid7, and I didn’t have any results for this. So I have, you know, some certainty in my workflow. I would have gone out and checked those things to see, you know, do we have any systems that would have been flagged as vulnerable to it? But I can have confidence that it was checked even though I don’t have any result here. Coming back. Another example, this time I’m in an EDR system. I’m looking at file hashes. So you see Polarity analyze these two file hashes. I have results for one, and I’m able to, I wanna check circle. So it’s been flagged as known malicious here. EchoTrail as well, never observed this. If I have a binary handy, I can actually drag and drop the sample right into it, as well as you can see ThreatConnect assessing it high on that side as well. So we have both Cal side critical here as well as ThreatConnect. We can report false positives. We can provide feedback into this here on a threat rating perspective, on a confidence rating perspective. I can submit tags. This is important to note, that what’s available to you with Polarity is not all just bringing data to you. You can submit data into the platform, whatever that platform may be. In this example, it’s ThreatConnect. But if it’s another platform, a ticketing system, a SOAR platform, you wanna kick off playbooks, it is bidirectional in terms of how you leverage the tool.
Just like before, we got a hit in Jira so we can find, you know, other tickets associated with that, and I already covered ThreatConnect. I can submit forms as well, send emails, send them over to ticketing systems, just like the integration with ThreatConnect. Polarity Forms is a generic ability to send RFIs, forms, very configurable, whatever you wanna send, wherever you wanna send it type of integration. Okay. Just like the last several examples, again, an image, this time from Teams. So oftentimes, you know, you might have your Slack bots or automations within Teams. They’re usually pretty bare bones. Polarity does give you the ability to get a little bit richer example back from any search. So while I’m sitting inside of a chat and someone’s asking me about a file hash, for instance, I can quickly run a search on that across all my holdings. I also search the two domains that were there as well. And within that, I have in bright purple here both Defender and Microsoft Sentinel. So I’ll go into Defender first. Functionality, right? Device isolation, front hunting steps, as well as the alerts. I can pivot into the platform and view those alerts. On the Sentinel side, similar capabilities.

Paul Battista:
And then, oh, well, let’s say I’m a Slack user instead. When it comes to adding data that shows up in that feed here, we have a subscribe methodology. So I can say, hey, I want Slack. So I’m just gonna subscribe to Slack. And now I’m gonna run that same search, and that’ll incorporate Slack into my results. So kind of two use cases here. One, while you’re in chat and you need to do enrichment and understand what you’re looking at, we’re able to pull back data and enrich the Slack or Teams conversations. But, also, when you’re outside of those applications, you’re able to check to see if there are past history results for those. So you can see here a message from Joe that he got a hit. And then the third use case is if I wanna start or post into a channel here, I can post into a channel, starting with the entity that I’m analyzing as well. So I can start a conversation in a chat from here. So kinda all different ways to help enable and make that easy for you. Alright. And my last example here. So now I’m in ServiceNow. I have a whole bunch of data. I select it. Running lots and lots of searches. In this case, we’re seeing, you know, fifty, sixty results come back, but there might have been six, seven hundred searches that were just run in a few seconds’ time. Talk about being able to be thorough in just a few seconds’ time and get data back, you know, have hits on Sentinel again, GeoHint data, Chronicle, Google SecOps, email reputations coming back here. Let’s see. I wanted to cherry-pick Have I Been Pwned. There it is. So I reached the limit here. So I didn’t have this, so I can retry the search and pull back data there. So when it comes to Polarity querying APIs, we try to be very friendly with the APIs and the limits.
We have built-in robust caching, so that we’re actually saving you on your API lookups versus trying to do full-on enrichment on every single event that comes across the wire. And it can be a shared cache or an individual cache depending on permissions. We have full role-based access control for all these integrations, highly configurable when it comes to that. So in this situation, I click that button, and I pulled in the Have I Been Pwned data on that side. I also pull back Confluence data. Where is it? This one here. So whether it’s Confluence, internal wiki, SharePoint sites, wherever it is that you keep data, we wanna make it really easy to pull back that information. And then I wanna talk about overlap. So this whole time that I’ve been giving the demo, I’ve been keeping what we call breadcrumbs of all my history. So this is the first search you saw me do. A couple of the IPs that were extracted from that. The second search, the things that were extracted, third, fourth search, etcetera, working across. So my entire breadcrumbs of my analysis have been kept. And then we have a little bit of a visual indicator on areas where there’s overlap. So I can see there’s overlap on this file hash with that kinda maroon-reddish highlight around it, and I can see there’s overlap on all these entities that just got pulled out of there. So another coworker has been searching the same thing recently. And I can show my teammates’ nodes and, you know, see that overlap. So the lines here represent various users, and so I can drill in and see what is the user that overlapped. Wayne Peterson from the team, he’s been searching some of the same data that I’ve been searching. And then we can also, like I showed briefly before, look at that history. So not only has Wayne been searching it, but other folks have been searching it too. And I can see it goes back to August of this year.
Actually, it might go back even further. Let’s see. That’s the last thirty days. Let me look at the last year. Oh, yeah. So demo examples here, going back all the way a year here. I cherry-picked. So we have over 200 integrations, but I tried to grab a bunch of the logos from integrations that are more kind of your internal, not necessarily your threat intel data. So things like your various data repositories and SQL Servers, Redis, etcetera, things like SIEM, you know, Splunk, Securonix, Sumo Logic, Google SecOps, etcetera. There, you got your various TIPs. So we do, of course, have the integration with ThreatConnect from the Polarity to ThreatConnect side, but we also integrate with other TIPs as well. So it’s not limited to just ThreatConnect and other intel platforms. You have your various EDR systems and other tools, and, finally, your various ticketing systems and other tools there. It’s very easy for you to leverage the over 200 integrations already built. So this is our integration store, and you’re able to one-click install these onto the platform. And then it’s as simple as dropping in an API key, usually, for most integrations, and then you get to query those systems. Very quick setup, very easy setup. This does not involve, you know, building complex queries or an ETL process. Really, really simple to deploy Polarity and configure it. If you wanna configure custom integrations to, you know, your own API tools, also, we have a whole framework for doing that. And with that, I’ll bring it over to Q&A.

James Maguire:
Alright. We got some questions. Interesting presentation, Paul. Alright. So here’s one I think is probably on everyone’s mind. Can I build custom integrations?

Paul Battista:
Yeah. So to build a custom integration with Polarity, it’s pretty simple. You define three things. The type of data that you wanna recognize. So examples I gave during this presentation were user ID, IP address, file hash, CVE. But you can do something completely custom. You can define a regular expression to describe the data. So that’s step one. Step two of building an integration is the action to take. This is usually connect out to an API and run a search, but it could be submit data somewhere. Really, it’s up to you. Anything you can do in JavaScript, really Node JavaScript, you can do with a Polarity integration. And then the third thing you define is what to display in that window, both the summary view and the detailed view, what data is useful to the team member, to the analyst, as they’re doing the work. Okay. An example of a couple of integrations that I didn’t show but really demonstrate the flexibility of the platform. The simplest integration is probably a conversion, an epoch time converter. So when you have an epoch Linux time on your screen, which just looks like a long number, it converts it over to human readable, converts time zones automatically. That integration took fifteen, twenty minutes to build, versus an integration like, we have an integration with CyberChef. If you use CyberChef, this is like a decoder ring built by GCHQ, the UK government. That integration took a week plus to build, but that allows you to do all sorts of encoding and decoding and manipulation of data, very robust built-in integration. So there’s two kinda ends of the scale. It can be as simple as fifteen minutes to build something or maybe a week. Usually, it’s a few hours. Alright.

James Maguire:
Here’s another question. How does Polarity differ from TIP browser plug-ins?

Paul Battista:
Good question. So, first off, we do have a plug-in. So Polarity does have a browser plug-in. I did not demo it, but we do have that, and even that plug-in is very different than your TIP browser plug-in. So your TIP browser plug-in typically queries just the one TIP, and it usually, you know, brings back data from that single platform. So Polarity from the beginning has always been about bringing data back from all the various tool sources, not just threat intel data, but other data sources as well, and fusing that into that common UI that I showed. So those are kinda some of the key differences on, you know, just our plug-in, a Polarity plug-in versus a TIP browser plug-in. Now when you extend that out to, well, what about the Polarity client versus the browser plug-in? Well, the Polarity client allows you to work outside of a browser. So you can go and use tools like Wireshark or IDA Pro or Ghidra or, you know, the command line, anywhere you could possibly go. Even detonating malware inside of a VM, Polarity will run right on top of that, and your browser plug-in is typically not gonna work in that type of environment.

James Maguire:
Are you talking about this one, but I still think it’s a good question. Uh, how easy is it to set up integrations from Polarity to other tools?

Paul Battista:
Yeah. So, um, it’s typically as simple as dropping in an API key. Uh, it really depends on the tool, but most integrations are that simple. Uh, one-click install, configure which users should have access, and then put in an API key if it’s a shared API key. If it’s not a shared API key, then each user will drop in their own credentials, username and password, or an API key depending on the system. Um, the integrations that are a little more complex but still not very complex at all would be an example like the Splunk integration. The Splunk integration, our customers install multiple of them, uh, by design. So they might, for every query they wanna run, install an integration, and then they configure that query there. So the analyst, the team doesn’t need to go run a query, um, you know, manually in the Splunk UI. Uh, it’s preconfigured, um, to run. So that takes a little bit longer to set up, but I’m talking, you know, minutes to set up, especially if you have the queries that are most popular for your team to run.

James Maguire:
Uh, does Polarity offer different user access levels within the organization?

Paul Battista:
Yes. So we have full role-based access control, um, you know, group-level access. So if you have different teams with different, um, permissions and different access, you can configure that in Polarity.

James Maguire:
Alright. One last question. Uh, does Polarity do any caching or optimizations for datasets that have API limits?

Paul Battista:
We do. So, uh, many of the integrations might have some throttling built in, um, but at the high, uh, high-level perspective, we have robust caching built into the platform. So anyone building an integration or using our current integrations, uh, doesn’t have to worry about caching. You can set, uh, TTLs on whether a result came back. So if you have a result, set the TTL, or you can set a different TTL if there’s a miss. So you ran a search and you didn’t get any results back, you might want a different TTL because you might wanna, you know, check the authoritative system sooner. Um, some systems like, um, let’s say, Shodan as an example, you might set a higher TTL because they scan the Internet every two weeks, so you don’t need a very short TTL. But maybe a VirusTotal integration, you might wanna have a shorter TTL because, you know, different binaries are going in there on a daily basis. So, uh, highly configurable. Um, it could be a shared cache or not. So oftentimes, if, uh, if the application of the system allows, um, you might share a cache across the team and then save on API lookups.

James Maguire:
Alright. Paul, thanks for the presentation. There’s a lot of good material. Uh, and to everyone attending, thank you so much for your time and attention. I remind you that the webinar is being recorded, and we’ll be sending it out to you in the next twenty-four hours. Thanks again, and have a great day.

Paul Battista:
Thank you, James. Appreciate it. Thanks, everyone.
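The integration model described in the Q&A above (a regular expression for what to recognize, an action to take, and a summary plus details view to display) together with the hit-versus-miss TTL caching from the last answer, sketched below as an added example. This is not Polarity's SDK or any ThreatConnect code: the entity patterns, the in-memory "backend" and its data, the class names and the TTL values are all assumptions made for the illustration, and the lookup is kept synchronous so the example runs with no network access.

```javascript
// Added example, not Polarity's SDK: the three parts of an overlay
// integration (what to recognise, what action to take, what to display)
// plus a shared result cache with separate hit and miss TTLs.
// All patterns, data and names below are assumptions made for the example.

// (1) What to recognise: one regular expression per entity type.
const ENTITY_TYPES = {
  ipv4: /\b(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}\b/g,
  sha256: /\b[a-f0-9]{64}\b/gi,
  cve: /\bCVE-\d{4}-\d{4,}\b/gi,
  epoch: /\b1[5-9]\d{8}\b/g, // 10-digit Unix seconds (mid-2017 to 2033)
  userId: /\bu-\d{5,}\b/g,   // hypothetical internal user-ID format
};

function recognizeEntities(text) {
  const found = [];
  for (const [type, re] of Object.entries(ENTITY_TYPES)) {
    for (const m of text.matchAll(re)) found.push({ type, value: m[0] });
  }
  return found;
}

// (2) Actions. Epoch conversion needs no backend; IP reputation stands in
// for an API call. A real action would be async; it is synchronous here so
// the example runs without I/O.
function epochToIso(value) {
  return new Date(Number(value) * 1000).toISOString();
}

class ConstructedBackend {
  constructor() {
    this.calls = 0; // counts round trips, i.e. API quota consumed
    this.data = { '10.0.0.5': { verdict: 'malicious', lastSeen: '2024-05-01' } }; // made-up data
  }
  lookupIp(ip) {
    this.calls += 1;
    return this.data[ip] ?? null; // null = authoritative "no record"
  }
}

// Shared result cache. A miss (null) is cached too, but with its own, usually
// shorter, TTL so the authoritative system is re-checked sooner.
class ResultCache {
  constructor({ hitTtlSec, missTtlSec, now = () => Date.now() }) {
    this.hitTtlSec = hitTtlSec;
    this.missTtlSec = missTtlSec;
    this.now = now;
    this.entries = new Map();
  }
  get(key) {
    const e = this.entries.get(key);
    if (!e || e.expires <= this.now()) {
      this.entries.delete(key);
      return undefined; // undefined = not cached; null = cached miss
    }
    return e.result;
  }
  set(key, result) {
    const ttl = result === null ? this.missTtlSec : this.hitTtlSec;
    this.entries.set(key, { result, expires: this.now() + ttl * 1000 });
  }
}

// (3) The integration ties the parts together and renders summary tags for
// the overlay plus a details object for the expanded view.
class IpReputationIntegration {
  constructor(backend, cache) {
    this.backend = backend;
    this.cache = cache;
  }
  run(entity) {
    const key = `${entity.type}:${entity.value}`;
    let result = this.cache.get(key);
    if (result === undefined) {
      result = this.backend.lookupIp(entity.value);
      this.cache.set(key, result);
    }
    return result === null
      ? { summary: ['no record'], details: null }
      : { summary: [result.verdict], details: { ip: entity.value, ...result } };
  }
}

// Walk-through with a fake clock so TTL expiry is deterministic.
function demo() {
  const clock = { t: 0 };
  const backend = new ConstructedBackend();
  const cache = new ResultCache({ hitTtlSec: 3600, missTtlSec: 60, now: () => clock.t });
  const integ = new IpReputationIntegration(backend, cache);
  const known = { type: 'ipv4', value: '10.0.0.5' };
  const unknown = { type: 'ipv4', value: '192.0.2.9' };
  const first = integ.run(known); // backend call 1
  integ.run(known);               // served from cache
  const miss = integ.run(unknown); // backend call 2; the miss is cached
  clock.t += 61 * 1000;           // past the miss TTL, inside the hit TTL
  integ.run(unknown);             // backend call 3: miss expired
  integ.run(known);               // still cached, no call
  return { first, miss, backendCalls: backend.calls };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two TTLs are the point: a cached "no record" answer would otherwise hide a hash or IP that the authoritative source learns about an hour later, while a cached hit can safely live for as long as the source's own refresh cycle. Because the cache is keyed only on entity type and value, one instance can be shared across a team when the backend's licensing allows it, which is where the API-quota savings come from.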

 
Enterprises need to harness their internal intelligence effectively. Whether it’s for a SOC, a threat-hunting team, or any other cyber analysts, empowering your defenses is crucial. That’s where Polarity by ThreatConnect comes in. Often, knowledge and data are scattered across various systems; Polarity consolidates them into one cohesive view.

Polarity is a federated search, correlation, and analysis tool designed for security operations teams. It enhances analysts’ capabilities with a unified view of real-time aggregated information from diverse data sources. Polarity seamlessly overlays on any interface, unifying results into a single, coherent view. Unlike similar products where users scroll through endless search results, Polarity offers a customizable summary that highlights key information, thereby enhancing decision-making for users and analysts of all experience levels.

Agenda:

  • Go from dozens of browser tabs to one unified view to work smarter and more efficiently.
  • Analyze new threat intel faster.
  • Increase your teams’ efficiency and effectiveness, reducing the need for additional resources.
  • Maximize your company’s internal intel sources to better defend against threats.

Speaker:
Paul Battista
CEO and co-founder of Polarity.io
Paul Battista is the CEO and co-founder of Polarity by ThreatConnect. Before Polarity, Paul was an intelligence officer for the United States Government and participated in all elements of the intelligence cycle, from planning operations through dissemination to senior policymakers in the White House. Before his government service, Paul was a senior engineer for Aetna Inc., a penetration tester, and an incident responder for multiple Fortune 100 customers. Paul earned his B.S. in Economic Crime Investigation with a concentration in Computer Security from Utica College of Syracuse University.