SCOT – Sandia Cyber Omni Tracker
The Sandia Cyber Omni Tracker (SCOT) is a cyber security incident response management system and knowledge base. Designed by cyber security incident responders, SCOT provides a new approach to manage security alerts, analyze data for deeper patterns, coordinate team efforts, and capture team knowledge.
SCOT integrates with existing security applications to provide a consistent, easy to use interface that enhances analyst effectiveness.
SCOT was developed at Sandia National Laboratories for by and for the Incident Response team over a period of several years. We’re making SCOT open source to try and help out the rest of the computer security community.
Why use SCOT?
SCOT was developed by incident responders for incident responders to make our jobs easier.
- Free text HTML (no hunting for the right field)
- Designed for Cyber Security data
- Instant updates keep the team in sync
- Automated detection/correlation of IPs, Email addresses, Domains and Hashes
- Integrated offline GeoIP databases
- Alert collection and standardization
- Plugin infrastructure for automation
- And much more
The number of alerts Sandia’s IR team has seen has nearly doubled in the past several years. SCOT enabled the team to keep up with this increase without adding additional team members. As a training tool, new team members started contributing in weeks, instead of months. In just over 4 years SCOT has amassed a database of over 700K indicators from analyst and alert input. These indicators help the team spot an adversary’s methods and tactics, as well as highlighting common targets within the enterprise. SCOT, processed over 1.6 million alerts since deployment, while maintaining 99.9% availability, and required minimal administration. SCOT is fully scalable to meet higher loads.
Sandia’s incident response team realized several advantages using SCOT over other solutions. SCOT’s ease of use eliminated the steep learning curve of traditional SIEMS and captured team knowledge much more effectively. Designed for cyber security, SCOT allows the IR team to enter data easily, instead of struggling to conform to a ticketing system designed for other purposes. While workflow systems handle linear workflows easily, SCOT is purpose built for the looping nature of cyber security investigations. SCOT also solves the challenges of keeping wikis, spreadsheets and documents up-to-date and accessible to an IR team. While top-notch analysts may be able to keep everything in their brains, SCOT will capture their knowledge for when they go on vacation or to other employment.
Minimum System Requirements
- Ubuntu 14.04 LTS, 16.04 LTS, or CentOS 7.
- 2 Quad Core CPU
- 16 GB RAM
- 1 TB Disk
Note: Requirements are for production use. It is quite possible to run SCOT in a small VM for testing or demonstration purposes. Your VM should have access to at least 4 GB of RAM in this case.