Introduction
TL;DR
SCOT collects cyber alerts and raw intelligence into a single platform where analysts can triage, document, enrich, and track and coordinate their activities. Its goal is to make teams more effective by encouraging data sharing, coordination, and documentation of their efforts to keep their enterprise safe.
The Challenge
Working in cyber security is a dynamic and often unpredictable process. What starts out as a simple alert or new vulnerability notice may lead a team down a rabbit hole full of surprises. At each step, your team of analysts is discovering new data, analyzing new threats, performing notifications, coordinating remediation, and designing new defenses. Capturing this activity and sharing it with the team, while increasing each member's effectiveness, is the challenge that SCOT was built to overcome.
The Sandia Cyber Omni Tracker (SCOT) is a cyber security incident response and threat intelligence management platform, designed and developed by cyber security practitioners. SCOT provides a novel approach to coordinate the team’s efforts while capturing the knowledge gained by the team. Providing the tools to accept alerts from your detection infrastructure, analyze that data for deeper patterns, take automated actions, and provide a variety of functions that enhance a cyber security team’s effectiveness, SCOT keeps your team in sync with minimal effort.
Need
Many advanced cyber security teams have a variety of tools and systems to detect, collect, and analyze cyber security data. These systems, while solving pieces of the puzzle, often fail to give the analyst a holistic view of their current state and of their response to cyber events. Teams often try to fill that gap with ticketing systems, which frequently lack the flexibility to accommodate the elliptical nature of investigating cyber events and threats. Research and work product of the teams are often stored in various hard-to-integrate locations. Critical "tribal knowledge" can go on vacation or take other positions. Without a ready corpus of past examples, training new team members becomes a lengthy process. Each additional tool brought in to address these deficiencies adds to the cognitive load of an already over-tasked team.
Approach
SCOT's approach focuses on removing the friction between analysts and their tools. It enables analysts to document and share their response and research efforts and makes them easily discoverable by others. Automated actions enhance each member's effectiveness. Real-time updates to all users keep the team in sync and prevent costly rework. SCOT automatically discovers connections between events and highlights them, allowing the team to discover and detect advanced adversaries. Centralization of data reduces the context switching necessary to formulate a holistic view of your cyber defense activities.
Benefit
We have seen many benefits since developing and using SCOT. Over the years, we have faced a rising tide of cyber events, and SCOT has helped us manage that rise and identify ways for our defense to stay ahead. Using SCOT as a training tool, new team members begin contributing in weeks, not months. SCOT's automated IOC detection tracks millions of indicators and presents them in ways that help the team spot adversaries' methods and tactics. By centralizing our alert processing, we are able to easily distribute alert triage, preventing burn-out. As an open platform, SCOT is easily adaptable and can grow to meet new challenges.
Competition
Compared to other solutions, SCOT excels in several areas. Designed to be flexible and easy to use, SCOT eliminates the steep learning curve of traditional SIEMs. SCOT makes it easy for analysts to enter data and to discover needed knowledge, so knowledge capture occurs organically, without prodding and without the myriad of fields and pull-downs of a ticketing system. SCOT is simple to install and requires minimal maintenance, and as an open source product it provides an excellent ROI.
Why Use SCOT?
- Designed to be easy to use, learn, and maintain.
- Real-time updating keeps the team in sync and efforts coordinated.
- Automated detection and correlation of a growing list of common cyber security indicators such as IP addresses, domain names, file hashes, and email addresses.
- Alert centralization from a wide variety of security systems.
- Extensible infrastructure to allow additional automated processing.
- Full-text searchable knowledge base that allows the entire team to easily discover and learn from past cyber security events.
- Open Source. Hack it up to meet your needs. (Please share!)
Quotes from SCOT Users
- SCOT just works and never slows me down.
- I'm putting more and more of my investigation notes into SCOT. It has paid off tremendously for me and helped me discover several non-obvious patterns.
- Aside from my email client, it’s the one application that is always on my screen.
- Give up SCOT? I’d leave incident response first!