Agentless network-traffic mapping and security tool
System Architecture Mapper (SAM) is an agentless interactive network-traffic mapping and security tool.
It is designed for three main tasks:
SAM can solve many problems. When nobody really knows how your legacy system is connected, SAM can provide a map of which machines are talking to which others. During an acquisition, merger, or migration, SAM can catalogue active IT assets and how they’re connected to allow changes to take place from a fully informed viewpoint. SAM can give you immediate feedback on suspicious traffic, attacks, and other anomalous traffic.
The security dashboard shows you alerts that have been triggered on traffic that SAM has ingested. Each alert is marked with a severity and, depending on the source of the alert, may be accompanied by an email or even an SMS message. Each alert also carries extended details that describe the traffic that triggered it and what happened.
Rules are a way to manually flag specific types of traffic. For example, if you know that a particular host is compromised, or if Alice shouldn't be talking to Bob on port 3306, then rules are the way to go. Rules are either applied immediately when traffic arrives, or periodically in quantized time chunks, depending on what the rules are measuring.
Anomaly detection flags traffic that differs from normal traffic. It allows your system to detect traffic situations that you hadn't thought of, or even identify attacks that haven't been documented in traditional rule-based systems. Over time the plugin learns how your network typically acts and responds. Based on feedback you provide to the plugin by accepting or rejecting its warnings, it continues to learn and refine its algorithm to reliably and smartly identify traffic that you'll want to be alerted to. The anomaly detection plugin is available only as part of a subscription package for SAM.
SAM’s map is the main view into your network. It depicts a network by grouping the hosts into subnets at /8, /16, and /24, and arranging them in a 16x16 grid. Connections formed between hosts are drawn as arrows pointing from source to destination, or to a specific port when zoomed in fully.
The map allows for filtering by ports or time periods, searching for a host or subnet, and turning the visibility of client and server nodes on and off.
By selecting a node in the map you can see extra information about it, including the ability to rename it, or follow a link to the complete host information.
Different protocols are shown with colored links (blue TCP, red UDP) and connections that get more use (connections, bits, packets) are drawn thicker.
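The roll-up the map performs can be sketched as follows. This is an added example, not SAM's own code: the function names, the sample flows, and the octet-to-cell layout (row = octet // 16, column = octet % 16) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows (src, dst, dst_port, protocol, bytes); not real traffic.
SAMPLE_FLOWS = [
    ("10.20.30.40", "10.20.31.5", 3306, "TCP", 1200),
    ("10.20.30.41", "10.20.31.5", 3306, "TCP", 800),
    ("10.20.30.40", "192.168.1.53", 53, "UDP", 90),
    ("172.16.4.9", "10.20.31.5", 443, "TCP", 5000),
]

def subnet_of(ip, prefix):
    """Return the /8, /16, /24 (or /32 host) network containing an IPv4 address."""
    if prefix not in (8, 16, 24, 32):
        raise ValueError("prefix must be 8, 16, 24 or 32")
    addr = ipaddress.IPv4Address(ip)  # raises on IPv6 or malformed input
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def grid_cell(network):
    """Assumed layout: the last significant octet selects (row, col) in a 16x16 grid."""
    octet = network.network_address.packed[network.prefixlen // 8 - 1]
    return divmod(octet, 16)

def aggregate_links(flows, prefix):
    """Roll host-to-host flows up to subnet-to-subnet links at one zoom level."""
    links = defaultdict(lambda: {"connections": 0, "bytes": 0})
    for src, dst, _port, proto, nbytes in flows:
        key = (str(subnet_of(src, prefix)), str(subnet_of(dst, prefix)), proto)
        links[key]["connections"] += 1  # heavier links would be drawn thicker
        links[key]["bytes"] += nbytes
    return dict(links)

if __name__ == "__main__":
    for level in (8, 16, 24):
        print(f"--- zoom level /{level} ---")
        for (src, dst, proto), stats in aggregate_links(SAMPLE_FLOWS, level).items():
            cell = grid_cell(ipaddress.ip_network(dst))
            print(f"{src} -> {dst} [{proto}] {stats} dst cell={cell}")
```

At /8 the two MySQL flows collapse into a single 10.0.0.0/8 self-link, which is why drilling down to /24 is needed before a specific source subnet stands out.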
The Table View provides information on groups of hosts, with aggregate information about the links between them. It transforms the network data into a spreadsheet view to isolate the hosts and subnets that have the properties you’re looking for.
The Table View has the most sophisticated filtering capabilities and allows you to search and sort all nodes based on highly customizable criteria such as environment (production vs. dev), role as a client or server, and user-defined tags.
Replicating what you can do in dedicated spreadsheet software is not the goal of SAM, so all data is downloadable in CSV format for use in any other spreadsheet software.
Host Details provides all the available information on an individual host and allows you to add more information. Host information covers tags, environment, alias, incoming and outgoing connections, ports used, and (for subnets) active child nodes.
For a specific host you can:
SAM can be configured to send syslog data directly (and securely!) to the cloud and makes that data available immediately. You can watch your network map fill up as new data is added. This would allow you to use the most up-to-date information possible in the fewest steps. Fewer steps means a simple workflow, fewer mistakes, and faster results.
The data used by SAM is currently limited to IPv4.
SAM is fully capable of importing data from Palo Alto syslog files, tcpdump streams, and nfcapd binary files, and has basic support for several other formats including Cisco ASA, AWS VPC Flow, and TShark. Creating an importer for your own log files is quite simple and there are many examples to guide you through it.
SAM supports MySQL and SQLite database options, with higher performance from MySQL.