SAM

Agentless network-traffic mapping and security tool

What is SAM?

System Architecture Mapper (SAM) is an agentless interactive network-traffic mapping and security tool.

It is designed for three main tasks:

  1. to visually depict how different nodes interact on a network, based on a log of connections formed over a period of time: SAM helps you visualize your network as a graph of endpoints, connections, and ports to provide a high-level view. Designed with a system architect’s needs in mind, SAM consolidates information about the health and connectivity of a network and gives you a source of truth for how your system is actually operating.
  2. to compile an inventory and detailed host information on your IT assets: SAM compiles a spreadsheet inventory of your IT assets. You can drill down into this data set with advanced filters and sorting, or download all the data as CSV to manipulate in a dedicated spreadsheet program. The metadata page lets you see the fine details about a specific host or subnet in your network. These analysis tools give you the concrete numbers you need to make informed decisions.
  3. to flag suspicious network traffic by applying security rules and machine learning: SAM lets you create security rules that trigger alerts and emails, and it learns your network architecture to identify suspicious traffic. When you give feedback on the warnings SAM suggests, it continues to learn and identifies suspicious traffic more accurately.

SAM addresses several common problems. When nobody really knows any more how a legacy system is connected, SAM provides a map of which machines are talking to which others. During an acquisition, merger, or migration, SAM catalogues the active IT assets and how they’re connected, so changes can be made from a fully informed viewpoint. SAM gives you immediate feedback on suspicious traffic, attacks, and other anomalous traffic.

Security Dashboard

The security dashboard shows you alerts that have been triggered on traffic that SAM has ingested. Each alert is marked with a severity and, depending on the source of the alert, may be accompanied by an email or even an SMS message. Each alert carries extended details that describe the traffic that triggered it and what happened.

Rules are a way to manually flag specific types of traffic. For example, if you know that a particular host is compromised, or if Alice shouldn't be talking to Bob on port 3306, then rules are the way to go. Rules are either applied immediately as each connection arrives, or periodically over quantized time chunks, depending on what the rule measures: a property of a single connection can be checked at once, while a count or rate only exists over a window.

Anomaly detection flags traffic that departs from what the system has learned to be normal. It lets you detect traffic situations you hadn't thought of, and even identify attacks for which no rule has been written in a traditional rule-based system. Over time the plugin learns how your network typically acts and responds. Based on the feedback you give by accepting or rejecting its warnings, it continues to learn and refine its model so that it reliably identifies the traffic you want to be alerted about. The anomaly detection plugin is available only as part of a subscription package for SAM.
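The following is an added, self-contained illustration of the three alert sources described in this section (immediate rules, periodic rules over time chunks, and a learned baseline with analyst feedback). It is example code written for this page, not SAM's rule engine or anomaly plugin; the connection-record layout, the hypothetical hosts (10.0.1.9 standing in for Alice, 10.0.2.8 for Bob, 10.0.3.3 as a known-compromised host), the 60-second chunk size and the "more than four ports" threshold are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample connection log (not real traffic): one connection per line as
# "<epoch seconds> <src> <dst> <dst port> <protocol>". The record layout is an
# assumption for this example; it is not SAM's ingest format.
SAMPLE_LOG = """\
1000 10.0.1.5 10.0.2.7 443 tcp
1003 10.0.1.5 10.0.2.7 443 tcp
1010 10.0.1.9 10.0.2.8 3306 tcp
1020 10.0.1.5 10.0.2.7 443 tcp
1100 10.0.1.9 10.0.2.7 443 tcp
1105 10.0.3.3 10.0.2.7 22 tcp
1106 10.0.3.3 10.0.2.7 23 tcp
1107 10.0.3.3 10.0.2.7 25 tcp
1108 10.0.3.3 10.0.2.7 80 tcp
1109 10.0.3.3 10.0.2.7 8080 tcp
1110 10.0.3.3 10.0.2.7 8443 tcp
"""


@dataclass(frozen=True)
class Conn:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str


def parse(text):
    """Parse the sample format; malformed lines are dropped rather than aborting the ingest."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        conns.append(Conn(int(ts), src, dst, int(dport), proto))
    return conns


# --- Rules applied immediately, one connection at a time -------------------------
ALICE, BOB = "10.0.1.9", "10.0.2.8"       # hypothetical hosts for the README's Alice/Bob example
COMPROMISED = {"10.0.3.3"}                # hypothetical known-compromised host

IMMEDIATE_RULES = [
    # (rule name, severity, predicate over a single connection)
    ("alice-to-bob-mysql", "high",
     lambda c: c.src == ALICE and c.dst == BOB and c.dport == 3306),
    ("compromised-host", "critical",
     lambda c: c.src in COMPROMISED or c.dst in COMPROMISED),
]


def apply_immediate(conns, rules=IMMEDIATE_RULES):
    """Every rule is checked against every connection as it arrives."""
    return [(name, sev, c) for c in conns for name, sev, pred in rules if pred(c)]


# --- Rules that need a window: evaluated per quantized time chunk -----------------
def apply_periodic(conns, chunk=60, max_ports=4):
    """Flag a source that touches more than max_ports distinct ports on one
    destination inside a single chunk-second bucket. A sweep is invisible in any
    one connection, which is why this rule has to run over a window."""
    ports = defaultdict(set)
    for c in conns:
        ports[(c.ts // chunk * chunk, c.src, c.dst)].add(c.dport)
    return [("port-sweep", "medium", key, sorted(ps))
            for key, ps in sorted(ports.items()) if len(ps) > max_ports]


# --- Baseline anomaly detection with analyst feedback -----------------------------
class Baseline:
    """Learns the (src, dst, dport) triples that make up normal traffic and warns on
    triples it has never seen. Rejecting a warning ("expected") teaches the baseline
    that the triple is normal; accepting it ("suspicious") keeps it flagged."""

    def __init__(self):
        self.known = set()
        self.verdicts = {}

    def learn(self, conns):
        for c in conns:
            self.known.add((c.src, c.dst, c.dport))

    def review(self, conns):
        new = {(c.src, c.dst, c.dport) for c in conns} - self.known
        return sorted(new)

    def give_feedback(self, triple, verdict):
        self.verdicts[triple] = verdict
        if verdict == "expected":
            self.known.add(triple)


if __name__ == "__main__":
    conns = parse(SAMPLE_LOG)
    for alert in apply_immediate(conns) + apply_periodic(conns):
        print(alert)
    baseline = Baseline()
    baseline.learn([c for c in conns if c.ts < 1050])   # learning period
    print(baseline.review([c for c in conns if c.ts >= 1050]))
```

On the constructed log the immediate rules fire once for Alice-to-Bob on 3306 and six times for the compromised host, the periodic rule fires once for the six-port sweep in the 1080-1139 bucket, and the baseline warns on every triple it did not see during the learning period until an analyst rejects one of the warnings. The point to carry over to a real deployment is that a baseline only covers what was ingested during learning: traffic that never reached the collector is not "normal", it is simply unseen.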

Three views into your network

Map

The main view into your network, SAM’s map depicts a network by grouping the hosts into subnets at /8, /16 and /24, and arranging them in a 16x16 grid. Connections formed between hosts are drawn as arrows pointing from source to destination, or to a specific port when zoomed in fully.

The map allows for filtering by ports or time periods, searching for a host or subnet, and turning the visibility of client and server nodes on and off.

By selecting a node in the map you can see extra information about it, including the ability to rename it, or follow a link to the complete host information.

Different protocols are shown with colored links (blue TCP, red UDP) and connections that get more use (connections, bits, packets) are drawn thicker.
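As an added example of the grouping this section describes (hosts rolled up into /8, /16 and /24 subnets, links weighted by connections, bits and packets, and the port-level view when fully zoomed in), the following Python is illustrative code written for this page, not SAM's map code. The record layout, the sample traffic, and the rule that places a subnet in the 16x16 grid (splitting the distinguishing octet into its high and low nibbles) are assumptions; the page only states that the grid is 16x16, not how cells are assigned.

```python
import ipaddress

# Constructed sample (not real traffic): "<src> <dst> <dst port> <proto> <packets> <bytes>".
# The last line is IPv6 on purpose, to show it being dropped.
SAMPLE = """\
10.1.1.5 10.2.3.7 443 tcp 40 52000
10.1.1.6 10.2.3.7 443 tcp 10 9000
10.1.1.5 10.2.3.9 53 udp 2 300
10.1.2.4 10.2.3.7 443 tcp 5 4000
192.168.0.9 10.2.3.7 22 tcp 30 20000
2001:db8::1 10.2.3.7 443 tcp 1 100
"""


def parse(text):
    """Return (src, dst, dport, proto, packets, bytes) tuples. Records that are not
    IPv4 on both ends are dropped, matching the README's IPv4-only statement."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) != 6:
            continue
        try:
            src, dst = ipaddress.ip_address(p[0]), ipaddress.ip_address(p[1])
        except ValueError:
            continue
        if src.version != 4 or dst.version != 4:
            continue
        rows.append((str(src), str(dst), int(p[2]), p[3], int(p[4]), int(p[5])))
    return rows


def subnet_of(ip, prefix):
    """Enclosing /8, /16, /24 (or /32 for the host itself) as a string."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def grid_cell(network):
    """(row, col) in a 16x16 grid. Assumed placement: the octet that distinguishes
    sibling subnets at this level (first octet for /8, second for /16, third for
    /24) is split into high and low nibbles, so 256 siblings fill 256 cells."""
    net = ipaddress.ip_network(network)
    octet = int(net.network_address).to_bytes(4, "big")[net.prefixlen // 8 - 1]
    return divmod(octet, 16)


def aggregate(rows, prefix, by_port=False):
    """Collapse hosts into subnets of the given prefix length and sum link usage.
    by_port=True keeps the destination port in the key (the fully zoomed-in view)."""
    links = {}
    for src, dst, dport, proto, packets, nbytes in rows:
        key = (subnet_of(src, prefix), subnet_of(dst, prefix)) + ((dport,) if by_port else ())
        agg = links.setdefault(key, {"connections": 0, "packets": 0, "bits": 0, "protocols": set()})
        agg["connections"] += 1
        agg["packets"] += packets
        agg["bits"] += nbytes * 8
        agg["protocols"].add(proto)
    return links


def heaviest(links, metric="connections"):
    """Links ordered by the chosen usage metric, i.e. thickest arrow first."""
    return sorted(links.items(), key=lambda kv: kv[1][metric], reverse=True)


if __name__ == "__main__":
    rows = parse(SAMPLE)
    for prefix in (8, 16, 24):
        for key, agg in heaviest(aggregate(rows, prefix)):
            print(prefix, key, agg, "dst cell:", grid_cell(key[1]))
```

Note what the /8 view hides: all four 10.x.x.x-to-10.x.x.x links collapse into a single self-loop on 10.0.0.0/8, which is why the /16 and /24 levels exist. Keeping the protocol set on each aggregated link is what lets a mixed TCP/UDP link be coloured correctly rather than by whichever record happened to arrive first.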

Table View

The Table View provides information on groups of hosts, with aggregate information about the links between them. It transforms the network data into a spreadsheet view so you can isolate the hosts and subnets that have the properties you’re looking for.

The Table View has the most sophisticated filtering capabilities and allows you to search and sort all nodes on highly customizable criteria such as environment (production vs. dev), role as client or server, and user-defined tags.

Replicating what you can do in dedicated spreadsheet software is not the goal of SAM, so all data is downloadable in CSV format for use in any other spreadsheet software.

Host Details

Host Details provides all the available information on an individual host and allows you to add more information. Host information covers tags, environment, alias, incoming and outgoing connections, ports used, and (for subnets) active child nodes.

For a specific host you can:

  • Add an alias to give the host a more memorable moniker, such as “Pacific Datacenter” or “Testing subnet.”
  • Add one or more tags with supplementary information. Some intended examples are things like “48GB” or “Project SAM.”
  • Set the host's environment: usually "production" or "dev", or leave it unset to inherit the environment of the enclosing subnet.

Live Feedback

SAM can be configured to send syslog data directly (and securely!) to the cloud, where it is made available immediately. You can watch your network map fill up as new data is added, so you are always working from the most up-to-date information in the fewest steps. Fewer steps means a simpler workflow, fewer mistakes, and faster results.

Support Capabilities

The data used by SAM is currently limited to IPv4.

SAM imports data from Palo Alto syslog files, tcpdump streams, and nfcapd binary files, and has basic support for several other formats including Cisco ASA, AWS VPC Flow, and TShark. Creating an importer for your own log files is quite simple and there are many examples to guide you through it.
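To show the kind of work an importer has to do, here is an added, stand-alone parser for one of the formats listed above, the AWS VPC Flow Logs default record (14 space-separated fields: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status). This is example code written for this page; it does not use SAM's importer interface, which is not shown here, and the account and interface IDs in the sample are made up. It handles the two cases that trip up naive parsers: NODATA/SKIPDATA records, whose address fields are "-", and IPv6 records, which the README says SAM does not ingest.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the AWS VPC Flow Logs default format (14 space-separated
# fields). Account and interface IDs are made up; the NODATA line shows the shape
# AWS emits when no traffic was seen in the window; the last line is IPv6.
SAMPLE_VPC_FLOW = """\
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.5 10.0.2.7 49152 443 6 20 4249 1418530010 1418530070 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.3.3 10.0.2.7 55000 22 6 3 180 1418530020 1418530025 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 - - - - - - - 1418530080 1418530140 - NODATA
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.9 10.0.2.8 40000 3306 6 12 2048 1418530090 1418530100 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 2001:db8::1 2001:db8::2 40001 443 6 1 100 1418530090 1418530100 ACCEPT OK
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}   # IANA protocol numbers


@dataclass(frozen=True)
class Conn:
    ts: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    nbytes: int
    action: str


def parse_vpc_flow_line(line):
    """One record -> Conn, or None when the record carries no usable connection.
    Raises ValueError on a line that is not a well-formed default-format record."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":          # NODATA / SKIPDATA: address fields are "-"
        return None
    src, dst = ipaddress.ip_address(rec["srcaddr"]), ipaddress.ip_address(rec["dstaddr"])
    if src.version != 4 or dst.version != 4:   # README: SAM's data is IPv4 only
        return None
    proto = int(rec["protocol"])
    return Conn(ts=int(rec["start"]), src=str(src), dst=str(dst),
                sport=int(rec["srcport"]), dport=int(rec["dstport"]),
                proto=PROTO_NAMES.get(proto, str(proto)),
                packets=int(rec["packets"]), nbytes=int(rec["bytes"]),
                action=rec["action"])


def import_vpc_flow(text):
    """Import a whole file. Returns (connections sorted by start time, skipped count).
    A single bad line is counted and skipped instead of aborting the import."""
    conns, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            conn = parse_vpc_flow_line(line)
        except ValueError:
            conn = None
        if conn is None:
            skipped += 1
        else:
            conns.append(conn)
    conns.sort(key=lambda c: c.ts)
    return conns, skipped


if __name__ == "__main__":
    conns, skipped = import_vpc_flow(SAMPLE_VPC_FLOW)
    for c in conns:
        print(c)
    print("skipped:", skipped)
```

Two caveats for anyone adapting this to real data: the field order above is the default format only, so a flow log created with a custom format needs FIELDS adjusted to match; and REJECT records are kept deliberately, because a connection blocked by a security group or network ACL is still an attempt worth seeing on a security dashboard, even though it never carried payload.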

SAM supports MySQL and SQLite database options, with higher performance from MySQL.

Questions?

Get in touch! We would be happy to answer any questions you have about SAM, how it can help you, and to find the best solution for your needs.

  • Email: info@riolet.com
  • GitHub project

Thank you for reading.