Visualising Security Data : SCCM patching traffic flows

Posted on March 3, 2014

I have been experimenting a little recently with visualisation of security data.

We have had some challenges with SCCM and needing to understand which clients were connecting to which servers, where and why. This data seemed very hard to come by and after some discussions with some helpful Microsoft South Africa folk the service provider pulled the IIS logs from most of our SCCM Primary Servers and the Distribution Points.

I then added in a Destination column (being the server from which the log was pulled) and combined the logs from all of the servers (6 Primary and 6 Distribution). In MS Access I then summarised the data by source and destination pairs, providing 13952 connections. This was exported as a CSV and headings added in using Notepad (Gephi wouldn’t read the data file without headings named to its liking).

The data was then loaded into Gephi as edge data. I then searched for each of the 12 servers in the node table, added in a Label, changed the colour and size (Red 30 for Primary Blue 20 for secondary), selected the Force Atlas option and let it plot my data. The 13 546 nodes and 113952 were then plotted providing the graph below (when exported as PDF).

The graph was somewhat unexpected in that I did not foresee so many of the workstations being served from Primary servers nor so many devices receiving data from multiple servers. A few of the DP’s (top and bottom of screen) clearly are not serving the numbers of workstations we would expect and need deeper investigation.

While Excel cross tabs and more detailed access queries provide more detailed insight into what is going on this visualisation very quickly demonstrates a very different picture to which the service provider running the SCCM infrastructure had been describing.

Have you done anything similar? Please do share.


Map of SCCM links using Gephi

Map of SCCM links using Gephi


Download the PDF version here :  map of sccm v2


Tags: , , , ,

Categories: Data Analytics, Security

3 Responses

  1. Barend:

    Very interesting. Definitely a nice way to visualise security data. I will do some research and see if software like Splunk and Solera deepsee can provide similar visualisations.

    08.04.2014 12:11 Reply

  2. Brian:

    Clarified boundary definitions are needed to resolve this.

    06.03.2014 10:56 Reply

    • Justin:

      Agreed it is most likely part of the solution, I am yet to be convinced that boundary definitions are the only fix required.

      16.03.2014 08:07 Reply

Leave a Reply

%d bloggers like this: