Cisco Secure, LiveAction, Splunk, and XDR integration for network analytics, telemetry, NetFlow, and packet capture

Figure 1. Security Insights architecture

How it works

As a LiveWire add-on accessible through the LiveNX UI, Security Insights operates natively in existing LiveNX and LiveWire environments, transforming network observability into actionable security intelligence. Using the same data that powers performance monitoring, it enables practical network detection without adding tools or complexity. By leveraging flow telemetry from LiveNX and packet-level analysis from LiveWire, Security Insights correlates these findings across all environments—LAN, WAN, SD-WAN, data center, and cloud—giving teams complete visibility into where and how threats emerge.

LiveWire provides deep forensic visibility by performing packet-level capture and analysis at the network edge. It captures full payloads, whether encrypted or cleartext, identifies traffic patterns, and reconstructs sessions. Encrypted payloads are retained as evidence but are not decrypted, so detections on TLS traffic rely on handshake metadata and flow behavior rather than on content. This capture-and-analysis process is called LiveFlow. The resulting LiveFlow records are sent to LiveNX, which aggregates and enriches them with the rest of the network traffic telemetry to detect anomalies. LiveNX collects flow data from NetFlow, IPFIX, sFlow, and Cisco high-speed logging and unified logging.

LiveNX’s centralized dashboard then displays these detected threats and traffic anomalies. Security Insights is open and standards-based, allowing for mapping to the Open Worldwide Application Security Project (OWASP) and MITRE ATT&CK frameworks and seamless integration with SIEM, SOAR, and XDR tools for coordinated response. If a detected threat is first seen in a SIEM or another security solution, security and network teams can leverage LiveNX and LiveWire for deeper investigation.

Both LiveWire and LiveNX are required components for Security Insights.

Use cases

This section outlines three real-world detection scenarios that demonstrate the benefits of using Security Insights.

Use case 1: Detecting anomalous Transport Layer Security activity

MITRE ATT&CK ID: T1571 – Non-Standard Port

A global logistics company experiences unexpected spikes in encrypted traffic on non-standard ports. Security Insights automatically detects this pattern as “Unexpected Encryption on IANA Reserved Port”, an indicator of possible tunneling used to hide command-and-control (C2) communications. Encryption on an unexpected port is not malicious by itself (many administrative interfaces use it), so the detection is the starting point of the workflow below rather than its conclusion.

Investigation workflow:

  1. Detection (Security Insights)
    • Detects a TLS handshake on port 8088, a port not normally used for secure communications.
    • Maps detection to MITRE T1571 and flags the event.
    • Cross-references with known IANA-reserved ports for validation and automatically alerts the security operations team.
  2. Analysis (LiveNX)
    • Visualizes affected subnets and identifies systems generating the anomalous traffic.
    • Correlates flow records across WAN and SD-WAN links, confirming the pattern is isolated to a single IoT gateway.
    • Detects recurring communication intervals—a hallmark of beaconing.
  3. Forensics (LiveWire)
    • Captures and inspects packets to confirm encrypted payloads.
  4. Response
    • Security operations team isolates the IoT gateway and blocks all outbound traffic on unauthorized ports.
    • Forensic data is exported to the SIEM for post-incident validation and compliance reporting.

Outcome: Early detection prevented malware from establishing C2 persistence, reduced time to detect from hours to minutes, and improved visibility into encrypted traffic without decryption overhead.
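The detection and analysis steps above (TLS on an unexpected port, then a check for regular communication intervals) can be expressed as a small piece of flow analytics. The block below is an added example written for this page, not LiveAction or Security Insights code. The flow records are constructed and mimic the fields a flow collector exports (source, destination, destination port, session start time, and whether a TLS ClientHello was observed); the expected-port set, the minimum session count and the jitter threshold are assumptions chosen for illustration.

```python
"""Detection logic for use case 1: TLS on a non-standard port plus beaconing.

Added example, not LiveAction/Security Insights code. The flow records below are
constructed and mimic the fields a LiveFlow/NetFlow collector would export.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Ports where TLS is expected; a TLS handshake on any other port is flagged (assumption).
EXPECTED_TLS_PORTS = {443, 465, 636, 853, 993, 995, 8443}
MITRE_NON_STANDARD_PORT = "T1571"

# Beaconing heuristic (assumption): at least MIN_SESSIONS sessions to the same
# destination whose inter-arrival jitter (stdev / mean) is at most MAX_JITTER.
MIN_SESSIONS = 4
MAX_JITTER = 0.2


def tls_on_unexpected_port(flows):
    """Return flows carrying a TLS handshake on a port not in EXPECTED_TLS_PORTS."""
    return [f for f in flows if f["tls"] and f["dst_port"] not in EXPECTED_TLS_PORTS]


def beacon_score(timestamps):
    """Return (mean_interval, jitter) for a series of session start times, or None
    when there are too few sessions to judge. Lower jitter = more regular = more
    beacon-like."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    if len(intervals) < MIN_SESSIONS - 1:
        return None
    m = mean(intervals)
    return m, (pstdev(intervals) / m if m else 0.0)


def detect(flows):
    """Group anomalous-port TLS flows by (src, dst, port) and score each group for beaconing."""
    groups = defaultdict(list)
    for f in tls_on_unexpected_port(flows):
        groups[(f["src"], f["dst"], f["dst_port"])].append(f["start"])
    findings = []
    for (src, dst, port), starts in groups.items():
        finding = {"src": src, "dst": dst, "dst_port": port, "sessions": len(starts),
                   "technique": MITRE_NON_STANDARD_PORT, "beaconing": False}
        score = beacon_score(starts)
        if score:
            interval, jitter = score
            finding.update(interval_s=round(interval, 1), jitter=round(jitter, 3),
                           beaconing=jitter <= MAX_JITTER)
        findings.append(finding)
    return findings


# Constructed sample: an IoT gateway (10.20.5.7) opening TLS to an external host on
# 8088 roughly every 300 s, plus a workstation with one TLS session on 8088, one on
# 443, and one non-TLS session on 8088. Timestamps are seconds from an arbitrary origin.
SAMPLE_FLOWS = [
    {"src": "10.20.5.7", "dst": "198.51.100.23", "dst_port": 8088, "start": t, "tls": True}
    for t in (0, 301, 599, 902, 1199)
] + [
    {"src": "10.20.9.14", "dst": "203.0.113.9", "dst_port": 8088, "start": 50, "tls": True},
    {"src": "10.20.9.14", "dst": "203.0.113.9", "dst_port": 443, "start": 60, "tls": True},
    {"src": "10.20.9.14", "dst": "203.0.113.9", "dst_port": 8088, "start": 700, "tls": False},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_FLOWS):
        print(finding)
```

Only the gateway's group reaches the session count needed for a beaconing verdict; the workstation's single TLS session on 8088 is still reported under T1571, but without the beaconing flag, which is the distinction the analysis step in LiveNX is meant to draw before anyone isolates a device.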

Security Insights dashboard displaying top source and destination IPs, ports, severities, sources, and findings over time

Figure 2. Security Insights summary dashboard and detail view in LiveNX

Use case 2: Proactive threat hunting with threat intel indicators

MITRE ATT&CK ID: T1102 – Web Service

A financial institution’s threat intelligence feed reports suspicious domains associated with a recent C2 infrastructure campaign. Using Security Insights, the security team proactively hunts across their hybrid network for any evidence of contact with those domains.

Investigation workflow:

  1. Detection (Security Insights)
    • Imports threat intelligence indicators of compromise from an external feed and maps them to MITRE T1102.
    • Performs a network-wide correlation using flow telemetry to identify outbound communications to suspicious domains.
    • Flags multiple endpoints contacting the domain app-sync-storage[.]net, classified as a potential C2 web service.
  2. Analysis (LiveNX)
    • Analysts pivot into LiveNX to visualize communication frequency and duration by endpoint.
    • Correlates DNS queries and flow records to confirm repeated contact from a single subnet within the R&D network.
    • Detects unusual data size patterns consistent with exfiltration via HTTPS.
  3. Forensics (LiveWire)
    • Performs packet capture for the flagged hosts to confirm payload behavior.
    • Identifies POST requests containing Base64-encoded data to the suspicious domain (request bodies are visible only where the session is cleartext HTTP or has been decrypted at an inspection point; for HTTPS that was not decrypted, the evidence is request timing and size).
    • Extracts the payload for sandbox analysis to confirm malicious exfiltration.
  4. Response
    • Sends data to the SOAR to automatically block the compromised domains and associated IP ranges.

Outcome: Stopped stealthy C2 communications before significant business losses occurred.
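The hunt described above links DNS answers for indicator domains to the flows that follow them, then looks at per-endpoint volume for signs of exfiltration. The block below is an added example for this page, not Security Insights code. The indicator list, DNS log entries and flow records are constructed; the domain from the text is refanged so string matching works, the second indicator domain, the R&D subnet and the exfiltration thresholds are assumptions.

```python
"""Threat-intel hunt for use case 2: attribute flows to IOC domains via DNS answers.

Added example, not Security Insights code. All indicators, DNS records and flow
records are constructed; addresses come from the documentation ranges.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MITRE_WEB_SERVICE = "T1102"


def refang(domain):
    """Turn a defanged indicator such as example[.]net back into a matchable name."""
    return domain.replace("[.]", ".")


# Constructed indicator feed: the domain from the text plus a second, invented one.
IOC_DOMAINS = {refang("app-sync-storage[.]net"), "cdn-update-relay.com"}
# Exfiltration heuristic (assumption): a host pushed at least this many bytes to
# an indicator and its upload:download ratio is lopsided.
EXFIL_BYTES_OUT = 5_000_000
EXFIL_RATIO = 4.0
RND_SUBNET = ip_network("10.50.0.0/16")  # constructed: the R&D network


def build_resolution_map(dns_log):
    """Map (client, answer_ip) -> queried name for answers that match an IOC domain
    or one of its subdomains. Matching is case-insensitive and ignores a trailing dot."""
    res = {}
    for rec in dns_log:
        q = rec["qname"].lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in IOC_DOMAINS):
            for ip in rec["answers"]:
                res[(rec["client"], ip)] = q
    return res


def hunt(dns_log, flows):
    """Attribute flows to indicator domains through the client's own DNS answers and
    summarise contact count and byte volume per endpoint."""
    res = build_resolution_map(dns_log)
    per_host = defaultdict(lambda: {"domains": set(), "sessions": 0, "bytes_out": 0, "bytes_in": 0})
    for f in flows:
        q = res.get((f["src"], f["dst"]))
        if q is None:           # no DNS evidence for this (client, ip) pair: not attributed
            continue
        h = per_host[f["src"]]
        h["domains"].add(q)
        h["sessions"] += 1
        h["bytes_out"] += f["bytes_out"]
        h["bytes_in"] += f["bytes_in"]
    findings = []
    for host, h in per_host.items():
        ratio = h["bytes_out"] / max(h["bytes_in"], 1)
        findings.append({
            "host": host,
            "in_rnd": ip_address(host) in RND_SUBNET,
            "domains": sorted(h["domains"]),
            "sessions": h["sessions"],
            "bytes_out": h["bytes_out"],
            "exfil_suspected": h["bytes_out"] >= EXFIL_BYTES_OUT and ratio >= EXFIL_RATIO,
            "technique": MITRE_WEB_SERVICE,
        })
    return sorted(findings, key=lambda x: x["bytes_out"], reverse=True)


# Constructed DNS log: client, queried name, answer addresses.
DNS_LOG = [
    {"ts": 100, "client": "10.50.3.21", "qname": "app-sync-storage.net", "answers": ["192.0.2.44"]},
    {"ts": 105, "client": "10.50.3.22", "qname": "files.app-sync-storage.net.", "answers": ["192.0.2.45"]},
    {"ts": 110, "client": "10.10.1.5", "qname": "www.example.com", "answers": ["198.51.100.77"]},
    {"ts": 115, "client": "10.10.1.5", "qname": "APP-SYNC-STORAGE.NET", "answers": ["192.0.2.44"]},
]

# Constructed flow records. The R&D host 10.50.3.21 pushes 2.5 MB three times to
# the indicator's address; the last flow has no DNS observation and is not attributed.
FLOWS = [
    {"ts": 120, "src": "10.50.3.21", "dst": "192.0.2.44", "bytes_out": 2_500_000, "bytes_in": 50_000},
    {"ts": 720, "src": "10.50.3.21", "dst": "192.0.2.44", "bytes_out": 2_500_000, "bytes_in": 50_000},
    {"ts": 1320, "src": "10.50.3.21", "dst": "192.0.2.44", "bytes_out": 2_500_000, "bytes_in": 50_000},
    {"ts": 130, "src": "10.50.3.22", "dst": "192.0.2.45", "bytes_out": 12_000, "bytes_in": 30_000},
    {"ts": 140, "src": "10.10.1.5", "dst": "198.51.100.77", "bytes_out": 40_000, "bytes_in": 900_000},
    {"ts": 150, "src": "10.10.1.5", "dst": "192.0.2.44", "bytes_out": 8_000, "bytes_in": 20_000},
    {"ts": 160, "src": "10.50.3.21", "dst": "192.0.2.99", "bytes_out": 9_000, "bytes_in": 1_000},
]

if __name__ == "__main__":
    for finding in hunt(DNS_LOG, FLOWS):
        print(finding)
```

Attribution through the client's own DNS answers keeps shared hosting from producing false positives (a flow to an indicator's address counts only for the client that resolved the indicator name), but it also means malware that connects to a hard-coded address is invisible to this hunt; that case needs IP indicators. A production version would also bound the match by the DNS answer's TTL or a time window, which the sample omits.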

Use case 3: Forensic investigation of a TLS certificate abuse attack

MITRE ATT&CK ID: T1587.003 – Digital certificates

A large healthcare provider detects irregular TLS certificate behavior across its data centers. Security Insights flags multiple self-signed TLS certificates in use on outbound connections, a possible sign of malware using attacker-generated certificates to evade certificate-based inspection and reputation controls.

Investigation workflow:

  1. Detection (Security Insights)
    • Identifies multiple self-signed and untrusted TLS certificates in use on internal outbound connections.
    • Maps detection to MITRE T1587.003 and classifies as Unusual Certificate Activity.
  2. Analysis (LiveNX)
    • Analysts use flow visualization to isolate traffic originating from affected systems.
    • Confirms repetitive, short-lived TLS sessions from an IoT medical device subnet to an external IP.
    • Detects abnormal TLS handshake intervals and cipher suite selections that do not match the expected baseline for those devices.
  3. Forensics (LiveWire)
    • Captures packets for full forensic analysis.
    • Confirms that the outbound sessions carry opaque encrypted application data consistent with command traffic; the payload itself is not readable without decryption, so the case rests on certificate, timing, and size evidence.
    • Identifies the use of self-signed certificates generated by the malware to establish persistence.
  4. Response
    • Integrates findings into the SIEM and SOAR for alerting and automated blocking of the offending certificate fingerprints and destinations (a self-signed certificate generated by the attacker cannot be revoked by the defender, so blocking by fingerprint takes the place of revocation here).

Live packet capture interface showing HTTP and TCP traffic details with packet list, metadata, and hex viewer

Figure 3. Security Insights individual packet data dashboard used for a forensic search

Outcome: Prevented C2 persistence via forged TLS certificates, enhanced compliance and audit readiness by retaining packet-level evidence, and strengthened certificate governance across the organization.
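The certificate checks in this use case can be run over the handshake metadata a packet sensor extracts from the server's Certificate message without decrypting the session. The block below is an added example for this page, not Security Insights code. Every observation is constructed: the issuer allowlist, the device and server addresses, the short-session threshold and the session count are assumptions; the 398-day validity cap is the CA/Browser Forum limit for publicly trusted TLS certificates.

```python
"""Certificate checks for use case 3, run over TLS handshake metadata.

Added example, not Security Insights code. Each record below is constructed and
holds fields a packet sensor can extract from a server Certificate message
without decrypting the session: subject and issuer DN, validity dates, SNI,
subject alternative names, and session duration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MITRE_DIGITAL_CERTS = "T1587.003"
# Issuers this organisation trusts for outbound traffic (constructed allowlist).
TRUSTED_ISSUERS = {"CN=Example Public CA G3,O=Example Trust,C=US"}
MAX_PUBLIC_VALIDITY = timedelta(days=398)  # CA/Browser Forum cap for public TLS certs
SHORT_SESSION = 2.0       # seconds; repeated sub-2 s TLS sessions look like check-ins (assumption)
MIN_SHORT_SESSIONS = 3    # assumption


def classify_cert(rec):
    """Return the reasons a certificate observation is unusual (empty list = nothing odd)."""
    reasons = []
    if rec["subject"] == rec["issuer"]:
        reasons.append("self-signed")
    elif rec["issuer"] not in TRUSTED_ISSUERS:
        reasons.append("untrusted-issuer")
    if rec["not_after"] - rec["not_before"] > MAX_PUBLIC_VALIDITY:
        reasons.append("validity-exceeds-398d")
    if not (rec["not_before"] <= rec["seen"] <= rec["not_after"]):
        reasons.append("outside-validity-window")
    if rec["sni"] and rec["sni"] not in rec["san"]:
        reasons.append("sni-not-in-san")
    return reasons


def detect(records):
    """Per (src, dst) pair: collect certificate findings and count short-lived sessions.
    Pairs whose certificates raise no reason are dropped."""
    per_pair = defaultdict(lambda: {"reasons": Counter(), "short_sessions": 0, "sessions": 0})
    for rec in records:
        p = per_pair[(rec["src"], rec["dst"])]
        p["sessions"] += 1
        p["reasons"].update(classify_cert(rec))
        if rec["duration"] < SHORT_SESSION:
            p["short_sessions"] += 1
    findings = []
    for (src, dst), p in per_pair.items():
        if not p["reasons"]:
            continue
        findings.append({
            "src": src, "dst": dst, "sessions": p["sessions"],
            "reasons": sorted(p["reasons"]),
            "repeated_short_sessions": p["short_sessions"] >= MIN_SHORT_SESSIONS,
            "technique": MITRE_DIGITAL_CERTS,
            "classification": "Unusual Certificate Activity",
        })
    return findings


T0 = datetime(2024, 3, 1, 9, 0)  # constructed observation time


def obs(src, dst, subject, issuer, sni, san, valid_days, duration, offset_s):
    """Build one constructed handshake observation; the cert became valid a day before T0."""
    not_before = T0 - timedelta(days=1)
    return {"src": src, "dst": dst, "subject": subject, "issuer": issuer, "sni": sni, "san": san,
            "not_before": not_before, "not_after": not_before + timedelta(days=valid_days),
            "seen": T0 + timedelta(seconds=offset_s), "duration": duration}


# Constructed sample: a medical IoT device making four sub-second TLS sessions to an
# external host with a ten-year self-signed certificate, a workstation talking to a
# properly issued certificate, and the same workstation reaching a partner portal
# whose certificate comes from a CA that is not on the allowlist.
SAMPLE = [
    obs("10.70.8.15", "203.0.113.50", "CN=update-srv", "CN=update-srv", "update-srv", [], 3650, d, o)
    for d, o in ((0.8, 0), (0.9, 60), (1.1, 120), (0.7, 180))
] + [
    obs("10.70.2.9", "198.51.100.8", "CN=www.example.org", "CN=Example Public CA G3,O=Example Trust,C=US",
        "www.example.org", ["www.example.org", "example.org"], 365, 12.0, 30),
    obs("10.70.2.9", "198.51.100.60", "CN=portal.partner.example", "CN=Partner Internal CA",
        "portal.partner.example", ["portal.partner.example"], 365, 5.0, 90),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

The IoT device is reported with three independent reasons plus the short-session pattern, which is the combination the analysis step above describes; the partner portal is reported only for its untrusted issuer, a finding that usually ends in an allowlist update rather than an incident. Because the sensor never sees the private key, none of these checks prove the certificate is malicious; they rank which sessions deserve the packet-level review in the forensics step.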

Source: BlueCat
