East-west traffic monitoring: detecting lateral movement in real time

Learn how to monitor east-west traffic and detect lateral movement in real time. Practical guide for European IT teams using Zero Trust, microsegmentation and SASE.

Most security stacks watch the front door. Firewalls inspect north-south traffic, VPNs control who enters, and web gateways filter what leaves. But the traffic that moves sideways, server to server, device to application, workload to workload, often passes without scrutiny. Attackers know this. Once inside, they move laterally through internal paths that no perimeter tool was designed to see.

East-west traffic monitoring closes that gap. It gives IT teams visibility into internal communication flows, surfaces anomalous behaviour, and enables containment before a single compromised endpoint becomes a company-wide breach. This guide explains what east-west monitoring looks like in practice, which signals matter, and how to build detection into your existing security architecture without adding operational complexity.

What is east-west traffic and why does it matter for security

East-west traffic is the data that moves between devices, applications and services within your network. It includes server-to-server API calls, database queries, authentication requests between internal systems, and machine-to-machine communication on production floors.

North-south traffic crosses the perimeter: users reaching the internet, external clients accessing a web server. East-west traffic stays inside. And in most mid-market environments, it vastly outnumbers north-south flows.

The problem is straightforward. Traditional firewalls sit at the perimeter and inspect north-south traffic. They have limited or no visibility into what happens between two servers in the same data centre, between a workstation and an internal file share, or between an IoT sensor and a historian on the production floor. This makes east-west traffic the preferred route for attackers performing lateral movement.

How lateral movement exploits east-west blind spots

Lateral movement is the technique attackers use to spread from an initial foothold to higher-value targets. A phished credential gets them onto one workstation. From there, they map the network, harvest additional credentials, and move sideways until they reach databases, backup systems, or domain controllers.

The numbers are sobering. According to Illumio’s 2025 Global Cloud Detection and Response Report, nearly 90% of organisations experienced a security incident involving lateral movement in the prior year, with each incident causing over seven hours of downtime on average. The CrowdStrike 2026 Global Threat Report measured the average eCrime breakout time at 29 minutes, with the fastest observed case at just 27 seconds. That is the window between initial access and lateral movement.

What makes detection particularly difficult is that attackers increasingly use legitimate tools. The same CrowdStrike report found that 82% of detections are now malware-free, with adversaries relying on valid credentials and built-in administration utilities. PowerShell, Remote Desktop Protocol, and WMI do not trigger antivirus alerts because they are standard IT tools. Only east-west traffic analysis can distinguish between a legitimate administrator connecting to a server and an attacker abusing the same protocol.

What to monitor: signals that indicate lateral movement

Not all east-west traffic is suspicious. The challenge is separating normal internal communication from anomalous behaviour. Focus on these categories of signals.

Unusual authentication patterns

Watch for a single identity authenticating to multiple systems in rapid succession, especially systems it has never accessed before. Failed authentication attempts followed by a successful login on a different host can indicate credential spraying or pass-the-hash attacks.

New communication paths

If a workstation in marketing suddenly initiates a connection to a database server in finance, that path deserves attention. Baseline your normal east-west flows first, then flag deviations. New server-to-server connections, particularly to infrastructure services like Active Directory or DNS, are high-priority signals.

Protocol anomalies

RDP, SMB, SSH and WinRM are common lateral movement vectors. Monitor for these protocols appearing on hosts or segments where they are not expected. An IoT sensor initiating an SMB connection is a clear red flag. A workstation running RDP to a server outside its defined application set is another.

Volume spikes and data staging

Before exfiltrating data, attackers often stage it on an internal system. Look for unusual volume increases on internal file shares, unexpected compression activity, or large data transfers between hosts that typically exchange small payloads.

Service account abuse

Service accounts with broad access and infrequent human oversight are prime targets. Monitor for service accounts used interactively, from new source IPs, or outside their expected schedule.

Why traditional tools miss east-west threats

Perimeter firewalls were not designed to inspect traffic between two hosts in the same subnet. Even internal firewalls typically operate at the VLAN boundary and use IP-based rules that cannot distinguish between authorised and unauthorised use of the same protocol.

Network segmentation helps, but classic segmentation based on VLANs only controls traffic between zones. Within a zone, communication is often unrestricted. An attacker who compromises one server in a zone can reach every other server in the same zone without crossing a firewall.

This is why microsegmentation has become the standard approach for organisations that take lateral movement seriously. Rather than trusting everything inside a zone, microsegmentation verifies every connection between every identity and every resource. It turns east-west monitoring from a passive detection exercise into an active enforcement mechanism.

Building an east-west monitoring strategy in five steps

Step 1: Map your internal communication flows

You cannot detect anomalies without knowing what normal looks like. Start with your most critical applications. Document which identities, devices, and services communicate with each system. Include machine-to-machine flows, not just human access.

For environments with agentless devices (printers, cameras, industrial PLCs), you will need inline visibility. These devices do not generate the same telemetry as managed endpoints. NIAC hardware placed between agentless devices and the network captures their communication patterns and enforces access controls at the same time.

Step 2: Establish identity-based baselines

IP addresses change. Device names get reused. The only stable anchor for east-west monitoring is identity: user identity, device identity, and workload identity. Build your baselines around who is communicating, not just which IP address is sending packets.

A Zero Trust architecture provides this foundation natively. When every access request is tied to a verified identity and evaluated against a policy, the access logs become a high-fidelity east-west traffic record. Each allowed or denied connection tells you exactly who reached what, from which device, under which conditions.

Step 3: Deploy detection at enforcement points

The most effective east-west monitoring happens at the points where access decisions are made. In a SASE architecture, that means your ZTNA gateway, your Secure Web Gateway, and your network controllers. These components already see every connection. Adding detection logic at these points avoids deploying a separate monitoring overlay.

Key detection rules to implement early:

  • Alert on any identity accessing more than a defined number of distinct systems within a time window (e.g. five systems in ten minutes)
  • Alert on protocols appearing on segments where they are not baselined (RDP on an OT segment, SSH on a printer VLAN)
  • Alert on service accounts used outside their scheduled windows
  • Alert on denied access attempts followed by successful access on a different resource
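As an added illustration, not Jimber's code and not part of the original article, the Python below applies these four rules to a constructed sample of identity-based access-log records. The segment names, per-segment protocol baselines, service-account schedule and the five-systems-in-ten-minutes threshold are assumptions for the example; in practice they come from the flow-mapping and baselining steps.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Baselines (constructed for this example): protocols expected per segment, service-account hours.
SEGMENT_PROTOCOLS = {"office": {"https", "smb", "ldap"}, "dc": {"ssh", "ldap"}, "ot": {"opcua"}}
SERVICE_HOURS = {"svc-backup": range(1, 5)}   # svc-backup is scheduled for 01:00-04:59
FANOUT_LIMIT, WINDOW = 5, timedelta(minutes=10)
# Constructed access-log sample: (timestamp, identity, source segment, resource, protocol, decision).
SAMPLE_LOG = [
    ("2025-03-01T09:00:00", "alice", "office", "erp-app", "https", "allow"),
    ("2025-03-01T09:01:00", "alice", "office", "fileshare-01", "smb", "deny"),
    ("2025-03-01T09:01:30", "alice", "office", "fileshare-02", "smb", "allow"),
    ("2025-03-01T09:02:00", "alice", "office", "dc-01", "ldap", "allow"),
    ("2025-03-01T09:03:00", "alice", "office", "db-finance", "https", "allow"),
    ("2025-03-01T09:04:00", "alice", "office", "backup-01", "smb", "allow"),
    ("2025-03-01T10:00:00", "plc-07", "ot", "historian", "opcua", "allow"),
    ("2025-03-01T10:05:00", "plc-07", "ot", "fileshare-01", "smb", "allow"),
    ("2025-03-01T14:00:00", "svc-backup", "dc", "backup-01", "ssh", "allow"),
]

def detect(records):
    """Apply the four early rules; returns a list of (rule, identity, detail) alerts."""
    alerts = []
    recent = defaultdict(deque)   # identity -> (ts, resource) of allowed access within WINDOW
    last_denied = {}              # identity -> (ts, resource) of the latest denial
    for ts_str, ident, seg, res, proto, decision in sorted(records):
        ts = datetime.fromisoformat(ts_str)
        # Rule 2: protocol appearing on a segment where it is not baselined (e.g. SMB from OT).
        if proto not in SEGMENT_PROTOCOLS.get(seg, set()):
            alerts.append(("unbaselined_protocol", ident, f"{proto} from {seg}"))
        # Rule 3: service account active outside its scheduled window.
        if ident in SERVICE_HOURS and ts.hour not in SERVICE_HOURS[ident]:
            alerts.append(("service_account_off_schedule", ident, ts_str))
        if decision == "deny":
            last_denied[ident] = (ts, res)
            continue
        # Rule 4: a denial followed shortly by success on a different resource.
        if ident in last_denied:
            d_ts, d_res = last_denied.pop(ident)
            if d_res != res and ts - d_ts <= WINDOW:
                alerts.append(("deny_then_allow_elsewhere", ident, f"{d_res} -> {res}"))
        # Rule 1: distinct systems reached by one identity within a sliding time window.
        q = recent[ident]
        q.append((ts, res))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= FANOUT_LIMIT:
            alerts.append(("fan_out", ident, f"{len(distinct)} systems in {WINDOW}"))
    return alerts
```

Running detect(SAMPLE_LOG) yields exactly one alert per rule, in timestamp order; in a real deployment the alerts would be streamed to the SIEM and feed the containment step.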

Step 4: Integrate with your SIEM or logging platform

East-west monitoring generates data. To make it actionable, stream access logs, policy decisions, and alerts to a central platform. Correlate east-west events with north-south telemetry. A suspicious inbound connection followed by unusual internal scanning is a higher-confidence signal than either event alone.

For NIS2 compliance, centralised logging of access decisions provides the audit evidence that regulators expect. Every policy change, every access grant, every denial is recorded and traceable. This supports the demonstrable risk management that NIS2 mandates for essential and important entities.

Step 5: Automate containment

Detection without response is a spectator sport. The value of east-west monitoring is realised when suspicious behaviour triggers automatic containment. That can mean revoking a session, isolating a device from the network, or restricting an identity to a limited set of applications while the security team investigates.

In a unified SASE platform, containment actions can be executed from the same console that detected the anomaly. There is no switching between tools, no manual firewall rule changes, no waiting for a network engineer to update an ACL. The ransomware prevention playbook covers containment strategies in detail, including how microsegmentation limits blast radius during an active incident.

The role of microsegmentation in east-west security

East-west monitoring and microsegmentation are two sides of the same coin. Monitoring shows you what is happening inside your network. Microsegmentation controls what is allowed to happen.

When you combine both, the result is a closed loop. Microsegmentation policies define which communication paths are legitimate. East-west monitoring flags anything outside those defined paths. Automated containment closes the loop by blocking or isolating anomalous connections.

The difference between traditional segmentation and microsegmentation is worth understanding here. Traditional segmentation creates broad zones. Microsegmentation operates at the identity and application level, which means every east-west flow has a policy decision attached to it. That policy decision is also a monitoring event.

Practical examples in European mid-market environments

Manufacturing company with IT-OT convergence. A Belgian manufacturer connects its HMIs and PLCs to the corporate network for maintenance and data collection. NIAC hardware isolates each industrial device, permitting only defined upstream flows to historians and update servers. When a compromised laptop on the IT side attempts to reach a PLC, the connection is denied and logged. The security team receives an alert within seconds, not after seven hours of undetected lateral movement.

Professional services firm with hybrid workers. A consultancy with 200 employees runs its ERP, document management, and financial systems across on-premises servers and cloud services. ZTNA provides per-application access for all users. When a compromised identity begins accessing file shares it has never touched, the access pattern deviates from baseline and triggers an alert. The session is suspended automatically while the team investigates.

Local government with distributed sites. A municipality manages services across twelve locations. SD-WAN connects the sites, and centralised policies ensure consistent access controls. East-west monitoring across sites reveals that a device at a remote office is scanning internal services. The device is isolated before it can reach the central citizen database.

How Jimber makes east-west monitoring workable

Jimber delivers Real SASE in one cloud-managed platform. Every access decision, whether from a user, a device, or an agentless machine, passes through a policy engine that logs the identity, the resource, the device posture, and the action taken. This creates a complete east-west traffic record without deploying a separate network monitoring tool.

Zero Trust Network Access ties every connection to a verified identity. The Secure Web Gateway and Firewall-as-a-Service extend policy enforcement to web traffic and outbound flows. SD-WAN ensures site-to-site connectivity is policy-controlled and observable. For devices that cannot run agents, NIAC hardware provides inline isolation and traffic logging, closing the blind spots that attackers exploit.

Everything is managed from a single console. MSPs serving multiple customers operate through a multi-tenant architecture with shared templates and centralised reporting. Access logs stream to existing SIEM platforms via API. Policy changes are versioned and auditable.

The result is east-west visibility that does not require a dedicated monitoring project, a separate analytics platform, or additional staff. It is built into the access model itself.

Frequently asked questions

Do I need a dedicated network detection tool for east-west monitoring?

Not necessarily. If your access layer logs every identity-based connection and policy decision, you already have east-west visibility. A unified SASE platform captures this data as a byproduct of enforcing access policies. Dedicated NDR tools add value in environments with high volumes of unstructured network traffic, but they are not a prerequisite.

How does east-west monitoring support NIS2 compliance?

NIS2 requires organisations to demonstrate risk management practices, incident containment capabilities, and access governance. East-west monitoring provides evidence that lateral movement is detectable and containable. Centralised logging of access decisions, combined with automated alerting, satisfies the audit trail requirements that regulators expect.

What about devices that cannot generate logs?

Printers, IoT sensors, cameras, and industrial equipment typically lack logging capabilities. NIAC hardware placed inline captures their communication patterns and enforces access controls. This brings agentless devices into your monitoring scope without requiring changes to the devices themselves.

How quickly can lateral movement be detected with this approach?

Detection speed depends on your baseline quality and alerting rules. Organisations with well-defined communication baselines and identity-based policies can detect anomalous lateral movement within minutes. The CrowdStrike 2026 Global Threat Report found the average breakout time is 29 minutes. Your detection and containment need to beat that window.

Can mid-market teams implement this without a dedicated SOC?

Yes. A unified SASE platform consolidates monitoring, alerting, and containment into a single console. Pre-built detection rules and automated responses reduce the need for dedicated security analysts. For organisations that want additional support, MSPs can manage east-west monitoring across multiple customers from the same multi-tenant platform.

Ready to see what is moving inside your network? Book a demo and see how east-west monitoring works in Jimber’s cloud-managed SASE console.
