Ask most network security teams where their detection coverage is strongest and they'll point to the perimeter: next-generation firewalls, intrusion prevention systems, SSL inspection, DLP at the gateway. These controls are important — but they share a fundamental blind spot.
They watch the doors. They don't watch what's happening inside the building.
North-South vs. East-West
Network traffic is conventionally classified in two dimensions:
North-south traffic crosses the network perimeter — traffic entering from the internet, traffic leaving to external services, traffic between enterprise locations over WAN circuits. This is the traffic that most security tools are designed to inspect.
East-west traffic moves laterally within the network — server to server, workstation to workstation, application tier to application tier. In most enterprise data centers and cloud environments, east-west traffic vastly exceeds north-south traffic in volume.
The security implication is stark: once an attacker establishes an initial foothold inside the perimeter (through phishing, a compromised credential, a vulnerable edge service), all of their subsequent activity — reconnaissance, lateral movement, privilege escalation, data staging — happens in east-west traffic that the perimeter controls never see.
Why East-West Blind Spots Exist
The perimeter focus in security tooling isn't irrational — it reflects the architecture of traditional networks. In the hub-and-spoke network model, all traffic between locations traversed the core, and placing security controls at the core gave reasonable coverage. In flat data center networks, all significant traffic hit a top-of-rack switch, and monitoring at the aggregation layer caught most east-west flows.
Modern network architectures broke these assumptions. Hyperconverged infrastructure, containerized workloads, and software-defined networking allow east-west traffic to travel entirely within a physical host — never crossing a physical network device that a traditional probe could monitor. A VM talking to another VM on the same hypervisor host sends traffic across a virtual switch that exists only in software.
The result: organizations have built sophisticated perimeter security on top of an increasingly invisible interior.
What Attackers Do With East-West Freedom
The MITRE ATT&CK framework documents dozens of techniques that operate entirely within east-west traffic:
- Discovery: Port scanning internal subnets to identify systems and services
- Credential access: NTLM relay attacks, Kerberoasting, credential dumping from internal AD infrastructure
- Lateral movement: Pass-the-hash, pass-the-ticket, RDP/SMB traversal between workstations and servers
- Collection: Accessing file shares, querying databases, enumerating email
None of these require a connection to the internet during execution. A threat actor who has compromised a single workstation can map and traverse an entire Active Directory environment without generating a single north-south flow that perimeter controls would see.
The average breach dwell time — the time between initial compromise and detection — has historically exceeded 100 days in enterprises with mature perimeter security but limited east-west visibility. The attacker is inside; the monitoring is outside.
Establishing East-West Visibility
Getting visibility into east-west traffic requires monitoring from the network interior. There are several approaches:
Flow Telemetry from Internal Infrastructure
The most practical starting point for most organizations is enabling flow export on internal switching and routing infrastructure. Core switches, distribution switches, and inter-VLAN routing devices all see significant east-west traffic. NetFlow or IPFIX export from these devices captures the east-west conversation map without requiring packet capture or agent deployment.
This approach has coverage gaps — traffic between VMs on the same hypervisor host, intra-pod container traffic — but it covers the majority of inter-subnet east-west traffic in most environments.
Hypervisor-Level Collection
VMware vSphere supports distributed switch-level flow monitoring. Hyper-V environments can capture traffic through the virtual switch extension framework. Container orchestration platforms increasingly support eBPF-based network telemetry at the pod level.
For complete east-west coverage in virtualized environments, hypervisor or host-level collection is necessary to fill the gaps left by physical infrastructure telemetry.
Cloud VPC/VNet Flow Logs
In cloud environments, east-west traffic between instances in the same VPC or VNet is captured by VPC Flow Logs (AWS) and NSG Flow Logs (Azure). These are the cloud-native equivalent of NetFlow and are essential for east-west visibility in cloud-hosted workloads.
What to Look For
Once east-west telemetry is flowing, detection focuses on deviations from expected lateral communication patterns:
- New lateral connections: A system establishing a connection type (protocol, port, destination) it has never made before
- Unusual scan patterns: High fan-out connections from a single source to many destinations on the same port (internal port scanning)
- Authentication protocol anomalies: Unusual volumes of SMB, LDAP, or Kerberos traffic from workstation segments
- Data mover patterns: Large transfers from internal file servers or databases to a system that doesn't normally receive bulk data
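As an added worked example (not FlowSight's code or the article's own), here is a small baseline-and-deviation detector in Python that reads flow records in the AWS VPC Flow Log default v2 field order mentioned under "Cloud VPC/VNet Flow Logs" and checks them for three of the patterns listed above: new interior conversations absent from a baseline window, one client fanning out to many hosts on a single port, and bulk data landing on a host that never received bulk data before. The log lines, account and interface identifiers, address ranges and thresholds are all constructed for the example.

```python
# Added example: baseline-and-deviation checks over east-west flow records.
# Lines follow the AWS VPC Flow Log default v2 field order; the records,
# interior address space and thresholds below are constructed assumptions.
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Interior address space of this hypothetical environment.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_FANOUT = 5            # distinct hosts on one port from one client (assumed)
BULK_BYTES = 100_000_000   # bytes received per window that count as bulk (assumed)

def parse_flow_log(text):
    """Parse v2 lines into dicts; drop malformed and NODATA/SKIPDATA rows.
    REJECTed flows are kept on purpose: failed probes are the scan signal."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                           # no addresses in these rows
        flows.append({"src": rec["srcaddr"], "dst": rec["dstaddr"],
                      "sport": int(rec["srcport"]), "dport": int(rec["dstport"]),
                      "proto": int(rec["protocol"]), "bytes": int(rec["bytes"])})
    return flows

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def east_west(flows):
    """Keep only interior-to-interior records; north-south rows are excluded."""
    return [f for f in flows if is_internal(f["src"]) and is_internal(f["dst"])]

def conversation_key(f):
    """Orient a record client -> server, taking the lower port as the service
    port (heuristic: ephemeral client ports are high), so a reply-direction
    row collapses onto the same key as its request."""
    if f["sport"] < f["dport"]:
        return (f["dst"], f["src"], f["sport"], f["proto"])
    return (f["src"], f["dst"], f["dport"], f["proto"])

def new_lateral_connections(baseline, current):
    """Interior (client, server, port, proto) tuples never seen in the baseline."""
    known = {conversation_key(f) for f in east_west(baseline)}
    return sorted({conversation_key(f) for f in east_west(current)} - known)

def scan_fanout(current, threshold=SCAN_FANOUT):
    """Clients touching >= threshold distinct interior servers on one port."""
    servers = defaultdict(set)
    for f in east_west(current):
        client, server, port, _ = conversation_key(f)
        servers[(client, port)].add(server)
    return sorted((c, p, len(s)) for (c, p), s in servers.items()
                  if len(s) >= threshold)

def bulk_to_unusual_receiver(baseline, current, threshold=BULK_BYTES):
    """(sender, receiver, bytes) where the receiver got >= threshold bytes now
    but never received that much interior data during the baseline window."""
    before = defaultdict(int)
    for f in east_west(baseline):
        before[f["dst"]] += f["bytes"]
    pair_bytes = defaultdict(int)
    for f in east_west(current):
        pair_bytes[(f["src"], f["dst"])] += f["bytes"]
    return sorted((s, d, b) for (s, d), b in pair_bytes.items()
                  if b >= threshold and before.get(d, 0) < threshold)

# Constructed sample: a baseline window, then the window under review.
BASELINE_LOG = """
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.10 50123 88 6 8 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.50 50124 445 6 40 60000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.77 10.0.2.50 50200 445 6 30 40000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.50 10.0.1.77 445 50200 6 200 300000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.5 50125 443 6 20 15000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""
CURRENT_LOG = """
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.10 50301 88 6 8 1200 1700003600 1700003660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.50 50302 445 6 40 60000 1700003600 1700003660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.11 50310 445 6 1 60 1700003600 1700003660 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.12 50311 445 6 1 60 1700003600 1700003660 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.13 50312 445 6 1 60 1700003600 1700003660 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.14 50313 445 6 1 60 1700003600 1700003660 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.15 50314 445 6 3 180 1700003600 1700003660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.1.77 50320 3389 6 12 2400 1700003600 1700003660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.50 10.0.1.77 445 50400 6 600000 850000000 1700003600 1700003660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.9 50330 443 6 20 15000 1700003600 1700003660 ACCEPT OK
"""

def detect(baseline_text=BASELINE_LOG, current_text=CURRENT_LOG):
    base, cur = parse_flow_log(baseline_text), parse_flow_log(current_text)
    return {"new_lateral": new_lateral_connections(base, cur),
            "scan_fanout": scan_fanout(cur),
            "bulk": bulk_to_unusual_receiver(base, cur)}

if __name__ == "__main__":
    for name, hits in detect().items():
        print(name, hits)
```

On the sample, the workstation 10.0.1.10 is flagged for touching six interior hosts on 445 (its usual file server plus five new ones, four of them rejected) and for a first-ever RDP conversation with 10.0.1.77, while the new connection it makes to an external address is ignored because only interior-to-interior records are baselined. The file server 10.0.2.50 is flagged for pushing 850 MB to 10.0.1.77, which had only ever received a few hundred KB. The client/server orientation trick matters: without it, every reply record carrying a fresh ephemeral destination port would show up as a "new connection". In practice the baseline would be built over days per segment, not from one window, but the logic is the same.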
FlowSight collects east-west flow telemetry from physical switches, virtual infrastructure, and cloud flow logs, building per-segment baselines that distinguish normal lateral communication from anomalous lateral movement. When a system starts talking to things it shouldn't — in ways that perimeter tools will never see — FlowSight surfaces it.
The Interior Is the Attack Surface
The perimeter is not gone, and perimeter security still matters. But in an environment where every breach begins with an interior phase — and that phase lasts months — treating the interior as a trusted zone is an architecture built for a threat model that no longer exists.
East-west visibility closes the gap between "attacker got in" and "we detected the attacker." That gap is where breaches become catastrophes.