AS-301b · Module 2
Lateral Movement Detection
Good news, everyone! Perimeter security watches north-south traffic — requests entering and leaving the network. Most security investment goes here. But the majority of damage from a compromise happens in east-west traffic — the lateral movement between internal services. A compromised agent does not need to send data out immediately. It needs to reach other agents, escalate privilege, and access data stores. All of that movement is east-west.
- Baseline Normal East-West Patterns: Before you can detect anomalous lateral movement, you need to know what normal looks like. Agent A talks to Services X and Y with an average of 200 requests per hour. Agent B talks to Services Y and Z with 50 requests per hour. Any deviation from this pattern — a new destination, a spike in volume, an unusual time of day — is a candidate for investigation.
- Deploy Network Detection and Response: NDR tools analyze traffic metadata between internal endpoints. They identify new connections that have no historical baseline, traffic volume anomalies, and protocol anomalies. Deploy NDR on east-west traffic, not just at the perimeter. The perimeter sees the obvious attacks. East-west sees the sophisticated ones.
- Correlate with Agent Behavior Logs: A network anomaly in isolation is a data point. The same anomaly correlated with an unusual agent behavior — a sudden change in tool usage, an unexpected skill registry modification, an access pattern deviation — is an investigation. Network and application telemetry together tell the full story.
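As an added example (not part of this module), the baseline-and-correlate flow from the steps above in Python: per-agent destinations, hourly rates and active hours are learned from constructed flow records, deviations (new destination, volume spike, unusual hour) are flagged, and a finding is promoted to an investigation only when the same agent shows an unusual behavior event in the same hour. The record layouts, field names and the 3x spike threshold are assumptions.

```python
# Added example, not the module's code; all records are constructed and the
# (agent, destination, hour_of_day, requests_in_hour) layout is an assumption.
from collections import defaultdict
from statistics import mean

# Constructed baseline flows observed during a known-good period.
BASELINE = [
    ("agent-a", "svc-x", 9, 210), ("agent-a", "svc-y", 10, 190),
    ("agent-a", "svc-x", 11, 200), ("agent-b", "svc-y", 9, 50),
    ("agent-b", "svc-z", 10, 55), ("agent-b", "svc-z", 11, 45),
]
# Constructed observation window to score against that baseline.
OBSERVED = [
    ("agent-a", "svc-x", 10, 205),  # within baseline
    ("agent-a", "svc-z", 3, 40),    # new destination at an unusual hour
    ("agent-b", "svc-y", 10, 400),  # volume spike, roughly 8x baseline
]
# Constructed agent behavior telemetry: (agent, hour_of_day, event)
AGENT_EVENTS = [("agent-a", 3, "skill_registry_modified"), ("agent-b", 10, "tool_usage_change")]

def build_baseline(flows):
    """Per agent: known destinations, hourly request counts, active hours."""
    base = defaultdict(lambda: {"dests": set(), "rates": [], "hours": set()})
    for agent, dest, hour, count in flows:
        base[agent]["dests"].add(dest)
        base[agent]["rates"].append(count)
        base[agent]["hours"].add(hour)
    return base

def detect_anomalies(baseline, observed, spike_factor=3.0):
    """Return (agent, dest, hour, reasons) for each flow deviating from baseline."""
    findings = []
    for agent, dest, hour, count in observed:
        b = baseline.get(agent)  # None for an agent with no baseline at all
        reasons = []
        if b is None or dest not in b["dests"]:
            reasons.append("new_destination")
        if b and count > spike_factor * mean(b["rates"]):
            reasons.append("volume_spike")
        if b and hour not in b["hours"]:
            reasons.append("unusual_hour")
        if reasons:
            findings.append((agent, dest, hour, reasons))
    return findings

def correlate(findings, events):
    """Keep only anomalies where the same agent misbehaved in the same hour."""
    by_key = defaultdict(list)
    for agent, hour, event in events:
        by_key[(agent, hour)].append(event)
    return [(f, by_key[(f[0], f[2])]) for f in findings if (f[0], f[2]) in by_key]
```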