How to Protect the Crown Jewels with East-West Network Visibility

In the ever-evolving cybersecurity landscape, staying ahead of potential threats is paramount. Most cybersecurity and networking professionals recognize the need for North-South monitoring or inspecting the network traffic that enters and leaves the network. However, no solution can accurately detect and block all suspicious traffic without impacting business operations. Therefore, organizations cannot afford to overlook East-West traffic monitoring, which refers to communications within the network. East-West traffic includes essential business communications between customers, employees, applications, and servers but may include malicious actors disguising their actions as normal business communications. 

East-West traffic includes corporate local area networks (LAN) to regional offices, LAN to internal data centers, communication within internal data centers (e.g., front-end web server to back-end database server), and communication within a cloud-based data center. We’ll explore the importance of using East-West network visibility to protect mission-critical data and assets, also known as the “crown jewels” of an organization, and how to effectively mitigate the business impact of these services if compromised by an attack.

Why East-West Traffic Monitoring Matters

A typical attack on an enterprise begins with initial access or the compromise of at least one computer or user. That initial access opens the door for the attacker to peruse the network, discover the valuable data they wish to steal or corrupt, and execute their mission. North-South monitoring is built to detect and block that initial access, but attackers often find a way to breach that layer of security and compromise a system. Unless you can monitor East-West traffic, the attacker can conduct their operations from a compromised computer or user without detection. The attacker can use many techniques to discover your network, move laterally to compromise other computers, acquire user accounts and credentials, discover, collect, and steal critical data, and corrupt data. Early detection of this activity is necessary to detect the presence of an attack within the network and thwart the activity before damage is done to the enterprise.

East-West traffic monitoring requires the identification of normal network operations and detection of deviations in network behavior. Examples include understanding who (users and other servers) usually communicate with your critical servers, the network protocols used for these communications, and the typical behavior of these communication channels. Deviations from typical behavior could indicate an attack.

Time is critical in a security incident. Security-based East-West traffic monitoring provides real-time visibility into internal network activities, enabling quick responses to potential threats and minimizing the impact of security incidents.

Protecting the Crown Jewels Requires Better Network Visibility

Security teams in today’s world need end-to-end visibility throughout their entire enterprise network – from SD-WAN and remote offices to hybrid / multi-cloud environments to co-los and data centers. When there is a lack of visibility, SecOps teams do not have adequate insight into all stages of the MITRE ATT&CK framework. Security teams assume that the network has already been breached. In other words, the initial phases of MITRE ATT&CK – reconnaissance and initial access – have already happened. Relying solely upon North-South network visibility now becomes inadequate to track the internal movement of the attacker and progress through the MITRE ATT&CK framework, which includes execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, and collection tactics.

An enterprise relying only on North-South network visibility can only see the initial compromise and the data exfiltration. They are blind to most attacker tactics and techniques executed within the network using a compromised computer. If the initial compromise is undetected, then only the exfiltration can be seen, which can be challenging to detect as attackers know how to blend in with normal traffic. Even if the exfiltration is detected, it is too late to prevent damage to the enterprise. Your only recourse is to determine what data was stolen and inform your customers and employees about the breach that occurred. Often, ransomware is performed in addition to or instead of data exfiltration, which means detection only happens when the business has been severely damaged. However, with East-West visibility, there are many more opportunities to detect suspicious and malicious activity, even if the first compromise is missed.

Attacks of this nature underscore the need for complete, continuous network monitoring, an understanding of response strategies, and uninhibited visibility to detect anomalies that encompass traffic flowing in every direction. With internal and external-facing solutions, IT, NetOps, and SecOps teams can implement complete visibility monitoring, leveraging data derived from network packet traffic, helping address hard‑to-isolate issues across hybrid and remote environments.

Some security solutions allow IT organizations to continuously monitor each edge of their environment and gather real-time insights from deep packet inspection in North-South communications. As businesses grow and mature, they need solutions that scale to ensure complete network visibility across all North-South and East-West communication channels. Solutions of this nature will enable IT organizations to secure the crown jewels of their entire network before a successful attack occurs and before any attack damages the enterprise.

A Final Word

Ultimately, by understanding the network's threat landscape, IT management teams can better understand and identify where the crown jewels reside to make abnormal behavior more apparent to NetOps and SecOps teams when threats occur. The best way to detect and remediate that atypical network behavior is through East-West network visibility. When the crown jewels are under attack, security teams can swiftly verify and authenticate the traffic, reducing the risk of unauthorized network access, discovery, lateral movement, and data collection.

Related articles: