As time has progressed, monitoring has moved further and further inside the enterprise. Once upon a time, an enterprise could monitor only its perimeter and still be in decent shape. Then, attackers started moving up the OSI stack (as has been discussed previously in this blog and elsewhere). Now, with attackers using legitimate domains/sites, encrypted command and control, and a whole host of other techniques to hide in the noise of legitimate traffic, it is getting increasingly difficult for the defender to keep pace. It appears to me that the only long-term monitoring solution is to go all the way to the endpoint somehow (in tandem with instrumenting the network for monitoring, of course). I'm not sure I see how else we can obtain the visibility into the interior segments of the network that we so desperately need.
A sad reality, I fear.