Network Security Monitoring relies on watching network traffic to identify suspicious and malicious activity. A large and definitely growing amount of network time is outside the reach of network-based sensors. I would personally still find network traffic generated by a compromised host to be extremely useful, regardless of how that host connects to any network. One option I pitched to NetWitness yesterday was to deploy a software agent to a suspected compromised system for purposes of collecting and storing network traffic. This approach has the benefit (some would say drawback) of intercepting encrypted traffic as well.
Source: https://taosecurity.blogspot.com/2008/02/nsm-at-endpoint.html

