by iagooar 964 days ago
To be fair, evidence of absence is close to impossible in the space of infrastructure and network security.
3 comments

As someone whose entire job is to maintain a gigantic QRadar cluster (IBM won't sell us larger licenses), I sure hope 1P have the logs to back their claims, because I know that it is possible that they do.
Full PCAP, process auditing and centralized logs are not only a thing, they have been for decades.

It just simply isn't worth the investment for CIO/CTO/CISO types because it isn't sexy. To say it's impossible is just factually inaccurate.

I know more than a few places doing 40gbps and 100gbps full packet capture for 30+ days. And relatively speaking, the investment isn't that large (for tens of petabytes it isn't as expensive as you might think).

We did this 5+ years ago at a managed hosting company, just for 3 days' worth of data. It was still invaluable for figuring out complex events.

OTOH every tech CEO knows this and they always say "We have no evidence of compromise" right before they discover evidence of compromise.