2017/02/06: all this encryption breaks Deep Packet Inspection. All the IDSs, IPSs and NGFWs that we bought are becoming obsolete: they can't inspect the payload of encrypted packets. Of course the vendors try to hold onto this technology by introducing things like SSL inspection (aka SSL bump). This technology basically breaks the trust model of Internet encryption by acting as a man-in-the-middle. The proxy where you work terminates your TLS connection and presents itself as the encrypted site you are going to, using a certificate it mints on the fly and signs with a corporate CA. Because they control your computer, that CA is already in your trust store, your browser shows no warning, and you don't even know it is happening. The proxy then decrypts your Internet traffic, runs DPI on the cleartext, and re-encrypts it on a second connection out to the real site. The one tell is the certificate chain your browser shows: the issuer is your employer's CA rather than a public one.
Instead of holding onto deep packet inspection, I think we need to transition to new methodologies for detecting bad things on the network. Telemetry is one of them: passive monitoring of NetFlow records and DNS queries. By looking at who talks to whom on your network and determining what looks anomalous, you may be able to determine where the nefarious activity is happening without ever reading a payload. By looking at your DNS queries, checking them against passive DNS, and blocking known-bad names with BIND RPZ or a filtering resolver like OpenDNS, you can cut off a huge number of bad sites on the Internet and interrupt phishing campaigns and malware that need to resolve their command-and-control domains.
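As an added example (not from the original post), here is a small Python script that does the DNS-telemetry half of this: it parses BIND query-log lines, flags names whose labels look like tunnelling payloads or DGA output (very long or high-entropy labels), and emits an RPZ zone that answers NXDOMAIN for the offending domains so the resolver cuts them off. The log lines, thresholds, domain names and the named.conf snippet in the comments are all constructed for illustration; the only BIND-specific facts relied on are the querylog line shape and the RPZ `CNAME .` rule.

```python
"""Added example (not from the original post): mine BIND query-log telemetry
for anomalous lookups and emit a BIND RPZ zone that sinkholes the offenders.
The log lines, thresholds and domain names below are constructed."""
import math
import re
from collections import Counter, defaultdict

# Constructed BIND querylog excerpt (enable with `rndc querylog` or
# `querylog yes;` in named.conf). Newer BIND versions add an "@0x..." token
# after "client"; the regex below tolerates it.
SAMPLE_QUERYLOG = """\
06-Feb-2017 10:00:01.123 client 10.1.2.3#51234 (www.example.com): query: www.example.com IN A +E (10.1.0.1)
06-Feb-2017 10:00:02.001 client 10.1.2.3#51235 (mail.example.com): query: mail.example.com IN MX +E (10.1.0.1)
06-Feb-2017 10:00:03.444 client 10.1.2.9#40001 (4a6f686e2c7468652070617373776f7264.t.evil-tld.net): query: 4a6f686e2c7468652070617373776f7264.t.evil-tld.net IN TXT +E (10.1.0.1)
06-Feb-2017 10:00:04.010 client 10.1.2.9#40002 (69732064696666696375c6742c2077686174.t.evil-tld.net): query: 69732064696666696375c6742c2077686174.t.evil-tld.net IN TXT +E (10.1.0.1)
06-Feb-2017 10:00:04.900 client 10.1.2.9#40003 (6361726520746f2073656e64206e6f773f.t.evil-tld.net): query: 6361726520746f2073656e64206e6f773f.t.evil-tld.net IN TXT +E (10.1.0.1)
06-Feb-2017 10:00:05.500 client 10.1.2.7#53022 (xkq2vbn9ptlw.rnd-domain.org): query: xkq2vbn9ptlw.rnd-domain.org IN A +E (10.1.0.1)
"""

_QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[^#\s]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Heuristic thresholds: constructed starting points, tune against your own baseline.
MAX_LABEL_LEN = 24        # labels longer than this are almost never typed by humans
MIN_ENTROPY_LEN = 12      # only score entropy on labels long enough to be meaningful
ENTROPY_THRESHOLD = 3.5   # bits per character; log2(12) ~= 3.58 for 12 distinct chars


def parse_querylog(text):
    """Turn querylog lines into records of (client, name, qtype); skip unparseable lines."""
    records = []
    for line in text.splitlines():
        m = _QUERY_RE.search(line)
        if m:
            records.append({
                "client": m.group("client"),
                "name": m.group("name").lower().rstrip("."),
                "qtype": m.group("qtype"),
            })
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_suspicious(name):
    """A very long label, or a long high-entropy label, is the shape of DNS
    tunnelling payloads and DGA hostnames. Expect false positives on CDN and
    tracking hostnames that embed hashes; whitelist those from your baseline."""
    for label in name.split("."):
        if len(label) > MAX_LABEL_LEN:
            return True
        if len(label) >= MIN_ENTROPY_LEN and shannon_entropy(label) > ENTROPY_THRESHOLD:
            return True
    return False


def base_domain(name):
    """Simplification: the last two labels. Use a public-suffix list in
    production so that 'foo.co.uk' is not reduced to 'co.uk'."""
    return ".".join(name.split(".")[-2:])


def find_suspicious_domains(records, min_distinct_names=2):
    """Registrable domains with at least min_distinct_names distinct suspicious
    names under them; the threshold avoids sinkholing a domain on one odd lookup."""
    names_by_domain = defaultdict(set)
    for r in records:
        if is_suspicious(r["name"]):
            names_by_domain[base_domain(r["name"])].add(r["name"])
    return {d for d, names in names_by_domain.items() if len(names) >= min_distinct_names}


def build_rpz_zone(domains, serial):
    """Render a BIND RPZ zone. In RPZ a 'CNAME .' target means answer NXDOMAIN;
    the wildcard entry covers every subdomain. Owner names are relative to the
    zone origin, so 'evil-tld.net' here matches the real evil-tld.net."""
    lines = [
        "$TTL 60",
        "@ IN SOA localhost. root.localhost. (%d 3600 600 86400 60)" % serial,
        "  IN NS localhost.",
    ]
    for d in sorted(domains):
        lines.append("%s CNAME ." % d)
        lines.append("*.%s CNAME ." % d)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed named.conf wiring for the generated zone:
    #   response-policy { zone "rpz.local"; };
    #   zone "rpz.local" { type master; file "rpz.local.db"; };
    bad = find_suspicious_domains(parse_querylog(SAMPLE_QUERYLOG))
    print(build_rpz_zone(bad, 2017020601))
```

On the sample, only `evil-tld.net` reaches the two-distinct-names threshold (the three long hex TXT labels are the classic tunnelling pattern); the single high-entropy `rnd-domain.org` lookup is flagged but not sinkholed, which is the right default before you have looked at it in passive DNS. Reload the zone with `rndc reload rpz.local` after regenerating it, and bump the serial each time.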