TikiTDO | 12 years ago
What he described is an auditing system with some particular policies of interest to a specific use case. Such a system should not have any direct access to the main system, and should ideally live in a fully segregated environment with tightly controlled read-only access to a copy of the data being audited.
The whole idea is that this system would not announce its presence on the network in any way so that the attacker is more likely to miss it. Even if the attacker does know that it's present, he should not know all the checks and validations that such a system uses to detect suspicious behaviour. Hell, you could air-gap the entire thing and just copy over data dumps by using USB sticks.
Granted, even in that situation you could get something like Stuxnet which may compromise the machines. However, if you have the resources to build another Stuxnet, chances are you don't really need to get into a bank network.
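As an added illustration of the segregated auditing arrangement the comment describes (this is example code, not anything from the commenter or the thread), the sketch below is a small offline audit job: it takes a transported copy of transaction records (a constructed newline-delimited JSON dump, not real data), checks the copy's integrity before trusting it, and then applies a set of detection policies that live only inside the audit environment. The record layout, the hash check, the two sample policies and their thresholds are all assumptions made for the example; the production system never calls back into the audited network, and the rule set is whatever the auditing team chooses to keep private.

```python
"""Offline audit checker for a read-only copy of transaction records.

The dump is produced elsewhere (export, replica, or USB transfer); this
process only reads it, verifies it, and evaluates policies against it.
"""
import hashlib
import json
from datetime import datetime

# Constructed sample dump (newline-delimited JSON). Not real account data.
SAMPLE_RECORDS = [
    {"id": 1, "ts": "2024-03-04T10:15:00", "src": "acct-100", "dst": "acct-200", "amount": 120.50},
    {"id": 2, "ts": "2024-03-04T02:40:00", "src": "acct-100", "dst": "acct-999", "amount": 25000.00},
    {"id": 3, "ts": "2024-03-04T02:41:00", "src": "acct-100", "dst": "acct-999", "amount": 24000.00},
    {"id": 4, "ts": "2024-03-04T02:42:00", "src": "acct-100", "dst": "acct-999", "amount": 26000.00},
    {"id": 5, "ts": "2024-03-04T11:00:00", "src": "acct-300", "dst": "acct-200", "amount": 40.00},
]
SAMPLE_DUMP = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def verify_dump(data: bytes, expected_sha256: str) -> bool:
    """Check the transported copy against a hash delivered out of band,
    so a tampered or truncated dump is rejected before any policy runs."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


def load_dump(path: str) -> bytes:
    """Open the copy strictly for reading; the audit side never writes back."""
    with open(path, "rb") as fh:
        return fh.read()


def parse_dump(text: str) -> list[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# --- Detection policies (hypothetical thresholds chosen for the example) ---

def rule_off_hours_large(records: list[dict], threshold: float = 10000.0,
                         start_hour: int = 7, end_hour: int = 20) -> list[tuple[str, int]]:
    """Flag transfers at or above `threshold` outside business hours."""
    findings = []
    for r in records:
        hour = datetime.fromisoformat(r["ts"]).hour
        if r["amount"] >= threshold and not (start_hour <= hour < end_hour):
            findings.append(("off_hours_large", r["id"]))
    return findings


def rule_burst(records: list[dict], window_seconds: int = 300,
               max_count: int = 2) -> list[tuple[str, int]]:
    """Flag the record that pushes a (src, dst) pair past `max_count`
    transfers inside a sliding window of `window_seconds`."""
    findings = []
    recent_by_pair: dict[tuple[str, str], list[datetime]] = {}
    for r in sorted(records, key=lambda x: x["ts"]):
        key = (r["src"], r["dst"])
        ts = datetime.fromisoformat(r["ts"])
        recent = [t for t in recent_by_pair.get(key, [])
                  if (ts - t).total_seconds() <= window_seconds]
        recent.append(ts)
        recent_by_pair[key] = recent
        if len(recent) > max_count:
            findings.append(("burst", r["id"]))
    return findings


# The policy list is the part that stays inside the segregated environment.
POLICIES = [rule_off_hours_large, rule_burst]


def audit(dump_text: str) -> list[tuple[str, int]]:
    """Run every policy over the parsed copy and collect (rule, record id) findings."""
    records = parse_dump(dump_text)
    findings: list[tuple[str, int]] = []
    for policy in POLICIES:
        findings.extend(policy(records))
    return findings


if __name__ == "__main__":
    dump_bytes = SAMPLE_DUMP.encode()
    # In practice the expected hash arrives separately from the dump itself.
    expected = hashlib.sha256(dump_bytes).hexdigest()
    if not verify_dump(dump_bytes, expected):
        raise SystemExit("dump integrity check failed; refusing to audit")
    for rule, rec_id in audit(SAMPLE_DUMP):
        print(f"{rule}: record {rec_id}")
```

On the sample dump the three night-time transfers from acct-100 to acct-999 trip the off-hours rule, and the third of them also trips the burst rule. The checker has no network client and no write path, which is what keeps it useful even after the primary systems are compromised.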