There is a relational amplification affect here. As you increase the number of hosts on your network, the bigger the smoke screen for SSH data streams. We live in a mixed environment along which serves traffic to not only regular employees but also business partners, state and federal agencies, etc., etc.. As Tiger states, the ability to effectively trigger on pure SSH sessions will be extremely difficult and labor intensive if possible at all.

PS

Websense rulez.