Re: It's easy to detect the Aarons of the world nowadays.
Monitoring is a good (practically essential) start though, especially when your environment is too big for any one person to know what 'should' be going on with every device.
I've not spotted crypto-mining yet, but I've spotted servers filling their discs, which turned out to be something writing debug-level logs because the developer forgot to switch them off.
Another vote for Zabbix though. It can monitor practically anything with a network connection, and it's configurable seven ways from Sunday.