I worked at a government agency that used Zscaler to perform TLS MITM inspection. You have to create a tunnel to a Zscaler datacenter and send all your traffic to them encrypted with a certificate they provide so they can decrypt it. Then they encrypt it again and send it on its way. It can detect things that otherwise could not be detected, but you are putting a LOT of trust into Zscaler security because anyone who hacks them can see EVERYTHING you are doing. And it is a HUGE waste of processing power and joules. You can create exceptions for URLs and source IPs.
I much prefer filtering on the endpoint before TLS encryption.
You'd think last year's Clownstrike incident would put the lie to the efficacy of the fucking-for-virginity approach to endpoint security favored by organizations but no.
At the enterprise level, security isn't really about security, it's about having an audit trail so bad actors can be caught after the fact.
You would be surprised how much of corporate cybersecurity is done like this. It has not in any way improved since CrowdStrike; on the contrary, EDR shenanigans have probably grown 100% since last year.
These security companies must have really good salesmen. Or maybe IT departments are always run by clueless fools, who knows?
The security team cares about minimizing risks to the company and to their own careers.
Deviating from what everybody else is doing makes it so that the burden of proving that your policies are sane is on you and if anything bad happens your head is the first to roll.
You use CrowdStrike and the company lost millions of dollars due to the outage? That's not your problem, you applied industry standard practices.
You don't use CrowdStrike and the company got hacked? You will have to explain to the executives and the board why you didn't apply industry standard practices and you will be fired.
> Or maybe IT departments are always run by clueless fools, who knows?
I think IT has its fair share of clueless fools, but what I've noticed is that when the "security department" is separate, people there tend to have no idea what they're talking about and rely on checklists. Plus, "everybody uses X, that means we're missing out".
There's no reason to do anything else. Nobody has gone to jail as of yet for not securing their company, and even "security" companies that get utterly popped still have plentiful business a year later.
There is no legal incentive to do good security. There is no market incentive to do good security. Why is it so surprising to people that we have abysmal security?
In my case, it's surprising because companies waste a ton of money buying snake oil and aggravating their users for next to no benefit. You'd expect companies that "only care about their bottom line" to optimize this away, yet they don't.
It is like hiring bodyguards. Bodyguards could kill the person they are protecting at any time, BUT they have an economic and legal incentive not to do so, and so you bet that the odds of being killed by bodyguards are far lower than by some random stalker.
Likewise, giving CrowdStrike root access to everything is a bet that you will on the whole be more secure than if you didn't, and for most companies I believe this is true. But if you are Google or AWS you are going to be able to do better than CrowdStrike.
Compelling users to have software indistinguishable in its operation from malware running on their machines for security purposes is, as the expression goes, like fucking for virginity.
They even do per-service stuff: their big AI feature is that it will detect people pasting social security numbers or other PII into ChatGPT and block it.
"encrypt it again" in this case means establishing a new TLS connection to the original host and forwarding the decrypted contents in this new connection. This is obviously required if the original host only had an HTTPS endpoint, and (more importantly) so the traffic isn't exposed on the wider internet.
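The pipeline the first comment and this reply describe (endpoints trust the inspector's CA, the inspector terminates TLS with a forged certificate, looks at the plaintext, then opens a fresh TLS session to the real origin), together with the "block SSNs pasted into a chat service" rule and the URL exceptions mentioned above, as an added example in Go. This is not Zscaler's code, nor code from any commenter or the original page. It assumes hypothetical names throughout: `api.example.test` as the inspected service, `/health` as an exempt path, a crude SSN regex as the DLP rule, and a loopback `httptest` server standing in for the origin; the endpoint is steered to the interceptor with a custom dialer where a real deployment would use a tunnel or PAC file.

```go
package main

import (
	"bytes"
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"regexp"
	"time"
)

// Inspection rule run on decrypted request bodies: a crude "looks like a US SSN" pattern, constructed for this example.
var ssnRe = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

func ContainsSSN(body []byte) bool { return ssnRe.Match(body) }

// issue generates a P-256 key and signs template t with parent/signer (self-signed when parent is nil).
func issue(t, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	t.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	t.NotBefore, t.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil { parent, signer = t, key }
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates the inspection CA every managed endpoint must trust; whoever holds its key can impersonate any TLS site to them.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{Subject: pkix.Name{CommonName: "Example Inspection CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// Intercept listens for TLS on loopback, forging a leaf for whatever SNI name arrives, inspects the
// decrypted request, and "encrypts it again" over a fresh TLS session to the real origin.
// bypass lists URL paths exempt from inspection (the "exceptions" from the post).
func Intercept(ca *x509.Certificate, caKey *ecdsa.PrivateKey, origin *http.Client, originURL string, bypass map[string]bool) (net.Listener, error) {
	mint := func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		leaf, key, err := issue(&x509.Certificate{Subject: pkix.Name{CommonName: h.ServerName}, DNSNames: []string{h.ServerName},
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
		if err != nil { return nil, err }
		return &tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}, nil
	}
	inspect := func(w http.ResponseWriter, r *http.Request) { // runs after the client-side TLS is stripped off
		body, _ := io.ReadAll(r.Body)
		if !bypass[r.URL.Path] && ContainsSSN(body) {
			http.Error(w, "blocked by DLP policy", http.StatusForbidden)
			return
		}
		req, _ := http.NewRequestWithContext(r.Context(), r.Method, originURL+r.URL.RequestURI(), bytes.NewReader(body))
		req.Header, req.Host = r.Header.Clone(), r.Host
		resp, err := origin.Do(req) // new TLS connection: the origin never sees the client's session
		if err != nil { http.Error(w, err.Error(), http.StatusBadGateway); return }
		defer resp.Body.Close()
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: mint})
	if err != nil { return nil, err }
	go http.Serve(ln, http.HandlerFunc(inspect))
	return ln, nil
}

// Demo wires origin, interceptor and a managed endpoint together and returns the status codes the
// endpoint sees for a clean request and for one carrying an SSN (api.example.test is a hypothetical host).
func Demo() (clean, blocked int, err error) {
	origin := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { io.WriteString(w, "origin saw "+r.Host) }))
	defer origin.Close()
	ca, caKey, err := NewCA()
	if err != nil { return 0, 0, err }
	ln, err := Intercept(ca, caKey, origin.Client(), origin.URL, map[string]bool{"/health": true})
	if err != nil { return 0, 0, err }
	defer ln.Close()
	// The managed endpoint: trusts the inspection CA and has its connections steered to the interceptor.
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool},
		DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) { return (&net.Dialer{}).DialContext(ctx, network, ln.Addr().String()) }}}
	post := func(text string) (int, error) {
		resp, err := client.Post("https://api.example.test/v1/chat", "text/plain", bytes.NewBufferString(text))
		if err != nil { return 0, err }
		resp.Body.Close()
		return resp.StatusCode, nil
	}
	if clean, err = post("summarise this meeting for me"); err != nil { return }
	blocked, err = post("my ssn is 123-45-6789")
	return
}
```

Two things this makes concrete: the client's TLS session ends at the interceptor, so the certificate the browser validates is the forged one and the origin only ever sees a second connection from the interceptor's own client, and everything hinges on the CA key inside `NewCA`, which is exactly the trust the first comment is worried about. The endpoint-side alternative argued for elsewhere in the thread would run the `ContainsSSN` check in the client before encryption and need no CA at all.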