
How do you propose businesses keep malware and C2 off their network? You'd have corporate endpoints secretly communicating with any old DNS or SSH or web upload endpoint?



Egress controls and other network boundaries are doing the work there, not MITM. If I can connect to a remote server, I can encrypt my payload before sending it, too. This is a really hard battle to win - you need to store tons of data, have robust analysis systems, rooms full of analysts, etc. before you’re going to be able to tell that, say, the random looking cookie sent to an ad server-like hostname is actually encrypted data, that my Zoom video stream wasn’t company data, or that the “ad” was a control message.

That last is one of the reasons why I think enterprise ad blocking is an important security measure, and a likely outcome for sensitive jobs will be separating sessions - e.g. if you have general purpose browsing happening on a separate computer, some kind of remote session, etc. you will have a much easier time being able to restrict the network connectivity of the system with more sensitive data.
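The "random looking cookie" heuristic the comment describes is what a cheap detector actually ends up doing, and this added example (not the commenter's code) shows why it stays a heuristic: a per-character Shannon entropy check over outbound cookie values. The sample requests, the 3.5 bits/char threshold, the 16-character minimum and the host allowlist are all constructed assumptions for illustration.

```python
import math
from collections import Counter

# Constructed sample of outbound requests as (host, cookie name, cookie value).
# These are made-up values, not captured traffic.
SAMPLE_REQUESTS = [
    ("ads.example-cdn.net", "uid", "a3f9b2c1d4e5f60718293a4b5c6d7e8f"),           # hex-looking blob
    ("shop.example.com", "lang", "en-US"),                                        # low entropy, short
    ("tracker.example-ads.net", "s", "kJ8/2QvX+lm9PqR0tZ3sWnC5yB7dFgHxU1eA=="),    # base64-looking blob
    ("intranet.example.com", "session", "sessid-2024-01-15-user42"),             # structured, readable
    ("sso.example.com", "JSESSIONID", "9F2C4B7E1A8D3F6C5B0E7A4D2C8F1B3E"),         # legitimate random token
]


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, estimated from the value's own character histogram."""
    if not value:
        return 0.0
    n = len(value)
    counts = Counter(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def flag_suspicious(requests, min_len=16, threshold=3.5, allow_hosts=frozenset()):
    """Return (host, cookie name, value, entropy) for values that look like opaque encrypted
    or encoded data: long enough to matter and with entropy above the threshold.
    Hosts in allow_hosts (assumed: known first-party services) are skipped to cut noise."""
    flagged = []
    for host, name, value in requests:
        if host in allow_hosts or len(value) < min_len:
            continue
        h = shannon_entropy(value)
        if h >= threshold:
            flagged.append((host, name, value, round(h, 3)))
    return flagged


def flagged_hosts(requests, **kwargs):
    """Convenience view: just the set of hosts that tripped the detector."""
    return {host for host, _, _, _ in flag_suspicious(requests, **kwargs)}


if __name__ == "__main__":
    for host, name, value, h in flag_suspicious(SAMPLE_REQUESTS):
        print(f"{host:28} {name:12} entropy={h}")
    print("with allowlist:", flagged_hosts(SAMPLE_REQUESTS, allow_hosts={"sso.example.com"}))
```

Run as-is, the detector flags the two ad-tracker cookies, which is what you wanted, and also the SSO session token, which is the false positive the comment warns about: a legitimate random session ID and an encrypted exfiltration blob have the same character statistics. The allowlist reduces that noise only for hosts you already know, which is why egress controls (deciding which hosts may be reached at all) do more of the work than content inspection.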


How will intercepting traffic stop that? They can just use another layer of encryption.

Better to monitor all devices for unusual network behaviour, and monitor the endpoints themselves with antivirus.


I think it's unacceptable for a business to be told "It's literally impossible to know what is being communicated outbound from your endpoint. We can only do heuristics."


If you don't control the endpoint then you can cry about it.


Hot take. I mean, with TLS decryption, the company does control the endpoint, or at least what the endpoint trusts on a network layer. But people here are crying about that.



