The first approach is, IMO, more realistic. Although you can't prevent the exfiltration, you can detect it lazily after it's happened, including where it went, what was sent, etc. Although I'm sure several companies support this, [Eastwind Networks](https://www.eastwindnetworks.com/) does a great job for Cloud and on-prem workloads.
The second option, while more thorough, requires big boxes to run, doesn't scale well, is hard to install on clients (the only way I know to "break" HTTPS is to install a custom CA on all clients and MITM all public traffic, which would break for sites using HSTS and HTTP Public Key Pinning). It's only vaguely feasible, and is fraught with issues.
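The "detect it lazily after it's happened" approach from the first option, shown as an added example that is not part of this thread and not any vendor's product: a retrospective pass over captured flow records that answers "where did it go and how much was sent". The flow records, the `KNOWN_GOOD` destination list and the byte/ratio thresholds are all constructed for the demo; a real deployment would read exported NetFlow/IPFIX or PCAP-derived flows and tune the thresholds to its own baseline.

```python
"""Retrospective egress analysis over captured flow records (example code)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dst_port: int
    bytes_out: int
    bytes_in: int

# Constructed sample records, not real traffic: ts,src,dst,dst_port,bytes_out,bytes_in.
# Two hosts push large uploads to an unknown external address, one over 443, one over 22.
SAMPLE_FLOWS = """\
2024-05-01T09:00:00Z,10.0.1.20,10.0.0.5,445,20480,512000
2024-05-01T09:05:00Z,10.0.1.20,203.0.113.10,443,8192,65536
2024-05-01T09:30:00Z,10.0.1.20,198.51.100.77,443,734003200,40960
2024-05-01T09:31:00Z,10.0.1.21,203.0.113.10,443,4096,98304
2024-05-01T10:00:00Z,10.0.1.22,198.51.100.77,22,524288000,8192
"""

# Hypothetical allow-list of sanctioned external destinations (SaaS, CDN, ...).
KNOWN_GOOD = {"203.0.113.10"}
# RFC 1918 ranges treated as internal; checked explicitly rather than via
# ipaddress.is_private, which also classifies the TEST-NET ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UPLOAD_BYTES_THRESHOLD = 100 * 1024 * 1024  # 100 MiB outbound per (src, dst, port)
RATIO_THRESHOLD = 10.0  # out/in ratio typical of a bulk upload, not of browsing

def parse_flows(text: str) -> List[Flow]:
    """Parse the CSV-style flow export into Flow objects."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, out_b, in_b = line.split(",")
        flows.append(Flow(ts, src, dst, int(port), int(out_b), int(in_b)))
    return flows

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_exfil_candidates(flows: List[Flow]) -> List[Dict]:
    """Aggregate outbound volume per (src, dst, port) to external, non-allow-listed
    hosts and flag conversations that look like bulk uploads."""
    agg = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "first_seen": None})
    for f in flows:
        if is_internal(f.dst) or f.dst in KNOWN_GOOD:
            continue
        key = (f.src, f.dst, f.dst_port)
        a = agg[key]
        a["bytes_out"] += f.bytes_out
        a["bytes_in"] += f.bytes_in
        a["first_seen"] = a["first_seen"] or f.ts
    findings = []
    for (src, dst, port), a in agg.items():
        ratio = a["bytes_out"] / max(a["bytes_in"], 1)
        if a["bytes_out"] >= UPLOAD_BYTES_THRESHOLD and ratio >= RATIO_THRESHOLD:
            findings.append({"src": src, "dst": dst, "dst_port": port,
                             "bytes_out": a["bytes_out"], "out_in_ratio": round(ratio, 1),
                             "first_seen": a["first_seen"]})
    # Largest upload first, so the analyst sees the worst conversation at the top.
    findings.sort(key=lambda x: x["bytes_out"], reverse=True)
    return findings

if __name__ == "__main__":
    for hit in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f'{hit["first_seen"]} {hit["src"]} -> {hit["dst"]}:{hit["dst_port"]} '
              f'{hit["bytes_out"] / 2**20:.0f} MiB out (ratio {hit["out_in_ratio"]})')
```

This is the deferred-analysis trade-off in miniature: it needs only flow metadata retained for the capture window, it works regardless of TLS because it never looks at payloads, and it tells you after the fact which host talked to which destination and how much left. It cannot tell you what the bytes were, which is precisely what the second option pays for with interception.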
My company utilizes Corvil appliances and network taps on the switches to monitor activity. We mostly use it for metrics, but no reason it couldn't monitor exfil. Only problem is it only has enough storage for about 3-4 days of network traffic.
* Network traffic capture for deferred analysis
* Egress analysis (including decrypting SSL/HTTPS)