Web traffic has always been a major route for malicious users and software to get into a business. The long-standing answer has been URL filtering, more recently complemented by DNS filtering, and together these two controls have worked well.
However, with the introduction of TLS 1.3 and encrypted DNS (DNS over HTTPS, DoH, and DNS over TLS, DoT), this visibility is disappearing. TLS 1.3 encrypts more of the handshake than earlier versions, so it is much harder for a proxy to intercept a client's HTTPS session, decrypt it, inspect it for malicious content and re-encrypt it onward. Encrypted DNS causes the same problem for DNS filtering: the proxy can no longer see what name is being looked up.
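One practical first step for a defender is to measure where this visibility is already being lost on the network. The script below is an added example (not code from the original post) that scans a constructed, tab-separated connection log and flags three blind spots: DNS over TLS (TCP/853), TLS sessions to a known DNS-over-HTTPS resolver (identified by SNI), and TLS 1.3 sessions, where the server certificate is encrypted in the handshake and only the SNI remains visible to a passive inspector. The log format, the sample lines and the resolver hostname list are all assumptions made for the example.

```python
"""
Audit a connection log for traffic that a URL/DNS filtering proxy can no
longer inspect.  Example code, not from the original post.

Assumed log format (constructed for this example, tab-separated):
    timestamp  src_ip  dst_ip  dst_port  tls_version  sni
A '-' marks a missing value.
"""
from dataclasses import dataclass

# Constructed list of public DoH resolver hostnames; a real deployment
# would maintain and update its own list.
DOH_RESOLVER_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOT_PORT = 853   # DNS over TLS uses TCP port 853
HTTPS_PORT = 443

# Short explanation attached to each finding category.
REASON_TEXT = {
    "dot": "DNS over TLS on tcp/853: query names are not visible",
    "doh": "TLS to a known DoH resolver: queries are hidden inside HTTPS",
    "tls13": "TLS 1.3: server certificate is encrypted, only SNI is visible",
}


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    reason: str


def parse_line(line):
    """Split one log line into a record; raises on malformed input."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    ts, src, dst, dport, version, sni = fields
    return {
        "ts": ts,
        "src": src,
        "dst": dst,
        "dport": int(dport),
        "version": version if version != "-" else "",
        "sni": sni.lower() if sni != "-" else "",
    }


def classify(rec):
    """Return the list of blind-spot categories that apply to a record."""
    reasons = []
    if rec["dport"] == DOT_PORT:
        reasons.append("dot")
    elif rec["dport"] == HTTPS_PORT and rec["sni"] in DOH_RESOLVER_HOSTS:
        reasons.append("doh")
    if rec["version"] == "TLSv1.3":
        reasons.append("tls13")
    return reasons


def audit(lines):
    """Run classify() over every non-comment line and collect findings."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        for reason in classify(rec):
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], reason))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'dot': 1, 'doh': 1, 'tls13': 3}."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Constructed sample log.  203.0.113.0/24 is a documentation range;
# 8.8.8.8 and 1.1.1.1 are well-known public resolvers.
SAMPLE_LOG = """\
# ts\tsrc\tdst\tdport\ttls_version\tsni
2024-05-01T10:00:01Z\t10.0.0.12\t203.0.113.10\t443\tTLSv1.2\tshop.example.com
2024-05-01T10:00:02Z\t10.0.0.12\t8.8.8.8\t853\tTLSv1.3\tdns.google
2024-05-01T10:00:03Z\t10.0.0.15\t1.1.1.1\t443\tTLSv1.3\tcloudflare-dns.com
2024-05-01T10:00:04Z\t10.0.0.15\t203.0.113.10\t443\tTLSv1.3\tshop.example.com
2024-05-01T10:00:05Z\t10.0.0.20\t10.0.0.53\t53\t-\t-
"""

if __name__ == "__main__":
    results = audit(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.ts} {f.src} -> {f.dst}: {REASON_TEXT[f.reason]}")
    print("summary:", summarize(results))
```

The plain DNS query to the internal resolver on port 53 is deliberately not flagged: that is the traffic a DNS filter can still see. In practice the DoT and DoH categories are the ones to act on first, because they bypass the DNS filter entirely, whereas the TLS 1.3 category only reduces what an inspecting proxy sees unless a trusted interception certificate is in place.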
The hard answer
Deploying a certificate infrastructure in which the proxy holds a certificate that is trusted by, and pushed to, every client is one way to remediate part of the problem; however, it is not an easy task, especially with BYOD.
The future?
This means the endpoint is becoming the greater focus for protection. Endpoint protection (EPP) software with anti-malware capabilities that integrates with the web browser, and can make decisions about URL and DNS requests before they are encrypted, seems to be the best way forward.