Flagging data streams larger than a gigabyte is going to tag every high-quality Microsoft Teams call that goes on for longer than an hour. Also, sometimes I have to upload a disc image or Docker image somewhere. I can’t imagine a company where you had to justify yourself every time that happened.
Most of the time the exfil doesn’t go to Russian IP space or anything like that. It goes to an S3 bucket controlled by the attacker, and looks exactly like backup or replication traffic.
Network-layer security devices are pretty useless in 2023. Everything is encrypted and everything talks to everything else as part of “normal” operations.