As the title says, I am curious whether this is usual and what are alternatives to HTTPS traffic interception to protect a company and for doing incident response & analysis.
I've worked for customers in the past who did this. For the most part it was a huge hassle and didn't really help with incident response and analysis.
You have to install company root certificates on clients, perhaps even merely self-signed ones if they've been particularly cheap and lazy. Then traffic needs to be routed through a firewall / proxy as well.
This in turn can lead to issues with tools such as Maven or NPM. These issues can be hard to debug.
Besides, if you don't know what you're doing - and most companies don't specialise in network security - it's easy to get the setup wrong and create major security problems.
Sometimes the motivation isn't so much protection against malware but rather a petty desire to know what employees are doing.
For these reasons I'd strongly advise against this practice.
As for alternatives:
Follow and encourage the use of accepted best practices.
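One of the practical hassles mentioned above is that developer tools (npm, pip, git, Maven) each keep their own trust store, so a tool that never learned about the corporate root fails TLS verification behind the inspecting proxy with an error that looks like a network problem. The following is an added example, not code from the thread: it checks each tool's PEM bundle for the corporate root by SHA-256 fingerprint. The tool names, config keys (npm `cafile`, pip `cert`, git `http.sslCAInfo`) and the certificate bodies are constructed placeholders; only the fingerprint matching is exercised, and Maven's Java keystore (JKS/PKCS12, not PEM) is out of scope.

```python
"""Check which developer tools' CA bundles actually contain the corporate root.

Added example, not from the thread. Assumes the tools point at PEM bundles
(npm's `cafile`, pip's `cert`, `REQUESTS_CA_BUNDLE`, git's `http.sslCAInfo`)
and that the corporate root's SHA-256 fingerprint is known. The certificate
bodies below are constructed placeholders, not real X.509 certificates.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(bundle_text):
    """SHA-256 fingerprints (lowercase hex) of every certificate in a PEM bundle.

    A certificate fingerprint is the hash of its DER bytes, i.e. of the
    base64-decoded PEM body, so no X.509 parser is needed for this check.
    """
    fps = []
    for body in PEM_BLOCK.findall(bundle_text):
        der = base64.b64decode("".join(body.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def tools_missing_root(bundles, corp_root_fp):
    """bundles: {tool_name: pem_text}. Returns the tools whose bundle lacks the
    corporate interception root; these are the ones that will fail TLS
    verification behind the inspecting proxy."""
    return sorted(tool for tool, text in bundles.items()
                  if corp_root_fp.lower() not in pem_fingerprints(text))


def fake_pem(der_bytes):
    """Wrap constructed bytes as a PEM block (placeholder, not a real cert)."""
    b64 = base64.b64encode(der_bytes).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed sample data: placeholder "certificates" and bundles.
CORP_ROOT_DER = b"placeholder-corporate-root-certificate-bytes"
PUBLIC_ROOT_DER = b"placeholder-public-root-certificate-bytes"
CORP_ROOT_FP = hashlib.sha256(CORP_ROOT_DER).hexdigest()

SAMPLE_BUNDLES = {
    "npm (cafile)": fake_pem(PUBLIC_ROOT_DER) + fake_pem(CORP_ROOT_DER),
    "pip (cert)": fake_pem(PUBLIC_ROOT_DER),
    "git (http.sslCAInfo)": fake_pem(CORP_ROOT_DER),
}

if __name__ == "__main__":
    for tool in tools_missing_root(SAMPLE_BUNDLES, CORP_ROOT_FP):
        print(f"{tool}: corporate root not trusted, add it to this bundle")
```

In practice the bundle texts would be read from the paths each tool is configured with, and the expected fingerprint from the CA's published value rather than computed from the bundle being checked; pinning the check to a fingerprint rather than a subject name also catches a stale copy of a rotated root.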
Yep, we have proxy servers with SSL decryption/inspection. Root CA installed on all company devices.
There are a number of whitelisted URLs (banks, and services that refuse to work with a MITM'ed cert) but other than the initial headache during implementation, it is pretty seamless now.
My current company doesn't do this but I'm curious how it is supposed to help with incident response and analysis. Are you talking about server traffic or employee laptops' traffic?
I can't speak to how common the practice is but it's often an option on firewalls. My understanding of the reasoning behind it is that it allows the company to monitor employees' usage of the network to protect from data exfiltration and malware that uses HTTPS.
It's usually done as part of a firewall that will MITM traffic on the network.
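Two points in the replies above fit together: inspection exists to catch exfiltration and HTTPS malware, yet the whitelist of destinations the proxy does not decrypt (banks, pinned services) is exactly where that inspection is blind. The added example below, not from the thread or from any proxy vendor, shows the kind of check an analyst can run over proxy logs to compensate: for bypassed flows, where payload inspection is impossible, it falls back to upload volume per user and destination, and it reports how large the bypass share has grown. The `key=value` log format, field names, hosts and users are all constructed for the example; a real proxy's log format would need its own parser.

```python
"""Spot HTTPS flows that escaped inspection and look like bulk upload.

Added example (not from the thread). Works on constructed proxy log lines in
a simplified key=value format; real proxies use their own formats.
"""
import re
from collections import defaultdict

# Constructed sample lines: field names, users and hosts are made up.
SAMPLE_LOG = """\
ts=2024-05-01T09:00:01Z user=alice host=mail.example-corp.invalid action=inspected bytes_out=1200 bytes_in=54000
ts=2024-05-01T09:00:07Z user=alice host=bank.example.invalid action=bypassed bytes_out=900 bytes_in=30000
ts=2024-05-01T09:01:15Z user=bob host=update.vendor.invalid action=inspected bytes_out=300 bytes_in=95000000
ts=2024-05-01T09:02:40Z user=carol host=files.share.invalid action=bypassed bytes_out=48000000 bytes_in=2000
ts=2024-05-01T09:02:41Z user=carol host=files.share.invalid action=bypassed bytes_out=52000000 bytes_in=2100
ts=2024-05-01T09:03:00Z user=dave host=repo.maven.invalid action=inspected bytes_out=400 bytes_in=12000000
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict with numeric byte counts."""
    fields = dict(LINE_RE.findall(line))
    fields["bytes_out"] = int(fields.get("bytes_out", 0))
    fields["bytes_in"] = int(fields.get("bytes_in", 0))
    return fields


def find_uninspected_uploads(log_text, threshold_bytes=10_000_000):
    """Return {(user, host): bytes_out} for bypassed flows whose summed upload
    per user/host pair reaches the threshold.

    Bypassed (not decrypted) destinations are where content inspection cannot
    see what left the network, so volume is the signal that remains.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("action") != "bypassed":
            continue
        totals[(rec["user"], rec["host"])] += rec["bytes_out"]
    return {k: v for k, v in totals.items() if v >= threshold_bytes}


def bypass_ratio(log_text):
    """Fraction of flows that were bypassed: a sanity metric for how much of
    the traffic the inspection whitelist has quietly carved out."""
    recs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    if not recs:
        return 0.0
    return sum(1 for r in recs if r.get("action") == "bypassed") / len(recs)


if __name__ == "__main__":
    for (user, host), n in find_uninspected_uploads(SAMPLE_LOG).items():
        print(f"review: {user} uploaded {n} bytes to uninspected host {host}")
    print(f"bypassed share of flows: {bypass_ratio(SAMPLE_LOG):.0%}")
```

The threshold is deliberately a parameter: large downloads from an update server are routine, so the check keys on `bytes_out`, and a per-pair sum rather than a per-flow test catches an upload split across many requests.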
The employee laptops' traffic. I don't have many details since this is new to me too. Here is one solution and what it does. https://www.netskope.com/solutions
Educate and trust your employees about security.