Expel insider · 5 MIN READ · SCOUT SCHOLES · OCT 31, 2024 · TAGS: AI / EDR / Managed security
TL;DR
- ICYMI: We recently announced that Kevin Mandia joined Expel’s board of directors
- We hosted a fireside chat with Expel CEO David “merk” Merkel and Kevin Mandia where they covered the future of cyber defense (you can watch the recording here)
- This blog recaps their unplugged chat, and answers customer questions from the discussion
Expel’s CEO David “merk” Merkel and Kevin Mandia, founder of Mandiant and Expel’s newest board member, recently got together for a no-holds-barred chat. These security pioneers covered everything from the state of cybersecurity now to what they’re expecting in the future of cyber defense, and even answered a few questions along the way. Here are some of the highlights—check out the full recording for all the commentary!
Changes in the managed security market
Since merk and Kevin first met in the Air Force at the beginning of their careers, the market around managed security has changed drastically. For starters, it used to be mostly physical security, and cybersecurity was the new, emerging market. Together, they’ve seen the market go through phases based on how customers are solving their security challenges, from DIY to MSSPs to MDR.
When Mandiant was founded in 2006, the future was clear at the time. Mandiant was an endpoint company with a clear strategy: respond to every breach that matters, and then build an endpoint technology to detect what was missed. In short, responding to every breach was strategically important for good security. And conceptually, the idea for managed security is the same today.
The difference now is that the path to delivery has changed. Bad actors still break in, install malware, and you have to go hunt it down—faster than it can break down your tech. In today’s version of that scenario, though, everyone is armed with more data and stronger technology—like AI—meaning better security models and learning systems can be explicitly targeted to fit unique customer needs, based on unique customer data. And it’s those unique solutions that are the answer to success in today’s market.
The delivery of protection may change, but the goal of responding to every breach—strategically—remains the same.
MDR is critical to a sound cybersecurity strategy today
As Kevin said, “If you’re taking a calculus test with 50 people who don’t know calculus, throwing more people at it won’t get you a better test score. You need a calculus expert to nail the test, and security is the same way. One security expert is often worth infinite nonexperts, and no CEO of a company wakes up and goes, ‘my top priority is cyber defense.’”
Cybersecurity is something business leaders care about, because it can make or break their goals of delivering their product to the market and generating value. But none of them have time to observe the inner workings of their entire tech stack while simultaneously becoming security experts to manage that themselves.
Every company needs cybersecurity, regardless of industry, size, or location. There’s no reason for anyone to do it alone, especially in today’s landscape where security experts—like MDR providers—exist, ready and willing to help protect your attack surfaces.
The future of threats, MDR, and cyber defense
The short answer is that threats—and crime—will persist. They always have, and they always will as a part of human history. But in today’s and tomorrow’s world of cyber threats and crime, the risk is only growing bigger. Technology changes, and more and more things are shifting to a digital landscape. This opens up cyber spaces to more risk, both financially and based on the supply chain of software in today’s landscape. And at the end of the day, people will people, so the format of threats just changes based on the landscape.
For MDR specifically, we’ve learned based on experience that customers want to buy a product without having to buy a team to manage the product. But the challenge with that today is complexity. You have customers of all shapes and sizes across the globe, and on top of that, their tech stacks are vastly different. No two are the same, and some are antiquated; others are shiny and new, and most are a combination of both. MDR providers’ biggest future challenge is creating a security solution that works for all of those.
And overall? Optimism is key. It’s very easy to look at the constant threat of crime knowing it’ll never fully be solved, and immediately lose focus on fighting against adversaries. No one likes losing all the time, so you have to shift your mindset. Working in cybersecurity is great job security, because threats aren’t going to ever disappear. And the best part—in Kevin’s opinion—is that we get to be on the frontlines for change. Whether it’s identifying an actual criminal and stopping them or shaping policy, there’s still so much to accomplish in this space.
Questions from attendees
We’ve asked merk to answer two additional questions we received after the event, and are sharing that Q&A here because they’re great questions to consider.
Modern security reminds me of an ourboros, just an infinite loop of abstractions and dependencies until the snake is eating its own tail, so I understand AI and generative learning models being inevitable. But how do Kevin and merk see the industry balancing automated systems and human guardrails in a sector where the human element is always a factor and a threat vector?
merk: “The ouroboros analogy is dead on. We’re in a cycle of more threats, more tools, and more data than people alone can handle. Automation, especially with AI and machine learning, is necessary. It processes high-volume, repetitive events, allowing our experts to focus on the stuff that actually needs a human mind. But AI isn’t a replacement; it’s a force multiplier. Automation sorts through noisy alerts and adds context, and people make the important judgment calls.
“But here’s the thing: automation isn’t a silver bullet. While AI can improve how automation handles vast data streams and detect patterns faster than humans, the role of people in this space is still pivotal. Expel sees a hybrid model as the way forward, where machines handle the grunt work, flag anomalies, gather critical intel on incidents, and execute predefined remediations. Self-driving cars are a good example: powerful technology, but you still want a person behind the wheel when it counts. Human analysts remain essential for higher-level oversight, context-based decision-making, and adapting to the nuances of each unique threat landscape.
If you want to know more about this, Kevin expands on his thoughts on GenAI ‘helping the defender more’ in this recent CRN article.”
Kevin stated that the real key to security is attribution and reduction of safe harbors, and hinted he saw ways the latter was possible. How do we reduce safe harbors for bad actors/APTs in countries like Russia and North Korea that, for obvious reasons, have no desire to comply with US law enforcement attempts?
merk: “Kevin’s point is clear: without accountability, attackers will keep operating out of safe harbors, so the focus needs to be on making those harbors less safe. He emphasizes that attribution—knowing exactly who’s behind an attack—is key. When we can accurately identify attackers, nation states can push for coordinated international pressure, like sanctions or legal actions that limit where these actors can operate freely. Having the attribution information—and the impact of attacks—provides political impetus to go and do something about it.
Kevin sees a path forward where reducing safe harbors isn’t just about technology; it’s about creating real-world consequences through alliances and cooperation. This multi-pronged approach—attribution, diplomatic pressure, and enforcement—is how we make progress in holding threat actors and the countries that harbor them accountable.”
You can watch the full webinar with even more banter and commentary from merk and Kevin here. Questions? Share them here and we’ll have an Expel security expert reach out.
