Markel + Expel: cybersecurity partnership drives business growth

Markel is a leading global specialty insurer and owns an impressive portfolio of products and services businesses. Markel traces its roots to 1930, when it was started by namesake Sam Markel as an insurance company for jitney buses.

As an organization that insures complex risk, manages diverse investments, and provides a home for great businesses, Markel is committed to doing what’s right in order to win over the long term. That means cybersecurity is among the organization’s top priorities.

Lewis McIntyre, director of Markel’s cybersecurity and incident response team, understands the threat posed by cyber risks. McIntyre started at Markel as a cybersecurity analyst and now leads a team of security professionals responsible for monitoring the company’s networks and providing context and intelligence on the threats that put Markel at risk.

Markel’s cybersecurity team wanted to ensure that the organization’s security infrastructure was able to evolve to support Markel’s growth and success well into the future.

“Being proactive in our approach will position Markel to continue succeeding in the face of the evolving threat landscape,” McIntyre recalls. “While we had the ability to deal with a serious attack, having additional expertise on hand would help us better work through the attack lifecycle. We also needed to maintain ‘business as usual’ while we worked through incidents. We knew there was a clear opportunity to sharpen our approach to handling incidents.”

McIntyre and his team saw this as an opportunity, and understood that with the right tools and support in place, the Markel security operations center (SOC) could evolve from a traditional SOC to a security fusion center—seamlessly integrating various security functions and capabilities into a next-generation center of cybersecurity excellence.

“One of the biggest opportunities we saw that would help us take that leap forward was to add expertise around threat detection and response,” McIntyre recalls. “We had a small team in house, and knew that if we found the right partner for our journey, we’d be better positioned to achieve our goals. We set out to find a vendor that would provide these capabilities, and help us realize our longer-term goals for SOC advancement.”

In addition to robust detection and response offerings, high on the team’s list of requisites for a partner was an alignment of security philosophies. “We were looking for a trusted partner relationship,” says McIntyre. “We weren’t viewing this search as simply getting a point solution, but rather bringing in a company that could grow alongside us, and help us to improve and learn. We wanted to transition from making fear-based security decisions to making risk-based ones.”

After speaking with multiple vendors and evaluating their capabilities, Markel’s cybersecurity team chose Expel, due in large part to its high-touch approach to managed security operations and the fact that the two organizations shared the same vision of cybersecurity as a business enabler.

“Expel showed interest in providing a great product and were invested in getting to know us, as a team. They shared our philosophy for security operations, and demonstrated an understanding of our overarching goals,” notes McIntyre. “We loved how Expel took the time to get to know our environment and understand our pain points. The team knew exactly where they could help uplevel our detection and response capabilities.”

Expel was up and running in Markel’s environment quickly, and the team invested the time to get to know Markel’s team and its specific requirements. This allowed both organizations to challenge one another and push the program forward.

“Every conversation we had with Expel was productive,” says McIntyre. “The team worked to ensure that any changes we made anywhere in our security stack wouldn’t have unexpected or negative outcomes, and vice versa. It was like we had a built-in system of checks and balances.”

Markel reported an immediate improvement in its detection and response capabilities, and felt at ease turning that function over to Expel. McIntyre and his team were then free to get back to the business of leveling-up the overall security function.

“Having Expel allowed us to beat our mean time to remediate (MTTR) by more than 60%. And more importantly, since Expel has eyes on these alerts, our team had the flexibility to get out of the alert queue and focus on maturing our security capabilities,” McIntyre explains. “With Expel, we’re again being creative and thinking critically about how security can support the business. Frankly, it was a big relief—it just wasn’t possible without Expel.”

Integrating SIEM logs into Expel Workbench™, Expel’s security operations platform, was a big contributor to both the scope of Markel’s visibility and the speed at which it responded to incidents. “Folding our SIEM into Expel Workbench gives us a more comprehensive view of our Microsoft 365, Defender, and Azure Active Directory ID security events and alerts,” McIntyre notes. “Together, they enable faster and more accurate incident response. And with more streamlined workflows and less manual effort, we gain back valuable time to address other security needs.”

Additionally, what had previously been a missing piece of the puzzle for the team—Expel’s cloud integration—became an advantage for the company. McIntyre reported that Expel’s custom-written detections for Markel’s cloud environment identify alerts faster and more accurately than the previous vendor.

“The cloud is a significant element to our growth strategy, so we need to ensure our cloud security is tuned to our specific needs,” explains McIntyre. “The way Expel has tuned its rules for our cloud infrastructure gives us peace of mind that we simply didn’t have before.”

Expel doesn’t just support Markel with managing alerts and remediation incidents. McIntyre and his team also rely on the context and intelligence that the Expel Workbench delivers to inform critical decisions about Markel’s security strategies.

“Expel Workbench gives us a view into our entire environment, and is the key to our development of a very focused threat model; and integrating our SIEM has improved the efficiency and effectiveness of our security operations,” says McIntyre. “We’re much more proactive and focused on priority, and have a better understanding of the risks we were managing. The integration enables faster and more accurate incident response. Additionally, it can streamline workflows and reduce manual effort, freeing up resources for other security tasks.”

In fact, Expel helps Markel better identify how it should invest in its cybersecurity capabilities. “One of the biggest benefits we get with Expel is critical information and reports,” McIntyre says. “Our CISO is then able to share this information with the rest of the C-level team and the board of directors to show precisely where we need to add resources.”

The shift to proactive and strategic security operations supports McIntyre’s goal of turning the SOC into a security fusion center, where technology works together seamlessly to support the organization’s goals for growth. Due in large part to its integration strategy, Expel keeps pace with Markel’s innovation, and works arm-in-arm with Markel to make sure that every decision implemented in the SOC is the right one for the organization.

“There’s no way we could have achieved everything we have in our security strategy without a partner who really understands what we’re trying to accomplish,” McIntyre says. “Expel supports our vision, not just in the security realm, but throughout our business.”

When asked if other organizations should consider Expel for their security operations, McIntyre wastes no time with his recommendation: “Absolutely. Expel knows the world of cybersecurity, the team will take the time to understand what your team is trying to accomplish, and they will work with you to make it happen.”

Benefits of partnering with Expel:

• Beat previous MTTR by 64%
• Reduced time spent containing incidents by 90%, often remediating threats in just 30 minutes