Behavior Is the Battlefield: Rethinking the Cyber Perimeter
On the 28th episode of Enterprise AI Defenders, hosts Evan Reiser and Mike Britton, both executives at Abnormal AI, talk with Rob Nolan, Vice President and Chief Information Security Officer at Expeditors. Expeditors is a Fortune 500 freight and logistics company, powering over 25% of all U.S. customs clearance. They enable global trade and supply chain resilience for many of the world’s most recognizable brands. In this conversation, Rob shares how AI is changing the attack surface and the defensive playbook, why behavior and identity have become the new cybersecurity perimeter, and how AI helps enterprise defenders flip the script and regain their advantage.
AI is transforming cybersecurity on both sides of the battlefield. As attackers use AI to launch faster, more personalized threats, defenders are rethinking their strategies—shifting focus to behavior, identity, and proactive, AI-powered defense. For Rob, the shift in threat dynamics is clear. “From my point of view… it feels a bit asymmetric in that we’re on the losing side of that.” He describes a growing gap between attackers and defenders, not because of a lack of talent but because of capacity. “No matter what, we’re always going to feel like we’re a couple of steps behind.” Attackers are getting faster and more tailored, using AI to create detailed, company-specific messages that target employees with increasing precision. “It always starts with the user and trying to convince them that this is the right action they should take,” Rob explains. “Pulling available evidence from the internet in a faster way, and then turning around and using that as a way to convince somebody to take an action that they normally wouldn't—that's the first element.” To combat this, Rob’s team focuses on understanding their environment better than the attackers. “It's ensuring that we can then turn around and flip the script effectively, making our environment more prone to alerting and identifying anomalies… so that we can track those things down in the event that they breach our defenses.”
The shift toward identity and behavior as the new perimeter is central to Rob’s strategy. “You know, they're the perimeter, effectively, right? Everywhere that person is, they're holding something or have one way into your environment.” Understanding and tracking normal behavior allows defenders to identify threats based on deviations from those patterns. “If we associate that to the assets they're trying to use, whether that be data or physical devices, then it becomes even easier for us to see, okay, this is a common pattern.” That behavioral context grows over time. “As an entity within your network or within your organization grows, so does their pattern. Certain things fall off, and new things grow… knowing and tracking those behaviors over time has just been the main driver.” And this approach extends beyond detection to how teams build their training and programs. “We're much better off teaching them the right way to do it so that they can do their job, be more effective, and use AI responsibly.”
Despite the asymmetric threats, Rob sees a clear path forward for defenders: leveraging AI themselves. “The reality is that if I think about a solution that helps us defend against AI attacks, it's more AI.” His team has started “operationalizing our defenses around our communication stack, our collaboration stack… identifying abnormalities within them, and trying to stop them or at least to inspect or interrogate them when necessary.” That focus on communication is deliberate. “Outside of misconfiguration, it's usually the human.” Rob’s vision is for a platform that uses existing telemetry to learn context over time. “There are systems already today that exist… and help them capture logs from specific critical business systems.” The key is feeding enough data into AI models to learn patterns and flag anomalies without compromising privacy. “Managing that in either a supervised way or a non-supervised way or having the AI manage the AI is likely the way that we'll track and get ahead of some of these threats that we don't know yet about.”
For Rob Nolan, defending the enterprise isn’t just about blocking threats—it’s about enabling the business while staying one step ahead of attackers. And that starts with knowing the industry inside and out. “The first thing that I want to do when I step into a company is how do we make money? What does this organization do? Because if I don't fundamentally understand that… you likely won't get fired for implementing the right solutions, but you won't be much of a value to the company.” At Expeditors, where cybersecurity impacts not just internal operations but global supply chains, Rob is building a playbook focused on behavior, identity, and AI-driven insights. “Cybersecurity matters for us because we're a customer's first company… We have thousands of customers all over the world who depend on us to be reliant, resilient, and available.” Rob's team is proving that defenders can still have the upper hand by flipping the script with AI and putting people at the center of defense.
