Security Unlocked 9.15.21
Ep 44 | 9.15.21

Entering the Virtual Battlefield


Nic Fillingham: Hello, and welcome to "Security Unlocked," a new podcast from Microsoft where we unlock insights from the latest in news and research from across Microsoft security, engineering and operations teams. I'm Nic Fillingham.

Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft security, deep dive into the newest threat intel, research and data science. 

Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft security. 

Natalia Godyla: And now let's unlock the pod. 

Natalia Godyla: Hello, everyone. Welcome to another episode of "Security Unlocked." I'm super excited to share our guest for today. We will be joined by Justin Underwood, who doesn't often speak publicly. So really excited that he was willing to join us for the podcast. 

Natalia Godyla: Justin has a long career in intelligence. He started in the military as a human intelligence collector, has worked to identify human sex traffickers and now works at Microsoft in our internal threat intelligence team. And I'm super excited for you to hear his explanation of human intelligence collector. I am just about to read Asimov, so I have a sci-fi headspace right now and definitely think of that role as some librarian of human intelligence in a future world. But he does a great job of describing that role and how it's informed his current career in threat intelligence, as well as details and trials and tribulations of making the transition from military life to private industry, which, if you are someone who is interested in making that transition and/or know someone who is, I think this is a really great episode for you. And I think with that, on with the pod. 

Natalia Godyla: Hello, Justin. Welcome to the podcast. Super happy to have you on today. 

Justin Underwood: Thank you. 

Natalia Godyla: Well, let's start with introducing you to the audience. So who are you? What is a day-to-day at Microsoft look like for you? 

Justin Underwood: Absolutely. My name is Justin Underwood. I am the senior threat intelligence analyst for a group known as OpTIC. That's the Operational Threat Intelligence Center at Microsoft. And our goal is to protect internal Microsoft. So you may be familiar with other intelligence or threat intelligence groups at Microsoft, such as MSTIC, the Microsoft Threat Intelligence Center. I'm bringing them up because to differentiate us, they're more of the nation-state-focused, customer-facing sort of side. And they partner with law enforcement and other agencies, while my team is focused on internal Microsoft. So we're the internal all-source intelligence cell or the internal threat intelligence group that - due to our understanding of the environment, we use that to surface or discover threats or ongoing attack campaigns and share that across the broader Microsoft, if you will. So we are focused, again, on internal, but given the complexity of our environment, we're constantly partnering with other teams to share insights or to get insights or to help substantiate some of our reporting and analysis. 

Natalia Godyla: And what are you working on right now? What big projects are you currently tackling? 

Justin Underwood: One of my current focuses is incident support. And by that, I mean whenever an incident does occur at Microsoft - again, speaking to the many disparate teams, both geographically dispersed or just different focus areas or in area of operations. One of the things that we do - my team - is try to collect all of the intelligence and, to be specific, these are indicators of compromise or tactics, techniques and procedures, or TTPs, which - we use the MITRE ATT&CK framework to kind of capture that. 

Justin Underwood: And so we collect and aggregate all of the findings from an incident and - with the end goal of empowering and enabling defenders to search for further activity or to basically ensure they've done a complete or holistic search in relation to the current threat that we're tracking. So we're trying to - speaking to currently, we're trying to evolve and build out that process. We're, you know, testing out a different tool right now. 

Justin Underwood: And mainly, the partnering with other teams has to do with ensuring everybody's bought into the process and that it's properly briefed or shared whenever an incident kicks off. Because to use the phrase fog of war, sometimes during the highly complex or more larger incidents, there can be quite a bit of confusion. Because it's just kind of the nature of it. 

Justin Underwood: We're talking about security and intelligence professionals as well as incident responders, but we also have to partner with engineering groups - I mean, marketing people or product group people. And so trying to give everybody that single-pane-of-glass view into what intelligence there is in regards to an incident - that's what I'm currently focusing on developing further, again, with the focus being internal incidents report. So that's currently the main thing. Also, we're going through a hiring push. 


Justin Underwood: Trying to do all the interviews with candidates, so I've been on the phone a lot the past two weeks. 

Natalia Godyla: Very nice. So what did it look like before? It sounds like - you said it's an evolution. But when you're trying to pull all of this disparate data, were you looking at just too many tools and you're trying to bring it all into, like you said, one single pane of glass? What does that evolution look like? Or what does the before look like? 

Justin Underwood: Sure. Well, let's see. I started at Microsoft as a vendor about nine years ago. And so the first few years we were here, all of that happened in a spreadsheet. Now, much love to Excel. I mean... 

Natalia Godyla: (Laughter). 

Justin Underwood: Great for analysis, or - excuse me. It's great for an analyst to kind of collect some data in there, but it's not great to kind of talk about the intelligence lifecycle. Sharing - disseminating intelligence from a spreadsheet is, well, atrocious. 


Justin Underwood: Because the ability to edit, you know, version histories, et cetera, et cetera. So I mean, and it's still done, to some degree, at a lot of other companies and organizations, where they utilize a spreadsheet for the entirety of their forensics, for their indicators. But it's just not scalable. And so that's how it's done. That's how it was done. 

Justin Underwood: And so what we try to do is to focus on the collection side of it - of the intelligence lifecycle, is standardization of information, first off. So wherever you pass over information or information is surfaced, we ensure that it's processed so that it's uniform. The main reason for that is automated collection platform. So the evolution has been spreadsheets to a threat intelligence platform, which - we then use Kusto heavily for the dissemination component because, you know, again, structured data - that's the way to deliver it to both defenders and analysts. So it's gone from spreadsheets to Kusto, is the simplest way that I could describe it. 

Justin Underwood: But there's many other components to it. Again, just trying to give people that common place to surface intelligence, you know? That's another key part of the process. Because we have Teams. We have Outlook. You know, we used to have Lync and we used to have Skype and things like that. So a lot of side-channel conversations are occurring because, you know, knowledge sharing. You're working with some of the subject matter experts to get a better understanding of activity that you're seeing. 

Justin Underwood: And so being the person that has to go out and proactively discover in ways through OneNotes, through a random call you heard where somebody mentioned a new host name or something like that, our goal is to get that data, standardize it and then disseminate it to all of the defenders, again, to ensure they're able to search for the threat that we're actively hunting. So it's been a lot. But there's always more places to go. So... 

Natalia Godyla: I find it funny that - when talking to folks in threat intel, that Excel comes up as a tool and Twitter as a tool for collecting (laughter) data. Just goes... 

Justin Underwood: Absolutely. 

Natalia Godyla: ...To show - I mean, those are - they're not sophisticated tools. Then it must be hard to collate all the information if you're just pulling it from a Twitter feed. 

Justin Underwood: (Laughter). 

Natalia Godyla: So how did you find your way to Microsoft and cybersecurity, for that matter? 

Justin Underwood: Absolutely. Well, after I got out of the Army - I got out of the Army in 2012. And how I got into the threat intelligence space, which - we can talk about the difference between cybersecurity and threat intelligence. I'm sure that will come out as well. But how I got into the threat intelligence space was, once I got out of the Army, went to college, one of my friends got hired at Bank of America for a new threat intelligence group that they were standing up. And he told me, you're perfect for it. I had a bit of a background in technology. Again, my main discipline's intelligence. 

Justin Underwood: So I got into Bank of America, and I worked there for about a year. And then I saw an opportunity at Xbox for what was known as XSEC at the time, Xbox Security. Being a gamer as well as wanting to work at Microsoft because I lived in the area, I applied for it. And it was for a - essentially a SOC analyst - security operations center analyst - with a little bit of incident response. Extremely small team. I applied for there and got the position. I worked there for about eight months - or, excuse me, 18 months. 

Justin Underwood: And then I saw a position for another vendor over at where I am currently for a threat intelligence analyst. And I knew I wanted to get back into the intelligence space, in particular with my experience at Xbox really informing my cybersecurity understanding and how that really operates at scale in an enterprise such as Microsoft. So if it wasn't for my time in cybersecurity in that way - obviously I still am in cybersecurity in a lot of ways, but those are my customers, more so. But I got all of that experience and understanding at Xbox, and that's really empowered me to be a more informed and useful intelligence analyst, I would argue. 

Natalia Godyla: So you referenced your background in intelligence. And on LinkedIn, your title was human intelligence collector, which I love. It sounds like, I don't know, an antiquarian of human intelligence in a sci-fi film. So... 

Justin Underwood: (Laughter). 

Natalia Godyla: I have to ask. What was that role? What did you do as a human intelligence collector? 

Justin Underwood: Absolutely. Well, arguably, human intelligence is the oldest form of intelligence. And so the core responsibilities I had were interrogations and source operations, source operations being where you're trying to recruit or, to simplify, befriend somebody who has access to - we'll just say enemy data, where they have access to information that we're trying to seek from the enemy to better understand the threat, if you will. And so source operations is just, you're recruiting friends... 

Natalia Godyla: (Laughter). 

Justin Underwood: ...For whatever reasons - there's a lot behind that - so that I can get the information, interrogations. And liaison - so partnering with, like, key leaders in the area. In particular, I've worked in Korea and Iraq. Those were, like, the two main places I operated in. 

Natalia Godyla: So in that role, you're profiling people. And in your current role today, in some sense, you're using a similar skill, but you're profiling threat actors and - who perpetrate cybercrimes. So you know, how has your time in the military helped your roles in private industry, either your incident response background, your SOC analyst background or your threat intelligence role today? 

Justin Underwood: So just general military experience is - it really taught me how to understand what steps need to be taken to accomplish a task or to answer a question. I mean, really, I'm about to just talk about PMing - project managing - right now. So... 

Natalia Godyla: (Laughter). 

Justin Underwood: ...Understanding how to break down tasks into, like, achievable goals and how to delegate in some ways or prioritize being kind of the main. There's plenty of questions you can answer. And so it really helped me understand what is the valuable thing that I can bring to whatever my leadership is curious about. It especially helped with that. 

Justin Underwood: And as far as the intelligence space, that's really - that's how I got into the intelligence discipline. I - this job I'm in right now I didn't even know existed when I was a kid. So it's just - it really exposes you to, I mean, to simplify, the world, the geopolitical complexity that you come across in your daily job as - I mean, even as, like, a private first class, I'm in Korea, like, interfacing with people who I'm like, y'all are way more important than me. 


Justin Underwood: How did I get here? I guess that's imposter syndrome more than anything. 

Natalia Godyla: (Laughter). 

Justin Underwood: But it really kind of exposed me to the complexity of the world. And working at Microsoft, there's obviously a similar level of complexity due to the international footprint and the partnerships we have with government agencies all over the world. So it helped me to be able to be functional in that kind of environment, especially a fast-paced one. So like, you know, ruthless prioritization and how to actually accomplish a task in a timely enough manner to make it worthwhile - it taught me that. 

Justin Underwood: I think the shortest sort of summary of what the Army told me about intelligence that - you ask people on my team, I will say this ad nauseam... 

Natalia Godyla: (Laughter). 

Justin Underwood: ...Is that intelligence is worthless unless shared with the right people at the right time with the right context. Because you can imagine, you know, certain agencies or certain intelligence groups - they do have to protect their sources and methods. But I think that sometimes, it gets - well, secret squirrel. That's the joke that people - it gets too secret squirrel. Like, it's understandable in a lot of ways, but, you know, working, especially in the Army, with, you know, other foreign intelligence agencies, there's a whole lot of, I wish you would have told me that sooner (laughter). 

Natalia Godyla: What's been different about your two experiences? And truthfully, how hard was it to make the transition from military to private industry? 

Justin Underwood: Well, I think one component, to speak to your last part of your question, of the difficulty is, for better or worse, the military pretty much gives you a roadmap of what you're supposed to be doing. And that goes from day-to-day to the career paths. Now, obviously, there's a lot of options. You've got to earn it. But getting out, there is a whole lot more unknown. And speaking anecdotally, I know that some of my friends - like, one of the reasons why they don't get out is like, I don't know what to do next. And so that really - the uncertainty is a huge component of it. 

Justin Underwood: And I knew when I was getting out of the Army - I was like, OK. That - I did what - I accomplished what I wanted to. So that made it a little bit easier. But yeah, the difficulty is, you have all the options available to you as a civilian in that way. The benefit is also you have all of these options available to you. It's just, really, you have to understand what you actually want to do. And then there's no clear path to achieve it. 

Justin Underwood: And so I think the uncertainty component is usually the hardest of the transition. Obviously, if you can get a role, like - what is it? - the MSSA program, the - what is it? - Microsoft Software and Systems Academy. That's a program that I wish I knew about when I got out. Because the point of it is, it puts you into sort of a training pipeline that results in you getting experience at Microsoft out of the military. And I have quite a few friends who have done it to great success. And I wish I would have known about that sort of transitional stuff before I got out. I mean, that could be obviously my own fault not seeking that out. But that could really address some of the uncertainty components of, how do I take my existing skills that I picked up here in the military and move them over? And that's one of the best programs I've seen for that transition. So wish I would have known about it earlier. 

Natalia Godyla: And to clarify, it is purely for veterans who are looking to enter private industry. It's not for general training to test out different roles. 

Justin Underwood: That's correct. 

Natalia Godyla: OK. Awesome. 

Justin Underwood: This is a Microsoft-specific transitional program that you can start while you're still in the military. But yes, it's also available to veterans. I don't know the details around, like, timing and, you know, how long you've been out... 

Natalia Godyla: Right. 

Justin Underwood: ...And things like that. But yeah, it is a - specifically aimed at currently serving or previously served, wanting to transition into Microsoft. 

Natalia Godyla: I think this is a perfect tee up for the next question. So for any of our listeners who are mid-transition, thinking about transition, know someone who wants to transition to private industry, what do you recommend? It sounds like there are some resources out there. But what else has helped you make the transition? 

Justin Underwood: I would say schooling - like, using the GI Bill. If nothing else, it makes it a lot easier to transition because, obviously, the resources that you're given during that. So I mean, first step, I want to say identify what resources are available to abstract a little bit. So the military provides a whole lot - differing levels of value, of course. But so see what's available to you, GI Bill just being one of the anecdotes that's been extremely helpful. 

Justin Underwood: The other one is more of an inward thing of, like, what are you actually trying to accomplish? Like, what not necessarily interests you, but what engages you? So you could be interested in something, but then when you're actually doing the work, you're like, I enjoy being aware of it, but actually doing some type of work - like data science. I'll give an example for me. Data science is fascinating to me. The way that people are able to interact with large data sets and, you know, pull analytics out of it is fascinating. And so, like, I looked into some of it, but I'm not a math guy, to simplify. Like, I understand where my skill sets are. I could learn those skill sets, but I wasn't passionate about it. I was passionate about the goal, but not the process. 

Justin Underwood: And so I realized, like, if you're not fully on board the entire way, is this really what you want? So truly understanding what you're trying to get out of your transitional process is extremely beneficial because, one, it's the reason why you're doing it. Your end goal is what motivates you through it. But you also kind of learn during that. If it's not engaging you while you transition, then maybe you should rethink it. 

Justin Underwood: And so the point or the recommendation I would give is try and find as many ways as possible to get real-world experience in relation to what you think is your objective. So, I mean, internships, even to be a human intelligence guy, reach out to somebody on LinkedIn with a job you want and say, hey, can I just get an informational discussion with you, walk me through the day to day? And I'm going to say that if you're coming from the military, I'm assuming you have some of those skill sets of proactiveness 'cause you have to advocate for yourself. 

Natalia Godyla: How did you decide where in the cybersecurity world you wanted to land? You've worked in a SOC. You work in intelligence now. I believe I remember there was some IR in there as well. So - and there's a ton that you can do. That doesn't even, you know, scratch the surface. There is AppSec. You could go into physical security. So when you were trying to determine that end goal, how did you parse through all of the options in cybersecurity alone? 

Justin Underwood: Kind of speaking to the real-world experience. So my experience of both Bank of America and Xbox, there would be certain times where I'd have to - you know, say an incident occurred or there's a threat actor we're concerned about. I would have to identify data sources, put it together into a coherent picture, if you will - sometimes literally a picture, sometimes just, you know, a short situational report - and then engaging with the decision-makers, like, having that discussion about why does this matter? And obviously, I'm advocating in ways like, this should matter to you. And then being a part of the process where, ultimately, a decision is made and a change is enacted that has, you know, levels of scale that I just didn't really assume would occur - you know, I'm able to influence a decision that then impacts millions and millions of people. That's what really drove me to the more threat intelligence analyst side of things - in particular strategic intelligence. 

Justin Underwood: So there's the tactical side of - which I do love the investigative going through logs, trying to find that, you know, two- or three-line item piece of activity that will say, hey, here's the next step in the attacker's kill chain. Let's go, you know, continue further. I love doing that as well. But I really found - and again, it might be some of my human skills. I really like talking to people about the threats, especially the people who make the decisions that, you know, change what our attack surface looks like or could potentially push, you know, some sort of detection to the billions of Windows devices out there. Being able to have my work at that scale is why I kind of landed in the current position I'm in. So that's what really led me to it. 

Justin Underwood: I still get to do some of the tactical stuff. Obviously, I spoke of incident support before. There's still tons of that in there. But what really drives me is trying to understand tomorrow's threat and then telling today's leadership what they should think about it. 

Natalia Godyla: So I did hear you mention that you're in school, so I do want to touch on that a bit. So can you tell us the program you're in today, what you're working on at school? 

Justin Underwood: Absolutely. I'm going to Georgetown University right now, and I'm doing a master - a master's of applied intelligence. And it's a relatively new degree program. I think it's only a couple years old. But the point of it is - and let me make sure I got the four categories - is a master's of professional studies with a focus on business intelligence, which I'm admittedly a bit light on. So it's, you know, a gap that I could bolster. But then it's counterterrorism, threat intelligence and law enforcement support and intelligence. So those three I've got quite a bit of experience in, but, you know, always room to grow, develop and honestly do it off the network. 

Justin Underwood: But, yeah, Georgetown University's where I'm going, and that's one of the few intelligence-specific degree programs where it really attracted me, if you will, because the people that are teaching it, my professors, some of the other students that I have in there - the only way I can describe it is like it feels like the right group for me to be in. I remember when I was young, I was told, if you're the smartest person in the room, you're in the wrong room. I'm definitely not the smartest person in that room. So there's always something I'm learning, and there's always some expertise being just casually shared that I'm, you know, I'm fascinated by at times just because of the diversity of experiences that people have there. 

Natalia Godyla: So - and you mentioned earlier in our discussion, too, that if folks are looking to transition, schooling is a really good next step. So you - I'm sure you did a ton of discovery on different schooling programs that you could go through. So could you share some of the learnings? What were some of the differences in programs? Why did you potentially choose this program over another program? 

Justin Underwood: Yeah, absolutely. Another one - there were really two main candidates I had. The other one was University of Washington at their Tacoma campus. They have a cybersecurity and leadership master's program. And so again, though not intelligence-specific, the leadership portion of it really spoke to a lot of the components of the purpose of intelligence. You know, the purpose of intelligence is to drive operations and inform decision-making. 

Justin Underwood: And so that leadership component of the master's is - while I was like (ph), OK, I'm not trying to stick explicitly cybersecurity. Again, that expertise is extremely valuable, especially for threat intelligence. But my focus was more of the intelligence discipline because it's not just threat intelligence that we provide, if you will. It's an all-source intelligence analyst group. 

Justin Underwood: For a quick summary, all source means exactly as it sounds - open-source intelligence, signals intelligence. One of our goals is to aggregate all of that stuff together into - I'll say a pretty picture because that's the easiest way to describe it. But, yes, looking at UW, that program looked enticing, but it just wasn't for me. 

Justin Underwood: Nowadays, though, another certification program I'm going through as well - because schooling is always a great option, but there's so many other resources. In addition to them, there's Coursera. And these all have really good training materials, as well as certifications you can get at the end, that can allow you to kind of dip your toe in that water before you, you know, dedicate to a four-year degree or something of that nature. 

Justin Underwood: So that's something that I've not only visited, it's something I still do. I'm still doing just random certifications that interest me through Coursera. And so I believe between, you know, the schooling thing, there's so much other training as well that allows you to kind of get initial insights into what that discipline would look like. I would highly recommend those as well before you commit to a degree program. 

Natalia Godyla: This is a bit of a deviation, but you referenced it earlier in our discussion. So cybersecurity, threat intelligence - how do you see those two interacting? How do you see them being also just different terms for different spaces? 

Justin Underwood: There's a growing need for it. I'm sure everybody listening understands that. But, yeah, I mean, cybersecurity, obviously, is extremely important because think of the amount of devices and accounts that everybody has. That attack surface is going to continue to grow, and so will the need for people with the expertise and understanding to combat that. And then, of course, the engineering component to build better tools for the different types of threats that exist out there. 

Justin Underwood: So it's going to continue to evolve, and I think one of the larger threats to that is the supply chain side of things. So both digital and physical supply chains are becoming far more complicated than in the past. So, I mean, between usage of open-source code libraries or through, you know, partner or vendor programs or, you know, through actual relationships we built out with other companies, like, that attack surface is growing larger than I think most people in the industry realize or, if not realize, really appreciate because, again, it just speaks to the complexity of it. And so cybersecurity professionals are going to continue to have to understand the internal workings of their environment, especially for large businesses, especially those with sensitive information like financial institutions or government agencies. It's going to continue to get more complex, and it's a problem that's going to be very hard to address, but I have faith. 

Justin Underwood: And then as far as the threat intelligence side - and again, it's a whole other conversation about the differentiation between those two, I would say. But the amount of overlap is enough to really just group together. But as far as the threat intelligence space is, how are we going to continue to interact with certain agencies or groups that we know are targeting us, that we know are compromising us? When I say us, I don't mean Microsoft in particular. I mean, you know, us at large. How are we going to continue to interface? How are we going to restrict their ability to do that? How are we going to combat their, you know, aggressive behavior in some ways? 

Justin Underwood: And that's going to be a really huge component as far as, like, at the geopolitical level that I discussed earlier - how somebody is going to combat that at that level I don't know because with the cyber battle space - so, you know, forever, there's been three battle spaces - air, land and sea. Well, within the past 30 years, we have a new battle space that's completely human-invented, the cyber battle space. 

Justin Underwood: And the difference and difficulty there is attribution. So we can have, you know, pretty good confidence who did what, but can we prove it enough to a level to where we can then do sanctions on them, for example? That's growing more and more difficult. And I'm just an input to that. I'm not that decision-maker. But I just see there's going to be a lot of mistakes made, I think, in the future with regards to what policies are enacted. 

Justin Underwood: And again, I'm talking about at the government level because of the difficulty of a lot of this, because of the complexity of a lot of this. So sometimes you shouldn't necessarily assume that because the news said this country did it, that's actually true 'cause - I'll give one anecdote. There was an attack on the Olympics that was posited, or it looked like it came from North Korea. But that was just, you know, a way to kind of distract or deter away from the actual attribution. I'll allow anybody who's curious in that to read up on that. But... 

Natalia Godyla: (Laughter). 

Justin Underwood: Yeah, I don't know what all I can say about stuff like that. 

Natalia Godyla: (Laughter). 

Justin Underwood: But the point being that how are we as intelligence professionals or those interested in the intelligence profession, how are we going to, one, better partner with all of our brilliant cybersecurity people and analysts and engineers and get the right kind of information that we can then take to leadership to ensure that they're making the right decisions and really understand what the threat is? Well, it's enough of a task to take that next step of saying, like, how should you use this intelligence or information? Well, that's why the leaders are there. 


Natalia Godyla: So with some of those challenges ahead for the threat intelligence industry, do you have hope that those will be solved in time for the defenders to come out, you know, ahead? And then are there any indicators of the solutions, any technologies that you've seen that seem really promising in, for one, helping with attribution? 

Justin Underwood: I'm going to admit attribution is not a huge focus of my current work. 

Natalia Godyla: OK. 

Justin Underwood: I'm a little leery to comment specifically on that component of it. But I do, absolutely. I do have hope. Especially working at Microsoft, I've seen - again, the joke I kind of made earlier - if you're the smartest person in the room, get out of that room. You're in the wrong one. Again, Microsoft's a place that I'm never (laughter) the smartest person in the room. 

Natalia Godyla: Ditto. 

Justin Underwood: And that gives me a lot of hope and faith. Because to hear the discussions about - some people are looking - like, you know, I try to look one, three, five years into the future. There are some people who are, like, 10 or 15 years, understanding the technology and where it's going to lead. And fortunately, they're on our side, I guess you could say (laughter). 

Justin Underwood: But I absolutely have hope. But it's always going to be that back-and-forth game of, the new threat pops up. We've got to find a way to combat it. Or you know, hey, we completely shut down the infrastructure for this threat. Yay. You know, big win for us. But you know, then they're just building out newer, better infrastructure. So it's - there's going to be constantly that sort of cat-and-mouse game. But I'm absolutely hopeful to - again, it's a little philosophical. If humans were completely bad, we would no longer exist, in my opinion. Like, there is some good. There is some innate good, I feel like. And so that gives me hope. Whether or not that's valid, I don't know. But it helps me, at least (laughter). 

Natalia Godyla: From all of the conversations we've had on this podcast, I hear again and again from folks in the cybersecurity and intelligence space that that is why they're in the space, that they are good people who want to do good work and help others. So I definitely think that there's truth to that. 

Natalia Godyla: Well, thank you for spending some of your little public time with us. We definitely appreciate that. And if any of our audience does have any questions for you, you can send them to our email, and we'd be happy to pass them along. Any other resources that are just in the industry that you might recommend if someone just really loved this conversation and wants to keep learning? 

Justin Underwood: Jeez. I'm trying to think of... 

Natalia Godyla: (Laughter). 

Justin Underwood: Yeah, yeah. I'm thinking of going through that Rolodex of, like, book recommendations and everything. I mean, there's a bunch of good, intelligence - like, if you're looking for a good source of intelligence other than the stuff that, like, MSTIC provides or our Defender TI groups. There's tons of public-facing blogs that they generate, absolutely amazing analysis - again, some of the best I've experienced, both military and personally. So I mean, it's a good source to look at. And, like, Microsoft Security Resource Center's blogs - they have a lot of good, up-to-date information they're providing. I'm trying to think of some other third-party sources, but some of them are competitors, so I'm just going to not do that on this. It's very... 


Natalia Godyla: Fair. 

Justin Underwood: But I mean, there's tons of intelligence groups. I will just - like, Recorded Future. They're focused on threat intelligence, cyberthreat intelligence. They're really good. There's, if you want to get the military, Stratfor. I've subscribed to some of the Stratfor's stuff - S-T-R-A-T-F-O-R. They have a lot of good insights. Let's see. Fire - I mean, FireEye, again - is, again, another extremely high-class, top-notch threat intelligence service. I mean, you look at a lot of the stuff that they've discovered, serviced or escalated, and it's the stuff you've read about in the news pretty constantly. So again, between all of those - and also imagine, like, the intelligence industry is rather small. So the overlap between each of those is noticeable as well, between each of those disparate groups. But yeah, those would be the initial recommendations. 

Justin Underwood: But honestly, I've just found a lot of news sources. I have a tab - or, excuse me, a folder in my bookmarks with, like, 40 or 50 just different news sources that I constantly go through. And how I've discovered a lot of them is - so some of my leadership will say, hey, what are we doing about this? And I'll see... 

Natalia Godyla: (Laughter). 

Justin Underwood: ...Where the article comes from. And I'm like, oh, I need to monitor this so I can answer their questions before they ask them as well. So sometimes that's another way to get a good resource if you're curious about intelligences. And just one point about intelligence - the goal or role of an intelligence professional is not to get smarter yourself, but to make your leaders more smarter. And yes, I said more smarter on purpose. 


Justin Underwood: But the whole purpose is to make them more informed so they can make their decision making. So paying attention to what their sources are can be just as valuable, sometimes just for the point of deconfliction or saying, hey, this isn't really a trustworthy source, and things like that. But again, that kind of only impacts people already in the industry. But you can apply all of these intelligence principles regardless of your field of choice. 

Natalia Godyla: By the way, what were the roles that you had open right now? Is this something that we could share with the public? 

Justin Underwood: I think - well, see, we have a service engineer posting, I know, coming up. We have a junior analyst position that's opened up. I don't know what the timing is between this and being released. But yeah, that should be filled by then hopefully. We have a PM position coming up that'll be extremely important in that cross-org collaboration. And then, yeah, there's some other strategic analyst roles we're hiring for as well. 

Natalia Godyla: Awesome. All right. Well, thank you so much for joining us today, Justin. It was a great conversation. And look forward to hopefully having you back on the podcast if you're willing to be public again. 

Justin Underwood: Yeah, we'll see what the public response is to this. 


Justin Underwood: No, absolutely. Appreciate the opportunity. It's - again, being a HUMINTer, I don't mind talking about things at length. So I appreciate the opportunity. It's been great. 

Natalia Godyla: Awesome. 

Natalia Godyla: Well, we had a great time unlocking insights into security, from research to artificial intelligence. Keep an eye out for our next episode. 

Nic Fillingham: And don't forget to tweet us at @msftsecurity or email us at with topics you'd like to hear on a future episode. Until then, stay safe. 

Natalia Godyla: Stay secure.