September 3, 2025
In this conversation, Saša Zdjelar, Chief Trust Officer at ReversingLabs and former ExxonMobil executive, discusses his experience in cybersecurity, particularly software supply chain security. He argues that commercial, off-the-shelf software entering an organization has historically been vetted with questionnaires, insurance and occasional penetration tests rather than a technical control, and explains how ReversingLabs analyzes software binaries, generates its own software bill of materials, and checks each component for malware, tampering, vulnerabilities, embedded secrets and license problems before deployment, so that the analysis can gate procurement, renewals and the movement of software across network trust boundaries.
00:00:03 A
This episode of the Energy Pipeline is sponsored by Caterpillar Oil and Gas. Since the 1930s, Caterpillar has manufactured engines for drilling, production, well service and gas compression. With more than 2,100 dealer locations worldwide, Caterpillar offers customers a dedicated support team to assist with their premier power solutions.
00:00:28 B
Welcome to the Energy Pipeline Podcast with your host, Russell Stewart. Tune in each week to learn more about industry issues, tools and resources to streamline and modernize the future of the industry. Whether you work in oil and gas or bring a unique perspective, this podcast is your knowledge transfer hub. Welcome to the Energy Pipeline.
00:00:53 Russell Stewart
Hey everybody. As always, thanks for listening. And as always, thanks to Caterpillar Oil and Gas for sponsoring the podcast today. My guest on the show is Sasha. And Sasha, how do you pronounce your last name?
00:01:08 Saša Zdjelar
Yeah, it's pronounced dlr. So when you see it spelled, just think of the J as a Y sound and that might help a little bit.
00:01:16 Russell Stewart
Okay, so it's spelled Z, D, J, E, L, A, R. So forget about the D and treat the J as a Y. Zeler. I always butcher it up with my Texas accent, you know, but anyway, we'll just go with Sasha. How about that? That I can do. Sasha, you are a former ExxonMobil executive, and that's always impressive to me. We've had ExxonMobil on OGGN podcasts before, but it's quite the challenge to work your way through all their marketing and legal and everything to get somebody from ExxonMobil. What did you do for ExxonMobil?
00:02:10 Saša Zdjelar
Yeah, thanks. And first of all, thanks for having me on, Russell. Looking forward to the conversation. So, yeah, I spent almost 20 years at ExxonMobil in various roles. I joined straight out of graduate school and went through the typical sort of new hire onboarding there and had a number of roles in the first few years, from system support and Unix support and desktop support, the typical things where you kind of cut your teeth in the industry, but maybe more importantly, you learn the business and you get tremendous business exposure. And then eventually I worked my way up through team leadership, group leadership and supervisory roles, and eventually to some senior management roles, predominantly in cybersecurity. But I also spent a lot of time in other areas, around ERP systems design, supporting our upstream technical teams, leading some development teams, spending a lot of time in agile practices and running the desktop service. So, yeah, a number of varied roles, but always either mainstream in cyber or on the periphery of cybersecurity.
00:03:14 Russell Stewart
Okay, and is that. Was that in Houston?
00:03:17 Saša Zdjelar
That was in Houston, yeah. When I originally started, I lived downtown, but I commuted north to some of the office clusters that existed at the time on the north side. And then eventually things flipped. I moved to another part of town and worked in Brookhollow and some of those areas, and then eventually in the big campus that exists on the north side of town. Okay.
00:03:38 Russell Stewart
All right. Today you are the chief trust officer for a company called ReversingLabs, is that right?
00:03:47 Saša Zdjelar
That's correct, yeah. I worked for a long time at ExxonMobil and then went and spent some time at Salesforce, where I was the SVP of security, and then joined private equity. So I'm an operating partner in a company called Crosspoint Capital. One of our portfolio companies is ReversingLabs, and I have the role of chief trust officer at ReversingLabs. That's correct.
00:04:09 Russell Stewart
Okay, so what do they trust you with at ReversingLabs? What's ReversingLabs?
00:04:14 Saša Zdjelar
Yeah, hopefully they trust me with a lot. So ReversingLabs is a fascinating company. We've been around for 16 years now, maybe even a few months more than 16. And throughout that entire time, the company's ethos or purpose was always to be the best at finding malicious things in as many places as we could. So that originally started by being able to look at unbelievably complex files, regardless of size, type, extension, complexity or packer, whether it was open source or commercial, and being able to find maliciousness in those files. So think of it like malware analysis, threat hunting and threat intelligence types of capabilities. A few years ago, on the heels of SolarWinds, which I'm sure we'll talk a little bit more about later, that same engine that was able to take any file, any size, any complexity, and find maliciousness in all the components turned into a new capability. Turns out that's exactly the engine that you need to be able to do software supply chain security. So post-SolarWinds, the company also added to its portfolio a very substantial capability, I would argue best in the industry, to be able to take, again, any piece of software, whether it's commercial or open source, deconstruct it into all of its components, generate a software bill of materials on our own, not relying on the vendor to provide one, and then, for every single component, analyze and convict that component. Is it malware? Has it been tampered with? Does it contain vulnerabilities? Does it contain secrets? Et cetera, et cetera, et cetera.
00:05:46 Russell Stewart
Okay, so let's back up here just a minute then. So the oil and gas industry runs on what we call workflows. You mentioned, for example, ERP systems. What is that?
00:06:06 Saša Zdjelar
ERP now is maybe a little bit of a dated phrase for enterprise reporting platforms, but think of those as your SAPs, your Oracles, in some cases even Energy Components for those in oil and gas, or Siebel or Salesforce, or any of those things that run your corporate value chains: hire to retire, order to cash, refinery optimization, seismic things. So it's the giant platforms that your company actually runs on, which always end up being commercial software, for very good reasons.
00:06:41 Russell Stewart
Okay. And so the problem is these things are, like everything else, I guess, in our world today, you've got to have security on these things. And that's a critical issue, right?
00:06:59 Saša Zdjelar
Yeah, I mean, I would categorize it very bluntly as maybe the largest area of risk where, up until ReversingLabs made its capabilities available to the market, there really has not been a technical control. So maybe let me explain what I mean by that a little bit more. Companies run on software developed by someone else. You hear phrases like "the world runs on open source" frequently brought up, and it's largely true, and it's certainly true as a general phrasing of the importance of open source. So yeah, the world does run on open source, but that's not what your company runs on. Your company, meaning any company, runs on someone else's software. For some of these most important systems, like ERP, like treasury management, or in the oil and gas space, things like seismic interpretation, refinery turnaround and reservoir modeling, those are things that you run from companies like Schneider Electric and Honeywell and Siemens and SAP. Companies like that are who make the software that we all run. The challenge is when it's commercial, off-the-shelf software, meaning someone else's software that you buy and bring into your environment. Up until ReversingLabs capabilities were available in the market, the only way you had to analyze the security of what you were buying and bringing in, in other words, does it contain malware, is it the next SolarWinds, has it been tampered with, does it contain secrets, does it have all the appropriate binary protections built in at compile time, does it have vulnerabilities, your only mechanism was, I'll call it, security theater.
You sent out questionnaires, they answered manual questions in Excel, or maybe you bought cyber insurance, or maybe you did some penetration testing to try to find vulnerabilities specifically, but you had nothing that even resembled a technical control that you could have high assurance from that what you were buying and about to install in your environment was not bringing in a tremendous amount of risk. Well, now there is a technical control available, and it's through the ReversingLabs capability called Spectra Assure, which is basically the ability to take any piece of commercial software and do the sort of analysis I described, including to generate your own SBOM, or what's called a software bill of materials, so you don't have to rely on what the vendor provides. If the vendor provides one, even better: then generate one with our product and compare them. And if they match, great news. If they don't match, now you have something to go back to the vendor with and say, hey, something here doesn't line up. We found different things than what you said were in the product. Does that make sense?
00:09:32 Russell Stewart
But what happens when you do that?
00:09:35 Saša Zdjelar
What do you mean?
00:09:36 Russell Stewart
So you go back to the vendor and you say, hey, your security doesn't, you know, we found weaknesses and blind spots in it. So now what happens?
00:09:48 Saša Zdjelar
Yeah, what happens is you now have an opportunity for the vendor or you to take corrective action before you've signed, before that contract is executed, before you've already purchased. So it becomes a contingency on doing business with that vendor, or it becomes a contingency on a renewal with the vendor, to say, hey, look, I'm not buying until this passes an inspection. It's no different than not buying a house until it's brought up to code by an inspector. Right. So think of the ReversingLabs Spectra Assure capability as having an unbelievably sophisticated inspector prior to buying a home, or in this case, prior to buying software. Now, I was going to say that that doesn't pertain to just the stuff you buy from others. Right. Your company, any company, is probably doing some amount of internal development as well. Now, that could be for your own internal use: you're developing some software for your own business to use for their own purposes. Great. Or it could be software you develop for commercial purposes, meaning maybe you are a technology company that produces software that others use, and that's the case for some companies in the oil and gas services space, where they also produce software that we all buy and use. A good example is someone like Schlumberger, for example. Right. They make a lot of software that's used by the oil and gas industry. In that scenario, it gives the company the ability to analyze their own software before they ship it to their customers. So you can ship it with this high assurance or guarantee that there's nothing nefarious or malicious in the software that you're shipping to your customers.
00:11:25 Russell Stewart
So how big a problem is this? You brought up SolarWinds as, I guess, a prime example. Talk about that a little bit.
00:11:37 Saša Zdjelar
Yeah, SolarWinds, I think, is the example everyone commonly points to because it helps facilitate the conversation about the problem. But just to be clear, if we looked at the last seven, eight, maybe nine years of breaches, yeah, you have SolarWinds, but you have 3CX, CircleCI, Kaseya, Ivanti, Okta. The list goes on and on and on about companies that have had software supply chain breaches or problems of some sort. And the common denominator that all of these come back to is it's all commercial software. Right? It's all software you pay for, not open source. Now, that doesn't mean that in all of that software there is not a tremendous amount of open source within it. There is, absolutely. But once you put a commercial wrapper around it and you sell it to a company, the process by which that enters a corporation is very different than the process by which open source components enter a company. So your question was, how big of a problem is it? Well, we can look at the impact that SolarWinds had. That was tremendous, but it started even earlier. One of the things people don't think about is back in 2017, when we had WannaCry and NotPetya, for those who have been around long enough to remember that, that all started with a piece of Ukrainian tax software, also commercial software, called M.E.Doc. So for anyone who was a customer of that software, meaning commercial off-the-shelf software that they brought in, that's how that giant breach and that vulnerability got into the environment: through commercial tax software, in fact, through an auto-update of that software. So this concept of software supply chain problems and breaches has been around now for over a decade. Wow.
00:13:14 Russell Stewart
Okay, so you say ReversingLabs is...
00:13:16 Saša Zdjelar
How old? ReversingLabs, I think, started back in 2008, 2009. So we're kind of right at the 16-year mark now.
00:13:25 Russell Stewart
16 years. Okay. All right, so how did they develop this software? What's unique about it?
00:13:36 Saša Zdjelar
Yeah, the two co-founders are absolutely brilliant. They both came out of backgrounds at Microsoft and Bit9 and some of these companies that were trying to solve these problems for a long time. But the co-founders had a perspective that I think has turned out to be true, that the approaches at that time, in that era, to finding maliciousness in things, so think about at that time it was solutions like antivirus, were deliberately limited. They were limited in the file sizes they could handle and in the file types. And a lot of that just has to do with practical sales and engineering problems. So think about what every antivirus vendor, whether it's old-school antivirus or the new EPP and EDR solutions from the leading companies, think about one of the main things that they sell you on. The key phrase you hear every time is "it's never more than 1% CPU impact," because none of them want to be perceived as the heavyweight agent. So they all ask their engineering teams, hey, what files can we handle that keeps us at less than 1%? The engineering team comes back and says, well, something around 100 megabytes, maybe 120. And that's where they draw the line. And what most people don't appreciate is that for any files over whatever size that is, the product fails open. In other words, files sail right through and they're not even analyzed. Now, the really squirrely thing is the message that you get, if there are any logs at all, is something like "no malware found." What they leave out is the "comma, because we didn't even look" part. That's never highlighted. Yeah, yeah. And so what the co-founders set out to do was to basically change this paradigm, to develop a no-excuses engine that can rip apart any file, any size, any complexity. If it was 300, 400, 500 megabytes, we have to handle that.
Well, what if it used some sort of proprietary packer and compiler? We have to handle that. Well, what if it's one of these file types that's not common? We have to handle that too. So they've been building now for the better part of 15 years this incredibly capable engine that can do exactly what I described. That's what gives them this incredible advantage, even in things like malware analysis, threat hunting and threat intelligence. But now that same engine is applied to solve software supply chain security problems, because it turns out that's the exact same engine you need to be able to take any file or any piece of software, enumerate all of its components, deconstruct it, and then analyze every single component, piece by piece, until you get to the end. The only acceptable number is 100%. So does that help answer the question?
00:16:08 Russell Stewart
Wow. Yeah. So the antivirus companies, or whatever you want to call them, security software, not wanting to take up 1% CPU. You solve that problem too, or why is that an issue?
00:16:27 Saša Zdjelar
Yeah, and just to be very clear, ReversingLabs is not an antivirus product. It's not an agent that runs on your desktop. This is not competing with those types of solutions. But the way that they solve this problem is that because they are not running locally on your machine, there isn't the concern about how many CPUs are tied up and whether they're competing for resources that a user would need, or, let's say, in the oil and gas space, that a geoscientist or a petroleum engineer would be using for something that's revenue accretive. It's not competing with that. Right. These are solutions that run in the background. They run in the data center or in the cloud, and they're analyzing software and files out of band of antivirus solutions. But they do solve the problem of being able to analyze large file types. So that's another emerging frontier. And think about what makes the oil and gas space so unique. Right. It's one of, I don't know, a handful of industries that's been around over a hundred years. I used to work for a company that I think is now over 135 years old. So they were some of the earliest adopters of some of the most cutting-edge tech at the time. These were the first companies to have, I think, Exxon was maybe the company to get the second Cray to ever roll off the floor. They had SAP Alpha, the very first instance of SAP that was made available. So technology that goes back many, many, many decades, that in some cases some derivative of it is still running, and running large parts of the corporation, but also some of the most cutting-edge and modern solutions as well: all of the ephemeral workloads and Kubernetes containers and elastic compute workloads and cloud adoption and scientific computing and high performance computing to do some of the work that they do.
So everything from the oldest to the newest and everything in between is what's running in the oil and gas industry, in particular extremely large files. I remember when I was working there and supporting our users, it was very common for a geoscientist to have to take a 26 gig file that contained seismic and reservoir information and take it with them somewhere in the Middle East if they were going to a conference or something like that. Try getting a solution to take files like that, that are multi-hundred-megabyte or multi-gigabyte or multi-ten-gigabyte in size, and having any solution analyze it to understand whether it's malicious. That's exactly where a solution like ReversingLabs, and it's the only one in the industry, can do anything like that.
00:18:52 Russell Stewart
Okay, so for energy companies to strengthen their software vetting processes, what are the practical strategies for doing that?
00:19:07 Saša Zdjelar
Yeah, I would suggest that they implement kind of a first-ever technical control in this space. So that should ring very, very positive for CISOs to hear, that they have the ability to bring a technical control finally to this space. If you look at the polling of most boards in the last five to seven years, software supply chain security is somewhere in the top three, if not the top one, in any survey you look at out there. So this is bringing a technical control to a space that has not had one. So how would they do this? Well, they would start in the earliest phases, with even organizations like procurement. We have customers, including customers in the oil and gas space, that are implementing ReversingLabs as a critical control before a piece of software is ever allowed into the network. So it first lands in a, call it, DMZ location, a location that's considered dirty or not yet clean. And only when ReversingLabs analyzes the software and declares it clean does it get moved into the network proper, or into the environment, to then start being used by teams to install and build from. And that's happening with ReversingLabs technology specifically in the oil and gas sector. So that's kind of the practical, call it operationalization, of this. And then there are many other ways you could apply the technology for internal development as part of CI/CD pipelines, for even software that you're developing internally, to make sure that you are not inadvertently operating with a development pipeline that has been compromised, right? That has a component that's being brought in, an open source or commercial component, that's malicious in some way, or that you don't have tampering of the pipeline itself, right?
Some sort of an insider risk, or a breach where credentials have been stolen and now things are being added to your build that no other tools can discover, and then you push to your own production something that's nefarious or malicious. I'll highlight one other thing that's increasingly a topic that, again, uniquely ReversingLabs can solve: AI and ML models, right? So these are, again, once we get past the futuristic-sounding science fiction of artificial intelligence and machine learning models, when it comes down to it, they're just files. They're still just files, right? They are serialization formats, and very large files, in formats like ONNX and pickle. Again, ReversingLabs is the only solution on the planet that can take these giant multi-gigabyte files that represent the model and analyze them to tell you whether that model itself is malicious or has been tampered with. That's another critical capability that's being deployed in pretty much every industry vertical that we're aware of, including in the energy vertical.
00:21:45 Russell Stewart
So all these various softwares and whatnot, how often do you... you talked about putting them in a dirty zone and then declaring them clean. How often do you find them not clean? And then what do you do when it's not clean?
00:22:02 Saša Zdjelar
Yeah, great question. So a lot of this depends on every company's sensitivity, we'll say, or risk tolerance. So there are a number of policies you can define. So how often do we find things that truly contain malware? It's rare, but it happens more often than you would think. Now, how often do we find other things that the company could deem highly problematic? For example, maybe it contains secrets or some sort of secret: a private certificate or a private SSH key or something like that. Actually, we find that quite often. And even the vendor that produced the software is completely unaware, because they also don't have the appropriate tooling to find this on the way out. And then further down the spectrum, again depending on the company's legal sensitivity, you also find a lot of license violations, where the vendor is shipping you software, components of which they are not authorized to use, and actually you are not allowed to use in your environment for your own commercial purposes either. And the vendor either doesn't care or is unaware. So some of it is a spectrum of concern, right? Some of the concerns may be for your procurement department, some of the concerns may be for your security department, and some of the concerns may be more for your legal department, when it comes to licensing violations, for example.
00:23:23 Russell Stewart
Now, you said it depends upon the risk tolerance. I wouldn't think you would want to tolerate any amount of risk in this area, if at all possible. Is that right?
00:23:40 Saša Zdjelar
You know, academically, that's right. Practically speaking, it's infeasible to operate with zero risk, right? Every environment, every department, every function, whether it's audit or finance, operates with some amount of accepted risk. Perfection is both unbelievably expensive and usually out of reach. Information security in general, the best definition I've ever heard is actually by Daniel Miessler, where he defined it as the process of maintaining an appropriate amount of perceived risk. So it's not zero, it's an appropriate amount of the risk that you're perceiving in that moment. So I'll give you an example. The idea that a piece of software would be completely flawless from a vulnerability perspective, let's say, while I wish that were true, it is practically impossible to achieve zero vulnerabilities. Now, what is feasible, and what is also, I would say, practical from a business perspective, is that you insist on things like, well, listen, the software that we're getting from you, vendor, whoever that is, cannot contain any critical or high vulnerabilities, and it cannot contain anything on the CISA KEV list. CISA has defined this Known Exploited Vulnerabilities, or KEV, list, which basically means that patching has been mandated by the government. So it's reasonable to say, look, no critical, high or CISA KEV list vulnerabilities. That might be, call it, level one or two, or some sort of basic. Now, can you also insist on no mediums, no lows? You can certainly try, but I can tell you from practical experience that is generally not the speed at which business moves. So some degree of risk is always accepted. I think it's for every company to decide what their risk tolerance is and in what areas. Things that are maybe productivity tools run by very few people in a non-privileged context, maybe that's a different risk tolerance than for things that run in control systems environments. Right. Or in highly sensitive financial environments, or maybe environments that have to do with safety, health and environment, or corporate financials. So I think there are absolutely different degrees of risk tolerance.
00:25:50 Russell Stewart
And then once you establish that, then there are different ways that you can try to manage that risk.
00:25:58 Saša Zdjelar
Yeah, absolutely. Even in the case of our own solutions, you have a way of bucketing software that you bring into your environment into different, call it, groups, where you say, look, okay, this stuff is destined for this type of use case. We accept level 2 or 3 maturity on this one. But, boy, this stuff is mission critical for the company. It has to do with critical systems that keep the company running, or it has to do again with safety, health and environment. For that we need level four or five, or in the case of something that crosses a trust boundary. So think about how oil and gas operations work, right? You usually have some sort of twice-a-year large maintenance period in a refinery. As anyone who has experience in the space knows, to bring down a refinery for maintenance and spin it back up, or do a turnaround, is very, very expensive, very complex, right? Yeah, a very expensive proposition. So you usually batch up your maintenance during the times when that happens. Well, while that generally applies to things like pipeline fittings and checking welds and replacing the hard components of a refinery, that same thing applies to software maintenance, right? It's usually during those windows that you update the systems that run L2, L3, your PLC and SCADA networks. Wouldn't you want to know that the software that is crossing that trust boundary, from your L4 network or directly into your L2 and L3, when you're about to patch those systems or install new software in lab environments or in producing environments, is very, very high assurance? Wouldn't you want to have a software bill of materials for every one of those? Wouldn't you want to analyze that software thoroughly before you install it? That's the technical control here that I'm talking about.
And in that kind of environment, to your point about whether there is a spectrum, your risk tolerance would probably be very, very low.
00:27:49 Russell Stewart
Well, that's great, Sasha. This has been a fascinating conversation. I guess, let's see. ReversingLabs, your website, is it reversinglabs.com?
00:28:02 Saša Zdjelar
It is. It's reversinglabs.com, and I'll give you one other resource that your listeners may appreciate. For anyone that is involved in software development, we offer a completely free resource. The URL is just secure.software. Literally just type secure.software in your browser, and that will take you to a community version of our offering, completely free. There's no paywall, there's no login wall, there's nothing. And that is analysis of every package manager out there: npm, PyPI, RubyGems, Maven, NuGet, whatever. It's analysis of every piece of open source, every version, going back as far as you want. And it's constantly assessing all the open source out there and giving you our analysis of that open source component. If that's something that you use in your development, or if it's something you find in third-party commercial software and you want to check what it is, we offer that completely free, and that could be a useful resource to your listeners.
00:28:56 Russell Stewart
Okay, so we're going to put that in the show notes. It's secure dot what?
00:29:00 Saša Zdjelar
secure.software.
00:29:02 Russell Stewart
secure.software. That's simple enough. Just type that in and it goes there. All right, folks, that was worth your price of admission today. In fact, I think this is why people listen to this podcast, because we bring some, if I do say so myself, very interesting and critical perspectives, and I get the opportunity to meet folks like you, Sasha, and then introduce you to our audience. And that's the purpose of this podcast. So I really enjoyed this conversation, I really appreciate you coming on, and we'll definitely put secure.software in the show notes so people can reach out. We'll put your LinkedIn URL in there so people can reach out to you if they want to. And again, I can't tell you enough how much I appreciate you coming on and sharing this information with our audience.
00:29:59 Saša Zdjelar
Thank you so much, Russell, and I appreciate the opportunity to engage with you. Thanks again.
00:30:03 Russell Stewart
Okay, and as always, we thank everybody out there for listening. Post us on LinkedIn, tell your friends to listen to us and we'll see you next time.
00:30:12 E
Thanks for listening to OGGN, the world's largest and most listened-to podcast network for the oil and energy industry. If you like this show, leave us a review and then go to oggn.com to learn about all our other shows. Don't forget to sign up for our weekly newsletter. This show has been a production of the Oil and Gas Global Network.
Saša is the Chief Trust Officer (CTrO) at ReversingLabs and Operating Partner at Crosspoint Capital with ~20 years of Fortune 10 global executive leadership experience. His CTrO scope includes leadership, oversight and governance of the CISO/CSO function, including product security, as well as partnering with other leaders on corporate and product strategy, strategic partnerships and research, and customer and technology advisory boards, including sponsoring the ReversingLabs CISO Council. Prior to ReversingLabs and Crosspoint Capital, Saša served as the Senior Vice President of Security at Salesforce, where he led a global organization encompassing enterprise security, product security, offensive security, security engineering/automation, bug bounty programs, technical product/program/project management, and mergers & acquisitions. He also played a crucial role as the executive sponsor for strategic corporate security initiatives, such as Zero Trust.
Prior to his tenure at Salesforce, Saša spent nearly two decades at ExxonMobil, holding various positions focusing on strategy, enterprise security & architecture, software engineering, ERP systems design/integration, program and product management, planning & stewardship, compute and hosting platforms, and digital/cyber resilience.
Saša is an active participant and founding member of several CISO leadership communities. He is also a member of the Forbes Technology Council, a Fellow at the Cyber Readiness Institute (CRI), a member of the BlackHat CISO Summit Advisory Board and BlackHat Content Review Board, and engages in organizations such as Infragard, ISACA, and ISSA. His insights have been published in various industry publications, and he has spoken at numerous industry conferences and universities.
Saša holds a Bachelor's degree in Management and a Master's degree in Decision Science from the University of Florida.
Russell Stewart is a podcast host for the Oil and Gas Global Network (OGGN) and a Managing Member of Environmental Recovery Oilfield Services & Consulting, LLC, distributing specialty chemical products from TETRA Technologies to remediate hydrocarbon and produced water spills. With over 40 years of experience in marketing and sales development, Russell has built new companies and markets, served as a sales consultant and manager in various industries, and taken two start-up sales opportunities to multi-million dollar annual revenue.
Russell entered the Oil & Gas industry in 1997 as General Sales Manager for a specialty service company, setting up its marketing plan. He is a current Board Member and past Chairman of the API-Houston Chapter, supporting six scholarship funds in Petroleum Engineering at several universities. Over his career, he has been a featured speaker on leadership, life coaching, ethics, and positive perspectives on the Oil & Gas industry.
Russell hosts the OGGN HSE Podcast, one of the top-ranked industry HSE podcasts globally, exploring health, safety, and environmental topics with expert guests. He also hosts OGGN’s The Energy Pipeline Podcast, sponsored by Caterpillar Oil & Gas, which delves into issues impacting the industry.
Russell is married to his high school sweetheart, Cindy, and has two grown children and five grandchildren.