Trava Customer Webinar June 2023

Molly Morical: Thank you for joining our customer webinar. I think this is our second one. We do these quarterly. We sync together the end of every quarter and just do some overview, some updates of what Trava has accomplished the last 90 days, some updates, and then some Q& A. Before I share my screen and get started, I wanted to do some introductions. My name is Molly Morical. I am Trava's senior customer success manager. I lead the entire customer success side over here, so hopefully you all have had the chance to meet me. If not, please shoot me over a message. I'd love to personally set up a call with you. We have a few other guests on the call. I will let, Jara, I'll let you go next.

Jara Rowe: Awesome. I'm Jara Rowe. I'm the content marketing specialist at Trava. If you've ever listened to our podcast, I am the host of that, which we will talk a little bit about later. Joe, I'll pass it to you.

Joe Cress: Joe Cress, technical implementation specialist here at Trava. I help with onboarding during the sales process, making sure all of our customers are set up for success. Alex?

Alex Correa: Hello, everyone. My name is Alex Correa. I'm the technical product manager here at Trava. I work with both the engineering team and the rest of the business, to help understand some of the needs that our customers have. Make sure that we are prioritizing the features and opportunities that will provide you the most value, and of course, for some of you, your clients as well.

Molly Morical: Best for last, Jim?

Jim Goldman: Hi, everybody. Jim Goldman, CEO and co- founder of Trava. I also interact with many of you in a virtual CISO role. Yes, that really is a Trava skateboard right there.

Molly Morical: You knew to answer it before someone would ask.

Jim Goldman: Exactly.

Molly Morical: Every call we're on someone asks, " Is that a skateboard behind you, Jim?"

Jim Goldman: Yes. Yes, it is.

Molly Morical: Okay. Thank you, everyone. What I'm going to do is share my screen, go over our agenda, and then I will kick it off over to Jim. Keep in mind if you have any questions, there is a chat. I think you can submit it anonymously, tongue- tied, or just straight through. If you have any questions throughout anything, please feel free to send something in and let us know, and we will get started. All right. Can everyone see my screen? Thank you. All right. Introductions we just did. First on the agenda, is we're going to let Jim talk about Trava's ISO journey. Trava just completed our ISO 27001 certification. We actually have quite a few customers that are going through certifications right now. They've achieved some this year already, and I'll let Jim highlight those. We have some that are also coming up soon, which is cool, so those we'll be sharing on our next quarterly webinar. Then we will toss it over to Alex to go over Trava features, some nice things that they have done, product and engineering team in our platform. Then content highlights with Jara and then Q& A feedback, so we will get started. Let's talk about ISO 27001, Jim.

Jim Goldman: Well thanks, Molly, and it's a pleasure to be here with all of our customers, whether you're live or hearing this recording at some point in the future. We are a customer- centric company, which is why we're now inaugurating these webinars that we hope to do quarterly. But also along that same thing, because we are customer- centric and helping our customers achieve compliance, whether it's in SOC 2 or ISO 27001. Or CMMC or maybe a privacy compliance framework, such as GDPR or CCPA. We felt it was important for us to put our money where our mouth is, so to speak. As I say, we wanted to practice what we preach. We did decide, actually, we decided two years ago, and we started executing about a year ago to become ISO 27001 certified. A couple of reasons for that. One is unlike SOC 2, which is basically a North American standard, you can call it an American standard, ISO 27001 is a recognized international standard for cybersecurity. We thought that was important and there was a new version ratified by the International Standards Organization that comes up with these standards. There was a new version, which is known as the 2022 version of ISO 27001. We decided to go for that for our certification, and we were one of the first companies in the United States to get certified to that new standard. Anyone who was certified to the previous 2013 standard, has five years to be certified to the 2022 standard. We just decided to shortcut that whole thing and go straight to the 2022 standard. I already talked about why we chose ISO over SOC 2. This is a two- stage audit. The first stage they look at your program, they look at the controls that you have in place. They assess are the controls properly designed and implemented? It's only if you get a positive outcome on that initial audit, called the Stage 1 audit, are you allowed to go to the Stage 2 audit, where they actually look at the evidence over an extended period of time. That actually proves that you have implemented those controls and you have evidence to prove that those controls are properly managed and monitored on an ongoing basis. We did all that and I'm proud to say that we had zero exceptions and zero opportunities for improvement cited in our report. That's very, very unusual, especially for an initial audit as ours. We are very proud of that. Then just in terms of effort, because I know sometimes people want to know, " Well, what did it take?" It took us about a year, but the important thing is we didn't hire anyone new to work on this full- time. Marie Joseph, who some of you interact with, she's our chief compliance person. Her title is actually senior security solutions engineer. Then Ohn Fram, who's our internal security expert, internal security officer, if you will. His title is senior security engineer. Each of the three of us worked on that along with the rest of our job for about a year. Obviously, there were some more intense periods of work, especially immediately proceeding the audit and during the audit. But overall, in terms of setting the expectations, that's about what it took us. I think that's it, Molly.

Molly Morical: Thank you. Next, I just wanted to touch on, because we have quite a few different customers on here. A lot of feedback I've got when I started here is a lot of customers didn't know that we were more than just a platform, which tees up this next slide to talk about some successes from some of our current customers. I know times have been rough for the economy, everything, and there's been riffs. There's just been a lot of changes and Trava is here to help. If you've talked to me on a call you know that I always say, " I live, eat and breathe customer success." That is literally what we aim to help you with. If you are wanting information or if you need help with a certification and you don't know where to start, feel free to ask us that. We are not just a platform, we are here to help you with any of that that we can, and we'd be more than happy to do that.

Jim Goldman: Go ahead. Thanks for that, Molly.

Molly Morical: Yeah. Talk about some of the customers that actually are partnering with Trava to get some certifications.

Jim Goldman: It's a really good point. Our job, as Molly said, is to take each of our customers from where they are to where they wish to be on the timeframe that works for them. We produce customized roadmaps on a quarter- by- quarter basis. Very often that's a convenient thing for you to share with your customers, to demonstrate to them that you are serious about your security and compliance program. These are just a few of the successes that we've been able to enable for our customers by coming alongside them and partnering with them in their compliance journey. Chain. io passed their SOC 2 Type 1, and now we're actively working with them on their SOC 2 Type 2. That audit in Camp has been a long- time customer of Trava, and so they recently got re- certified after their SOC 2 Type 2, which is always good. We have a great customer in Logik. io. Also, congrats to them on their huge Series A round that they successfully closed. We got them ISO 27001 certified in a really pretty aggressive timetable to tell you the truth, because they serve a lot of enterprise customers and international customers, so getting ISO certified was important to them. We got them both through Stage 1 and Stage 2 so they have a certificate just like we do. MetaCX has been a customer of ours for a while, and we took over again, to what Molly was referring to, we took over more of the management of their compliance program. They recently got their SOC 2 Type 2 certificate successfully renewed. Then our friends at PureInsights should have GDPR compliance. We're working with them on security certification, as well as Partner Fleet, we're working with them on security certification. As I say, we have several other customers that are on their way this year, and we look forward to sharing their successes in the next quarterly webinar.

Molly Morical: Yeah, thank you. I just wanted to touch on this, this is just customers that have gotten this this year. Obviously, we've been working with them for a while, so we will have quite a few more. We have quite a few actually that are in their final stages of audits and such. Like Jim said, we're excited to share the next round on our next quarterly webinar. Thank you, Jim. Okay. If Jim, you have nothing else, I will stop sharing my screen and let Alex go over some product features in our platform.

Alex Correa: Perfect. Thank you, Molly. I am excited to talk through a bit of what is new within the platform here in the past couple of months. Let me go ahead and share my screen and we can go ahead and get started. When it comes to product features within Q2, we've released a handful of things I'm pretty excited to share with the group here today. Number one, we created a new organization of scans within the platform within the assessments module. I'm happy to go ahead and give a demonstration of that feature here right now actually. If we jump in here, I'm in one of a possible client, Rocky Road Construction Company. If we go to start an assessment, what you will see is now within our full vulnerability assessment, we've really worked to make sure that the language within the platform reflects the way that it is commonly understood within the market. For those of you with clients, the way your clients will very much understand the language. For our scans within each assessment, they're now bucketed by either external scans or internal scans. Ideally, this helps give both you and your clients the opportunity to understand, number one, what surface area are these scans going to be covering, but also what level of effort to implementation can I expect from any one of these scans? Our external scans are going to be that group that is much more straightforward. They likely don't require as much setup. They're things you can likely do as long as you just get some basic information from your client. The internal scans is the group of scans that will require more coordination from your client or from yourself in order to get set up. That's just one thing we found to be just a really nice quality of life change for our users, to make sure that we are reflecting state of the industry and conversations within the platform. Additionally, one of the things we've released is a new reports module. Reporting is a huge part of the functionality within the Trava platform. As part of that, we wanted to make sure that it was easy for users to be able to reference the sets of reports that they or their users generate within the platform. If we head back in here to Rocky Road Construction Company, you can see we have this reports module here on the left- hand side. When you click into the reports module, what you'll be presented with is a table of all of the reports that have been generated for your client, if you are within a client. Here, we'll present you with the name of the report, the type of report, when it was created, the status of that report. Some of them might still be generating if you generate a larger report, who it was created by, and the ability to download that report. Because we recognize there are times when you might generate a report and need to reference it later, but don't necessarily want to go through and regenerate it and risk picking the wrong assets for that report. Within this feature, we also have user privacy in mind and customer privacy in mind. Users and customers are only able to see those reports that are associated with clients that they have access to. Additionally, we make sure that the names of those that created some reports are obfuscated, if a user doesn't have the ability to see the full list of users within the platform for that client. We really tried to have a security first mindset. I've showed you this within the client level, and for our SaaS customers it would be a similar view to this. If you are an agency and a wholesaler, or an MSP or MSSP, you do have that higher level view that is available to you. At that high- level view, we're bringing more aggregate functionality to the platform. Here you'll see we've actually added that reports module to the highest level landing page. There you'll be able to see the same table but with that breakdown of the individual clients that a given report was made for. If you wanted to see who the last report was made for across any of your clients, you would be able to do so and see that same information. Next, we have a pretty exciting set of functionality that we're going to debut here in the coming weeks, but I wanted to make sure we went through it within this conversation and in this webinar. It's going to be the introduction of our risk management module. A ton of thought and effort has gone into this set of functionality between both security and engineering internally for us. We're currently at the end of our internal testing of this feature, but within the coming weeks, we expect it to hit the platform. As far as the overall contents of the risk management module, when it becomes available, it will appear as another left- hand module here within the platform. Users will be able to click on that risk management module, and be presented with both a risk register and mitigation roadmap. All of this functionality and all of the data you're seeing within here, are based on a particular survey within the platform. Currently, in its initial implementation that will go live to users, this feature will be based on the CIS v8 IG1 survey that we have within the platform. That's the Implementation Group 1 for the CIS control set. In order to complete that, for those of you that have never used that survey before, what you'll do is go to your surveys, select the CIS v8 IG1, and go ahead and complete that survey. I also want to call out that there are some of our customers who might have recently done a CIS v8 IG1 survey and that's no small task. Within the platform, we have also added the ability to start a survey from a previous survey. If this feature launches and you've just completed your CIS survey with minimal changes to your controls infrastructure, what you can do is start from that last one. It'll pre- populate those responses for you. You can click submit, and then your information for your risk management module will populate with that most recent information. Within this feature, what we've broken down are, as I mentioned, the risk register and mitigation roadmap. The risk register specifically focuses on what we've defined as 14 high- level risks that any organization faces. They range from things like ransomware all the way to natural disasters. What happens in the backend, is we will take those responses to the CIS survey. We will score them based on some internal metrics and algorithms that we have, and then calculate the total risk that any of these risks present to your business, so that you can view them in that order. Within that, we of course, have some additional fields. We have the title, we have impact and likelihood as to important data points for us, as well as the total risk, the priority of these things and the owner. To highlight some of the value here, we recognize that when we generate this initial bucket of risks, it's based on our internal default settings. If you, as an organization, find that your business context doesn't necessarily line up with the scoring that was used. You have the ability to go ahead and edit the priority of these items, as well as edit the underlying data points that are used within that algorithm, to score the controls and the risks themselves. If a certain risk aligns with your company mission any more or less or with any financial objectives you have, you can save those changes. Then in subsequent iterations of this report, it will use those as the scoring default. Additionally, we want to make sure you can track an impact description if you want to add some more business specific context and then assign an owner. If you have an owner at your business that might be the ultimate responsible party for this risk, you're able to assign them here. Then lastly, for the risk register, I want to highlight that there's a lot of information that goes into this and it can feel a bit black boxy. What we've done is try to present all of the underlying information in the most user- friendly way possible. Here, as I mentioned, that CIS survey helps fuel this. What we do is we also allow you to view the individual controls on our survey that really ties one- to- one to the questions in the survey, and the responses that led to the scoring of this individual risk. As you can see, these are all of the controls from that survey that were related to this risk. Then finally, we have an opportunity to view the action items associated with this. Action items are the individual units that make up our mitigation roadmap functionality. The goal of the mitigation roadmap being now that we understand the high- level risks facing your business, we can start creating a roadmap for you to take action and mitigate those risks. This is a breakdown of all of the actions that a business can take to mitigate all 14 of those risks. Overall, at the point of release, we'll have about 73 action items and the status of those action items will automatically be marked as not started or completed based on your responses to those questions. The action items themselves are initially sorted by the overall impact they will have on your risks. For example, the items at the top of your mitigation roadmap, if we view the risks that they are associated with, have the highest impact because they will help mitigate risk across the highest number of areas. The items at the bottom of your mitigation roadmap, will actually be associated with fewer risks and thus they will have a little bit less impact. They're certainly still important, but if you're trying to get the most bang for your buck, we've tried to sort them in that fashion. These action items have a bit of a description, but additionally here we recognize there may be specific business context. We allow you to add notes. We allow you to associate a cost to remediation, so that you can understand what it will cost to alleviate this issue or to complete this action. Then additionally, assign owners as well as modify statuses to these risks, so that you as an organization can track the responsibility and the completion of these things. Similar to the risk register, you can also view controls and view the associated risks, as I mentioned. Our goal, as I mentioned, is to release this in the coming weeks. It will be available to our SaaS customers and our MSP and SSP customers first. Those individuals, as I mentioned, will have access to that in the coming weeks. But for our MSP and MSSP customers, the individual client types that will have access to this, are going to be specific to the assess clients because those are the clients that have access to the CIS v8 IG1 survey. If you're an MSP or an MSSP, hopefully that reach true to you. If not, feel free to reach out to us and we'll help you identify which of your clients are assessed. That was a large overview and I want to get through this next one. Then I know we have a few questions that have probably popped up. But just to highlight this next feature we've had in Q2, subdomain enumeration, and this is a pretty exciting one for us as a business. I'm going to talk a bit more high level about this one because it can be a bit more complicated to demonstrate visually without the context. Within our scanning infrastructure, one of the things we recognize is that organizations and users are trying to gauge the overall risk and surface area of any of their customers or you as a business, if you're using our functionality for yourselves. What we wanted to do was implement functionality that allows us to take a root domain or a website URL, an apex domain for those of you in the more technical side. Then understand what all of the subdomains associated with all that, with that apex domain are, and then run some of our scans against those. We are getting a much more comprehensive set of information to present to you within our assessments. In this first implementation, which is available now, subdomain enumeration is available for two specific scans. It's available for our breach scan and our certificate scan. For those of you that primarily use our CRC, those scans are part of the CRC, and so you will gain that benefit by running a CRC. But it is worth noting that we are going to be leveraging this functionality for MSPs, the assess clients. For our agency and wholesaler customers, your underwriting and your risk management clients. Those are the clients types that will be able to receive this benefit. To help put a point on the value of this subdomain enumeration, I've pulled together some examples. Here, for our client, WALLYMART, what we've done is run a standard CRC. What we found is WALLYMART has around six vulnerabilities from that CRC. Without subdomain enumeration, we're really only looking at that website that they gave us directly. With subdomain enumeration, what we now have is the ability to understand all of those subdomains that WALLYMART might have. Then additionally see a change of going from about six vulnerabilities all the way to 81. Now it is worth acknowledging some of these vulnerabilities may be the result of intentional configuration. But within our platform you do, of course. Have the ability to flag a vulnerability as potentially irrelevant or intentional. Then it will be hidden from your view forever, which will help create a more representative list of vulnerabilities. Those are the big changes we've had here in the past quarter in releases. I'm pretty excited to be able to share these. The team has worked very diligently to be able to implement them. I want to check with Molly, are we wanting to take questions on some of these now or would you like me to continue?

Molly Morical: No. Sure, absolutely. We've got time.

Alex Correa: Perfect. Okay. Do we have a list of which ones we have at the moment? Let's see, or if we have any. And if not, that's okay.

Jara Rowe: So far all of the questions we have are more about our services and not the product, but Alex, I have a question. What is a CIS survey?

Alex Correa: Yes. The CIS survey is specifically a compliance set of controls that is related to different groups. CIS is an organization and body that helps provide control sets against which businesses can align to. I am not the foremost expert on the team on CIS, so I will defer to someone else before I overspeak. But ultimately, CIS does have different implementation groups for the level that is most appropriate for an organization's cybersecurity maturity. For example, we focus on Implementation Group 1, because it is likely the one that is most appropriate for most businesses. It's definitely the most relaxed, if that's the term you can use here. As we go up in implementation groups, like Implementation Group 2 and 3, the controls become a bit more aggressive, to make sure that your organization is really taking action on some of those higher level security items.

Jara Rowe: Thank you.

Alex Correa: Of course, if anyone from the security team has another point to make, please let me know or if I have misspoken.

Molly Morical: No, you did great.

Alex Correa: Okay.

Molly Morical: I wanted to make a note. Showing the platform, and I'm sure people have customers have been in the platform, I saw a question come in about how often should I be logging in and checking scans? I think Joe was going to answer that. Before Joe does, I just wanted to make a point that if you don't have a vCISO service or any of those certification packages from us, you still have customer success access and that is my job. If you are running scans, if you have questions on scans, Joe and I can schedule a call with you and dig into any of that. We can walk you through how to set those up. As far as the vulnerabilities themselves after they've been ran, we have a cyber analysis name, Christina, who is on our team. That her and I have been having calls with customers and digging in those, excuse me, vulnerability scans in depth, so she can give you some advice on what she would do. But I know I've said it already on this call, our success is your success and we really do want to help you. Please use us to your advantage. Joe, do you want to answer that question regarding how often someone should log in?

Joe Cress: Yeah, absolutely. I typed an answer, but we can talk about it really quickly. If you do have scheduled scan set up, you should be getting email notifications when that scan is complete. Those email notification settings are actually in the settings area of the app. If there are any critical issues you need to be aware of, they'll be listed in that email. Not the actual issue, it'll just say, " Hey, you have some issues that need to be be aware of." It won't list the issues there. I would recommend logging in and checking your scans based on how you have your schedule scans arranged.

Jara Rowe: We do have a question about the subdomain enumeration. What kind of scans will subdomain enumeration help with in terms of expanding coverage?

Alex Correa: Yeah. Certainly a great question. Specifically for subdomain enumeration, the breach scan and the certificate scan will be our two scans that are most benefited from this. Our breach scan is the scan that will go to the dark web and identify any email or content breaches that have happened within your website or within your domain. Then additionally, our certificate scan will check the certificates associated with any of your hosted websites, engage any vulnerabilities from them. Subdomain enumeration will primarily benefit those scans. That said, we do have a DNS scan within the platform, which we'll check for misconfigurations within mail exchange servers. For any given domain, that scan does also benefit from subdomain enumeration as well. That scan has for a little bit now, but it is worth calling out that all three of those now at this point will receive that benefit. A good question.

Molly Morical: Thank you.

Alex Correa: Thank you. Yeah. Then continuing on here, what's coming next is, of course, a question that comes up for us and a couple of things I just wanted to highlight here. What we're focusing on as we move forward are a few things. Number one is IP attribution. It's a project we've been looking forward to to help really pay off some of the opportunities that subdomain enumeration will allow us to capitalize on. What it will do is help us correctly attribute different vulnerabilities to IP groups or individual IPs. We're pretty excited about that. MFA scanning has become another topic of conversation for us. Of course, multifactor authentication, as MFA stands for, is really associated with adding multiple layers of security to log- in processes, right? Some of you may have had the text me a link or a secure sign- in app, any of those other types of multifactor authentication types. We found those to be extremely crucial to security infrastructures. What we want to do is incorporate a scan that will allow organizations to get an objective measurement of their multifactor authentication implementation, whether or not it is required in the scope of which it is being implemented. Then finally, consolidated report management. As we've displayed the new reports module, which we're very excited about, we also recognize that generating reports, as the platform has grown, has become a bit of a process that's spread out throughout different areas. We're really excited to focus on centralizing that report generation process into a single location. So that users and customers are able to log in and in one single location, look at the reports that have been generated and generate any report that might be relevant to them or their clients. Those are our goals here for the next quarter.

Molly Morical: Thanks, Alex. I just want to say personally thank you to the product and engineering team. You guys have done so much and you take feedback from customers all the time. You try to work those in and you guys have just, you've done a lot of work in a little amount of time, so thank you.

Alex Correa: Yeah, of course. I can't take all the credit. The team does literally everything, so I got to give them all the credit. Awesome. Well, I'll go ahead and pass things back over to y'all.

Molly Morical: Okay. I will reshare my screen and then we will get into new educational content with Jara.

Jara Rowe: Awesome. Fantastic. As I mentioned, I host our podcast, the Tea on Cybersecurity, and if you couldn't tell by the question I asked Alex, I'm not a cybersecurity expert, so that is the entire premise of the podcast. I try to take other questions that some people may feel a little too silly to ask, and then we just tackle those topics. We're into season two now. So far, we've talked about cyber risk assessments, about the different compliance frameworks from like ISO to SOC 2. I know at the beginning, Jim talked about Trava's ISO journey. And we actually had a podcast episode about that, that will be released next week on Tuesday. You can get a little info about best practices, what we learned during the process and all of those things. The QR code right there, you can scan. If not, if you don't catch it in time, it's on our website. You can reach out to any of us as well and we can send you a link. Then also we have a webinar coming up on July 18th about AI cybersecurity tips, which I'm pretty sure a lot of us use these AI tools. I'm a big fan of ChatGPT, but I'm slowly learning about all of the different or potential risks that could happen by using these tools. We will give some best practices on how to be more secure and safe when using them, so you can scan that QR code as well. If not, we will be sending out this recording and a couple of other resources in a few days, so be on the lookout.

Molly Morical: Thank you. Okay, I think we went over some Q& A. I don't see anything else in the chat, but if anyone has any questions, feel free to send something in the chat and let us know. I know Jara was just talking about a webinar. I wanted to highlight I've started doing a customer newsletter monthly, and in that section, it asks and tells our customers about any successes from other customers. If you ever have any announcements or a podcast you're doing yourself, webinars, educational events, anything you want to promote on LinkedIn, anything like that, let us know. Send it to me, I can add it to the newsletter. Again, we do those monthly and we would love to help support you in any way that we can. Okay. The next customer webinar we're going to host is in September on the 31st. We will start sending out invites for that, so put that on your calendar. If you have questions and you don't have access to us via Slack or have not already communicated with us, here are some ways. Me, I have two different contacts. We have a success team, so there's quite a few of us that have access to that inbox, so Success @ TravaSecurity. com. Or a personal to me at Molly. Morical @TravaSecurity. com. Joe is lead of our customer support, 9: 00 to 5:00 Eastern, and that is support @ TravaSecurity. com. Or if you've been in the platform, you should see on your bottom right- hand corner of that, there is a live chat option that gives you access to that as well. Anything I missed, Joe?

Joe Cress: Nope. I have nothing to add. We're coming up on time here in a few minutes, but if anybody has any questions, feel free to ask them.

Jara Rowe: Also, I would like to clarify the next customer webinar will actually probably be September 28th. There is no 31st in September, so just want to clarify that that was on mistake.

Molly Morical: Just so everyone knows, I didn't do that slide, so that was not on me. Kidding. All right. Well, if there are no questions, thank you all for joining and attending and asking those questions. Feel free to reach out to us with any others, and if not, we will see you at our next customer webinar. Have a good day, everyone.