December Trava Customer Webinar

Customer Highlights (00:56 MIN)
Ways Trava Can Help You (03:02 MIN)
New Product Features (04:06 MIN)
Product Demo (04:52 MIN)
Trava Compliance Overview (03:47 MIN)
Looking at cybersecurity in 2024 (04:05 MIN)
Learn with Trava's podcast! (02:01 MIN)

Molly Morical: Welcome everyone to... This is Q4, our Trava Customer webinar. We're excited that you are here. Excuse me, we've got a lot of exciting things to share today. But before we get started, I wanted to do some introductions on who will be joining from the Trava side. So my name is Molly Morical. I am Trava's senior customer success manager. I also have Jara here. I'll let Jara introduce herself.

Jara Rowe: Yeah, I'm Trava's content marketing specialist, Jara Rowe. I host our podcast and you are subscribed to our newsletter. I do a lot of that stuff. So yeah, behind all of our content.

Molly Morical: Thank you. And then we have Jim. Bulldog Jim.

Jim: Hi, everybody. Good to be here again and always nice to connect with our customers. Just getting used to this whole webinar thing. Turns out I was stuck backstage, didn't realize it. Didn't realize we had a backstage. Very cool.

Molly Morical: And then we have Alex.

Alex Correa: Hello, everyone. Happy to be here today. Once again, I'm our technical product manager. So happy to share a bit about what the team has been up to from a development side of things and support any questions that might come through as well.

Molly Morical: Thank you, Alex. Okay, I'm going to share my screen. I'll go over the agenda and then we'll kick this thing off. Just a reminder, there is an open chat. So we will have Q&A at the end, but if at any point you have questions, feel free to put those in the chat and we can answer them during the call. So let's get this thing started. Okay. Can everyone see my screen okay? Perfect. Okay, so the agenda today, we'll go over some customer highlights, how Trava helps. So that'll be from me just giving everyone a reminder on what Trava can do to assist you. So we are not just a compliance platform. We offer some additional services that you may not know about. And then I will kick it over to Jim to talk about Trava being your compliance partner and just a full compliance overview. And then Alex will talk about product updates. Jim will go through what is to come for cybersecurity in 2024. And then Jara will talk about some upcoming webinars that we have, and then we'll open it up for Q&A. So excuse me, I've got the weather here changing in Indiana from cold to warm and it's just affecting my throat. So we'll go into customer highlights. We have a few. I think Jim's going to touch on one in a little bit more detail. But EIG was recognized with the prestigious Netty Award for best user experience design for their work on Ultraviolet Cyber. Congratulations to the EIG team. Chain.io just completed their SOC 2 Type II and got certified in that this past month. So congrats to the Chain team. And then Pureinsights, who we've highlighted a couple of times on these calls, have just completed their ISO 27001:2022 certification. And I know Jim wanted to make a couple of comments regarding that, because they have just been working with Trava very closely and have some cool things happening their way.

Jim: Yeah, I'd be happy to. I just realized we don't have a reactions button on this.

Molly Morical: Yeah, I was looking for that earlier.

Jim: I wanted to do an applause symbol when you were reading all those nice things. But anyway, we'll work on that. So I wanted to talk about the Pureinsights process just for a little bit to give a little bit of context. Not only did they get certified to the brand new 2022 version of ISO 27001, but as many of you are familiar with an external audit process, whether it's SOC 2 or ISO, there's always what are called findings or exceptions or minor issues or major issues or this kind of thing. And what was pretty unusual about Pureinsights is they had zero findings and zero exceptions, which is extremely unusual for a first time certification. So kudos to the Pureinsights team. But also, I would say kudos to the Trava team and the Trava process, because part of what we do is that's what we assure. We assure that all criteria are going to be met. We assure high quality throughout the entire process, so that these third party external audits go extremely smoothly and our customers get the outcome that they intend.

Molly Morical: Thank you, Jim. I just wanted to touch on this really quick. So for anyone that's on the call, we like to do customer highlights every quarter. I also send out a customer newsletter that has highlights too. And this doesn't have to be just about certifications. Obviously, we recognized EIG for the Netty award. But if you have any cool things happening your way that you feel that you'd like to share with Trava and with the rest of the Trava customers, please send them my way. I'll have contact information at the end of this, or you can reach out to me directly. But this is really a spot for us to recognize you and all your accomplishments. So please keep that in mind.

Jim: The other thing that occurs to me about that, Molly, is our customers may not know what our other customers do. So this is a good place to talk about achievements maybe outside, as you pointed out, outside of security and compliance. And because there may be a customer on the call that says, " Wow, I need someone to help me with that."

Molly Morical: Right. Yep, that's exactly right.

Jim: And you know they'll be secure because they're with Trava.

Molly Morical: That's right. Okay, so I wanted to talk a little bit about how Trava can help you. Obviously, anyone that has been working with us knows that Trava is a platform where you can run vulnerability scans, do control surveys. But we are so much more than that, and I just wanted to send a reminder on other ways that Trava can help you with any compliance needs you may have. So we do have our full Trava platform. We have over 10 vulnerability scans, internal and external. Alex is going to touch on a little bit of that here shortly. But we also help with compliance needs. So if you are a customer that is starting to go through a framework and you need to be... GDPR attestation letters. If you need to get SOC 2 compliant or ISO compliant or certified, we help you with that. So we offer compliance advisory packages depending on what framework you are looking for. That consists of project management of your policies, controls, task assignments, facilitating evidence and gathering. We also help conduct internal and external audits, readiness assessments. Depending on the type of need, we can help you with meeting with external auditors. We do business continuity, disaster recovery, tabletop exercises. We also do full compliance program management. So I don't want to say, like, hand-holding. But we really help and we are your partner throughout this entire thing. So we will help take more responsibility off of your plate and really help you with your full compliance program. We have two fantastic vCISOs that can offer vCISO services. So if you have specific questions that you just don't know the answer to, we've got Jim and Michael Magyar that can help with that. We do incident detection and response tabletop exercises, security program strategy help. And then we also offer penetration testing, which I know a lot of specific frameworks aren't requiring, but it's obviously something good to do every single year overall for your company.
And I don't think a lot of customers know that we do that. So just a reminder on those services. If you have any questions about them, you want to dig in any deeper, please let me know. We'd love to help you. Okay, let's go into some product features with Alex.

Alex Correa: Hello, everyone and Molly. I'm going to have you share your screen for this slide and the next one, and then I'll go ahead and take over. But very excited to share some updates with everyone here in the realm of product development. There are four key things I want to hit on that we focused on for the early part of Q4, as we head into the end of the year. And number one, we did develop and release a new scan. It's called the perimeter scan. The perimeter scan exists now within the platform, within the category of external scans. And its purpose is to identify and find the open ports within an external system or IP address that it has been provided and determine vulnerabilities based on the software running behind those ports. So if we can detect that a port is open on one of the systems that's been scanned, we can detect if there's software behind that port that is vulnerable and tie that directly to a CVE. So that when the vulnerabilities are returned to you, you have the ability to understand directly with that CVE number how this vulnerability may be impacting your system or the system that you've scanned. I want to highlight, once again, it will appear within that list of external scans and it'll appear within any of your assessments that enable that scan. Secondly, we have another new scan called the web application surface scan. In a similar vein to the perimeter scan, it is an external assessment. But this scan in particular we're pretty excited to offer. As some of you may know, we do currently have a web application scan. It is quite an intensive scan and assessment, and is generally a credentialed scan that requires authentication. This web application surface scan is designed to be a lighter version of this scan that does not require authentication, and solely looks at the external surface of your web application.
We identified that this scan can help those customers who want to make sure they're testing their systems regularly, but don't necessarily want to add to the request and site visit volume that our full web application scan might bring with it. So what we've seen with some customers is that they will have their full web application scan that is credentialed, scheduled at a pretty regular cadence. And this surface scan scheduled at a more frequent cadence so that they can feel more comfortable getting a high frequency of scanning. Third, for those customers that work with us that leverage a client-based architecture, those being generally our managed service providers and insurance-based customers, one thing that is core to that workflow is of course adding clients to the platform and adding in your customers. With that, we want to always strive to make the platform as seamless as possible for you and to make sure it is always easy for you to get your clients in so that you are able to start providing them the benefits of vulnerability management. In that vein, what we've developed is the ability to import clients via a CSV file. I'll go ahead and give a demo of that functionality right after this next bullet is overviewed, but we're pretty excited to share that. And then finally, one thing I want to highlight is that some of our customers are leveraging a shareable link for cyber risk checkups that is available within certain subscription levels. And what we've done is improved this report for any customers that have used this so that the report mimics that of the cyber risk checkup within the platform, and has a bit more of the branding that our MSP customers and insurance agency customers are able to leverage within their report process. So pretty excited to share those updates.
At a high level, before we jump into a quick overview, I do want to just highlight and make sure that I'm sharing, as we head into the end of the year and towards the end of December and mid-December, the team is absolutely focused on stability and scalability of the system. And so while all of you are hopefully resting and having a great time with your families, we will be making sure that our systems and yours are as secure as possible. So jumping right in, Molly. I'm happy to share my screen from here and give a quick overview of the things that I've highlighted today, where customers can expect to find them and how you might leverage them within your processes. Let me first start by sharing my screen. And here, what you can see is our general assessment configuration page. Within the assessment configuration page, you'll find in the full vulnerability assessment section the two new scans that we discussed. The first being our perimeter scan and the second being our web application surface scan. They're both within this external scans category. And if we double click on this perimeter scan here, what you'll see is you have the ability to provide both a domain name or IP address. Underneath, the perimeter scan does focus specifically on IP addresses, but we have the ability, if you provide a domain, to resolve that to an IP address. This helps any customers, regardless of their technical savvy level, to be able to leverage this scan. So if you know the IP address or range of IP addresses that you would like to be scanned, feel free to provide them. If you really only know a domain that you would like to be scanned that's associated with your infrastructure, you're able to provide that as well. Once entered, this gets added to any other assessment as you can see here, and will run once you, of course, start the assessment. To give you a quick insight into what some of these vulnerabilities look like, we've got an example right here.
And here, you can see within these we have CVEs for these vulnerability titles, because these are directly tied to those. But we still provide the same level of detail and information we always have. We have a link to more specific details, a link to the source, as well as an overview of the threat itself with a more human level description. And then finally, of course, we provide you with a vulnerability ID. Should you have any questions about any of the vulnerabilities you find within our assessments, you're always welcome to reach out to our support team to help get an understanding of what that vulnerability might mean or how it might compare to another. That's our perimeter scan. Jumping to our web application surface scan, once again, this is fairly similar to our web application scan. Our web application surface scan is a bit simpler in this case because it only requires the domain of the web application you wish to scan. So in this instance, all you need to do is provide that domain and you would be able to start the assessment with that domain provided. One thing I will highlight, if you are a customer who generally does full vulnerability assessments and an authenticated web application scan, you don't need to run a web application surface scan at the same time. Our full web application scan does cover the exact same amount, but more. This web application surface scan, once again, is meant to provide you an opportunity to evaluate that surface area as you go. The next item I want to highlight is our import via CSV functionality. So for those of you that may be a managed service provider or an insurance agency, this screen might look familiar. This is your client management screen. What we've done is where we've historically only had the clients button, we've added an import clients via CSV functionality, where you are able to begin uploading a CSV file of your clients so that they can be uploaded in bulk.
In order to help you, we've of course provided a document with a how-to on generating a CSV, as well as a template that you can use to get started on generating the formatting you would need for importing these clients. It's downloadable, it's very small, it's just a header row. But it gives you the information you would need. Once completed, you would go ahead and upload it to this field and be able to upload all of your clients. And they would appear within your clients table. And then wrapping things up, for those of you that leverage the cyber risk checkup link, what you have now is the ability to have your branding that you can set up on this page come through to your cyber risk checkup links. So if you have a contact name, a domain, an icon, a logo, any of the users or customers that leverage your shareable cyber risk checkup link will see that branding on those reports as well as in the emails and communications they receive. This way, we're giving you a further ability to demonstrate the value you provide to your customers. And that wraps up the updates I've got for Q4. Once again, as I mentioned, the team is focused on these feature developments early in the quarter so that we can make sure we are focusing for the end of the year on stability and scalability of our systems. So you can rest assured that we are working diligently to make sure that you all are in the best position possible. Thank you.

Molly Morical: Thank you, Alex. Okay, let's jump back in. I bypassed this, so I apologize, Jim. We can tee this off. But I think talking about the services that we offer that maybe customers don't know about, and then Alex showing some features and new updates in the platform could tee this up for good conversation with you as far as changes that Trava has been making, and then us being a compliance partner for our customers. So if you don't mind, would you talk a little bit about an overview of compliance for us?

Jim: Yeah, I'd be happy to. And I think you really captured our new messaging. Like many of our customers, we're always looking at our product market fit and our go-to-market efforts and our messaging and so forth. And what we realized was that we were leading with our messaging about our software platform. And really what we are, is we're a compliance partner. Yes, it is software enabled. But our true value, we've said it in different ways. We said our software is great, but our people are tremendous or whatever it was, or people are spectacular. But when you come right down to it, that one thing that we offer is we are your compliance partner. Now what does that mean? Different customers need different amounts of partnership, is the easiest way to put it, based on their resources, based on their business case for compliance, based on their goals, et cetera. And so really, what we've done is we've started to differentiate, and I would say become more comprehensive, in those partnership services that we offer. So traditionally, what we offered is what we're now calling compliance advisory. So we're the experts in a given compliance certification, be it SOC 2, ISO 27001. On the privacy side, GDPR or CCPA. And on the federal side, CMMC or FedRAMP. What we've done beyond that was we've realized that some of our customers don't have the in-house resources to really bring those projects over the finish line in an efficient manner. And so the next thing that we're able to offer, beyond just advice, " Here's what you should do next, here's your priority", is we actually do pretty active project management. And so literally, we're ultimately responsible for delivering a given project on time. And then the final layer that really has come about in the last year, as companies have had reductions in force or someone's left for another job...
And they've taken a minute and said, " Well, should we really try to backfill this position?", because compliance people, good compliance people, are difficult to find and expensive. So several of our customers said, " Well, could you do more for us? Could you literally be our compliance person?" And the answer is yes. And so the key differentiator there is we're more hands-on in your compliance management platform, regardless of whether it's Carbide or Drata or Vanta or any of the others. So we'll literally be in that compliance management platform for you. Not just for the setup, but also assuring that throughout the year, the evidence is being brought into that compliance management platform on time, it's good quality, et cetera. We're almost doing that ongoing continuous monitoring of your compliance program that's needed. So that when it comes to that point in the year where we have to do internal audit, we're not going to have a lot of findings because we've been keeping an eye on it throughout the year. And then also, you have greater assurance that your external audit's going to go fine. So that's really, Molly, in a nutshell, what we're doing. We've just expanded the depth of the relationship with our customers, in terms of what we can do for them in terms of compliance.

Molly Morical: Right. And I think one thing I want to note, you touched on SOC 2, ISO, GDPR, CCPA, CMMC. There could be things like FedRAMP or TX-RAMP that customers are asking about. But I don't want to say the possibilities are endless. But if you are having customers, or if our customers are starting to hear from their potential customers, " Do you have this? Do you have this? Can you help me fill out this questionnaire?", those are other things you can bring to us that we can review and see what additional things we could help you with. So obviously, you highlighted the ones that we have been focusing on. But that's not limited. So I just wanted to make a note of that as well, that we want to help with the full package that you have. We want to make sure, like you said, if someone has a timeframe, we work on roadmaps when we first set things up. And if you have an audit scheduled at this time, we will work to make sure that we fit within your needs. That way you have a successful audit and get your certification.

Jim: That's a very good point. Two others that occur to me right off the top of my head are HIPAA and PCI. What I would point out, especially for our customers that are thinking about or currently doing business internationally, international certifications get... I don't want to use the word complicated. But there's a whole lot more out there than you might think. And in some countries, they're by industry. So for instance, when I was at Salesforce, we had three different certifications in Germany just for the automobile, just in order to serve the automobile industry in Germany. So when I was at Salesforce, I was responsible for 35 or 40 different certifications worldwide. So I doubt one of our customers could come up with a certification that I hadn't heard of. So by all means, reach out.

Molly Morical: Yes, thank you. Okay, I think you are still up, Jim, about 2024 and what's going on in cybersecurity.

Jim: Okay, I better take a sip of water then. Go ahead. Yeah, there we go. So the first thing you may be saying is, " There's nothing new about ransomware, Jim." And to some extent, that may be true. But I think we're going to see some evolution here. And I don't know exactly what's going to happen. I just want to talk about what I know, the warning signs. You may not have heard it, but there's a cyber terrorist group from Iran that has broken into water treatment plants now. And so what I have seen on the ransomware front is the cyber criminals or cyber terrorists are now targeting targets that would have been considered off limits before. So hospital and healthcare systems, water treatment plants, et cetera. The other development that you may have heard about is there's a group of 40 countries that are now saying, " We need to stop this. We need to agree that we're no longer going to pay these ransoms", et cetera. There have also been in the past couple of months some pretty well publicized FBI take-downs of ransomware groups. So my point in saying all that is ransomware isn't going to go away anytime soon. What I would also say is don't believe any technology advertisement that says, " Buy this one thing because it's the magic anti ransomware protection you need." As you see in the Trava platform, almost everyone has ransomware as a risk. But if you click on, " And what do I need to fix in order to mitigate that risk?", it's a whole combination of a variety of different things. So I'll stop there on that one. There are, at least in the United States, a couple of developments that we expect to hit in 2024. The NIST Cybersecurity Framework, NIST CSF, has been around for some time. It is a great standard by which any company can measure the immaturity or whatever. There is a NIST 2.0 that we expect to be... It's out and I don't know what you'd say, quasi official at this point. But it's supposed to be officially ratified sometime in the first half of next year.
And I would say the biggest change, which I'm thrilled about, quite frankly, is... The big difference is they've added a whole section on governance, the importance of governance. So it's not just okay to have a bunch of controls, of the right controls in place. If you don't have a governance layer over it, making sure those things are being done properly and continuously monitored, that type of thing, all the things that Trava tends to stress with its customers, then you don't really have a comprehensive cyber program. And so I'm really quite enthusiastic about NIST 2.0. And then finally, if there's any Department of Defense contractors, we've got at least a couple of our customers that we're working on CMMC certification for. We've been in limbo. In other words, believe it or not, despite all the publicity, CMMC is not a mandate yet. But we expect that requirement to be finalized or ratified or whatever governmental term you want to use. We expect that to happen in 2024, which means at that point, it's no longer an option. Tier three and tier four Department of Defense contractors must meet those criteria.

Molly Morical: Thank you. Okay, let's go to Jara to talk about another webinar.

Jara Rowe: Yeah, just here to let you all know that on Tuesday, this coming Tuesday at 11 a.m. Eastern, the team will be hosting another webinar, really just to help people get set up and prepared for 2024. We'll go over some more things that Jim just went over about ransomware, other emerging trends, talk more about compliance and other things. I would definitely encourage all of you to share this with your coworkers, as they might not be as in tune with the cybersecurity world as you all are. This is a great learning opportunity. And even if you can't attend, I would still encourage you to register as we will be sending out a recording at the end. So yeah, please feel free to share this with your internal teams. That'd be great. Also, I mentioned our podcast earlier. We are in the midst of recording season three. It's called The Tea on Cybersecurity. And we're really focusing the first half of the episodes on compliance. So if there are any questions you have about specific frameworks or different terms like controls and all these other things that are new to people like me, and maybe some of you as well, let us know. You can reach out to me or Molly and she can forward it to me, because I would love to help get your questions answered during the podcast.

Molly Morical: Yes. And if you haven't ... So just a quick thing, if someone wants to listen to season one and season two, is there a place for them to find that?

Jara Rowe: Yeah, you can actually find it wherever you like to listen to your podcasts. They're also all linked on our website. So if you go to travasecurity.com, it's like, " Learn from Trava." There's the podcast link there, but you can find us on Spotify, Apple Music and anywhere else where you listen to podcasts.

Molly Morical: Yeah, and I know, I think you and I talked about this a while ago, that in cybersecurity, there's new things to learn all the time. But when you're actually having these webinars and you're interviewing someone or bringing someone from a different company, you're learning more all the time. So I feel like since I've been here for a while, I know a lot about this. But every single... When I've been listening to the podcast to catch up, it's awesome to hear from other companies and people's experiences and just... It's never-ending knowledge, which I think is awesome.

Jara Rowe: I've learned a lot as well. So I would just encourage you to listen to it or again, share with your co-workers. Just, people find cybersecurity intimidating, but we try to dumb it down, for just lack of better words, for people like me. Or yeah.

Molly Morical: So yeah, if you haven't listened to any of those, I highly suggest you do. Again, anywhere that you listen to your podcast, they're awesome. So thank you, Jara.

Jara Rowe: Yeah, no problem.

Molly Morical: Okay, I will leave this open. I don't know if we've had any questions come in the chat. But if anyone has any specific questions, we can hang out for a minute and see if there's anything that we can help answer. And if not, then we could let things go a little early.

Jim: It doesn't look like there's any open questions. I just wanted to add one thing in regards to feedback. We know everybody's time is very valuable. We want these customer webinars to be worthwhile for our customers. So any suggestions you have about a whole section that we're not doing or a different way to organize it or whatever, we're always open to suggestion. We believe in continuous improvement here at Trava, and we consider our customers part of the Trava family. So by all means, we want to hear from you.

Molly Morical: Right. Yeah, something that we see all the time, and especially something I say, I'm sure Jason would say since I see him on, is I always say that your success is our success and we want to grow. Obviously, we are a startup and we're growing and we can't do what we're doing without customers like all of you. So even on our one-on-one calls that we have, if there's things that you like, let us know. If there's things that you don't like, obviously let us know, because continuous improvement. But we want you to be successful and satisfied with what you're getting out of Trava. So if there's something that you want to see more of, we are always open to those suggestions. That way, we can help continue ensuring success for customers like yourself. I don't think we have any chats coming in. I did get a couple of chats via Slack that I will respond back to. But I'd say if we don't have anything, then we can wrap this up early and let everyone get back to their day. So thank you all for joining. We-