Technology has transformed the way we do business today. With on-demand technology, companies can enjoy huge opportunities for improving productivity and reap the benefits of data sharing with customers, suppliers and business partners. However, this technology is increasingly subject to associated security risks.
Safeguarding business information assets is a key challenge. Data such as strategic plans, customer information and R&D results are both crucial to operational success and lucrative targets for attackers. Even generic security threats such as worms and viruses can interrupt business continuity and significantly lower profitability.
According to IDC, a global market intelligence firm, “Information protection and control will be a major area of investment over the next five years. Information has become the world’s new currency. The growing number of high-profile incidents in which customer records, confidential information, and intellectual property were leaked (or lost/stolen) has created an explosive demand for solutions that protect against the deliberate or inadvertent release of sensitive information.”
From a pure dollars and cents perspective, the average financial loss resulting from IT security inadequacies is $380,000 per retail business. That amount is not trivial to any business. Nor is the loss of customer confidence.
But how do you develop security solutions for the Internet that deal with threats deployed so rapidly that they have worldwide impact in mere seconds? That’s what the founders of Calyptix Security Corporation were thinking about as they came to Charlotte.
In 2000, Lawrence Teo had been studying computer science and security under Dr. Yuliang Zheng in the Honors Program at Australia’s Monash University (the Australian “Ivy League”), when Zheng, a noted cryptography expert, was recruited to join the faculty of UNC Charlotte and to support Wachovia in several cryptography initiatives. When Zheng accepted the offer to come to Charlotte, he invited Teo to complete his studies at UNC Charlotte.
“The invitation to study in Charlotte coincided with a rare visit that I was able to have with my parents in Malaysia. They were with me as I received Dr. Zheng’s phone call,” Teo recalls. “We were all excited, but my parents were a bit apprehensive having never met Dr. Zheng. That meeting didn’t take place until 2006 when I completed my Ph.D. and my parents came to Charlotte from Malaysia for the graduation ceremony.”
As Teo’s dissertation developed, new technology emerged. With the input and guidance from Zheng and assistance from Mark Wdowik, then head of UNC Charlotte’s Department of Technology Transfer, Teo gained confidence that his emerging Internet Defense Force had potential, and combined efforts with Zheng to form Calyptix Security Corporation.
The name Calyptix was taken from Eucalyptus Sideroxylon, the scientific name for the red ironbark, among the toughest of the hard wood trees. Indigenous to Australia, the tree is known for its ability to germinate by fire. At once alluding to the sturdiness of the protective software and its ability to defend relative to the swiftness and destructiveness of Internet security risks, the name seems doubly appropriate.
A Secure Birth
As a foundling company, Calyptix entered the UNC Charlotte Office of Technology Transfer’s 2003 Five Ventures Business Plan Competition—and won. Soon after the competition, Zheng and Teo, with contributions from Dr. Gail-Joon Ahn, published research on Internet-scale intrusion detection and signature-less intrusion prevention at reputable IEEE and ACM computer science conferences. Zheng was elected to the Steering Committee for the International Workshop on Information Assurance and chaired its annual 2004 workshop and was also appointed as founding director of UNC Charlotte’s Information Security and Assurance Center.
More recently, Zheng was appointed as the Steering Committee chair for the International Workshop on Practice and Theory in Public Key Cryptography (PKC). The PKC workshop is the first and longest-running workshop on public key cryptography, which is the cornerstone technology that enables all electronic commerce on the Internet today.
Zheng comments, “After the business plan competition and the publishing of our research, things began to happen quickly. In less than a year, the concept went from dissertation to technology. We were energized by the effectiveness of our ‘dynamic inspection engine’ and the attention our research attracted.”
Calyptix next faced the challenge of commercialization. Zheng and Teo had validated their new technology, but had not turned it into a product that would be marketable to businesses.
That’s when Charlotte attorney Ben Yarbrough, longtime encourager of the technology development community, gave in to his entrepreneurial fever and accepted Calyptix’s request to lead the company. As Calyptix’s chief executive officer, Yarbrough’s mission has been, and continues to be, deploying the technology as a product, identifying Calyptix’s differentiation in its marketplace, securing seed funding, and delivering the all-in-one solution to customers.
In addition to a chief executive officer, Calyptix has added IT security expertise from such noted institutions as MIT, and sales, marketing and administrative support to create the team that is now executing a “go-to-market” strategy.
Upon solidifying their idea at the Office of Technology Transfer at UNC Charlotte, Yarbrough prompted the company’s relocation to the Ben Craig Center. After reviewing a variety of different alternatives, Yarbrough says, “More important than the reasonable terms, loaner furniture, and great facilities were the staff and programs at the Ben Craig Center—which have been tremendous.”
A Gap in the Marketplace
The Calyptix principals surveyed the IT security marketplace to identify their niche—a gap in existing solutions that they could fill. Individual computer users have low level protection for their machines and huge corporations have extensive solutions that are integrated into massive security strategies, but small to midsize businesses (SMBs) have little choice in products that protect their networks and their data.
According to the U.S. Small Business Administration, SMBs account for almost 99 percent of the businesses in the U.S. and number approximately 20 million.
Unfortunately, SMBs suffer the lack of choice in the face of more than 140,000 network incidents per year. That count, taken in 2003, has increased by more than 100 percent each year since and will total more than 4.5 million network incidents per year by the end of 2007. The incidents and attacks themselves have changed over that four-year time span.
Historically, the goal of attacks was to be detected. Their efforts were devious but not necessarily covert. Today, the goal is financial gain. Attacks unobtrusively infect computers and turn them into “bots” to build a “botnet.” This botnet can enable cyber-terrorism attacks, fraudulent offers and transactions, and network degrading spam.
To add insult to injury, SMBs in health care, financial services, education or those who are credit card-accepting merchants face new regulatory compliance measures that require information flow to be accurately and securely tracked.
SMBs are truly up against the wall. They know that IT security is important. The legal and regulatory impact of ignoring it can have a crippling impact on a business. The loss of data and costs associated with its remediation wreak havoc on business value and financial bottom lines. The health of data and data networks is no less important to the small and midsize business than it is to enterprise level corporations.
SMBs can install a firewall or they can purchase managed services in their attempts to ward off the dangers of network intrusions. The first is easy on the budget but totally inadequate. The second may provide peace of mind and adequate protection but is costly. Most choose the first: Install firewalls and cross their fingers. Without a solution that fills the gap, SMBs can do little but dodge risk by employing security through obscurity.
Securing the Market
The Calyptix products enable SMBs to deploy IT security that is comparable to solutions that large organizations spend more than $20,000 to implement—for about 10 percent of the cost. Their solution, built on one hardware platform, requires no other equipment, staff, maintenance or integration and provides security functions that greatly reduce the occurrence and impact of incidents.
A single IT security device integrates several security functions into one package. Within the IT security space, this is known as a UTM or a Unified Threat Management device. Implementing other types of solutions to deploy like functions involves as many as four separate devices or platforms. The single, unified device is predicted to be the way that more IT security solutions will be offered in the coming years. According to IDC, “Integrated secure content and threat management solutions will be more effective in combating the complex new blended and hybrid threats than traditional deployment of independent security technologies.”
Calyptix’s product, AccessEnforcer, is a small appliance—more like a DVD player than a microwave—and is perhaps more easily managed than a DVD player. Its operation can be monitored with a user-friendly dashboard that clearly identifies and tracks potential threats and the measures it takes in providing protection.
“This is a problem-solver for the SMB because it supports all of their basic security needs—protection, management, maintenance and compliance—in a single device that is simple to use. This solution provides an incredible amount of security ‘bang’ for their buck,” Yarbrough confirms.
Creating Noise of Its Own
Yarbrough readily admits that the IT security space is fiercely competitive with several mega providers dominating the market with products that, at first glance, look similar to what Calyptix offers. “Big marketing budgets and well-known clients sometimes obscure new ideas brought to the marketplace,” Yarbrough points out.
The Calyptix team continues to analyze other products and the marketplace, prove and improve their technology and inform the industry of their discoveries. Their tenacity and their fresh approach to intrusion prevention is creating noise of its own. In 2006 and early 2007, Calyptix detected several significant malicious elements ahead of multiple leading anti-virus makers including the Storm Trojan, the Valentine’s Bug, and the Stration and NuWar worms.
Recently, industry publications noted Calyptix’s research in identifying a CSRF (cross-site request forgery) flaw in numerous existing security appliances on which large and small businesses depend for intrusion prevention. Because of Calyptix’s research, these appliances are being updated to fix the flaw.
Calyptix is building relationships with partners who can contribute value to its foundational offerings or sell its products as part of a larger strategic solution. Input from a broad array of customers such as the Charlotte Chamber of Commerce, Commercial Credit Group, Ettain Group, JPS Industries and the Ben Craig Center is driving future development of their products to address emerging issues with fresh solutions.
While IT security and intrusion protection may be less glamorous than slick iPhones, it has tremendous impact on businesses and individuals. The Internet’s proliferation into our critical commerce and communications infrastructure required only ten years when other elements of comparable significance required 50 years. Nefarious threats are escalating at a frightening pace.
Combating illusive, rampant and increasingly malicious attacks on our vital worldwide infrastructure is quite a challenge. With their world class expertise and knowledge, Zheng, Teo and Yarbrough continue to lead Calyptix to research, test and examine technology so we can feel confident that “the world’s new currency” remains protected.