The Sole Property of Type80 Security Software, Inc - Essay Example

Protecting the IBM z/OS with SMA_RT Security Monitor and Type80 Syslog Business Summary July 5, 2007 Jerry Harding 211 North Union Street, Suite 100 Alexandria, VA 22314 Phone: 703.519.1229 Email: jerry.harding@type80.com The content of this report is confidential and is the sole property of Type80 Security Software, Inc. Its use is strictly limited to those readers authorized by the Company. Any reproduction or divulgence of the content of this report without the written consent of the Company is strictly prohibited. Table of Contents Executive Summary 4 The Business 4 GAP Funding 5 Venture Funding 5 6 Market 6 Management 8 Mission Statement 9 Company Description and Ownership 9 Company Location and Facilities 9 The Market 9 Type80 Customers 10 Software Products Overview and Detail: 10 SMA_RT Security Monitor 10 Type80 Syslog Security Agent 12 Revenues/Pricing 13 Competitive Advantages 13 Development Projects Using GAP Funding 16 Recently LAB-Completed Development 16 Software Development Usage of GAP Funding 16 Possible Usage of Future GAP Funding 16 Marketing and Sales 17 Management Team Summary 19 Organizational Structure 19 Management Team 21 Executive Summary The Business Type80 Security Software, Inc. (Type80) develops and markets proprietary software for IBM mainframe computers running on the zSeries/Operating System (z/OS). Type80 has two products fully developed and successfully deployed at customer sites: Security Monitor and Alert in Real Time (SMA_RT) SMA_RT is our "flagship" product designed to protect information stored on IBM mainframes by detecting the presence of an unauthorized entry (intrusion) and "sounding the alert" to responsible parties immediately upon detection. SMA_RT operates one step beyond security products designed to prevent access to intruders. Once the security is breached, an intruder can cause significant damage and huge financial loss in a very short period of time. The SMA_RT solution is to thwart the intruder before he has the opportunity to create havoc. Type80 Syslog Mainframe computers are no longer stand-alone entities. They are now connected to large networks that span the globe. Information technology (IT) security personnel must now concern themselves with enterprise-wide security throughout their entire network. Type80 Syslog is designed to centralize security event monitoring, bridging the gap between network and mainframe security products. Intellectual Property With SMA_RT and Syslog, Type80 is dedicated in providing the highest quality IT security possible on the market. In order to ensure the competitive advantage in our market, we applied for patents for both products. The U.S. Patent and Trademark Office has completed 2 years of research and accepted all 28 elements of the application. The total fees for the application have been paid and the patent is expected to be issued within the next 30-45 days, making Type80 the sole legal software provider of mainframe Security Monitoring and Alerting in Real-Time (SMA_RT). GAP Funding In its effort of ensuring competitiveness, Type80 continues its thrust to innovate by adding new features to its current offerings and developing entirely new products which will further broaden its ability to monitor, identify, and report an intrusion that virtually touches any resource within the mainframe. In the implementation of Type 80's immediate growth plan, the company expects to incur an estimated $500,000 in total costs. This GAP funding will utilized in the development of a Screen Image Capture Feature (SICF) of the SMA_RT product. This feature will allow forensics investigators and law enforcement agencies to immediately view and capture illegal activities real-time. The data collected by the SCIF can be presented and used as evidence for legal prosecution. The development of SICF gateways is in response to the lack of commercial software with is used for legal purposes. Because of this, SICF also places Type80 an estimated five years ahead if its potential competitors. Terms of the GAP funding is linked to its development milestones and will better position Type80 for its long-term growth plan. Venture Funding In undertaking Type 80's long-term growth plan, it is estimated that the company will need to source $1,678,360. The $681,360 will be generated from sales receipts. Type80 is seeking investors to contribute the additional $1,000,000. Terms and conditions are negotiable. The financial plan demonstrates that Type80 can return the investment plus interest during the first five years of business: Market The mainframe market is growing. This growth is largely because the mainframe has proven itself as an ebusiness workhorse. According to IBM, 70% of its growth in MIPS (millions of instructions per second) represents new workloads such as Linux applications, SAP or WebSpere - software that supports ebusiness. Mainframes today are connected to vast networks, including the Internet. They are no longer private islands where only those allowed on the island had access. We live in a hacker prone era rife with data theft and increasingly innovative techniques to perpetrate computer fraud. This is a problem that will not get better with time and can not be "legislated" away. The perpetrators are highly skilled, live in various countries throughout the world, and continue to develop new techniques to penetrate private computer systems. There are really only two avenues of defense: 1. Keep the perpetrators out 2. Catch and neutralize perpetrators who breach the defenses Numerous software vendors, including IBM, have developed products to prevent access to intruders. But intruders get through. Some, unfortunately, are "trusted" users. Software companies addressing this issue have developed products that generate usage logs and "intelligent analytics" to sort through the logs attempting to identify anomalies. These are generally forensic investigations which even if identified, may be entirely too late. Type80 uses highly sophisticated, uniquely created analytics. The Type80 solution reports in real time, that is, when the intruder enters. Type80 is the only software on the market with our broad range of capabilities, and as a result, our potential market is as large as the number of mainframe computers running z/OS. We estimate that number is somewhere between 10,000 and 20,000 (and probably closer to the high side), and will continue to grow for many years to come. Management The owners themselves assume the three key positions: Director of Operations, Chief and Assistant Chief Technical Officers. The owners, collectively, created Type80, took it to market, and successfully installed and maintained the software with customers around the world. Together they have over 75 years of experience in software development, mainframes, computer networking, intrusion detection, computer security, and consulting for governmental agencies, Fortune 500 and international companies. Having developed and successfully marketed a must-have product for every networked mainframe running z/OS, the owners are prepared to take Type80 to the next level by hiring a talented sales staff to take the message to mainframe users that Type80 can protect their information, their systems, and by default, their businesses. Mission Statement Our mission is to protect IBM z/OS mainframe computers from unauthorized use and malicious activity by selling and installing our products on as many of the up to 20,000 relevant IBM mainframes in the market. Company Description and Ownership Type80 Security Software, Inc. is a privately-held C-corporation, incorporated in the State of Delaware in 2002. Owners include Messrs. Jerry Harding, Chris Goggans, and Donald Pagdin who equally share 97% ownership, along with a 3% minority partner. Company Location and Facilities Our corporate office is located at 211 North Union Street, Suite 100, Alexandria, VA 22314. We are currently seeking approximately 2,400-square feet of office space with some private offices, cubicles, reception area, and a conference room in the Washington, D.C. metro area. The Market Worldwide, there are between 10,000 and 20,000 IBM z/OS based mainframe systems. IBM does not publicize that number, but as eCommerce businesses continue to proliferate, the need for mainframe computers will flourish. Mainframes running z/OS can store massive databases that far exceed the storage available on client server technology. As more information becomes centralized and stored on mainframe computers, they will become more attractive to hackers. Historically, information on mainframes was restricted to closed environments, but today those mainframes must communicate with the outside world, and the need to secure them is ever so more important. eCommerce has become a way of life growing at geometric speed and there is no end in sight. Companies participating in eCommerce, financial institutions, healthcare insurers and providers, and governmental agencies have valuable customer databases that must be protected for both legal and competitive reasons. Type80 Customers Type80 serves a diverse market including banks in Australia, Mexico and the United States, a major Blue Cross/Blue Shield healthcare provider, a mid-west finance company, a large retailer requiring PCI (payment card industry) compliance, and a US Government agency. Software Products Overview and Detail: Type80 Syslog is based on our flagship solution, SMA_RT. Syslog uses a scaled-down version of the SMA_RT technology for extending mainframe console messages and write-to-operator messages to external log retention servers. This enables easy integration with enterprise management platforms such as Security Information Management (SIM) products. . SMA_RT Security Monitor SMA_RT is a mainframe computer security software product providing real-time intrusion detection and response that is not available from any other mainframe security product. SMA_RT augments security products such as IBM's RACF (Resource Access Control Facility) and Computer Associates' ACF2 and Top Secret. SMA_RT facilitates integration with Security Information Management (SIM) and Network Management products. The SMA_RT real-time reporting facility eliminates cumbersome and untimely batch reporting. SMA_RT captures in real time system management function (SMF) data, operating system messages, application program messages, database messages, TSO (time-sharing option) messages and even customer-specific messages generated using our API (application programming interface). These input streams are used to determine possible security attacks on the mainframe using a combination of configurable security rules and basic anomalous behavior models. The SMA_RT Security Monitor: Provides real-time alerting of security events occurring on the mainframe Detects potentially malicious activity, including actions authorized by mainframe security settings Integrates with RACF, ACF2 and Top Secret, even across multiple data centers Supports UNIX System Services Gather events in real time from SMF data and an Operating System Interface Includes API that makes it possible for customers to define custom security events Sends security events to 3rd party products to provide complete enterprise-wide threat management coverage Helps detect denial of service attacks Saves excessive man-hours searching through system logs when investigating a security breach Provides configurable rules within the GUI (graphical user interface) making it possible for customers to filter out non-critical events Uses a small memory footprint in each LPAR ("mainframe instance) being monitored Is easy to install and does not require rebooting the system The Type80 SMA_RT agent will take mainframe console messages as well as any security messages (RACF/ACF2/TS) and forward them to an external destination, such a SIM/log consolidation platform. The SMA_RT agent can also track and forward a variety of events, including forwarding detailed information from various SMF record types and track their occurrence to watch for anomalous activity. This is above and beyond the simple authorized/unauthorized monitoring of the standard mainframe security agents. For example, using Type80's SMA_RT agent, a security engineer can track file access or the opening of a dataset for updating, even if the user accessing the file has been granted authorization by RACF or ACF2. SMA_RT can easily accommodate the monitoring of additional SMF records if requested by the customer. Further, through the use of an API, SMA_RT can easily monitor (and forward) data generated from applications developed in-house. Type80 Syslog Security Agent Type80 Syslog for IBM z/OS enables extension of all mainframe console messages and write-to-operator messages to be routed to external log retention servers using the TCP/IP Syslog protocol. TCP/IP (Transmission Control Protocol/Internet Protocol) is the suite of communications protocols used to connect computers on the Internet. It is built into z/OS, UNIX, Windows, Linux and other operating systems and is the Internet's de facto standard for transmitting data over networks. Type80 messages are sent in real time and provide an easy way to monitor the mainframe as part of an enterprise-wide security program. Easy installation without any downtime No IPL (initial program load or reboot) No complex rule syntax Presents messages in real-time for immediate action Provides multi-line WTO (write to operator) messages as one message allowing for easy parsing and string searching Adds real-time legacy messages to enterprise-wide security products already purchased Centralizes security event monitoring bridging the gap between mainframe and network security products Provide centralized monitoring to facilitate easier compliance with SOX (Sarbanes-Oxley), HIPPA (Health Insurance Portability and Accountability Act), GLB (Gramm-Leach-Bliley), and other mandated security requirements Revenues/Pricing Our pricing is based solely on the number of LPAR's the client must secure. Many developers of mainframe software continue to tie pricing to MIPS, or Millions of Instructions Per Second executed by the CPU using the logic that the software is protecting more when more MIPS are used, and therefore should cost more. The logic is conceptually deficient because different programming languages operate at different efficiencies. Hence when two different languages are doing the exact same work, but one language is less efficient and consuming more MIPS, the customer is penalized by higher pricing. Type80 uses a standard of "pricing by delivered function," i.e., our function is to monitor LPAR security, regardless of MIPS, processes, programs in use, number of users or any other metrics. Clients know exactly what they are going to pay regardless of any other activities taking place on their mainframe. The price for SMA_RT is $15,000 per LPAR for the first five copies. Each additional copy is $6,000. The price for software maintenance (i.e., periodic updates) is 20% of the initial purchase price and can be extended year after year. While the software license provides lifetime protection for the LPAR to which it is installed, we anticipate all of our customers will most likely choose the maintenance renewal option every year to maintain state-of-the-art, up-to-date protection on their z/OS mainframes. Competitive Advantages In competing with the other players in the industry, Type80 utilizes Pricing Power, Lateral Growth and several Technical Competitive Advantages in order to ensure superiority. Pricing Power - The Type80 products are priced by "LPAR's" (Logical Partitions) or better described by "the number of instances", not by MIPS (millions of instructions per second) which are used by other competitors. This means that Type80's customers enjoy economies of scale. For example, provides a company the size of Bank of America with cost savings of hundreds of thousands of dollars through this pricing strategy. It also allows Type80 the ability to introduce price increases and still be at par with the industry. Lateral Growth - All of our competitors have elected to deliver security alerts only to their own product lines. Many governance and compliance regulations require mainframe logs to be included in the monitoring process but no other non-mainframe SIM vendor has the ability of collecting mainframe logs and security events in real-time. Type80, by thinking outside the box, has taken the business approach of being able to communicate and interface with all SIM vendors who wish to strategically include real-time mainframe security log processing. Type80 alert data is delivered to all SIM vendors by using a patented industry common delivery technique. This design provides easy integration with any SIM product and makes Type80 the "mainframe GO-TO guys" for any SIM vendor. It also provides Type80 with lateral growth by interfacing with any new SIM vendor entering in the market space. Technical Competitive Advantages - IBM and Computer Associates (CA) produce software designed for preventive security protection (the sentries at the gate), and Consul, Beta Systems and Vanguard Enforcer produce pro-active security monitoring software with limited abilities to detect malicious activities, but Type80 stands alone with its advanced features which caters to the needs of an untapped market. The company recognizes that threats from attacks are becoming more sophisticated not only in the technology they use, but also in their strategies. These include using employees to gain access to information, or even posing as employees themselves. In response, Type80 provides unique solutions to identify and stop these intruders because it is the only eServer product which is able to detect differences in the behavioral patterns of employees. The significant Type80 technical competitive advantages are summarized on the following page. Competitive Advantages 1 z/OS Security Products Preventive Security Protection Pro-Active Security Monitoring Detect Malicious Activity Detect Denial of Service Take Deterrent Actions Mainframe Real-Time Alerting DB2 Real-Time Alerting SCIF Real-Time Screen Capture Type80 No Yes Yes Yes No Yes Yes Future development IBM RACF Yes No No No No No No No CA ACF2 Yes Some No No No No No No CA Top Secret Yes No No No No No No No Beta Systems No Yes Limited No No No No No Vanguard Enforcer No Yes Limited No No No No No Consul No Yes Limited Limited Yes Yes No No 1 - Data was drawn from publicly available information posted on their websites and printed in their brochures Development Projects Using GAP Funding Recently LAB-Completed Development Type80 has recently self-funded the development of a SMA_RT add-on module that will collect input from and report activities taking place in IBM's DB2 (database management system). IBM describes DB2 as follows: "DB2 is the database management system that delivers a flexible and cost-effective database platform to build robust on demand business applications. DB2 further leverages resources with broad support for open standards and popular development platforms like J2EE and Microsoft .NET. The DB2 family also includes solutions tailored for specific needs like business intelligence and advanced tooling. Whether the business is large or small, DB2 has a solution built and priced to meet its unique needs." DB2 software manages some of the most sensitive, important and mission critical information stored on mainframe computers. Monitoring the accesses and activities that DB2 places on database record sets is critically important to the overall information security mission. Software Development Usage of GAP Funding Committed to innovation, future software development includes Screen Image Capture Feature (SICF) capabilities for system administrators for the collection of actual screen images of suspicious activities in the real-time. For example, an authorized user may "wander" into a dataset that he has permission to access, but is there at a time that does not necessarily fit his job responsibility. The SICF function of SMA_RT allows the system administrator to view the events screen images in Real-Time allowing him to assess significance of the event and take appropriate corrective action. Possible Usage of Future GAP Funding We also plan on developing our own version of SIM software that will store mainframe alerts to a single MySQL repository. MySQL is the world's most popular open source database. This will provide the capability to perform forensic analysis of all Type80 mainframe alerts across all "Mainframe Instances", commonly referred to as LPAR's, but more importantly to reduce our dependency on SIM vendors to sell our products. Marketing and Sales While we engage in some direct sales, our primary strategy has been to work with channel partners, such as SIM vendors, to gain exposure in the market. Partners include LogLogic (loglogic.com), Fitz Software & Co. (fitzsoftware.com), netForensics (netforensics.com), and Value-4IT (value-4it.com). We currently have numerous channel partners and will continue to add more, particularly in foreign markets, such as Japan (where use of mainframes is widespread) and other countries with promising growth in their businesses that use mainframe computers. These channel partners have helped establish Type80 with important customers that demonstrate the marketability of our products and provide excellent references, although selling our software is not their first priority. Once positioned for Venture Capital funding, Type80 will expand our marketing and sales efforts to include software resellers, and more importantly, develop an in-house sales staff to focus our attention on direct sales by reaching out to mainframe users and delivering our message about monitoring security in real time to prevent catastrophic events from which recovery will be extremely costly and total recovery may never be possible. As an example, although the details of the recent hacking of TJX's customer transactions have not yet been made public, credit card issuers have had to cancel and reissue hundreds of thousands of credit cards at huge expense. A relatively small investment in Type80's SMA_RT and Syslog technologies may have prevented this entire fiasco: CNET News, March 21, 2007, 3:23 PM PDT A major shareholder in T.J. Maxx and Marshalls parent company TJX Companies has filed a lawsuit to obtain documents concerning a hacking incident that left large amounts of customer credit card data vulnerable. The Arkansas Carpenters Pension Fund, one of TJX's largest shareholders, filed the suit Monday in the Court of Chancery of the State of Delaware. The group claimed that TJX has "wrongfully denied (them) access to the materials" pertaining to the data breach, which began in May 2006 and ended early this year. The company discovered the intrusion in December and first announced in January that its systems had been compromised. In the far-reaching hacking incident, credit and debit card data between January 2003 and June 2004 was potentially exposed for customers of all TJX stores in the U.S., Canada and Puerto Rico, with the exception of the Bob's Stores chain. There was also evidence of intrusion into the system that handles customer transactions for TJX's T.K. Maxx chain in the United Kingdom and Ireland. Some drivers license data may also have been left vulnerable. In a separate investigation, some of the credit card data from TJX was found to have been used in a case of gift card fraud at Wal-Mart and Sam's Club stores in the vicinity of Gainesville, Fla. The Florida Department of Law Enforcement announced Monday that six people have been arrested for using stolen credit card information to purchase large quantities of gift cards, which they subsequently cashed at the stores for items like gaming consoles, computers and TVs. According to the Gainesville Police Department, the total losses experienced by the Wal-Mart and Sam's Club stores, as well as banks that issued the stolen credit cards, are currently estimated to be over $8 million. The investigation remains ongoing. Management Team Summary Type80 will have a Director of Operations with responsibility for all business activity including finance and administration, marketing and sales, human resources, and legal compliance. Reporting to the Director of Operations will be Office Manager, the Director of Sales (responsible for all sales and marketing activities, operating within established budgets and achieving assigned sales goals), and the Chief Technology Officer. The Office Manager will attend to administrative duties and insure that the entire team is working in concert. The Office Manager will be responsible for recording day to day financial transactions and coordinating with outside professionals (legal and accounting) when necessary. Type80's Chief Technical Officer is the visionary who created the SMA_RT and Syslog software and will continue revising and updating the products to meet the continuing challenges of thwarting potential hackers. Reporting to the CTO will be an assistant CTO and a Mainframe Developer, who will work closely with the Assistant CTO. Organizational Structure The organizational structure for Type80 will be as follows: Management Team The owners are launching aggressive and technical searches to identify candidates to fill the key position of Director of Sales and additional Development and Support Engineers. The individual must have extensive experience in the IBM mainframe environment and each with demonstrated abilities and proven track records to handle their assigned tasks. Mr. Jerry Harding will serve as Director of Operations. Mr. Harding has over 30 years of mainframe experience and six years of providing security training for businesses, governments, military and counterintelligence agencies in the U.S. and 15 other countries. Mr. Donald Pagdin will serve as Chief Technical Officer (CTO). Mr. Pagdin has over 30 years experience as a mainframe assembler including several years as an independent contractor. Most recently, he was employed as an assembler systems programmer for a major bank in New York. He is the principal z/OS back-end developer and will provide installation and client support while overseeing the development of enhancements to the Type80 products. Mr. Chris Goggans will serve as Assistant CTO. Mr. Goggans has over 15 years security consulting experience specializing in Internet intrusion. He was a former engineer at WheelGroup in San Antonio, Texas, designers of the "NetRanger" intrusion detection product (now Cisco Secure IDS). He was a founder and the Director of Operations for Security Design International, until its purchase by Counterpane Internet Security. He was invited by the University of Tokyo to serve as an associate professor for their Center for Collaborative Research in 2003. He is a frequent speaker at major computer security conferences, author of several books and has published numerous articles about Internet security. He has also worked with federal law enforcement agencies to crack some of the most notorious computer crimes. Read More