Hacking For Good: UAE Startup VUL9 Wants You (And Your Enterprise) To Be Cyber Resilient
From Yahoo's data breach in 2013 and 2014 wherein over 1.5 billion users' data was compromised, to the 2016 DDoS attack which took down popular sites like Twitter, Netflix, Paypal and Spotify, there's certainly been a wave of cybercrimes around the world of late. The 2017 Norton Cyber Security Insights Report found that 978 million in 20 countries were affected by cybercrime in 2017, with the UAE seeing 3.27 million consumers affected by cybercrime and losing US$1.1 billion. Besides cyber attacks being identified as a national security threat, the cost for cybersecurity negligence by companies is high, and along with a lack of cybersecurity education and training, employees and individuals alike are vulnerable. This is the opportunity that cybersecurity startup VUL9 Security Solutions is capitalizing on.
VUL9 was launched in July 2016 by CEO Mohamed Amine Belarbi and CTO Mohamed Zakariae El Khdime; the co-founders saw a gap in the market and leveraged their access to stellar talent in security and ethical hacking community groups. "Ethical hackers are a very rare resource, and they tend to have a tendency to dislike bureaucracy, corporate structures, and authority," says Belarbi. With VUL9, the co-founders cultivated an environment for hackers to "feel free to pursue their passion in a legal and ethical way, and at the same time, not feel as if they were forced to work for a paycheck."
Team members are given targets, and are tasked with finding as many security flaws and vulnerabilities as possible. The end result? Clients are presented with cyberattack scenarios they're unaware of, saving them the cost and impact of the critical vulnerabilities the startup uncovers. "We are talking unauthorized access to databases with millions of user records, access to financial transactions, ability to destroy or leak data, capability to install backdoors, or even wipe out entire applications and IT infrastructures."
Source: Dubai Startup Hub
The co-founders met in a 2015 hackathon at New York University, Abu Dhabi. While El Khdime's passion for the field started at the age of 13, Belarbi's interest lay in finding opportunities in the market and creating an impact. Learning how to bypass anti-virus solutions from a young age, and having been a member of the white hacking and information security community was, El Khdime says, a "fun and notoriety game." They are now driven to be responsible with that capability, and it's one of the reasons why their core mission is "challenging existing traditional security patterns in order to improve the technology and safeguard millions of users across the region." Their meeting introduced Belarbi to the world of ethical hacking and to the community of infosec enthusiasts and professionals. "We understood that the cybersecurity market was a multimillion-dollar one, and that expertise locally and regionally was limited, hence, the clear opportunity to enter the space and establish ourselves as a provider of choice."
When the duo decided to pursue their business, they were faced with a two-pronged challenge: first, showing they have a marketable and scalable business (proof of concept), and second, finding the appropriate financing to bring the startup to life. Their solution to the first challenge was peculiar: approach a company with proof of their efficiency. Focusing on a large UAE-based tech company, the team found a critical weakness that could allow access to its entire database of users. They used this flaw to get the attention of the company's top executives, who were impressed by the startup's capabilities, which prompted a $26,000 contract for their services for three weeks. "The proof of concept was achieved because we showcased that someone was willing to pay significant amounts for our work," says Belarbi.
This was also a precedent for one of the ways they acquire potential customers. "We would look at existing companies with valuable digital assets, be it mobile applications, large user databases, usage of online payment facilities, literally anything worth hacking. Then we identify vulnerabilities in these companies' digital assets, and use it as a means to gain their attention, and show them that if our team was able to easily hack them, then someone else could as well, and that hiring us to help them strengthen their security posture is a must."
So far, they haven't stepped on any toes, and have received positive feedback from Samer Awjan, CTO of Aramex, Magnus Olsson, co-founder of Careem, and Fadi Ghandour, founder of Aramex and CEO and Chairman of Wamda Capital. Currently, VUL9 has four revenue streams: security audits and penetration tests, providing trainings, Payment Card Industry Data Security Standard (PCI DSS) certifications, and software products.
As for their financing hurdles, the co-founders were keen to find the right financial backer who would not only provide financial support, but also provide access to a strategic network locally. Prior to the launch, they achieved this when Mohammed Kamali (who also came on board as a co-founder) supported the startup with a seed investment of $90,000, helping the startup set up shop in the UAE and kickstart operations. He notes that the company has been profitable for the past year, financing operations with its revenue, and the ecosystem has noticed the startup too.
A year after the launch, two undisclosed Saudi angel investors contributed $225,000 to its seed round, which brought its valuation to $3 million. In 2018, their goal is to derive 50% of their revenue from licensing their suite of products, due to go live this year starting with their proprietary solution, Falcon. In total, the startup has raised $325,000. "[We] are now gearing [up] for our Series A in Q2 2018, when we're raising close to $2 million at a $15 million valuation." If that sounds implausible, Belarbi adds: "Our Series A is already oversubscribed, given the overwhelming interest we had from investors who witnessed our rapid expansion in the market, and the solid client portfolio we've built in such a short period of time." In the past year alone, Belarbi asserts that they've closed over AED1 million in deals in the UAE, and have also serviced clients in Morocco, France, Pakistan and Egypt.
To date, the startup's portfolio lists 12 marquee clients, including Careem, Aramex, and Abu Dhabi University, among others. In terms of partnerships, they list Kaspersky, Microsoft and Securitas, and have been approached by institutions in the region, and even competitors, to utilize the skillsets of the team. VUL9 is also one of the startups for which Dubai Startup Hub, the entrepreneurship support arm of the Dubai Chamber of Commerce and Industry, has facilitated deals through its Market Access program. The program involves corporations partnering with startups in the region, and its first edition saw VUL9 signing an MoU with Emirates NBD and flydubai to work on cybersecurity projects.
Currently, the startup operates in three markets: the UAE, which is its home base, Morocco, where most of its tech assets are based, and Sudan, where they've been able to open an operating office in Khartoum this year. Partnering with key stakeholders in countries the startup operates in is part of its strategy to leverage their networks and access to close deals, which the co-founders feel wouldn't have been possible had they followed conventional business development approaches.
As a number of players enter the nascent cybersecurity sector, when asked about their strategy for beating the competition, El Khdime reiterates it's the skills of the cybersecurity community that they've tapped into (and prior to VUL9, were a part of too). This allows them to uncover critical vulnerabilities and zero days that, according to El Khdime, even the tech providers aren't aware of. Their approach of working with clients as an embedded security team is also, El Khdime says, one of the reasons their clients have switched from international or local competitors to VUL9. In addition, Belarbi states that compared to others, they don't base their work on a series of standardized/automated tests that conventional providers rely on, but instead use the strategies and techniques that hackers use to compromise enterprises.
"We firmly believe that the best way to fight hackers, is by employing hackers who can think and act like the criminals do. We do not rely on scanners, firewalls and security checklists as a benchmark to secure an entity, but rely almost entirely on manual and individual exploitation and hacking techniques that can bypass traditional security systems. Our human assets are not employees performing a task they were contracted for, they are passionate hackers who live and breathe cybersecurity, always learn about the latest exploitation techniques and have previous experience finding major security flaws in tech giants such as Facebook, Google and the like."
With cyberattacks on the rise, to ensure clients are prepared, the team runs a risk assessment and focuses on worst case scenarios with an action plan on hand to decrease risk drastically. And as for startups that view cybersecurity as a luxury or costly expense, El Khdime notes how they've witnessed MENA startups either get destroyed or have their IP stolen through malicious cyber activity. While there is a focus on features, products and growth, El Khdime asserts that startups "have to commit to the safety of their customer's personal data and transactions because building great products on weak security foundations is a recipe for disaster."
He also cautions that, following the rise of heavy DDoS attacks in 2017 exploiting IoT connected devices, this year, with the rise of cryptocurrencies, there's a possibility that silent miners would be exploiting a "collective processing power of compromised instances at a global scale." He even notes that perhaps, more sophisticated forms of ransomware attacks might rise as more entities are able to pay in cryptocurrency. The UAE has launched initiatives to address such potential issues, like the Dubai Cyber Security Strategy launched in 2017 by Dubai Electronic Security Center. However, El Khdime comments that as a targeted region and country, although there is an overall awareness of cyber threats, the majority of businesses focus on cybersecurity too late, with some major entities not even having a post-incident plan.
El Khdime suggests a need for more education around the topic, along with more investment in R&D to truly "build an advanced cybersecurity intelligence powered by local talents, that will work closely with other governmental agencies and ensure a maximum protection for an entire nation and ecosystem." In response to this, with the support of Abu Dhabi's Union National Bank and Federal Demographic Council, VUL9 has finished building an intelligent platform to assess and train startups; they're now at the stage of crafting content for an awareness campaign, and have finished beta tests with some existing customers.
2018 looks like a busy year for VUL9's goals. VUL9 wants to strengthen their presence in Sudan as a provider of choice through their PCI DSS offering, as well as to focus on bringing their products online, to turn to a product-oriented business model rather than one driven solely by services. They also want to emphasize "competing for tenders and RFPs, especially public ones, hence our recent move as an onshore UAE company eligible to compete for public tenders." Besides that, with providers usually focusing on Dubai and Abu Dhabi, the duo wants to focus on less serviced areas in the UAE, such as the Northern Emirates like Sharjah and Ras Al Khaimah, especially within the financial and public sectors.
Along with that, they are also concentrating on partnerships with institutions such as KPMG and Crayon Middle East to further tap into their client portfolio and distribution channels. Plus, they're looking into family businesses as a client base, whose need for cybersecurity is on the rise given the digital transformation they're undergoing. As for the long run? The startup wants to "hit a $200 million exit in five years, either through an IPO, or by being acquired by global cybersecurity players interested in a strong foothold in the MENA market." Watch this space!
Mohamed Amine Belarbi, co-founder and CEO, VUL9
What are your top three tips to aspiring entrepreneurs starting a business in the UAE?
1. Don't approach investors unless you have traction and have a proof of concept to show. If someone is paying you money for your services or products, then you have a business worth investing in.
2. Associate yourself with key figures in the market you operate in, preferably by bringing on board strategic investors who have a network and access you can tap into, and translate into deals and contracts for your company. The Middle East, for better or worse, is a market where your "wasta" is the way things get done, so instead of shying away from it, leverage it to gain traction and get past doors you wouldn't have been able to open otherwise.
3. Be relentless. Whether it takes two months or two years, you have to keep on hustling and knocking doors because overnight successes in the startup world are a sham. Jack Ma spent 10 years slaving away and building Alibaba before he was recognized for the great company he built, so did Jeff Bezos and other notable entrepreneurs. People celebrate in public what others have spent a lifetime building in private, or as others like to describe it once they reach fame: We are an overnight success years in the making.
Co-founder and CTO Mohamed Zakariae El Khdime at a training session on cybersecurity for Careem's engineers in 2017
Mohamed Zakariae El Khdime, co-founder and CTO
What are the biggest vulnerabilities you found in SMEs and corporations?
"Thanks to the responsible disclosures of our ethical hackers we prevented what we believe could have been the biggest data breaches in the history of the region: millions of personal data records from leading regional platforms. We also uncovered a zero-day vulnerability allowing remote access to over 80% of the existing biometric locks deployed across corporate offices in the UAE, which may allow the attacker to gain full control over the physical security devices of the premises, up to stealing the logs of employees' attendance with their biometric data 'fingerprints'. The coolest one for our team was a security flaw allowing us to get an unlimited number of items (Cinema Tickets, Shopping list) on multiple platforms for free even though you are required to use your credit card to complete the transaction."
For entities who are looking into cyber security, what's your advice for basic cyber security practices?
"Always have in mind a mapping of the entire data-flow of their platforms and processes. Make sure to understand the digital threats landscape that they are facing. Educate yourself and your team around information security best practices. Look for alternatives in the free software and open source community."
For entities who are looking to step up and improve their cyber security, what's your advice on best practices?
"Cybersecurity starts from the top of the organization and needs to have everyone involved. Take security as a crucial aspect of every decision you make when it comes to technology and architecture choices. Understand that cybersecurity is a non-ending journey, you are never safe. Build an internal infosec knowledge base that will be beneficial to every team and department."