PolySwarm Adviser — Stephen Gill

Stephen Gill is one of PolySwarm’s advisers and the Co-founder, Fellow, and Chief Scientist of Team Cymru, an intelligence company whose technology has scaled to help millions of users, many Tier 1 ISPs, NSPs, and governments in the fight against cyber crime worldwide. He has over 20 years of experience in cybersecurity at multiple companies, including Cisco and IBM.

Stephen Gill brings to the project his industry expertise, business acumen and connections to help scale PolySwarm’s marketplace and shape the product offering.

We sat down with him and asked him a few questions to better understand his take on PolySwarm’s edge. Enjoy!

Q: How did you find out about PolySwarm and what interested you about it?

A: I learned about PolySwarm after their ICO and thought it was unique that they were building on a decentralized model of threat intel sharing and distribution. Since I had personally developed an in-house Antivirus aggregation system with over 36 engines many years ago, I thought it would be interesting to see how I might be able to lend a hand.

Q: What key industry problems is PolySwarm addressing within the cyber security space?

A: PolySwarm is aiming to make access to quality threat intelligence more economical, accurate, and complete. In the first phase they are tackling Antivirus results and aiming to increase the adoption of micro-engines, which are specialized in their own smaller areas of focus, through a prediction market. In the simplest case, traditional Antivirus aggregation networks suffer from several problems including:

Circular Logic and Copycats — once one engine tags something as bad, it’s natural for others to quickly want to follow suit in order not to appear to be falling behind. This increases the potential for false positives when the actual truth may just be that the few engines got it wrong in the first place.

Threat Horizon — traditionally every engine is required to weigh in on every artifact, and this may not be ideal, especially when certain engines may be better than others in specific areas. With the micro-engine model, PolySwarm aims to allow developers, security researchers, and vendors to build engines that have a targeted but very precise domain of expertise, thereby increasing the effectiveness. The aim is quality over quantity.

False Security — several vendors are often simply mirrors of each other, where one major engine is actually white-labelled by several others. When one detection is flagged, all the others will flag at the same time, thereby giving the appearance of a broader base of detections. In reality, they all stem from a single source. This is not an effective way to measure detection scope and can lead to a false sense of accuracy.

Infrastructure Limitations — when running engine detection centrally, it means all systems must usually conform to a certain box or standard. This means that the native engine may not be performing in its ideal environment, or worse, be restricted from entering the milieu in the first place. PolySwarm is building the network in a decentralized manner such that all participants can have full access and control over their native runtime environments which are making predictions in the marketplace, thereby giving maximum flexibility and also allowing for greater protection of intellectual property.
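As an added illustration of the "false security" and copycat points above (this is example code written for this page, not code from PolySwarm, Team Cymru or the interview), the sketch below collapses white-labelled engines into their underlying source before counting detections, and flags engine pairs whose verdicts agree on every sampled artifact as candidate mirrors worth de-duplicating. The engine names, verdicts and white-label mapping are constructed assumptions, not real vendors.

```python
from itertools import combinations

# Constructed sample: per-artifact verdicts from five hypothetical engines
# (True = flagged as malicious). Names and values are made up for illustration.
VERDICTS = {
    "art-1": {"alpha": True,  "beta": True,  "gamma": True,  "delta": False, "epsilon": True},
    "art-2": {"alpha": True,  "beta": True,  "gamma": True,  "delta": False, "epsilon": False},
    "art-3": {"alpha": False, "beta": False, "gamma": False, "delta": True,  "epsilon": False},
    "art-4": {"alpha": True,  "beta": True,  "gamma": True,  "delta": True,  "epsilon": True},
}

# Assumed white-label relationships: engine -> the source engine it re-badges.
WHITE_LABEL = {"beta": "alpha", "gamma": "alpha"}


def source_of(engine):
    """Map an engine to the underlying detection source (itself if not white-labelled)."""
    return WHITE_LABEL.get(engine, engine)


def naive_count(artifact_verdicts):
    """The 'X of N engines flagged this' number an aggregator typically shows."""
    return sum(1 for hit in artifact_verdicts.values() if hit)


def independent_count(artifact_verdicts):
    """Detections counted once per underlying source, so mirrors do not inflate scope."""
    return len({source_of(e) for e, hit in artifact_verdicts.items() if hit})


def mirror_candidates(verdicts, min_artifacts=3):
    """Engine pairs that agree on every sampled artifact: likely mirrors or copycats.

    A small sample can agree by chance, so require a minimum number of artifacts
    before reporting anything; the threshold is an arbitrary assumption here.
    """
    artifacts = list(verdicts)
    if len(artifacts) < min_artifacts:
        return []
    engines = sorted({e for v in verdicts.values() for e in v})
    return [
        (a, b)
        for a, b in combinations(engines, 2)
        if all(verdicts[x].get(a) == verdicts[x].get(b) for x in artifacts)
    ]


if __name__ == "__main__":
    for name, v in VERDICTS.items():
        print(f"{name}: naive {naive_count(v)}/{len(v)}, independent sources {independent_count(v)}")
    print("mirror candidates:", mirror_candidates(VERDICTS))
```

On the constructed data, art-2 shows three flags naively but only one independent source, which is exactly the overstatement the answer describes.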