Tuesday, March 08, 2022 at 06:30 p.m.

New cybersecurity solution to adapt controls to real risk

The Cyber Security Cluster research team has launched a solution that allows the security controls an organization applies to be adapted to the real risk it faces at any given time.

Abel Verard / Irene Vega

Cybersecurity aims to protect assets against threats. The security controls that protect these assets are often too rigid or too lax for domains that are complex, heterogeneous, or subject to high uncertainty. For this reason, the URJC's Cyber Security Cluster team has proposed a model called RiAS (Risk-based Adaptive Security), which adapts the security controls an organization applies to the real risk it faces at any given time.

With this solution, protections are adapted in real time to the risk the organization runs or is willing to run. According to researcher Marta Beltrán, "the idea is to have dynamic protections or countermeasures, which can be dynamically reconfigured if the context changes and if the control itself or the asset it protects varies." The adaptation can also depend on the risk the organization itself wants to assume.

Three-layer architecture

To achieve this type of adaptation, a three-layer solution is proposed. The first layer is the measurement layer, which collects data on the context of the control, on the control itself, and on the asset it protects. The second layer is the decision layer, which uses all this data to decide whether the control needs to be adapted or should remain as it is. To drive these decisions, security administrators express their requirements and goals in simple semantics through Rules and Policies. In this way, decisions are automated and require hardly any intervention from human operators.

Finally, the third layer is the adaptation layer, which allows the control to be modified if it has been decided that an adaptation is necessary. This modification may imply a change in the location of the control, in its configuration, in its use, etc.

The RiAS model has been validated in a use case in which the configuration of a web content filter (WAF) protecting a video streaming application is adapted automatically. The results, published in the high-impact scientific journal Computers & Security, indicate, according to the researcher herself, that the proposed solution “can be used practically with any control and in any type of context, since it is defined in a general way and not for a specific type of control”.
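The measurement, decision and adaptation loop described above can be sketched for the WAF use case as follows. This is an added example, not code from the RiAS paper or the research team; the metric names, the risk formula, the thresholds and the WAF settings are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical names and thresholds throughout; nothing here is RiAS's own.

@dataclass(frozen=True)
class Measurement:            # output of the measurement layer
    attack_rate: float        # context: suspicious requests per 1000
    waf_cpu: float            # the control itself: load, 0..1
    asset_value: float        # the asset: criticality of the stream, 0..1

@dataclass(frozen=True)
class WafConfig:
    mode: str                 # "monitor" or "block"
    ruleset: str              # "core" or "extended"

def risk_score(m: Measurement) -> float:
    """Constructed metric: likelihood (from context) times impact (asset)."""
    likelihood = min(m.attack_rate / 50.0, 1.0)
    return round(likelihood * m.asset_value, 3)

def decide(m: Measurement, risk_appetite: float, current: WafConfig) -> WafConfig:
    """Decision layer: policy rules evaluated in order, first match wins."""
    risk = risk_score(m)
    if risk > risk_appetite and m.waf_cpu < 0.9:
        return WafConfig("block", "extended")
    if risk > risk_appetite:
        # The control is saturated: enforce, but with the cheaper ruleset.
        return WafConfig("block", "core")
    if risk < risk_appetite / 2:
        return WafConfig("monitor", "core")
    return current            # inside the tolerance band: leave the control alone

def adapt(current: WafConfig, target: WafConfig, log: list) -> WafConfig:
    """Adaptation layer: reconfigure only when the decision differs."""
    if target != current:
        log.append(f"{current.mode}/{current.ruleset} -> {target.mode}/{target.ruleset}")
    return target

def run(samples, risk_appetite: float):
    cfg, log = WafConfig("monitor", "core"), []
    for m in samples:
        cfg = adapt(cfg, decide(m, risk_appetite, cfg), log)
    return cfg, log

# Constructed telemetry: quiet period, attack, attack with saturated WAF, decay, quiet.
SAMPLES = [Measurement(2, 0.2, 0.5), Measurement(40, 0.5, 0.9),
           Measurement(45, 0.95, 0.9), Measurement(12, 0.3, 0.9),
           Measurement(1, 0.1, 0.9)]

if __name__ == "__main__":
    for appetite in (0.3, 0.8):
        print(appetite, run(SAMPLES, appetite))
```

Running the same telemetry with two different risk appetites shows that the risk the organization is willing to assume, and not only the measured context, determines when the control is reconfigured.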


Illustration of the proposed architecture for RiAS