How does Albert work?

Albert is an intrusion detection system (IDS) built on open-source technology with a particular focus on threats to SLTT/election community organizations. Albert sensors monitor network traffic, looking for matches against a set of “signatures” that indicate the traffic contains known cyber threats. Albert does not interfere with or change the network traffic in any way, and it cannot inspect the contents of encrypted communications. The process proceeds as follows:

1. An organization that hosts an Albert sensor selects the network segments to be monitored and configures its network to send a copy of the selected traffic to the Albert IDS sensor for inspection, using what is called a “mirror port” or “network tap.” Because the sensor sits alongside the production path rather than in it, normal network traffic and speeds are unaffected by Albert.
2. CIS deploys roughly 25,000 daily threat “signatures,” based on current cyber threat intelligence and reported cyber incidents, to all Albert sensors to assist in identifying known malicious and anomalous activity.
3. If an Albert sensor detects a match to a known threat signature in network traffic, an alert is sent to the CIS Security Operations Center (SOC) for analysis.
4. Cybersecurity experts at the CIS SOC analyze the Albert alert and escalate it to the SLTT/election community partner if it is determined to be a credible threat. Escalated alerts are communicated in an average of less than five minutes. The SLTT/election community partner can then decide how they want to handle the alert. As a passive IDS, Albert can take no responsive action against the threats it detects.
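As an added illustration of the passive, signature-matching flow described above (example code written for this page, not Albert's own software or signature format; the simplified rule syntax, packet model and sample traffic are all assumed or constructed), the sketch below matches signatures against read-only packet copies, emits alerts rather than acting on traffic, and shows why an encrypted payload yields no content match:

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical simplified signature (assumed format for illustration, not Albert's real
# rule syntax): a protocol, an optional destination port, and byte patterns that must all appear.
@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    proto: str
    dst_port: Optional[int]
    contents: tuple

# A packet as delivered by a mirror port or tap: a read-only copy, so the sensor
# observes it but cannot alter or delay what the production network forwards.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int
    payload: bytes

def matches(sig: Signature, pkt: Packet) -> bool:
    if sig.proto != pkt.proto:
        return False
    if sig.dst_port is not None and sig.dst_port != pkt.dst_port:
        return False
    # Content matching works on the bytes actually on the wire; an encrypted
    # payload is opaque, so the same request carried inside TLS cannot match.
    return all(c in pkt.payload for c in sig.contents)

def inspect(sigs: Iterable[Signature], mirrored: Iterable[Packet]) -> list:
    """Passive inspection: returns (sid, msg, src, dst) alerts for the SOC; takes no action on traffic."""
    sigs = list(sigs)
    return [(s.sid, s.msg, p.src, p.dst) for p in mirrored for s in sigs if matches(s, p)]

# Constructed sample signature and traffic (not real indicators).
BAD_UA = b"User-Agent: ExampleBadUA/1.0"
SIGNATURES = [Signature(1000001, "constructed example: known-bad user agent", "tcp", None, (BAD_UA,))]
PLAIN_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n" + BAD_UA + b"\r\n\r\n"
PACKETS = [
    Packet("10.0.0.5", "198.51.100.7", "tcp", 80, PLAIN_REQUEST),
    Packet("10.0.0.6", "198.51.100.7", "tcp", 80,
           b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    # The same request over TLS: only ciphertext is visible on the tap (stand-in here:
    # XOR scrambling), so the content signature does not fire on it.
    Packet("10.0.0.5", "198.51.100.7", "tcp", 443, bytes(b ^ 0x5A for b in PLAIN_REQUEST)),
]
```

Running `inspect(SIGNATURES, PACKETS)` yields exactly one alert, for the plaintext request from 10.0.0.5; the benign request and the encrypted copy produce none.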