In today's expansive information environment, it can be difficult to separate fact from fiction. Learn and share important facts about CIS and our cybersecurity efforts and help stop inaccurate information from spreading. You can find the facts here.
At CIS, we're one of the few institutions with a more than 20-year track record of sustainability in the cybersecurity industry. Learn all about us in this blog post.
Learn More
The Center for Internet Security (CIS) receives funding through various means, including direct sales of various cybersecurity best practices tools and resources, like CIS SecureSuite Membership and CIS Hardened Images, and cybersecurity services like CIS Endpoint Security Services. CIS also receives funding from various government and non-profit grant programs designed to improve the overall cybersecurity posture of U.S. State, Local, Tribal, and Territorial (SLTT) government organizations. CIS operates the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC) in a cost-share model including federal funding and CIS funds. Information about CIS funding through a Cooperative Agreement with Congressional federal fiscal year 2023 appropriations can be found here (page 57-58 addresses the MS-ISAC).
Generally, the Cybersecurity and Infrastructure Security Agency (CISA) has visibility into certain data that is derived from sensors/services that are funded via the Cooperative Agreement subject to confidentiality obligations. For example, CISA may request and receive the full set of Albert Network Monitoring and Management data only for those Albert deployments funded via the Cooperative Agreement, which represents approximately 20% of the deployed Albert sensor fleet.
Albert: Roughly 80% of deployed Albert sensors are paid for by U.S. state and local governments. For these SLTT-funded sensors, Albert alert data and Albert NetFlow metadata is shared with Federal partners only with the explicit approval of the individual hosting state or local organization.
The deployment of the remaining Albert sensors is funded by Congressional appropriation through the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS- and EI-ISAC) to support cyber defense across the U.S. below the federal level. For these CISA-funded sensors, information shared with federal partners is limited to Albert alert data and Albert NetFlow metadata.
NCSR: For the Nationwide Cybersecurity Review (NCSR), CISA currently sees only anonymized data, such as threat data and self-reported maturity scores by sector. To date, this data is anonymized, so there is no organization-specific information included.
At CIS, we're one of the few institutions with a more than 20-year track record of sustainability in the cybersecurity industry. Learn all about us in this blog post.
Learn More
The Center for Internet Security (CIS) receives funding through various means, including direct sales of various cybersecurity best practices tools and resources, like CIS SecureSuite Membership and CIS Hardened Images, and cybersecurity services like CIS Endpoint Security Services. CIS also receives funding from various government and non-profit grant programs designed to improve the overall cybersecurity posture of U.S. State, Local, Tribal, and Territorial (SLTT) government organizations. CIS operates the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC) in a cost-share model including federal funding and CIS funds. Information about CIS funding through a Cooperative Agreement with Congressional federal fiscal year 2023 appropriations can be found here (page 57-58 addresses the MS-ISAC).
Generally, the Cybersecurity and Infrastructure Security Agency (CISA) has visibility into certain data that is derived from sensors/services that are funded via the Cooperative Agreement subject to confidentiality obligations. For example, CISA may request and receive the full set of Albert Network Monitoring and Management data only for those Albert deployments funded via the Cooperative Agreement, which represents approximately 20% of the deployed Albert sensor fleet.
Albert: Roughly 80% of deployed Albert sensors are paid for by U.S. state and local governments. For these SLTT-funded sensors, Albert alert data and Albert NetFlow metadata is shared with Federal partners only with the explicit approval of the individual hosting state or local organization.
The deployment of the remaining Albert sensors is funded by Congressional appropriation through the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS- and EI-ISAC) to support cyber defense across the U.S. below the federal level. For these CISA-funded sensors, information shared with federal partners is limited to Albert alert data and Albert NetFlow metadata.
NCSR: For the Nationwide Cybersecurity Review (NCSR), CISA currently sees only anonymized data, such as threat data and self-reported maturity scores by sector. To date, this data is anonymized, so there is no organization-specific information included.
Albert Network Monitoring is a secure, highly-effective network security solution custom-built for state and local government organizations. Learn about it in this blog post.
Read moreAn IDS is industry-standard technology for network defense. The National Institute of Standards and Technology (NIS) defines an Intrusion Detection System (IDS) as “a security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.” Also known as a network intrusion detection system (NIDS), an IDS often comes in the form of a piece of hardware, such as a computer or server, or a dedicated appliance.
An IDS sits on a network to watch for malicious or suspicious network activity that it sees. In most cases, it performs this monitoring by utilizing signatures, or pre-defined patterns determined to be malicious. If network traffic matches the pattern, the IDS generates an alert.
An IDS is different from an intrusion prevention system (IPS). The latter can stop traffic; it’s “active.” Meanwhile, an IDS cannot interfere with network activity; it’s “passive.” It’s therefore imperative that whoever receives the alert takes action in some way.
Albert is an intrusion detection system (IDS) based on open-source technology with a particular focus on threats to SLTT/election community organizations. Albert sensors monitor network traffic, to look for matches against a set of “signatures” that indicate the network traffic contains known cyber threats. Albert does not interfere or change the network traffic in any way and cannot inspect the contents of encrypted communications. The process proceeds as follows:
Albert sensors, in combination with a layered “defense in depth” approach to cybersecurity, have proven to be highly effective in protecting against cyber threats, including known ransomware. While no IDS can detect 100% of malicious traffic, this powerful capability detects virtually all known threats that have documented IDS signatures.
As a signature-based IDS, Albert is as effective as the signatures with which it is configured. CIS subscribes to the latest commercially-available signature sets, subsequently deploying those signature sets to Albert. CIS works diligently to also research and develop custom signatures to deploy to Albert that are specifically tuned to the threats that may impact U.S. SLTT government and Election community organizations.
Another factor leading to Albert’s effectiveness is the speed at which the 24x7x365 CIS Security Operations Center (SOC) reviews and notifies monitored organizations of threats the Albert sensor detects. The CIS SOC notifies the monitored organization with an industry-leading average of less than five minutes when the Albert sensor alerts on potential malicious or anomalous activity. This response speed enables cybersecurity defenders to quickly take action to defend their networks and contain threats to reduce the impact of a successful attack.
Albert sensors and associated SOC support are approximately one third the cost of alternative commercial products and monitoring services, and the average alert response time of under five minutes is much quicker than alternative services.
Yes, Albert is a secure, highly-effective network intrusion detection system designed for the public sector. In a 2022 third-party evaluation of Albert by Counter Hack, security testers reported that “the current incarnation of the Albert sensor is, perhaps, the most secure tool we have ever tested.”
Albert can only alert the CIS SOC of any network traffic that triggers one of the signatures deployed to detect malicious or anomalous activity. Albert cannot alter, block, or impede the network traffic of an organization as it is only monitoring a copy of the organization’s network traffic and not the actual network traffic itself.
No, Albert does not communicate with or to any systems – voting or otherwise – within a monitored organization's network environment. Albert monitors a copy of network traffic that the customer configures for delivery to the Albert sensor. It then communicates any suspicious or malicious activity back to the CIS SOC.
Albert sends to customers a Monthly Activity Report (MAR). It contains monthly and Year-to-Date (YTD) metrics for the activity detected and alerted on by the Albert sensor and by the 24x7x365 SOC. Customers may also request other ad-hoc reporting if they're looking for something more specific or that’s tailored to their reporting needs.
CIS is proud to play a role helping election offices understand and defend against cyber threats. Learn about our efforts to support election security in this blog post.
Learn moreThe EI-ISAC® is a community of dedicated election officials and cybersecurity professionals working side by side to ensure the integrity of elections among U.S. State, Local, Tribal, and Territorial (SLTT) governments. The EI-ISAC was created in 2018 to help increase the cybersecurity posture of state and local election officials, as well as improve the security of critical election infrastructure. The EI-ISAC currently consists of more than 3,600 members across all 50 states.
The EI-ISAC provides members with training, tools, and services funded by both Congress and CIS to bolster their security. The EI-ISAC provides members with the latest threat intelligence through its information sharing network and operates a 24x7x365 Security and Operations Center (SOC) to assist election officials in protecting their own environments. These services include cybersecurity best practices and education, security exercises, real-time security threat alerts, network and endpoint security services to monitor network and device-level threats, cyber incident response, and additional services aimed at enhancing the security of their systems.