Albert Network Monitoring and Management FAQ



What is Albert Network Monitoring and Management?

The Center for Internet Security (CIS) offers network security monitoring and management services through a solution referred to as Albert. This service is available to U.S. State, Local, Tribal, and Territorial governments, including elections, public education, and critical infrastructure entities. Albert can be used to monitor many types of traffic including networks with user workstations, web servers, or those hosting voter registration databases.


What environments does Albert work within?

Albert Network Monitoring and Management is available for on-premises environments.


How does Albert work?

Albert is an Intrusion Detection System (IDS) that compares inspected network traffic against tens of thousands of threat signatures. Albert’s signatures include commercial, open-source, and custom signatures developed using recently declassified signatures accessed through our federal partners, our CERT forensic cases, and member-submitted and third-party threat data. Albert compares network traffic logs to these signatures, which detect known malicious activity. When a match is found, analysts in the CIS 24×7 Security Operations Center (SOC) review it for malicious activity and alert the customer to any valid threats.

The basic lifecycle of an Albert event is as follows:


What services are provided with Albert Monitoring and Management?

  • 24×7 network monitoring from the CIS SOC (U.S.-based)
  • Alerts about potentially malicious activity
  • Monthly activity summary reports



What are my network monitoring options?

Albert can monitor on-premises networks.


How much does Network Monitoring and Management cost?

Pricing is based on average Internet connection utilization. A one-time initiation fee per sensor applies. To find out more about network security monitoring, contact us today at [email protected].


What other data is collected?

In addition to alert data about the signatures firing, we collect data about the traffic, not what’s in the traffic. This data is called NetFlow. NetFlow is only collected for on-premises sensors and is not available for Cloud. NetFlow data includes:

  • Source IP
  • Destination IP
  • Source port
  • Destination port
  • TCP flags
  • Number of bytes of traffic sent and received
  • Timestamp information (start, end, and duration of connection)


What hardware do I need?

The on-premises Albert service can be supplied as a turnkey solution or can use physical or virtual commodity hardware to provide a robust offering at a low cost. We recommend supplying an Albert sensor with network traffic by way of a network tap or data aggregator if your infrastructure already supports these options. For smaller (<1Gb) networks, a SPAN port off a router or switch will work well. Please contact CIS Services for assistance with sizing your hardware.


What are the Albert Cloud Requirements?

Albert Cloud is not available at this time.


Who manages the sensor?

Monitoring, as well as full management of the sensor, is handled by the CIS SOC. This includes maintaining the operating system, IDS engine, NetFlow tools, and signature sets. CIS will work with your organization to make signature modifications upon request as well as collaborate to write custom signatures to detect specific types of malicious activity on your network.