Identifying Suspicious Election Network Activity with Albert

Government organizations are frequent targets of cyber-attacks. Quick identification of these threats is critical, but monitoring and understanding your organization’s network traffic can be a serious challenge. Are you aware of what’s going on? Can you quickly identify suspicious activity so you can take action to stop it? Network monitoring through a cost-effective Intrusion Detection System (IDS) like Albert can help you identify threats quickly so you can protect your systems and data.

The information challenge

Wesley Wilcox at Marion County, Florida Elections says his biggest challenge before implementing Albert was information about network activity. He lacked the ability to identify and make sense of activity on his network. Albert changed that:

“Prior to Albert, I had no mechanism for fully analyzing my incoming and (just as importantly) outgoing electronic traffic… I now have a reliable, affordable, and trusted source that inspects ALL of my traffic in both directions.”

A solution for identifying network activity

Wilcox’s first alert from CIS and Albert clued him into network activity that he was not aware of. A copy machine on the agency’s network sent a regular usage report to an outside headquarters. While typical for Wilcox’s organization – they work with multiple partners – it immediately triggered an Albert sensor alert.


“On the surface, it was an unknown device automatically attempting to make contact with an unknown outside entity,” said Wilcox. An investigation by a CIS Security Operations Center (SOC) analyst determined the traffic was benign and legitimate. Wilcox believes this highlights an important point – that it is just as important to monitor and guard the inside of the network perimeter as it is to monitor and guard the outside.

This type of Albert sensor alert is normal, especially early in the adoption of the IDS. It’s part of an initialization period during which the CIS SOC documents typical activity in order to build a customized image of an organization’s normal network activity. This period is crucial to providing visibility into what’s happening across an organization’s network. The need for network visibility is described by CIS Control 6 and CIS Control 12, which explain the maintenance, monitoring, and analysis of audit logs that are managed by many IDS. Albert Network Monitoring provides defense-in-depth by helping organizations develop a clear picture of their network activity while keeping an “always-on” eye out for malicious behavior.

How SLTT-specific threat detection works

Albert is an SLTT-focused IDS that routinely compares network traffic logs to signatures of traffic previously associated with malware.


An IDS is only as good as its signature set. A robust IDS incorporates signatures from multiple verified intelligence sources and updates them often, ensuring the latest threat monitoring. Albert sensors leverage a unique, SLTT-focused signature set developed through years of working with government organizations. Albert’s signatures are updated on a daily basis, providing the latest security monitoring for SLTT government networks.

When a threat is detected and a signature match is found, an alert is sent to the CIS 24×7 SOC. Analysts experienced in SLTT government cybersecurity review an average of 53 terabytes of information per day. An analyst eliminates false positives, and when malicious activity is confirmed, the analyst notifies the affected entity within minutes of detection and provides information about security best practices to help.

A valuable tool for network monitoring

If you’re on the fence about implementing Albert, Wilcox says, “Just do it! This is just another valuable tool in your toolbelt of layered defense.” Albert Network Monitoring is a cost-effective IDS that identifies threats quickly so you can act to protect your organization’s systems and data.