Albert is a unique network monitoring solution that provides automated alerts on both traditional and advanced network threats, allowing organizations to respond quickly when their data may be at risk. Albert utilizes open source software – running on commodity hardware – that results in a very cost-effective IDS monitoring solution with a unique, SLTT-focused signature set. Combined with our in-depth review conducted by expert analysts through CIS’ 24x7 Security Operations Center, Albert is a fully monitored and managed service that’s both personal and customizable.
How does Albert work?
Albert leverages Suricata's high-performance IDS (Intrusion Detection System) engine to accurately identify and report malicious activity. It monitors raw network packets and converts data into a netflow format for efficient storage and analysis.
The MS-ISAC analyzes netflow by comparing activity to statistical models developed in-house, allowing us to pinpoint deviations from healthy network activity. CIS maintains thousands of signatures, including commercial, open-source, and Advanced Persistent Threat (APT) indicators, as well as signatures developed in-house by our Computer Emergency Response Team (CERT). For every 24 hours of data transmitted and received by Albert sensors, our analysts manually review anomalies for malicious activity or data exfiltration, and notify you if there are any concerns.
Signature fires > Alert generated & sent to CIS > Analysis conducted in 24x7 SOC > Event notification sent
Where does the data live?
With Albert, no logs or data reside on the sensor. All of your organization's data is compressed, encrypted, and sent to the MS-ISAC every two minutes for analysis.
Additionally, data is compressed and stored for 5 months at a time per each sensor deployed through Albert. This allows us to review previous network activity and search for specific threats or activity related to newly-released signatures, providing a distinct advantage over traditional security network monitoring services.
Alerts, Reporting, & Management
After a SOC analyst has verified an alert as legitimate, the MS-ISAC sends out an event notification which includes:
- which system(s) are affected
- the identified issue
- mitigation recommendations
- traffic associated with the event
Our 24x7 SOC is always on hand to answer questions or query netflow data. We also provide organizations a monthly activity report for each sensor deployed through Albert, providing details for actionable alerts a review of the volume of traffic monitored.
CIS manages all sensors deployed through Albert, including updates to the operating system, engine, netflow tools, and signature sets. Signatures are updated twice daily to ensure the latest security monitoring is being provided.
To learn more about deploying Albert in your organization, complete this short form or contact us directly at firstname.lastname@example.org.