The Center for Internet Security’s newly established Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) plans to deploy intrusion detection sensors to voter registration websites for all 50 states by the 2018 midterm elections, an official told GCN. The intrusion detection sensors are called Albert sensors, and CIS has been using them on the state and local level since 2010, according to CIS Vice President of Operations Brian Calkin. The open-source Albert sensors provide automated alerts on both traditional and advanced network threats. Albert grew out of a Department of Homeland Security’s Einstein project, which focuses on detecting and blocking cyberattacks within federal agencies. DHS approached CIS about creating similar capability for states and localities, but since the Einstein name was taken, CIS called it Albert instead.
The first version looked only at NetFlow data, or the IP network traffic, which provides high-level insights. It shows which IP addresses communicate with each other and the amount of data sent between systems, but not what was transmitted, Calkin said.
“You can almost think of it as looking at your phone bill,” he said. “You know that you and I had a conversation, you see my number and your phone number, but you don’t actually know what transpired in the half an hour that we spoke,” he said. “NetFlow is very similar.”
Albert ran on NetFlow data for four years until CIS decided “the data wasn’t rich enough to get really solid hits on malicious threats,” Calkin said. In 2014, CIS added full intrusion detection capabilities using Suricata’s high-performance intrusion detection engine, which allowed the sensors to run the traffic against a library of about 25,000 malware signatures. New signatures are pushed out to all of the Albert sensors every 12 hours, Calkin said.