What We Recently Assessed about the Albert Network Intrusion Detection System

Much has been published lately on the Albert Intrusion Detection System (IDS) provided through grant money by the federally funded Center for Internet Security, including opinions that it is part of an over-reaching federal data collection operation.

Prince William County does have an Albert sensor system, provided with grant money from the MWCOG. The Memorandum of Agreement calls out undefined and open ended language, ‘election entities’, in its agreements. According to Power,

“Albert compares the captured Netflow data against thousands of known threat signatures and Albert will send a threat alert when there is a match back to CIS’ 24×7 Security Operations Center (SOC) for further analysis.”

The Center for Internet Security (CIS) distributes the Albert system pre-installation questionnaire below to states and localities. A few cyber security specialist who set up networks for a living gave us feedback on this PIQ that is shared in general terms here. They also looked at the Memorandums of Agreement, and information available on the CIS website via this question,

“Whether Albert is place ahead of the firewall or behind it is  possibly an option for each client. There are two graphic representations on the CIS website, https://www.cisecurity.org/services/albert-network-monitoring . There is a question in the lower right corner that is a link to a downloadable image, https://learn.cisecurity.org/Albert-Network-Monitoring-Fact-Sheet . Here, two images exist and data flows appear differently.  As I am told, the Virtual Machine (VM) option  could potentially lead to the installation of the IDS directly onto the firewall, primary router, or virtually anywhere within an enterprise architecture. Wouldn’t using an Albert negate even having a firewall in one or more of these cases?”

The PIQ is below for those interested.

Download File

The responses from the cyber network professionals are summarized below.

1. First response was that CIS is reputable, but there is surprise over there not being a service level agreement (SLA) called out in the MOA saying how quickly the Albert system is required to respond. CIS explains that they only notify if there is a match to their database and if they decide to notify without giving a timeframe. Tools like Artic Wolf have the requirement for time to respond called out in the SLAs. Generally speaking, admin(s) would want to get notified as soon as possible with any sort of security event. IT/Security never sleeps but it comes with the territory.
2. The Albert can be anywhere, before, after, or in the firewall and can be virtual (VM) which is cheaper. 
3. According on one analyst,, “As far as operating as a virtual machine, that’s entirely possible. I have a physical (a virtual machine is an option) that sits on the network and all endpoints (computers, switches, routers, network devices, etc.) all are configured to report to for logging and analysis. If you have a virtualization environment in place in your infrastructure, it could potentially save you some money but having a physical appliance installed is more convenient, from my perspective.”
4. CIS says it receives encrypted data, which is very difficult to decipher. However our analysts say this also depends on how the network is setup. Of course we do not know that part.
5. All analysts say the device gets all network traffic, not just net flow data as CIS claims in the briefings we have found.
6. To reiterate, the ‘traffic monitoring’ they are talking about (including TAP or SPAN) means that this device is intended to see ALL network traffic, which would make it trivial to see inside all the packet captures, and in some circumstances, inside the encrypted packets.
7. As far as where they ‘put it’, the network it has access to could be easily changed by software, exponentially increasing the attack vectors.
8. Network admins can run their own IDS systems (any available) that don’t give backdoor access to unknown actors. Albert sensors actually open up a whole new line of attack vectors, the opposite of security.