Network Monitoring and Intrusion Detection#
Intrusion Detection Systems (IDSs) monitor network traffic traveling into and out of networks for malicious activity. These sensors passively monitor network data traffic but do not block traffic and cannot directly affect a member network or change the actual data traversing the network. Other technologies, called Intrusion Prevention Systems (IPSs), can also block traffic that the sensors deem a threat.
IDSs monitor traffic as it flows across a network to look for matches against a set of threat signatures. If a match is found, an alert is sent for analysis and, if warranted, further action. In this way, an IDS can provide protection against both traditional and advanced network threats by helping organizations identify malicious activity.
The EI-ISAC offers an IDS called Albert to election offices. Albert sensors reside on the local network, providing security alerts for cyber threats, helping organizations identify malicious cyber activity. The sensor passively monitors network data traffic; it does not block traffic and cannot negatively affect a member network or read or change the actual data traversing the network.
Under this service, the EI-ISAC receives any alerts, analyzes them, and works with your office to take any recommended action. The EI-ISAC can also be used to analyze historical data to retroactively search for malicious activity. While the Albert sensor is optimized for use in the state, local, tribal, and territorial governments, commercial IDS and IPS systems are also available.
For Network Monitoring and Intrusion Detection, the necessary actions vary by maturity as detailed below.
Level 1 Maturity#
We don’t recommend investing in an IDS at the Level 1 maturity.
While it can provide protection in any network environment, there are more fundamental steps to take, as described in the best practice prioritization for Level 1.
Level 2 and Level 3 Maturities#
Mapping to CIS Controls and Safeguards#
13.3: Deploy a Network Intrusion Detection Solution
13.4: Perform Traffic Filtering Between Network Segments
13.8: Deploy a Network Intrusion Prevention Solution
Mapping to CIS Handbook Best Practices#