Skip to main content

Request SaaS Deployment

Contact Sales

Ekran System® vs One Identity vs
Wallix Bastion vs Proofpoint

Internal security breaches and user-based threats are hot topics in the industry, and not only large enterprises are targets: small and medium-sized businesses (SMBs), educational institutions, and government organizations are equally vulnerable.

In this comparison, we look at four user activity monitoring solutions – our own Ekran System vs One Identity vs Proofpoint vs Wallix Bastion.

Our goal is to help you better understand the differences among these solutions and determine which best meets your organization’s needs.

Product review: Summary

Ekran System is recommended for SMBs and large enterprises looking for a stable and easy-to-deploy solution with core monitoring, PAM, and identity management functionality.

Proofpoint is an option for mid-sized and large enterprises looking for broader integration and more sophisticated alerting functionality.

Wallix Bastion is suitable for controlling and managing privileged accounts, and is recommended for SMBs and enterprises.

Large enterprises that have a number of critical endpoints and high access management requirements – and that are looking for a solution with detailed activity and data transfer controls as well as automated blocking features – might choose One Identity or Wallix Bastion.

Note

Balabit has been acquired by One Identity and has been renamed to One Identity Safeguard for PSM
All information below about Balabit Shell Control Box applies to One Identity Safeguard for PSM.
Proofpoint has been acquired by Proofpoint. The company has announced changes in Proofpoint pricing and future integration with other Proofpoint products.

Market and Focus Overview


Description

Insider threat protection platform

Enterprise insider threat detection software

Monitoring solution that controls privileged access to remote IT systems

Focus on privileged access management and privileged user monitoring

Target audience

Businesses of all sizes

Large enterprises across a range of industries

Large enterprises with high privileged access security requirements

Businesses of all sizes

Deployment

  • Agent-based deployment (Windows agents can be installed remotely)
  • Jump server deployment
  • Optimized for virtual environments
  • Multi-tenant mode
  • Agent-based deployment
  • Jump server deployment
  • Bastion host deployment (possibility to set privileged session management on a virtual appliance)
  • Transparent mode
  • Bastion host deployment
  • Web-based client
  • Physical or virtual appliance

Maintenance

  • Manual control panel updates
  • Automatic client updates (online and offline)
  • 24/7 support

Manual control panel updates

Manual firmware updates

Manual firmware updates

Price (based on average deployment cost)

$

$$$

$$$$

$$$$

Licensing

  • Based on number of monitored endpoints
  • Several licensing tiers

Base fee for control component in addition to fee based on number of monitored endpoints (to be changed to a subscription by Proofpoint)

Based on number of appliances purchased (inflexible)

  • Based on number of appliances purchased (inflexible)
  • Several licensing tiers

Format


All four solutions incorporate video recordings of user sessions as part of their main functionality and provide session search tools and a web-based interface for Youtube-like playback. Ekran System also records audio input and output streams on each endpoint.

All four tools provide tamper-proof audit trails with parameterized episode search through sessions as well as alerted event marks.

Focus


Monitoring

Access

  • Password manager
  • One-time passwords
  • Multi-factor authentication
  • Secondary authentication
  • Manual login approval
  • Time-based restrictions for user access
  • Ticketing systems integration

The One Identity Safeguard for PSM and the Wallix Bastion Suite focus on privileged access management and access control. These solutions put less focus on monitoring, viewing it as a supplementary feature. As a result, they have fewer capabilities for insider threat investigation but provide certain additional protections from outsider attacks.

Proofpoint has the most modest access management toolset of these four solutions, providing only secondary authentication.

Architectures


These solutions use different architectural models: Proofpoint and Ekran System are agent-based software, whereas One Identity and Wallix Bastion are gateway-based solutions, delivered as hardware or a virtual appliance.

Gateway-based solutions are easier to deploy and maintain but have some limitations when gathering metadata and eventually become a bottleneck in the network of a big organization.

Agent-based solutions, on the other hand, provide more versatility. Under a regular deployment, they can gather more detailed metadata, which is critical especially when monitoring Linux Telnet SSH sessions.

Agent-based software


Gateway-based


Agent-based software can also be deployed using a gateway-based scheme where a monitoring agent is installed on a single jump server and monitors all connections routed through that server, thus mimicking One Identity or Wallix Bastion.

Jump server deployment slightly limits monitoring capabilities compared to deploying agents on every target endpoint but is more versatile and affordable than Wallix Bastion or One Identity licensing.

Another advantage of agent-based solutions is that when the network connection is lost, an agent can keep recording data locally and send it to the server later.

In addition, there’s a multi-tenant mode in Ekran System, which allows multiple strongly isolated tenants to operate in one Ekran System environment. The data of each tenant including monitored data, user credentials, client names, and system configuration. is private and not accessible to other tenants.

Access an Ekran System® demo now!

Clients from 70+ countries already use Ekran System

Target Customers and Pricing


One Identity and Proofpoint target large enterprises, while Ekran System and Wallix Bastion target both the large enterprise and SMB markets. But while the Wallix Bastion SMB package includes a limited toolset, Ekran System provides monitoring, alerting, incident response, and reporting functionalities in all editions. This difference is reflected in the pricing and licensing models.

One Identity pricing

Wallix Bastion pricing

Proofpoint has the most modest access management toolset of these four solutions, providing only secondary authentication.

Proofpoint pricing

Also, Proofpoint (the company that recently acquired Proofpoint) plans to change the Proofpoint pricing model from a perpetual license to a subscription.

Ekran System pricing

Standard

With the Standard licensing scheme, pricing fully depends on the number of deployed agents, making this solution cost-effective for small and medium-sized companies. At the same time, Standard licensing provides a user with all the necessary tools for insider threat protection.

Enterprise

Ekran System also has a separate licensing model for jump server deployments.

Both the Standard and Enterprise licensing schemes provide floating licensing. This means licenses can easily be reassigned to another endpoint, whether real or virtual.

Feature and Usage Scenario Overview


Monitoring

  • User session recording
  • Video recorded in a custom format
  • Audio recording
  • Full metadata recording
  • Search by metadata
  • User session recording
  • Video recorded in a custom format
  • Full metadata recording
  • Search by metadata
  • Email monitoring
  • User session recording
  • Video recorded in a custom format
  • Limited metadata recording
  • Search by metadata
  • User session recording
  • Video recorded in Flash format (for GUI sessions) or text format (for SSH sessions)
  • Optical character recognition for text-based search

Alerting

  • Real-time alerts
  • Custom alerts
  • Predefined alerts
  • Live session view
  • Forced user messaging
  • Automatic and manual user blocking
  • Automatic application kill
  • Automatic USB device blocking
  • User behavior analytics
  • Real-time alerts
  • Custom alerts
  • Rule-based behavior analysis
  • Live session view
  • Forced user messaging
  • Manual session blocking
  • Alerting on connecting a USB storage device or mobile phone
  • User behavior analytics
  • Real-time alerts or session termination
  • Custom alerts
  • Live session view
  • Possibility to add user behavior analysis with Blindspotter
  • Rule-based behavior analysis
  • User behavior analytics (requires an additional license)
  • Real-time alerts
  • Custom alerts
  • Live session view
  • Automatic session blocking
  • Threat analytics

Access management

  • Additional authentication for identifying shared accounts
  • Two-factor authentication
  • One-time passwords
  • Privileged account and session management (PASM)
  • Manual approval of USB device connections
  • Password management
  • Additional authentication for identifying shared accounts
  • Second layer of authentication
  • Password vault and password management
  • Additional authentication options
  • Access permission management
  • Two-factor authentication
  • Password vault and password management
  • Additional authentication options
  • Access permission management
  • Two-factor authentication

Integration

  • Active Directory integration
  • SIEM integration
  • Ticketing systems integration
  • Active Directory integration
  • SIEM integration
  • Ticketing systems integration
  • Active Directory integration
  • SIEM integration
  • Integration with other third-party solutions
  • Ticketing systems integration
  • Active Directory integration
  • SIEM integration
  • Integration with other third-party solutions

Other

  • Customized reporting
  • Forensic export
  • Records protected from tampering
  • Multi-tenancy support
  • Driver-level uninstall protection
  • Stability and highly optimized performance
  • Master Panel
  • Anonymization of user data
  • Customized reporting
  • Forensic export
  • Records protected from tampering
  • Anonymization of user data
  • Customized reporting
  • Forensic export
  • Records protected from tampering
  • Customized reporting
  • Forensic export
  • Records protected from tampering

Licensing

  • Based on number of monitored endpoints
  • Several licensing tiers

Base fee for control component in addition to fee based on number of monitored endpoints (to be changed to a subscription by Proofpoint)

Based on number of appliances purchased (inflexible)

  • Based on number of appliances purchased (inflexible)
  • Several licensing tiers

User Action Monitoring


The difference in architecture and focus of these four solutions determines the differences in how they approach user activity monitoring.

Ekran System vs Proofpoint

Ekran System and Proofpoint provide much more robust monitoring functionality, using indexed video formats to record everything a user sees on the screen during a particular session as well as all additional metadata for indexing, including:

  • names of opened applications and visited websites
  • names of active windows
  • keystrokes

In addition, Ekran records audio input and output on user endpoints.

Both Ekran System and Proofpoint feature various filters that allow you to start and stop recording at specific times or based on specific events and filter the information that’s recorded.

These two monitoring solutions employ a user behavior analytics module to detect suspicious user actions. In this way, Proofpoint gathers information for its main dashboard. Ekran System provides a machine learning algorithm that establishes baseline user behavior to detect abnormal user activity and notify security personnel about it.Both Ekran System and Proofpoint feature various filters that allow you to start and stop recording at specific times or based on specific events and filter the information that’s recorded.

Wallix Bastion vs One Identity

One Identity’s approach is less effective than actual metadata recording, as it provides both a less robust search feature and a less detailed audit trail.

Access Management


Secondary authentication

One-time password

Administrator’s approval on login

Privileged user accounts and session management (PASM)

Password management

Integration with various third-party password management tools

Multi-factor authentication solutions

Secondary authentication

One-time password

Administrator’s approval on login

Privileged user accounts and session management (PASM)

Password management

Integration with various third-party password management tools

Multi-factor authentication solutions

Secondary authentication

One-time password

Administrator’s approval on login

Privileged user accounts and session management (PASM)

Password management

Integration with various third-party password management tools

Multi-factor authentication solutions

Secondary authentication

One-time password

Administrator’s approval on login

Privileged user accounts and session management (PASM)

Password management

Integration with various third-party password management tools

Multi-factor authentication solutions

  • One-time password functionality that allows system administrators to manually approve logins by providing a set of one-time use credentials
  • Manual login approvals to secure the most critical assets
  • A password manager to implement the principle of least privilege
  • Privileged account and session management for granular remote access

Proofpoint does provide an additional layer of authentication, requesting not only user credentials but also confirmation via a code sent to the email address associated with the user. Nevertheless, both layers rely on the knowledge factor, so this scheme can’t be considered the best standard of multi-factor authentication.

Ekran System’s multi-factor authentication, on the other hand, requires credentials and a user’s mobile phone. Using two different factors (knowledge and possession), this solution ensures a truly reliable authentication procedure.

Also, Ekran System allows you to manage secrets such as Windows admin passwords, Active Directory secrets, and SSH/Telnet keys (for UNIX environments). The included password manager helps you secure the creation, storage, delivery, and rotation of credentials.

One Identity has a slight edge on Wallix Bastion in that it allows for deployment in transparent mode, making the appliance invisible to users that connect through it.

Incident Response Functionality


All four tools deliver customizable alerts on potentially malicious actions, and in addition to notifying security personnel, they also provide the following incident response tools:

  • Ekran System allows real-time session review and manual user blocking with session termination and subsequent login blocking. It also has a built-in alert system with a range of automated responses such as user blocking and application killing.
  • Proofpoint has a comprehensive rule-based alert system that can force users to acknowledge their actions by showing a blocking message with a custom security message. A session continues after a user reads the message and provides feedback. 
  • Balabit Shell Control Box allows automated session termination.
  • Wallix Bastion also allows automated session termination, similar to One Identity.

Let’s get the conversation started

Contact our team to learn how our insider risk management software can safeguard your organization’s data from any risks caused by human factors. Book a call with us at a time that suits you best, and let’s explore how we can help you achieve your security goals.