ObserveIT vs Veriato vs Teramind vs Ekran System: Best ITM Software Comparison
The effectiveness of insider threat management (ITM) software deployment greatly depends on the suitability of this software for your organization. When chosen correctly, it helps you detect and prevent security incidents, while taking a little time to manage and support. The market for ITM solutions is on the rise, so choosing the right one may not be so easy.
To help you analyze the market and make the best choice, we’ve created a detailed comparison of the top four solutions: Erkan System, ObserveIT, Veriato Cerebral, and Teramind software. All of them rely on user session video recording as the main security data format. Take a look at the comparison of Ekran System, ObserveIT, Veriato, and Teramind pricing, licensing, deployment options, and security features in the table below.
Licensing and Pricing
| Feature |
Ekran System®
 |
Proofpoint ITM (former ObserveIT)
 |
Veriato
 |
Teramind
 |
||
|---|---|---|---|---|---|---|
| Licensing and Pricing | ||||||
| Floating endpoint licenses |
|
|
|
|
||
| Free database support |
|
|
|
|
||
| Commercial database support |
|
|
|
|
||
| Non-persistent VDI monitoring |
|
|
|
|
||
| Total cost of ownership |
$ |
$$$ |
$$ |
$$ |
||
There are several popular licensing schemes for insider threat software: per-user, per-session, per-host, a fixed infrastructure fee, and combinations thereof.
The most common licensing schemes for insider threat solutions are based only on the number of hosts, making the pricing transparent and helping you optimize costs. Products with complicated multi-factor licensing may sometimes have hidden costs as well as additional features included by default.
Another useful option is support for floating endpoint licenses, allowing you to reassign licenses between endpoints. This is especially useful if you have a lot of virtual machines to monitor. While Ekran System includes this option for both physical and virtual machines, you’ll find it hard to quickly reassign licenses for ObserveIT and Veriato.
Note that in November 2019, ObserveIT was acquired by Proofpoint, a cybersecurity company. ObserveIT previously operated under a permanent licensing paradigm, but Proofpoint has now changed it to a yearly subscription model. For this reason, many current and potential ObserveIT customers have started looking for ObserveIT competitors and alternatives such as Ekran System.
Ready to replace ObserveIT?
Claim an exclusive offer for ObserveIT customers switching to Ekran System®
Monitored Platforms
| Feature |
Ekran System®
|
Proofpoint ITM (former ObserveIT)
|
Veriato
|
Teramind
|
||
|---|---|---|---|---|---|---|
| Monitored Platforms | ||||||
| Windows XP / Server 2003 |
|
|
|
|
||
| Windows Vista through Windows 10 / Server 2019 |
|
|
|
|
||
| Linux / Unix (Telnet and Console sessions) |
|
|
|
|
||
| X Window sessions |
|
|
|
|
||
Determine what endpoints and platforms you need to surveil when choosing activity monitoring software. Keep in mind that you might need a wider choice of platforms as your company grows.
All the solutions we’ve compared support Windows. Ekran System and ObserveIT also monitor sessions on Linux/Unix systems. Ekran is the only product supporting X Window session monitoring, which allows you to monitor Ubuntu Amazon Linux Workspaces.
Another important challenge is monitoring virtual environments like Citrix, Microsoft Hyper-V, and VMware Horizon. Functionality for monitoring these environments should be identical to that for monitoring physical endpoints. For virtual desktop environments, it’s best to use monitoring solutions that support floating licenses for native endpoints, as virtual machines are created more frequently than physical ones.
As well as floating endpoint licenses, Ekran System delivers a client ready to be added to the golden image and automates license provisioning via the license pool. Whenever any virtual machine instance is shut down, the license is released and returns to the pool. Therefore, to audit VMware or Citrix desktop environments, you only need the number of Ekran System Workstation licenses corresponding to the maximum number of simultaneously active virtual desktops. Also, Ekran System floating licenses support non-persistent VDI session monitoring.
At the same time, Ekran System delivers comprehensive functionality to monitor and audit published application sessions. As for Teramind vs ObserveIT, they both support published application infrastructures.
Deployment & Management
| Feature |
Ekran System®
|
Proofpoint ITM (former ObserveIT)
|
Veriato
|
Teramind
|
||
|---|---|---|---|---|---|---|
| Deployment & Management | ||||||
| Deployment model |
SaaS and on-premises |
SaaS and on-premises |
On-premises |
SaaS and on-premises |
||
| Easy deployment |
|
|
|
|
||
| Remote installation/uninstallation of clients |
|
|
|
|
||
| Management via web console |
|
|
|
|
||
| Centralized endpoint client updates |
|
|
|
|
||
| System health monitoring |
|
|
|
|
||
| Easy on-premises maintenance |
|
|
|
|
||
| Database cleanup |
|
|
|
|
||
| History archiving |
|
|
|
|
||
A Software as a Service (SaaS) solution is fast to deploy and available on any platform and device. Teramind provides its service primarily according to the SaaS model. They also offer user activity monitoring and data loss prevention solutions on the AWS platform according to the Platform as a Service (PaaS) model.
However, on-premises deployment is associated with fewer security risks. On-premises deployment provides these benefits to Ekran System clients:
- A one-time license for Ekran System includes system installation and configuration.
- Ekran can be deployed on a dedicated server or in a client’s personal cloud.
- Cloud storage resources are estimated by the deployment team according to business needs.
- Clients retain complete control over data protection and data access.
- Highly sensitive information remains confidential.
- Ekran ensures compliance with industry and government regulations.
Some reviewers point out that ObserveIT and Veriato are hard to deploy by yourself. You may also face scalability issues with large deployments, as these products impact server performance. Customers of Ekran System, on the other hand, praise the detailed technical documentation and easy deployment process along with the many automated maintenance tasks.
Basic Recording and Incident Response Functionality
| Feature |
Ekran System®
|
Proofpoint ITM (former ObserveIT)
|
Veriato
|
Teramind
|
||
|---|---|---|---|---|---|---|
| Basic Recording and Incident Response Functionality | ||||||
| Video replay of every session |
|
|
|
|
||
| Audio recording |
|
|
|
|
||
| Real-time playback of live sessions |
|
|
|
|
||
| Multi-monitor recording |
|
|
|
|
||
| Real-time alerts |
|
|
|
|
||
| User behavior analytics and risk scoring |
|
|
|
|
||
| Multi-tenancy |
|
|
|
|
||
| Privileged account management |
|
|
|
|
||
| USB device alerting and blocking |
|
|
|
|
||
| Mass storage device control |
|
|
|
|
||
| Kill process on alert / block user on alert |
|
|
|
| ||
| User blocking |
|
|
|
|
||
Recording is a key functionality of any user monitoring software. Almost all employee monitoring solutions are equipped with real-time alerting functionality: the software notifies a security officer if something suspicious is happening. Ekran System and Teramind also allow security officers to kill this activity and block the user and allow for recording audio in addition to the usual video logs.
Storing records requires plenty of disk space or cloud storage space. To use this space effectively, monitoring platforms use various compression techniques. As a worthy Teramind alternative, Ekran System provides two options: to save records with the original screen resolution or compress them. Ekran’s compression algorithms allow for saving the master image and its deltas, thus reducing the amount of required disk space. Additionally, all screenshots are encrypted with a session key and the data structure of records is optimized to ensure fast insertion and deletion of records with any number of active sessions.
ObserveIT divides a user’s screen into nine parts and stores those records independently. This approach allows ObserveIT not to duplicate parts of records. For instance, when user activity is located in one part of the screen, there’s no need to record the rest of it. On the other hand, this system makes it hard to delete, transfer, or archive data because many records may refer to a single screenshot.
As for Teramind vs Veriato, their approaches to storing on-screen records differ a bit. Veriato compresses screen records and stores them in a default format. Teramind saves video streams, compresses them, and changes the screen resolution.
Multi-tenancy is a useful feature for managed service providers who take care of cybersecurity for their clients. It’s also useful for organizations with offices in different locations. The Ekran System multi-tenant deployment mode ensures that several independent tenants can operate in one environment.
Ekran’s alert system includes an Artificial Intelligence (AI) module that detects abnormal user activity and possible account compromise by establishing baseline user behavior and monitoring user behavior in real time. For instance, this module can create a baseline of a user’s work hours and notify a security officer in case of user activity at an abnormal time.
ObserveIT employs user behavior analytics to gather statistics for the main dashboard. It provides a security officer with information on risk scores and user behavior trends over periods of time, but it doesn’t notify of suspicious trends.
When comparing ObserveIT vs Veriato, the last one offers a much wider set of features. It provides you with user behavior analytics and risk scoring functionality to analyze regular user actions, establish a baseline of safe behavior, and notify designated personnel of dubious activity. But keep in mind that Veriato offers this functionality as standalone software that requires an additional license.
Veriato also uses AI to analyze employee correspondence and daily activities for sentiment-based threat detection.
Additional Recording Features
| Feature |
Ekran System®
|
Proofpoint ITM (former ObserveIT)
|
Veriato
|
Teramind
|
||
|---|---|---|---|---|---|---|
| Additional recording features: | ||||||
| Keylogging |
|
|
|
|
||
| Clipboard |
|
|
|
|
||
| Index by active window title |
|
|
|
|
||
| Index by active application name |
|
|
|
|
||
| Host name |
|
|
|
|
||
| User name |
|
|
|
|
||
| Date/time |
|
|
|
|
||
| Visited URLs |
|
|
|
|
||
| IP associated with host |
|
|
|
|
||
| IP of remote desktop |
|
|
|
|
||
| Logging all USB device connections |
|
|
|
|
||
| File activity monitoring |
|
|
|
|
||
| Logging USB mass storage connections |
|
|
|
|
||
| Magnifier option (zoom screenshot regions) |
|
|
|
|
||
In order to thoroughly monitor user activity, you need more than a video of the session. Additional data helps you understand the context and search more effectively. If an insider attack has already happened, this data allows you to investigate the scope of the breach, the tools used, and the parties involved.
Advanced user monitoring solutions like Ekran System perform keylogging, record clipboard contents, and log details of active processes and applications, web activities, and device connections. They also record in-depth network details upon connecting to a host. While differing in the user activity details — and especially in the network connection details — they provide, ObserveIT, Veriato, Ekran System, and Teramind all support file activity monitoring.
Searching, Reporting, and Exporting
| Feature |
Ekran System®
|
Proofpoint ITM (former ObserveIT)
|
Veriato
|
Teramind
|
||
|---|---|---|---|---|---|---|
| Searching, Reporting, and Exporting | ||||||
| Search by metadata |
|
|
|
|
||
| Scheduled and ad-hoc reports |
|
|
|
|
||
| Interactive system dashboards |
|
|
|
|
||
| Save sessions in encrypted format (forensic) |
|
|
|
|
||
| Export screenshots to external formats |
|
|
|
|
||
| Put your company name on reports and notifications |
|
|
|
|
||
Recording lots of metadata is only part of the insider threat prevention process. To effectively prevent threats, you need to be able to search within collected data. It’s hard to find a single event, especially if you don’t know when it happened and your company employs thousands of people. That’s why all top monitoring solutions allow you to search by any recorded parameter.
Accumulated data can also be used for generating reports. Usually, activity monitoring software can create various scheduled and ad-hoc reports. Ekran System allows you to customize emails and reports with your company’s name and logo.
Finally, monitoring information can be used for investigations and forensic activities. Ekran System, ObserveIT, Veriato, and Teramind export recorded data in an encrypted tamper-proof format that may be used for forensic purposes.
Access Management
| Feature |
Ekran System®
|
Proofpoint ITM (former ObserveIT)
|
Veriato
|
Teramind
|
||
|---|---|---|---|---|---|---|
| Access Management | ||||||
| Secondary authentication to identify users of shared accounts |
|
|
|
(cloud-based system) |
||
| Access request functionality |
|
|
|
|
||
| One-time passwords |
|
|
|
|
||
| Multi-factor authentication |
|
|
|
|
||
| Time-based user access restrictions |
|
|
|
|
||
| Privileged account and session management (PASM) |
|
|
|
|
||
| Password sharing |
|
|
|
|
||
Access management functionality controls which users have permission to work with certain data. It’s especially useful when working with privileged users and third-party vendors.
Tools such as secondary and multi-factor authentication allow you to positively identify a person trying to log in to your system. These tools are commonly used to authenticate users of shared profiles such as “admin” and “root.”
In order to protect the most sensitive data, some solutions offer one-time passwords as well as access request and workflow approval capabilities.
Ekran System has the most robust access management functionality among the top insider threat security solutions.
Solution Work and Security
| Feature |
Ekran System®
|
Proofpoint ITM (former ObserveIT)
|
Veriato
|
Teramind
|
||
|---|---|---|---|---|---|---|
| Solution Work and Security | ||||||
| Watchdog mechanism |
|
|
|
|
||
| Driver-level uninstall protection |
|
|
|
|
||
| Centralized endpoint client updates |
|
|
|
|
||
| Audit trail for system users |
|
|
|
|
||
| SIEM system integration |
|
|
|
|
||
| Ticketing system integration |
|
|
|
|
||
Employee monitoring software should be easy to use, protected, and compatible with the other security solutions a company uses. This is especially important for large enterprises that build custom security systems using several compatible solutions.
Recording and storing data requires a lot of disk space. If your company has thousands of employees, you may end up with terabytes of surveillance records each week. An insider attack can go unseen for months, so it’s a common requirement to preserve data for a considerable amount of time. This may be a problem with some solutions, such as Veriato, that use a lot of resources for data storage, thereby impacting server performance.
Ekran System uses highly optimized formats to store session recordings and metadata. It also optimizes bandwidth use.
Integration with SIEM and ticketing systems allows you to exchange data inside your security infrastructure. By combining information from these systems, you can trace not only the details of user actions but the reasons for them. All the monitoring solutions we’ve mentioned integrate with some set of popular SIEM systems, and several also integrate with ticketing systems.
Ekran System® vs competitors
ObserveIT, Veriato, and Teramind are the top user activity monitoring solutions on the market. Let’s consider their functionality compared to Ekran System.
ObserveIT vs competitors and alternatives
ObserveIT has robust recording functionality and logs a lot of metadata in addition to video. It’s equipped with two-layer authentication (credentials and email codes) and secondary authentication for shared logins. Deployment can be somewhat complicated without a product expert.
On the other hand, ObserveIT has limited access management functionality, providing only secondary authentication. Product licensing is a combination of a fixed infrastructure fee and a set of endpoint monitoring licenses. You may have some trouble distributing these licenses between virtual machines, however. Also, it’s impossible to update a client offline.
ObserveIT doesn’t provide automated or manual incident response tools besides a warning message forcing users to acknowledge their actions.
Note that ObserveIT changed to a yearly subscription model after its acquisition by Proofpoint. Since the acquisition, more and more ObserveIT clients have been choosing Ekran System as a worthy Proofpoint alternative.
Bottom line: Ekran System is a proven ObserveIT (or Proofpoint) competitor. It provides the same monitoring and alerting functionality while offering robust identity and access management capabilities, device management, and incident response tools. In addition to recording video, audio, and metadata, Ekran System uses a UEBA module to analyze this data and detect suspicious activity. Coupling these features with granular access and identity management, this all-in-one solution ensures full-cycle insider threat management. Ekran System offers a flexible licensing scheme, with floating endpoint licensing and with licensing for the Standard Edition based only on the number of endpoints.
Learn why top firms are switching from ObserveIT to Ekran System in the video review below:
Veriato Cerebral vs competitors and alternatives
Veriato Cerebral (formerly Veriato 360) is a solution for monitoring Windows and macOS-based endpoints. With a flexible licensing scheme, it’s currently more affordable than ObserveIT.
Veriato provides basic recording functionality with a limited ability to block suspicious activity. What differentiates Veriato from its competitors are a UEBA module and computational linguistic analysis. Veriato identifies disgruntled employees (who are considered potential attackers) by analyzing sentiments in their correspondence and actions. This solution also uses AI to detect indicators of stolen credentials.
With employee monitoring as its main use case, Veriato delivers a number of additional activity-specific reports such as on email monitoring and chat monitoring.
Bottom line: Compared to Veriato, Ekran System supports more platforms (macOS, Linux/Unix, X Window, Citrix, VMware Horizon, Microsoft Hyper-V, and Windows) and is equipped with more robust access control functionality. Ekran System ensures granular access to critical endpoints using tools such as multi-factor authentication, one-time-passwords, and access requests. Also, Ekran employs UEBA to detect suspicious user behavior and prevent insider threats.
Teramind vs competitors and alternatives
Teramind offers two types of deployment: SaaS and on-premises. However, the SaaS model is the most common. As an on-premises solution, Teramind is deployed as a Linux virtual machine. It provides you with tools for native database management, deployment scaling, permission configuration, etc.
Despite considerable recording, alerting, and incident response tools, Teramind doesn’t include identity and access management functionality besides secondary authentication for shared accounts, which is available only for the cloud-based system. Without multi-tenancy and specific scaling capabilities, it may be complicated for managed service providers and those with large infrastructures to deploy Teramind.
Bottom line: Ekran System is one of the worthy Teramind alternatives. It’s more universal than other Teramind competitors because Ekran is a universal and stable on-premises solution that allows you to record not only Windows but also Linux and virtual endpoints. While on-premises software takes more time to deploy than do SaaS solutions, it brings more benefits in the long run.
Ekran provides an incident response toolset in addition to monitoring and recording features. It also includes robust identity and access management functionality and is equipped with must-have features for scaling a deployment from a limited pilot to an extra-large hybrid infrastructure.
Learn why MSPs are switching from Teramind to Ekran System in the video review below:
