Enterprise Cybersecurity Insider Threat Software Comparison

 

To help you better understand how Ekran System® compares to alternatives on the market, we’ve created a detailed comparison of user activity monitoring software. In particular, we’ve compared tools that rely on user session video recording as the main security data format. In addition to general information, you can find a feature-by-feature competitor comparison in the table below.

Licensing and Pricing

| Feature | Ekran System® | ObserveIT (Proofpoint) | Veriato Cerebral (formerly Spector 360) | Teramind |
|---|---|---|---|---|
| Floating endpoint licenses | Yes | No | No | No |
| Free database support | Yes | No | No | Yes |
| Commercial database support | Yes | Yes | Yes | No |
| Non-persistent VDI monitoring | Yes | No | No | No |
| Total cost of ownership | $ | $$$ | $$ | $$ |

 

There are several popular licensing schemes for insider threat software: per-user, per-session, per-host, a fixed infrastructure fee, and combinations thereof. 

 

The most common licensing schemes for insider threat solutions are based only on the number of hosts, making the pricing transparent and helping you optimize costs. Products with complicated multi-factor licensing may sometimes have hidden costs as well as additional features included by default.

 

Another useful option is support for floating endpoint licenses, allowing you to reassign licenses between endpoints. This is especially useful if you have a lot of virtual machines to monitor. While Ekran System includes this option for both physical and virtual machines, you’ll find it hard to quickly reassign licenses for ObserveIT and Veriato.

 

Note that in November 2019, ObserveIT was acquired by Proofpoint, a cybersecurity company. ObserveIT has operated under a permanent licensing paradigm, but Proofpoint has already changed it to a yearly subscription model. For this reason, many current and potential ObserveIT customers have started looking for ObserveIT competitors and alternatives such as Ekran System.

Monitored Platforms

| Feature | Ekran System® | ObserveIT (Proofpoint) | Veriato Cerebral (formerly Spector 360) | Teramind |
|---|---|---|---|---|
| Windows XP / Server 2003 | Yes | No | No | Yes |
| Windows Vista through Windows 10 / Server 2019 | Yes | Yes | Yes | Yes |
| Linux / Unix (Telnet and Console sessions) | Yes | Yes | No | No |
| X Window sessions | Yes | No | No | No |

 

Determine what endpoints and platforms you need to surveil when choosing activity monitoring software. Keep in mind that you might need a wider choice of platforms as your company grows.

 

All the solutions we’ve compared support Windows. Ekran System and ObserveIT also monitor sessions on Linux/Unix systems. Ekran is the only product supporting X Window session monitoring, which allows you to monitor Ubuntu Amazon Linux Workspaces.

 

Another important challenge is monitoring virtual environments like Citrix, Microsoft Hyper-V, and VMware Horizon. Functionality for monitoring these environments should be identical to that for monitoring physical endpoints. For virtual desktop environments, it’s best to use monitoring solutions that support floating licenses for native endpoints, as virtual machines are created more frequently than physical ones. 

 

To support floating endpoint licenses, Ekran System delivers a client ready to be added to the golden image and automates license provisioning via the license pool. When a virtual machine instance is shut down, its license is released and returns to the pool. Therefore, to audit VMware or Citrix desktop environments, you need only as many Ekran System Workstation licenses as the maximum number of simultaneously active virtual desktops. Ekran System floating licenses also support non-persistent VDI monitoring.

 

At the same time, Ekran System delivers comprehensive functionality to monitor and audit published application sessions. Teramind and ObserveIT also support published application infrastructures.

Deployment & Management

| Feature | Ekran System® | ObserveIT (Proofpoint) | Veriato Cerebral (formerly Spector 360) | Teramind |
|---|---|---|---|---|
| Deployment model | On-premises | On-premises | On-premises | SaaS and on-premises |
| Easy deployment | Yes | No | No | Yes |
| Remote installation/uninstallation of clients | Yes | No | Yes | No |
| Management via web console | Yes | Yes | No | Yes |
| Centralized endpoint client updates | Yes | No | No | Yes |
| System health monitoring | Yes | Yes | No | No |
| Easy on-premises maintenance | Yes | Yes | Yes | No |
| Database cleanup | Yes | Yes | Yes | Yes |
| History archiving | Yes | Yes | No | No |

 

A Software as a Service (SaaS) solution is fast to deploy and available on any platform and device. Teramind provides its service primarily according to the SaaS model. They also offer user activity monitoring and data loss prevention solutions on the AWS platform according to the Platform as a Service (PaaS) model.

 

However, on-premises deployment is associated with fewer security risks. On-premises deployment provides these benefits to Ekran System clients:

  • A one-time license for Ekran System includes system installation and configuration.
  • Ekran can be deployed on a dedicated server or in a client’s personal cloud.
  • Cloud storage resources are estimated by the deployment team according to business needs.
  • Clients retain complete control over data protection and data access.
  • Highly sensitive information remains confidential.
  • Ekran ensures compliance with industry and government regulations.

 

Some reviewers point out that ObserveIT and Veriato are hard to deploy by yourself. You may also face scalability issues with large deployments, as these products impact server performance. Customers of Ekran System, on the other hand, praise the detailed technical documentation and easy deployment process along with the many automated maintenance tasks.

Basic Recording and Incident Response Functionality

| Feature | Ekran System® | ObserveIT (Proofpoint) | Veriato Cerebral (formerly Spector 360) | Teramind |
|---|---|---|---|---|
| Video replay of every session | Yes | Yes | Yes | Yes |
| Audio recording | Yes | No | No | No |
| Real-time playback of live sessions | Yes | Yes | Yes | Yes |
| Multi-monitor recording | Yes | Yes | Yes | Yes |
| Real-time alerts | Yes | Yes | Yes | Yes |
| User behavior analytics and risk scoring | Yes | Yes | Yes | Yes |
| Multi-tenancy | Yes | No | No | No |
| Privileged account management | Yes | No | No | Yes |
| USB device alerting and blocking | Yes | No | No | No |
| Mass storage device control | Yes | No | No | Yes |
| Kill process on alert / block user on alert | Yes | Yes | Yes | Yes |
| User blocking | Yes | Yes | No | Yes |

 

Recording is a key functionality of any user monitoring software. Almost all employee monitoring solutions are equipped with real-time alerting functionality: the software notifies a security officer if something suspicious is happening. Ekran System and Teramind also allow security officers to kill the suspicious activity and block the user, and they allow for recording audio in addition to the usual video logs.

 

Storing records requires plenty of disk space or cloud storage space. To use this space effectively, monitoring platforms use various compression techniques. Ekran System provides two options: to save records with the original screen resolution or compress them. Ekran’s compression algorithms allow for saving the master image and its deltas, thus reducing the amount of required disk space. Additionally, all screenshots are encrypted with a session key and the data structure of records is optimized to ensure fast insertion and deletion of records with any number of active sessions.

 

ObserveIT divides a user’s screen into nine parts and stores those records independently. This approach allows ObserveIT not to duplicate parts of records. For instance, when a user activity is located in one part of the screen, there’s no need to record the rest of it. On the other hand, this system makes it hard to delete, transfer, or archive data because many records may refer to a single screenshot.

 

Veriato compresses screen records and stores them in a default format. Teramind saves video streams, compresses them, and changes the screen resolution.

 

Multi-tenancy is a useful feature for managed service providers who take care of cybersecurity for their clients. It’s also useful for organizations with offices in different locations. The Ekran System multi-tenant deployment mode ensures that several independent tenants can operate in one environment.

 

Ekran’s alert system includes an Artificial Intelligence (AI) module that detects abnormal user activity and possible account compromise by establishing baseline user behavior and monitoring behavior in real time. For instance, this module can create a baseline of a user’s work hours and notify a security officer in case of user activity at an abnormal time.
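The work-hours baseline described above can be sketched as follows. This is an added example, not Ekran System's code or algorithm; the thresholds, function names, user names, and session events are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

MIN_EVENTS = 20    # assumption: a baseline with fewer events is not trusted
MIN_SHARE = 0.02   # assumption: hours holding <2% of past activity are abnormal


def build_baselines(events):
    """Build {user: Counter(hour -> count)} from (user, ISO timestamp) pairs."""
    baselines = defaultdict(Counter)
    for user, ts in events:
        baselines[user][datetime.fromisoformat(ts).hour] += 1
    return baselines


def hour_share(hist, hour):
    """Share of past activity in `hour` plus its two neighbours.

    The +/-1 hour window wraps around midnight, so a night-shift user is not
    flagged at 00:10 just because the hour number is far from 23.
    """
    total = sum(hist.values())
    near = sum(hist[(hour + d) % 24] for d in (-1, 0, 1))
    return near / total


def classify(baselines, user, ts):
    """Return 'normal', 'alert', or 'insufficient-baseline' for one new event."""
    hist = baselines.get(user)
    if hist is None or sum(hist.values()) < MIN_EVENTS:
        # Unknown or new users get no verdict instead of a false alert.
        return "insufficient-baseline"
    share = hour_share(hist, datetime.fromisoformat(ts).hour)
    return "alert" if share < MIN_SHARE else "normal"


def constructed_history():
    """Constructed training data: five days of session events for three users."""
    events = []
    for day in range(1, 6):
        for hour in range(9, 18):          # office hours, 09:00-17:59
            events.append(("alice", f"2024-03-{day:02d}T{hour:02d}:15:00"))
        for hour in (22, 23, 0, 1):        # night shift crossing midnight
            events.append(("nightop", f"2024-03-{day:02d}T{hour:02d}:40:00"))
    events += [("newhire", "2024-03-05T10:00:00")] * 3
    return events


def review(baselines, new_events):
    """Classify a batch of new events and keep only the ones to alert on."""
    return [(u, ts) for u, ts in new_events
            if classify(baselines, u, ts) == "alert"]


if __name__ == "__main__":
    baselines = build_baselines(constructed_history())
    incoming = [                            # constructed events to score
        ("alice", "2024-03-11T10:30:00"),
        ("alice", "2024-03-11T03:12:00"),
        ("nightop", "2024-03-11T00:10:00"),
        ("nightop", "2024-03-11T12:00:00"),
        ("newhire", "2024-03-11T03:00:00"),
    ]
    for user, ts in review(baselines, incoming):
        print(f"ALERT: {user} active at {ts}, outside learned work hours")
```

Returning a separate verdict for users with too little history keeps new accounts from generating alerts before a baseline exists.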

 

ObserveIT employs user behavior analytics to gather statistics for the main dashboard. It provides a security officer with information on risk scores and user behavior trends over periods of time, but it doesn’t notify of suspicious trends.

 

Veriato offers user behavior analytics and risk scoring functionality to analyze regular user actions, establish a baseline of safe behavior, and notify designated personnel of dubious activity. But keep in mind that Veriato offers this functionality as standalone software that requires an additional license. 

 

Veriato also uses AI to analyze employee correspondence and daily activities for sentiment-based threat detection.

Additional Recording Features

| Feature | Ekran System® | ObserveIT (Proofpoint) | Veriato Cerebral (formerly Spector 360) | Teramind |
|---|---|---|---|---|
| Keylogging | Yes | Yes | Yes | No |
| Clipboard | Yes | Yes | Yes | Yes |
| Index by active window title | Yes | Yes | Yes | Yes |
| Index by active application name | Yes | Yes | Yes | Yes |
| Host name | Yes | Yes | Yes | Yes |
| User name | Yes | Yes | Yes | Yes |
| Date/time | Yes | Yes | Yes | Yes |
| Visited URLs | Yes | Yes | Yes | Yes |
| IP associated with host | Yes | Yes | No | Yes |
| IP of remote desktop | Yes | Yes | No | No |
| Logging all USB device connections | Yes | No | No | No |
| File activity monitoring | Yes | Yes | Yes | Yes |
| Logging USB mass storage connections | Yes | Yes | Yes | No |
| Magnifier option (zoom screenshot regions) | Yes | Yes | No | Yes |

 

In order to thoroughly monitor user activity, you need more than a video of the session. Additional data helps you understand the context and search more effectively. If an insider attack has already happened, this data allows you to investigate the scope of the breach, the tools used, and the parties involved.

 

Advanced user monitoring solutions like Ekran System perform keylogging, record clipboard contents, and log details of active processes and applications, web activities, and device connections. They also record in-depth network details upon connecting to a host. While differing in the user activity details — and especially in the network connection details — they provide, ObserveIT, Veriato, Ekran System, and Teramind all support file activity monitoring.

Searching, Reporting, and Exporting

| Feature | Ekran System® | ObserveIT (Proofpoint) | Veriato Cerebral (formerly Spector 360) | Teramind |
|---|---|---|---|---|
| Search by metadata | Yes | Yes | Yes | Yes |
| Scheduled and ad-hoc reports | Yes | Yes | Yes | No |
| Interactive system dashboards | Yes | Yes | Yes | Yes |
| Save sessions in encrypted format (forensic) | Yes | No | No | No |
| Export screenshots to external formats | Yes | Yes | Yes | Yes |
| Put your company name on reports and notifications | Yes | No | No | No |

 

Recording lots of metadata is only part of the insider threat prevention process. To effectively prevent threats, you need to be able to search within collected data. It’s hard to find a single event, especially if you don’t know when it happened and your company employs thousands of people. That’s why all top monitoring solutions allow you to search by any recorded parameter.

 

Accumulated data can also be used for generating reports. Usually, activity monitoring software can create various scheduled and ad-hoc reports. Ekran System allows you to customize emails and reports with your company’s name and logo.

 

Finally, monitoring information can be used for investigations and forensic activities. Ekran System, ObserveIT, Veriato, and Teramind export recorded data in an encrypted tamper-proof format that may be used for forensic purposes.

Access Management

| Feature | Ekran System® | ObserveIT (Proofpoint) | Veriato Cerebral (formerly Spector 360) | Teramind |
|---|---|---|---|---|
| Secondary authentication to identify users of shared and built-in accounts | Yes | Yes | Yes | Yes (cloud-based system) |
| Access request functionality | Yes | No | No | No |
| One-time passwords | Yes | No | No | No |
| Multi-factor authentication | Yes | No | No | No |
| Time-based user access restrictions | Yes | No | No | No |
| Privileged account and session management (PASM) | Yes | No | No | No |
| Password sharing | Yes | No | No | No |

 

Access management functionality controls which users have permission to work with certain data. It’s especially useful when working with privileged users and third-party vendors.

 

Tools such as secondary and multi-factor authentication allow you to positively identify a person trying to log in to your system. These tools are commonly used to authenticate users of shared profiles such as “admin” and “root.”

 

In order to protect the most sensitive data, some solutions offer one-time passwords as well as access request and workflow approval capabilities.

 

Ekran System has the most robust access management functionality among the top insider threat security solutions.

Solution Work and Security

| Feature | Ekran System® | ObserveIT (Proofpoint) | Veriato Cerebral (formerly Spector 360) | Teramind |
|---|---|---|---|---|
| Watchdog mechanism | Yes | Yes | Yes | Yes |
| Driver-level uninstall protection | Yes | No | No | No |
| Centralized endpoint client updates | Yes | No | No | Yes |
| Audit trail for system users | Yes | Yes | Yes | Yes |
| SIEM system integration | Yes | Yes | Yes | Yes |
| Ticketing system integration | Yes | Yes | No | No |

 

Employee monitoring software should be easy to use, protected, and compatible with the other security solutions a company uses. This is especially important for large enterprises that build custom security systems using several compatible solutions.

 

Recording and storing data requires a lot of disk space. If your company has thousands of employees, you may end up with terabytes of surveillance records each week. An insider attack can go unseen for months, so it’s a common requirement to preserve data for a considerable amount of time. This may be a problem with some solutions, such as Veriato, that use a lot of resources for data storage, thereby impacting server performance.

 

Ekran System uses highly optimized formats to store session recordings and metadata. It also optimizes bandwidth use.

 

Integration with SIEM and ticketing systems allows you to exchange data inside your security infrastructure. By combining information from these systems, you can trace not only the details of user actions but the reasons for them. All the monitoring solutions we’ve mentioned integrate with some set of popular SIEM systems, and several also integrate with ticketing systems.

 


Ekran System® vs competitors

 

ObserveIT, Veriato, and Teramind are the top user activity monitoring solutions on the market. Let’s consider their functionality compared to Ekran System.

ObserveIT

 

ObserveIT has robust recording functionality and logs a lot of metadata in addition to video. It’s equipped with two-layer authentication (credentials and email codes) and secondary authentication for shared logins. Deployment can be somewhat complicated without a product expert. 

 

On the other hand, ObserveIT has limited access management functionality, providing only secondary authentication. Product licensing is a combination of a fixed infrastructure fee and a set of endpoint monitoring licenses. You may have some trouble distributing these licenses between virtual machines, however. Also, it’s impossible to update a client offline.

 

ObserveIT doesn’t provide automated or manual incident response tools besides a warning message forcing users to acknowledge their actions.

 

Note that ObserveIT changed to a yearly subscription model after its acquisition by Proofpoint. Since the acquisition, more and more ObserveIT clients have been choosing Ekran System as a worthy ObserveIT alternative.

 

Bottom line: Ekran System is a proven alternative to ObserveIT. It provides the same monitoring and alerting functionality while offering robust identity and access management capabilities, device management, and incident response tools. In addition to recording video, audio, and metadata, Ekran System uses a UEBA module to analyze this data and detect suspicious activity. Coupling these features with granular access and identity management, this all-in-one solution ensures full-cycle insider threat management. Ekran System offers a flexible licensing scheme, with floating endpoint licensing and with licensing for the Standard Edition based only on the number of endpoints.

Veriato Cerebral

 

Veriato Cerebral (formerly Veriato 360) is a solution for monitoring Windows and macOS-based endpoints. With a flexible licensing scheme, it’s currently more affordable than ObserveIT.

 

Veriato provides basic recording functionality with a limited ability to block suspicious activity. What differentiates Veriato from its competitors are a UEBA module and computational linguistic analysis. Veriato identifies disgruntled employees (who are considered potential attackers) by analyzing sentiments in their correspondence and actions. This solution also uses AI to detect indicators of stolen credentials.

 

With employee monitoring as its main use case, Veriato delivers a number of additional activity-specific reports such as on email monitoring and chat monitoring.

 

Bottom line: Compared to Veriato, Ekran System supports more platforms (macOS, Linux/Unix, X Window, Citrix, VMware Horizon, Microsoft Hyper-V, and Windows) and is equipped with more robust access control functionality. Ekran System ensures granular access to critical endpoints using tools such as multi-factor authentication, one-time-passwords, and access requests. Also, Ekran employs UEBA to detect suspicious user behavior and prevent insider threats.

Teramind

 

Teramind offers two types of deployment: SaaS and on-premises. However, the SaaS model is the most common. As an on-premises solution, Teramind is deployed as a Linux virtual machine. It provides you with tools for native database management, deployment scaling, permission configuration, etc.

 

Despite considerable recording, alerting, and incident response tools, Teramind doesn’t include identity and access management functionality besides secondary authentication for shared accounts, which is available only for the cloud-based system. Without multi-tenancy and specific scaling capabilities, it may be complicated for managed service providers and those with large infrastructures to deploy Teramind.

 

Bottom line: Ekran System is a worthy Teramind alternative, as Ekran is a universal and stable on-premises solution that allows you to record not only Windows but also Linux and virtual endpoints. While on-premises software takes more time to deploy than do SaaS solutions, it brings more benefits in the long run.

 

Ekran provides an incident response toolset in addition to monitoring and recording features. It also includes robust identity and access management functionality and is equipped with must-have features for scaling a deployment from a limited pilot to an extra-large hybrid infrastructure.

 

 
