Ekran System vs Balabit vs Wallix vs Observeit comparison


Internal security breaches and user-based threats are hot topics in the industry, and not only large enterprises are targets: SMBs, educational institutions, and government organizations are equally vulnerable.


User activity monitoring solutions are nothing new. These tools are integrated into the security policies of many organizations as part of a compliance and threat prevention strategy. The tools that we’re going to compare in this review apply modern approaches: indexed video records of user sessions with enhanced search, analysis, and notification capabilities.


In this comparison, we’ll look at four user activity monitoring solutions – our own Ekran System vs Balabit vs Observeit vs Wallix.


Our main goal for this comparison is to help you better understand the differences among these solutions to determine which best fits your organization’s needs.


Product Review: Summary


Ekran System is recommended for both SMBs and large enterprises looking for a stable monitoring solution with core analysis and access management functionality.

Observeit is an option for mid-sized and large enterprises looking for broader integration and more sophisticated alerting functionality.


Large enterprises that have a number of critical endpoints and high access management requirements – and that are looking for a solution with detailed activity and transferred data controls and automated blocking features – might choose Balabit or Wallix.


Market and Focus Overview

   Format

   Focus

   Architectures

   Target Customers and Pricing

Feature and Usage Scenario Overview

   User Action Monitoring

   Access Management

   Incident Response Functionality

Market and Focus Overview

| | Ekran System | Observeit | Balabit Shell Control Box | Wallix AdminBastion Suite |
|---|---|---|---|---|
| Description | User activity monitoring software for servers and desktops | Enterprise insider threat detection software | Monitoring appliance that controls privileged access to remote IT systems | Appliance with a focus on privileged access management and privileged user monitoring |
| Target audience | Businesses of all sizes | Large enterprises across a range of industries | Large enterprises with high privileged access security requirements | Large enterprises that need to control access and monitor privileged users |
| Technical approach | Agent-based software | Agent-based software | Appliance | Appliance |
| Deployment | Agent-based deployment; jump server deployment; optimized for virtual environments | Agent-based deployment; jump server deployment | Bastion host deployment; transparent mode | Bastion host deployment; web-based client |
| Maintenance | Manual control panel updates; automatic client updates | Manual control panel updates | Manual firmware updates | Manual firmware updates |
| Average deployment cost | * | *** | **** | **** |
| Licensing | Based on number of monitored endpoints; several licensing tiers | Base fee for control component in addition to fee based on number of monitored endpoints | Based on number of appliances purchased (inflexible) | Based on number of appliances purchased (inflexible); several licensing tiers |

Format

All four solutions incorporate video recordings of user sessions as part of their main functionality and provide session search tools and a web-based interface for DVR-like playback. All four tools also provide tamper-proof audit trails, parameterized search for specific episodes within sessions, and marks for alerted events on the session timeline.


Focus


User activity monitoring is the core feature of all four products. However, both Ekran System and Observeit focus much more on providing detailed records of user activity in order to detect insider threats and monitor employee activity.

The Balabit Shell Control Box and the Wallix AdminBastion Suite, one of Balabit's biggest competitors, focus more on privileged access management and access control. Both treat monitoring as a supplementary feature to their access management functionality. As a result, they have fewer capabilities for insider threat investigation but provide certain additional protections against outsider attacks.


Architectures


These solutions use different architectural models: Observeit and Ekran System are agent-based software products, whereas Balabit and Wallix are gateway-based solutions, delivered as a hardware or virtual appliance. Gateway-based solutions are easier to deploy and maintain, but have some limitations when gathering metadata.

Agent-based solutions, on the other hand, are more versatile. Under a regular deployment, they gather more detailed metadata, which is critical in particular when monitoring Linux Telnet and SSH sessions. They can also be deployed in a gateway-based scheme where a monitoring agent is installed on a single jump server and records all connections routed through that server, effectively mimicking the Balabit or Wallix model.


Jump server deployment slightly limits monitoring capabilities compared to deploying agents on every target endpoint, but is more versatile and affordable than Wallix or Balabit licensing.


Another advantage of agent-based solutions is that when the network connection is lost, an agent can keep recording data locally and then send it to the server later.


Target Customers and Pricing

Wallix, Balabit, and Observeit target large enterprises, while Ekran System targets both the large enterprise and SMB markets. This segmentation is reflected, first of all, in pricing and licensing models.


The Balabit Shell Control Box price is fixed for each appliance, and thus the Balabit license cost is based on the number of deployed appliances, a model oriented around large infrastructures; deployments with a moderate number of endpoints would not be cost-efficient.


Wallix’s licensing is similar to Balabit’s in that Wallix charges a fixed price per appliance. However, the main difference from Balabit pricing is that Wallix additionally provides a web-based client according to a subscription model.

Observeit licensing consists of two parts: a fixed price for the system management component and a price based on the number of monitored endpoints. Comparing Balabit vs Observeit, the licensing model of the latter is therefore more flexible, though there is still a significant barrier to entry, so small and mid-sized deployments will not be cost-efficient.


Ekran System provides several types of licensing. With the most basic model, pricing fully depends on the number of deployed agents, making this solution cost-effective for small and medium-sized companies. Other deployment models add fixed charges for the management panel, similar to Observeit, but also provide additional benefits that are useful for larger companies, such as one-time passwords, advanced SIEM and ticketing system integration, and high availability. Ekran System also has a separate licensing model for jump server deployments.

Feature and Usage Scenario Overview

| | Ekran System | Observeit | Balabit Shell Control Box | Wallix AdminBastion Suite |
|---|---|---|---|---|
| Monitoring | User session recording; video recorded in custom format; full metadata recording; search by metadata | User session recording; video recorded in custom format; full metadata recording; search by metadata | User session recording; video recorded in custom format; limited metadata recording; search by metadata | User session recording; video recorded in Flash format (for graphic sessions) or text format (for SSH sessions); optical character recognition for text-based search |
| Alerting | Real-time alerts; custom alerts; predefined alerts; live session view; forced user messaging; automatic and manual user blocking; automatic application kill; automatic USB device blocking | Real-time alerts; custom alerts; rule-based behavior analysis; live session view; forced user messaging; manual session blocking | Real-time alerts or session termination; custom alerts; live session view; possibility to add user behavior analysis with Blindspotter | Real-time alerts; custom alerts; live session view; automatic session blocking |
| Access management | Additional authentication for identifying shared accounts; two-factor authentication; one-time passwords | Additional authentication for identifying shared accounts | Password vault and password management; additional authentication options; access permission management; two-factor authentication | Password vault and password management; additional authentication options; access permission management; two-factor authentication |
| Integration | Active Directory integration; SIEM integration; ticketing systems integration | Active Directory integration; SIEM integration; ticketing systems integration | Active Directory integration; SIEM integration; integration with other third-party solutions; ticketing systems integration | Active Directory integration; SIEM integration |
| Other | Customized reporting; forensic export; records protected from tampering | Customized reporting; forensic export; records protected from tampering | Customized reporting; forensic export; records protected from tampering | Customized reporting; forensic export; records protected from tampering |

User Action Monitoring


The difference in architecture and focus of these four solutions determines the differences in how they approach user action monitoring.


Ekran System and Observeit provide much more robust monitoring functionality, using indexed video formats to record everything a user sees on the screen during a particular session as well as all additional metadata for indexing, including names of opened applications and visited websites, names of active windows, keystrokes, and more. Ekran System can also optionally monitor USB devices, allowing detection of mass storage devices and other potentially dangerous devices.


Both Ekran System and Observeit feature various filters that allow you to start and stop recording at specific times or based on specific events and filter the information that’s being recorded.

As noted above, gateway-based solutions are easier to deploy and maintain but have some limitations when gathering metadata. Wallix doesn't gather metadata at all: it saves videos in Flash format and uses optical character recognition to produce the text data that serves as the basis for text search.


At the same time, Balabit provides another product, Blindspotter, which can complement monitoring data (gathered by the Balabit Shell Control Box and other tools) with intelligent privileged user behavior analysis. This product has a separate licensing model.


Balabit’s approach is less effective than actual metadata recording, as it provides both a less robust search feature and a less detailed audit trail.


Access Management

When considering Ekran System vs Observeit vs Balabit vs Wallix from the perspective of privileged user monitoring, all four vendors provide tools to control activity in detail. Each provides a second layer of authentication for shared accounts such as “root” or “admin.”


Ekran System provides additional access management features compared to Observeit: two-factor authentication, which can be used for free, as well as one-time password functionality that allows system administrators to manually approve logins by providing a set of one-time use credentials. As a Wallix and Balabit alternative, Ekran System has fewer access management features but provides better monitoring capabilities.


Any Wallix and Balabit review will say that both solutions have robust privileged access control features with access permission management, gateway authentication, built-in password vaulting, and integration with various third-party password management and multifactor authentication solutions.


Balabit has a slight edge on Wallix in that it allows for deployment in transparent mode, making the appliance invisible to users that connect through it.


Incident Response Functionality


All four tools deliver customizable alerts on potentially malicious actions, and in addition to notifying security personnel, they also provide the following incident response tools:


  • Ekran System allows real-time session review and manual user blocking with session termination and subsequent login blocking. It also has a built-in alert system with a range of automated responses such as user blocking and application killing.
  • Observeit has a comprehensive rule-based alert system that can force users to acknowledge their actions by displaying a blocking dialog with a custom security message. The session continues only after the user reads the message and provides feedback.
  • Balabit Shell Control Box allows automated session termination.
  • Wallix also allows automated session termination, similar to Balabit.
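As an added illustration of the rule-based alerting and automated responses listed above (example code written for this review, not code from Ekran System, Observeit, Balabit or Wallix), the following Python sketch evaluates custom alert rules over constructed session metadata of the kind the review describes (application names, window titles, visited URLs, USB events) and picks the automated response for each user's session. The field names, rule set, severity scale and escalation threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of session metadata as the review describes it:
# application, active window title, visited URL and USB events per user.
SESSION_EVENTS = [
    {"ts": 1, "user": "admin", "app": "explorer.exe", "window": "Documents", "url": "", "usb": ""},
    {"ts": 2, "user": "admin", "app": "cmd.exe", "window": "Administrator: Command Prompt", "url": "", "usb": ""},
    {"ts": 3, "user": "admin", "app": "chrome.exe", "window": "Paste", "url": "https://paste.example/raw/x1", "usb": ""},
    {"ts": 4, "user": "admin", "app": "explorer.exe", "window": "Removable Disk (E:)", "url": "", "usb": "mass_storage_connected"},
    {"ts": 5, "user": "jdoe", "app": "winword.exe", "window": "report.docx", "url": "", "usb": ""},
]

@dataclass(frozen=True)
class Rule:
    name: str
    field: str      # metadata field the pattern is matched against
    pattern: str    # case-insensitive regular expression
    severity: int   # 1 = low, 2 = medium, 3 = high (assumed scale)
    response: str   # automated action: notify, block_usb, kill_app, block_user

# Assumed custom rule set (hypothetical; mirrors the "custom alerts" feature).
RULES = (
    Rule("usb-mass-storage", "usb", r"mass_storage", 3, "block_usb"),
    Rule("paste-site-upload", "url", r"paste\.example", 2, "notify"),
    Rule("interactive-shell", "app", r"^(cmd|powershell)\.exe$", 1, "notify"),
)

def evaluate(events, rules=RULES):
    """Return alert marks (ts, user, rule name, severity, response) in timeline order."""
    marks = []
    for ev in events:
        for r in rules:
            if re.search(r.pattern, ev.get(r.field, ""), re.IGNORECASE):
                marks.append((ev["ts"], ev["user"], r.name, r.severity, r.response))
    return marks

def decide_response(marks, user, block_threshold=4):
    """Pick the automated actions for one user's session.

    Each matching rule's own response is applied; when the summed severity of
    the user's alerts reaches block_threshold the session is escalated to
    block_user (assumed escalation policy, not any vendor's behaviour).
    """
    mine = [m for m in marks if m[1] == user]
    actions = sorted({m[4] for m in mine if m[4] != "notify"})
    if sum(m[3] for m in mine) >= block_threshold:
        actions.append("block_user")
    return actions
```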
