EKRAN SYSTEM^® VS Balabit vs Wallix vs OBSERVEIT comparison

Observeit vs Balabit vs Wallix vs Ekran System

Internal security breaches and user-based threats are hot topics in the industry, and not only large enterprises are targets: small and medium-sized businesses (SMBs), educational institutions, and government organizations are equally vulnerable.

User activity monitoring solutions are nothing new. These tools are integrated into the security policies of many organizations as part of a compliance and threat prevention strategy. The tools we compare in this review apply modern approaches: indexed video records of user sessions with enhanced search, analysis, notification capabilities, privileged access management, and user behavior analytics.

In this comparison, we look at four user activity monitoring solutions – our own Ekran System vs Balabit vs ObserveIT vs Wallix.

Our goal is to help you better understand the differences among these solutions and determine which best meets your organization’s needs.

Product Review: Summary

Ekran System is recommended for SMBs and large enterprises looking for a stable and easy-to-deploy solution with core monitoring, PAM, and identity management functionality.

ObserveIT is an option for mid-sized and large enterprises looking for broader integration and more sophisticated alerting functionality.

Wallix is suitable for controlling and managing privileged accounts, and is recommended for SMBs and enterprises.

Large enterprises that have a number of critical endpoints and high access management requirements – and that are looking for a solution with detailed activity and data transfer controls as well as automated blocking features – might choose Balabit or Wallix.

Note

Balabit has been acquired by One Identity and has been renamed to One Identity Safeguard for PSM.

All information below about Balabit Shell Control Box applies to One Identity Safeguard for PSM.

ObserveIT has been acquired by Proofpoint. The company has announced changes in ObserveIT pricing and future integration with other Proofpoint products.

Market and Focus Overview

	Ekran System^®	ObserveIT	One Identity Safeguard for PSM (formerly Balabit)	Wallix AdminBastion Suite
Description	Insider threat protection platform	Enterprise insider threat detection software	Monitoring solution that controls privileged access to remote IT systems	Focus on privileged access management and privileged user monitoring
Target audience	Businesses of all sizes	Large enterprises across a range of industries	Large enterprises with high privileged access security requirements	Businesses of all sizes
Technical approach	Agent-based software	Agent-based software	Appliance	Appliance
Deployment	Agent-based deployment (Windows agents can be installed remotely) Jump server deployment Optimized for virtual environments Multi-tenant mode	Agent-based deployment Jump server deployment	Bastion host deployment (possibility to set privileged session management on a virtual appliance) Transparent mode	Bastion host deployment Web-based client Physical or virtual appliance
Maintenance	Manual control panel updates Automatic client updates (online and offline) 24/7 support	Manual control panel updates	Manual firmware updates	Manual firmware updates
Price (based on average deployment cost)	$	$$$	$$$$	$$$$
Licensing	Based on number of monitored endpoints Several licensing tiers	Base fee for control component in addition to fee based on number of monitored endpoints (to be changed to a subscription by Proofpoint)	Based on number of appliances purchased (inflexible)	Based on number of appliances purchased (inflexible) Several licensing tiers

Format

All four solutions incorporate video recordings of user sessions as part of their main functionality and provide session search tools and a web-based interface for Youtube-like playback. Ekran System also records audio input and output streams on each endpoint.

All four tools provide tamper-proof audit trails with parameterized episode search through sessions as well as alerted event marks.

Focus

Insider Threat Detection

Monitoring

User activity monitoring is the core feature of all four products. However, Ekran System and ObserveIT focus more on providing detailed records of user activity in order to detect insider threats and monitor employee activity.

Access

Ekran System provides privileged access management functionality in the form of:

Password manager
One-time passwords
Multi-factor authentication
Secondary authentication
Manual login approval
Time-based restrictions for user access

The Balabit Shell Control Box and the Wallix AdminBastion Suite, one of the biggest Balabit competitors, focus on privileged access management and access control. These solutions put less focus on monitoring, viewing it as a supplementary feature. As a result, they have fewer capabilities for insider threat investigation but provide certain additional protections from outsider attacks.

ObserveIT has the most modest access management toolset of these four solutions, providing only secondary authentication.

Architectures

These solutions use different architectural models: ObserveIT and Ekran System are agent-based software, whereas Balabit and Wallix are gateway-based solutions, delivered as hardware or a virtual appliance.

Gateway-based solutions are easier to deploy and maintain but have some limitations when gathering metadata and eventually become a bottleneck in the network of a big organization.

Agent-based solutions, on the other hand, provide more versatility. Under a regular deployment, they can gather more detailed metadata, which is critical especially when monitoring Linux Telnet SSH sessions.

Agent based vs gateway based software

Agent-based software can also be deployed using a gateway-based scheme where a monitoring agent is installed on a single jump server and monitors all connections routed through that server, thus mimicking Balabit or Wallix.

Jump server deployment scheme

Jump server deployment slightly limits monitoring capabilities compared to deploying agents on every target endpoint but is more versatile and affordable than Wallix or Balabit licensing.

Another advantage of agent-based solutions is that when the network connection is lost, an agent can keep recording data locally and send it to the server later.

In addition, there’s a multi-tenant mode in Ekran System, which allows multiple strongly isolated tenants to operate in one Ekran System environment. The data of each tenant including monitored data, user credentials, client names, and system configuration. is private and not accessible to other tenants.

Multi-tenant cybersecurity deployment scheme

Target Customers and Pricing

Balabit and ObserveIT target large enterprises, while Ekran System and Wallix target both the large enterprise and SMB markets. But while the Wallix SMB package includes a limited toolset, Ekran System provides monitoring, alerting, incident response, and reporting functionalities in all editions. This difference is reflected in the pricing and licensing models.

Balabit pricing

The price of Balabit Shell Control Box is fixed for each appliance, and thus the cost of a Balabit license is based on the number of deployed appliances, a model oriented around large infrastructures. Deployments with a moderate number of endpoints would not be cost-efficient.

Wallix pricing

Wallix’s licensing is similar to Balabit’s in that Wallix charges a fixed price per appliance. However Wallix also provides a web-based client according to a subscription model.

You can also deploy Balabit or Wallix as a virtual appliance for the cost.

ObserveIT pricing

ObserveIT licensing consists of two parts: a fixed price for the system management component and a price based on the number of monitored endpoints. Thus, comparing Balabit vs ObserveIT, the licensing model of the latter is more flexible, though there’s still a significant barrier to entry. Small and mid-sized deployments will not be cost-efficient.

Also, Proofpoint (the company that recently acquired ObserveIT) plans to change the ObserveIT pricing model from a perpetual license to a subscription.

Ekran System pricing

Ekran System offers two licensing schemes.

Standard

With the Standard licensing scheme, pricing fully depends on the number of deployed agents, making this solution cost-effective for small and medium-sized companies. At the same time, Standard licensing provides a user with all the necessary tools for insider threat protection.

Enterprise

The Enterprise licensing scheme adds fixed charges for the management panel, similar to ObserveIT, but also provide additional benefits that are useful for larger companies, such as one-time passwords, advanced SIEM and ticketing system integration, audio recording, and high availability.

Ekran System also has a separate licensing model for jump server deployments.

Both the Standard and Enterprise licensing schemes provide floating licensing. This means licenses can easily be reassigned to another endpoint, whether real or virtual.

Feature and Usage Scenario Overview

	Ekran System^®	ObserveIT	One Identity Safeguard for PSM (formerly Balabit)	Wallix AdminBastion Suite
Monitoring	User session recording Video recorded in a custom format Audio recording Full metadata recording Search by metadata	User session recording Video recorded in a custom format Full metadata recording Search by metadata Email monitoring	User session recording Video recorded in a custom format Limited metadata recording Search by metadata	User session recording Video recorded in Flash format (for GUI sessions) or text format (for SSH sessions) Optical character recognition for text-based search
Alerting	Real-time alerts Custom alerts Predefined alerts Live session view Forced user messaging Automatic and manual user blocking Automatic application kill Automatic USB device blocking User behavior analytics	Real-time alerts Custom alerts Rule-based behavior analysis Live session view Forced user messaging Manual session blocking Alerting on connecting a USB storage device or mobile phone User behavior analytics	Real-time alerts or session termination Custom alerts Live session view Possibility to add user behavior analysis with Blindspotter Rule-based behavior analysis User behavior analytics (requires an additional license)	Real-time alerts Custom alerts Live session view Automatic session blocking
Access management	Additional authentication for identifying shared accounts Two-factor authentication One-time passwords Privileged account and session management (PASM) Manual approval of USB device connections Password management	Additional authentication for identifying shared accounts Second layer of authentication	Password vault and password management Additional authentication options Access permission management Two-factor authentication	Password vault and password management Additional authentication options Access permission management Two-factor authentication
Integration	Active Directory integration SIEM integration Ticketing systems integration	Active Directory integration SIEM integration Ticketing systems integration	Active Directory integration SIEM integration Integration with other third-party solutions Ticketing systems integration	Active Directory integration SIEM integration Integration with other third-party solutions
Other	Customized reporting Forensic export Records protected from tampering Multi-tenancy support Driver-level uninstall protection Stability and highly optimized performance	Customized reporting Forensic export Records protected from tampering	Customized reporting Forensic export Records protected from tampering	Customized reporting Forensic export Records protected from tampering

User Action Monitoring

The difference in architecture and focus of these four solutions determines the differences in how they approach user activity monitoring.

Ekran System vs ObserveIT

Ekran System and ObserveIT provide much more robust monitoring functionality, using indexed video formats to record everything a user sees on the screen during a particular session as well as all additional metadata for indexing, including:

names of opened applications and visited websites
names of active windows
keystrokes

In addition, Ekran records audio input and output on user endpoints.

Ekran System can also (optionally) monitor USB devices and provide manual access upon request, allowing for the detection of potentially dangerous devices. ObserveIT monitors only USB storage devices and mobile phones.

Both Ekran System and ObserveIT feature various filters that allow you to start and stop recording at specific times or based on specific events and filter the information that’s recorded.

These two monitoring solutions employ a user behavior analytics module to detect suspicious user actions. In this way, ObserveIT gathers information for its main dashboard. Ekran System provides a machine learning algorithm that establishes baseline user behavior to detect abnormal user activity and notify security personnel about it.

Wallix vs Balabit

Gateway-based solutions are easier to deploy and maintain but have some limitations when gathering metadata. Wallix doesn’t gather metadata at all. It saves videos in Flash format and uses optical character recognition to provide additional text data that’s used as the basis for text search.

At the same time, Balabit provides another product, Blindspotter, which can complement monitoring data (gathered by the Balabit Shell Control Box and other tools) with intelligent privileged user behavior analysis. This product has a separate licensing model.

Balabit’s approach is less effective than actual metadata recording, as it provides both a less robust search feature and a less detailed audit trail.

Access Management

When considering Ekran System vs ObserveIT vs Balabit vs Wallix from the perspective of privileged user monitoring, all four services provide tools to control activity in detail.

Functionality	Ekran System^®	ObserveIT	One Identity Safeguard for PSM (formerly Balabit)	Wallix
Secondary authentication
One-time password
Administrator’s approval on login
Privileged user accounts and session management (PASM)
Password management
Integration with various third-party password management tools
Multi-factor authentication solutions

Ekran System provides additional access management features compared to ObserveIT:

Two-factor authentication to verify the true identity of a user trying to log in
One-time password functionality that allows system administrators to manually approve logins by providing a set of one-time use credentials
Manual login approvals to secure the most critical assets
A password manager to implement the principle of least privilege
Privileged account and session management for granular remote access

ObserveIT does provide an additional layer of authentication, requesting not only user credentials but also confirmation via a code sent to the email address associated with the user. Nevertheless, both layers rely on the knowledge factor, so this scheme can’t be considered the best standard of multi-factor authentication.

Ekran System’s multi-factor authentication, on the other hand, requires credentials and a user’s mobile phone. Using two different factors (knowledge and possession), this solution ensures a truly reliable authentication procedure.

Also, Ekran System allows you to manage secrets such as Windows admin passwords, Active Directory secrets, and SSH/Telnet keys (for UNIX environments). The included password manager helps you secure the creation, storage, delivery, and rotation of credentials.

Any Wallix and Balabit review will say that both solutions have robust privileged access control features with access permission management, gateway authentication, built-in password vaulting, and integration with third-party password management and multi-factor authentication solutions.

Balabit has a slight edge on Wallix in that it allows for deployment in transparent mode, making the appliance invisible to users that connect through it.

Incident Response Functionality

All four tools deliver customizable alerts on potentially malicious actions, and in addition to notifying security personnel, they also provide the following incident response tools:

Ekran System allows real-time session review and manual user blocking with session termination and subsequent login blocking. It also has a built-in alert system with a range of automated responses such as user blocking and application killing.
ObserveIT has a comprehensive rule-based alert system that can force users to acknowledge their actions by showing a blocking message with a custom security message. A session continues after a user reads the message and provides feedback.
Balabit Shell Control Box allows automated session termination.
Wallix also allows automated session termination, similar to Balabit.