Ekran System® vs Balabit vs Wallix vs ObserveIT Comparison


Internal security breaches and user-based threats are hot topics in the industry, and not only large enterprises are targets: small and medium-sized businesses (SMBs), educational institutions, and government organizations are equally vulnerable.

 

User activity monitoring solutions are nothing new. These tools are integrated into the security policies of many organizations as part of a compliance and threat prevention strategy. The tools we compare in this review apply modern approaches: indexed video records of user sessions with enhanced search, analysis, notification capabilities, privileged access management, and user behavior analytics.

 

In this comparison, we look at four user activity monitoring solutions: our own Ekran System, Balabit, ObserveIT, and Wallix.

 

Our goal is to help you better understand the differences among these solutions and determine which best meets your organization’s needs.

 

Product Review: Summary

 

Ekran System is recommended for SMBs and large enterprises looking for a stable and easy-to-deploy solution with core monitoring, PAM, and identity management functionality.

 

ObserveIT is an option for mid-sized and large enterprises looking for broader integration and more sophisticated alerting functionality.

 

Wallix is suitable for controlling and managing privileged accounts, and is recommended for SMBs and enterprises.

 

Large enterprises that have a number of critical endpoints and high access management requirements – and that are looking for a solution with detailed activity and data transfer controls as well as automated blocking features – might choose Balabit or Wallix.

 

Note

 

Balabit has been acquired by One Identity and has been renamed to One Identity Safeguard for PSM.

 

All information below about Balabit Shell Control Box applies to One Identity Safeguard for PSM.

 

ObserveIT has been acquired by Proofpoint. The company has announced changes in ObserveIT pricing and future integration with other Proofpoint products.

 

 

Market and Focus Overview

 

 

| | Ekran System® | ObserveIT | One Identity Safeguard for PSM (formerly Balabit) | Wallix AdminBastion Suite |
|---|---|---|---|---|
| Description | Insider threat protection platform | Enterprise insider threat detection software | Monitoring solution that controls privileged access to remote IT systems | Focus on privileged access management and privileged user monitoring |
| Target audience | Businesses of all sizes | Large enterprises across a range of industries | Large enterprises with high privileged access security requirements | Businesses of all sizes |
| Technical approach | Agent-based software | Agent-based software | Appliance | Appliance |
| Deployment | Agent-based deployment (Windows agents can be installed remotely); Jump server deployment; Optimized for virtual environments; Multi-tenant mode | Agent-based deployment; Jump server deployment | Bastion host deployment (possibility to set privileged session management on a virtual appliance); Transparent mode | Bastion host deployment; Web-based client; Physical or virtual appliance |
| Maintenance | Manual control panel updates; Automatic client updates (online and offline); 24/7 support | Manual control panel updates | Manual firmware updates | Manual firmware updates |
| Price (based on average deployment cost) | $ | $$$ | $$$$ | $$$$ |
| Licensing | Based on number of monitored endpoints; Several licensing tiers | Base fee for control component in addition to fee based on number of monitored endpoints (to be changed to a subscription by Proofpoint) | Based on number of appliances purchased (inflexible) | Based on number of appliances purchased (inflexible); Several licensing tiers |

 

Format

 

All four solutions incorporate video recordings of user sessions as part of their main functionality and provide session search tools and a web-based interface for YouTube-like playback. Ekran System also records audio input and output streams on each endpoint.

 

All four tools provide tamper-proof audit trails with parameterized episode search through sessions as well as alerted event marks.

 

Focus

Insider Threat Detection

Monitoring

 

User activity monitoring is the core feature of all four products. However, Ekran System and ObserveIT focus more on providing detailed records of user activity in order to detect insider threats and monitor employee activity.

 

Access

 

Ekran System provides privileged access management functionality in the form of:

  • Password manager
  • One-time passwords
  • Multi-factor authentication
  • Secondary authentication
  • Manual login approval
  • Time-based restrictions for user access

 

The Balabit Shell Control Box and the Wallix AdminBastion Suite, one of the biggest Balabit competitors, focus on privileged access management and access control. These solutions put less focus on monitoring, viewing it as a supplementary feature. As a result, they have fewer capabilities for insider threat investigation but provide certain additional protections from outsider attacks.

 

ObserveIT has the most modest access management toolset of these four solutions, providing only secondary authentication.

 

Architectures

 

These solutions use different architectural models: ObserveIT and Ekran System are agent-based software, whereas Balabit and Wallix are gateway-based solutions, delivered as hardware or a virtual appliance.

 

Gateway-based solutions are easier to deploy and maintain but have some limitations when gathering metadata and eventually become a bottleneck in the network of a big organization.

 

Agent-based solutions, on the other hand, provide more versatility. Under a regular deployment, they can gather more detailed metadata, which is especially critical when monitoring Linux Telnet and SSH sessions.

[Figure: Agent-based vs gateway-based software]

Agent-based software can also be deployed using a gateway-based scheme where a monitoring agent is installed on a single jump server and monitors all connections routed through that server, thus mimicking Balabit or Wallix.

[Figure: Jump server deployment scheme]

Jump server deployment slightly limits monitoring capabilities compared to deploying agents on every target endpoint but is more versatile and affordable than Wallix or Balabit licensing.

 

Another advantage of agent-based solutions is that when the network connection is lost, an agent can keep recording data locally and send it to the server later.

 

In addition, Ekran System has a multi-tenant mode, which allows multiple strongly isolated tenants to operate in one Ekran System environment. The data of each tenant, including monitored data, user credentials, client names, and system configuration, is private and not accessible to other tenants.

[Figure: Multi-tenant cybersecurity deployment scheme]

 

Target Customers and Pricing

 

Balabit and ObserveIT target large enterprises, while Ekran System and Wallix target both the large enterprise and SMB markets. But while the Wallix SMB package includes a limited toolset, Ekran System provides monitoring, alerting, incident response, and reporting functionalities in all editions. This difference is reflected in the pricing and licensing models.

 

Balabit pricing

 

The price of Balabit Shell Control Box is fixed for each appliance, and thus the cost of a Balabit license is based on the number of deployed appliances, a model oriented around large infrastructures. Deployments with a moderate number of endpoints would not be cost-efficient.

 

Wallix pricing

 

Wallix’s licensing is similar to Balabit’s in that Wallix charges a fixed price per appliance. However, Wallix also provides a web-based client under a subscription model.

 

You can also deploy Balabit or Wallix as a virtual appliance for the cost.

 

ObserveIT pricing

 

ObserveIT licensing consists of two parts: a fixed price for the system management component and a price based on the number of monitored endpoints. Thus, comparing Balabit vs ObserveIT, the licensing model of the latter is more flexible, though there’s still a significant barrier to entry. Small and mid-sized deployments will not be cost-efficient.

 

Also, Proofpoint (the company that recently acquired ObserveIT) plans to change the ObserveIT pricing model from a perpetual license to a subscription.

 

Ekran System pricing

 

Ekran System offers two licensing schemes.

 

Standard

 

With the Standard licensing scheme, pricing fully depends on the number of deployed agents, making this solution cost-effective for small and medium-sized companies. At the same time, Standard licensing provides a user with all the necessary tools for insider threat protection.

 

Enterprise

 

The Enterprise licensing scheme adds fixed charges for the management panel, similar to ObserveIT, but also provides additional benefits that are useful for larger companies, such as one-time passwords, advanced SIEM and ticketing system integration, audio recording, and high availability.

 

Ekran System also has a separate licensing model for jump server deployments.

 

Both the Standard and Enterprise licensing schemes provide floating licensing. This means licenses can easily be reassigned to another endpoint, whether real or virtual.

 

Feature and Usage Scenario Overview

 

 

| | Ekran System® | ObserveIT | One Identity Safeguard for PSM (formerly Balabit) | Wallix AdminBastion Suite |
|---|---|---|---|---|
| Monitoring | User session recording; Video recorded in a custom format; Audio recording; Full metadata recording; Search by metadata | User session recording; Video recorded in a custom format; Full metadata recording; Search by metadata; Email monitoring | User session recording; Video recorded in a custom format; Limited metadata recording; Search by metadata | User session recording; Video recorded in Flash format (for GUI sessions) or text format (for SSH sessions); Optical character recognition for text-based search |
| Alerting | Real-time alerts; Custom alerts; Predefined alerts; Live session view; Forced user messaging; Automatic and manual user blocking; Automatic application kill; Automatic USB device blocking; User behavior analytics | Real-time alerts; Custom alerts; Rule-based behavior analysis; Live session view; Forced user messaging; Manual session blocking; Alerting on connecting a USB storage device or mobile phone; User behavior analytics | Real-time alerts or session termination; Custom alerts; Live session view; Possibility to add user behavior analysis with Blindspotter; Rule-based behavior analysis; User behavior analytics (requires an additional license) | Real-time alerts; Custom alerts; Live session view; Automatic session blocking |
| Access management | Additional authentication for identifying shared accounts; Two-factor authentication; One-time passwords; Privileged account and session management (PASM); Manual approval of USB device connections; Password management | Additional authentication for identifying shared accounts; Second layer of authentication | Password vault and password management; Additional authentication options; Access permission management; Two-factor authentication | Password vault and password management; Additional authentication options; Access permission management; Two-factor authentication |
| Integration | Active Directory integration; SIEM integration; Ticketing systems integration | Active Directory integration; SIEM integration; Ticketing systems integration | Active Directory integration; SIEM integration; Integration with other third-party solutions; Ticketing systems integration | Active Directory integration; SIEM integration; Integration with other third-party solutions |
| Other | Customized reporting; Forensic export; Records protected from tampering; Multi-tenancy support; Driver-level uninstall protection; Stability and highly optimized performance | Customized reporting; Forensic export; Records protected from tampering | Customized reporting; Forensic export; Records protected from tampering | Customized reporting; Forensic export; Records protected from tampering |

 

User Action Monitoring

 

The difference in architecture and focus of these four solutions determines the differences in how they approach user activity monitoring.

 

Ekran System vs ObserveIT

 

Ekran System and ObserveIT provide much more robust monitoring functionality, using indexed video formats to record everything a user sees on the screen during a particular session as well as all additional metadata for indexing, including:

 

  • names of opened applications and visited websites
  • names of active windows
  • keystrokes

 

In addition, Ekran records audio input and output on user endpoints.

 

Ekran System can also (optionally) monitor USB devices and provide manual access upon request, allowing for the detection of potentially dangerous devices. ObserveIT monitors only USB storage devices and mobile phones.

 

Both Ekran System and ObserveIT feature various filters that allow you to start and stop recording at specific times or based on specific events and filter the information that’s recorded.

 

These two monitoring solutions employ a user behavior analytics module to detect suspicious user actions. In this way, ObserveIT gathers information for its main dashboard. Ekran System provides a machine learning algorithm that establishes baseline user behavior to detect abnormal user activity and notify security personnel about it.

 

Wallix vs Balabit

 

Gateway-based solutions are easier to deploy and maintain but have some limitations when gathering metadata. Wallix doesn’t gather metadata at all. It saves videos in Flash format and uses optical character recognition to provide additional text data that’s used as the basis for text search.

 

At the same time, Balabit provides another product, Blindspotter, which can complement monitoring data (gathered by the Balabit Shell Control Box and other tools) with intelligent privileged user behavior analysis. This product has a separate licensing model.

 

Balabit’s approach is less effective than actual metadata recording, as it provides both a less robust search feature and a less detailed audit trail.

 

Access Management

 

When considering Ekran System vs ObserveIT vs Balabit vs Wallix from the perspective of privileged user monitoring, all four services provide tools to control activity in detail.

 

| Functionality | Ekran System® | ObserveIT | One Identity Safeguard for PSM (formerly Balabit) | Wallix |
|---|---|---|---|---|
| Secondary authentication | Yes | Yes | Yes | Yes |
| One-time password | Yes | No | No | Yes |
| Administrator’s approval on login | Yes | No | Yes | Yes |
| Privileged user accounts and session management (PASM) | Yes | No | Yes | Yes |
| Password management | Yes | No | Yes | Yes |
| Integration with various third-party password management tools | No | No | Yes | Yes |
| Multi-factor authentication solutions | Yes | No | Yes | Yes |

 

Ekran System provides additional access management features compared to ObserveIT:

  • Two-factor authentication to verify the true identity of a user trying to log in
  • One-time password functionality that allows system administrators to manually approve logins by providing a set of one-time use credentials
  • Manual login approvals to secure the most critical assets
  • A password manager to implement the principle of least privilege
  • Privileged account and session management for granular remote access

 

ObserveIT does provide an additional layer of authentication, requesting not only user credentials but also confirmation via a code sent to the email address associated with the user. Nevertheless, both layers rely on the knowledge factor, so this scheme can’t be considered the best standard of multi-factor authentication.

 

Ekran System’s multi-factor authentication, on the other hand, requires credentials and a user’s mobile phone. Using two different factors (knowledge and possession), this solution ensures a truly reliable authentication procedure.

 

Also, Ekran System allows you to manage secrets such as Windows admin passwords, Active Directory secrets, and SSH/Telnet keys (for UNIX environments). The included password manager helps you secure the creation, storage, delivery, and rotation of credentials.

 

Any Wallix and Balabit review will say that both solutions have robust privileged access control features with access permission management, gateway authentication, built-in password vaulting, and integration with third-party password management and multi-factor authentication solutions.

 

Balabit has a slight edge on Wallix in that it allows for deployment in transparent mode, making the appliance invisible to users that connect through it.

 

Incident Response Functionality

 

All four tools deliver customizable alerts on potentially malicious actions, and in addition to notifying security personnel, they also provide the following incident response tools:

 

  • Ekran System allows real-time session review and manual user blocking with session termination and subsequent login blocking. It also has a built-in alert system with a range of automated responses such as user blocking and application killing.
  • ObserveIT has a comprehensive rule-based alert system that can force users to acknowledge their actions by displaying a blocking window with a custom security message. The session continues after the user reads the message and provides feedback.
  • Balabit Shell Control Box allows automated session termination.
  • Wallix also allows automated session termination, similar to Balabit.