Ekran System® vs Balabit vs Wallix vs ObserveIT Comparison
Internal security breaches and user-based threats are hot topics in the industry, and not only large enterprises are targets: small and medium-sized businesses (SMBs), educational institutions, and government organizations are equally vulnerable.
User activity monitoring solutions are nothing new. These tools are integrated into the security policies of many organizations as part of a compliance and threat prevention strategy. The tools we compare in this review apply modern approaches: indexed video records of user sessions with enhanced search, analysis, notification capabilities, privileged access management, and user behavior analytics.
In this comparison, we look at four user activity monitoring solutions – our own Ekran System vs Balabit vs ObserveIT vs Wallix.
Our goal is to help you better understand the differences among these solutions and determine which best meets your organization’s needs.
Product Review: Summary
Ekran System is recommended for SMBs and large enterprises looking for a stable and easy-to-deploy solution with core monitoring, PAM, and identity management functionality.
ObserveIT is an option for mid-sized and large enterprises looking for broader integration and more sophisticated alerting functionality.
Wallix is suitable for controlling and managing privileged accounts, and is recommended for SMBs and enterprises.
Large enterprises that have a number of critical endpoints and high access management requirements – and that are looking for a solution with detailed activity and data transfer controls as well as automated blocking features – might choose Balabit or Wallix.
Note
Balabit has been acquired by One Identity and has been renamed to One Identity Safeguard for PSM.
All information below about Balabit Shell Control Box applies to One Identity Safeguard for PSM.
ObserveIT has been acquired by Proofpoint. The company has announced changes in ObserveIT pricing and future integration with other Proofpoint products.
Market and Focus Overview
| | Ekran System® | ObserveIT | One Identity Safeguard for PSM (formerly Balabit) | Wallix AdminBastion Suite |
|---|---|---|---|---|
| Description | Insider threat protection platform | Enterprise insider threat detection software | Monitoring solution that controls privileged access to remote IT systems | Focus on privileged access management and privileged user monitoring |
| Target audience | Businesses of all sizes | Large enterprises across a range of industries | Large enterprises with high privileged access security requirements | Businesses of all sizes |
| Technical approach | Agent-based software | Agent-based software | Appliance | Appliance |
| Deployment | | | | |
| Maintenance | | | | |
| Price (based on average deployment cost) | $ | $$$ | $$$$ | $$$$ |
| Licensing | | | | |
Format
All four solutions incorporate video recordings of user sessions as part of their main functionality and provide session search tools and a web-based interface for YouTube-like playback. Ekran System also records audio input and output streams on each endpoint.
All four tools provide tamper-proof audit trails with parameterized episode search through sessions as well as alerted event marks.
Focus
Monitoring
User activity monitoring is the core feature of all four products. However, Ekran System and ObserveIT focus more on providing detailed records of user activity in order to detect insider threats and monitor employee activity.
Access
Ekran System provides privileged access management functionality in the form of:
- Password manager
- One-time passwords
- Multi-factor authentication
- Secondary authentication
- Manual login approval
- Time-based restrictions for user access
The Balabit Shell Control Box and the Wallix AdminBastion Suite, one of the biggest Balabit competitors, focus on privileged access management and access control. These solutions put less focus on monitoring, viewing it as a supplementary feature. As a result, they have fewer capabilities for insider threat investigation but provide certain additional protections from outsider attacks.
ObserveIT has the most modest access management toolset of these four solutions, providing only secondary authentication.
Architectures
These solutions use different architectural models: ObserveIT and Ekran System are agent-based software, whereas Balabit and Wallix are gateway-based solutions, delivered as hardware or a virtual appliance.
Gateway-based solutions are easier to deploy and maintain but have some limitations when gathering metadata and eventually become a bottleneck in the network of a big organization.
Agent-based solutions, on the other hand, provide more versatility. Under a regular deployment, they can gather more detailed metadata, which is especially critical when monitoring Linux Telnet and SSH sessions.
Agent-based software can also be deployed using a gateway-based scheme where a monitoring agent is installed on a single jump server and monitors all connections routed through that server, thus mimicking Balabit or Wallix.
Jump server deployment slightly limits monitoring capabilities compared to deploying agents on every target endpoint but is more versatile and affordable than Wallix or Balabit licensing.
Another advantage of agent-based solutions is that when the network connection is lost, an agent can keep recording data locally and send it to the server later.
In addition, there’s a multi-tenant mode in Ekran System, which allows multiple strongly isolated tenants to operate in one Ekran System environment. The data of each tenant, including monitored data, user credentials, client names, and system configuration, is private and not accessible to other tenants.
Target Customers and Pricing
Balabit and ObserveIT target large enterprises, while Ekran System and Wallix target both the large enterprise and SMB markets. But while the Wallix SMB package includes a limited toolset, Ekran System provides monitoring, alerting, incident response, and reporting functionalities in all editions. This difference is reflected in the pricing and licensing models.
Balabit pricing
The price of Balabit Shell Control Box is fixed for each appliance, and thus the cost of a Balabit license is based on the number of deployed appliances, a model oriented around large infrastructures. Deployments with a moderate number of endpoints would not be cost-efficient.
Wallix pricing
Wallix’s licensing is similar to Balabit’s in that Wallix charges a fixed price per appliance. However, Wallix also provides a web-based client under a subscription model.
You can also deploy Balabit or Wallix as a virtual appliance for the cost.
ObserveIT pricing
ObserveIT licensing consists of two parts: a fixed price for the system management component and a price based on the number of monitored endpoints. Thus, comparing Balabit vs ObserveIT, the licensing model of the latter is more flexible, though there’s still a significant barrier to entry. Small and mid-sized deployments will not be cost-efficient.
Also, Proofpoint (the company that recently acquired ObserveIT) plans to change the ObserveIT pricing model from a perpetual license to a subscription.
Ekran System pricing
Ekran System offers two licensing schemes.
Standard
With the Standard licensing scheme, pricing fully depends on the number of deployed agents, making this solution cost-effective for small and medium-sized companies. At the same time, Standard licensing provides a user with all the necessary tools for insider threat protection.
Enterprise
The Enterprise licensing scheme adds fixed charges for the management panel, similar to ObserveIT, but also provides additional benefits that are useful for larger companies, such as one-time passwords, advanced SIEM and ticketing system integration, audio recording, and high availability.
Ekran System also has a separate licensing model for jump server deployments.
Both the Standard and Enterprise licensing schemes provide floating licensing. This means licenses can easily be reassigned to another endpoint, whether real or virtual.
Feature and Usage Scenario Overview
| | Ekran System® | ObserveIT | One Identity Safeguard for PSM (formerly Balabit) | Wallix AdminBastion Suite |
|---|---|---|---|---|
| Monitoring | | | | |
| Alerting | | | | |
| Access management | | | | |
| Integration | | | | |
| Other | | | | |
User Action Monitoring
The difference in architecture and focus of these four solutions determines the differences in how they approach user activity monitoring.
Ekran System vs ObserveIT
Ekran System and ObserveIT provide much more robust monitoring functionality, using indexed video formats to record everything a user sees on the screen during a particular session as well as all additional metadata for indexing, including:
- names of opened applications and visited websites
- names of active windows
- keystrokes
In addition, Ekran records audio input and output on user endpoints.
Ekran System can also (optionally) monitor USB devices and provide manual access upon request, allowing for the detection of potentially dangerous devices. ObserveIT monitors only USB storage devices and mobile phones.
Both Ekran System and ObserveIT feature various filters that allow you to start and stop recording at specific times or based on specific events and filter the information that’s recorded.
These two monitoring solutions employ a user behavior analytics module to detect suspicious user actions. In this way, ObserveIT gathers information for its main dashboard. Ekran System provides a machine learning algorithm that establishes baseline user behavior to detect abnormal user activity and notify security personnel about it.
Wallix vs Balabit
Gateway-based solutions are easier to deploy and maintain but have some limitations when gathering metadata. Wallix doesn’t gather metadata at all. It saves videos in Flash format and uses optical character recognition to provide additional text data that’s used as the basis for text search.
At the same time, Balabit provides another product, Blindspotter, which can complement monitoring data (gathered by the Balabit Shell Control Box and other tools) with intelligent privileged user behavior analysis. This product has a separate licensing model.
Balabit’s approach is less effective than actual metadata recording, as it provides both a less robust search feature and a less detailed audit trail.
Access Management
When considering Ekran System vs ObserveIT vs Balabit vs Wallix from the perspective of privileged user monitoring, all four services provide tools to control activity in detail.
| Functionality | Ekran System® | ObserveIT | One Identity Safeguard for PSM (formerly Balabit) | Wallix |
|---|---|---|---|---|
| Secondary authentication | | | | |
| One-time password | | | | |
| Administrator’s approval on login | | | | |
| Privileged user accounts and session management (PASM) | | | | |
| Password management | | | | |
| Integration with various third-party password management tools | | | | |
| Multi-factor authentication solutions | | | | |
Ekran System provides additional access management features compared to ObserveIT:
- Two-factor authentication to verify the true identity of a user trying to log in
- One-time password functionality that allows system administrators to manually approve logins by providing a set of one-time use credentials
- Manual login approvals to secure the most critical assets
- A password manager to implement the principle of least privilege
- Privileged account and session management for granular remote access
ObserveIT does provide an additional layer of authentication, requesting not only user credentials but also confirmation via a code sent to the email address associated with the user. Nevertheless, both layers rely on the knowledge factor, so this scheme can’t be considered the best standard of multi-factor authentication.
Ekran System’s multi-factor authentication, on the other hand, requires credentials and a user’s mobile phone. Using two different factors (knowledge and possession), this solution ensures a truly reliable authentication procedure.
Also, Ekran System allows you to manage secrets such as Windows admin passwords, Active Directory secrets, and SSH/Telnet keys (for UNIX environments). The included password manager helps you secure the creation, storage, delivery, and rotation of credentials.
Any Wallix and Balabit review will say that both solutions have robust privileged access control features with access permission management, gateway authentication, built-in password vaulting, and integration with third-party password management and multi-factor authentication solutions.
Balabit has a slight edge on Wallix in that it allows for deployment in transparent mode, making the appliance invisible to users that connect through it.
Incident Response Functionality
All four tools deliver customizable alerts on potentially malicious actions, and in addition to notifying security personnel, they also provide the following incident response tools:
- Ekran System allows real-time session review and manual user blocking with session termination and subsequent login blocking. It also has a built-in alert system with a range of automated responses such as user blocking and application killing.
- ObserveIT has a comprehensive rule-based alert system that can force users to acknowledge their actions by showing a blocking message with a custom security message. A session continues after a user reads the message and provides feedback.
- Balabit Shell Control Box allows automated session termination.
- Wallix also allows automated session termination, similar to Balabit.