Balabit vs Wallix vs Ekran System®


In the modern business world, securing your organization’s digital perimeter isn’t nearly enough to establish reliable protection against cyber threats. Often, attacks come from within the organization, requiring a completely different set of measures to identify and mitigate them. User activity monitoring, enhanced with privileged access and identity management, is the best tool for detecting and deterring insider threats.

 

There are many hybrid solutions, aimed mostly at protecting from outsider threats, that incorporate user activity monitoring into their main functionality. But there are also specialized insider threat protection platforms, such as Ekran System, that combine all necessary security features in a single solution.

[Image: Insider Threat Detection]

In this product review, we compare Ekran System to two competing privileged activity monitoring solutions that also incorporate user activity monitoring functionality: Balabit Shell Control Box and the Wallix AdminBastion Suite.

 

We look at general functionality, explore the strengths and limitations of all three solutions, see which of them does a better job of detecting and preventing insider threats, and provide estimates for the price of Ekran System, Balabit, and Wallix.

 

Product Review: Summary

 

The differences between Ekran System, Wallix, and Balabit lie in their focus and target audience.

 

While Balabit and Wallix provide broad functionality that large enterprises need for managing many privileged users and protecting their accounts from breaches and hacking attacks, they have lower ratings in the user monitoring department.

 

Ekran System, in comparison, is aimed at companies of any size. It provides the most robust set of insider threat protection tools: user activity monitoring, privileged access management, and identity management. Ekran System is specialized software that’s an easy recommendation for anyone who wishes to protect their organization from insider attacks.

 

Notes

 

Balabit was acquired by One Identity and has been renamed One Identity Safeguard for PSM.

 

All information below referring to Balabit Shell Control Box applies to One Identity Safeguard for PSM.

 

 

Market and Focus Overview

 

 

Description

Ekran System®:
  • Insider threat protection platform

One Identity Safeguard for PSM (formerly Balabit):
  • Appliance that controls and monitors privileged access to remote IT systems

Wallix AdminBastion Suite:
  • Appliance with a focus on privileged access management and privileged user monitoring

Target audience

Ekran System®:
  • Businesses of all sizes

One Identity Safeguard for PSM (formerly Balabit):
  • Large enterprises with high privileged access security requirements

Wallix AdminBastion Suite:
  • Businesses of all sizes

Technical approach

Ekran System®:
  • Agent-based software

One Identity Safeguard for PSM (formerly Balabit):
  • Appliance

Wallix AdminBastion Suite:
  • Appliance

Deployment

Ekran System®:
  • Agent-based deployment (Windows agents can be installed remotely)
  • Jump server deployment
  • Optimized for virtual environments

One Identity Safeguard for PSM (formerly Balabit):
  • Bastion host deployment (possibility to set privileged session management on a virtual appliance)
  • Transparent mode

Wallix AdminBastion Suite:
  • Bastion host deployment
  • Web-based client
  • Physical or virtual appliance

Maintenance

Ekran System®:
  • Manual control panel updates
  • Automatic client updates
  • 24/7 support

One Identity Safeguard for PSM (formerly Balabit):
  • Manual firmware updates

Wallix AdminBastion Suite:
  • Manual firmware updates

Price (based on average deployment cost)

Ekran System®:
  • $

One Identity Safeguard for PSM (formerly Balabit):
  • $$$$

Wallix AdminBastion Suite:
  • $$$$

Licensing

Ekran System®:
  • Based on number of monitored endpoints
  • Several licensing tiers

One Identity Safeguard for PSM (formerly Balabit):
  • Based on number of appliances purchased (inflexible)

Wallix AdminBastion Suite:
  • Based on number of appliances purchased (inflexible)
  • Several licensing tiers
 

Licensing

 

The main difference between the hardware-based Balabit and Wallix and the software-based Ekran System is in the licensing.

 

Balabit and Wallix Pricing and Licensing

 

Whether you need to monitor ten or one thousand endpoints, you’ll still need to buy a single appliance. This makes licensing inflexible and makes small or gradually growing deployments financially inefficient.

 

Ekran System Pricing and Licensing

 

Ekran System offers two licensing options:

  • The Standard Edition provides user monitoring in the form of video recording, alerting, reporting, and access management functionality
  • The Enterprise Edition adds audio recording on user endpoints, enhanced with additional access management features and integration with SIEM and ticketing systems

These options provide you with flexibility depending on the scale of deployment and the feature set you require.

 

Feature and Usage Scenario Overview

 

 

Monitoring

Ekran System®:
  • User session recording
  • Video and audio recorded in a custom format
  • Full metadata recording
  • Search by metadata

One Identity Safeguard for PSM (formerly Balabit):
  • User session recording
  • Video recorded in custom format
  • Limited metadata recording
  • Search by metadata

Wallix AdminBastion Suite:
  • User session recording
  • Video recorded in Flash format (for GUI sessions) or text format (for SSH sessions)
  • Optical character recognition for text-based search

Alerting

Ekran System®:
  • Real-time alerts
  • Custom alerts
  • Predefined alerts
  • Live session view
  • Forced user messaging
  • Automatic and manual user blocking
  • Automatic application kill
  • Automatic USB device blocking
  • User behavior analytics

One Identity Safeguard for PSM (formerly Balabit):
  • Real-time alerts and session termination
  • Custom alerts
  • Live session view
  • Possibility to add user behavior analysis with Blindspotter
  • Rule-based behavior analysis

Wallix AdminBastion Suite:
  • Real-time alerts
  • Custom alerts
  • Live session view
  • Automatic session blocking

Access management

Ekran System®:
  • Additional authentication for identifying users of shared accounts
  • Two-factor authentication
  • One-time passwords
  • Privileged account and session management (PASM)
  • Password vault and password management

One Identity Safeguard for PSM (formerly Balabit):
  • Password vault and password management
  • Additional authentication options
  • Access permission management
  • Two-factor authentication

Wallix AdminBastion Suite:
  • Password vault and password management
  • Additional authentication options
  • Access permission management
  • Two-factor authentication

Integrations

Ekran System®:
  • Active Directory
  • SIEM
  • Ticketing systems

One Identity Safeguard for PSM (formerly Balabit):
  • Active Directory
  • SIEM
  • Other third-party solutions
  • Ticketing systems

Wallix AdminBastion Suite:
  • Active Directory
  • SIEM
  • Other third-party solutions

Other

Ekran System®:
  • Customized reporting
  • Forensic export
  • Records protected from tampering
  • Multi-tenancy support

One Identity Safeguard for PSM (formerly Balabit):
  • Customized reporting
  • Forensic export
  • Records protected from tampering

Wallix AdminBastion Suite:
  • Customized reporting
  • Forensic export
  • Records protected from tampering

 

Video Recording Functionality

 

In terms of recording functionality, there are large technical differences between Ekran System, Balabit, and Wallix.

 

While both Balabit and Wallix use an additional appliance that acts as a bastion host and captures all traffic routed through it, Ekran System employs an alternative approach. It uses recording agents that are installed locally on specific endpoints and are capable of capturing any sessions initiated on these endpoints.

[Image: Agent-based vs gateway-based software]

 

The agent-based approach gives Ekran System a number of advantages when it comes to detecting insider threats. It can capture both local and remote sessions for any endpoint and is completely agnostic to applications and protocols. It can monitor any user regardless of the level of privilege they have.

 

The local agent allows Ekran System to capture a large amount of metadata, including

 

  • keystrokes,
  • visited web pages,
  • application and active window names, and
  • entered commands and executed scripts in an SSH session.

 

All metadata is indexed and coupled with corresponding video for easy search. Ekran System features powerful record filtering that allows recording only specific applications. Also, Ekran System records audio input and output streams from user endpoints.

 

Balabit provides video recordings of user sessions along with basic additional information such as application names and visited URLs that can be used for quick search. The main problems of Balabit are the incompleteness of collected metadata and the relatively large storage requirements for graphical session recordings.

 

Wallix has recording functionality similar to Balabit. It captures graphical sessions in Flash format, which also has relatively large storage requirements, while text sessions are captured only in text form.

 

Wallix uses optical character recognition to search recordings by keyword; however, it provides less additional data than Ekran System does.

 

Ekran System also uses a special file format, optimized to efficiently store indexed graphical sessions, and has much smaller storage requirements than either Balabit or Wallix.

 

Alerting and Incident Response

 

Ekran System features a set of predefined alerts that reflect the most common scenarios encountered by our clients. It also lets you create your own custom alerts according to the specific needs of your organization.

 

When setting up an alert, either a predefined or a custom one, you can assign an automated incident response action to it. The action may be showing a warning message, killing the related application or process, or blocking the user completely on the corresponding endpoint.

 

When an alert is triggered, a notification is sent to security personnel with a link to the corresponding session episode record and, if assigned, the automated incident response action is taken. The notification with a link allows security personnel to review the session later or watch it live and manually block the user if needed.

[Image: Monitoring result - Alerts]

Ekran System can also detect USB devices and automatically block them, if needed.

 

Both Ekran System and Balabit provide user behavior analytics to spot suspicious actions and alert security officers before a threat turns into an attack. This is accomplished by analyzing normal user behavior and creating a baseline. Any unusual action (for example, logging in at unusual hours or accessing resources that aren't typically accessed) triggers an alarm.

 

Ekran System has this functionality built in, whereas One Identity Safeguard for PSM (formerly Balabit) offers an additional product called Blindspotter for user behavior analytics.

 

Balabit features an alert system with the ability to either receive a notification or automatically terminate a session upon detecting a predefined suspicious event.

 

Wallix provides an alert system that can both send a notification and automatically block the user.

 

Access and Identity Management

All three solutions provide substantial access and identity management functionality. These features allow you to positively identify users and define and maintain a strict access policy.

 

Both Balabit and Wallix feature tools for two-factor authentication, additional authentication options for shared accounts, and secrets management in the form of a password vault and password management.

In addition to those features, Ekran System provides one-time passwords to secure access to the most critical assets and a privileged account and session management (PASM) module to control remote access.

[Image: Privileged Access Management]

Other Features

 

Wallix vs Balabit

 

Both Wallix and Balabit act as a bastion host, providing another layer of protection from outsider attacks. But a bastion host is also a single point of failure and can be a performance bottleneck if deployed incorrectly.

 

Deploying a bastion host is relatively quick and painless for an organization and doesn't require any major changes to network architecture.

 

Ekran System

 

Additional features of Ekran System are mostly aimed at making it more effective and improving the quality of life of customers.

 

Support for a free database makes Ekran System much more comfortable to use for small companies, while intuitive license management and automatic client updates make it easy to deploy and maintain.

 

Additionally, multi-tenant mode is available in the latest versions of Ekran System. In this mode, all tenant users have access to their tenant clients but have no access to other tenants’ clients, configurations, alerts, reports, and so on. Furthermore, you can put the name of your company on reports and notifications.

[Image: Multi-tenant cybersecurity deployment scheme]