Submitted by admin on December 12, 2016
Balabit vs Wallix vs Ekran System
In the modern business world, securing the digital perimeter of your organization is not nearly enough to establish reliable protection against cyber threats. Often, attacks come from within the organization, requiring a completely different set of measures to identify and mitigate them. User action monitoring is the best tool for detecting and deterring malicious insiders.
There are many hybrid solutions that incorporate user action monitoring into their main functionality, which is aimed mostly at protecting against outsider threats. But there are also specialized insider threat detection and prevention solutions, such as Ekran System, that focus only on user monitoring.
In this product review we will compare Ekran System to two competing privileged action monitoring solutions that also incorporate user action monitoring functionality: Balabit Shell Control Box and Wallix AdminBastion Suite. We will look into general functionality, explore the strong suits and limitations of all three solutions, and see which does the better job of detecting and preventing insider threats: a specialized solution or a more broadly focused one.
| | Ekran System | Balabit Shell Control Box | Wallix AdminBastion Suite |
|---|---|---|---|
| Overview | User action monitoring solution for insider threat detection | Privileged user monitoring and access control appliance | Privileged identity management appliance |
| Target audience | Large companies and SMB | Large companies | Large companies |
| Price | * | *** | *** |
| Technical approach | Agent-based solution | Proxy-based solution | Proxy-based solution |
| User monitoring functionality | | | |
| Additional features | | | |
| Benefits | | | |
Video recording functionality
In terms of recording functionality, there are large technical differences between Ekran System, Balabit and Wallix. While both Balabit and Wallix use an additional appliance that acts as a bastion host and captures all traffic routed through it, Ekran System employs an alternative approach. It uses recording agents installed locally on specific endpoints and capable of capturing any sessions initiated on these endpoints.
The agent-based approach gives Ekran System a number of advantages when it comes to detecting insider threats. It can capture both local and remote sessions for any given endpoint and is completely agnostic to the applications and protocols used. It can monitor any user regardless of the level of privilege they have. A local agent also allows Ekran System to capture a large amount of additional metadata, including keystrokes, visited web pages, application and active window names, commands entered and scripts executed in an SSH session, etc. All metadata is indexed and coupled with the corresponding video for easy searching. Ekran System also features powerful record filtering that makes it possible to record only specific applications.
Balabit provides video recording of user sessions along with basic additional information, such as application names, visited URLs, etc., that can be used for quick search. The main problems of Balabit are the incompleteness of the collected metadata and relatively large storage requirements for graphic session recordings.
Wallix has recording functionality similar to Balabit's. It captures graphic sessions in a Flash video format, which also has relatively large storage requirements, while text sessions are captured only in text form. Wallix uses optical character recognition to allow searching recordings by various keywords; however, the amount of additional data it provides is less than that of Ekran System. Ekran System also uses a special file format, optimized to efficiently store indexed graphic sessions, and has much smaller storage requirements than either Balabit or Wallix.
Alerting and incident response
Ekran System features customizable real-time alerts that can be set according to the needs of your organization. Upon an alert, a notification is sent to security personnel with a link to the corresponding session, allowing them to review it later or watch it live and manually block the user if needed. It can also detect any USB device and automatically block it, if needed.
Balabit also features an alert system with the ability to either send a notification or automatically terminate the session upon detecting a predefined suspicious event. Wallix provides an alert system that can both send a notification and automatically block the user.
Other features
The additional functionality of both Wallix and Balabit is broader than that of Ekran System. Both act as a bastion host, providing another layer of protection from outsider attacks, although they also act as a single point of failure and can be a performance bottleneck if deployed incorrectly. Both systems feature password vaults and extensive privileged identity management, allowing you to store, manage, and change passwords to privileged accounts automatically. Deployment of a bastion host is relatively quick and painless for an organization and does not require any major changes to network architecture.
The additional features of Ekran System are aimed at making it more affordable and improving the customer's quality of life. Support for a free database makes Ekran System much more affordable for small companies, while intuitive license management and automatic client updates make it easy to deploy and maintain.
Licensing
The main difference between the hardware-based solutions of Balabit and Wallix and the software-based Ekran System is in the licensing. Whether you need to monitor ten or a thousand endpoints, you still need to buy a single appliance. This makes licensing inflexible and makes small or gradually growing deployments financially inefficient.
At the same time, Ekran System licensing depends only on the number of monitored endpoints. In its standard edition, Ekran System provides even the management components for free, so the deployment cost consists only of the endpoint licenses.
Conclusion
The differences between Ekran System, Wallix and Balabit lie in the focus and target audience chosen by each vendor. While Balabit and Wallix provide broad functionality that large enterprises in need of managing many privileged users and protecting their accounts from breaches and hacking attacks would choose, they have a lower rating in the user monitoring department.
Ekran System, in comparison, is aimed at companies of any size, with its robust user monitoring capabilities and the lowest price among the three solutions. It is specialized insider threat detection software that is an easy recommendation to anyone who wishes to protect their organization from potential attacks from within.