ObserveIT vs Cyberark vs Ekran System^®

CyberArk vs ObserveIT vs Ekran System

Insider threats have established themselves as an important issue in the field of cybersecurity. Many different solutions have arisen to combat the problem. However, these solutions often target different audiences and focus on different aspects of the problem, making it hard to choose the best one for a particular situation.

In this product review, we decided to compare our own Ekran System with two competitor solutions for insider threat detection and privileged access management: ObserveIT and CyberArk.

Our goal is to highlight the strengths and limitations of Ekran System vs ObserveIT vs CyberArk and help you better understand the situations where Ekran System would be the best choice.

Product Review: Summary

CyberArk is by far the weakest among the three products in this comparison when it comes to detecting and preventing insider threats.

It uses a bastion approach, which requires all connections to be routed through the bastion host which, while it can be convenient, brings its own set of problems. Such a host can serve as a performance bottleneck and a single point of failure and has limited recording capabilities, making it the least effective as a monitoring tool.

However, CyberArk brings strong privileged access management functionality to the table, which, in addition to its high price, makes it a good recommendation for large enterprises looking for a privileged identity management solution.

ObserveIT has a much tighter focus on user monitoring and insider threat detection, but its high price makes it viable only for large companies.

Ekran System has almost the same set of features but for a more affordable price, making it an easy recommendation for both SMBs and large enterprises.

Additionally, Ekran System provides a stable client with great performance, automatic client updates, privileged access management, and free database support, making for easy deployment and maintenance.

An Ekran System Enterprise license also provides a set of additional features designed specifically for large enterprises, such as SIEM and ticketing system integration, high availability, and multi-tenancy support.

Market and Focus Overview

	Ekran System^®	ObserveIT	CyberArk
Description	Insider threat protection platform	Insider threat detection and user audit software	Privileged account management, password protection, and user action audit features
Target audience	Businesses of all sizes	Large enterprises	Large companies with the need for extensive privilege access protection
Technical approach	Agent-based software	Agent-based software	Bastion-based solution
Deployment	Agent-based deployment (Windows agents can be installed remotely) Jump server deployment Optimized for virtual environments	Agent-based deployment Jump server deployment	Agent-based deployment Jump server deployment Virtual appliance deployment support
Maintenance	Manual control panel updates Automatic client updates 24/7 support	Manual control panel updates	Manual updates
Price (based on average deployment cost)	$	$$$	$$$$
Licensing	Based on number of monitored endpoints Several licensing tiers	Base fee for system management component in addition to fee based on number of monitored endpoints*	Base fee for system management infrastructure in addition to fee based on number of monitored endpoints, users, or sessions

*Note

ObserveIT pricing will change due to the acquisition of this product by Proofpoint, which has decided to replace the one-time license with a subscription. For now, there is no information on future ObserveIT pricing.

Licensing and Target Customers

Each of these solutions is designed with a different target audience and different purpose in mind, which is reflected in their prices and features.

ObserveIT vs CyberArk Pricing Comparison

Both ObserveIT and CyberArk are relatively expensive, targeting large enterprises. The cost of CyberArk is not flexible for smaller deployments.

While ObserveIT is focused on providing an insider threat management tool with capabilities for detection and prevention of insider attacks, CyberArk has much more robust privileged identity management capabilities with weaker monitoring capabilities. It’s primarily designed for auditing and maintaining a paper trail in case of an incident.

Ekran System vs ObserveIT Pricing and Licensing Comparison

Although Ekran System provides certain access management tools such as two-factor authentication, one-time passwords, and privileged account management, it’s most similar to ObserveIT though it’s ultimately much more affordable than either ObserveIT or CyberArk.

Ekran System is an all-in-one insider threat protection solution for companies of any size. It combines robust monitoring with privileged access and identity management functionalities. The flexible licensing scheme allows Ekran System to support swift small-scale and large-scale deployments, while automatic license provisioning makes it easy to maximize the use of a single license in a virtual environment.

Feature and Usage Scenario Overview

	Ekran System^®	ObserveIT	CyberArk
Monitoring	Full video recording of every local and remote session Audio records of input and output streams Extensive collection of additional metadata	Full video recording of every local and remote session Extensive collection of additional metadata File activity monitoring	Video recording of remote session Extensive collection of additional metadata
Reporting	Advanced report generation system	Advanced report generation system	Privileged threat analytics Behavior analytics
Incident response	Real-time alerts Custom alerts Predefined alerts Live session view Forced user messaging Automatic and manual user blocking Automatic application kill Automatic USB device blocking User and entity behavior analytics	Real-time alerts Custom alerts Rule-based behavior analysis Live session view Forced user messaging Manual session blocking Alerting upon connection of a USB storage device or mobile phone User and entity behavior analytics	Automatic session blocking
Access management	Additional authentication for identifying users of shared accounts Two-factor authentication One-time passwords Privileged account and session management Password vault Manual USB approval	Additional authentication for identifying users of shared accounts Second layer of authentication	Additional authentication for identifying users of shared accounts Two-factor authentication One-time password functionality Password vault and password management (Cyberark Password Vault)
Integrations	Active Directory SIEM Ticketing systems	Active Directory SIEM Ticketing systems	Active Directory SIEM Ticketing systems
Additional benefits	Stable agent with great performance Advanced driver-level agent protection Flexible licensing scheme Automatic license provisioning for a virtual environment Support for a free database Tool for autonomous suspicious event detection Employee privacy protection with anonymization (ability to put the company name on reports and notifications)	Tool for autonomous suspicious event detection Employee privacy protection with anonymization	Extensive privileged account security functionality Permission-based account management Tool for autonomous suspicious event detection

Technical Approach Comparison

The main difference between CyberArk, ObserveIT, and Ekran System is the widely divergent technical approaches these solutions take to employee monitoring.

While ObserveIT and Ekran System employ agents that are installed at individual endpoints, CyberArk uses a separate virtual or physical appliance that acts as a bastion-type proxy server, capturing and recording all data that goes through it. Each of these approaches has its strengths and weaknesses.

CyberArk PAM Traditional Architecture

The Cyberark bastion approach provides simplicity of deployment and some active protection, although with the added cost of hardware and maintenance for the appliance. Agent-based solutions are ultimately much better at monitoring user actions, as they can record all sessions and get much more data per session.

Ekran System provides simple deployment, with especially convenient Windows agent deployment features (remote installation with pre-defined or custom settings is available).

Ekran System and ObserveIT also support jump server deployment. You can install just one terminal server client on a jump server to monitor all sessions that come through it. If needed, Ekran System can also help manage access to endpoints within the protected perimeter using its PASM toolset.

Jump server deployment scheme

Recording Capabilities

CyberArk

CyberArk has the most limited recording capabilities among the three solutions. It is capable of recording only user sessions routed through the bastion host with no way to record local sessions or any sessions, routed through other servers.

The solution collects the least amount of additional metadata, and, for example, is not able to monitor the content of running scripts in Linux sessions. According to some Cyberark reviews, users lack a way to easily search recordings, as they are stored as plain video files and take a lot of storage space.

All three solutions employ additional authentication features for target end-points, although, none of the considered CyberArk competitors can beat its sophisticated access management system based on a number of permissions.

ObserveIT and Ekran System

Both ObserveIT and Ekran System store their videos in an indexed searchable format coupled with large amounts of relevant metadata. Videos are easily searchable and take far less space.

Similar to ObserveIT, Ekran System provides great visibility into user actions, allowing you to fully record any session regardless of applications used or level of privilege that a user has. At the same time, CyberArk is not application agnostic and requires a specific connector to be installed for certain applications.

Additionally, Ekran System records audio input and output on each user endpoint.

Access Management and Incident Response

All three solutions have built-in session termination feature, allowing to stop the ongoing session if malicious actions are detected.

Ekran System

In order to detect malicious actions in the first place, Ekran System employs a robust customizable alert system that can be set up to best reflect the realities of a given organization and sent notifications to security personnel upon specific suspicious events.

Monitoring result - alerts

Additionally, Ekran System can detect any USB devices on connection and optionally block them, preventing the use of mass storage devices and other potentially dangerous tools. This platform also uses an artificial intelligence module to analyze normal user behavior and detect suspicious actions.

With Ekran System, you can provide users with temporary RDP access to protected computers using privileged accounts whose credentials are stored in the secure password vault.

As an all-in-one solution, Ekran System also provides PAM functionality to secure access to critical data:

Multi-factor authentication to positively identify a user trying to log in (even to a shared account)
A privileged account and session management (PASM) toolset to monitor remote access to corporate resources
One-time passwords to provide granular access to the most secure assets
Password management to secure user credentials and other secrets
Manual login approval

ObserveIT

ObserveIT has similar alert functionality. It also employs a built-in behavior analytics module designed to automatically recognize suspicious behavior without the need to manually create alerts. But with ObserveIT, this module also collects data for a dashboard.

Access management features aren’t ObserveIT’s strong suit. ObserveIT is equipped only with secondary authentication, which doesn’t ensure reliable access protection.

It also can detect USB storage devices and mobile phones and block them.

CyberArk

CyberArk, on the other hand, is focused on password protection. It has separate secure password storage with the ability to automatically change passwords and request a one-time password if needed.

This solution provides clients with almost the same monitoring toolset as Ekran System and ObserveIT: video recording, coupled with extensive metadata logging.

CyberArk also has a privileged threat analytics feature, similar to ObserveIT behavior analytics, that tries to detect threats automatically based on pre-programmed algorithms and also can suspend sessions automatically.