ObserveIT vs Cyberark vs Ekran System

 

Over the last several years insider threats established themselves as an important issue in the field of cybersecurity, with many different solutions arising to combat the problem. However, these various solutions often target different audience and focus on different aspects of the problem, making it harder to choose the best one for a particular situation.

 

In this product review we decided to compare our own Ekran System with two alternative competitor solutions for insider threat detection and privileged user monitoring, ObserveIT and CyberArk. Our goal is to highlight strong suits and limitations of Ekran System vs ObserveIT vs CyberArk, and help you better understand the situations where Ekran System would be the best solution to choose.

 

 

Ekran System

ObserveIT

CyberArk

Overview

User monitoring solution for detecting and preventing insider threats

Solution for insider threat detection and user audit

Privileged Account Management tool with password protection and user action audit features

Target audience

SMB and large enterprises

Large enterprises

Large companies with the need for extensive privilege access protection

Price

*

***

****

Technical approach

Agent-based solution

Agent-based solution

Bastion-based solution

Feature set

  • Full video recording of every local and remote session
  • Extensive collection of additional metadata
  • Shared account user identification
  • Two-factor authentication
  • One-time password functionality
  • Customizable real-time alerts
  • Forced user messaging
  • Manual user blocking
  • Optional USB device blocking
  • Full video recording of every local and remote session
  • Extensive collection of additional metadata
  • Shared account user identification
  • Customizable real-time alerts
  • Behavior analytics
  • Forced user messaging
  • Manual session blocking
  • Video recording of remote session
  • Shared account user identification
  • Two-factor authentication
  • One-time password functionality
  • Privileged threat analytics
  • Automatic session blocking
  • Password protection and automatic password rotation

Additional benefits

  • SIEM and ticket system integration
  • Stable agent with great performance
  • Advanced driver-level agent protection
  • Flexible licensing scheme
  • Automatic license provisioning for virtual environment
  • Support for a free database
  • Tool for autonomous suspicious event detection
  • SIEM and ticket systems integration
  • Extensive privileged account security functionality
  • Permission-based account management
  • SIEM and ticket systems integration

 

Technical approach comparison

 

The main difference between CyberArk vs ObserveIT vs Ekran System is the widely divergent technical approach these solutions take to employee monitoring. While ObserveIT and Ekran System employ agents that are installed at individual endpoints, CyberArk uses a separate virtual or a physical appliance that acts as a bastion-type proxy server, capturing and recording all data that goes through it. Each of the two approaches has their own set of strength and weaknesses. Bastion approach provides the simplicity of deployment and some active protection, although with the added cost of hardware and maintenance for the appliance, while agent-based solutions are ultimately much better at monitoring user actions, as they allow to record all sessions and get much more data per session.

 

Recording capabilities

 

CyberArk has the most limited recording capabilities among the three solution. It is capable of recording only user sessions routed through the bastion host with no way to record local sessions or any sessions, routed through other servers. It also collects the least amount of additional metadata, and, for example, is not able to monitor the content of running scripts in Linux sessions. There are no way to easily search recordings, as they are stored as plain video files and take a lot of storage space.

 

Both ObserveIT and Ekran System store their videos in an indexed searchable formats coupled with large amounts of relevant metadata. Videos are easily searchable and take far less space. Similar to ObserveIT, Ekran System provides great visibility into user actions, allowing to fully record any session regardless of applications used or level of privilege that user has. At the same time, CyberArk is not application agnostic and requires a specific connector to be installed for certain applications.

 

All three solutions can clearly distinguish between users of shared accounts by employing additional authentication features, although, the system used by CyberArk is more sophisticated, based on a number of permissions.

 

Threat detection and incident response

 

All three solutions have built-in session termination feature, allowing to stop the ongoing session if malicious actions are detected. In order to detect malicious actions in the first place, Ekran System employs robust customizable alert system that can be set up to best reflect the realities of a given organization and sent notifications to security personnel upon specific suspicious events. Additionally, Ekran System can detect any USB devices on connection and optionally block them, preventing use of mass storages and other potentially dangerous tools.

 

ObserveIT has similar alerts functionality that they also take a step further by employing a built-in behavior analytics module, designed to automatically recognize suspicious behavior without the need for you to create alerts. Such a system can benefit large enterprises where there is a need to reduce the number of incoming alerts, but it also tends to produce a lot of false positives in certain environments.

 

CyberArk vendor, on the other hand, is focused on password protection. It has a separate secure password storage with the ability to automatically change passwords and request a one-time password if needed. CyberArk also has a privileged threat analytics feature, similar to ObserveIT behavior analytics, that tries to detect threats automatically based on pre-programmed algorithms and also can suspend sessions automatically.

 

Licensing and target customers

 

All three solutions are designed with different target audience and different purposes in mind, which reflects variety of prices and features. ObserveIT and CyberArk are both relatively expensive solutions targeting large enterprises. While ObserveIT is focused on providing insider threat management tool with capabilities for detection and prevention of insider attacks, CyberArk has much more robust privileged identity management capabilities, with weaker monitoring capabilities, primarily designed for the purpose of auditing and maintaining a paper trail in case of an incident.

 

Despite the fact that Ekran System provides certain access management tools, such as two-factor authentication and one-time password, it is much more similar to ObserveIT, but ultimately much more affordable than either ObserveIT or CyberArk. It is a user monitoring software that provides effective insider threat detection for companies of any size. Flexible licensing scheme allows Ekran System to offer cost effective deployment to both small and large companies, while automatic license provisioning makes it easy to maximize the use of a single license in a virtual environment.

 

Conclusions

 

Among the three products in this comparison, CyberArk is by far the weakest when it comes to detecting and preventing insider threats. It uses a bastion approach, which requires all connections to be routed through bastion host, which, while it can be convenient, brings its own set of problems. Such a host can serve as a performance bottleneck and a single point of failure, and it has a limited recording capabilities, therefore, making it the least effective as a monitoring tool. However, CyberArk brings strong privileged access management functionality to the table, which, in addition to its high price makes it a good recommendation for large enterprises looking for privileged identity management solution.

 

ObserveIT has a much tighter focus on user monitoring and insider threat detection, but high price rating makes it viable only for large companies. At the same time, Ekran System has a similar set of features, but provides a more affordable pricing, that makes it an easy recommendation for both SMB and large enterprises alike. Additionally, Ekran System provides a very stable client with great performance, automatic client updates and a free database support, making for an easy deployment and maintenance with additional cost saving benefits. Ekran System Enterprise license also provides a set of additional features, designed specifically for large enterprises, such as SIEM and ticketing system integration and high availability.

 

 

Compare also: