Netwrix vs ObserveIT vs Ekran System

 

Cybersecurity is one of the most complex issues companies currently face. Balancing the need to secure sensitive data, pressure from regulators to meet security standards, and the company's own budget can be very tough, and it is often hard to find a security solution that satisfies all of these requirements. With reports of high-profile data leaks by malicious insiders appearing in the press year after year, most companies are aware of the danger that insider threats pose. But choosing a security tool to deal with them is as hard as it has ever been, given all the options available on the market right now.

This is why we decided to write this product review as part of our ongoing series of competitor comparisons. Here we take three competing products and compare them against each other: our own Ekran System vs Netwrix vs ObserveIT. We look at both the advantages and the limitations of each solution and try to provide information that will help you choose the right one for your own specific situation.

Comparison at a glance: Ekran System / ObserveIT / Netwrix

Overview
  Ekran System: User monitoring and insider threat detection tool
  ObserveIT: User action audit and insider threat management solution
  Netwrix: SIEM system designed for simplified audit and compliance

Target audience
  Ekran System: SMB and large companies
  ObserveIT: Large companies
  Netwrix: Large companies in need of a centralized compliance and auditing tool

Price (relative; more stars means more expensive)
  Ekran System: *
  ObserveIT: ***
  Netwrix: **

Technical approach
  Ekran System: Agent-based solution
  ObserveIT: Agent-based solution
  Netwrix: Agent-based session recording; agentless configuration change monitoring

Feature set
  Ekran System:
  • Video recording of user screen
  • Extensive metadata on user activity
  • Ability to view live sessions
  • Ability to manually block user
  • Optional automatic blocking of USB devices
  • Definitive identification of shared account users
  • Two-factor authentication
  • One-time password
  • Configurable real-time alerts
  • Pre-defined alerts covering most frequent incidents
  • Customizable manually generated reports
  • Automatically generated scheduled reports
  ObserveIT:
  • Video recording of user screen
  • Extensive metadata on user activity
  • Ability to view live sessions
  • Ability to manually block user
  • Ability to forcibly message user
  • Definitive identification of shared account users
  • Configurable real-time alerts
  • Behavior analytics
  • Customizable manually generated reports
  • Automatically generated scheduled reports
  Netwrix:
  • Video recording of user screen
  • Various data on key system and configuration changes
  • Customizable real-time alerts
  • Automatically generated scheduled reports

Additional benefits
  Ekran System:
  • High performance and stability
  • Driver-level agent protection to ensure continuous monitoring
  • Extended SIEM integration
  • High availability
  • Database archiving
  • Optimized for virtualization environments
  • Flexible licensing scheme
  • Commercial and free database support
  • Support for Linux / Unix servers and Windows servers and desktops
  ObserveIT:
  • Autonomous detection of potential incidents
  • Extended SIEM integration
  • High availability
  • Database archiving
  • Commercial database support
  • Support for Linux / Unix servers and Windows servers and desktops
  Netwrix:
  • Reports specifically catered to ease compliance
  • Optimized for virtualization environments
  • High availability
  • Database archiving
  • Commercial database support
  • Support for Windows Server

 

Technical approach

The first big difference between Ekran System and ObserveIT on the one hand and Netwrix on the other is the technical approach these solutions take. The first two are fully agent-based, while Netwrix uses an agent for video recording and an agentless approach for monitoring configuration changes across the network. The agent-based approach allows for very easy deployment and does not require any changes to your company's existing network infrastructure. At the same time, both Ekran System and ObserveIT agents can be installed on a bastion-style or jump server, effectively mimicking the functionality of a fully agentless solution, albeit with somewhat limited recording capabilities. Netwrix, with its hybrid architecture, on the other hand, makes for a more complex deployment with fewer options for the client.

Video recording capabilities

While Ekran System and ObserveIT are insider threat management solutions with user monitoring as one of their primary features, Netwrix is SIEM (security information and event management) software that collects data in a variety of ways, user monitoring being only one of them.

As a result, both Ekran System and ObserveIT have much more robust video recording capabilities than Netwrix. All three solutions can produce a full video recording of user actions, but Ekran System and ObserveIT not only record everything the user sees on their screen, they also capture relevant metadata, such as the applications opened and the names of websites visited. This gives you full insight into the actions of any given user at any time.

Netwrix, on the other hand, does not capture any such metadata and instead tracks system changes directly through the many other modules it possesses. This approach makes it harder to assess the activity of an individual user and to locate a malicious insider who has a knack for hiding their trail.

Incident response capabilities

All three solutions provide customizable alert functionality, allowing security personnel to receive e-mail notifications upon suspicious events. Ekran System also provides a set of pre-defined alerts specifically designed to reflect the suspicious actions most frequently taken by malicious and inadvertent insiders.

ObserveIT, on the other hand, has its own behavior analysis system, which tries to detect suspicious events automatically, without a rule having to be created for them beforehand. Such a system can be useful for large companies, but it can also lead to a number of false positives.

When a suspicious event is detected and the session is still ongoing, both Ekran System and ObserveIT allow it to be viewed live. This gives security personnel the ability to confirm that something suspicious is going on, check on it immediately, and block the user remotely if necessary. Netwrix does not provide the ability to view live sessions.

Licensing scheme

All three solutions have completely different licensing schemes, dictated by their different target audiences. Netwrix Auditor is a SIEM software suite that supports Windows Server and Active Directory and is designed with large enterprises in mind. Licensing is by the number of Active Directory users that need to be monitored, with a minimum of 150 users. Such a scheme can be much more costly than the alternatives when a company has few servers but a lot of users.

ObserveIT, on the other hand, is a solution fully aimed at user action monitoring and insider threat management. It supports Windows, Linux and Unix operating systems and also targets large enterprises, which is reflected in both its feature set and its licensing model. With ObserveIT you pay a per-agent license fee as well as a fee for the additional server required to manage and store recorded data, making ObserveIT the most expensive of the three solutions.

Ekran System is a much more affordable solution than either Netwrix or ObserveIT. It is aimed at companies of any size and offers two types of licenses. With a standard license, the customer pays only for the number of installed agents (server and/or desktop). This makes Ekran System very cost-effective for deployments of any size. Moreover, Ekran System also supports a free database, which lets smaller companies save even more. Large enterprises can get an enterprise license, which includes the infrastructure fee but also adds a set of enterprise-specific features, such as one-time passwords, high availability and advanced integration with SIEM systems. Ekran System supports Linux / Unix servers as well as Windows servers and desktops.

Conclusion

As it stands, the solutions offered by each vendor are very different, with their own strengths and weaknesses and their own target audience to boot, so each of the three deserves a recommendation depending on your situation.

Both Ekran System and ObserveIT provide much more robust user monitoring and video recording capabilities, while Netwrix has a much broader focus, with session video recording being only one part of its extensive functionality. Thus, as it stands, Ekran System and ObserveIT are solutions much more focused on user action monitoring and can be employed alongside Netwrix or any other general-purpose SIEM system to provide better insider threat detection capabilities on top of the general security and compliance features of a SIEM.

When choosing between Ekran System and ObserveIT, price would probably be one of the main deciding factors. Both solutions have very similar functionality, but with its cost-effective deployment and stable operation, Ekran System is obviously a much better choice for SMBs, while still having much to offer even to large enterprises.

 

 
