Netwrix vs ObserveIT vs Ekran System®

Cybersecurity is one of the most complex issues that companies currently face. Balancing the need to secure sensitive data, pressure from regulators to meet security standards, and the company’s own budget can be tough. It’s often hard to find security solutions that satisfy all the requirements.

With reports of high-profile data leaks by malicious insiders showing up year after year, most companies are aware of the danger that insider threats can pose. But choosing a security tool to deal with them is as hard as ever with all the options on the market.

That’s why we decided to write this product review as part of our ongoing series of competitor comparisons. Here we take three competing products and compare them against each other – in this case, our own Ekran System vs Netwrix vs ObserveIT.

We’ll look at both the advantages and limitations of each solution and, unlike many ObserveIT and Netwrix reviews, provide you with practical information that will help you choose a solution for your own specific situation.

Product Review: Summary

Both Ekran System and ObserveIT provide robust user monitoring and video recording capabilities, while Netwrix has a much broader focus and session video recording is only one part of its extensive functionality.

Ekran System is more focused on user activity monitoring and access and identity management. Additionally, it can be integrated with any general-purpose SIEM system in order to provide better insider threat detection capabilities. ObserveIT provides enhanced monitoring with limited access management controls.

It should also be taken into account that ObserveIT has a File Activity Monitoring feature, while Ekran System has multi-tenancy support, privilege access monitoring, and password management features.

When choosing between Ekran System and ObserveIT, price will probably be one of the deciding factors. These solutions have similar functionality, but with cost-effective deployment and stable performance, Ekran System is obviously a much better choice for SMBs while still being able to offer much even to large enterprises.

Market and Feature Overview

Products compared, in column order: Ekran System®, ObserveIT, Netwrix

Description

  • Ekran System®: Insider threat protection platform
  • ObserveIT: User action audit and insider threat management software
  • Netwrix: SIEM system designed for simplified audit and compliance

Target audience

  • Ekran System®: Businesses of all sizes
  • ObserveIT: Large companies
  • Netwrix: Large companies in need of a centralized compliance and auditing tool

Technical approach

  • Ekran System®: Agent-based solution
  • ObserveIT: Agent-based solution
  • Netwrix: Agent-based session recording; agentless configuration change monitoring

Price (based on average deployment cost)

  • Ekran System®: $
  • ObserveIT: $$$*
  • Netwrix: $$

Monitoring

  • Video and audio recording of user activity
  • Extensive metadata on user activity
  • Ability to view live sessions
  • Video recording of user screen
  • Extensive metadata on user activity
  • Ability to view live sessions
  • File activity monitoring
  • Email monitoring
  • Video recording of user screen
  • Various data on key system and configuration changes
  • File activity monitoring

Reporting

  • Customizable manually generated reports
  • Automatically generated scheduled reports
  • User behavior analytics
  • Customizable manually generated reports
  • Automatically generated scheduled reports
  • Automatically generated scheduled reports
  • User behavior analytics

Incident response

  • Ability to automatically or manually block users
  • Ability to forcibly message users
  • Optional automatic blocking of USB devices
  • Configurable real-time alerts
  • Predefined alerts covering most frequent incidents
  • Ability to manually block users
  • Ability to forcibly message users
  • Configurable real-time alerts
  • Customizable real-time alerts (real-time only for Office 365)

Identity and access management

  • Additional authentication for identifying users of shared accounts
  • Two-factor authentication
  • One-time passwords
  • Privileged account and session management (PASM)
  • Password vault
  • Additional authentication for identifying users of shared accounts
  • Second layer of authentication
  • Password management (provides additional products)

Integrations

  • Active Directory
  • Extended SIEM
  • Ticketing systems
  • Active Directory
  • Extended SIEM
  • Ticketing systems
  • Active Directory
  • Extended SIEM integration reports, specifically designed to ease compliance
  • Ticketing systems

Additional benefits

  • High performance and stability
  • Driver-level agent protection to ensure continuous monitoring
  • High availability
  • Database archiving
  • Optimized for virtual environments
  • Flexible licensing scheme
  • Commercial and free database support
  • Support for Linux/Unix servers and Windows servers and desktops
  • Multi-tenancy support
  • Autonomous detection of potential incidents
  • High availability
  • Database archiving
  • Commercial database support
  • Support for Linux/Unix servers and Windows servers and desktops
  • Autonomous detection of potential incidents
  • Optimized for virtual environments
  • High availability
  • Database archiving
  • Commercial database support
  • Support for Windows Server

*Note

At the end of 2019, ObserveIT was acquired by cybersecurity company Proofpoint. Proofpoint has already announced plans to change ObserveIT licensing from a one-time purchase to a subscription. While there are no details available so far, this will surely affect ObserveIT pricing.

Technical Approach

The first big difference between Ekran System, ObserveIT, and Netwrix Auditor is the technical approach these solutions take.

Ekran System and ObserveIT are fully agent-based, while Netwrix uses an agent for video recording purposes and employs an agentless approach for monitoring configuration changes across the network.

[Figure: Full agent-based deployment scheme]

The agent-based approach allows for easy deployment and doesn’t require any changes to your company’s existing network infrastructure.

At the same time, both Ekran System and ObserveIT agents can be installed on a bastion-style or jump server, effectively mimicking the functionality of a fully agentless solution, albeit with somewhat limited recording capabilities.

[Figure: Jump server deployment scheme]

The alternative hybrid architecture of Netwrix, on the other hand, makes for a more complex deployment with fewer options for the client.

Monitoring Capabilities

While Ekran System and ObserveIT are insider threat management solutions, with user monitoring being one of their primary features, Netwrix Auditor is security information and event management (SIEM) software that collects data in a variety of ways, user monitoring being just one of them.

As a result, both Ekran System and ObserveIT have more robust video recording capabilities. But all three solutions are capable of producing full video recordings of user actions.

Both Ekran System and ObserveIT not only record everything that a user sees on their screen but also capture a lot of relevant metadata, such as opened applications and names of visited websites. In addition, Ekran System records audio input and output from user endpoints.

ObserveIT, in comparison with Ekran System, also has file monitoring functionality, providing full insights into actions of any given user at any time.

Netwrix, on the other hand, does not capture any metadata and instead tracks system changes directly via many other modules. This approach makes it harder to assess the activity of individual users and locate a malicious insider that has a knack for hiding their trail.

Incident Response Capabilities

All three solutions provide customizable alert functionality, allowing security personnel to receive e-mail notifications of suspicious events.

[Figure: Monitoring result - alerts]

Ekran System also provides a set of predefined alerts, specifically designed to reflect suspicious actions most frequently taken by malicious and inadvertent insiders.

All three solutions are empowered with a user behavior analytics system that automatically detects suspicious events without the need to create rules for them beforehand. ObserveIT uses this system to collect data for a dashboard and provide risk scoring.

Upon detection of a suspicious event, if the session is still ongoing, both Ekran System and ObserveIT allow security personnel to view it live. This lets security personnel confirm whether something suspicious is going on, immediately check on it, and block the user remotely if necessary. Netwrix provides only the ability to alert on live sessions and just in Office 365.

Access and Identity Management

Managing access is part of Ekran System’s core functionality. Ekran provides a set of identity and access management features:

  • Two-factor authentication to ensure the true identity of a user by checking their credentials and sending an additional password to their phone
  • Secondary authentication to distinguish among users of shared accounts with another layer of authentication
  • One-time passwords, providing temporary credentials for accessing the most secure assets
  • Password manager to create, store, deliver, and rotate passwords and other secrets
  • Privileged account and session management to ensure granular and secure access for remote users

ObserveIT is equipped with a much more modest PAM toolset that provides a secondary authentication feature.

Netwrix Auditor allows users to manage passwords with an additional product. Netwrix itself has no IAM features.

Licensing Scheme

Ekran System, ObserveIT, and Netwrix have completely different licensing schemes, dictated by their different target audiences.

Netwrix Auditor Pricing and Licensing

Netwrix Auditor pricing as well as the product itself are designed with large enterprises in mind.

Licensing is based on the number of Active Directory users to be monitored, with a minimum of 150 users. This sets the minimum Netwrix Auditor cost pretty high and can make Netwrix more costly than alternatives when a company has few servers but a lot of users.

ObserveIT Pricing and Licensing

ObserveIT, on the other hand, is fully aimed at user action monitoring and insider threat management.

It supports Windows, Linux, and Unix operating systems and also targets large enterprises, which is reflected in both its feature set and its licensing model.

ObserveIT uses pay-per-agent licensing and also charges a fee for additional servers required to manage and store recorded data, making it the most expensive of the three solutions.

Note that ObserveIT pricing will change from a life-long license to a subscription as a result of ObserveIT’s acquisition by Proofpoint.

Ekran System Pricing and Licensing

Ekran System is an all-in-one insider threat protection platform that provides two types of licenses.

Standard

With the Standard license, users pay only for the number of installed agents (server and desktop). This edition includes user activity monitoring, alerting, incident response, and limited access management features. This makes Ekran System effective for deployments of any size.

Enterprise

Large enterprises can get an Enterprise license of Ekran System, which includes an infrastructure fee but adds a set of enterprise-specific features such as one-time passwords, high availability, and advanced integration with SIEM and ticketing systems. Ekran System supports Linux and Unix servers and Windows servers and desktops.