ObserveIT vs Veriato Cerebral vs Ekran System®


Insider threat prevention software is designed to provide full visibility into what users are doing, allowing supervisors to assess employee performance and clearly detect any malicious actions. There are many such solutions on the market, each with its own technical approach, feature set, and licensing scheme designed with a specific audience in mind.

 

In this product review, we compare three alternatives: Ekran System, ObserveIT, and Veriato Cerebral (previously Veriato 360). We try to determine reasons to choose these solutions, their strong suits, and their drawbacks with an emphasis on highlighting differences between them.

 

Product Review: Summary

 

Each of the three solutions in this comparison presents different features and benefits, with each vendor targeting a slightly different audience.

 

ObserveIT provides large companies with an advanced insider threat detection toolset that includes monitoring and alerting tools. However, its access management tools are limited. Current ObserveIT pricing makes this system cost-prohibitive for smaller businesses, and plans to implement a subscription model have companies of all sizes looking for alternatives.

 

Veriato Cerebral is an affordable solution that focuses on employee monitoring, performance review, and insider threat detection by employing user behavior analytics. But it doesn’t offer much in terms of incident response. Some Veriato reviewers also say it can have scalability issues with large deployments and that the product impacts server performance.

 

Ekran System provides a robust and stable feature set, making it an easy recommendation for both SMBs and large companies. Its comprehensive user activity monitoring, identity and access management, multi-tenancy support, action logging, and incident response capabilities make Ekran System a strong ObserveIT and Veriato alternative for insider threat protection.

 

Notes

 

At the end of 2019, ObserveIT was acquired by cybersecurity company Proofpoint. So far, Proofpoint has not declared plans to change the feature set of this product. However, Proofpoint has already announced a change to the ObserveIT pricing model from a lifelong license to a subscription.

 

Veriato has renamed Veriato 360 to Veriato Cerebral in order to highlight its artificial intelligence tools for insider threat detection.

 

Market and Focus Overview

 

ObserveIT, Veriato, and Ekran System are close competitors that use a similar technical approach. But each has a different feature set and licensing model that we’ll look at in more detail.

 

 

Ekran System®

ObserveIT

Veriato Cerebral (previously Veriato 360)

Description

  • Ekran System®: Insider threat management platform
  • ObserveIT: Insider threat management platform
  • Veriato Cerebral: Employee monitoring and insider threat detection platform

Target audience

  • Ekran System®: Businesses of all sizes
  • ObserveIT: Large enterprises
  • Veriato Cerebral: Businesses of all sizes

Technical approach

  • Ekran System®: Agent-based software
  • ObserveIT: Agent-based software
  • Veriato Cerebral: Agent-based software

Deployment

Ekran System®:

  • Agent-based deployment (Windows agents can be installed remotely)
  • Jump server deployment
  • Optimized for virtual environments

ObserveIT:

  • Agent-based deployment
  • Jump server deployment

Veriato Cerebral:

  • Agent-based deployment

Maintenance

Ekran System®:

  • Remote installation/uninstallation of clients
  • Manual control panel updates
  • Centralized endpoint client updates
  • System health monitoring
  • Database cleanup
  • History archiving

ObserveIT:

  • Manual control panel updates
  • System health monitoring
  • Database cleanup
  • History archiving

Veriato Cerebral:

  • Remote installation/uninstallation of clients
  • Manual control panel updates
  • Database cleanup

Total cost of ownership

  • Ekran System®: $
  • ObserveIT: $$$
  • Veriato Cerebral: $$

Licensing

Ekran System®:

  • Based on number of monitored endpoints
  • Several licensing tiers

ObserveIT:

  • Yearly subscription

Veriato Cerebral:

  • Based on number of monitored endpoints

 

Pricing and Deployment

 

ObserveIT Pricing

 

ObserveIT is currently the most expensive of these three solutions. Since 2020, ObserveIT has charged a yearly subscription fee (instead of a one-time fee for a permanent license). The high subscription price makes the total cost of ownership too much for companies with small or medium-sized deployments.

 

Deploying ObserveIT may be tricky without online support from a product expert. Also, deploying and updating this product requires an internet connection. Once deployed, ObserveIT licenses live with agents.

 

Ekran System and Veriato Cerebral Pricing

 

Ekran System provides two types of licenses, with the price of the Standard license based only on the number of monitored endpoints – the same as the Veriato pricing scheme.

 

The Ekran Enterprise license offers additional functionality that’s specifically designed with large enterprises in mind: a robust access management toolset, SIEM and ticketing system integration, multi-tenancy support, health monitoring dashboards and scheduling of automated maintenance tasks.

 

Both Ekran System and Veriato feature licensing distribution that allows users to easily transfer licenses between machines.

 

In addition to floating endpoint licenses, the Ekran System client can be added to a golden image. The software automates license provisioning via the license pool. As a virtual machine instance is shut down, its license is released and returned to the pool. This allows users to maximize the use of a single license by automatically transferring it upon termination of a virtual machine. Also, Ekran System floating licenses support non-persistent VDI monitoring.

 

Ekran System is also the easiest to deploy among these three solutions. Deployment can be performed in just a few simple steps. There’s also 24/7 technical support, and product updates can be done in one click and performed offline.

 

Feature and Usage Scenario Overview

 

 

Ekran System®

ObserveIT

Veriato Cerebral

Monitoring

Ekran System®:

  • Video recording of everything users see on the screen
  • Audio recording
  • Extensive metadata collection to index video
  • Linux SSH session support
  • USB device connection logging
  • USB mass storage connection logging
  • File activity monitoring
  • Records protected from tampering
  • Advanced report generation system

ObserveIT:

  • Video recording of everything users see on the screen
  • Extensive metadata collection to index video
  • Linux SSH session support
  • USB mass storage connection logging
  • File activity monitoring
  • Records protected from tampering
  • Email monitoring
  • Advanced report generation system

Veriato Cerebral:

  • Video recording of everything users see on their screen
  • Separate logs of various metadata: email, URLs, file monitoring, etc.
  • USB mass storage connection logging
  • Advanced report generation system
  • Email monitoring

Incident response features

Ekran System®:

  • Real-time alerts
  • Custom alerts
  • Predefined alerts
  • Live session view
  • Forced user messaging
  • Kill process on alert / block user on alert
  • Automatic USB device blocking
  • User behavior analytics

ObserveIT:

  • Real-time alerts
  • Custom alerts
  • Rule-based behavior analysis
  • Live session view
  • Forced user messaging
  • Kill process on alert / block user on alert
  • Alerting on connection of a USB storage device or mobile phone
  • User behavior analytics and risk scoring

Veriato Cerebral:

  • Customizable alert system
  • Language sentiment analysis
  • Live session view
  • Kill process on alert / block user on alert
  • User behavior analytics and risk scoring

Access management

Ekran System®:

  • Secondary authentication for identifying users of shared accounts
  • Access request functionality
  • Two-factor authentication
  • One-time passwords
  • Time-based user access restrictions
  • Privileged account and session management (PASM)
  • Password sharing

ObserveIT:

  • Secondary authentication for identifying users of shared accounts

Veriato Cerebral:

  • Secondary authentication for identifying users of shared accounts

Integrations

Ekran System®:

  • Active Directory
  • SIEM
  • Ticketing systems

ObserveIT:

  • Active Directory
  • SIEM
  • Ticketing systems

Veriato Cerebral:

  • Active Directory
  • SIEM

Additional benefits

  • Forensic export
  • Flexible endpoint licensing scheme
  • Highly optimized performance and stability
  • Support for MS SQL and PostgreSQL
  • Support for free and commercial databases
  • Specifically catered to work in virtual environments
  • Multi-tenancy support
  • Protected client
  • Driver-level uninstall protection
  • Forensic export
  • Support for MS SQL databases
  • Flexible licensing scheme

 

Recording Functionality

 

Ekran System, ObserveIT, and Veriato Cerebral (formerly Spector 360) all use a similar agent-based architecture.

Full agent-based deployment scheme

They provide video recordings of everything a user sees on the screen without any limitations for any target endpoint where the monitoring agent is installed. In addition, Ekran System records audio input and output.

 

The resulting recordings contain indexed video and searchable metadata including: 

  • keystrokes
  • web pages and applications
  • executed commands and scripts
  • connected devices

 

The main difference between Veriato Cerebral and the other two solutions, ObserveIT and Ekran System, lies in how they treat their data streams. While Ekran System and ObserveIT present video as the main data stream – accompanied by relevant synchronized metadata – Veriato presents all data equally, with video serving mainly as an illustration of the larger metadata. Also, Veriato stores all recorded metadata in the form of separate logs.

 

All three solutions use different algorithms for data compression and storage. Ekran System can either save records with the original screen resolution or compress them. Compression uses storage space efficiently, as it allows for saving the master image and deltas. The record data structure is optimized to ensure fast insertion and deletion of records with any number of active sessions. Also, the records of each session are encrypted with a unique session key.

 

ObserveIT saves disk space by dividing the screen into nine parts and storing those records independently. There’s no need to save recordings of static parts of the screen. However, such an approach slows down the deletion, transfer, and archiving of data because several records can refer to the same screenshot.

 

Veriato Cerebral (formerly Veriato 360) compresses screen records and stores them in a default format.

 

Incident Response Features

 

Incident response functionality differs significantly between Ekran System and ObserveIT on the one hand and Veriato Cerebral on the other.

 

Alerting

 

While Veriato features customizable alerts, allowing for efficient insider threat detection, it does not provide much in the form of incident response tools.

 

Ekran System and ObserveIT, as Veriato competitors, feature comparable alert functionality, including predefined sets of recommended alerts and functionality to develop custom rules.

 

All three solutions have UEBA modules for user behavior analytics. ObserveIT uses this feature to display statistics on the main dashboard. Ekran System detects abnormal user activity and alerts a security officer about it.

Monitoring result - alerts

USB Management

 

Ekran System allows security personnel to automatically (when an alert about suspicious activity is generated) or manually block users, stop the current session, or block the current activity. It also features automatic USB blocking, which helps to protect from mass storage devices and malware distributed via USB sticks. Ekran System ensures thorough control of USB devices by establishing a manual approval procedure. When a device is connected, a user has to file an access request. A security officer may allow or deny the connection.

 

ObserveIT, on the other hand, can alert or show a message upon connection of a mobile phone or USB storage device. When a suspicious event is detected, ObserveIT can forcibly message the user and inform them that a specific security policy has been breached. Security personnel can also block a user’s session if necessary.

 

Access Management

 

Veriato, ObserveIT, and Ekran System all allow you to clearly distinguish between users of shared accounts by employing additional authentication measures.

 

Ekran System offers the most robust access management toolset:

  • Secondary authentication to positively identify users of shared accounts
  • Multi-factor authentication to prove the true identity of a person trying to log in by checking user credentials (knowledge factor) and sending an additional password to the user’s phone (possession factor)
  • One-time passwords to provide temporary access instead of escalating privileges
  • Privileged account and session management (PASM) functionality to granularly manage privileges of remote users of critical assets
  • Access request functionality to manually provide access to the most critical resources
  • Time-based user access restrictions to limit interactions with critical resources
  • Password sharing to secure credentials management
