ObserveIT vs Veriato Cerebral vs Ekran System^®

Veriato vs Observeit vs Ekran System

Insider threat detection software is designed to provide full visibility into what users are doing, allowing supervisors to assess employee performance and clearly detect any malicious actions. There are many such solutions on the market, each with its own technical approach, feature set, and licensing scheme designed with a specific audience in mind.

In this product review, we compare three alternatives: Ekran System, Veriato vs. ObserveIT. We try to determine reasons to choose these solutions, their strong suits, and their drawbacks with an emphasis on highlighting differences between them.

Product Review: Summary

Each of the three solutions in this comparison presents different features and benefits, with each vendor targeting a slightly different audience.

ObserveIT provides large companies with an advanced insider threat detection toolset that includes monitoring and alerting tools. However, there are limited access management tools. Current ObserveIT pricing makes this system cost-prohibitive for smaller businesses, and plans to implement a subscription model have companies of all sizes looking for alternatives.

Veriato Cerebral is an affordable solution that focuses on employee monitoring, performance review, and insider threat detection by employing user behavior analytics. But it doesn’t offer much in terms of incident response. Some Veriato reviewers also say it can have scalability issues with large deployments and that the product impacts server performance.

Ekran System provides a robust and stable feature set making it an easy recommendation for both SMBs and large companies. Its comprehensive user activity monitoring, identity and access management, multi-tenancy support, action logging, and incident response capabilities make Ekran System a strong ObserveIT and Veriato alternative for and insider threat protection.

Notes

At the end of 2019, ObserveIT was acquired by cybersecurity company Proofpoint. So far, Proofpoint has not declared plans to change the feature set of this product. However, Proofpoint has already announced a change to the ObserveIT pricing model from a lifelong license to a subscription.

Veriato has renamed Veriato 360 to Veriato Cerebral in order to highlight its artificial intelligence tools for insider threat detection.

Market and Focus Overview

ObserveIT, Veriato, and Ekran System are close competitors using the similar technical approach. But each has a different feature set and licensing model that we’ll look at in more detail.

	Ekran System^®	Observeit	Veriato Cerebral (previously Veriato 360)
Description	Insider threat management platform	Insider threat management platform	Employee monitoring and insider threat detection platform
Target audience	Businesses of all sizes	Large enterprises	Businesses of all sizes
Technical approach	Agent-based software	Agent-based software	Agent-based software
Deployment	Agent-based deployment (Windows agents can be installed remotely) Jump server deployment Optimized for virtual environments	Agent-based deployment Jump server deployment	Agent-based deployment
Maintenance	Remote installation/uninstallation of clients Manual control panel updates Centralized endpoint client updates System health monitoring Database cleanup History archiving	Manual control panel updates System health monitoring Database cleanup History archiving	Remote installation/uninstallation of clients Manual control panel updates Database cleanup
Total cost of ownership	$	$$$	$$
Licensing	Based on number of monitored endpoints Several licensing tiers	Yearly subscription	Based on number of monitored endpoints

Pricing and Deployment

Observeit pricing

The ObserveIT price list is currently the most expensive of these three solutions. Since 2020, ObserveIT has charged a yearly subscription fee (instead of a one-time fee for a permanent license). The high subscription price makes the total cost of ownership too much for companies with small or medium-sized deployments.

Deploying ObserveIT may be tricky without online support of a product expert. Also, deploying and updating this product requires an internet connection. Once deployed, ObserveIT licenses live with agents.

Ekran System and Veriato Cerebral Pricing

Ekran System provides two types of licenses, with the price of the Standard license based only on the number of monitored endpoints – the, same as the Veriato pricing scheme.

The Ekran Enterprise license offers additional functionality that’s specifically designed with large enterprises in mind: a robust access management toolset, SIEM and ticketing system integration, multi-tenancy support, health monitoring dashboards and scheduling of automated maintenance tasks.

Both Ekran System and Veriato feature licensing distribution that allows users to easily transfer licenses between machines.

In addition to floating endpoint licenses, the Ekran System client can be added to a golden image. The software automates license provisioning via the license pool. As a virtual machine instance is shut down, its license is released and returned to the pool. This allows users to maximize the use of a single license by automatically transferring it upon termination of a virtual machine. Also, Ekran System floating licenses support non-persistent virtual desktop infrastructure monitoring.

Ekran System is also the easiest to deploy between these three solutions. Deployment can be performed in just a few simple steps. There’s also 24/7 technical support, and product updates can be done in one click and be performed offline.

Feature and Usage Scenario Overview

	Ekran System^®	Observeit	Veriato Cerebral
Monitoring	Video recording of everything users see on the screen Audio recording Extensive metadata collection to index video Linux SSH session support USB device connection logging USB mass storage connection logging File activity monitoring Records protected from tampering Advanced report generation system	Video recording of everything users see on the screen Extensive metadata collection to index video Linux SSH session support USB mass storage connection logging File activity monitoring Records protected from tampering Email monitoring Advanced report generation system	Video recording of everything users sees on their screen Separate logs of various metadata: email, URLs, file monitoring, etc. USB mass storage connection logging Advanced report generation system Email monitoring
Incident response features	Real-time alerts Custom alerts Predefined alerts Live session view Forced user messaging Kill process on alert / block user on alert Automatic USB device blocking User behavior analytics	Real-time alerts Custom alerts Rule-based behavior analysis Live session view Forced user messaging Kill process on alert / block user on alert Alerting on connection of a USB storage device or mobile phone User behavior analytics and risk scoring	Customizable alert system Language sentiment analysis Live session view Kill process on alert / block user on alert User behavior analytics and risk scoring
Access management	Secondary authentication for identifying users of shared accounts Access request functionality Two-factor authentication One-time passwords Time-based user access restrictions Privileged account and session management (PASM) Password sharing	Secondary authentication for identifying users of shared accounts	Secondary authentication for identifying users of shared accounts
Integrations	Active Directory SIEM Ticketing systems	Active Directory SIEM Ticketing systems	Active Directory SIEM
Additional benefits	Forensic export Flexible endpoint licensing scheme Highly optimized performance and stability Support for MS SQL and PostgreSQL Support for free and commercial databases Specifically catered to work in virtual environments Multi-tenancy support Protected client Driver-level uninstall protection	Forensic export Support for MS SQL databases	Flexible licensing scheme

Recording Functionality

Ekran System, OvserbeIT, and Veriato Cerebral (formerly Spector 360) all use a similar agent-based architecture.

Full agent-based deployment scheme

They provide video recordings of everything a user sees on the screen without any limitations for any target endpoint where the monitoring agent is installed. In addition, Ekran System records audio input and output.

The resulting recordings contain indexed video and searchable metadata including:

keystrokes
web pages and applications
executed commands and scripts
connected devices

The main difference between Veriato Cerebral vs ObserveIT and Ekran System lies in how they treat their data streams. While Ekran System and ObserveIT present video as the main data stream – accompanied by relevant synchronized metadata – Veriato presents all data equally, with video serving mainly as an illustration of the larger metadata. Also, Veriato stores all recorded metadata in the form of separate logs.

All three solutions use different algorithms for data compression and storage. Ekran System can either save records with the original screen resolution or compress them. This efficiently uses storage space, as it allows for saving the master image and deltas. The records data structure is optimized to ensure fast insertion and deletion of records with any number of active sessions. Also, records of each session are encrypted with a unique session key.

ObserveIT saves disk space by dividing the screen into nine parts and storing those records independently. There’s no need to save recordings of static parts of the screen. However, such an approach slows down the deletion, transfer, and archiving of data because several records can refer to the same screenshot.

Veriato Cerebral (formerly Veriato 360) compresses screen records and stores them in a default format.

Incident Response Features

Incident response functionality differs significantly different between Ekran System and ObserveIT vs Veriato Cerebral.

Alerting

While Veriato features customizable alerts, allowing for efficient insider threat detection, it does not provide much in the form of incident response tools.

Ekran System and ObserveIT, as Veriato alternatives, feature comparable alert functionality, including predefined sets of recommended alerts and functionality to develop custom rules.

All three solutions have UEBA modules for user behavior analytics. ObserveIT uses this feature to display statistics on the main dashboard. Ekran System detects abnormal user activity and alerts a security officer about it.

Monitoring result - alerts

USB Management

Ekran System allows security personnel to automatically (when an alert about suspicious activity is generated) or manually block users, stop the current session, or block the current activity. It also features automatic USB blocking, which helps to protect from mass storage devices and malware distributed via USB sticks. Ekran System ensures thorough control of USB devices by establishing a manual approval procedure. When a device is connected, a user has to file an access request. A security officer may allow or deny the connection.

ObserveIT, on the other hand, can alert or show a message upon connection of a mobile phone or USB storage device. When a suspicious event is detected, ObserveIT can forcibly message the user and inform them that a specific security policy has been breached. Security personnel can also block a user’s session if necessary.

Access Management

Veriato, ObserveIT, and Ekran System all allow you to clearly distinguish between users of shared accounts by employing additional authentication measures.

Ekran System offers the most robust access management toolset:

Secondary authentication to positively identify users of shared accounts
Multi-factor authentication to prove the true identity of a person trying to log in by checking user credentials (knowledge factor) and sending an additional password to the user’s phone (possession factor)
One-time passwords to provide temporary access instead of escalating privileges
Access request functionality to manually provide access to the most critical resources
Time-based user access restrictions to limit interactions with critical resources
Password sharing to secure credentials management