User activity monitoring software comparison

User activity monitoring software – not to be confused with spyware – is a growing segment of the enterprise market with a number of companies using these tools to resolve their security tasks.

Various security executive surveys, independent researches as well as news feeds show that the main danger to the corporate data and infrastructure comes from the inside. When the perimeter is protected and 24/7 monitored for external intruders, it’s time to think about those who are already in: employees, third-party service providers, hired experts.

Internal user activity monitoring is applied to detect employee fraud, data leakages, and malicious configuration changes like backdoors or password changes. Such monitoring is a part of corporate security programs and is implied by various industry compliance norms.

When choosing a product to control user activity on the corporate end-points, first you should choose between active DLP solutions providing some automated blocking functionality for user actions and passive monitoring tools, which provide detailed information for making decisions but do not intrude into the business processes. It’s worth mentioning that in a modern complicated infrastructure, it can be pretty hard to configure an active DLP tool properly to minimize false positives and do not interrupt working processes.

In this post, we will provide user activity monitoring software comparison focusing on passive monitoring solutions and the tools built on the interesting modern approach of user session video recording indexed by various text metadata for easy search. This integrated and intuitive monitoring result format gains more and more popularity on the market.

You can find a detailed table-framed comparison of leading user activity monitoring and video recording tools here. Meanwhile, below we will provide a general comparison of approaches and products.

We will start our user monitoring software comparison by dividing these tools into 3 main classes by their architecture type.

The first class we can name is proxy-based user activity monitoring solutions. These tools can be a specific appliance connected to the corporate network or virtual appliance installed on a virtual machine. They act as a proxy for all network traffic or a selected set of user sessions depending on the monitoring needs. The example of such solutions is Balabit.

The main advantage of this solution is simplicity of its deployment: it is a simple out-of-the-box deployment with physical or virtual appliance. This deployment does not affect the work of employees and their end-points by any means.

Among the cons of this approach, we can name:

• It is unable to work with local sessions and without network connection to an end-point;
• It is able to capture only a limited set of metadata details about the user activity, e.g. do not capture visited URL, active window title, system events, hidden typed text;
• The connection is built around a single point, which is a bottleneck in terms of performance, especially for highly distributed infrastructures;
• High and non-flexible pricing (questionable cost-effectiveness for small and medium deployments).

Another approach is bastion-based user activity monitoring. Solutions of this type are installed on bastion host machines or provided as an appliance, which acts a ready bastion host. The access to the monitored end-points are organized in such way that users have to first login to the bastion host and only then they are granted access to the critical infrastructure nodes. The example of such solutions are CyberArk and Wallix.

Such solutions are focused on the user access management and thus provide many options of organizing rule-based access to the critical end-points, besides the user activity monitoring functionality. They also have the same smooth deployment advantage as the proxy-based solutions. At the same time, bastion-based tools have the same cons: limited possibilities of metadata capture and analysis, performance bottleneck, and non-flexible pricing, which is hardly elastic as for the infrastructure size.

The alternative third approach is agent-based user activity monitoring software, which has its clients installed on each end-point to be monitored and includes a management part providing tools for viewing and analyzing results. Here we can compare employee activity monitoring software like Ekran System, Observeit, and Netwrix.

Ekran System and Observeit are direct competitors, but while the first is targeting both SMB and large corporate markets, the second is focused on the big business deployments. Coinciding in the core functionality, both products offer some unique features with the Observeit solution focusing more on the multifactor user behavior analysis and Ekran System working on easy solution deployment and management as well as monitoring process protection from the unauthorized interruptions. Hitting not only the large deployments, but also the SMB market, Ekran System has a flexible price scheme with pay-only-for-clients licensing, unlike Observeit scheme with a significant fee for the management component and thus high “entrance” cost.

Netwrix products have user session recording functionality, while focusing more on the SIEM tasks. As user session video recording is not the main feature, the solution provides less details on recorded video as compared with the previously mentioned tools and lacks some important accompanying features like metadata synchronization, real-time alerts on suspicious events, and live session viewing. Netwrix pricing for overall user activity monitoring is less affordable that the Ekran System deployment cost while compared with the Observeit pricing.

You can get more detailed comparison of the mentioned tools in the table here.

It is hard to name the best user activity monitoring tool, because it always depends on your particular need, business size, budget, and other factors. But it is clear that user activity monitoring is an important task within the process of providing corporate security in enterprises of any sizes. While monitoring of third-party service providers accessing the company’s infrastructure is an indisputably required security activity, employee monitoring can be questionable in some countries, in particular in UK and other European states in terms of legal risks related to the disturbing employees’ privacy. At the same time, European legal institutions issued several recommendations about the correct organization of such monitoring. You can read more details about the employee monitoring and its legality here.