Five Tools for User Activity Monitoring

As discussed in our blog post “What is User Activity Monitoring?”, user activity monitoring (UAM) is a form of surveillance that provides visibility and insight into employee productivity and engagement while also revealing insider security threats. While UAM on company-owned or company-sanctioned devices and networks is legal, ethical and HR considerations require that UAM be implemented with a high level of professionalism and sensitivity.

This blog post reviews five leading UAM tools with comprehensive feature sets. They are presented in alphabetical order and are all well-suited to both larger enterprises and SMBs.

ActivTrak

Overview

ActivTrak from Birch Grove Software is an employee monitoring solution that measures productivity, analyzes team behavior, streamlines operational efficiency, and hardens security. It targets small to large Fortune 1000 companies (5-1000+ employees) and provides actionable productivity and security insights for business owners, IT and HR managers, and team leaders. 

ActivTrak integrates with leading collaboration and business intelligence/management solutions such as Slack, Tableau, Trello, Jira, Quickbooks, and Salesforce via JSON Webhooks or Raw SQL Data.

Its main use cases are:

• Insider Threat Detection and User Behavior Analytics: ActivTrak monitors application and web usage, automatically triggering notifications and remedial actions in response to potentially risky behavior. It provides contextual realtime or archived reports for forensic investigation of security compromises and breaches.
• Employee Monitoring: Its tracking agents, which can also be installed remotely on any number of end devices, run continuously in the background where they capture every action with screenshots and video recordings to add context. In addition to assessing employee engagement and productivity, ActivTrak can block unapproved applications, limit social media time, and monitor USB activity and file downloads.
• Operational Efficiency and Productivity Tracking: Metrics-based productivity analyses can be produced for individuals, groups, or the entire organization. ActivTrak’s Activity Logs and Top Users Reports can uncover deviations from policies, inefficient workflows, and both top- and under-performing employees.

Key Features

• Activity and email monitoring
• Screen activity recording
• Browsing history
• Productivity analysis
• Time and attendance
• Two-factor authentication
• User privacy features, such as the ability to restrict monitoring to work hours

Limitations

• No keyword search within screenshots
• No keystroke logging

Pricing

A freemium version of ActivTrak monitors up to three users. Under this plan, data storage is limited to 3GB. Only limited data exports and a single screenshot are included. 

ActivTrak Advanced, which includes most of the features described above without limitations, costs $7.60 per user per month with an annual contract. Other costs are:

• Video playback at $6/user/month
• Raw data access at 20% of the annual contract
• Screenshot flagging and redaction at customized pricing

Ekran System

Overview

Ekran System tracks user activity on corporate servers, physical and virtual desktops, remote laptops, and jump servers. It supports all popular operating systems, virtualization solutions, and network architectures such as Windows, MacOS, Linux, VMware, and Citrix. Ekran System also integrates seamlessly with existing infrastructure, including leading SIEM and ticketing systems such as Splunk, ServiceNow, SysAid, HP ArcSight, and IBM QRadar.

Ekran System creates indexed session video records that can be searched by keywords. Other captured data, such as keystrokes, opened URLs, and executed Linux commands, provide additional context for session analysis, PC activity monitoring, alerting, and reporting. Ekran System also manages and audits privileged access. It comes with a two-factor authentication tool that combines user credentials and time-based, one-time passwords. It also has a rule-based alert system that triggers notifications and response workflows.

Because Ekran System is an on-premises UAM solution with a robust internal encryption system, it is favored by industries such as healthcare and governmental services where data privacy and compliance are paramount concerns. The platform is especially designed to support large deployments (tens of thousands of endpoints) with high availability, multi-tenancy, system resource and health monitoring, and automated maintenance.

Key Features

• Video replay of every session
• Realtime playback of live sessions
• Keystroke and clipboard recording
• USB device alerting and blocking
• Kill process/block user on alert
• Anonymization to protect employee privacy
• Multi-factor authentication
• Secondary authentication for shared logins

Limitations

Ekran System is focused primarily on security features and does not provide the productivity analysis capabilities that are built into the other UAM tools described here. 

Pricing

Ekran System comes in Standard and Enterprise (for larger deployments) Editions. In the Standard Edition, no license is required for the management panel. In both editions, each monitored endpoint is subject to an Ekran System client license. The company does not publish its licensing costs, but Capterra indicates that the starting price is a one-time fee of $500 per endpoint. 

InterGuard

Overview

InterGuard from Awareness Technologies is a comprehensive employee monitoring and control solution. Its key use cases are:

• Employee productivity monitoring: This is done by monitoring computer activity and measuring productive versus idle time for both on-premises and remote workers.
• Protection against insider threats: InterGuard scans and blocks data-at-rest and data-in-motion. You can set risk alerts triggered by keywords, attempted policy violations, and anomalous behaviors. You can also set automatic incident response actions.
• Investigations and Compliance Audits: Session recordings and screenshots can be used to conduct internal investigations or meet auditor requirements.
• Web Filtering and Website Blocking: Web and search activity can be monitored whether employees are on or off the network. InterGuard allows you to monitor internet bandwidth usage for uploading or downloading large files and block websites by whitelist, blacklist, or category.

Key Features

• Many add-on modules including laptop recovery, DLP, geolocation, and print monitoring
• Desktop and mobile activity monitoring
• Keyword alerts
• Screenshot capturing
• File tracking
• Automatic blocking of programs
• Keystroke logging
• Notification and report wizards

Limitations

• Agent installation can be tricky and prone to compatibility issues. It typically requires a lot of manual settings. 
• The user interface is difficult to navigate.
• Data takes time to sync.

Pricing

Pricing for the primary employee monitoring module starts at $8 per user per month for the Business Cloud version. A minimum of 25 users is required, and volume discounts are available. The on-premises version requires a SQL Server and integrates with Active Directory. 

Each additional module (Web Filtering, Data Loss Prevention, Laptop Recovery, Mobile Monitoring, PC Geolocation, and PC Web Blocking) has its own licensing scheme. The Enterprise Edition includes file tracking, Dropbox and download tracking, and advanced print monitoring.

Teramind DLP

Overview

Teramind DLP is an end-to-end user activity monitoring and data loss protection tool for large and small organizations. It can be deployed as a hosted solution, on a private cloud, or on-premises. 

Teramind DLP captures keystrokes and screenshots to monitor all user actions related to apps, websites, files, emails, and messaging. Cross-organization data activities are displayed on a central customizable console. Administrators can use the policy and rules editor to control who accesses what information and how, with real-time alerts to anomalous behavior.

This tool provides a high level of automation. It uses OCR, NLP, document fingerprinting and tagging, and other advanced technologies to automatically discover and classify structured and unstructured sensitive data. It also comes with numerous predefined DLP policies and rules to effectively protect this sensitive data.

External drives, clipboard usage, social media and IMs, and download/upload operations can all be tracked to prevent accidental or intentional data exfiltration. Should a data breach occur, Teramind DLP provides the forensic evidence necessary to investigate it. Teramind DLP also has built-in support for a wide range of compliance standards such as GDPR, HIPAA, and PCI DSS.

Teramind DLP’s event triggers and logs can be sent to SIEM and threat or security analytics systems for unified security orchestration. This platform supports most of the leading SIEM tools such as HP ArcSight, Splunk, IBM QRadar, and McAfee Enterprise Security Manager. It also exposes a set of RESTful APIs that can be used by any application that supports web service connections.

Key Features

• Monitoring of a wide range of system objects such as websites, applications, keystrokes, messaging, and email 
• Productivity analysis, including active versus idle time analysis
• Content-based policy and rules engine, with hundreds of pre-built rules and templates
• User behavior analysis
• Content discovery and classification
• Real-time alerts and notifications
• Advanced OCR and NLP for monitoring screenshots, application interfaces, and videos
• Clipboard monitoring
• Identification and tagging of important documents and files to track modifications and transfers
• Support for compliance audits and forensics
• Advanced risk analysis and scoring

Limitations

• Latency issues when monitoring remote users have been reported. 
• The very comprehensive set of monitoring features can be overwhelming.

Pricing

The Teramind DLP cloud-based subscription costs $150/month for a minimum of five users, while the on-premises subscription costs $150/month for 10 endpoints, with each terminal server costing an additional $450/month. The first two months are free when opting for annual billing.

For smaller organizations, the Teramind Starter hosted edition, which does not have DLP capabilities and offers a somewhat limited set of user activity monitoring/analysis, rules-based policies, and audit features, costs $60/month for a minimum of five users.

Veriato Cerebral

Overview

Veriato Cerebral (formerly known as Veriato 360) promotes productivity by recording and storing all on-screen activity and keystrokes, including chats and IM, social media sites, email, web browsing and searches, application engagement, file transfers, documents printed or transferred to USB, network connections, and bandwidth consumption. Veriato Cerebral issues keyword-based productivity and security alerts.

For protection against insider threats, Cerebral’s AI-driven UAM incorporates user and entity behavior analytics as well as automated data breach response. It monitors for unusual access by IP address, geolocation, and more. It uses computational linguistic analysis to automatically identify and categorize employee sentiment and anomalous risky behavior. In general, Cerebral implements robust statistical analyses, including multivariate and regression analyses for forecasting, association discovery, and compliance tracking. Cerebral issues real-time security alerts and supports rapid action through video playback of user activity.

Key Features

• Scheduled productivity reports (daily, weekly, monthly)
• Screen recordings and DVR playback
• User status tracking
• Third-party integrations
• Customization
• Uncluttered interface
• Cloud, SaaA and on-premises deployment options
• Whitelisting/blacklisting of websites and applications

Limitations

• Implementation involves a fairly steep learning curve.
• Some additional training may be required to take advantage of all of its options.

Pricing

Pricing is only available upon request. One reviewer submitted a request for a small business with 10 employees and was quoted a price of $1,200 per year.

Final Note

The first step in choosing a UAM tool is to clarify the organization’s UAM needs and objectives. As a best practice, many organizations choose to integrate the UAM with an existing SIEM or security analytics solution. If you choose to do that, the UAM tool must support such an integration, and comprehensive DLP features are less important for you. Consult HR to see what their user privacy and depth of surveillance requirements are. Consider whether or not your IT resources are capable of handling installation, configuration, and maintenance issues. Some of the tools described are easier to install, use, and maintain than others.

Do you have experience with UAM in general and UAM tools in particular? If so, please feel free to comment for the benefit of our readers who may only be at the beginning of their UAM learning curve.