Top 8 User Activity Monitoring Tools

CyberArk Privileged Access Manager, ObserveIT, Teramind, Ekran System, TSFactory RecordTS, Fortscale, ActivTrack, AWS CloudTrail
  1. It is useful for protecting passwords. If you need to do access security management, you can first use the CyberArk console, and after that, you can connect the firewall interface or firewall command line. Similarly, if you need to do an RDP session, you need to first log in to CyberArk before connecting to the Windows RDP session. This way, the admin doesn't know the password, and that password is changed immediately. To change the password, you first discover the old password in the network, and after that, you can change the password.
  2. ObserveIT is small, easy to use, easy to deploy, and is not complicated, so it's more generally suited for only SMBs. It's a good value with a cheaper price.
  3. Screen recording and keylogging to discover suspicious user behavior is the most valuable feature. Ekran uses a combination of easy-to-analyze video record and searchable text metadata representing activity details like application name, active window title, URL address, commands with parameters, and more.
  4. We have used the Remote Desktop Protocol (RDP) and Citrix session recording features, and have found them to be extremely valuable.

Advice From The Community

Read answers to top User Activity Monitoring questions. 543,089 professionals have gotten help from our community of experts.
Karin Krings
I'm looking for recommendations for software to detect insider threats. Where can I find a Pros/Cons template, customized to organization, to source insider threat detection support?
Xavier Suriol
Real User

I would suggest statistical methods (including machine learning): First, outlier detection. Then, approaches like “Association rules” (=not statistics to explain all the variance in a dataset but to find out tiny observations): for instance, they are useful for DNA prediction of diseases (one or two SNPs among millions of them), a forensic task.

When fraudsters know a tool (a template, a program), the solution is no longer valid. Research is the answer (research software rather than “production” software like in accountability). I mean, research as a step beyond production (only useful in the short term).

reviewer1324719 (PAM Architect at a tech services company with 11-50 employees)
Real User

This is an inside-out --- outside-in --- inside-in question, as an insider can be an outsider as well. There is no short answer other than a blend of a PAM tool with Behavioral Analytics and Endpoint Management, to protect credentials, govern activities, and detect abnormal activities.

I have about 40 questions I would ask before spitting out a single solution. Without knowing more about your environment I would be slow to start throwing possible solutions, as this will take you days to sort out the differing capabilities and features. You can start by looking at the Gartner Quadrants for PAM tools like BeyondTrust, CyberArk, Centrify, Thycotic, MicroFocus and others. If you spear your specific requirements you may miss bigger threats in your circumference, so use a net, and remedy the surrounding threats in this process.

Ken Shaurette
Real User

You'd need to break out better what you consider to be the types of insider threats. There is fraud; very different in an application system than insider activity that may be simply malicious or results in data loss. You need to identify a baseline of normal activity for each user across files, network, user behavior and the endpoint; correlate abnormal behaviour and lean false positives; that is your software and/or the CyOps team supporting you must. 

Doing that begins to give you some use cases that you can then test to determine if they are important to you and can be supported by your choice(s) of solutions. There may not be one, there may be layers needed, but depending on your choice you may be able to get more in one than with other options. Feel free to contact me off list (LinkedIn) if you'd like a matrix that could be used in a product comparison.

Norman Freitag

Hello All,

I hope you had a merry Christmas.

In this case it is as simple as it is.
Just take Proofpoint ObserveIT - many companies in the public and financial sector have been using it for years.
By the way, it has GDPR conformity, that's especially interesting if you want to go for the EU or California.
It's easy to install, easy to administer, and comes with a huge number of use cases. So the need for customizing is reduced to minimum. It prevents, detects, alerts and tracks all inputs with a minimum of storage needed.

Few Steps
Phase 1, define the architecture and monitor all high-privileged users with the default setup. Then work with Proofpoint or local support to define gaps and customize use cases (only a few days)

Phase 2 roll out to next group of users and so on.

I apologize for this non-technical answer, but sometimes it really is this simple.
You don't need to invent the wheel a second time :)

Would like to wish everyone here a Happy New Year this way.
Please stay healthy

Best Regards


reviewer989748 (Security Analyst at a financial services firm with 201-500 employees)
Real User

In addition to responses from Xavier Suriol and reviewer1324719, also consider ObserveIT from Proofpoint.