A few questions we get asked on a regular basis are “how do we compare with Varonis?” and “is Lepide an alternative to Varonis?”
To answer this question, I’ve created this blog and, whilst I’ve tried to be as unbiased as I can, clearly, I have a favorite. It’s also important to know this blog is in many places anecdotal, created from information obtained either from direct customer feedback or publicly available sources.
With that being said I hope it at very least helps prospects and customers thinking about Varonis to ask the right questions before making a decision.
Is Lepide an Alternative to Varonis?
Up until 5-6 years ago, Varonis had a monopoly on the data security platform market. Whilst they have still seen significant revenue growth, there have been a number of data-centric security vendors, such as Lepide, that have risen to prominence in recent years.
As to whether we’re actually a competitor or not really depends on what you’re looking at Varonis for. If you’re considering Varonis as a means of classifying sensitive data, tracking user behavior, uncovering current/excessive permissions, or even keeping track of states and changes around Active Directory, Group Policy etc. – then without a doubt we should also be on your list of vendors to look at.
It is, however, fair to say that a lot of the prospects that choose our data security platform will have used or reviewed Varonis at some point in the discovery process. There is a lot of crossover in both our functionality and messaging.
Both Lepide and Varonis are avid believers in the principals of DCAP (Data-Centric Audit & Protection) outlined by Gartner in their DCAP research, and we both apparently share the view that data security NEEDS to evolve and become more data-centric.
Varonis Alternative for Data Discovery and Classification
Make no bones about it – the Varonis data security platform is comprehensive and mature.
It delivers extensive data discovery functionality, although from what I’ve heard this is an OEM of a third-party Oracle SDK plug-in.
I have heard a few prospects claiming that it only classifies files under a certain file size, I’ve heard this is around 25mb per file.
All of that being said, irrespective, by all accounts its pretty good. Despite the discovery aspect of the Varonis solution that seems to work smoothly, I have heard mixed feedback on the classification side of things. The main complaint we’ve heard seems to be to do with false positives, which I know is a common problem for many vendors offering such solutions.
The other main gripe we’ve heard often about the Varonis offering is the cost, both in terms of the product itself but also in the services they will attempt to ‘make’ you buy for the deployment.
While our approach in comparison to Varonis is 100% homegrown it does not have the same level of functionality in the range of supported platforms (yet). Our approach is much more simplistic than Varonis. We enable the discovery and classification of files (of any size) based on a range of PII types specified by pre-defined regular expressions. We then populate our reports and alerts section making it really easy to work out what’s happening to these files. Where we tend to win is the ease of deployment, ease of use and cost. Often, we’re well under a third of the cost of Varonis in this area.
Frankly though, if data discovery and classification is your primary driver and a siloed project then it’s likely that neither Lepide or Varonis would suit your needs. The value of solutions such as Lepide really comes through when used as a holistic approach to monitoring the location, permissions and user behavior around the data.
Varonis Alternative for Auditing of Changes and States on Critical Systems
Quite a lot of prospects that look at Varonis are seeking a platform to audit, alert and monitor the systems that govern access to the data. Specifically looking to audit Active Directory, Group Policy, SQL Server, SharePoint and other key pieces of infrastructure.
Both Varonis and Lepide believe that tracking changes and reporting on states across these systems is critical to keeping the data secure.
In terms of functionality, I’ve not really heard of any negative feedback around the Varonis offering apart from a few niggles around the latency of the alerts when changes are made. Like for like, the functionality of Lepide Vs Varonis across these areas is frankly pretty similar.
If you’re looking for a means of auditing changes made to these platforms or want to keep track of the states of these platforms, I’d argue that our reports offer more detail, are faster to run and are easier to manipulate and configure. Or at least this is the feedback we’ve heard from some of our larger customers. I’ve specifically heard this around the quality of our Group Policy reporting.
Aside from functionality we also win vs Varonis in this area because of our pricing model. Whilst I believe we win based on functionality, it would be naive of me to claim that price isn’t relevant.
Varonis Alternative for User Behavior & Entity Analytics (UEBA)
A common reason many prospects look at our solution and the Varonis solution is to determine what their users are doing with their sensitive data. More accurately, to determine whether users are acting ‘normally’ or appropriately with their sensitive data.
Our approach to this is quite different from Varonis. We fully integrate the ‘sensitive data type’ into our core reports and make it simple to include sensitive data type when creating alerts. Our anomaly spotting offers the ability to spot anomalies in user behavior or a specific system (though is perhaps not as integrated as the Varonis platform). We came to the UEBA market a little late in comparison to Varonis, so their solution is in some regards a little more mature than ours. But ours is easier to use and understand which ultimately makes it easier to get value from.
One major thing we’ve heard quite a few times is the latency on alerts with the Varonis solution. We’ve had some users claiming alerts are not what you’d call “real-time.” The other key thing we’ve heard is that Varonis lacks the ability to alert on when files are copied. It’s an issue that many of our competitors struggle with. We believe it’s absolutely imperative you know this information as files being copied represents one of the biggest security risks. We’re able to do this as we use a lightweight agent that captures this detail in real-time.
They do however offer a much broader range of platforms than we do. We cover platforms they don’t and vice versa. So, it’s a good idea to check that the platforms you require are covered. If you’re unsure, just ask us (there’s every chance that if we don’t cover it currently, it’s on our immediate roadmap).
Varonis Alternative for Privileges and Permissions
A key feature that both Varonis and Lepide share is the ability to help enterprises easily understand who has access to what and help determine whether permissions and privileges are appropriate.
We’re both able to offer reports on excessive permissions and show who has access to which files and folders. Or, in reverse, which files and folders (with which permissions) a user can access.
From what we’ve seen, Varonis offers more functionality with regards to identification of data owners than we currently do, and they also offer the ability to handle the automation of / granting of permissions straight from within their console. Though I’m not sure how widely used this feature is.
One feature that we have that I’ve not seen Varonis offer is historic permissions. Being able to see who HAD which levels of access at a previous point in time.
Differences in Commercial Engagement
Another, perhaps the incidental, point is we’re not about the heavy, hard sell. No-one wants it. I have even heard some people walking away from Varonis altogether as they felt the engagement was a little overzealous.
I’ve heard it’s hard to get a demo of their solution or you want to try it yourself, it’s not that easy. They would rather draw you in on a risk assessment. They’re also keen to wrap the process in professional services. Perhaps they don’t like showing people the GUI until later in the engagement. Whilst it’s a matter of preference, I don’t think it’s unreasonable to say that the GUI within the Varonis solution is in places inconsistent. As is often the natural evolution with these things. In places, it looks a little Windows 3.1esq.
Where Lepide Wins
I truly believe we win because people actually prefer how easy our solution is to install, deploy and use. They prefer the speed, the flexibility of the reports and alerts but it would be foolish to ignore the fact that we’re typically well under half the price of Varonis.
Budget of course plays a role in decision making and I’m sure has been the deciding factor in prospects choosing Lepide over Varonis.
Often the price point of Varonis escalates as they are keen to load the price with a lot of professional services. Just something to be aware of when talking through the commercials with them. Like Varonis, we offer professional services, but ours are completely optional.
As to which solution you should choose, it’s clearly (obviously) dependent on your needs. There is no right answer. What we know for certain; 90% of those prospects that compare Lepide vs Varonis, choose Lepide.
Varonis offers a lot more bells and whistles than we do, and the company is more mature (in terms of years at least). However, for most prospects, our offering delivers exactly what they need without prospects having to make too many compromises. We also have a significant roadmap in place so even if there’s something you need that we don’t currently provide, I can pretty much guarantee it’s in the pipeline.
For anyone comparing us to Varonis, or any other vendor for that matter, I highly recommend talking to one of our experts for an informal, unbiased conversation about the problems you’re trying to fix.