One year of Heimdall – and that’s just the beginning

At the turn of the year 2019/2020, the time had come: having initially focused on analysis and learning, the Heimdall service now also began sending assessments to the participants of the Heimdall beta. Heimdall’s functionality was limited at first, but the service steadily expanded it as it gathered experience. Over the course of 2020, the repertoire of detections grew significantly. In this article, we look back at a number of developments and show how Heimdall became increasingly active, especially in the second half of 2020.

What is Heimdall?

The Heimdall service in NoSpamProxy collects and analyses metadata on emails and attachments. The goal is to build an even more powerful anti-malware intelligence that can detect and defend against spam and malware attacks even faster and more accurately.

Heimdall analyses a growing number of emails

Heimdall’s great strength lies in centrally bundling the meta-information of the numerous distributed NoSpamProxy instances and, based on this, identifying suspicious trends early on. The following graph shows the number of emails reported by Heimdall for the second half of 2020:

[Figure: Number of emails reported by Heimdall]

In the overview, the emails are divided as follows:

  • Outbound emails (Outbound)
  • Inbound emails with Level of Trust (Trusted Inbound)
  • Inbound emails without Level of Trust (Untrusted Inbound)

The dark line (Trend) represents the averaged overall trend. It is easy to see here that the number of reports to Heimdall increases significantly over time. As expected, email traffic is greatly reduced at the end of the year.

Heimdall beta increasingly popular

The free use of the Heimdall service (currently available as a beta version) by NoSpamProxy customers comprises two stages.

In the first stage, participation in Heimdall can be activated locally. The NoSpamProxy instance then reports to the Heimdall service. This allows the algorithms to adjust to the reported meta-data, but does not provide any additional protection.

The second stage becomes active as soon as the NoSpamProxy support has been activated. NoSpamProxy then not only sends reports but also receives replies from Heimdall, and additional SCL points are awarded on the basis of the assessments made.

[Figure: Number of reports compared with the number of assessments]

The graph shows

  • how many emails have been reported to Heimdall over the last few months (Nur Berichte, “reports only”)
  • and how many of these have already been evaluated by Heimdall (Antworten, “replies”).

Again, the figures refer to daily values. The proportion of reports that were also answered is represented by the dark line and uses the scale on the right. Especially from the summer of 2020, the proportion of NoSpamProxy customers who used the Heimdall beta increased. As a result, the proportion of Heimdall reports that were answered also increased.

Heimdall is constantly improving

In the course of the last year, the malware and spam detection of the Heimdall service has been constantly expanded with new features. The aim is to complement the existing protection mechanisms in NoSpamProxy.

“Heimdall takes care of the particularly difficult cases and thus complements the protection provided by NoSpamProxy perfectly.”

The following graphs compare the number of local detections with the number of detections by Heimdall:

  • Number of local detections compared to detections by Heimdall
  • Local detections compared to detections by Heimdall (detailed view)

This shows that the local protection mechanisms of NoSpamProxy detect the majority of malicious emails. Nevertheless, threats keep cropping up for which Heimdall contributes a significant number of additional detections and completes the protection.

One example is the detection of phishing or spam waves, which in many cases last less than an hour. Here, the correlation of meta-data enables fast and targeted detection.

Conclusion

After a little over a year, Heimdall is slowly coming of age. In more and more areas, the existing protection is being effectively supplemented. Especially in the case of special threat situations – such as those caused by Emotet and others – Heimdall can react quickly and flexibly thanks to its cloud infrastructure. Moreover, it is already apparent that Heimdall is gradually developing into a mature malware intelligence.

Start using Heimdall now

Heimdall collects and analyses metadata on emails and attachments. The goal: to build an even more powerful anti-malware intelligence that can detect and fend off spam and malware attacks even faster and more accurately. If you are interested in using the beta version of Heimdall, send an email with the subject “Heimdall activation” to NoSpamProxy Support and attach a screenshot of your licence details.