Need to show how static analysis has value, to save my position.
We use Autoruns on several clients to pull persistent mechanisms on clients endpoints, and we have alerts that present data to about 7 different people/shifts, with all "new" PM's on a device that they inspect for maliciousness using the hashes (for the most part). That is our Dynamic analysis.
My position looks at all the autorun and registry entries, as well as the new PM's that were alerted on for the past 24 hours, on all endpoints, for all clients, the following day, in an effort to catch anything that was missing during the dynamic analysis.
My boss wants to do away with my static analysis because he doesn't see the value in it. I know that these dynamic alerts could be pulled together to be used to identify attacks that utilize several legitimate processes, that may seem benign when seen by itself in an alert. But, my boss wants metrics that show the value of my position. I'm a bit overwhelmed with trying to show this to him. I know there is value, but how and where do I find "metrics" that proof that my position really is valuable. I haven't found a lot of malware, but I have found PUPs that pose a threat...and that treat could lead to malicious network connections. But that would hopefully be caught by those who analyze the network traffic. I know there is value in seeing "all" the processes and files on an endpoint, I just don't know how to prove it.
I really need help with this. I am 1 of only 2 women who work in this department and I feel like I just can not get their respect for my perspective, without some solid ground to stand on. I need that ground!! How do I prove this? with metrics? Women's intuition is just not enough in this career!
thanks for any ideas!