On February 27, Beacon CEO Gal Tal-Hochberg presented at the SANS 2026 SOC, SIEM, SOAR Forum on a topic that comes up in almost every conversation we have with security teams: why do we keep ending up with the wrong data when it matters most?

‍

The talk explores a common pattern. A team switches SIEMs, invests in reimplementation, and within months ends up right back where they started. Expensive, noisy, missing the logs they actually need. The problem isn't the tool. It's how teams decide what to collect in the first place.

‍

Gal walks through a different approach, one borrowed from how signals intelligence organizations had to rethink collection as the internet exploded the volume of available data. The core idea: stop starting from what data sources you can get, and start from the threats you're actually defending against.

‍

He covers a practical framework for mapping threats to telemetry requirements, a simple ROI model for deciding which sources are worth the cost, and a real example involving an insider risk investigation where the log source that mattered most was one nobody had thought to collect.

‍

Watch the full replay here.