Stefano Amodio
SOC Team Leader and hard worker, with a decade of experience across ISP, MSSP and internal SOC environments.
SANS/GIAC GSOM Certified
Session
Many SOCs invest in powerful risk- and AI-based tools to generate and classify their alerts, to "clear out the noise" and pinpoint actual "value" in the massive amount of data they collect. It is no secret that today we collect more data in our SIEMs than we would ever have thought possible decades ago, most of it of no real operational relevance. Some even say "SOC is dead", because this model is not humanly bearable. Some also offer flashy magic wands that supposedly solve all these issues in a painless plug&play way, while at the same time magically reducing cost (or not).
What is the solution, then? Agentic AI? Data lakes? Cloud-first? All valuable, but there is also something we can do upstream: instead of only trying to clean a dirty river, reduce the pollution at its source.
This approach also mitigates a lesser known yet very serious risk: unknown unknowns in data collection. Alert fatigue is correlated with False Positive figures and ratios, so most cybersecurity departments focus on the unsustainability of telemetry volumes and forget about False Negatives, that is, the useful logs you should be collecting but do not know you lack. Caring for your car's longevity and performance also means not assuming that any fuel will do and hoping for the best.
Our solution: Governance and Data Quality. It is no coincidence that NIST recently added this as a new pillar of its CSF. The "Identify" pillar gives you "informed" decisions, but it is "Governance" that adds the "deliberate" element: what to collect, why, and whether it is enough. Having no logging data-compliance framework, or having one that ignores business values (e.g. BIA, crown jewels, investments), ultimately means building Security Monitoring on sand, or focusing on scopes so narrow that only security benefits from them, fueling the "working in silos" approach and working against the "holistic observability" and "management buy-in" elements.