How to Build a Security Data Lakehouse for No-Ingestion Fee MDR
How a Security Data Lakehouse MDR Defuses the Legacy SIEM Crisis
In the fresh warmth of early spring two thousand twenty-two, a quiet emergency gripped our security operations floor. Our legacy SIEM invoice had quietly crept past our entire engineering payroll. The culprit was simple: an endless, surging torrent of cloud infrastructure records. We were drowning. To survive, we had to find a different path. We needed a new breed of security data lakehouse MDR setup to restore sanity to our balance sheet. Every spinning Kubernetes cluster, every cloud trail, and every software rollout translated directly to a steeper penalty in monthly ingestion costs. We found ourselves caught in a classic trap, forced to choose between seeing our defense landscape clearly and staying solvent. The math was breaking us. We had to break away from old MDR storage models before our entire defense system folded under its own weight.
This painful dilemma plagues almost every enterprise trying to defend massive cloud ecosystems. Old-school Managed Detection and Response agencies demand a double ransom for your telemetry. First, you pay your infrastructure host to hold the raw files in cheap storage. Then, you hand over a fortune to your security provider to ingest, read, and store those identical files inside their walled garden. This double-ingestion penalty forces security chiefs into dangerous corners. They start filtering out vital endpoint records or deleting historical trails after a mere month. We saw a different path. We decided to split storage away from compute. We would keep total custody of our records while letting our defense partner dissect them in place. That simple shift sparked our migration toward a tailored security data lakehouse MDR system.
We set out to construct our own central vault, a single, unassailable source of truth for our defense team. We wanted to keep our logs in an open, highly affordable structure without sacrificing the blistering speed required to hunt down active intruders. Our goal was relentless, real-time observation, completely free from the tax on every extra gigabyte. What follows is the narrative of how we designed, wired, and ran a live security data lakehouse MDR setup that deletes ingestion fees through direct, in-place queries.
Structuring a Modern Security Data Lakehouse MDR Architecture
Trading our heavy SIEM for a security data lakehouse MDR model meant rebuilding our data pipelines from the bedrock up. A lakehouse merges the cheap, vast storage of a traditional lake with the strict order, clean structure, and swift speed of an enterprise warehouse. Previously, our logs traveled directly to our vendor through complex, fragile integrations. In our new blueprint, we built a one-way street. Every scrap of telemetry lands inside our own cloud perimeter first. We keep the keys. We own the files.
Our new system relies on three distinct layers working in harmony. First, an ingestion mechanism gathers raw events from hundreds of scattered systems and shapes them into a uniform shape. Second, a heavy-duty cloud warehouse handles storage and analytics, supplying the raw horsepower needed to run intricate detection logic across petabytes of historical records. Finally, a shared defense layer lets our security partner query our warehouse directly through secure, modern sharing features. The telemetry never leaves our virtual walls. The double-tax vanished overnight.
To keep this engine running fast, we adopted the Open Cybersecurity Schema Framework. This shared blueprint translates logs from different sources like CrowdStrike, Okta, and AWS into a single language queryable with plain SQL. By cleaning up the data before it pools, our security data lakehouse MDR runs at full throttle. The analytics engine never wastes precious seconds translating messy text blocks while an active incident unfolds.
Sidestepping Ingestion Fees with Query-in-Place Power
The secret to escaping ingestion fees is querying in place. It turns the old managed-security model completely on its head. Historically, analytical engines sat on the vendor side, demanding that you push all your logs into their software. We flipped the equation. We brought the detection engines to our data. Our defense partner plugs directly into our own warehouse, running hunting scripts and defense rules inside our cloud environment.
This relies on modern sharing tools that grant secure, read-only entry to specific datasets without copying them. By carving out secure views in our warehouse, we let our partner inspect the structured log tables while our raw files stay locked inside our network. The vendor sets up their custom rules as scheduled SQL queries running on our compute nodes. They watch our environment live, without ever dragging a single gigabyte to their own servers.
The economic relief was immediate and deep. Since our partner does not ingest or hold our files, our bills from them for storage dropped to zero. We pay only the raw, baseline cost of our cloud storage. By separating storage from analysis, we can keep years of logs for deep forensic hunts that would have bankrupted us under old SIEM licenses. Our partner can focus entirely on what they do best: writing sharp detection rules and hunting threats, rather than running a massive data-hosting business.
Step-by-Step Setup of a Snowflake Security Data Lakehouse MDR
Constructing a fast Snowflake data lake starts with a clean pipeline. We used an open-source log router to gather events from our cloud services and drop them straight into an Amazon S3 bucket. We tuned the router to bundle these events into compressed Parquet files every five minutes. This struck a perfect balance between fresh data and smart file sizes. From there, Snowpipe picks up the Parquet files automatically, loading them into Snowflake the second they hit the bucket.
To illustrate how this data is structured within our Snowflake security data lake, we created a dedicated database and schema to house our normalized security logs. The following SQL script demonstrates how to define a table for AWS CloudTrail logs using a highly structured schema that supports fast analytical queries.
CREATE TABLE security_lake_db.normalized_logs.aws_cloudtrail ( event_time TIMESTAMP, event_id VARCHAR, event_name VARCHAR, user_identity OBJECT, source_ip_address VARCHAR, request_parameters OBJECT, response_elements OBJECT, additional_event_data OBJECT );
Once the tables are created and Snowpipe is actively populating them with incoming telemetry, the next step is to configure secure data sharing. Snowflake allows us to share specific tables and views with external accounts securely, without copying the data. We created a secure share object and granted select permissions to our MDR provider, allowing their analytical platforms to query our security logs directly. The following SQL commands outline the process of creating a share and granting read-only permissions to our external partner.
CREATE SHARE security_partner_share; GRANT USAGE ON DATABASE security_lake_db TO SHARE security_partner_share; GRANT USAGE ON SCHEMA security_lake_db.normalized_logs TO SHARE security_partner_share; GRANT SELECT ON TABLE security_lake_db.normalized_logs.aws_cloudtrail TO SHARE security_partner_share;
Once this is set up, our external defense team mounts the shared database inside their own Snowflake account. They run their threat-hunting engines and scan our logs while we keep total control of our storage and compute spend. This link forms the backbone of our modern security data lakehouse MDR setup.
How Security Data Lakehouse MDR Rewrites Incident Response
The moment of truth arrived during a red-team drill. A skilled simulation team targeted our cloud infrastructure by hijacking an over-privileged IAM role. Under our old SIEM setup, tracing their steps would have taken hours of painful log recovery because older CloudTrail logs were regularly buried in cold storage to save money. With our new lakehouse model, a whole year of security records sat warm and ready. Our team traced the entire attack path in minutes.
With real-time access to our database, our MDR partner flagged the strange IAM activity the moment it occurred. They ran complex joins across our Okta identity logs and AWS CloudTrail records, linking the initial login to suspicious API calls across multiple cloud accounts. The query-in-place model scanned millions of rows in seconds, pinpointing the attacker's IP and freezing the compromised keys before a single file could be stolen.
This swift save proved that a data lakehouse is more than a way to trim the budget. It is a far better defense platform. By tearing down the walls built by old SIEM storage limits, we gave our analysts and partners the clear view they needed to guard our network. We no longer fear the bill when adding new log feeds, which lets us harden our defenses without asking permission from the finance team.
Direct Takeaways for Security Leaders
Moving to a security data lakehouse MDR architecture takes planning, but the payoff is massive. To make the shift work, keep a few crucial rules in mind.
- Establish Data Ownership First: Map your pipelines so that all raw records drop into your own cloud storage before any vendor touches them.
- Standardize on Open Schemas: Adopt data structures like OCSF early to keep your files uniform and queries lightning-fast.
- Use Native Data Sharing: Rely on built-in warehouse sharing to give your partner read-only access, killing off replication and extra fees.
- Separate Storage from Compute: Keep old records in cheap object storage and spin up processing power only when searching for threats.
By following this guide, you can escape the pricing traps of legacy SIEM providers, shifting your budget back to active defense instead of storage fees. This setup scales cleanly alongside your growing infrastructure, keeping your eyes open and your defenses strong in a complex world.