Session

Building Your Open Security Lakehouse: Ingest, Normalize, and Model Security Data at Scale

Overview

Experience: In Person
Track: Cybersecurity
Industry: Enterprise Technology, Retail & Consumer Goods, Financial Services
Technologies: Databricks SQL, Lakeflow, Lakewatch
Skill Level: Intermediate
Many organizations are experimenting with “security data lakes” but struggle to move from DIY projects to an operational architecture the SOC can live in every day. This session walks through Lakewatch’s reference architecture for an open security lakehouse: how to onboard and unify diverse security, IT, and business telemetry on open storage, normalize it to OCSF (the Open Cybersecurity Schema Framework), and organize it into bronze, silver, and gold tables optimized for SecOps. We’ll cover ingestion patterns for common data sources, medallion modeling for security analytics, governance with Unity Catalog, indexing and search strategies, and how to safely bring in multimodal data such as emails and documents. You’ll leave with an opinionated architecture you can use to evaluate or design your own security lakehouse, plus guidance on when to augment versus replace existing SIEM tooling.
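To make the bronze/silver/gold split and the OCSF normalization step concrete, here is an added, stand-alone Python sketch of that pipeline over a constructed sample of authentication logs. It is not code from the session, Lakewatch, or Databricks: on the platform these would be Lakeflow or Spark tables, and here they are plain Python lists so the shape can be inspected offline. The OCSF field values (class_uid 3002 for Authentication, category_uid 3, activity_id 1 for Logon, status_id 1/2 for success/failure, type_uid = class_uid*100 + activity_id) are taken from the OCSF schema, with version 1.1.0 assumed; the log formats, hostnames, users, and IPs are made up for the example. The point worth noticing is the quarantine list: a record that does not normalize is kept for review rather than silently dropped, and every silver event retains the raw line in OCSF's `raw_data` field so analysts can always get back to the evidence.

```python
"""Bronze -> silver (OCSF) -> gold over a constructed auth-log sample.
Plain-Python stand-in for Lakeflow/Spark tables; OCSF v1.1.0 assumed."""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# OCSF constants (schema v1.1.0 assumed): Authentication class in the IAM category.
OCSF_VERSION = "1.1.0"
CLASS_UID_AUTHENTICATION = 3002
CATEGORY_UID_IAM = 3
ACTIVITY_LOGON = 1
STATUS_SUCCESS, STATUS_FAILURE = 1, 2

# Constructed sample input: one JSON app log line and four sshd-style syslog lines.
RAW_LINES = [
    ("appauth", '{"ts":"2024-05-01T12:00:00Z","user":"alice","ip":"10.0.0.5","result":"ok"}'),
    ("sshd", "May  1 12:00:05 bastion sshd[4242]: Failed password for bob from 203.0.113.9 port 52211 ssh2"),
    ("sshd", "May  1 12:00:07 bastion sshd[4242]: Failed password for bob from 203.0.113.9 port 52212 ssh2"),
    ("sshd", "May  1 12:00:09 bastion sshd[4243]: Accepted publickey for carol from 198.51.100.2 port 40000 ssh2"),
    ("sshd", "May  1 12:00:11 bastion sshd[4244]: Received disconnect from 198.51.100.2"),  # not an auth event
]

SSHD_RE = re.compile(r"(Failed|Accepted) \S+ for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def to_bronze(lines):
    """Bronze: raw records kept verbatim plus ingest metadata; nothing is parsed or dropped here."""
    return [{"source": src, "raw": raw, "ingest_seq": i} for i, (src, raw) in enumerate(lines)]


def _epoch_ms(iso):
    return int(datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp() * 1000)


def _ocsf_auth(time_ms, user, ip, status_id, product, raw):
    """Minimal OCSF Authentication event; type_uid = class_uid*100 + activity_id per the schema."""
    return {
        "class_uid": CLASS_UID_AUTHENTICATION,
        "category_uid": CATEGORY_UID_IAM,
        "activity_id": ACTIVITY_LOGON,
        "type_uid": CLASS_UID_AUTHENTICATION * 100 + ACTIVITY_LOGON,
        "status_id": status_id,
        "time": time_ms,
        "user": {"name": user},
        "src_endpoint": {"ip": ip},
        "metadata": {"version": OCSF_VERSION, "product": {"name": product}},
        "raw_data": raw,  # keep the evidence; analysts will need it
    }


def to_silver(bronze, year=2024):
    """Silver: normalize each bronze record to OCSF. Records that do not parse go to quarantine, not away."""
    events, quarantine = [], []
    for rec in bronze:
        src, raw = rec["source"], rec["raw"]
        if src == "appauth":
            d = json.loads(raw)
            status = STATUS_SUCCESS if d["result"] == "ok" else STATUS_FAILURE
            events.append(_ocsf_auth(_epoch_ms(d["ts"]), d["user"], d["ip"], status, "appauth", raw))
            continue
        m = SSHD_RE.search(raw) if src == "sshd" else None
        if not m:
            quarantine.append(rec)
            continue
        # Syslog timestamps carry no year; it is assumed from the ingest context.
        stamp = datetime.strptime(f"{year} {raw[:15]}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        status = STATUS_SUCCESS if m.group(1) == "Accepted" else STATUS_FAILURE
        events.append(_ocsf_auth(int(stamp.timestamp() * 1000), m["user"], m["ip"], status, "sshd", raw))
    return events, quarantine


def to_gold(silver_events):
    """Gold: a SecOps-shaped aggregate, failed logons per (user, source IP), worst first."""
    failures = Counter(
        (e["user"]["name"], e["src_endpoint"]["ip"])
        for e in silver_events
        if e["class_uid"] == CLASS_UID_AUTHENTICATION and e["status_id"] == STATUS_FAILURE
    )
    return [{"user": u, "src_ip": ip, "failed_logons": n} for (u, ip), n in failures.most_common()]


def run_pipeline(lines=RAW_LINES):
    bronze = to_bronze(lines)
    silver, quarantine = to_silver(bronze)
    return {"bronze": bronze, "silver": silver, "quarantine": quarantine, "gold": to_gold(silver)}


if __name__ == "__main__":
    out = run_pipeline()
    print(f"bronze={len(out['bronze'])} silver={len(out['silver'])} quarantined={len(out['quarantine'])}")
    for row in out["gold"]:
        print(row)
```

Running it yields five bronze rows, four OCSF silver events, one quarantined sshd disconnect line, and a gold row showing two failed logons for bob from 203.0.113.9. In a real lakehouse the same three stages would be Delta tables with Unity Catalog governing who can read the raw bronze data versus the aggregated gold views.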

Session Speakers


Kristin Dahl

Cybersecurity SSA
Databricks


Bryan Schaefer

Cybersecurity Field Engineering
Databricks