SIEMs & Data Lakes can be friends...it isn't Either/Or, It’s Yes, And.

September 25, 2025


On this Detection Dispatch, host Alex Hurtado sits down with Jake Berkowski, CTO at Snowflake, to crack open one of the hottest and most misunderstood topics in modern SecOps: the rise of the security data lake, and the security data lake as your SIEM.

Modern detection architecture isn’t about choosing SIEM or lake — it’s about interoperability, orchestration, and strategic flow. They cover federation hype and the upkeep fatigue of data silos, and take a brutally honest look at why standalone SIEMs aren’t cutting it, what’s actually driving data lake adoption, and how teams can shift from buying more platforms to building better data flows. Along the way, they unpack the new Snowflake x Splunk integration, AI governance headaches, and the myth of the “one platform to rule them all.”

If you're wrestling with detection silos, debating SIEM retirement, considering data lake modernization, or just trying to make sense of the evolving detection-to-response pipeline, this episode is your signal.

Detection Engineering Dispatch features candid conversations with security teams at top companies on how they build, measure, and scale world-class detection programs.

Alex Hurtado, Host
Jake Berkowski, CTO at Snowflake


Alex:
Hello everyone, and welcome back to Detection Dispatch — the show where detection engineers, SOC analysts, and really anyone building in the trenches of SecOps come to swap stories and sharpen their strategies. And occasionally, like in my last episode, question their life choices.

I’m your host, Alex Hurtado, and today we’ve got a killer episode with our friend Jake Berkowsky.

Jake:
Let’s do it.

Alex:
Jake, welcome to the pod! We’re so excited to have you here.

Before we dive in — I just had my first pumpkin spice latte of the season. Have you had yours yet?

Jake:
Not yet! I’ve been sticking to iced coffee. After seven years in Boston, it’s a habit.

Alex:
Fair. Are you a black coffee drinker?

Jake:
Always. No cream, no sugar.

Alex:
Ah, so the “high-IQ” type. I stand corrected!

Let’s start with the basics — how did you get into security, and what are you working on these days over at Snowflake?

Jake:
Like a lot of folks in this field, I kind of fell into it. I ran a cloud consulting company, and people kept asking us to handle their security work. Naturally, I said, “Of course we can.” Next thing I knew, I had a master’s, a CISSP, and a full-blown security practice.

Then a friend tricked me into joining Snowflake — said they were building something amazing around security data lakes. And here I am.

Alex:
Any overlap with Omer Singer back in the day?

Jake:
Yeah! He was actually one of the people who interviewed me.

Alex:
That’s awesome. We miss Omer — I think he’s still in stealth mode building something new.

Jake:
Oh, for sure. I bet he’s sitting on a massive backlog of LinkedIn posts ready to go.

Alex:
[Laughs] 100%. Shoutout to Omer.

Okay, let’s talk data lakes — why people adopt them, when it’s time, and how the market’s evolved. When I started this podcast, we were seeing early adopters experimenting. Now it’s mainstream. You’re basically left behind if you’re not thinking about your long-term data security strategy.

We just saw at SplunkConf that Splunk announced a new federated search integration with Snowflake. Full disclosure — Anvilogic has a first-class integration with Snowflake, and Jake works there. But that’s not what this is about. Today we’re really asking: What do we actually need here? And why are more and more folks heading down this path?

Jake:
I’ve been at Snowflake for about three years now, but even before that I was trying to adopt the data lake approach. What we found is most people start from a threat detection mindset — looking for scalability and cost savings — but the real driver is simpler: they realize they have a data problem.

Funny story — one of our large financial customers realized they had too much scattered data. Their head of security literally walked across the hall to the head of data and said, “What do you use?” The answer: “Snowflake.” So security said, “Cool, we’ll use that.” Didn’t tell anyone. Next thing we knew, a massive influx of security data hit the platform and everyone at Snowflake was freaking out — “Did we break something?” Nope. That was just the start of the security data lake movement.

Alex:
That’s such a great story. And it’s funny because it highlights that this whole shift really is about realizing security is a data problem.

So what’s the problem people are actually trying to solve? Is it ingestion? Cost? Pipeline complexity?

Jake:
All of the above. The cloud changed the game. When everything was on-prem, things were predictable. Then came cloud scale — 10x the logs, 10x the retention requirements, and 10x the costs.

So yeah, people realized they needed a data platform — something scalable, flexible, and not built solely for log ingestion.

Alex:
Exactly. I hear that half of most orgs’ data never even makes it into their SIEM. It’s wild.

And now we’re seeing tools like Splunk, Query.AI, and others integrating with Snowflake — because you have to. Visibility demands it.

Jake:
Right. Some start because of cost, others because of data silos or detection performance. I’ve seen huge orgs like Okta run all their detections directly in Snowflake — not because it’s trendy, but because it’s practical.

Alex:
I love when orgs build detections tailored to their environment. Those are always the strongest.

But silos — they’re still everywhere. Why? It’s 2025! We’ve solved compute and storage. Is it organizational? Political?

Jake:
Bingo. It’s mostly organizational. Different departments, budgets, tools. And sometimes the person who set up that legacy system retired years ago — no one even knows where the SSH keys are.

Alex:
That’s so real. I remember when I couldn’t even say “cloud” in a customer meeting around 2013 without getting death stares. Now, it’s the default. I think data lakes are the new cloud.

Jake:
Exactly. Everyone’s heading there — kicking and screaming maybe, but heading there.

Alex:
Speaking of kicking and screaming… Splunk. Tell me more about this new integration with Snowflake.

Jake:
[Laughs] It’s been in the works for years. The hardest part was translating SPL to SQL — that’s like translating from English to Zebra. Totally different architectures, both great at what they do.

The goal was simple: customers wanted to query across both without duplicating data. Think about all the logs that don’t belong in a SIEM — HR, Salesforce, Workday. For insider threat investigations, that context matters. Now, you can keep it in Snowflake and query it directly from Splunk.

Alex:
That’s huge. For once, an integration that truly benefits the customer.

Jake:
Exactly. It’s one of those rare “everyone wins” moments.

Alex:
And yet, Splunkers are cult loyalists — in the best way. I’m curious though — how does the integration actually work day-to-day for a SOC team?

Jake:
We already see customers doing hybrid models — detections running partly in Splunk, partly in Snowflake. Some use orchestration layers like Anvilogic to federate across both. It’s not just about querying; it’s about deciding where detections should run.

Alex:
Makes sense. It’s about flexibility, not replacement.

Jake:
Exactly. Everyone’s multi-cloud, multi-tool, whether they admit it or not. This federation model acknowledges that reality.

Alex:
I love that. Let’s talk about another hot topic — the “DIY SIEM.” Some orgs decide, “We’ll just build our own.” What are you seeing?

Jake:
It happens on both extremes — giant orgs with custom environments and tiny, agile teams with simple architectures. The big players like Okta or Comcast have the engineering muscle for it. The smaller ones do it out of necessity.

But it’s tough. Once you get beyond simplicity, maintaining pipelines, schedulers, correlations — it’s a lot. That’s where hybrid overlays like Anvilogic shine: keep the control, but don’t rebuild the wheel.

Alex:
Totally. And let’s be honest — maintaining detections, validating them, keeping them up to date? That’s a full-time job.

Jake:
Exactly. Even Snowflake’s simplicity doesn’t remove that complexity. AI’s helping a lot — schema discovery, pipeline health, false-positive reduction — but DIY can only take you so far.

Alex:
Yes! I’ve been saying this: the future is hybrid. Better detection quality, better flow. It’s not about “more detections,” it’s about better detections.

Jake:
Absolutely. More data isn’t better — better data is better. Same goes for detections.

Alex:
So do you think Snowflake will ever replace Splunk entirely, or just extend it?

Jake:
Honestly? Both. Some customers replace it outright. But most go hybrid — augmenting Splunk, Sentinel, or whatever they use. The flexibility of SQL and scale of Snowflake just make it too valuable to ignore.

Alex:
Couldn’t agree more. And it’s comforting that no matter where you are on the journey, there’s an option that fits.

Let’s fast-forward to AI — everyone’s talking about the “AI SOC.” Some teams are cautious, others are all in. What are you seeing?

Jake:
Two camps: the cautious ones with AI governance committees, and the ones saying, “How are we using AI to boost productivity today?”

The blockers aren’t technical — they’re procedural. Compliance, regulation, internal politics. That’s why at Snowflake, we’ve built governance directly into the platform. You get unified logs, consistent security, and control over where data goes.

Alex:
See, that’s the pragmatic approach. I’m on the other side — I think if you’re not already using AI, you’re behind. Throw it at the problem, see what happens, and learn fast.

Jake:
And you’re not wrong. But some teams are so overloaded they don’t have time to “learn fast.” They’re digging trenches with their hands and don’t even know there’s a shovel nearby.

Alex:
That’s a perfect analogy.

Jake:
Still, we’re seeing progress. I show customers how to build an “AI L1 Analyst” — an agent that investigates alerts using real detection data. It’s basic orchestration plus a large language model. Suddenly, your first-tier triage is automated. That’s powerful.

Alex:
Yes! But I’ll always say — if your alerts suck, AI won’t save you. Garbage in, garbage out. Let’s fix detection quality first.

Jake:
Exactly. But sometimes, AI can help you see the garbage faster.

Alex:
Fair point.

Alright, we could talk for hours, but let’s wrap. I love your pragmatism, Jake. Even though this wasn’t meant to be a product plug, I think it’s clear how much progress Snowflake, Splunk, and Anvilogic are driving together.

Security doesn’t need ten more dashboards — it needs flow. A strong foundation. Access to all your data. And a price tag that doesn’t cost more than a breach.

Jake, thank you for joining us.

Jake:
Thanks so much for having me — this was a blast.

Alex:
Where can folks follow your work?

Jake:
I post on Medium, just under my name — Jake Borkowski. I write about security data lakes, AI, and sometimes completely unrelated tech like MCP servers.

Alex:
Perfect. We’ll link that in the show notes.

And to our listeners — if this episode made you slightly less angry at your SIEM, consider subscribing, sharing with your detection engineering crew, and leaving us a five-star review on Spotify.

We’ll catch you next time on Detection Dispatch.

Spotify: https://open.spotify.com/episode/3CYcOlCx18MHqRwC5SEu2l

Apple Podcasts: https://podcasts.apple.com/us/podcast/detection-engineering-dispatch/id1813136397