Preface

Our security team found a new way to make money. In 2006, after perfecting our enterprise malware monitoring, we began to deploy tools for monitoring Cisco’s infrastructure more deeply. In doing so, we found our team positioned to monitor applications in new ways. Weary of ignoring the risk presented by new ventures, we offered a solution: fund staff to monitor targeted risk areas, and handle the infrastructure ourselves. The solution paid off—our monitoring team has grown, and we’ve developed new techniques for finding and addressing the necessary risks of a growing enterprise.

In 2007, we shared this experience with our Forum of Incident Response and Security Teams (FIRST) buddies at the annual conference. Some say we chose that conference because it was being held in Seville, Spain, but we were just doing our part for the security community. We wanted a crowd, so we titled our presentation “Inside the Perimeter: 6 Steps to Improve Your Security Monitoring.” We received enough encouragement to repeat the presentation at the annual Cisco Networkers conference later that year, where we expanded the talk to two hours and packed the house with an enthusiastic audience. Feedback was positive, and we were asked to repeat it in Brisbane, Australia; Orlando, Florida; and Barcelona, Spain over the next several months. In the meantime, we felt we had enough ideas to fill a book, and the editors at O’Reilly agreed.

Our audiences told us they liked the presentations because they craved honest experience from security practitioners. We share the challenges you face; we’re on the hook for security, and have to prioritize resources to make it happen. We like reading authentic books—the ones that don’t try to sell us gear or consulting services—and we’ve endeavored to write this book with that angle. This book aims to share our experience, successes, and failures to improve security monitoring with targeted techniques.

What This Book Is Not

This book is not an introduction to network, server, or database administration, nor is it an introduction to security tools or techniques. We assume that you have a foundational understanding of these areas and seek to build on that foundation through specialized application. If we lose you along the way, put a bookmark where you left off and refer to the following excellent books:

  • The Tao of Network Security Monitoring, by Richard Bejtlich (Addison-Wesley Professional)

  • Essential System Administration, by Æleen Frisch (O’Reilly)

  • Counter Hack Reloaded, by Ed Skoudis and Tom Liston (Prentice Hall PTR)

  • Computer Viruses and Malware, by John Aycock (Springer)

  • Writing Secure Code, by Michael Howard and David LeBlanc (Microsoft Press)
