Network security monitoring is an essential part of securing any modern system. While commercial and open source monitoring solutions exist for many deployment scenarios, they do not address the needs of very large organisations or nation states. This presentation walks through the challenges faced by the Finnish National Cyber Security Centre (NCSC-FI) while building the HAVARO network security monitoring system. Lessons learned during five years of incremental development, both in processes and in technology, are highlighted. HAVARO is the Finnish national monitoring system for critical infrastructure actors and governmental entities. HAVARO aims to detect serious incidents such as APT attacks using threat intelligence shared among partners. HAVARO has a modular and extendable architecture so that it can react to novel threats with new detection mechanisms. It uses a decentralised model where the constituents retain control and ownership of their data while minimising the privacy implications of the monitoring for the end users. HAVARO is complementary to the existing detection systems and services that protect against generic threats. The presentation concludes with a model of open monitoring system design that enables public and private entities to collaborate in defending the constituents. Central components of this model include a REST API and a simple data format to enable easy integration into monitoring systems.