Comments on SANS CDX Briefing

1- Know the Network and Keep it Simple: Each additional device is another avenue of attack. The entire team must understand the network. Troubleshooting is easier with a simple design.
2- Deny by Default Policy: Only allow what is absolutely necessary. It's easier than blocking known bads.
3- Remove Unnecessary Services, Software, and User Accounts: What is the role of the computer? Remove unnecessary software completely.
4- Plan for Contingencies: All networks will eventually have a problem.

Read this in Richard Bejtlich's blog.