Strive to spread doubt and confusion in the adversary's mind
There are plenty of ways to do this. You can start by making your infrastructure a moving target: change addresses, network topologies, and the set of available resources daily. Aggressive use of virtualization makes it possible to build up and tear down resources at will. SDN technology can virtualize the deception process itself while making it easier to build security management and control features into the network fabric. In short, do what you can to prevent the adversary from seeing the same infrastructure twice.
You can also set up honey pots and Potemkin villages on your network that can waste the adversaries' time, divert them from real assets, lead them to tainted intellectual property, or cause them to stumble into alarms that announce their presence in your domain. At their most advanced, these techniques can shake adversaries' confidence in their hacking prowess and increase their anxiety over being caught, exposed and prosecuted.
Collect, correlate, and analyze as much operational data as you can
This strategy is significant because it signals a shift in remediation toward detecting and defeating attacks and intrusions quickly and thoroughly when they do occur. In the data, you are looking for Indicators of Compromise (IoCs): anomalous device or user behavior, network traffic to and from known-bad addresses, and other tip-offs. Data subject to analysis can include local telemetry from your infrastructure, information and intelligence from beyond your infrastructure, and traffic that doesn't conform to normal patterns of activity.
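As an added illustration of the three IoC categories named above (known-bad addresses, deviation from a host's normal destinations, and volume anomalies), the following example correlates constructed flow records per host. It is not code from the article; the addresses, baseline and log lines are all constructed for the example.

```python
"""Flag IoCs in constructed flow records and correlate them per source host.
Example code added for illustration; all data below is constructed."""
from collections import defaultdict
import ipaddress

# Constructed known-bad address list (documentation-range addresses, not real IoCs).
KNOWN_BAD = {ipaddress.ip_address("203.0.113.45"), ipaddress.ip_address("198.51.100.7")}

# Constructed baseline: destinations each host normally talks to, learned earlier.
BASELINE = {
    "10.0.0.5": {"10.0.0.1", "192.0.2.10"},
    "10.0.0.9": {"10.0.0.1"},
}

# Constructed flow log: timestamp src dst dst_port bytes
FLOW_LOG = """\
2024-05-01T02:00:01Z 10.0.0.5 10.0.0.1 53 120
2024-05-01T02:00:05Z 10.0.0.5 203.0.113.45 443 98000
2024-05-01T02:01:10Z 10.0.0.9 10.0.0.1 53 110
2024-05-01T02:02:30Z 10.0.0.9 192.0.2.200 8080 540000
2024-05-01T02:03:00Z 10.0.0.5 192.0.2.10 443 3000
2024-05-01T02:04:00Z 10.0.0.5 192.0.2.10 443 2500000
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows

def find_iocs(flows, known_bad=KNOWN_BAD, baseline=BASELINE, volume_threshold=1_000_000):
    """Return (ts, src, dst, reasons) for every flow matching at least one IoC category."""
    findings = []
    for f in flows:
        reasons = []
        if ipaddress.ip_address(f["src"]) in known_bad or ipaddress.ip_address(f["dst"]) in known_bad:
            reasons.append("known-bad-address")
        if f["src"] in baseline and f["dst"] not in baseline[f["src"]]:
            reasons.append("new-destination")
        if f["bytes"] >= volume_threshold:
            reasons.append("volume-anomaly")
        if reasons:
            findings.append((f["ts"], f["src"], f["dst"], reasons))
    return findings

def correlate_by_host(findings):
    """Correlate findings per source host: more than one IoC category escalates, one is reviewed."""
    per_host = defaultdict(set)
    for _ts, src, _dst, reasons in findings:
        per_host[src].update(reasons)
    return {src: ("escalate" if len(r) > 1 else "review") for src, r in per_host.items()}
```

Correlating across categories is what separates a single noisy alert from a host that has tripped several independent indicators and deserves immediate attention.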
Changing your mental approach is just as essential
This new approach to security carries with it a non-trivial change in how we think about security. Formerly, we thought of security as defending perimeters and hardening assets against attack. The new model calls for assuming that if people, things, and business processes haven't been compromised yet, they will be shortly. Established security tools and products such as firewalls, security appliances, and anti-malware software do a good job of blocking known threats, which leaves us freer to detect, recognize, and contain the threats that manage to slip through basic defenses.
Increasingly, we have come to understand that the most dangerous threats do their work quietly and quickly, and then disappear. A threat of this kind will typically wreak its damage in minutes, hours or days. By contrast, too many security teams require days, weeks, or months to discover and remediate an intrusive threat of this kind. That's not good enough.
We also need accountability shifts, a measure by which to define efficacy, and a willingness to "break some glass" to change what we have...otherwise, we continue to get more of what we have today, and that isn't acceptable.