Putting up a good front

In the face of tight budgets, we need to make sure the money is spent on what is important. I think HIPS and security education should be at the top of that list.
It is well documented that the best security dollar you can spend is on user education. Security awareness training has gone from being a good idea, to being a best practice, to being required by contracts entered into with our customers, to being required by law. By creating an informed user base, the users become our security watchdog instead of our security nemesis. I conclude that technology is not the solution to computer security. It is, at the root, a human problem.
HIPS (Host-based Intrusion Prevention System) is an up-and-coming method of proactively defending endpoint computers. Rather than relying on patching and antivirus, software is placed on the system that disallows specific activity. For example, we could either block or prompt the user when something tries to set itself to run automatically after every reboot. It also attempts to block exploits of vulnerabilities. By taking away the need to patch immediately on the second Tuesday of every month, HIPS would lower the risk to our systems.
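
As an added illustration (not from the original post or from any HIPS product), the code below makes the allow/prompt/block decision described above for a program registering itself to run at startup on Windows. The trusted-writer list, the risky directories and the sample events are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Well-known Windows autorun registry keys, lower-cased for matching.
_CV = r"\software\microsoft\windows\currentversion"
AUTORUN_KEYS = tuple(h + _CV + s for h in ("hklm", "hkcu") for s in (r"\run", r"\runonce"))

# Assumed policy inputs for this example (not taken from any product).
TRUSTED_WRITERS = {r"c:\windows\system32\msiexec.exe"}
RISKY_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")

@dataclass
class RegWrite:
    process: str  # full path of the process performing the write
    key: str      # registry key being written
    value: str    # command line being registered

def is_autorun(key: str) -> bool:
    k = key.lower().rstrip("\\")
    return any(k == a or k.startswith(a + "\\") for a in AUTORUN_KEYS)

def decide(ev: RegWrite) -> str:
    """Return 'allow', 'prompt' or 'block' for one registry write."""
    if not is_autorun(ev.key):
        return "allow"    # not a run-at-startup location
    proc, target = ev.process.lower(), ev.value.lower()
    if any(d in proc or d in target for d in RISKY_DIRS):
        return "block"    # writer or registered program sits in a user-writable directory
    if proc in TRUSTED_WRITERS:
        return "allow"    # known installer
    return "prompt"       # unknown writer: let the user decide

# Constructed sample events.
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    RegWrite(r"C:\Windows\System32\msiexec.exe", RUN_HKLM, r"C:\Program Files\Vendor\agent.exe"),
    RegWrite(r"C:\Users\alice\Downloads\setup.exe", RUN_HKCU, r"C:\Users\alice\Downloads\setup.exe"),
    RegWrite(r"C:\Program Files\Chat\chat.exe", RUN_HKCU, r"C:\Program Files\Chat\chat.exe /min"),
    RegWrite(r"C:\Program Files\Chat\chat.exe", r"HKCU\Software\Chat\Settings", "theme=dark"),
    RegWrite(r"C:\Windows\System32\msiexec.exe", RUN_HKLM, r"C:\Users\bob\AppData\Local\Temp\upd.exe"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{decide(ev):6}  {ev.process} -> {ev.key}")
```

The last event shows why the directory check runs before the trusted-writer check: a trusted installer registering a program from a temp directory is still blocked.
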
Without HIPS and without user education, we are reduced to four main defensive mechanisms:
1. Patch like mad and update antivirus like mad.
2. Implement more antivirus. Don't just have a multilayered email defense. Have a multilayered IM defense. Have a multilayered HTTP defense. Have a multilayered ICQ defense. Have a multilayered FTP defense. Have a multilayered NNTP defense. Basically every major protocol would need this. Perhaps a Fortinet antivirus firewall or the Cisco IDS with Trend Micro would provide a more all-in-one solution.
3. Implement common mitigation strategies such as taking away people's local admin permissions and placing firewalls between internal network segments.
4. Pray.