I always liked that idea of dropping all your firewall rules and only opening the ports back up when users complain. Maybe it's not practical or politically wise, but it would surely increase your knowledge about your network. The core idea is to disrupt flows and see what happens. It also makes your monitoring and reporting easier.
One idea that we have promoted in talks is adding two-factor authentication to sudo on Linux via PAM-RADIUS. If you're using 2FA to log in to your servers, this might seem excessive, but what if your servers have been compromised by a vulnerability? The key idea is that you don't have to do it forever; just implementing it for a week or so will show you if anything is running sudo that shouldn't.
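As an added example (not code from the original post), here is a small POSIX shell helper for running the sudo-2FA experiment for a bounded time: it prepends the `pam_radius_auth` check to the sudo PAM stack with a backup so it can be rolled back, and then reports sudo authentication failures from an auth log, since a failed second factor with no human at the keyboard is exactly the signal the experiment is after. It assumes the `pam_radius_auth` module is installed and already pointed at a working RADIUS server (its own server/secret configuration is not covered here), that the PAM file is `/etc/pam.d/sudo`, and the sample log lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes pam_radius_auth is
# installed and configured against a reachable RADIUS server.

RADIUS_LINE="auth required pam_radius_auth.so"

# Prepend the RADIUS check to the sudo PAM stack so it runs before the
# local password module; keep a backup of the original for the rollback.
enable_radius_sudo() {
    pam_file="$1"
    if grep -q 'pam_radius_auth.so' "$pam_file"; then
        return 0   # already enabled, nothing to do
    fi
    cp "$pam_file" "$pam_file.pre-radius"
    { printf '%s\n' "$RADIUS_LINE"; cat "$pam_file.pre-radius"; } > "$pam_file"
}

# Restore the original stack once the observation window is over.
disable_radius_sudo() {
    pam_file="$1"
    if [ -f "$pam_file.pre-radius" ]; then
        mv "$pam_file.pre-radius" "$pam_file"
    fi
}

# Number of sudo authentication failures recorded in an auth log.
count_sudo_auth_failures() {
    grep -c 'sudo:.*authentication failure' "$1"
}

# Distinct accounts whose sudo authentication failed (taken from the
# "user=" field that pam_unix writes); these are the ones to investigate.
failed_sudo_users() {
    grep 'sudo:.*authentication failure' "$1" \
        | sed -n 's/.*user=\([^ ]*\).*/\1/p' | sort -u
}

# Demonstration on constructed files; no real system files are touched.
demo() {
    tmp=$(mktemp -d)
    printf '#%%PAM-1.0\nauth include system-auth\naccount include system-auth\n' > "$tmp/sudo"
    enable_radius_sudo "$tmp/sudo"
    head -n 1 "$tmp/sudo"            # auth required pam_radius_auth.so
    disable_radius_sudo "$tmp/sudo"
    # Constructed log: a "backup" account failing sudo at 02:14 with no TTY,
    # and a normal interactive sudo by alice.
    cat > "$tmp/auth.log" <<'EOF'
Jun 10 02:14:03 host sudo: pam_unix(sudo:auth): authentication failure; logname= uid=1001 euid=0 tty= ruser=backup rhost=  user=backup
Jun 10 02:14:03 host sudo: pam_radius_auth: authentication failure for backup
Jun 10 09:30:11 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
EOF
    count_sudo_auth_failures "$tmp/auth.log"   # 2
    failed_sudo_users "$tmp/auth.log"          # backup
    rm -rf "$tmp"
}

demo
```

Run `enable_radius_sudo /etc/pam.d/sudo` from a root shell you keep open for the duration of the test, since a RADIUS outage would otherwise lock everyone out of sudo, and `disable_radius_sudo /etc/pam.d/sudo` when the week is up. Accounts surfaced by `failed_sudo_users` with an empty `tty=` field are the cron jobs, agents and scripts the post is talking about.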
At BSidesAsheville this past weekend, I had the pleasure of discussing this idea with Paul Coggin. (Paul's talk on MPLS hijacking was a hit. Look for the slides when they are posted.) He made the suggestion (and had implemented it) of adding two-factor authentication as a requirement for internet egress. What a great way to assure that your outbound connections are by humans and not malware! Again - you don't have to do it forever. Just long enough to see what's trying to dial home - to the wrong home.