- Anti-Virus is not (or should not be) an incident response tool. The emphasis here is on response. I agree that AV is often an incident detection tool, and ideally an incident avoidance tool. However, if you think AV is going to help recover from a totally compromised system, you are probably going to be upset by the results.
- Your default incident recovery strategy should be to rebuild from scratch. The emphasis here is on recovery. I am not saying your default incident response strategy should be to rebuild from scratch. Your default response strategy should be to investigate to determine how the victim was compromised, what aspects of Confidentiality/Integrity/Availability were violated, and so on. I agree that any response which begins with re-imaging the victim is a recipe for failure.
- SPAN ports should not be the default traffic access option. I'm standing by this one. The only time SPAN ports are superior to taps is the situation where intra-switch traffic needs to be seen. Otherwise, spend a few dollars and get a product designed to grant reliable traffic access. I'm talking about professional ways to perform incident response here. Hardware is the easiest thing to get budget for in any organization. It's easier to buy a piece of hardware than it is to send a person to training, hire new help, bring in outside consultants, or fund any other activity that could benefit a security shop.
I appreciate the other recommendations I've seen. These are only a few big thoughts which struck me based on recent engagements. I have over a dozen recommendations in my Network Security Operations class and I think I cover similar material in Extrusion Detection.