After the August worm in 2005, we learned a few lessons, the most important being having better administration for our networking gear. We have come to a point now that we can disable a switch port or a group of ports or a segment with a click of a mouse, or a single command. This gives an ability to isolate the machine or a segment which is infected. Also, we use policies on our switches through which we can disable any protocol port on a switch port or a LAN. We are also working on a NAC solution which would allow us to isolate any outside laptop connecting to our network if it does not meet the baseline patched status.
Of course, all this is complemented with firewalls, IDSs and a dedicated security team.
That was all technical, but it could not have been possible without strong policies and procedures and commitment from the senior management. Also, we have great co-ordination between the IRT, Security team and the Net OPs, and well-defined guidelines so that in an event there is no time wasted going through the red tape.
Hope this helps
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+