It's all about whitelisting I say. The less educated folks in IT think it is an impossible feat to use app controls to whitelist your standard baseline system. I was in a conference call this week where someone stated it's "easier to blacklist". I was like what??? Sure for the one-offs you actually know about, but what about the 100 other backdoor apps installed on your network that you DON'T know about??
If anything enforce whitelists on your servers, I mean if you don't know what is running on at least those then you have lost this battle.
I believe the basic firewall rule set is an excellent example and POC: your rules that allow traffic in to specific services, with the DENY ALL rule at the end. Even outgoing, allow only these services out from these specific networks, block everything else. Good, your egress point to the network is covered. Now do the same for everything else! Sure it may take a while to complete the list of allowed apps on your network, but in the long run it will pay off. Keep everything patched and your C-levels can sleep better at night.
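The "whitelist the baseline, deny everything else" idea from the post, as an added example that is not part of the original post or any product it mentions: a small Python auditor that builds an allowlist of SHA-256 hashes from a known-good reference image and then checks a live file tree against it with the same default-deny logic as a firewall rule set. Anything executable that is not on the list (unknown path) or whose content no longer matches (known path, different hash) is flagged. The `reference/` and `live/` directories, the file names and the "executable means mode bit set" rule are all assumptions of this demo; `run_demo()` constructs them in a temp directory so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _executables(root: Path):
    """Yield (relative path, absolute path) for every regular file with an execute bit (assumption: that is what 'app' means here)."""
    for p in root.rglob("*"):
        if p.is_file() and os.access(p, os.X_OK):
            yield str(p.relative_to(root)), p


def build_baseline(root) -> dict:
    """Walk a known-good reference install and record relative path -> sha256 for each executable."""
    root = Path(root)
    return {rel: sha256_of(p) for rel, p in _executables(root)}


def audit(root, baseline: dict) -> dict:
    """Default-deny audit of a live tree: allowed only if path AND hash match the baseline."""
    root = Path(root)
    findings = {"allowed": [], "modified": [], "unknown": []}
    for rel, p in _executables(root):
        digest = sha256_of(p)
        if baseline.get(rel) == digest:
            findings["allowed"].append(rel)        # on the list, untouched
        elif rel in baseline:
            findings["modified"].append(rel)       # on the list, but content changed
        else:
            findings["unknown"].append(rel)        # never approved: the implicit DENY ALL
    for key in findings:                           # deterministic order for reporting/tests
        findings[key].sort()
    return findings


def _write(path: Path, data: bytes, executable: bool = True) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    if executable:
        path.chmod(0o755)


def run_demo() -> dict:
    """Build a constructed reference image and a constructed live host, then audit the live host."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "reference"   # constructed stand-in for the gold build
        live = Path(tmp) / "live"       # constructed stand-in for a running server
        _write(ref / "bin" / "sshd", b"#!/bin/sh\necho sshd\n")
        _write(ref / "bin" / "httpd", b"#!/bin/sh\necho httpd\n")
        _write(ref / "etc" / "motd", b"welcome\n", executable=False)  # data, not an app
        baseline = build_baseline(ref)

        _write(live / "bin" / "sshd", b"#!/bin/sh\necho sshd\n")             # unchanged
        _write(live / "bin" / "httpd", b"#!/bin/sh\necho httpd; echo extra\n")  # tampered
        _write(live / "opt" / "helper", b"#!/bin/sh\necho not-on-list\n")   # never approved
        _write(live / "etc" / "motd", b"welcome\n", executable=False)
        return audit(live, baseline)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category:9s} {paths}")
```

The point of the two non-"allowed" buckets is operational: "modified" is a patching or tampering question on something you already own, while "unknown" is exactly the 100 apps you did not know about, and the list is what makes them visible at all. In a real deployment the baseline would come from the golden image or package manifests rather than a sibling directory, and the hashes would feed the actual app-control product's policy.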