The main thing is monitoring what's going on at the desktop level as well as the network level. Know what your users are bringing onto the system in addition to who's trying to break in.