I've been tasked with responding with a policy & procedures walk-through for "what do we do when we have been informed that we have a threat in-house".

I'm looking for documentation that would give better sample responses than whitepapers that say "use us and we will remediate your threat for you"...

I am aware of (and am investigating) IDS-type tools, but I am working from the premise that *something* got inside the enterprise; now how to find it and eradicate it...

I'm working from:

  1. Escalate security on a deep-packet device like a SonicWall.
  2. Run an in-depth manual scan of all servers and workstations.
  3. Add real-time packet inspection to more of the services (looking for traffic).
  4. Then... remediate and clean as necessary.

Thoughts/suggestions?
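Step 3 of the list above ("looking for traffic") is where a compromised internal host is usually caught: malware that got inside tends to call home on a fixed timer, and that regularity stands out in connection logs even when the traffic is encrypted. The following is an added example, not code from the original post or from any product it mentions. It assumes a key=value connection-log format (timestamp, src, dst, dport, bytes) of the kind a firewall or proxy can export; the log lines are constructed for the example, using documentation IP ranges, and the thresholds (at least 5 connections, coefficient of variation of the gaps at most 0.15) are assumptions to tune against your own traffic.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): key=value connection records
# such as a firewall or proxy might export. Times are ISO-8601.
# 10.1.2.3 calls 203.0.113.7 about once a minute; 10.1.2.4 browses normally;
# 10.1.2.5 has too few events to judge; one line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-04T10:00:00 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=512
2024-03-04T10:00:05 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=18200
2024-03-04T10:00:09 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=3300
2024-03-04T10:01:00 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=498
2024-03-04T10:02:01 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=511
2024-03-04T10:02:30 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=940
2024-03-04T10:02:33 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=77000
2024-03-04T10:02:59 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=502
this line is garbage and must be skipped
2024-03-04T10:04:00 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=509
2024-03-04T10:05:02 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=500
2024-03-04T10:06:00 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=515
2024-03-04T10:07:00 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=503
2024-03-04T10:09:10 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=1200
2024-03-04T10:09:12 src=10.1.2.4 dst=198.51.100.20 dport=443 bytes=65000
2024-03-04T10:09:30 src=10.1.2.5 dst=192.0.2.9 dport=22 bytes=4000
2024-03-04T10:09:31 src=10.1.2.5 dst=192.0.2.9 dport=22 bytes=4000
"""

# Assumed record layout; adjust the pattern to whatever your device exports.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_beacons(lines, min_events=5, max_cv=0.15):
    """Flag (src, dst, dport) flows whose inter-connection gaps are
    suspiciously regular: at least min_events connections and a coefficient
    of variation (stdev / mean of the gaps) no greater than max_cv.
    Results are sorted with the most clock-like flow first."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-record lines are skipped, not fatal
        flows[(rec["src"], rec["dst"], rec["dport"])].append(rec["ts"])

    hits = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_events:
            continue  # not enough samples to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0:
            continue  # identical timestamps are a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "count": len(stamps), "mean_interval": mean_gap,
                         "cv": cv})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{h['src']} -> {h['dst']}:{h['dport']}  {h['count']} connections, "
              f"every ~{h['mean_interval']:.0f}s (cv={h['cv']:.3f})")
```

On the constructed log only the 10.1.2.3 flow is reported (8 connections, about 60 s apart, cv near 0.02); the normal browsing host has wildly varying gaps and is ignored, and the two-event SSH flow never reaches the minimum sample count. Low CV is a hunting lead, not a verdict: legitimate agents (NTP, update checks, monitoring) also beacon, so the next step is to check the destination against known infrastructure and pull the process on the source host before moving to step 4.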