- Implement automated patch management for all systems, including non-production
- Remove SUID bits from binaries that are not strictly necessary
- Monitor for new SUID binaries appearing on systems
- Use file integrity monitoring for critical system binaries