There's been a lot of talk about how to use technology to protect against advanced targeted attacks, but in fact, technology is rarely the issue. These basics must be covered first and foremost before you even begin to think about technology.
#1 Employ System administrators who actually read their system's log files!
You can hire 100 security analysts to look over your centralised log storage of every system in your infrastructure - but they will never know those systems as well as the person who administers them on a day-to-day basis. The diligent sysadmin who reads their logs and can come to the security team pointing to events therein, saying "This shouldn't happen normally", can be the most powerful detection control you have.
#2 Compartmentalise and Define your Administrative Activities.
Defining what is and is not normal within the complexities of modern computing systems can be like emptying the ocean with a cup. Instead, define what is normal for /your business procedures/ and alert on what diverges from that. If you know that all remote desktop sessions using administrative credentials must originate from a trusted, admins-only terminal server, locating the potentially malicious sessions becomes a simple process of elimination.
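As an added illustration (not code from the original post), the rule above expressed as detection logic over constructed logon records: the field layout mimics a Windows Security event 4624 with LogonType 10 (RemoteInteractive), while the jump-host address, account names and hosts are assumed sample values.

```python
# Added example, not from the original post: flag remote desktop logons by
# administrative accounts that do not originate from the admins-only terminal server.
# Event layout mimics Windows Security event 4624 (successful logon), LogonType 10
# (RemoteInteractive, i.e. RDP); all hosts, accounts and addresses are constructed.
from dataclasses import dataclass

TRUSTED_ADMIN_SOURCES = {"10.0.5.10"}  # constructed IP of the admins-only terminal server
ADMIN_ACCOUNTS = {"CORP\\adm_jsmith", "CORP\\adm_backup"}  # constructed admin accounts
RDP_LOGON_TYPE = 10  # RemoteInteractive logon type in event 4624

@dataclass
class LogonEvent:
    event_id: int
    account: str
    logon_type: int
    source_ip: str
    target_host: str

def parse_event(line: str) -> LogonEvent:
    """Parse a simplified key=value rendering of a 4624 event (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.split())
    return LogonEvent(
        event_id=int(fields["EventID"]),
        account=fields["Account"],
        logon_type=int(fields["LogonType"]),
        source_ip=fields["SourceIP"],
        target_host=fields["Host"],
    )

def is_divergent(ev: LogonEvent) -> bool:
    """True when an admin account logged on via RDP from anywhere but the jump host."""
    return (ev.event_id == 4624
            and ev.logon_type == RDP_LOGON_TYPE
            and ev.account in ADMIN_ACCOUNTS
            and ev.source_ip not in TRUSTED_ADMIN_SOURCES)

def find_divergent(lines) -> list:
    """Return the events that break the 'admin RDP only from the jump host' rule."""
    return [ev for ev in map(parse_event, lines) if is_divergent(ev)]

SAMPLE_LOG = [  # constructed sample lines: only the second one should alert
    "EventID=4624 Account=CORP\\adm_jsmith LogonType=10 SourceIP=10.0.5.10 Host=SRV-DB01",
    "EventID=4624 Account=CORP\\adm_jsmith LogonType=10 SourceIP=10.0.42.7 Host=SRV-DB01",
    "EventID=4624 Account=CORP\\jdoe LogonType=10 SourceIP=10.0.42.7 Host=SRV-FILE02",
    "EventID=4624 Account=CORP\\adm_backup LogonType=3 SourceIP=10.0.42.7 Host=SRV-FILE02",
]

if __name__ == "__main__":
    for ev in find_divergent(SAMPLE_LOG):
        print(f"ALERT: {ev.account} RDP to {ev.target_host} from untrusted {ev.source_ip}")
```

Non-admin RDP sessions and admin network logons (LogonType 3) are deliberately left alone so the rule stays tied to the one business procedure it encodes.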
#3 Don't leave instructions for an intruder!
As any professional pen-tester will tell you, the best source of information about what to attack next (and how to attack it) is often provided to them by system administrators leaving notes for themselves in 'temporary' documents on systems - lists of system information, plain text credentials, notes about the account they've just reset to a default password 'temporarily' while they debug a problem. An administrator's home directory on a system is often the very first place an attacker will examine once they have control of a system - and that goes for metadata as well - an administrator's command line history is an open book about the layout of the system and the other systems they work on.