The answer may not be “innovation” but going back to basics. It starts with comprehensive asset management: an agency has to identify ALL hardware and software assets on its network. You can’t scan hardware for configuration errors or software for missing patches if you don’t know those devices exist, and every unknown asset is a potential threat vector. A complete inventory also helps compress breach-to-detection-to-response times, because it lets an agency collect the telemetry needed to look for threat indicators, whether they point to a known threat or a zero-day. If the threat is on an asset that is “unknown” to the agency, you won’t get the telemetry needed to identify it.
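An added illustration, not part of the original article: a small Python reconciliation that compares a hypothetical agency's asset inventory with the hosts actually seen on the network and the hosts sending telemetry, surfacing the three gaps the paragraph describes (unknown assets, stale inventory records, and known assets that report nothing). The inventory, observed-host list and telemetry set are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data for a hypothetical agency (not from the article).
INVENTORY = {  # authoritative asset register: hostname -> owning unit
    "ws-001": "finance", "ws-002": "finance",
    "srv-db-01": "it-ops", "srv-old-02": "it-ops",
}
# Hosts seen on the wire in the last 24h (e.g. DHCP leases plus a discovery scan).
OBSERVED = {"ws-001", "ws-002", "srv-db-01", "printer-7f", "raspi-lab"}
# Hosts whose EDR agent / log forwarder checked in during the same window.
TELEMETRY = {"ws-001", "srv-db-01"}


@dataclass(frozen=True)
class CoverageReport:
    unknown_assets: frozenset   # on the network, absent from inventory
    stale_records: frozenset    # in inventory, not seen on the network
    telemetry_gaps: frozenset   # known and present, but sending no telemetry
    telemetry_coverage: float   # share of hosts on the network that report


def reconcile(inventory, observed, telemetry) -> CoverageReport:
    """Cross-check inventory, observed hosts and telemetry sources."""
    known, seen, reporting = set(inventory), set(observed), set(telemetry)
    unknown = seen - known          # cannot be scanned, patched or monitored
    stale = known - seen            # decommissioned, or a wrong record
    present_known = known & seen
    gaps = present_known - reporting
    # Unknown hosts stay in the denominator: they never report, which is
    # exactly how an incomplete inventory hides a threat from detection.
    covered = present_known & reporting
    coverage = len(covered) / len(seen) if seen else 0.0
    return CoverageReport(frozenset(unknown), frozenset(stale),
                          frozenset(gaps), coverage)


if __name__ == "__main__":
    report = reconcile(INVENTORY, OBSERVED, TELEMETRY)
    print("unknown assets :", sorted(report.unknown_assets))
    print("stale records  :", sorted(report.stale_records))
    print("telemetry gaps :", sorted(report.telemetry_gaps))
    print(f"telemetry coverage: {report.telemetry_coverage:.0%}")
```

With this data only 40% of hosts on the network produce telemetry, and the two unknown devices are invisible to both vulnerability scanning and detection until they are added to the inventory.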
Idea No. 148