I'm going to focus on controls/stuff you can do without spending cash.
Patch your shit. Seriously. When I get some more time I'll write up a long form post on how you can "nudge" the server, app and network teams to think it's a really good idea to do this, but this should be a key focus for anyone working in blue teams.
When you've finished patching the above, go around again and look for all the stuff you've missed. Then patch it. Then repeat the process on a regular basis.
Lock down your admin creds (particularly in AD) and reject any app that "requires" Domain Admin/Local Admin or similar to run. Trust me, they don't - it's just lazy implementation guides from the vendor. Start digging and there will be a method that allows the app to run via a standard user account.
Close the easy gaps first. Attackers are lazy, and they'll use the minimum required to get in. Review your firewall rules, for example: any permit tcp inbound 139/445 ones in there? Bin them.
Look for/ask for security guides or hardening guides from your existing vendors. They should all have them, and the likes of Microsoft/Cisco/Apple/insert large IT provider here are generally very good at telling you how to secure their stuff if you go and look for it.
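An added example of the firewall-rule review above (my code, not the poster's): a small Python checker that reads Cisco IOS style extended ACL lines, assumed to be applied inbound on the internet-facing interface, and flags every permit that would let TCP 139/445 in, including blanket `permit ip` and `permit tcp` with no destination port. The ruleset at the bottom is constructed for the example.

```python
# Ports the post calls out, NetBIOS session (139) and SMB (445), plus the keyword spellings Cisco IOS accepts for them.
RISKY_PORTS = {139: "netbios-ssn", 445: "microsoft-ds"}
PORT_KEYWORDS = {"netbios-ssn": 139, "microsoft-ds": 445}

def _port(tok):
    # Numeric port or IOS keyword -> int; anything else (www, domain, ...) -> None
    return PORT_KEYWORDS.get(tok.lower(), int(tok) if tok.isdigit() else None)

def _take_spec(toks, i):
    # Consume one side of the rule: 'any' | 'host A' | 'A WILDCARD', then an
    # optional 'eq P' / 'range LO HI' (gt/lt/neq left out). Return (ports or None, next index).
    if i >= len(toks):
        return None, i
    i += 1 if toks[i].lower() == "any" else 2
    op = toks[i].lower() if i < len(toks) else ""
    if op == "eq":
        return {_port(toks[i + 1])}, i + 2
    if op == "range":
        lo, hi = _port(toks[i + 1]), _port(toks[i + 2])
        return (set(range(lo, hi + 1)) if None not in (lo, hi) else set()), i + 3
    return None, i

def flag_smb_permits(acl_lines):
    """Return (rule, reason) for every permit that would admit TCP 139 or 445."""
    findings = []
    for line in acl_lines:
        toks = line.split()
        if toks[:1] == ["access-list"]:
            toks = toks[2:]  # drop the 'access-list <number>' prefix
        if len(toks) < 4 or toks[0].lower() != "permit":
            continue
        proto = toks[1].lower()
        _, i = _take_spec(toks, 2)          # source address and any source-port operator
        dst_ports, _ = _take_spec(toks, i)  # destination address and port operator
        if proto == "ip":
            findings.append((line, "permit ip admits every TCP port, 139/445 included"))
        elif proto == "tcp" and dst_ports is None:
            findings.append((line, "permit tcp with no destination port restriction"))
        elif proto == "tcp":
            hit = sorted(p for p in dst_ports if p in RISKY_PORTS)
            if hit:
                findings.append((line, "inbound permit for " + ", ".join(f"{p}/{RISKY_PORTS[p]}" for p in hit)))
    return findings

SAMPLE_RULES = [  # constructed for this example, not a real ruleset
    "access-list 101 permit tcp any any eq 445",
    "access-list 101 permit tcp any host 10.1.1.6 range 135 139",
    "access-list 101 permit tcp any any eq 443",
    "access-list 101 permit ip any any",
    "access-list 101 deny tcp any any eq 139",
]
```

Feed it the output of `show access-list` for the inbound ACL and it prints the lines worth binning; the 443 rule and the deny are correctly left alone.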