I've been fairly successful in doing the regular geoip block process on the ASA. I've been compiling the ranges of IPs from malicious/unstable/non-allied/etc. countries, and blocking their access at the perimeter. Of course, it isn't a fool proof solution knowing that the determined entity will be able to pivot off of trusted but compromised country ranges. But, pairing it with BOGONS, TOR exit points and a few others, we've seen a drop in the intrusion scale.
I did this as the drain on the resources on the ASA was negligible. But, as the list of countries keeps rising, perhaps the better approach would be to allow only trusted countries access to our public facing services.
Does anyone have a working process or solution for allowing only traffic from the States and Canada access through the ASA? Examples would be appreciated.