Use full drive crypto with TPM
The only way to secure a laptop is to use full drive crypto that supports TPM and have a laptop which has functional TPM chip. For example DELL business models.
And then never leave the laptop in suspended mode when you leave the room, always either switch it off or use hibernation.
Thus attacker cannot do DMA attack to memory since memory is switched off, and cannot modify boot sector even by accessing hard drive directly with another PC as TPM will scream on that.