New study released from 3 months of botnet research found that up to 9% of large enterprise organizations are infected and active bot nodes.
This is not surprising and shows the importance of having both internal IDS sensors such as Snort IDS (with Emerging Threats Signature set) and a consolidated logging and event management product (SIEM tools) such as Arcsight.
A large client can leverage SIM to monitor windows event logs, host based ID(P)S and or anti-virus software. With the combined information, companies can leverage strong correlation reports matching those events with the internal IDS sensors. This seems to be a best practice approach at containing sprawling infections such as Conficker, Koobface and even the nasty Zeus (keylogging) malware.
Original article @ Dark Reading:
http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=220200118