Today it is well known that malware and spam can bypass antivirus software and intrusion detection systems. If the security vendor has not yet developed a signature for a given attack, the attacker will be able to execute the malicious software and take full control of the corporate network.
To stop malicious activity at an early stage you need to monitor and correlate all events reported by your security devices. For that, BotHunter is a very interesting utility: it correlates existing events on the network coming from computers, switches, routers and intrusion detection systems.
(1) BotHunter’s Infection Life Cycle Model
BotHunter classifies all events in the corporate environment using dialog correlation to identify an intrusion. Usually we fear false positives, where the IDS alerts on legitimate activity as an intrusion, but here the tool correlates the events with its dialog correlation algorithm before flagging a host as infected; the host is then isolated from the network and the administrator is notified to take the necessary steps to clean the malware.
The infection profiles table provides very handy information: the IP of the infected machine, the score for flagging the host as infected, the IP address of the command and control server, and a description of the event explaining to the administrator what was observed on the network. You can read about and download the utility on the official website.
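As an added illustration of the dialog correlation idea and the infection profile fields described above (not BotHunter's own code), the following correlator groups constructed IDS events per internal host, applies a simplified dialog rule, and emits a profile with host IP, score, C&C peer and evidence. The phase labels E1 to E5 follow the published BotHunter model; the event format, weights and time window are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample events: (timestamp, source_ip, dest_ip, phase, description).
# E1 inbound scan, E2 inbound exploit, E3 egg (binary) download,
# E4 C&C traffic, E5 outbound scan / propagation.
SAMPLE_EVENTS = [
    (100, "203.0.113.9", "10.0.0.5", "E1", "inbound port scan"),
    (101, "203.0.113.9", "10.0.0.5", "E2", "inbound exploit signature"),
    (130, "10.0.0.5", "198.51.100.7", "E3", "binary download over HTTP"),
    (160, "10.0.0.5", "198.51.100.7", "E4", "IRC-style C&C check-in"),
    (105, "203.0.113.9", "10.0.0.6", "E1", "inbound port scan"),  # lone scan: noise
    (400, "10.0.0.7", "198.51.100.7", "E4", "C&C check-in"),      # one outbound sign only
]

# Assumed evidence weights for the profile score (not BotHunter's real parameters).
WEIGHTS = {"E1": 0.2, "E2": 1.0, "E3": 1.0, "E4": 1.0, "E5": 1.0}

def correlate(events, window=600):
    """Flag a host when an inbound exploit (E2) is followed by any outbound
    phase (E3-E5), or when two distinct outbound phases are seen; a lone
    scan or a single C&C-looking flow is not enough, which is what keeps
    isolated IDS alerts from becoming false positives."""
    per_host = defaultdict(list)
    for ts, src, dst, phase, desc in events:
        # Inbound phases name the victim as destination, outbound ones as source.
        inbound = phase in ("E1", "E2")
        host, peer = (dst, src) if inbound else (src, dst)
        per_host[host].append((ts, phase, peer, desc))
    profiles = []
    for host, evs in per_host.items():
        evs.sort()
        first = evs[0][0]
        evs = [e for e in evs if e[0] - first <= window]  # one dialog window
        phases = {p for _, p, _, _ in evs}
        outbound = phases & {"E3", "E4", "E5"}
        e2_time = min((t for t, p, _, _ in evs if p == "E2"), default=None)
        out_after_e2 = e2_time is not None and any(
            p in outbound and t > e2_time for t, p, _, _ in evs)
        if out_after_e2 or len(outbound) >= 2:
            cc = next((peer for _, p, peer, _ in evs if p == "E4"), None)
            profiles.append({
                "host": host,
                "score": round(sum(WEIGHTS[p] for p in phases), 1),
                "cc_server": cc,
                "evidence": [f"{p}: {d}" for _, p, _, d in evs],
            })
    return profiles

if __name__ == "__main__":
    for profile in correlate(SAMPLE_EVENTS):
        print(profile)
```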
Source: (1) Figure of BotHunter’s Infection Life Cycle Model http://www.bothunter.net/about.html