December 26, 2011

Malware monitoring and response.

There are many tools on the market to monitor or respond to malware incidents and outbreaks, and there are several event correlation systems (SELM, SIEM, SEM) that can take information from the events and give statistics and reports about what happened and where.

These systems are necessary, but there is a lot more that can be done to help in responding to malware incidents: providing context on how and where the malware spread, where to deploy resources to remediate and inoculate systems, and possibly finding the weak spots that allow the malware to come in and take root.

The toolsets to do this type of response are available, although they are often very difficult to get working correctly. Many require custom coding, asset lists, subnet lists and many other data points that most companies do not have a good handle on. Those data points are slowly becoming available through asset and network management systems. The trick is to get all this information together in a concise and visible way, to understand the contexts, waypoints and weak spots that the malware thrives on.

We ran an experiment using common data sets normally available to an enterprise: we correlated data from an AV management system, a malware detection/protection gateway, a CMDB (asset management system) and a feed from a DNS grid to provide subnet information.

Most AV systems provide hostnames and/or addresses for when a piece of malware is detected or remediated; malware gateways often provide the same information, but for the host it was intended to infect or has infected and was detected on. This information can be cross-referenced with asset information to find out who uses the asset, what its properties are (workstation, laptop, mobile device, etc.), its OS and its use (production, development, DR, personal, etc.). This information can be used in a risk calculation to provide an ordered list of incidents, from high to low priority, to take a look at. Mapping these to known subnets from a network management tool (DNS in our case) provides a visual context: a map of all sites within the enterprise which can show where, geographically, we are being infected.

Much more useful information can be gleaned by combining this data, such as a spike in trojans being targeted at executives, rootkits at database servers, etc. This information is hard to obtain from each system on its own, but together it provides a much bigger picture of what is happening, where, and to whom or what.
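The correlation described in the two paragraphs above, as an added example that is not from the original post or from any of the products mentioned: constructed AV events are joined to constructed CMDB records and a constructed subnet-to-site table, scored by malware family, asset role, environment and remediation state, and then grouped by site and by family/role pairing. The weights, field names and sample data are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not from the post): AV detections, CMDB records, subnet feed.
AV_EVENTS = [
    {"host": "ws-0412", "ip": "10.1.5.23", "family": "trojan", "action": "detected"},
    {"host": "db-prod-02", "ip": "10.2.0.14", "family": "rootkit", "action": "detected"},
    {"host": "lt-exec-07", "ip": "10.1.5.88", "family": "trojan", "action": "remediated"},
    {"host": "dev-build-1", "ip": "10.3.7.5", "family": "adware", "action": "remediated"},
]
CMDB = {
    "ws-0412": {"owner": "jsmith", "type": "workstation", "role": "staff", "env": "production"},
    "db-prod-02": {"owner": "dba-team", "type": "server", "role": "database", "env": "production"},
    "lt-exec-07": {"owner": "cfo", "type": "laptop", "role": "executive", "env": "production"},
    "dev-build-1": {"owner": "build", "type": "server", "role": "ci", "env": "development"},
}
SUBNETS = {"10.1.0.0/16": "London", "10.2.0.0/16": "Frankfurt-DC", "10.3.0.0/16": "Dev-Lab"}

# Assumed weights: how nasty the family is, how sensitive the asset role is, how critical the environment is.
FAMILY_WEIGHT = {"rootkit": 5, "trojan": 3, "adware": 1}
ROLE_WEIGHT = {"database": 4, "executive": 4, "ci": 2, "staff": 1}
ENV_WEIGHT = {"production": 2, "development": 1}

def site_for(ip):
    """Map an address to a site using the subnet feed; unknown subnets are flagged, not dropped."""
    addr = ipaddress.ip_address(ip)
    for cidr, site in SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return site
    return "unknown"

def risk_score(event, asset):
    """Multiplicative score; a detection that was not remediated is still live, so it counts double."""
    score = FAMILY_WEIGHT.get(event["family"], 2) * ROLE_WEIGHT.get(asset.get("role"), 1)
    score *= ENV_WEIGHT.get(asset.get("env"), 1)
    if event["action"] == "detected":
        score *= 2
    return score

def prioritise(events, cmdb):
    """Join AV events to CMDB and subnet data, returning rows ordered from highest to lowest risk."""
    rows = []
    for ev in events:
        asset = cmdb.get(ev["host"], {})  # a host missing from the CMDB still gets a (low) score
        rows.append({**ev, **asset, "site": site_for(ev["ip"]), "risk": risk_score(ev, asset)})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)

def infections_by_site(rows):
    """Counts per site: the geographic view of where infections are landing."""
    return Counter(r["site"] for r in rows)

def family_role_pairs(rows):
    """Counts of (family, role): spots patterns such as trojans aimed at executives."""
    return Counter((r["family"], r.get("role", "unknown")) for r in rows)
```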

When implementing security services it is a good idea to think ahead about the interoperability between the systems, and about how data can be extracted or interfaced, so that later on it can be attached to a malware response system.

Beyond malware, this type of correlation and response can also be fed further into other systems within an information security management framework.