The BotNet Came Calling

There is a writeup in today's ISC diary about a botnet found on a corporation's network across 40 sites. I highly recommend reading it.
The question is how you avoid it. The company in question failed to follow good practices by not noticing when their antivirus failed to update. It also sounds like they relied on their computers going to Symantec's LiveUpdate server rather than using an internal system or using VDTM. That sounds like another mistake.
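As an added example (not from the post or the ISC diary), here is a small Python audit that turns an exported AV inventory into the check the company lacked: it flags hosts whose definitions are older than a threshold or unknown, and hosts still pulling updates straight from the vendor instead of the internal update server. The inventory lines, field names, site names and the internal server name are all constructed for the example.

```python
"""Flag hosts whose AV definitions are stale (or unknown) and hosts that
fetch updates from the vendor rather than the internal update server."""
from datetime import date

# Constructed sample: one line per host, as an AV console export might look.
SAMPLE_INVENTORY = """\
site=hq host=ws-001 defs=2004-09-14 source=internal-update-srv
site=hq host=ws-002 defs=2004-08-20 source=liveupdate.symantec.com
site=branch07 host=ws-103 defs=2004-09-13 source=internal-update-srv
site=branch07 host=ws-104 defs=2004-07-02 source=liveupdate.symantec.com
site=branch12 host=ws-221 defs=unknown source=liveupdate.symantec.com
"""

INTERNAL_SOURCE = "internal-update-srv"  # assumed name of the internal server
REQUIRED = ("site", "host", "defs", "source")

def parse_inventory(text):
    """Turn 'key=value' lines into dicts; lines missing a field are skipped."""
    rows = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if all(k in fields for k in REQUIRED):
            rows.append(fields)
    return rows

def audit(text, today, max_age_days=7):
    """Return (stale_hosts, external_hosts, per_site_counts).
    A host whose definition date cannot be parsed counts as stale: not
    knowing the state of a host is exactly the failure mode described."""
    stale, external, per_site = [], [], {}
    for row in parse_inventory(text):
        try:
            age = (today - date.fromisoformat(row["defs"])).days
        except ValueError:
            age = None
        is_stale = age is None or age > max_age_days
        if is_stale:
            stale.append(row["host"])
        if row["source"] != INTERNAL_SOURCE:
            external.append(row["host"])
        counts = per_site.setdefault(row["site"], {"hosts": 0, "stale": 0})
        counts["hosts"] += 1
        counts["stale"] += int(is_stale)
    return stale, external, per_site

if __name__ == "__main__":
    stale, external, per_site = audit(SAMPLE_INVENTORY, date(2004, 9, 15))
    for site, counts in sorted(per_site.items()):
        print(f"{site}: {counts['stale']}/{counts['hosts']} hosts stale")
    print("stale:", stale)
    print("updating from outside:", external)
```

Run it against a real export on a schedule and alert on any site whose stale count is non-zero; a site that stops reporting at all should be treated the same way.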
What else can you do? Monitor for P2P installation (banning it should already be company policy). Prevent users from being admin? That just doesn't fly. Limit outbound activity at the firewall to specifically allowed ports? Great idea, already done it. I suppose an internal IDS/IPS, as well as segmenting internal networks so not everyone can talk to everyone, would help too. Patching should also help. The article doesn't state how GaoBot spread within the network. It's either a lack of patching or improperly secured file shares (i.e. wide open or with weak passwords).
When half the company subverts firewall security by going home with a laptop and hooking it up to an untrusted network, you never know what surprises you are going to find when they bring the computer back in.