RE: Six ways to fight back against botnets
Suggestion 4 (deploy IPS/IDS) mixes up IPS and NBA, which are different types of products. Network Behavioral Anomaly (NBA) systems look for unusual traffic activity. As you point out, they're good for detecting suspicious activity, but be aware that they require some care and feeding -- an analyst must validate that the suspicious activity is due to malware. Intrusion Prevention Systems detect previously installed bots/spyware/malware and prevent their installation in the first place. Many examine the HTTP payload in the return traffic to look for known or suspicious content, including attacks such as cross-site scripting. Not all IPSs have these features, so be sure to ask the vendor about their spyware capabilities before buying.