Well, since I had suggested this I guess it's appropriate for me to be one of the first people to comment. I actually have a lot of comments swirling around in my head regarding this so I will do my best to get them out in a coherent manner.
I recently watched a webinar from a FIM vendor where it was shown how the malware would have been easily detected using some simple FIM software. I find it scary how simple it would have been to detect something like this in so many different ways, yet I think most organizations would have missed this in the same way that Target did. I guess it's one of those things where hindsight is always 20/20.
The vendor account thing is definitely something you need to be very careful with and monitor very closely. While it may seem like a lot of work I think it would make the most sense to trigger an alert on every use of a vendor account out to a ticketing system or run a daily report and have those logins approved. It may seem like a bit of work but vendor accounts can be a huge exposure and need to be very closely managed.
I think using naming patterns is a great idea! This provides the necessary metadata to easily apply logic against in so many useful ways. I am totally putting that idea in my back pocket for later use.
I liked the example of a server phoning home to Brazil. This is a good example where good visualizations of data would be helpful. Just showing the IPs isn't very helpful because I doubt many people can look at an IP address and tell which country it belongs to. Having a good visualization showing an icon representing the country would quickly grab your attention if that country were not one that server should be communicating with. Having the data is important, but having good ways to visualize it in useful ways can help you quickly identify something that isn't right or out of place.
I personally think a lot of this is "DUH" stuff that is also just out of reach. I think it's out of reach because it's very difficult to show the value in the cost to implement a SIEM and the staff to do the active management and analysis of the data. I don't really know how to explain it, but I have found it very difficult to get people to wrap their heads around SIEM and the power that it can bring to the table. I think when a lot of less technical people look at it they just see another log management system that costs more $$$ and don't see the value, which makes it a very difficult sell and puts it out of reach for the technical people trying to get it into place.
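The three detection ideas raised in the comment above (alert on every use of a vendor account, key that logic off a naming convention, and turn raw destination IPs into a country that stands out) can be sketched as a small correlation script. The following is an added example, not code from the commenter or from any SIEM or FIM product; the log format, the `vnd-<vendor>-<purpose>` account naming convention, the RFC 5737 documentation addresses, the tiny country lookup table standing in for a real GeoIP database, and the "US only" egress expectation are all constructed for illustration.

```python
"""Added example: vendor-account alerting plus a "where is this server talking to" check.

Everything below is constructed: the log lines, the vendor naming convention,
and the IP-to-country table (a stand-in for a real GeoIP lookup).
"""
import ipaddress
import re

# Constructed auth log (hypothetical key=value format). The vendor accounts
# follow a hypothetical convention: "vnd-<vendor>-<purpose>".
AUTH_LOG = """\
2013-11-15T03:12:44Z host=pos-gw-01 user=vnd-hvac-svc result=success src=10.20.5.17
2013-11-15T03:13:02Z host=fileshare-02 user=jsmith result=success src=10.1.2.3
2013-11-15T03:15:09Z host=pos-gw-01 user=vnd-hvac-svc result=failure src=10.20.5.17
2013-11-15T04:01:55Z host=ad-dc-01 user=vnd-billing-api result=success src=10.3.3.3
"""

# Constructed flow records for the same hosts: src, dst, bytes sent.
FLOW_LOG = """\
2013-11-16T02:10:00Z src=10.20.5.17 dst=203.0.113.45 bytes=48213099
2013-11-16T02:11:00Z src=10.20.5.17 dst=192.0.2.8 bytes=1200
2013-11-16T02:12:00Z src=10.1.2.3 dst=198.51.100.77 bytes=8800
"""

# The naming pattern is the metadata the alert logic keys off.
VENDOR_ACCOUNT = re.compile(r"^vnd-[a-z0-9]+-[a-z0-9]+$")

# Constructed lookup table (RFC 5737 documentation prefixes), not real geolocation data.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "BR",
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}
# Assumed policy: internal servers in this example only talk to US destinations.
EXPECTED_COUNTRIES = {"US"}


def parse_kv(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a 'ts' key."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = ts
    return fields


def vendor_login_alerts(log_text):
    """One alert per vendor-account use (success or failure), ready for a ticket queue."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_kv(line)
        if VENDOR_ACCOUNT.match(ev.get("user", "")):
            alerts.append({k: ev[k] for k in ("ts", "user", "host", "result", "src")})
    return alerts


def country_for(ip):
    """Map an address to a country code via the constructed table; 'UNKNOWN' if absent."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "UNKNOWN"


def flag(cc):
    """Render a two-letter country code as its regional-indicator flag glyph."""
    if len(cc) != 2 or not cc.isalpha():
        return "?"
    return "".join(chr(0x1F1E6 + ord(c) - ord("A")) for c in cc.upper())


def foreign_egress_alerts(flow_text):
    """Flag flows whose destination country is outside the expected set."""
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ev = parse_kv(line)
        cc = country_for(ev["dst"])
        if cc not in EXPECTED_COUNTRIES:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
                           "country": cc, "flag": flag(cc), "bytes": int(ev["bytes"])})
    return alerts


if __name__ == "__main__":
    for a in vendor_login_alerts(AUTH_LOG):
        print(f"[VENDOR LOGIN] {a['ts']} {a['user']} on {a['host']} ({a['result']}) from {a['src']}")
    for a in foreign_egress_alerts(FLOW_LOG):
        print(f"[EGRESS] {a['ts']} {a['src']} -> {a['dst']} {a['flag']} {a['country']} {a['bytes']} bytes")
```

The two rules are deliberately independent so each can feed its own queue: every vendor-account event becomes a ticket or a line on the daily approval report, while the egress rule only fires when the destination falls outside the allowlisted countries, and the flag glyph is what makes the Brazil case jump out of an otherwise numeric report.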