What you deploy initially and in the future will highly depend on business requirements / expectations / existing perceived risks, etc. You'll probably fine-tune this as you go along and get more acquainted with the organization's security policy.
One thing that I'd definitely recommend doing is to take a pulse of what's currently going on in the network. In other words, baseline activity, traffic, etc. on systems and infrastructure devices. This provides a "norm" reference with a cautionary understanding that this baseline might include existing malicious activity.
Everything that can be practically used for alerting and response should be logged centrally with proper NTP synchronization. If you're multi-site, you might want to consider setting everything to GMT. Snort, OSSEC, Splunk, syslog-ng, Ntop, etc. can provide visibility. Don't forget vulnerability assessments to get a snapshot of the current state of the environment. As mentioned previously, definitely utilize NetFlow, diffing config backups, scripts to summarize daily events, etc. Also consider an annual or quarterly audit plan against recommended practices guides from the NSA, CIS, etc. If the org doesn't have egress filtering in place, you could put in a number of outbound permit statements just to get hit counts and see what might be leaking out (assuming the filtering devices in question have enough resources).
The commercial tools can do some / a lot of this, but their price / manageability will ultimately also hinge on your budget and comfort levels.
GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, OSWP, WCNA, CCNA, CCNA Security, SFCP, SnortCP, and more useless acronyms.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
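The "baseline, then summarize daily events and diff config backups" advice in the post above, as an added example that is not part of the original post or of any tool it names. It is a small Python script that (1) parses syslog-style lines, (2) collapses each message into a normalized event key (IPs, ports and PIDs stripped) so a day can be counted, (3) compares today's counts with a baseline day and flags events that are new or have spiked, and (4) diffs two config backups to pull out added lines. The log lines, hostnames, IPs and the router config fragments are constructed sample data, and the `spike_factor` of 3x is an arbitrary threshold; pick one that fits your own baseline. Note the deliberate illustration of the caveat from the post: the sshd brute-force attempt from the same source exists in the baseline day too, so it is not flagged, which is exactly why a baseline must be reviewed, not trusted blindly.

```python
"""Daily event summary against a baseline, plus config-backup diffing.

Added example (not from the original post). All sample data below is constructed.
"""
import difflib
import re
from collections import Counter

# --- Constructed sample data -------------------------------------------------
# "Baseline" day: includes one sshd failure from 203.0.113.9 that we are, for
# the sake of the demo, treating as normal (the caveat: baselines can contain
# malicious activity you have not noticed yet).
BASELINE_LOG = """Mar 10 02:15:01 fw1 kernel: DENY OUT src=10.0.1.5 dst=198.51.100.7 proto=TCP dpt=25
Mar 10 03:01:10 srv2 sshd[911]: Failed password for root from 203.0.113.9 port 4412 ssh2
Mar 10 08:00:00 srv2 cron[120]: (root) CMD (/usr/local/bin/backup.sh)
"""

# "Today": the outbound SMTP denies have jumped, and a new account was created.
TODAY_LOG = """Mar 11 02:15:01 fw1 kernel: DENY OUT src=10.0.1.5 dst=198.51.100.7 proto=TCP dpt=25
Mar 11 02:15:02 fw1 kernel: DENY OUT src=10.0.1.5 dst=198.51.100.8 proto=TCP dpt=25
Mar 11 02:15:03 fw1 kernel: DENY OUT src=10.0.1.5 dst=198.51.100.9 proto=TCP dpt=25
Mar 11 02:15:04 fw1 kernel: DENY OUT src=10.0.1.5 dst=198.51.100.10 proto=TCP dpt=25
Mar 11 03:01:10 srv2 sshd[912]: Failed password for root from 203.0.113.9 port 4413 ssh2
Mar 11 08:00:00 srv2 cron[121]: (root) CMD (/usr/local/bin/backup.sh)
Mar 11 09:30:12 srv2 useradd[300]: new user: name=svc_tmp, UID=1007, GID=1007
"""

# Two constructed router config backups (hypothetical device "edge1").
OLD_CONFIG = """hostname edge1
ntp server 10.0.0.1
access-list 110 deny ip any any log
"""
NEW_CONFIG = """hostname edge1
ntp server 10.0.0.1
access-list 110 permit tcp any any eq 25
access-list 110 deny ip any any log
"""

# --- Parsing and normalization -----------------------------------------------
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_syslog(text):
    """Return a list of (host, prog, msg) tuples; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            out.append((m.group("host"), m.group("prog"), m.group("msg")))
    return out


def event_key(msg):
    """Collapse variable fields (addresses first, then any number) so that
    repeated events with different IPs/ports/PIDs count as the same event."""
    msg = IPV4_RE.sub("<ip>", msg)
    return re.sub(r"\d+", "<n>", msg)


def summarize(events):
    """Count events per (host, program, normalized message)."""
    return Counter((host, prog, event_key(msg)) for host, prog, msg in events)


def compare(baseline, today, spike_factor=3.0):
    """Flag events absent from the baseline ('new') or whose count reached
    spike_factor times the baseline count ('spike'). Events present at a
    similar rate in both days are NOT flagged, even if they are hostile."""
    findings = []
    for key, n in sorted(today.items()):
        base = baseline.get(key, 0)
        if base == 0:
            findings.append(("new", key, n, 0))
        elif n >= spike_factor * base:
            findings.append(("spike", key, n, base))
    return findings


def added_lines(old_cfg, new_cfg, name="running-config"):
    """Unified-diff two config backups and return only the added lines."""
    diff = difflib.unified_diff(
        old_cfg.splitlines(), new_cfg.splitlines(),
        fromfile=name + ".old", tofile=name + ".new", lineterm="", n=1,
    )
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


if __name__ == "__main__":
    base = summarize(parse_syslog(BASELINE_LOG))
    today = summarize(parse_syslog(TODAY_LOG))
    for kind, (host, prog, key), n, b in compare(base, today):
        print(f"{kind:5} {host} {prog}: {key}  today={n} baseline={b}")
    for line in added_lines(OLD_CONFIG, NEW_CONFIG):
        print("config added:", line)
```

Run it as-is and the report shows the outbound SMTP deny spike (4 vs 1) and the new `useradd` event on srv2, plus the newly added permit line in the config; the repeated root login failure from 203.0.113.9 goes unreported because it was already in the baseline. Pointing `BASELINE_LOG`/`TODAY_LOG` at real files and running it from cron is the "script to summarize daily events" the post describes.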