One of the points driven home at Ignite was file blocking. It's common practice to block file types in email, but most browsers do not block downloads, and that is how badness gets in. Block the following in your WAF or NGFW:
Block all PE files (.pif, .fon, .efi, .drv, .scr, .sys, .ocx, .dll, .cpl, .exe)
Block .LNK, .HLP, .CHM, .BAT, .VBS
ALERT on .RAR and .ZIP (do not block, but log them as an indicator)
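To make the policy concrete, here is an added example (mine, not code from the original post or anything shown at Ignite) that applies the block/alert lists above to a download, using the filename plus the first bytes of the body. Matching on extension alone is bypassed by renaming the file, so the example also sniffs the content: a PE file is recognised by the MZ stub whose e_lfanew field points at the "PE\0\0" signature, and ZIP/RAR archives by their magic bytes. The function names, the reason strings and the sample downloads are constructed for illustration.

```python
import os
import struct

# Extension policy as listed in the post (added example, not original page code).
BLOCK_EXTENSIONS = {
    ".pif", ".fon", ".efi", ".drv", ".scr", ".sys", ".ocx", ".dll", ".cpl", ".exe",  # PE / executables
    ".lnk", ".hlp", ".chm", ".bat", ".vbs",                                         # shortcuts, help, scripts
}
ALERT_EXTENSIONS = {".rar", ".zip"}  # not blocked, logged as an indicator


def is_pe(data):
    """True if data starts with a DOS stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_archive(data):
    """True for ZIP local-file / central-directory headers and RAR4/RAR5 signatures."""
    zip_magics = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
    return data[:4] in zip_magics or data.startswith(b"Rar!\x1a\x07")


def normalise_name(filename):
    # Windows drops trailing dots and spaces, so "evil.exe. " still runs as evil.exe.
    return filename.strip().rstrip(". ").lower()


def extension_verdict(filename):
    """Verdict from the extension only; 'report.pdf.exe' still yields '.exe'."""
    ext = os.path.splitext(normalise_name(filename))[1]
    if ext in BLOCK_EXTENSIONS:
        return "block"
    if ext in ALERT_EXTENSIONS:
        return "alert"
    return "allow"


def classify_download(filename, head):
    """Return (verdict, reason). Content evidence wins over a harmless-looking name."""
    by_ext = extension_verdict(filename)
    if is_pe(head):
        reason = "PE signature in content"
        if by_ext != "block":
            reason += " (extension mismatch)"  # renamed executable
        return "block", reason
    if by_ext == "block":
        return "block", "blocked extension"
    if is_archive(head) or by_ext == "alert":
        return "alert", "archive"
    return "allow", "no rule matched"


# Constructed samples (not real captures): a minimal MZ/PE header, archive magics, plain text.
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 26
FAKE_RAR5 = b"Rar!\x1a\x07\x01\x00"
SAMPLES = [
    ("invoice.pdf.exe", FAKE_PE),      # double extension, still .exe
    ("Q3-report.docx", FAKE_PE),       # renamed executable: extension allows, content says PE
    ("payload.RAR", FAKE_RAR5),        # upper-case extension, alert only
    ("backup.zip", FAKE_ZIP),
    ("readme.txt", b"hello\n"),
    ("shortcut.LNK ", b"L\x00\x00\x00"),  # trailing space stripped before matching
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        verdict, reason = classify_download(name, head)
        print(f"{name!r:20} -> {verdict:5} ({reason})")
```

In a proxy or NGFW the filename would come from the URL path or the Content-Disposition header and the head bytes from the first response chunk; the point of the example is that the content check catches the renamed executable the extension list alone would pass. The extension sets are exactly the post's lists, so extend them to taste.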