Dear gods, where to start?
Minefield is the right term. There are a million and one (possibly more) ways to get this sort of thing set up, configured and running, and every one of those ways is dependent on your technical skills, your budget for purchase and your budget for ongoing maintenance and support.
Let’s start at the edge. Your business hub thing is a perfectly adequate little box for normal use, but you’ll need something more advanced if you want to do the whole monitoring/inspection thing with traffic. Look for F5 products, Juniper or something similar or, if you are feeling handy, have a crack at making your own system using Linux and some of the many different applications like Snort/IPTables that you can get. Either of these should allow you to limit outbound traffic and possibly monitor what people are doing. Check with legal to make sure that you are covered for that sort of thing with a suitable disclaimer though, and be prepared for people to hate you for it.
Mail servers. The choice is endless. Exchange 2010 or similar would probably do everything you want it to, but it may be more than you need. However, you can configure it with server-based AV for incoming mail scanning, so it would take care of that part of your requirements. Other products that do the same thing are available though, so cast around.
End-point AV. We use McAfee and it works, but anything good that is updated regularly should work. Be aware that any AV product is only as good as its updates and it will only ever be reactive. Encouraging your userbase to _not_ open attachments from random sources, even if they look legit, will be as much protection again. If you can set up the mail server to block attachments of specific sorts, that will help too, even if it annoys people sending in pictures of cats or something in the short term.
Cloud stuff is good, but be aware that any app you put in the cloud goes away if the cloud is gone. Always think about redundancy/failover/DR and how people will work if it all goes horribly wrong. You could even consider hosted apps on a Citrix server somewhere else in your network and really lock down the desktops, but this would mean extra hardware. Maybe even hosted desktops too.
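The attachment blocking the reply recommends for the mail server, as an added example that is not part of the original post: a policy check an inbound gateway hook could run over each message, using the standard `email` module. The block list, the `attachment_findings`/`should_reject` helpers and the sample messages are all assumptions constructed for this example.

```python
# Added example (not from the original post): a minimal attachment policy
# check for an inbound mail gateway. It parses an RFC 5322 message and flags
# attachments whose file name extension or declared MIME type is on a block
# list, which also catches "double extension" names like invoice.pdf.exe.
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed block list; adjust to the organisation's own policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".jar", ".hta"}
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec"}


def attachment_findings(raw_message: bytes) -> list:
    """Return (filename, reason) for every attachment that violates the policy."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type().lower()
        # splitext keeps only the last extension, which is the one the OS acts on
        ext = os.path.splitext(name.lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension {ext}"))
        elif ctype in BLOCKED_MIME_TYPES:
            findings.append((name, f"blocked content type {ctype}"))
    return findings


def should_reject(raw_message: bytes) -> bool:
    """True when at least one attachment breaks the policy."""
    return bool(attachment_findings(raw_message))


def build_sample(filename: str, ctype: str) -> bytes:
    """Construct a one-attachment message (constructed sample data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Look at this"
    msg.set_content("See attached.")
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(b"\x00binary", maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [("cat.jpg", "image/jpeg"), ("invoice.pdf.exe", "application/octet-stream"),
               ("setup.bin", "application/x-msdownload")]
    for name, ctype in samples:
        print(name, attachment_findings(build_sample(name, ctype)))
```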