Verizon's 2025 Data Breach Investigations Report delivered a number that should keep every financial institution IT director awake: third-party involvement in breaches doubled to 30% year over year. Your vendors, your integrations, your MSP's remote monitoring tools. Each connection is an attack surface your team did not build and cannot fully control.
Reactive security waits for the alert. Proactive security eliminates the conditions that cause the alert. For mortgage lenders, banks, and credit unions under constant regulatory scrutiny, the distinction is not academic. It is the difference between passing your next exam and explaining a breach to your board.
Guardian Security Insights is the proactive operating model ABT runs inside your Microsoft 365 tenant. Not a separate product. Not a parallel detection engine. It is the methodology, the policy set, and the daily monitoring rhythm that turns Microsoft's native security tools (Entra ID, Intune, Defender, Purview, Sentinel) into a continuously hardened environment for your institution.
The Reactive Trap in Financial Services IT
Most financial institution IT teams operate in reactive mode. An alert fires. Someone investigates. The issue gets resolved or escalated. The team moves to the next alert. This cycle repeats hundreds of times per week.
The problem is not that reactive teams are lazy. The problem is structural:
- Alert volume exceeds human capacity. A typical mortgage lender's Microsoft 365 tenant generates 200 to 500 security events per day across Defender, Entra ID sign-in logs, and Purview audit streams. Even with triage rules, the signal-to-noise ratio overwhelms small IT teams.
- Compliance work consumes proactive time. Preparing for GLBA audits, FTC Safeguards Rule documentation, and state examinations eats the hours your team would spend on hardening.
- Tool sprawl creates blind spots. When your endpoint protection, email security, identity management, and compliance reporting come from four different vendors, nobody owns the complete picture.
- The cybersecurity skills gap keeps widening. ISC2's 2025 Cybersecurity Workforce Study found 95% of organizations report at least one critical security skills gap, and 88% say those shortages produced cybersecurity consequences in the last year. Mortgage lenders compete for the same talent as Fortune 500 banks at a fraction of the salary budget.
Reactive mode is a survival strategy, not a security strategy. Your team is fighting fires instead of fireproofing the building.
Why this matters for your next exam
Examiners do not grade institutions on alert volume. They grade on whether the conditions that created the alerts have been engineered out. A team that closes 500 tickets a week and a team that closes 50 tickets a week can produce identical examination findings if the second team eliminated the conditions the first team is still triaging.
What Proactive Security Looks Like with Guardian Security Insights
Proactive security is a set of measurable practices that reduce your attack surface before adversaries find the gaps. As part of the Guardian operating model, ABT translates these practices into Microsoft-native configurations and runs the daily monitoring that keeps them in place.
Blocking Attacks Before They Start
Microsoft reports that 99% of password spray attacks target legacy authentication protocols like IMAP, SMTP, and POP3. These protocols cannot enforce MFA. Every tenant with legacy auth enabled has an unlocked door that attackers check daily.
Blocking legacy authentication is a Microsoft Entra Conditional Access policy change that takes minutes to deploy and stops the most common attack vector cold. ABT implements this in the first week of every Guardian onboarding. Most lenders we onboard had legacy auth enabled for years because "some users might need it." Those users never materialized.
Detecting Drift Before It Creates Gaps
Tenant configurations drift. An admin creates a Conditional Access exclusion for a vendor during a migration and forgets to remove it. A user's device falls out of Intune compliance. A DLP policy gets modified during troubleshooting and never gets restored.
Microsoft Sentinel and Entra ID Workbooks supply the audit signal. As part of the Guardian operating model, ABT runs nightly drift checks against a hardened baseline of 80+ policies. Each drift event is logged, categorized by severity, and surfaced in the next morning's report. Your team does not discover the rogue exclusion during the audit. They discover it the morning after it was created.
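To make the nightly drift check and the legacy-auth block from the previous section concrete, here is an added example (not ABT's Guardian code) that compares a constructed Conditional Access baseline with a constructed snapshot, using the document shape Microsoft Graph returns for conditionalAccess policies; the policy names, group names and severity labels are assumptions.

```python
"""Nightly Conditional Access drift check against a hardened baseline.
Added illustration, not ABT's Guardian code. Policies use the document shape
Microsoft Graph returns from /identity/conditionalAccess/policies; the
baseline, the "tonight" snapshot and the severity labels are constructed."""


def policy(name, state, client_apps, controls, exclude_groups=()):
    """Build a policy document in the Graph conditionalAccessPolicy shape."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                                     "excludeGroups": list(exclude_groups)},
                           "clientAppTypes": list(client_apps)},
            "grantControls": {"operator": "OR", "builtInControls": list(controls)}}


LEGACY = ["exchangeActiveSync", "other"]  # client app types legacy auth arrives on
MODERN = ["browser", "mobileAppsAndDesktopClients"]
BASELINE = [policy("Block legacy authentication", "enabled", LEGACY, ["block"]),
            policy("Require MFA for all users", "enabled", MODERN, ["mfa"], ["break-glass"])]
# Constructed snapshot: the legacy block was flipped to report-only during
# troubleshooting, and a vendor group was excluded from MFA mid-migration.
LIVE = [policy("Block legacy authentication", "enabledForReportingButNotEnforced", LEGACY, ["block"]),
        policy("Require MFA for all users", "enabled", MODERN, ["mfa"],
               ["break-glass", "vendor-migration-temp"])]


def legacy_auth_blocked(policies: list) -> bool:
    """True only if an enforced policy blocks both legacy client app types for all users."""
    for p in policies:
        c = p["conditions"]
        if (p["state"] == "enabled" and set(LEGACY) <= set(c["clientAppTypes"])
                and c["users"]["includeUsers"] == ["All"]
                and "block" in p["grantControls"]["builtInControls"]):
            return True
    return False


def drift_report(baseline: list, live: list) -> list:
    """Compare each baseline policy to its live counterpart and list deviations."""
    by_name = {p["displayName"]: p for p in live}
    findings = []
    for base in baseline:
        name, cur = base["displayName"], by_name.get(base["displayName"])
        if cur is None:
            findings.append({"policy": name, "severity": "high", "drift": "policy missing"})
            continue
        if cur["state"] != base["state"]:  # report-only or disabled means no enforcement
            findings.append({"policy": name, "severity": "high",
                             "drift": f"state {base['state']} -> {cur['state']}"})
        for key in ("excludeUsers", "excludeGroups"):  # new exclusions widen the gap silently
            added = sorted(set(cur["conditions"]["users"][key]) - set(base["conditions"]["users"][key]))
            if added:
                findings.append({"policy": name, "severity": "medium", "drift": f"new {key}: {added}"})
        if (set(cur["conditions"]["clientAppTypes"]) != set(base["conditions"]["clientAppTypes"])
                or cur["grantControls"] != base["grantControls"]):
            findings.append({"policy": name, "severity": "high", "drift": "scope or grant controls changed"})
    return findings
```

In production the snapshot would come from a Graph call each night and the findings would feed the morning report; the comparison logic stays the same.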
Closing MFA Gaps That Standard Reporting Misses
Standard MFA reporting in Microsoft Entra shows users as "registered" once they begin the enrollment process. But registration is not completion. A user who started MFA setup but never finished the second factor is counted as MFA-enabled in most dashboards while remaining completely unprotected.
Guardian Security Insights distinguishes between MFA-registered and MFA-enrolled by querying Entra's auth-method APIs directly. It identifies users who appear compliant on paper but have not completed their setup. This gap is where account takeovers happen, and most IT teams do not know it exists until after the breach.
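As an added illustration of the registered-versus-enrolled distinction (not ABT's code), the example below classifies users from a constructed page of the Microsoft Graph userRegistrationDetails report. Mapping the article's "registered" to Graph's isMfaRegistered and its "enrolled" to isMfaCapable is an assumption; the user records are constructed.

```python
"""Separate MFA-enrolled users from merely MFA-registered ones.
Added illustration, not ABT's Guardian code. It assumes the JSON shape of
GET /reports/authenticationMethods/userRegistrationDetails in Microsoft Graph
(isMfaRegistered, isMfaCapable and methodsRegistered are real properties);
the payload below is constructed, not a tenant export."""
import json

# Constructed sample page. Graph paginates real results via @odata.nextLink,
# which a production script must follow before counting anyone.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True,
     "isMfaCapable": True, "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    # Registered a phone, but the tenant's authentication methods policy does
    # not allow SMS/voice, so the user cannot actually satisfy an MFA prompt.
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": True,
     "isMfaCapable": False, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": False,
     "isMfaCapable": False, "methodsRegistered": []},
]})


def classify(response_json: str) -> dict:
    """Bucket users into enrolled (MFA-capable), registered_only and unregistered.

    isMfaCapable is the "enrolled" signal: a strong method is registered AND
    allowed by policy. A dashboard keyed on isMfaRegistered alone counts bob
    as protected even though no prompt he receives can be completed.
    """
    buckets = {"enrolled": [], "registered_only": [], "unregistered": []}
    for user in json.loads(response_json)["value"]:
        upn = user["userPrincipalName"]
        if user.get("isMfaCapable"):
            buckets["enrolled"].append(upn)
        elif user.get("isMfaRegistered"):
            buckets["registered_only"].append(upn)
        else:
            buckets["unregistered"].append(upn)
    return buckets


def completion_rate(buckets: dict) -> float:
    """Percent of users who are actually MFA-capable (the 100% target above)."""
    total = sum(len(v) for v in buckets.values())
    return round(100.0 * len(buckets["enrolled"]) / total, 1) if total else 0.0


if __name__ == "__main__":
    result = classify(SAMPLE_RESPONSE)
    print("registered but not enrolled:", result["registered_only"])
    print("MFA completion rate:", completion_rate(result))
```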
How does your tenant score against the 90+ controls that drive proactive security?
Get a baseline view of where Microsoft's native tools are configured, where they are drifting, and where the gaps live, graded against regulator expectations rather than peer averages.
Managing the Shadow AI Risk
IBM's 2025 Cost of a Data Breach report found that breaches involving shadow AI cost an average of $4.63 million, roughly $670,000 more than breaches without it. Loan officers uploading borrower documents to ChatGPT. Processors using free OCR tools with unclear data retention. Compliance teams testing AI assistants with real client data. The same report found 97% of AI-related breaches occurred at organizations lacking proper AI access controls.
Microsoft Purview audit logging captures every AI-tool interaction inside your tenant. Microsoft Entra Conditional Access can restrict access to unsanctioned AI services at the network and identity layer. As part of the Guardian operating model, ABT configures these tools with FI-specific policies (restricted-app lists, approved-AI allowlists, sensitive-data DLP) and surfaces violations in the daily report so your team addresses them before they become an examination finding. For the deeper view of how the Guardian operating model handles AI governance, see our compliance walkthrough.
The Guardian Proactive Security Framework
Guardian operates on four stages that run continuously. Each stage maps to a specific function in the M365 Guardian feature architecture: Guardian Protect handles pre-incident hardening, Guardian MxDR handles detect-and-respond, and Guardian Insights surfaces what leadership needs to see. This is the operating cadence for your tenant security, not a one-time assessment.
Stage 1: Hardening, Eliminate Known Weaknesses (Guardian Protect)
ABT configures your tenant to a hardened baseline drawn from 27+ years of managing financial institution tenants. Conditional Access policies, Intune device compliance, Microsoft Entra ID configuration, email authentication (SPF, DKIM, DMARC enforcement), and Purview DLP. Each configuration is tuned for your institution's regulatory requirements and operational needs. This is the Guardian Protect feature family in action: preventive, opinionated, and policy-driven.
Stage 2: Monitoring, Catch Changes in Real Time (Guardian MxDR)
Microsoft Defender XDR and Sentinel capture the telemetry. As part of Guardian MxDR, ABT's security operations team reviews drift events, new unmanaged devices, incomplete MFA enrollments, stale accounts, and Conditional Access exclusions every business day. Your team receives a filtered, prioritized action list rather than the raw alert stream.
Stage 3: Insights, Turn Data Into Decisions (Guardian Insights)
Sign-in anomalies, MFA coverage rates, device compliance trends, and Microsoft Secure Score movement across all four categories live in one operational view. The data tells a story: are you improving, drifting, or stalling? Leadership gets dashboards they can read without an IT glossary.
Stage 4: Response, Act with Specificity (Guardian MxDR)
When findings require action, Guardian provides the exact steps. Not "review your MFA settings" but "these 12 users have not completed MFA enrollment, here are their names and departments, and here is the enrollment link to send them." For risky-user events, ABT's Tokenator agent calls Microsoft Graph to revoke active sessions automatically. This is a Guardian Protect agent that runs the moment Sentinel surfaces a high-risk sign-in. Specificity drives completion. Vague recommendations drive inbox burial.
Reactive teams measure mean time to remediate in weeks. Proactive teams measure it in hours, because the conditions that created the finding were engineered out before adversaries arrived to exploit them.
Proactive Security and Regulatory Compliance
Proactive security and compliance are not separate workstreams. Every proactive action produces compliance evidence as a byproduct.
The FFIEC retired its Cybersecurity Assessment Tool effective August 31, 2025, pointing institutions to the NIST Cybersecurity Framework 2.0 and CISA's Cybersecurity Performance Goals as the new examination reference. The NCUA's examiners now reference NIST CSF 2.0 in current examination cycles. For mortgage lenders, the FTC Safeguards Rule requires a written information security plan, risk assessments, access controls, encryption, and continuous monitoring.
Guardian maps to all of these frameworks because the underlying practices are the same. Conditional Access enforcement satisfies FTC Safeguards access-control requirements. Stale account management satisfies NIST CSF 2.0 PR.AA identity-management controls. Device compliance monitoring satisfies FFIEC examination expectations under PR.PS. The compliance evidence is a byproduct, not a separate project. Our compliance integration walkthrough shows how the same control set produces evidence for multiple regulators simultaneously.
Mortgage lenders also face state-level regulation. The 23 NYCRR Part 500 amendments effective in 2025 added stricter MFA, asset-management, and incident-response requirements for institutions operating in New York. California's CPRA layers data privacy obligations on top of CCPA. Guardian covers the controls these regulations require because they overlap almost entirely with strong Microsoft 365 security practices.
Key takeaway
One hardened control set, configured by ABT and monitored as part of Guardian MxDR, produces evidence for FFIEC NIST CSF 2.0 alignment, FTC Safeguards, NCUA examinations, NYDFS Part 500, GLBA, and state privacy laws simultaneously. The same Conditional Access policy that blocks legacy auth also satisfies access-control requirements across every framework that asks about it.
The ABT Difference: Pure Microsoft Stack
Most managed service providers run their security operations through third-party platforms: ConnectWise for remote monitoring, Kaseya for endpoint management, SolarWinds for network monitoring, Nerdio for tenant orchestration. Each platform adds another vendor in your supply chain. Each adds another attack surface.
ABT runs a pure Microsoft technology stack. No ConnectWise. No Kaseya. No SolarWinds. No Nerdio. Guardian is built entirely on Microsoft-native tools: Microsoft Entra ID, Intune, Defender for Endpoint, Defender for Office 365, Defender for Identity, Purview, and Sentinel.
This architecture decision has real-world consequences. When ConnectWise ScreenConnect was breached in February 2024, every MSP running ConnectWise had to scramble. ABT's clients were unaffected. Zero exposure. When Kaseya VSA was compromised in July 2021, the same story. ABT's clients were not in the blast radius because ABT does not use the platform.
For financial institutions where regulators ask about your vendor supply chain, "our MSP runs entirely on Microsoft-native tools" is a clean answer that closes the conversation.
Microsoft's 2024 Digital Defense Report tracked roughly 600 million identity-based attacks every day across the Microsoft ecosystem. Inside that volume, the patterns are remarkably consistent: most successful intrusions exploit gaps in baseline configuration such as legacy auth still enabled, MFA registration incomplete, and Conditional Access bypasses for service accounts that nobody remembers creating. As a Tier 1 Microsoft Cloud Solution Provider for financial institutions, ABT has visibility into the same attack telemetry Microsoft sees, which is why Guardian's hardening baseline targets exactly those configuration gaps in the first onboarding scan.
Source: Microsoft Digital Defense Report 2024.
Measuring Proactive Security Success
Proactive security needs metrics. Here is what ABT tracks for every managed tenant through Guardian Insights:
- Microsoft Secure Score trend. Weekly movement across Identity, Data, Devices, and Apps. Microsoft grades your score on a curve, comparing your tenant against tenants of similar size and industry. The board hears "average for our size" and relaxes. The auditor hears "38% of recommended controls unimplemented" and writes a finding. Guardian measures against regulator expectations, not peer averages.
- MFA completion rate. Not just registered. Fully enrolled with a completed second factor. Target: 100%.
- Stale account count. Accounts inactive beyond policy threshold. Target: zero outside of documented exceptions.
- Device compliance rate. Percentage of devices accessing the tenant that meet Intune compliance policies. Target: 95%+.
- Policy drift events. Number of unauthorized or unreviewed configuration changes per month. Target: trending toward zero.
- Mean time to remediate. Hours between finding detection and resolution. Proactive teams measure in hours; reactive teams measure in weeks.
These metrics flow into the dashboards your leadership team sees and the reports your auditors receive. They tell the same story from two angles: this institution takes security seriously, and here is the proof.
Move From Reactive to Proactive
Your next examination is coming. Your next breach attempt is already underway. The question is whether your team catches it in tonight's drift scan or discovers it in the incident response. A 30-minute Security Grade walkthrough will show you which side of that line your tenant is on right now.
Frequently Asked Questions
Guardian Security Insights is ABT's security operating model for Microsoft 365. It is the methodology that configures Entra ID, Defender, Purview, and Sentinel against an FI-tuned baseline and runs nightly drift checks against it. Financial-services breaches averaged $5.56 million in IBM's 2025 Cost of a Data Breach report. Guardian eliminates the configuration gaps that lead to those breaches before adversaries find them, and produces compliance evidence as a byproduct of the same control set.
MFA-registered means a user started the MFA enrollment process in Microsoft Entra. MFA-enrolled means they completed it with a verified second factor. Standard Microsoft admin dashboards count registered users as compliant, but they remain unprotected until enrollment is complete. As part of the Guardian operating model, ABT queries Entra's auth-method APIs directly to track this distinction and close the gap that most reporting tools miss.
Legacy authentication protocols like IMAP, SMTP, and POP3 cannot enforce MFA, making them the primary target for password spray attacks. Microsoft reports 99% of password spray attacks use legacy auth. Blocking these protocols through Microsoft Entra Conditional Access is the single highest-impact Secure Score improvement and typically raises the Identity score noticeably in the first scan cycle. Remember Secure Score grades on a curve. Your bank examiner does not.
Loan officers and processors may upload borrower documents to consumer AI tools like ChatGPT or free OCR services with unclear data retention policies. IBM's 2025 Cost of a Data Breach report found shadow AI breaches cost about $670,000 more than breaches without AI involvement, and 97% of AI-related breaches occurred at organizations lacking proper AI access controls. Microsoft Purview audit logging captures every AI tool interaction; Microsoft Entra Conditional Access can restrict access to unsanctioned services. As part of the Guardian operating model, ABT configures both layers and surfaces violations in daily reports.
Third-party MSP platforms add vendor supply chain risk. ConnectWise ScreenConnect was breached in February 2024. Kaseya VSA was compromised in July 2021. ABT runs a pure Microsoft stack with no third-party MSP platforms, meaning clients have zero exposure when those platforms are attacked. Combined with Verizon's 2025 finding that third-party involvement now drives 30% of breaches, this architecture decision simplifies vendor risk conversations with regulators and auditors.
The FFIEC retired the Cybersecurity Assessment Tool effective August 31, 2025 and pointed institutions to NIST Cybersecurity Framework 2.0 plus CISA's Cybersecurity Performance Goals. Guardian Protect implements the NIST CSF 2.0 Protect function: identity controls (PR.AA), platform configuration (PR.PS), and data security (PR.DS). Guardian MxDR implements Detect, Respond, and Recover. The same control set that satisfies NIST CSF 2.0 also produces evidence for FTC Safeguards, NCUA examinations, NYDFS Part 500, and GLBA simultaneously.
Justin Kirsch
CEO and Co-Founder, Access Business Technologies
Justin Kirsch has built proactive cybersecurity operating models for financial institutions running Microsoft since 1999. As CEO and co-founder of Access Business Technologies, the largest Tier 1 Microsoft Cloud Solution Provider dedicated to financial services, he helps more than 750 banks, credit unions, and mortgage companies eliminate the configuration gaps that drive examination findings, turning daily security operations into compliance evidence rather than triage queues.