When a threat actor walks into your network using a legitimate username and password, which control stops them? For most financial institutions, the honest answer is: nothing catches it immediately.