HomeResourcesCase StudiesBangladesh Bank Managed SOC
SOC ServicesBankingBanking · Bangladesh

Bangladesh Bank Reduces Mean Time to Detect by 60%

A Bangladesh Bank-regulated institution deployed EIC managed SOC, cutting mean time to detect from 72 hours to under 30 minutes — transforming their security monitoring from business-hours-only to 24/7 coverage.

24/7 Managed SOC · Bangladesh Bank
60%
MTTD Reduction
37
Log Sources
22
Daily Alerts
28min
Avg MTTD
24/7
Coverage
Industry
Banking & Financial Services
Service
24/7 Managed SOC Services
Timeline
6-week deployment + ongoing managed service
Technology
EIC SOC Platform + SIEM Integration
The Challenge

72-Hour Detection Window — A Bangladesh Bank Exam Risk

A scheduled Bangladesh Bank BRPD examination had flagged the bank's incident detection capability as inadequate in the prior cycle. The examiner's report noted a 72-hour mean time to detect for security events — a gap between event occurrence and analyst awareness that regulators described as "insufficient for a licensed financial institution processing real-time transaction volumes."

The bank's internal security team of four had no 24/7 coverage. Nights and weekends — the highest-risk windows for transaction fraud and external attacks — had no active monitoring. Security events occurring on a Friday evening might not be reviewed until Monday morning, creating a 60+ hour blind spot that attackers could exploit.

The Bangladesh Bank BRPD examination finding was not merely advisory. The regulator had indicated that continued detection delays of this magnitude would result in a formal directive in the next examination cycle — a finding that would be visible to the bank's board and potentially to correspondent banking partners who review regulatory status as part of their due diligence.

The bank's CISO engaged EIC following the examination finding, with a clear mandate: achieve 24/7 detection coverage that would satisfy Bangladesh Bank's examination standards before the next scheduled review. The budget had been approved at board level, but the timeline was tight — the next examination cycle was 4 months away, and the SOC needed to be operational with demonstrated metrics before that date.

  • 72-hour mean time to detect flagged by Bangladesh Bank BRPD examination
  • No 24/7 monitoring coverage — nights and weekends unmonitored
  • Internal security team of four with no SOC operational experience
  • Formal regulatory directive risk at next examination cycle
  • 4-month window before next Bangladesh Bank examination
EIC's Approach

From Zero SOC to 24/7 Coverage in 6 Weeks

EIC deployed a phased SOC implementation designed to achieve operational 24/7 coverage within 6 weeks, with detection rules specifically tuned for Bangladesh Bank BRPD requirements and the bank's transaction processing environment.

Phase 01 · Weeks 1–2

Log Source Integration

37 log sources integrated: core banking, internet banking platform, firewalls, AD, endpoints, SWIFT interface. Baseline event rate established.

Phase 02 · Weeks 2–4

Detection Rule Tuning

Custom detection rules for BRPD requirements: transaction anomaly thresholds, failed auth bursts, SWIFT message anomalies, privilege escalation. False positives reduced from 340/day to 22 actionable alerts.

Phase 03 · Weeks 4–6

24/7 Coverage Handover

EIC SOC analysts took over L1 and L2 monitoring. Internal team retained L3 response ownership. Escalation matrix and runbooks documented.

Phase 04 · Month 2+

Managed Service

Monthly threat intelligence reports. Quarterly board-ready SOC summary for Bangladesh Bank examination readiness. All incidents in BB incident log format.

Detection Engineering

From 340 Raw Alerts to 22 Actionable Events Per Day

The initial log source integration in weeks 1–2 generated a raw alert volume of approximately 340 events per day from the bank's 37 log sources. At this volume, the SOC would have been overwhelmed with noise — the same problem that had contributed to the bank's 72-hour detection gap in the first place. Volume without intelligence produces fatigue, not security.

EIC's detection engineering team spent weeks 2–4 building custom correlation rules and tuning thresholds specifically for the bank's transaction patterns. The bank's core banking system generated legitimate high-volume authentication events during batch processing windows (2:00–4:00 AM daily) that would otherwise trigger false positive authentication anomaly alerts. These patterns were baselined and excluded from alerting.

The SWIFT-specific monitoring rules were particularly critical. EIC configured real-time alerting for any SWIFT message type that deviated from the bank's established correspondent banking patterns — including messages to counterparties not on the bank's approved list, messages outside normal business hours, and messages exceeding established value thresholds. These rules were developed from the bank's own historical SWIFT message data, not generic templates.

The result: 22 actionable alerts per day, each with contextual information sufficient for an L1 analyst to make a triage decision within minutes. The false positive rate dropped from over 90% to under 15% — meaning the SOC team spent their time investigating real potential threats rather than dismissing noise.

Results

Measurable Outcomes

60%
Reduction in mean time to detect (72hr → 28 min average)
37
Log sources integrated in 2 weeks
22
Daily actionable alerts (down from 340 raw)
Zero
Security incidents escalated undetected since service launch
"
Before EIC, our security posture on a Saturday night was essentially zero. Now we have detection coverage that meets Bangladesh Bank's examination standards — and a quarterly report I can put in front of the board without hesitation.
CISO, Scheduled Commercial Bank, Bangladesh
Services in This Engagement

Facing a Similar Detection Gap?

Describe your current monitoring coverage on a 30-minute scoping call. We'll assess your detection gaps and recommend a SOC deployment plan.