Bangladesh Bank Reduces Mean Time to Detect by 60%
A Bangladesh Bank-regulated institution deployed EIC managed SOC, cutting mean time to detect from 72 hours to under 30 minutes — transforming their security monitoring from business-hours-only to 24/7 coverage.
72-Hour Detection Window — A Bangladesh Bank Exam Risk
A scheduled Bangladesh Bank BRPD examination had flagged the bank's incident detection capability as inadequate in the prior cycle. The examiner's report noted a 72-hour mean time to detect for security events — a gap between event occurrence and analyst awareness that regulators described as "insufficient for a licensed financial institution processing real-time transaction volumes."
The bank's internal security team of four had no 24/7 coverage. Nights and weekends — the highest-risk windows for transaction fraud and external attacks — had no active monitoring. Security events occurring on a Friday evening might not be reviewed until Monday morning, creating a 60+ hour blind spot that attackers could exploit.
The Bangladesh Bank BRPD examination finding was not merely advisory. The regulator had indicated that continued detection delays of this magnitude would result in a formal directive in the next examination cycle — a finding that would be visible to the bank's board and potentially to correspondent banking partners who review regulatory status as part of their due diligence.
The bank's CISO engaged EIC following the examination finding, with a clear mandate: achieve 24/7 detection coverage that would satisfy Bangladesh Bank's examination standards before the next scheduled review. The budget had been approved at board level, but the timeline was tight — the next examination cycle was 4 months away, and the SOC needed to be operational with demonstrated metrics before that date.
- 72-hour mean time to detect flagged by Bangladesh Bank BRPD examination
- No 24/7 monitoring coverage — nights and weekends unmonitored
- Internal security team of four with no SOC operational experience
- Formal regulatory directive risk at next examination cycle
- 4-month window before next Bangladesh Bank examination
From Zero SOC to 24/7 Coverage in 6 Weeks
EIC deployed a phased SOC implementation designed to achieve operational 24/7 coverage within 6 weeks, with detection rules specifically tuned for Bangladesh Bank BRPD requirements and the bank's transaction processing environment.
Log Source Integration
37 log sources integrated: core banking, internet banking platform, firewalls, AD, endpoints, SWIFT interface. Baseline event rate established.
Detection Rule Tuning
Custom detection rules for BRPD requirements: transaction anomaly thresholds, failed auth bursts, SWIFT message anomalies, privilege escalation. False positives reduced from 340/day to 22 actionable alerts.
24/7 Coverage Handover
EIC SOC analysts took over L1 and L2 monitoring. Internal team retained L3 response ownership. Escalation matrix and runbooks documented.
Managed Service
Monthly threat intelligence reports. Quarterly board-ready SOC summary for Bangladesh Bank examination readiness. All incidents in BB incident log format.
From 340 Raw Alerts to 22 Actionable Events Per Day
The initial log source integration in weeks 1–2 generated a raw alert volume of approximately 340 events per day from the bank's 37 log sources. At this volume, the SOC would have been overwhelmed with noise — the same problem that had contributed to the bank's 72-hour detection gap in the first place. Volume without intelligence produces fatigue, not security.
EIC's detection engineering team spent weeks 2–4 building custom correlation rules and tuning thresholds specifically for the bank's transaction patterns. The bank's core banking system generated legitimate high-volume authentication events during batch processing windows (2:00–4:00 AM daily) that would otherwise trigger false positive authentication anomaly alerts. These patterns were baselined and excluded from alerting.
The SWIFT-specific monitoring rules were particularly critical. EIC configured real-time alerting for any SWIFT message type that deviated from the bank's established correspondent banking patterns — including messages to counterparties not on the bank's approved list, messages outside normal business hours, and messages exceeding established value thresholds. These rules were developed from the bank's own historical SWIFT message data, not generic templates.
The result: 22 actionable alerts per day, each with contextual information sufficient for an L1 analyst to make a triage decision within minutes. The false positive rate dropped from over 90% to under 15% — meaning the SOC team spent their time investigating real potential threats rather than dismissing noise.
Measurable Outcomes
Before EIC, our security posture on a Saturday night was essentially zero. Now we have detection coverage that meets Bangladesh Bank's examination standards — and a quarterly report I can put in front of the board without hesitation.