As the eighth most populous city in the U.S., San Diego has experienced a period of unprecedented growth in recent years – second only to an influx of settlers in the 1870s after the discovery of gold. Now, home to 1.37 million people and 51,000 tech professionals, it is widely considered the center of gravity for innovative thinking, and ranked one of the “World’s Most Inventive Cities” by Forbes Magazine.

Pioneering advances from industries like biotech, aerospace, telecom and manufacturing have shaped San Diego into an international tech and science destination. In 2015, it was the only city selected in North America by National Geographic as a “World Smart City,” which defined it as “one of the most forward-thinking cities across the globe.”

All of that attention yields pressure for the city of San Diego. It manages 5 petabytes of data across more than 40 agencies, including the Mayor and City Council. Securing information resources (in a town that demands the highest level), is a responsibility that is taken very seriously – and may explain why city officials consider information security management as one of its highest priorities. Deputy Director and CISO Gary Hayslip oversees the citywide cyber security strategy and chose PacketSled to assist his team of four in creating a cyber security program designed for what he characterizes as “a city environment in a constant state of change.”

Compliance Regulations

The city must be compliant with PCI-DSS for the handling of credit card payment data, HIPAA with respect to health data as it pertains to the records of residents of the city, and, various securities compliance regulations (city trades bonds as an example).


Understanding the City of San Diego’s complex network and how it is used by stakeholders was essential in creating an effective cyber security program. Aside from the 1.5 million external users that include San Diego citizens, the enterprise also includes more than 11,000 city employees and another 1,000 municipal employees of third party agencies. Without accurate visibility in such a complex environment, ongoing threat response can be adversely affected, and necessary action muted.

Tuning external tools deployed into the environment can be tricky for Hayslip’s security team, but they found that PacketSled’s platform for automated network insight minimized the need for trial and error.

Hayslip’s goals included:

Obtaining a real-time view of the attack cycle that is ongoing within the enterprise network, utilizing a combination of PacketSled for network visibility and detection, and Carbon Black for providing endpoint protection and remediation. Reducing the risk exposure to the city’s enterprise by decreasing mean-time response, and increasing fidelity of forensic data. Giving the team the ability to communicate findings in a way that can be understood by key city officials.

“We’re a Top 10 city and this is a $4B business. I trust PacketSled to provide real-time, accurate visibility on cyber threats. This visibility is extremely valuable for my security teams.”

— Deputy Director and CISO Gary Hayslip

The Problem

The City of San Diego is connected to the Department of Homeland Security (DHS), municipal parks, and other attractive targets where a network break-in can cause major disruptions. From police cars and utilities to water treatment facilities, citywide resources are at risk if sophisticated controls are not in place.

“There are very orchestrated, focused cyber criminals out there today that carry out campaigns on specific targets,” says Hayslip. “They use specific malware and toolsets to launch attacks and we know there are organized groups behind them like hacktivists and nation state attackers. There has been a 60% increase in hacktivism attacks against cities and colleges over the past 3 years.”


For large metropolitan areas like San Diego, variety and complexity are normal competitors to operational security. When San Diego is operating a network infrastructure that runs 24x7x365, continuous security monitoring can be difficult and expensive. Some key challenges include:

Regular upgrading of city department applications;
Replacing network assets; and
Connecting with third-party vendors to collaborate.

PacketSled’s Solution

PacketSled provided several key advantages to the City of San Diego, including:

Offering full visibility across the entire city enterprise with the full context of threats. The ability to automatically assess file payloads as they cross the wire, knowing immediately what resources are potentially affected by a specific attack. Useful attack data labeled with kill chain behavioral stages with explanations of the risk posed to the city on a per attack basis. Automation of the incident response process, which removed the burden of repeating similar investigations from the SOC team. Near-zero false positive rate on detections.

The Future of Network Visibility in the City of San Diego As is true in nearly all enterprises of this size, the City of San Diego continues to rapidly expand its network footprint, and more devices are being connected every day. With additional locations, networks, and endpoints comes additional risk. “One of the great things about PacketSled is that I don’t need to pay to add a sensor. In about 15 minutes, I can add visibility with only a few clicks. The future of security is the cloud software stack, and PacketSled has it wired.” The City of San Diego is intending on expanding its network visibility into more areas of the network as they come online in order to more effectively understand risk as it applies to various city departments and functions.

“My mission includes creating a “risk aware” culture and PacketSled is one of our go-to partner’s provider in maintaining that..” Gary Hayslip, Deputy Director and CISO, City of San Diego

Security Operations and IR teams use PacketSled for:

  • Advanced Incident Detection – Fusing data from endpoint, threat intelligence, and files with immutable network truth to provide very high confidence detection.
  • Threat Hunting – Using PacketSled’s natural language search and interactive visualizations to navigate the highest priority threats by killchain stage.
  • Security Information and Event Management (SIEM) Alert Validation – Obtaining context in seconds from SIEM alerts in order to determine the need to respond.
  • Incident Response – Using the prioritized data from PacketSled to orchestrate team actions and coordinate outcomes.

© 2018 PacketSled, Inc.