San Diego

The City of San Diego Protects its Smart City Network with Packetsled


As the eighth most populous city in the U.S., San Diego has experienced a period of unprecedented growth in recent years - second only to an influx of settlers in the 1870s after the discovery of gold. Now, home to 1.37 million people and 51,000 tech professionals, it is widely considered the center of gravity for innovative thinking and ranked one of the “World’s Most Inventive Cities” by Forbes Magazine.

Pioneering advances from industries like biotech, aerospace, telecom and manufacturing have shaped San Diego into an international tech and science destination. In 2015, it was the only city selected in North America by National Geographic as a “World Smart City,” which defined it as “one of the most forward-thinking cities across the globe.”

All of that attention yields pressure for the city of San Diego. It manages 5 petabytes of data across more than 40 agencies, including the Mayor and City Council. Securing information resources (in a town that demands the highest level), is a responsibility that is taken very seriously - and may explain why city officials consider information security management as one of its highest priorities. Chief Information Security Officer Darren Bennett oversees the citywide cyber security strategy and chose PacketSled to assist his team of four in creating a cyber security program designed for what he characterizes as “a city environment in a constant state of change.”

Compliance Regulations

The city must be compliant with PCI-DSS for the handling of credit card payment data, HIPAA with respect to health data as it pertains to the records of residents of the city, and, various securities compliance regulations (city trades bonds as an example).


Understanding the City of San Diego’s complex network and how it is used by stakeholders was essential in creating an effective cyber security program. Aside from the 1.5 million external users that include San Diego citizens, the enterprise also includes more than 11,000 city employees and another 1,000 municipal employees of third party agencies. Without accurate visibility in such a complex environment, ongoing threat response can be adversely affected, and necessary action muted.

Tuning external tools deployed into the environment can be tricky for City of San Diego’s security team, but they found that PacketSled’s platform for automated network insight minimized the need for trial and error.

City of San Diego's goals included:

  • Obtaining a real-time view of the attack cycle that is ongoing within the enterprise network, utilizing a combination of PacketSled for network visibility and detection, and Carbon Black for providing endpoint protection and remediation.
  • Reducing the risk exposure to the city’s enterprise by decreasing mean-time response and increasing fidelity of forensic data.
  • Giving the team the ability to communicate findings in a way that can be understood by key city officials.

“We're a Top 10 city and this is a $4B business. I trust PacketSled to provide real-time, accurate visibility on cyber threats. This visibility is extremely valuable for the City of San Diego’s security teams.”

City of San Diego CISO, Darren Bennett

The Problem

The City of San Diego is connected to the Department of Homeland Security (DHS), municipal parks, and other attractive targets where a network break-in can cause major disruptions. From police cars and utilities to water treatment facilities, citywide resources are at risk if sophisticated controls are not in place.

“Cyber criminals are very talented, have significant resources behind them and include a wide range of personalities from school age kids to nation state actors. Adding tools like PacketSled to our quiver, allows our security team to effectively detect, investigate and respond to anomalies and threats to our network.”

City of San Diego CISO, Darren Bennett

For large metropolitan areas like San Diego, variety and complexity are normal competitors to operational security. When San Diego is operating a network infrastructure that runs 24x7x365, continuous security monitoring can be difficult and expensive. Some key challenges include:

  • Regular upgrading of city department applications;
  • Replacing network assets; and
  • Connecting with third-party vendors to collaborate

PacketSled’s Solution

PacketSled provided several key advantages to the City of San Diego, including:

  • Offering full visibility across the entire city enterprise with the full context of threats.
  • The ability to automatically assess file payloads as they cross the wire, knowing immediately what resources are potentially affected by a specific attack.
  • Useful attack data labeled with kill chain behavioral stages with explanations of the risk posed to the city on a per attack basis.
  • Automation of the incident response process, which removed the burden of repeating similar investigations from the SOC team.
  • Near-zero false positive rate on detections.

The Future of Network Visibility in the City of San Diego

As is true in nearly all enterprises of this size, the City of San Diego continues to rapidly expand its network footprint, and more devices are being connected every day. With additional locations, networks, and endpoints comes additional risk.

“One of the great things about PacketSled is that I don’t need to pay to add a sensor. In about 15 minutes, I can add visibility with only a few clicks. The future of security is the cloud software stack, and PacketSled has it wired.”

The City of San Diego is intending on expanding its network visibility into more areas of the network as they come online in order to more effectively understand risk as it applies to various city departments and functions.

“The City of San Diego’s main goal is to create an environment where the mentality is "security first" and the partnership with PacketSled allows us to do just that.”

Chief Information Security Officer Darren Bennett

Security Operations and IR teams use PacketSled for:

  • Advanced Incident Detection. Fusing data from endpoint, threat intelligence, and files with immutable network truth to provide very high confidence detection.
  • Threat-Hunting. Using PacketSled’s natural language search and interactive visualizations to navigate the highest priority threats by killchain stage.
  • Security Information and Event Management (SIEM) Alert Validation. Obtaining context in seconds from SIEM alerts in order to determine the need to respond.
  • Incident Response. Using the prioritized data from PacketSled to orchestrate team actions and coordinate outcomes.