The City of San Diego

Tenable is enhancing security visibility and reducing risk exposure for the City of San Diego’s interconnected, far-reaching network — and saving the city about $1.3 million per year

San Diego, CA is recognized for its mild year-round climate, expansive Pacific coast beaches, deep coastal harbor and popular attractions like parks, museums, gardens and a world-famous zoo. Long associated with the U.S. Navy, which still maintains a large and active fleet, the city has gained recent recognition for its advancements in biotechnology and healthcare. Today, San Diego is home to nearly 1.4 million residents, making it the eighth largest city in the U.S.

Behind the scenes, the City of San Diego’s vast infrastructure includes a complex and wide-ranging enterprise IT system, which serves as its management, operations and communications lifeline. It is comprised of 24 distinct networks from 40 city departments, including parks and recreation, transportation, public safety, public works, sanitation, police and fire departments, as well as libraries, water and waste treatment facilities, municipal airports, cemeteries and dozens of other departments and service providers. In addition, a number of departments operate network connected point-of-sale terminals, requiring that they maintain and demonstrate Payment Card Industry Data Security Standards (PCI DSS) compliance.

In 2013, Gary Hayslip joined the City of San Diego as a Deputy IT director and its first chief information security officer, charged with building the city’s first cyber security program. What he initially discovered was an intricate, interconnected mix of old and new technologies — a very different experience from his previous cybersecurity management roles with the Department of Defense and U.S. Navy.

While Hayslip was able to implement many best practices, such as adopting the NIST Cybersecurity Framework and controls to establish a security baseline, he had to significantly adapt his approach in order to manage cybersecurity for a major city — and its unique goals and challenges. Cities must costefficiently and effectively deliver essential, operational, management, maintenance and quality of life services 24 hours a day. At the same time, they must ensure the privacy and security of their integrated technologies and the enormous amounts of network data they contain. Network breaches can significantly impact city operations and data, resulting in information and financial loss, service disruptions and more.

And they are also businesses that run 24 hours a day, every day. “The City of San Diego is a $4 billion business that never shuts down,” noted Hayslip. “We needed to figure out how to address all of its security threats and risks without interfering with how it provides services.”

His initial challenge was deciding how to deal with the technology and applications developed over decades to monitor, control, automate and deliver city services — everything from new cloud technologies and Intelligent smart city infrastructure, such as automated transportation systems, street lighting, traffic control and public transportation, to PowerBuilder applications and other programs built more than a dozen years ago.

“City networks are massive — they’re like hoarders,” he joked, explaining that cities don’t often get rid of older or outdated programs, especially if they still work, delivering services and providing value to citizens. But sometimes, there’s no way to protect the data in legacy programs. “For example, when many of these programs were created years ago, they weren’t encrypted because no one was thinking about the risk.”

Now they are.

To fully understand what his team needed to protect, Hayslip embarked on a due diligence mission to meet the city’s key network stakeholders and learn about their data, programs and applications. “That took quite a while, but it really helped me understand the vastness of the technology and what I was dealing with,” he recalled.

He then performed a comprehensive inventory and assessment — quite a challenge to achieve without asset visibility, network maps or tools to adequately evaluate and manage overall risk exposure. In addition, with a network facing nearly a whopping one million cyberattacks a day — and a security team consisting of just eight IT professionals — Hayslip knew he needed a platform that could quickly and effectively provide a unified view of network security and risk, without disrupting the city’s daily business operations. It also had to integrate with the city’s existing infrastructure, while having the scalability to support its future growth.

Quite a tall order, indeed.

“With a large enterprise like this, I needed to have data at my fingertips,” he recalls. Tenable sprang to mind right away, thanks to his familiarity with the company and its products from his previous position at the Department of Defense. “I had already worked with Nessus and SecurityCenter Continuous View (CV), as did many members of my team, and I really liked the passive scanning piece. I was also very interested in its new components — I could tell that the solution had matured.”

Hayslip considered other solutions besides Tenable, but they didn’t provide the same combination of features, capabilities, scalability and cost-effective pricing. He also chose not to pursue open source solutions. “When you have a small staff, you don’t have time to maintain and care for open source programs — you need to find a platform that’s already built, easy to run and able to quickly meet all of your requirements,” he explained.

In mid-2014, the City of San Diego selected Tenable SecurityCenter CV as its continuous monitoring platform and installed it with a license for over 12,000 IP addresses. Integrated with the Nessus vulnerability scanner, the Tenable solution delivers a centralized and integrated view of the city’s vulnerability status across its far-flung network.

“I knew Nessus was flexible and my team could go ahead and start using it with no issues. It was quick and easy for us to set up, and with a little training, we were able to start doing scans and gain complete visibility into our network.”

What are some of the other reasons they chose Tenable? “When you’re getting service tickets but you don’t have visibility into your network, you don’t really know what is happening. With Nessus, we have continuous visibility and actionable context, so we can tell the bigger story from a security perspective. Nessus gives us an enterprise view and enables us to test our assumptions on whether we’re secure or still at risk,” he explained.

Hayslip is also a fan of the platform’s multifaceted features, which enable end users to utilize different types of technology and data and perform a variety of actions. “It’s like a digital Swiss army knife,” he added.

SecurityCenter CV’s unique sensors and advanced analytics continuously scan, monitor and prioritize network threats, enabling the city’s IT team to quickly and remotely remediate issues. That saves the team valuable time and manpower, and frees them up to focus on other critical issues.

Hayslip and his team run daily scans to monitor and assess inventory network traffic and data from all sources — including thousands of mobile and other BYOD devices — to identify misconfigured devices, compliance issues and missing or outdated patches in real time. They also perform PCI scans and send them to Tenable for analysis to ensure compliance. And to demonstrate network status, they can quickly create custom reports for city stakeholders, IT leaders and third-party vendors.

By delivering a comprehensive and continuous view of the city’s security posture across its enterprise network, Tenable has already helped reduce the City of San Diego’s threat exposure — and save it more than $1.3 million per year.

“Previously, we averaged about 200 infected machines per month, each costing about $600 in lost productivity. Today we average about 35. In addition to saving our IT department time and money, Tenable has helped us build a flexible, streamlined security program that reduces our attack surface,” he said.

What does the future hold for the City of San Diego? The thriving city is on target for continued growth — and that includes behind the scenes as well. The city currently has numerous staffers logging in remotely through VPN connections, and is planning to renew its Tenable subscription with a 50% increase in IP addresses. It is also moving into mobile and is using cloud-based solutions to host its vast stores of data.

“We are a 24/7/365 business, and you can’t run a network of this size without expanding into a cloud environment,” noted Hayslip, adding that Tenable solutions strategically dovetail with his five year plans. “Nessus provides our baseline of valid network information, it provides an enterprise-wide view of what's going on. It’s just a good fit.”

Hayslip is now talking to Tenable about a cloud-based solution, which offers vulnerability management capabilities, scalability and enterprise user-support, and is a PCI approved scanning vendor (ASV) solution.

“As we continue to grow, we’re becoming a much bigger target for the bad guys, and Tenable is instrumental in helping us stay ahead of the threats,” he said. So with all of the many features and capabilities the company provides, what does he consider most important? His response is quick. “Tenable helps me sleep at night.”