The devastating cyberattack that hit Sony Pictures Entertainment at the end of 2014 caused some consternation in the upper reaches of the UK government as well as in the boardrooms of companies in the creative industries.

Then Chancellor of the Exchequer George Osborne, who had sought to boost the appeal of the British film and TV industry with lucrative tax breaks, asked his treasury team if the high standing of the production and post-production sectors were at risk of being hit by an equivalent attack.

That worrisome thinking spun downwards, and soon after IBC 2015 government-funded innovation agency Innovate UK struck a 50% funding deal with five London VFX and technology companies.

Sony attack

In November 2014, a hacking group which called itself the Guardians of Peace released confidential data from Sony Pictures including unreleased films, emails and salary details.

Interview

 

The group is thought to have accessed Sony’s systems using malware. It then demanded Sony pull The Interview, a comedy about a plot to assassinate the leader of North Korea. North Korea denied US allegations that that it was behind the attack.

Double Negative, Framestore, Sohonet, MPC and Milk agreed to work together to create a new content security protocol to be known as CISE: Creative Industry Security Environment to provide reassurance to Hollywood studios and coverage for large VFX houses when they sub-contract smaller facilities.

Double Negative Chief Technology Officer (CTO) Graham Jack took on the role of project lead and was the main link to Innovate UK’s grant project sponsor and to Wavecrest, which put the grant application together.

The other members of the team were Framestore CTO Steve MacPherson, MPC Director of Technology Nick Cannon, Sohonet CTO Ben Roeder and Milk Head of Systems Dave Goodbourn.

Digital immune system

CISE is described by Innovate UK as “a project to create a cross-industry digital security environment with an extensible, pluggable framework, to protect the UK’s companies making movies, TV, commercials, games, on-line and immersive media” by creating “a ‘digital immune system’ for media companies, which will constantly watch for and warn against both internal and external security threats, tailor security systems automatically to meet client requirements and threat levels, and immediately shut down and repair systems should any breach occur”.

The plan was to complete CISE by the end of 2016, basing it partly on the security regimes run by giant companies like Facebook, Spotify and Netflix.

“[Netflix] operates such a huge network in handling so much valuable content that they are a good role model,” said Jack. “We have taken inspiration from those big players, but in some areas we have done our own thing.”

At the end of the second quarter MPC suddenly quit the project. “When we lost MPC we took the decision to extend the project by three months to make up the slack,” said Jack.

“Regarding the money that was allocated to MPC, we spread that validation and integration work out across the remaining partners.”

Test networks and firewalls

Jack explained that the project was split into two parts. “There is the monitoring and then the finally executed templates. We built a proof of concept, in fact a whole load of test networks: we had a software defined test network that we started off with, and then we started using that with real hardware – Dell and Sonicwall firewalls.

“Now, we’ve got something that can analyse the set of rules from firewalls or switch and turn it into a high level description of what can access what, and go the other way,” he added.

“So you can look at your kit, you analyse that and see what your access control is. Or you can define your access control in language and then translate that into something you then potentially use to configure.”

In terms of the development, Jack said the hardest aspects related to selecting a high level description that was sufficiently flexible whilst also being “robust and logical enough that we can actually run analysis of it”.

He added: “Part of what we wanted to be able to do is to run a proofer, so you can logically prove that it does what you want it to. And that was something that was really challenging – finding the right fit for that.”

Had Sohonet completed some work in that area already?

“They had done some work in terms of the pure configuration side, but not really in terms of going between different representations of that configuration, and certainly not in the area of being able to prove that configuration,” said Jack.

“So that was the bit that was new research really. Sub-contractor Neil Harris did a lot of that work, because we did not have the resources, and that sort of work is Neil’s specialty.

“Software engineer Al Crate here at Double Negative did a lot of the work setting up the test network, being able to pull those configurations out, and being able to run the testing of the network. That could then be fed into the work that Neil had done with the logic programming part of it.”

Distributed workforce

Part of the project had its roots in helping facilities contend with managing a distributed workforce. “One of the things Framestore contributed was the monitoring of VPN connections and VPN connection failures, so they can start to get a sense of who is logging in from where,” said Jack.

“So if we do move to that more decentralised structure that work would support it. It would be able to monitor the security across a large range of connections coming from many different places.”

The CISE team spoke to security teams from US studios and we talked in detail about the project with Universal and Paramount.

“They both supported the CISE project from afar, and have been working on similar ideas internally,” said Jack. “The monitoring part of it is a daily fact of life now. We the partners are running the monitoring stack that was mostly put together by Sohonet.

“It has been really valuable to some of the partners, and a couple of them found security holes that they were not aware of. What was good for us was that when talking to some of the studio security teams I was able to say we have been running this and we have not had any breaches. Our network is as secure as we say it is.

”Milk, who we often sub-contract to, are running it now and are secure. It is a good way of showing that there is this ecosystem, or supply chain, within London……the biggest benefit really has just been running the monitoring on a real network, all our traffic, and seeing there isn’t anything untoward or unexpected. It gives you confidence when you are talking to the people from the studios.”

Spreading the word

CISE project lead and Double Negative CTO Graham Jack explained that much of the initiative’s work is now available as an open source project on GitHub.

A whitepaper has also been published, and Sohonet is working on a managed product that can be marketed to other facilities.

“Most of the dissemination to the wider audience is going through Sohonet. For them CISE is a product they can sell, but for us it is more something that we can use to back up our security when we have to go through the studios,” said Jack.

He added that the CISE team is keen to talk to the Motion Picture Association of America (MPAA) about standardisation and wider ratification.

“[MPAA] may wish to turn it into more of a standard but we have not, as part of the project, attempted too much to define what the standard is…by the end of the project we had got something that was a good proof of concept, and I think we have got more work that we can do to really make that useful in terms of configuring real networks.

”There are lots of things that we can build onto the monitoring side, on the machine learning point of that.

”We did show that there was pretty good accuracy there in terms of classifying malicious traffic, but that needs to be turned into something that could be really integrated as part of the monitoring service.

“So yes, there is quite a lot of additional work. Framestore has some really good ideas about extending CISE into things that are not just security, verifying other aspects of configuration.”