Tuesday’s Tip – Tombstones, Ransoms, and DLP

Tuesday, December 9, 2008 23:25
Posted in category Stories

I recently had an interesting meeting with someone looking to implement DLP.  During our conversation the director of security began talking about tombstones and ransom notes.  I listened, trying to figure out what the heck he was talking about… “Did I misunderstand him?  No.  There, he said it again.  He wants tombstones?  Ransom notes?”

I waited until he was finished talking to say anything.  It gave me enough time to reassure myself that: a) I wasn’t crazy.  He actually did say what I thought he said; and b) I had to suck it up and politely ask him WTF he was talking about.  Boy was I glad I did.

Like most organizations, this one was planning to discover its data at rest.  They wanted to scan their network and local shares to see what files contained confidential data.  Surprisingly there aren’t many DLP solutions that can do this well (See Commandments #1, 2, and 4).  There are even fewer that when they find confidential data can do something about it.  The other DLP vendors take the pig and lipstick approach: “If we slap DLP on the box it’ll look pretty and people like things that are pretty.”

The leading DLP solutions (see the Gartner MQ) are able to take action on data at rest.  Such actions include deleting the file, encrypting the file, changing the file’s rights and permissions, and/or moving it to a secure location.  So, for example, if a discovery process finds an Excel file on a laptop and that file contains a customer list and CCNs (a possible PCI violation), you can do something about it automatically.  Hmmm… Solve a problem - what a novel approach.

“I’m sorry, but what do you mean by tombstones and ransom notes?” I asked.  He replied, “When we discover a file containing confidential data I want to be able to either delete the file and leave a marker behind - a tombstone, or move the file somewhere else on my network and leave a marker behind - a ransom note.”  “Ha.  Of course,” I laughed. “What a perfect name for it.”

Dear user...

What he was asking for is done all the time.  I’d just never before heard it called that.  The tombstone is usually a text file with the same name as the original file.  In place of the original file’s contents, however, is a message to the user that typically reads something like:

“The file named customer.xls was found to contain confidential information and violated our data security and compliance policy.  It has been permanently deleted.

Please refer to the employee guide on data security and compliance located here or contact your administrator.”

For ransom notes the message is similar except it refers to the new, safe location of the document.

The reason you want to leave a tombstone or ransom note behind is to let the user(s) know why their file was deleted or moved.  Otherwise they’ll just think it went missing, call the helpdesk, and cause you and other people more work.
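The tombstone and ransom-note flow described above, as an added example that is not part of the original post or of any DLP product: a small data-at-rest remediation pass that scans a share, treats a Luhn-valid 13 to 16 digit number as the "contains CCNs" signal (my choice of classifier; the post does not say how the product detects them), and then either deletes the hit and writes a tombstone, or moves it to a quarantine directory and writes a ransom note pointing at the new location. The marker naming (original name with a .txt extension), the `demo()` helper and the sample files it builds in a temp directory are all constructed for the example.

```python
"""Toy DLP data-at-rest remediation: tombstones (delete + marker) and
ransom notes (move + marker).  Added example, not the post's own code."""
import re
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Loose candidate pattern: 13-16 digits with optional space/dash separators.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

# Marker text modelled on the wording quoted in the post.
TOMBSTONE = (
    "The file named {name} was found to contain confidential information and "
    "violated our data security and compliance policy.  It has been permanently deleted.\n\n"
    "Please refer to the employee guide on data security and compliance or contact your administrator.\n"
)
RANSOM_NOTE = (
    "The file named {name} was found to contain confidential information and "
    "violated our data security and compliance policy.  It has been moved to {dest}.\n\n"
    "Please refer to the employee guide on data security and compliance or contact your administrator.\n"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_ccn(path: Path) -> bool:
    """Assumed classifier: any Luhn-valid candidate in the file's text counts as a hit."""
    text = path.read_text(errors="ignore")
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CCN_RE.finditer(text))


def marker_path(original: Path) -> Path:
    """Marker keeps the original's name with a .txt extension (assumed convention)."""
    marker = original.with_suffix(".txt")
    if marker != original and marker.exists():   # don't clobber an unrelated file
        marker = original.with_name(original.name + ".txt")
    return marker


def remediate(root: Path, quarantine: Optional[Path] = None) -> list:
    """Scan root; with no quarantine dir delete hits (tombstone), else move them (ransom note)."""
    results = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if not contains_ccn(path):
            continue
        marker = marker_path(path)
        if quarantine is None:
            path.unlink()  # plain unlink; secure wiping is a separate concern
            marker.write_text(TOMBSTONE.format(name=path.name))
            results.append({"action": "deleted", "file": str(path), "marker": str(marker)})
        else:
            dest = quarantine / path.relative_to(root)  # keep relative path to avoid collisions
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(path), str(dest))
            marker.write_text(RANSOM_NOTE.format(name=path.name, dest=dest))
            results.append({"action": "moved", "file": str(path), "marker": str(marker), "dest": str(dest)})
    return results


def demo(mode: str) -> dict:
    """Build a constructed share in a temp dir, run one mode, and report what happened."""
    work = Path(tempfile.mkdtemp())
    share = work / "share"
    (share / "sales").mkdir(parents=True)
    # Constructed sample files: one real hit (the well-known Luhn-valid 4111... test
    # number), one near-miss that fails Luhn, and one clean file.  The .xls is plain text here.
    (share / "sales" / "customer.xls").write_text("Acme Corp, 4111 1111 1111 1111, net 30\n")
    (share / "notes.txt").write_text("ticket 4111111111111112 (fails Luhn)\n")
    (share / "README.md").write_text("Nothing sensitive here.\n")
    quarantine = work / "quarantine" if mode == "ransom" else None
    hits = remediate(share, quarantine)
    marker = share / "sales" / "customer.txt"
    report = {
        "hits": hits,
        "original_gone": not (share / "sales" / "customer.xls").exists(),
        "marker_text": marker.read_text() if marker.exists() else "",
        "remaining": sorted(p.name for p in share.rglob("*") if p.is_file()),
        "quarantined": sorted(str(p.relative_to(quarantine)) for p in quarantine.rglob("*") if p.is_file())
        if quarantine else [],
    }
    shutil.rmtree(work)
    return report


if __name__ == "__main__":
    for mode in ("tombstone", "ransom"):
        print(mode, demo(mode))
```

Running it shows the Luhn-valid file removed or quarantined, a `customer.txt` marker left in its place, and the near-miss and clean files untouched. The marker is a record for the user, not a security control: the rescanning and the quarantine location still need the permissions the post's "secure location" implies.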

Tombstones, ransom notes, and DLP - it all makes sense.  I’d always called them markers, but now they’ve got new names.


One Response to “Tuesday’s Tip – Tombstones, Ransoms, and DLP”

  1. CJ says:

    December 17th, 2008 at 11:35 am

    Very insightful, I hope tombstones and ransoms catch on.
    Nice thread!
