What is the meaning of Triage in Cybersec world?
I searched Google about this term, but the definitions that I found were related to the medical world, and nothing related to IT. I think that it is some kind of procedure of documenting something maybe? Note that I heard this word for the first time in the SOC (Security Operations Center) where I am currently working.
terminology soc
edited 3 hours ago by schroeder♦
asked 5 hours ago by victor26567
It means the same thing, just applied to tech/business issues rather than medical issues.
– Matthew Read
2 hours ago
Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process triage. For example, Google uses this term in the Chromium project.
– Fabio Turati
1 hour ago
2 Answers
We just got reports that 4000 of our systems are infected with ransomware.
3000 are end users, 800 are non-critical servers, 200 are critical servers.
Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'
It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.
The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.
answered 5 hours ago by Adonalsium
Wow, thanks a lot. So, in brief, it is like prioritizing which systems you want to restore, because there are many of them, and you can't work with all of them at the same time, right?
– victor26567
5 hours ago
Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.
– Adonalsium
4 hours ago
2
Poor lil' Inspiron :(
– Kyle Vassella
3 hours ago
In addition to @adonalsium's fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.
A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.
answered 2 hours ago by John Deters
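The prioritization and routing described in the two answers above, as an added example that is not part of the original posts. The team names follow the second answer; the `Report` fields, the scoring formula, the per-team hours budget and the sample hosts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Routing from the second answer; the queue names themselves are illustrative.
ROUTES = {
    "ransomware": "operations",          # isolate the host first
    "virus": "operations",
    "ddos": "network",                   # sink the garbage packets
    "intrusion": "incident-management",  # escalate immediately
    "suspicion": "generalist-queue",     # handled later
}

@dataclass
class Report:
    host: str
    category: str
    users_affected: int    # people who cannot work while the host is down
    restore_chance: float  # estimated probability the restore succeeds (0..1)
    effort_hours: float    # estimated hands-on time to restore

def route(report):
    """Pick the team for a report; unknown categories go to a generalist."""
    return ROUTES.get(report.category, "generalist-queue")

def score(report):
    """Assumed metric: expected users returned to work per hour of effort."""
    return report.users_affected * report.restore_chance / report.effort_hours

def triage(reports, hours_per_team):
    """Route each report, then fill each team's hours budget best-score first.

    Hosts that do not fit in the remaining budget are deferred; a lower-scored
    host can still be taken if it fits the hours that are left.
    """
    plan = {}
    for r in sorted(reports, key=score, reverse=True):
        slot = plan.setdefault(route(r), {"now": [], "deferred": [], "hours": 0.0})
        if slot["hours"] + r.effort_hours <= hours_per_team:
            slot["now"].append(r.host)
            slot["hours"] += r.effort_hours
        else:
            slot["deferred"].append(r.host)
    return plan

# Constructed sample reports (not real hosts or measurements).
SAMPLE = [
    Report("inspiron-17", "ransomware", 1, 0.9, 2.0),   # single-user laptop
    Report("file-02", "ransomware", 60, 0.9, 3.0),      # non-critical server
    Report("db-01", "ransomware", 900, 0.8, 6.0),       # critical server
    Report("edge-gw", "ddos", 400, 0.7, 2.0),
    Report("vpn-01", "intrusion", 200, 0.5, 8.0),
    Report("helpdesk-ticket", "suspicion", 1, 1.0, 1.0),
]

if __name__ == "__main__":
    for team, slot in triage(SAMPLE, hours_per_team=10).items():
        print(f"{team}: now={slot['now']} deferred={slot['deferred']}")
```

With a 10-hour budget per team, the operations queue takes the critical and non-critical servers and leaves the single-user laptop deferred.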