What is the meaning of Triage in Cybersec world? The 2019 Stack Overflow Developer Survey Results Are InWhat are the most relevant security events/incidents any company should monitor?BitLocker : Update Volume Master Key and meaning of “keyed” vs “re-keyed”What is the difference between data and information when it comes to Data Security?Does “assesse” have a particular meaning in information security?What is the meaning of “me” in ipfw rules?What exactly is the meaning of 'trojan' and 'rootkit'?What is the difference between Compliance and Auditing in Information Security?What is the difference between a SIEM and a SOC?What is a “security bod”?What is a Security Guideline and how does it stand in relation with Standards, Policies, Procedures?
Is three citations per paragraph excessive for undergraduate research paper?
What are the motivations for publishing new editions of an existing textbook, beyond new discoveries in a field?
"To split hairs" vs "To be pedantic"
aging parents with no investments
What is the use of option -o in the useradd command?
How can I create a character who can assume the widest possible range of creature sizes?
Output the Arecibo Message
Is flight data recorder erased after every flight?
If a poisoned arrow's piercing damage is reduced to 0, do you still get poisoned?
What is the steepest angle that a canal can be traversable without locks?
How to change the limits of integration
Time travel alters history but people keep saying nothing's changed
Why do UK politicians seemingly ignore opinion polls on Brexit?
Access elements in std::string where positon of string is greater than its size
"What time...?" or "At what time...?" - what is more grammatically correct?
Extreme, unacceptable situation and I can't attend work tomorrow morning
Should I use my personal or workplace e-mail when registering to external websites for work purpose?
Why is it "Tumoren" and not "Tumore"?
Realistic Alternatives to Dust: What Else Could Feed a Plankton Bloom?
Are there any other methods to apply to solving simultaneous equations?
Idiomatic way to prevent slicing?
Is "plugging out" electronic devices an American expression?
Limit the amount of RAM Mathematica may access?
"Riffle" two strings
What is the meaning of Triage in Cybersec world?
The 2019 Stack Overflow Developer Survey Results Are InWhat are the most relevant security events/incidents any company should monitor?BitLocker : Update Volume Master Key and meaning of “keyed” vs “re-keyed”What is the difference between data and information when it comes to Data Security?Does “assesse” have a particular meaning in information security?What is the meaning of “me” in ipfw rules?What exactly is the meaning of 'trojan' and 'rootkit'?What is the difference between Compliance and Auditing in Information Security?What is the difference between a SIEM and a SOC?What is a “security bod”?What is a Security Guideline and how does it stand in relation with Standards, Policies, Procedures?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I searched Google about this term, but the definitions that I found was related to the medical world, and nothing related to IT. I think that is some kind of procedure of documenting something maybe? Note that I heard this word for the first time in the SOC (Security Operations Center) that I am currently working.
terminology soc
add a comment |
I searched Google about this term, but the definitions that I found was related to the medical world, and nothing related to IT. I think that is some kind of procedure of documenting something maybe? Note that I heard this word for the first time in the SOC (Security Operations Center) that I am currently working.
terminology soc
It means the same thing, just applied to tech/business issues rather than medical issues.
– Matthew Read
4 hours ago
Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process triage. For example, Google uses this term in the Chromium project.
– Fabio Turati
2 hours ago
add a comment |
I searched Google about this term, but the definitions that I found was related to the medical world, and nothing related to IT. I think that is some kind of procedure of documenting something maybe? Note that I heard this word for the first time in the SOC (Security Operations Center) that I am currently working.
terminology soc
I searched Google about this term, but the definitions that I found was related to the medical world, and nothing related to IT. I think that is some kind of procedure of documenting something maybe? Note that I heard this word for the first time in the SOC (Security Operations Center) that I am currently working.
terminology soc
terminology soc
edited 5 hours ago
schroeder♦
78.8k30175211
78.8k30175211
asked 6 hours ago
victor26567victor26567
461
461
It means the same thing, just applied to tech/business issues rather than medical issues.
– Matthew Read
4 hours ago
Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process triage. For example, Google uses this term in the Chromium project.
– Fabio Turati
2 hours ago
add a comment |
It means the same thing, just applied to tech/business issues rather than medical issues.
– Matthew Read
4 hours ago
Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process triage. For example, Google uses this term in the Chromium project.
– Fabio Turati
2 hours ago
It means the same thing, just applied to tech/business issues rather than medical issues.
– Matthew Read
4 hours ago
It means the same thing, just applied to tech/business issues rather than medical issues.
– Matthew Read
4 hours ago
Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process triage. For example, Google uses this term in the Chromium project.
– Fabio Turati
2 hours ago
Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process triage. For example, Google uses this term in the Chromium project.
– Fabio Turati
2 hours ago
add a comment |
2 Answers
2
active
oldest
votes
We just got reports that 4000 of our systems are infected with ransomeware.
3000 are end users, 800 are non-critical servers, 200 are critical servers.
Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'
It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.
The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.
wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?
– victor26567
6 hours ago
Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.
– Adonalsium
6 hours ago
2
Poor lil' Inspiron :(
– Kyle Vassella
4 hours ago
add a comment |
In addition to @adonalsium ‘s fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.
A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207100%2fwhat-is-the-meaning-of-triage-in-cybersec-world%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
We just got reports that 4000 of our systems are infected with ransomeware.
3000 are end users, 800 are non-critical servers, 200 are critical servers.
Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'
It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.
The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.
wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?
– victor26567
6 hours ago
Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.
– Adonalsium
6 hours ago
2
Poor lil' Inspiron :(
– Kyle Vassella
4 hours ago
add a comment |
We just got reports that 4000 of our systems are infected with ransomeware.
3000 are end users, 800 are non-critical servers, 200 are critical servers.
Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'
It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.
The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.
wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?
– victor26567
6 hours ago
Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.
– Adonalsium
6 hours ago
2
Poor lil' Inspiron :(
– Kyle Vassella
4 hours ago
add a comment |
We just got reports that 4000 of our systems are infected with ransomeware.
3000 are end users, 800 are non-critical servers, 200 are critical servers.
Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'
It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.
The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.
We just got reports that 4000 of our systems are infected with ransomeware.
3000 are end users, 800 are non-critical servers, 200 are critical servers.
Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'
It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.
The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.
answered 6 hours ago
AdonalsiumAdonalsium
3,5011721
3,5011721
wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?
– victor26567
6 hours ago
Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.
– Adonalsium
6 hours ago
2
Poor lil' Inspiron :(
– Kyle Vassella
4 hours ago
add a comment |
wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?
– victor26567
6 hours ago
Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.
– Adonalsium
6 hours ago
2
Poor lil' Inspiron :(
– Kyle Vassella
4 hours ago
wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?
– victor26567
6 hours ago
wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?
– victor26567
6 hours ago
Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.
– Adonalsium
6 hours ago
Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.
– Adonalsium
6 hours ago
2
2
Poor lil' Inspiron :(
– Kyle Vassella
4 hours ago
Poor lil' Inspiron :(
– Kyle Vassella
4 hours ago
add a comment |
In addition to @adonalsium ‘s fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.
A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.
add a comment |
In addition to @adonalsium ‘s fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.
A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.
add a comment |
In addition to @adonalsium ‘s fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.
A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.
In addition to @adonalsium ‘s fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.
A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.
answered 4 hours ago
John DetersJohn Deters
28.9k34392
28.9k34392
add a comment |
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207100%2fwhat-is-the-meaning-of-triage-in-cybersec-world%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
It means the same thing, just applied to tech/business issues rather than medical issues.
– Matthew Read
4 hours ago
Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process triage. For example, Google uses this term in the Chromium project.
– Fabio Turati
2 hours ago