What is the meaning of Triage in Cybersec world?



I searched Google for this term, but the definitions that I found were related to the medical world, and nothing related to IT. I think that it is some kind of procedure for documenting something, maybe? Note that I heard this word for the first time in the SOC (Security Operations Center) where I am currently working.










terminology soc






edited 4 hours ago by schroeder

asked 6 hours ago by victor26567
  • It means the same thing, just applied to tech/business issues rather than medical issues.

    – Matthew Read
    3 hours ago

  • Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process triage. For example, Google uses this term in the Chromium project.

    – Fabio Turati
    2 hours ago
2 Answers
We just got reports that 4000 of our systems are infected with ransomware.



3000 are end users, 800 are non-critical servers, 200 are critical servers.



Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'



It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.



The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.






answered 6 hours ago by Adonalsium
  • Wow, thanks a lot. So, in brief, it is like prioritizing which systems you want to restore, because there are many of them, and you can't work with all of them at the same time, right?

    – victor26567
    5 hours ago

  • Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.

    – Adonalsium
    5 hours ago

  • Poor lil' Inspiron :(

    – Kyle Vassella
    4 hours ago
In addition to @adonalsium's fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.



A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.






answered 3 hours ago by John Deters
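The two answers above describe the two halves of SOC triage: ordering work by the productivity it returns and how likely the restore is to succeed (Adonalsium), and routing each event to the team that should pick it up first (John Deters). The following is an added example, not code from either answer, that puts both halves into one small Python routine. The asset tiers, tier weights, restore-likelihood numbers, team names and the sample events are all constructed for illustration; a real SOC would pull criticality and backup status from its asset inventory and the routing table from its playbooks.

```python
"""Toy SOC triage queue: prioritise events by expected productivity returned
per unit of restore effort, then route each to the team that should pick
it up first.

Added example, not code from either answer.  The asset tiers, weights,
restore-likelihood numbers, team names and the sample events are all
assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    tier: str              # assumed tiers: "critical-server", "server", "endpoint"
    users_affected: int    # how many people cannot work while it is down
    backup_verified: bool  # a tested backup makes a successful restore likely


@dataclass(frozen=True)
class Event:
    id: str
    kind: str   # assumed kinds: "ransomware", "ddos", "suspicious", "intrusion"
    asset: Asset


# Assumed business weight per asset tier: the 200 critical servers in the
# first answer outrank the 3000 end-user machines by a wide margin.
TIER_WEIGHT = {"critical-server": 100, "server": 20, "endpoint": 1}

# Assumed routing table, following the second answer's event-type-to-team mapping.
ROUTING = {
    "ransomware": "operations",          # isolate first, then restore
    "ddos": "network",                   # sink the garbage packets
    "suspicious": "generalist-queue",    # handled later by a generalist
    "intrusion": "incident-management",  # escalated immediately
}
ESCALATE_IMMEDIATELY = {"intrusion"}


def impact_score(asset: Asset) -> float:
    """Business impact weighted by how likely the restore is to succeed.

    Mirrors the ER reasoning in the first answer: spend effort where it
    returns the most productivity and is most likely to actually work.
    """
    restore_likelihood = 0.9 if asset.backup_verified else 0.3  # assumed values
    impact = TIER_WEIGHT[asset.tier] + asset.users_affected
    return impact * restore_likelihood


def route(event: Event) -> tuple[str, bool]:
    """Return (team, escalate_now); unknown kinds fall back to the generalist queue."""
    team = ROUTING.get(event.kind, "generalist-queue")
    return team, event.kind in ESCALATE_IMMEDIATELY


def triage(events: list[Event]) -> list[tuple[Event, str, bool]]:
    """Order events: escalations first, then by impact score, then by id for a stable order."""
    rows = [(ev, *route(ev)) for ev in events]
    rows.sort(key=lambda r: (not r[2], -impact_score(r[0].asset), r[0].id))
    return rows


def triage_order(events: list[Event]) -> list[str]:
    """Event ids in the order an analyst should work them."""
    return [ev.id for ev, _team, _esc in triage(events)]


def team_queues(events: list[Event]) -> dict[str, list[str]]:
    """Per-team work queues, each already in priority order."""
    queues: dict[str, list[str]] = {}
    for ev, team, _esc in triage(events):
        queues.setdefault(team, []).append(ev.id)
    return queues


# Constructed sample: a ransomware wave across all three tiers plus a few other event types.
SAMPLE_EVENTS = [
    Event("E1", "ransomware", Asset("inspiron-laptop-042", "endpoint", 1, True)),
    Event("E2", "ransomware", Asset("erp-db-01", "critical-server", 1200, True)),
    Event("E3", "ransomware", Asset("file-srv-07", "server", 150, False)),
    Event("E4", "ransomware", Asset("payroll-app-02", "critical-server", 400, False)),
    Event("E5", "ddos", Asset("edge-lb-01", "critical-server", 5000, True)),
    Event("E6", "suspicious", Asset("hr-laptop-113", "endpoint", 1, True)),
    Event("E7", "intrusion", Asset("jump-host-01", "server", 30, True)),
]

if __name__ == "__main__":
    for ev, team, esc in triage(SAMPLE_EVENTS):
        flag = "ESCALATE" if esc else f"score={impact_score(ev.asset):.1f}"
        print(f"{ev.id} {ev.kind:<11} {ev.asset.name:<20} -> {team:<20} {flag}")
```

Two design choices carry the point of the answers. Escalation bypasses scoring entirely, so the intrusion on the jump host is worked before anything else even though a DDoS on the edge load balancer affects far more people. Within the ransomware queue, the critical payroll server without a verified backup (E4) lands below the critical ERP database that has one (E2): that is the "work on the one you are more certain you can save" rule, and the little Inspiron still ends up at the back.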







