What is the meaning of Triage in Cybersec world? The 2019 Stack Overflow Developer Survey...
Falsification in Math vs Science
Limit the amount of RAM Mathematica may access?
Should I write numbers in words or as numerals when there are multiple next to each other?
JSON.serialize: is it possible to suppress null values of a map?
Is domain driven design an anti-SQL pattern?
Idiomatic way to prevent slicing?
Is bread bad for ducks?
How to create dashed lines/arrows in Illustrator
Does light intensity oscillate really fast since it is a wave?
If a poisoned arrow's piercing damage is reduced to 0, do you still get poisoned?
Patience, young "Padovan"
Why don't Unix/Linux systems traverse through directories until they find the required version of a linked library?
Geography at the pixel level
Realistic Alternatives to Dust: What Else Could Feed a Plankton Bloom?
Spanish for "widget"
In microwave frequencies, do you use a circulator when you need a (near) perfect diode?
Time travel alters history but people keep saying nothing's changed
Are USB sockets on wall outlets live all the time, even when the switch is off?
What is the motivation for a law requiring 2 parties to consent for recording a conversation
Unbreakable Formation vs. Cry of the Carnarium
Confusion about non-derivable continuous functions
What tool would a Roman-age civilization have to grind silver and other metals into dust?
Springs with some finite mass
Any good smartcontract for "business calendar" oracles?
What is the meaning of Triage in Cybersec world?
The 2019 Stack Overflow Developer Survey Results Are InWhat are the most relevant security events/incidents any company should monitor?BitLocker : Update Volume Master Key and meaning of “keyed” vs “re-keyed”What is the difference between data and information when it comes to Data Security?Does “assesse” have a particular meaning in information security?What is the meaning of “me” in ipfw rules?What exactly is the meaning of 'trojan' and 'rootkit'?What is the difference between Compliance and Auditing in Information Security?What is the difference between a SIEM and a SOC?What is a “security bod”?What is a Security Guideline and how does it stand in relation with Standards, Policies, Procedures?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
I searched Google about this term, but the definitions that I found was related to the medical world, and nothing related to IT. I think that is some kind of procedure of documenting something maybe? Note that I heard this word for the first time in the SOC (Security Operations Center) that I am currently working.
terminology soc
edited 4 hours ago
schroeder♦
78.8k30175211
asked 6 hours ago
victor26567victor26567
461
add a comment |
I searched Google about this term, but the definitions that I found was related to the medical world, and nothing related to IT. I think that is some kind of procedure of documenting something maybe? Note that I heard this word for the first time in the SOC (Security Operations Center) that I am currently working.
terminology soc
edited 4 hours ago
schroeder♦
78.8k30175211
asked 6 hours ago
victor26567victor26567
461
It means the same thing, just applied to tech/business issues rather than medical issues.
– Matthew Read
3 hours ago
Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process triage. For example, Google uses this term in the Chromium project.
– Fabio Turati
2 hours ago
add a comment |
I searched Google about this term, but the definitions that I found was related to the medical world, and nothing related to IT. I think that is some kind of procedure of documenting something maybe? Note that I heard this word for the first time in the SOC (Security Operations Center) that I am currently working.
terminology soc
edited 4 hours ago
schroeder♦
78.8k30175211
asked 6 hours ago
victor26567victor26567
461
I searched Google about this term, but the definitions that I found was related to the medical world, and nothing related to IT. I think that is some kind of procedure of documenting something maybe? Note that I heard this word for the first time in the SOC (Security Operations Center) that I am currently working.
terminology soc
terminology soc
edited 4 hours ago
schroeder♦
78.8k30175211
asked 6 hours ago
victor26567victor26567
461
edited 4 hours ago
schroeder♦
78.8k30175211
asked 6 hours ago
victor26567victor26567
461
edited 4 hours ago
schroeder♦
78.8k30175211
edited 4 hours ago
schroeder♦
78.8k30175211
edited 4 hours ago
schroeder♦
78.8k30175211
78.8k30175211
asked 6 hours ago
victor26567victor26567
461
asked 6 hours ago
victor26567victor26567
461
asked 6 hours ago
victor26567victor26567
461
461
It means the same thing, just applied to tech/business issues rather than medical issues.
– Matthew Read
3 hours ago
Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process triage. For example, Google uses this term in the Chromium project.
– Fabio Turati
2 hours ago
add a comment |
It means the same thing, just applied to tech/business issues rather than medical issues.
– Matthew Read
3 hours ago
Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process triage. For example, Google uses this term in the Chromium project.
– Fabio Turati
2 hours ago
It means the same thing, just applied to tech/business issues rather than medical issues.
– Matthew Read
3 hours ago
It means the same thing, just applied to tech/business issues rather than medical issues.
– Matthew Read
3 hours ago
Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process triage. For example, Google uses this term in the Chromium project.
– Fabio Turati
2 hours ago
Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process triage. For example, Google uses this term in the Chromium project.
– Fabio Turati
2 hours ago
add a comment |
2 Answers
2
active
oldest
votes
We just got reports that 4000 of our systems are infected with ransomeware.
3000 are end users, 800 are non-critical servers, 200 are critical servers.
Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'
It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.
The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.
answered 6 hours ago
AdonalsiumAdonalsium
3,5011721
wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?
– victor26567
5 hours ago
Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.
– Adonalsium
5 hours ago
2
Poor lil' Inspiron :(
– Kyle Vassella
4 hours ago
add a comment |
In addition to @adonalsium ‘s fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.
A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.
answered 3 hours ago
John DetersJohn Deters
28.9k34392
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207100%2fwhat-is-the-meaning-of-triage-in-cybersec-world%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
We just got reports that 4000 of our systems are infected with ransomeware.
3000 are end users, 800 are non-critical servers, 200 are critical servers.
Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'
It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.
The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.
answered 6 hours ago
AdonalsiumAdonalsium
3,5011721
wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?
– victor26567
5 hours ago
Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.
– Adonalsium
5 hours ago
2
Poor lil' Inspiron :(
– Kyle Vassella
4 hours ago
add a comment |
We just got reports that 4000 of our systems are infected with ransomeware.
3000 are end users, 800 are non-critical servers, 200 are critical servers.
Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'
It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.
The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.
answered 6 hours ago
AdonalsiumAdonalsium
3,5011721
wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?
– victor26567
5 hours ago
Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.
– Adonalsium
5 hours ago
2
Poor lil' Inspiron :(
– Kyle Vassella
4 hours ago
add a comment |
We just got reports that 4000 of our systems are infected with ransomeware.
3000 are end users, 800 are non-critical servers, 200 are critical servers.
Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'
It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.
The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.
answered 6 hours ago
AdonalsiumAdonalsium
3,5011721
We just got reports that 4000 of our systems are infected with ransomeware.
3000 are end users, 800 are non-critical servers, 200 are critical servers.
Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'
It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.
The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.
answered 6 hours ago
AdonalsiumAdonalsium
3,5011721
answered 6 hours ago
AdonalsiumAdonalsium
3,5011721
answered 6 hours ago
AdonalsiumAdonalsium
3,5011721
answered 6 hours ago
AdonalsiumAdonalsium
3,5011721
3,5011721
wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?
– victor26567
5 hours ago
Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.
– Adonalsium
5 hours ago
2
Poor lil' Inspiron :(
– Kyle Vassella
4 hours ago
add a comment |
wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?
– victor26567
5 hours ago
Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.
– Adonalsium
5 hours ago
2
Poor lil' Inspiron :(
– Kyle Vassella
4 hours ago
wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?
– victor26567
5 hours ago
wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?
– victor26567
5 hours ago
Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.
– Adonalsium
5 hours ago
Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.
– Adonalsium
5 hours ago
2
2
Poor lil' Inspiron :(
– Kyle Vassella
4 hours ago
Poor lil' Inspiron :(
– Kyle Vassella
4 hours ago
add a comment |
In addition to @adonalsium ‘s fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.
A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.
answered 3 hours ago
John DetersJohn Deters
28.9k34392
add a comment |
In addition to @adonalsium ‘s fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.
A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.
answered 3 hours ago
John DetersJohn Deters
28.9k34392
add a comment |
In addition to @adonalsium ‘s fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.
A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.
answered 3 hours ago
John DetersJohn Deters
28.9k34392
In addition to @adonalsium ‘s fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.
A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.
answered 3 hours ago
John DetersJohn Deters
28.9k34392
answered 3 hours ago
John DetersJohn Deters
28.9k34392
answered 3 hours ago
John DetersJohn Deters
28.9k34392
answered 3 hours ago
John DetersJohn Deters
28.9k34392
28.9k34392
add a comment |
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207100%2fwhat-is-the-meaning-of-triage-in-cybersec-world%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
It means the same thing, just applied to tech/business issues rather than medical issues.
– Matthew Read
3 hours ago
Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process triage. For example, Google uses this term in the Chromium project.
– Fabio Turati
2 hours ago