What is the meaning of Triage in Cybersec world?

I searched Google about this term, but the definitions that I found were related to the medical world, and nothing related to IT. I think that is some kind of procedure of documenting something maybe? Note that I heard this word for the first time in the SOC (Security Operations Center) where I am currently working.







terminology soc














edited 7 hours ago by schroeder










asked 9 hours ago by victor26567












  • It means the same thing, just applied to tech/business issues rather than medical issues.

    – Matthew Read
    6 hours ago











  • Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process triage. For example, Google uses this term in the Chromium project.

    – Fabio Turati
    5 hours ago











  • Just to add the definition: the assignment of degrees of urgency to wounds or illnesses to decide the order of treatment of a large number of patients or casualties. Now replace wound with a computer word and replace patient with server/workstation.

    – JPhi1618
    45 mins ago



























2 Answers
We just got reports that 4000 of our systems are infected with ransomware.

3000 are end users, 800 are non-critical servers, 200 are critical servers.

Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'

It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.

The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.

















answered 9 hours ago by Adonalsium












    • Wow, thanks a lot. So, in brief, it is like prioritizing which systems you want to restore, because there are many of them, and you can't work with all of them at the same time, right?

      – victor26567
      9 hours ago











    • Pretty much. It's just deciding what systems make the most sense to fix first, because you have limited resources.

      – Adonalsium
      8 hours ago






    • Poor lil' Inspiron :(

      – Kyle Vassella
      7 hours ago

















In addition to @adonalsium's fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.

A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.

















answered 6 hours ago by John Deters
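
The two answers above, put together as an added example that is not part of either original answer: a restore plan that spends a limited budget of technician-hours on the groups returning the most productivity per hour, plus the initial routing by event type. The group sizes come from the first answer; the scoring formula, the split of the critical servers, the per-machine numbers, the event-kind labels and the default route are assumptions made for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    count: int          # affected machines in this group
    users_blocked: int  # people unable to work while one machine is down
    hours_each: int     # technician-hours to restore one machine
    p_restore: float    # estimated chance that the restore succeeds

    @property
    def score(self) -> float:
        # Expected number of users put back to work per technician-hour.
        return self.p_restore * self.users_blocked / self.hours_each


# Group sizes follow the first answer (3000 + 800 + 200 = 4000). The split of
# the critical servers and every other number are constructed for illustration.
SAMPLE = [
    Group("end-user machine", 3000, 1, 2, 0.95),
    Group("non-critical server", 800, 40, 4, 0.90),
    Group("critical server, good backup", 190, 500, 6, 0.90),
    Group("critical server, backup damaged", 10, 500, 12, 0.10),
]


def plan(groups, budget_hours):
    """Greedy triage: highest score first until the hours run out.

    Returns (work, deferred): work is a list of (name, machines restored now),
    deferred maps name -> machines that have to wait.
    """
    work, deferred = [], {}
    remaining = budget_hours
    for g in sorted(groups, key=lambda g: g.score, reverse=True):
        n = min(g.count, remaining // g.hours_each)
        if n:
            work.append((g.name, n))
            remaining -= n * g.hours_each
        if n < g.count:
            deferred[g.name] = g.count - n
    return work, deferred


# Initial routing from the second answer: kind -> (team, escalate immediately?)
ROUTES = {
    "malware": ("operations", False),            # virus/ransomware: isolate host first
    "ddos": ("network", False),
    "suspicion": ("generalist queue", False),
    "intrusion": ("incident management", True),
}


def route(kind):
    # Assumption: an unrecognised kind still needs an owner, so it goes to
    # the generalist queue rather than being dropped.
    return ROUTES.get(kind, ("generalist queue", False))


if __name__ == "__main__":
    work, deferred = plan(SAMPLE, budget_hours=2000)
    for name, n in work:
        print(f"restore now: {n:5d} x {name}")
    for name, n in deferred.items():
        print(f"wait:        {n:5d} x {name}")
    # The critical servers with damaged backups rank below the non-critical
    # servers: a low chance of a successful restore outweighs their importance,
    # which is the ER reasoning from the first answer.
    print(route("intrusion"))
```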
