What is the meaning of Triage in Cybersec world?

41

I searched Google about this term, but the definitions that I found were related to the medical world, and nothing related to IT. I think that is some kind of procedure of documenting something maybe? Note that I heard this word for the first time in the SOC (Security Operations Center) where I am currently working.

terminology soc

edited Apr 9 at 20:52 – schroeder
asked Apr 9 at 19:27 – victor26567

  • 8
    It means the same thing, just applied to tech/business issues rather than medical issues.
    – Matthew Read
    Apr 9 at 21:45

  • 3
    Not related to cybersec, but the term "triage" can also be used in software development: if a user reports a bug by opening a ticket in the bug tracker, someone must check whether it can be reproduced, what team it should be assigned to, and its severity or priority (that is, how disruptive it is and how urgent it is to fix: is it critical, normal, negligible...?). Some call this process triage. For example, Google uses this term in the Chromium project.
    – Fabio Turati
    Apr 9 at 23:38

  • 2
    Just to add the definition: the assignment of degrees of urgency to wounds or illnesses to decide the order of treatment of a large number of patients or casualties. Now replace wound with a computer word and replace patient with server/workstation.
    – JPhi1618
    Apr 10 at 3:58

  • There was an Arabic website for hackers called something like "TrYaG AlArab", but it was shut down about 9 years ago; your question just reminded me of this website. This same word exists in the Arabic language also, but it comes with the meaning "medicine".
    – AccountantM
    Apr 10 at 6:45

















3 Answers

75

We just got reports that 4000 of our systems are infected with ransomware.

3000 are end users, 800 are non-critical servers, 200 are critical servers.

Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'

It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.

The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.






answered Apr 9 at 19:33 – Adonalsium

  • 2
    Wow, thanks a lot. So, in brief, it is like prioritizing which systems you want to restore, because there are many of them, and you can't work with all of them at the same time, right?
    – victor26567
    Apr 9 at 19:39

  • 35
    Poor lil' Inspiron :(
    – Kyle Vassella
    Apr 9 at 21:10

  • 6
    In the modern medical world I think there is very little "letting one go so the other might live" - it's more about making the person with a broken leg wait (they probably won't die in the meantime) while they fix the unconscious person who's been knifed (who probably will).
    – Martin Bonner
    Apr 10 at 17:18

  • 8
    @MartinBonner Then assume by 'doctor' I meant 'battlefield medic'. :)
    – Adonalsium
    Apr 10 at 18:18

  • 4
    @MartinBonner it depends on the context; usually there is time to provide some assistance to everyone and it is just a matter of avoiding that you do not fail to provide care to the urgent cases because you are dealing with the non-urgent ones (you just will not get 400 heart attacks at the same time at a hospital). But if there are suddenly lots of critical cases (for example, after an earthquake or other disaster) then the part about deciding who is too injured to survive (and hence a drain of much needed resources) may kick in.
    – SJuan76
    Apr 10 at 20:19



















14














In addition to Adonalsium's fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.



A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.






  • Worth noting that this can also be an ongoing process. Alerts are always numerous, so an initial sift, sort, and send is typically conducted by one person, while the rest of the team deep dives into the issues raised.

    – Jozef Woods
    Apr 10 at 7:26
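
The two answers above describe prioritization and routing, and the comment sums it up as sift, sort and send. The following Python sketch of that flow is an added example, not code from any of the posters; the score formula, queue names, field names and sample hosts are assumptions made for illustration.

```python
from dataclasses import dataclass

# Routing from the second answer above; the queue names are labels made up for this example.
ROUTES = {
    "ransomware": "operations",
    "virus": "operations",
    "ddos": "network",
    "intrusion": "incident-management",
    "suspicion": "generalist-queue",
}
DEFAULT_ROUTE = "generalist-queue"  # assumption: unknown event kinds wait for a generalist


@dataclass(frozen=True)
class Alert:
    host: str
    kind: str
    users_affected: int        # productivity returned if this system comes back
    restore_confidence: float  # analyst estimate, 0.0 to 1.0, that restoration succeeds


def score(alert):
    """Expected productivity returned: the first answer's two criteria multiplied."""
    if not 0.0 <= alert.restore_confidence <= 1.0:
        raise ValueError(f"restore_confidence out of range for {alert.host}")
    return alert.users_affected * alert.restore_confidence


def triage(alerts, capacity):
    """Sift, sort and send; returns (work_now, deferred) as lists of (host, team)."""
    # Sift: several alerts for the same host and kind are one piece of work.
    # Keep the highest-scoring report of each.
    unique = {}
    for a in alerts:
        key = (a.host, a.kind.lower())
        if key not in unique or score(a) > score(unique[key]):
            unique[key] = a
    # Sort: highest expected return first; host name breaks ties deterministically.
    ranked = sorted(unique.values(), key=lambda a: (-score(a), a.host))
    # Send: attach the owning team, then split at what the responders can handle now.
    routed = [(a.host, ROUTES.get(a.kind.lower(), DEFAULT_ROUTE)) for a in ranked]
    return routed[:capacity], routed[capacity:]


# Constructed sample input, not data from the page.
SAMPLE = [
    Alert("erp-db-01", "ransomware", 1200, 0.9),
    Alert("inspiron-4417", "ransomware", 1, 0.95),
    Alert("file-srv-07", "ransomware", 300, 0.5),
    Alert("erp-db-01", "Ransomware", 1200, 0.6),   # duplicate report, lower estimate
    Alert("edge-fw-02", "ddos", 4000, 0.2),
    Alert("hr-laptop-09", "odd-popup", 1, 1.0),    # kind with no route defined
]

if __name__ == "__main__":
    now, later = triage(SAMPLE, capacity=3)
    for host, team in now:
        print(f"NOW    {host:15} -> {team}")
    for host, team in later:
        print(f"LATER  {host:15} -> {team}")
```

With a capacity of three, the single-user laptops end up in the deferred list even though their restore confidence is the highest in the sample.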


















7














In addition to the other great answers, the term triage is also used in the bug bounty bug report process to mean the process of initially reproducing the issue and assigning a priority to it.

Triage

The process of validating a vulnerability submission from raw submission to a valid, easily digestible report.

Source: https://www.bugcrowd.com/resources/glossary/triage/

Or when talking about various states of a reported bug:

Triaged: A submission that may be valid, but needs to be reviewed again and validated.

Source: https://docs.bugcrowd.com/docs/submission-status

The term is used in a similar context by HackerOne as well (though they have fewer states for a submission, so this covers more than the same-name state by BugCrowd):

Triaged - The report is evaluated but hasn't been resolved. It is in the state of being fixed.

Source: https://docs.hackerone.com/hackers/report-states.html






share|improve this answer























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "162"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207100%2fwhat-is-the-meaning-of-triage-in-cybersec-world%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    3 Answers
    3






    active

    oldest

    votes








    3 Answers
    3






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    75














    We just got reports that 4000 of our systems are infected with ransomeware.



    3000 are end users, 800 are non-critical servers, 200 are critical servers.



    Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'



    It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.



    The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.






    share|improve this answer


















    • 2





      wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?

      – victor26567
      Apr 9 at 19:39






    • 35





      Poor lil' Inspiron :(

      – Kyle Vassella
      Apr 9 at 21:10






    • 6





      In the modern medical world I think there is very little "letting one go so the other might live" - it's more about making the person with a broken leg wait (they probably won't die in the meantime) while they fix the unconscious person who's been knifed (who probably will).

      – Martin Bonner
      Apr 10 at 17:18






    • 8





      @MartinBonner Then assume by 'doctor' I meant 'battlefield medic'. :)

      – Adonalsium
      Apr 10 at 18:18






    • 4





      @MartinBonner it depends of the context, usually there is time to provide some assistance to everyone and it is just a matter of avoiding that you do not fail to provide care to the urgent cases because you are dealing with the non-urgent ones (you just will not get 400 hearts attacks at the same time at an hospital). But if there are suddenly lots of critical cases (for example, after an earthquake or other disaster) then the part about deciding who is too injured to survive (and hence a drain of much needed resources) may kick in.

      – SJuan76
      Apr 10 at 20:19
















    75














    We just got reports that 4000 of our systems are infected with ransomeware.



    3000 are end users, 800 are non-critical servers, 200 are critical servers.



    Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'



    It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.



    The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.






    share|improve this answer


















    • 2





      wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?

      – victor26567
      Apr 9 at 19:39






    • 35





      Poor lil' Inspiron :(

      – Kyle Vassella
      Apr 9 at 21:10






    • 6





      In the modern medical world I think there is very little "letting one go so the other might live" - it's more about making the person with a broken leg wait (they probably won't die in the meantime) while they fix the unconscious person who's been knifed (who probably will).

      – Martin Bonner
      Apr 10 at 17:18






    • 8





      @MartinBonner Then assume by 'doctor' I meant 'battlefield medic'. :)

      – Adonalsium
      Apr 10 at 18:18






    • 4





      @MartinBonner it depends of the context, usually there is time to provide some assistance to everyone and it is just a matter of avoiding that you do not fail to provide care to the urgent cases because you are dealing with the non-urgent ones (you just will not get 400 hearts attacks at the same time at an hospital). But if there are suddenly lots of critical cases (for example, after an earthquake or other disaster) then the part about deciding who is too injured to survive (and hence a drain of much needed resources) may kick in.

      – SJuan76
      Apr 10 at 20:19














    75












    75








    75







    We just got reports that 4000 of our systems are infected with ransomeware.



    3000 are end users, 800 are non-critical servers, 200 are critical servers.



    Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'



    It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.



    The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.






    share|improve this answer













    We just got reports that 4000 of our systems are infected with ransomeware.



    3000 are end users, 800 are non-critical servers, 200 are critical servers.



    Triage is looking at this mess and deciding which order to start restoring systems in. We can't tackle them all at once, so we have to look at some and say 'Sorry, little Inspiron that couldn't, you get to sit there and be useless for a while.'



    It comes from the medical world, as you've stated. It's the same reasoning as an ER doctor looking at two patients and deciding to work on the one that they're more certain they can save. You let one go, as hard as it may be, so that the other might live. If you'd worked on the worse injured person, it's possible they both would have died.



    The difference in the security world is that often it's dollars lost due to users being unable to work, rather than literal life and death. You work on the systems that you are most likely to be able to restore, and that will return the largest amount of productivity to the environment. You leave the individual laptops that only affect a single user to the side, for now.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Apr 9 at 19:33









    AdonalsiumAdonalsium

    3,90611121




    3,90611121







    • 2





      wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?

      – victor26567
      Apr 9 at 19:39






    • 35





      Poor lil' Inspiron :(

      – Kyle Vassella
      Apr 9 at 21:10






    • 6





      In the modern medical world I think there is very little "letting one go so the other might live" - it's more about making the person with a broken leg wait (they probably won't die in the meantime) while they fix the unconscious person who's been knifed (who probably will).

      – Martin Bonner
      Apr 10 at 17:18






    • 8





      @MartinBonner Then assume by 'doctor' I meant 'battlefield medic'. :)

      – Adonalsium
      Apr 10 at 18:18






    • 4





      @MartinBonner it depends of the context, usually there is time to provide some assistance to everyone and it is just a matter of avoiding that you do not fail to provide care to the urgent cases because you are dealing with the non-urgent ones (you just will not get 400 hearts attacks at the same time at an hospital). But if there are suddenly lots of critical cases (for example, after an earthquake or other disaster) then the part about deciding who is too injured to survive (and hence a drain of much needed resources) may kick in.

      – SJuan76
      Apr 10 at 20:19













    • 2





      wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?

      – victor26567
      Apr 9 at 19:39






    • 35





      Poor lil' Inspiron :(

      – Kyle Vassella
      Apr 9 at 21:10






    • 6





      In the modern medical world I think there is very little "letting one go so the other might live" - it's more about making the person with a broken leg wait (they probably won't die in the meantime) while they fix the unconscious person who's been knifed (who probably will).

      – Martin Bonner
      Apr 10 at 17:18






    • 8





      @MartinBonner Then assume by 'doctor' I meant 'battlefield medic'. :)

      – Adonalsium
      Apr 10 at 18:18






    • 4





      @MartinBonner it depends of the context, usually there is time to provide some assistance to everyone and it is just a matter of avoiding that you do not fail to provide care to the urgent cases because you are dealing with the non-urgent ones (you just will not get 400 hearts attacks at the same time at an hospital). But if there are suddenly lots of critical cases (for example, after an earthquake or other disaster) then the part about deciding who is too injured to survive (and hence a drain of much needed resources) may kick in.

      – SJuan76
      Apr 10 at 20:19








    2




    2





    wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?

    – victor26567
    Apr 9 at 19:39





    wow, thanks a lot. So, in brief, it is like prioritize which systems you want to restore, because there are many of them, and you cant work with all of them at the same time, right?

    – victor26567
    Apr 9 at 19:39




    35




    35





    Poor lil' Inspiron :(

    – Kyle Vassella
    Apr 9 at 21:10





    Poor lil' Inspiron :(

    – Kyle Vassella
    Apr 9 at 21:10




    6




    6





    In the modern medical world I think there is very little "letting one go so the other might live" - it's more about making the person with a broken leg wait (they probably won't die in the meantime) while they fix the unconscious person who's been knifed (who probably will).

    – Martin Bonner
    Apr 10 at 17:18





    In the modern medical world I think there is very little "letting one go so the other might live" - it's more about making the person with a broken leg wait (they probably won't die in the meantime) while they fix the unconscious person who's been knifed (who probably will).

    – Martin Bonner
    Apr 10 at 17:18




    8




    8





    @MartinBonner Then assume by 'doctor' I meant 'battlefield medic'. :)

    – Adonalsium
    Apr 10 at 18:18





    @MartinBonner Then assume by 'doctor' I meant 'battlefield medic'. :)

    – Adonalsium
    Apr 10 at 18:18




    4




    4





    @MartinBonner it depends of the context, usually there is time to provide some assistance to everyone and it is just a matter of avoiding that you do not fail to provide care to the urgent cases because you are dealing with the non-urgent ones (you just will not get 400 hearts attacks at the same time at an hospital). But if there are suddenly lots of critical cases (for example, after an earthquake or other disaster) then the part about deciding who is too injured to survive (and hence a drain of much needed resources) may kick in.

    – SJuan76
    Apr 10 at 20:19






    14














    In addition to Adonalsium's fine answer regarding prioritization, the triage step will include the initial routing of the event to the people best suited to handle it.



    A virus or ransomware attack would go to the operations team who would first isolate the computer to minimize collateral damage. A DDoS attack may go to the network team to start sinking the garbage packets. A report of suspicion may get placed in a queue for a generalist to handle later. Evidence of an intrusion may get escalated immediately to the Incident Management team.






    edited Apr 10 at 18:35









    yoozer8

    answered Apr 9 at 21:56









    John Deters

    • Worth noting that this can also be an ongoing process. Alerts are always numerous, so an initial sift, sort, and send is typically conducted by one person, while the rest of the team deep dives into the issues raised.

      – Jozef Woods
      Apr 10 at 7:26
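
The routing in John Deters' answer and the "sift, sort, and send" pass from the comment, as an added example that is not part of the original posts. The category keys, queue names, urgency levels, the duplicate rule and the `critical_hosts` parameter are assumptions made for illustration.

```python
import heapq
from collections import defaultdict

# Destinations follow the answer above; the category keys, queue names and
# first-action strings are assumptions made for this example.
ROUTES = {
    "virus": ("operations", "isolate host"),
    "ransomware": ("operations", "isolate host"),
    "ddos": ("network", "sink traffic"),
    "suspicion": ("generalist-queue", "review later"),
    "intrusion": ("incident-management", "escalate immediately"),
}
# Constructed urgency levels (0 is handled first); not taken from the page.
URGENCY = {"intrusion": 0, "ransomware": 1, "virus": 1, "ddos": 2, "suspicion": 4}
UNKNOWN_URGENCY = 3
UNKNOWN_ROUTE = ("generalist-queue", "classify manually")

# Constructed sample alerts, in arrival order.
SAMPLE_ALERTS = [
    {"host": "ws-114", "category": "suspicion"},
    {"host": "fw-edge", "category": "ddos"},
    {"host": "ws-022", "category": "ransomware"},
    {"host": "ws-022", "category": "ransomware"},   # repeat of the same event
    {"host": "db-01", "category": "intrusion"},
    {"host": "db-01", "category": "virus"},
    {"host": "ws-300", "category": "usb-policy"},   # category with no route
]


def triage(alerts, critical_hosts=frozenset()):
    """Return {team: [(priority, host, category, first_action), ...]} in handling order."""
    seen, heap = set(), []
    for seq, alert in enumerate(alerts):
        key = (alert["host"], alert["category"])
        if key in seen:              # sift: collapse repeats for one host/category
            continue
        seen.add(key)
        prio = URGENCY.get(alert["category"], UNKNOWN_URGENCY)
        if alert["host"] in critical_hosts:
            prio = max(0, prio - 1)  # critical assets move up one level
        heapq.heappush(heap, (prio, seq, alert))  # seq keeps arrival order on ties
    queues = defaultdict(list)
    while heap:                      # sort: most urgent first
        prio, _, alert = heapq.heappop(heap)
        team, action = ROUTES.get(alert["category"], UNKNOWN_ROUTE)
        queues[team].append((prio, alert["host"], alert["category"], action))  # send
    return dict(queues)


if __name__ == "__main__":
    for team, items in triage(SAMPLE_ALERTS, critical_hosts={"db-01"}).items():
        print(team, items)
```

Alerts with an unrecognised category are not dropped; they land in the generalist queue so that a person classifies them.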

















    7














    In addition to the other great answers, the term triage is also used in the bug bounty bug report process to mean the process of initially reproducing the issue and assigning a priority to it.

    Triage

    The process of validating a vulnerability submission from raw submission to a valid, easily digestible report.

    Source: https://www.bugcrowd.com/resources/glossary/triage/

    Or when talking about various states of a reported bug:

    Triaged: A submission that may be valid, but needs to be reviewed again and validated.

    Source: https://docs.bugcrowd.com/docs/submission-status

    The term is used in a similar context by HackerOne as well (though they have fewer states for a submission, so this covers more than the same-name state by BugCrowd):

    Triaged - The report is evaluated but hasn't been resolved. It is in the state of being fixed.

    Source: https://docs.hackerone.com/hackers/report-states.html






        answered Apr 10 at 15:56









        Torin42


























