NetApp and Cisco Take Ransomware Response to Storage

NetApp and Cisco have expanded their collaboration with a new security playbook for Splunk SOAR that aims to accelerate responses to ransomware attacks from an often critical layer: the storage where corporate data resides.

The solution connects security signals gathered by Splunk with direct actions on NetApp ONTAP environments, enabling teams to contain threats, limit data loss, and reduce response time when a potential incident is detected. The announcement reinforces a clear trend in enterprise cybersecurity: backups and storage are no longer solely passive repositories but active components of defense and recovery.

Storage takes on an active role in automated response

The new playbook, NetApp Splunk Security Orchestration, Automation, and Response (SOAR), enables Splunk SOAR workflows to execute actions on NetApp ONTAP systems during incident response.

These actions include blocking a suspicious user, creating data snapshots, or disconnecting volumes to prevent the spread of infection. In a ransomware attack, such measures can be the difference between containing the incident and allowing an outbreak that affects critical applications.

Splunk Enterprise Security was already integrated with NetApp Ransomware Resilience to gather data layer analysis, improve incident classification, and help prioritize alerts. With this new playbook, that visibility is transformed into automated action capabilities.

The key is to narrow the window between detection and containment. When an attack advances in minutes, relying solely on manual processes can leave too much damage in its wake. Automation does not replace human oversight but helps execute predefined responses faster and more consistently.

Ransomware, AI, and less time to respond

NetApp and Cisco position this launch within a context of increasingly fast and sophisticated attacks, also driven by malicious actors’ use of artificial intelligence. In this scenario, organizations need to respond before encryption or data exfiltration reach critical systems.

Sandeep Singh, senior vice president and general manager of Platform at NetApp, noted that response times have been reduced and that companies must act immediately upon threat detection. His message indicates a shift: security must extend into storage, where the data targeted for encryption, theft, or blocking resides.

David Dalling, Cisco’s senior vice president of Splunk Security, highlighted that effective strategies require visibility and action across the entire tech stack, including the data layer. With the integration of Splunk SOAR and NetApp ONTAP, storage now becomes part of the response loop, no longer outside the security teams’ scope of work.

This also impacts internal coordination. In many organizations, security and storage teams operate with different tools, priorities, and languages. A shared playbook can help bridge this gap and facilitate more coordinated responses during incidents.

Cyber resilience beyond backups

This announcement fits into a broader view of cyber resilience. Protecting data means more than just having backups. It also involves detecting anomalous behaviors, isolating affected assets, maintaining recovery points, restoring quickly, and ensuring business continuity.

Automated responses can improve metrics like Mean Time to Contain (MTTC) and reduce the manual workload for teams. This is particularly important for large organizations with hybrid environments, multi-cloud setups, massive data volumes, and complex attack surfaces.

For NetApp, collaborating with Cisco and Splunk reinforces its positioning as a provider of intelligent data infrastructure. For Cisco, which completed the acquisition of Splunk, it broadens its security and observability offerings into a critical part of enterprise infrastructure.

The NetApp and Splunk SOAR playbook is now available for download on Splunkbase. Its effectiveness will depend on how each organization integrates it into response processes, storage policies, and recovery plans. While it is not a standalone ransomware solution, it is a useful component of a layered defense strategy.

In a time when attacks aim to shut down entire operations, the ability to act directly on data may prove as crucial as threat detection. Recovery begins well before restoring a backup—it starts when you prevent the attack from escalating.

FAQs

What have NetApp and Cisco announced?
They announced a NetApp and Splunk SOAR playbook that automates response actions directly on NetApp ONTAP storage during ransomware incidents.

What actions can the playbook perform?
It can block suspicious users, create data snapshots, and disconnect volumes to limit the infection’s spread.

Why is acting on storage important?
Because it’s where critical data resides. Involving storage in response enables organizations to contain attacks earlier and reduce the risk of mass data loss or encryption.
