DoD Zero Trust Focuses on Insider Threats
Recent expert discussions emphasize that the DoD's Zero Trust strategy is zeroing in on insider threats, treating them as a human problem as much as a technical one. Countering them requires continuous validation of user access and dynamic risk scoring: a move away from 'set-and-forget' configuration toward a state of constant vigilance.
The DoD's Zero Trust Strategy, published in November 2022, mandates department-wide implementation of "target level" Zero Trust by the end of fiscal year 2027, a deadline set because traditional perimeter-based security has proven insufficient against sophisticated nation-state actors. Dave McKeown, DoD Deputy CIO for Cybersecurity, has emphasized that the department is now in the execution phase, working toward the 91 activities that the strategy defines as target-level Zero Trust.
At the core of the strategy are seven pillars: User, Device, Applications and Workloads, Data, Network/Environment, Visibility and Analytics, and Automation and Orchestration. The User pillar is foundational. It replaces location-based trust (you are on the network, so you are trusted) with a model in which identity is the new perimeter and every access request is verified, every time. In practice this means Identity and Access Management (IAM), Privileged Access Management (PAM), and multi-factor authentication working together to enforce least privilege.
For a Splunk engineer, the User pillar translates into detection rules that baseline normal activity per user and flag deviations from it. The data sources to ingest are authentication logs, file and database access logs, and VPN logs; the patterns to look for include logins at abnormal times, unusual volumes of data access, and bursts of failed logins. Enriching these events with threat intelligence feeds lets an internal anomaly be correlated with an external indicator, for example a login from an IP address an external feed has already flagged.
Dynamic risk scoring is what turns these individual detections into continuous validation. Instead of a single authentication decision at login, each user and device carries a risk score that is updated as behavior, location, and device health change. When the score crosses a threshold, an automated response fires: a step-up multi-factor prompt at a lower threshold, a block at a higher one. Two practical caveats: contributions to the score should age out over a time window, so that one stale anomaly does not permanently lock a user out, and the thresholds must be tuned against the baselines actually observed, or the result is alert fatigue rather than vigilance. Either way, this is a significant shift from static, perimeter-based trust.
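The following is an added example, written for this page rather than taken from DoD guidance or from Splunk, of the baseline-and-deviate detection logic and dynamic risk scoring described above, run over a handful of constructed log events. The per-user baselines, the threat-intelligence indicator set, the risk weights, the thresholds, and the 24-hour decay window are all assumptions chosen for illustration; a real deployment would derive the baselines from weeks of authentication and file-access logs and tune the weights against them.

```python
"""Baseline-and-deviate risk scoring over constructed authentication and
file-access events. Added example for the detection logic described above;
it is not DoD or Splunk code. The baselines, log records, threat-intel set,
weights and thresholds are all constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed per-user baseline: hours at which each user normally logs in, and
# bytes read per day over a training period. In production these come from
# weeks of authentication and file/database access logs.
BASELINE_HOURS = {
    "alice": {8, 9, 10, 11, 13, 14, 15, 16, 17},
    "bob": {7, 8, 9, 12, 13, 14, 15, 16},
    "carol": {9, 10, 11, 12, 13, 14, 15, 16, 17},
}
BASELINE_DAILY_BYTES = {
    "alice": [1_200_000, 900_000, 1_500_000, 1_100_000, 1_300_000],
    "bob": [300_000, 250_000, 400_000, 350_000, 280_000],
}
THREAT_INTEL_IPS = {"203.0.113.45"}  # constructed external indicator feed

# Weights and thresholds are assumptions for the example, not DoD-mandated values.
WEIGHTS = {"off_hours_login": 20, "failed_login_burst": 30,
           "data_volume_anomaly": 40, "threat_intel_match": 50}
MFA_THRESHOLD, BLOCK_THRESHOLD = 50, 80
FAILED_LOGIN_BURST, FAILED_LOGIN_WINDOW = 5, timedelta(minutes=10)
RISK_WINDOW = timedelta(hours=24)  # contributions older than this age out


def respond(score):
    """Map a risk score to the automated response the text describes."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= MFA_THRESHOLD:
        return "require_mfa"
    return "allow"


def score_events(events):
    """Process events in time order; return {user: (score, action, reasons)}.

    Each event has ts (ISO 8601), user, src_ip and event_type in
    {login_success, login_failure, file_read}; file_read also carries bytes.
    """
    if not events:
        return {}
    contributions = defaultdict(list)  # user -> [(ts, points, reason)]
    failures = defaultdict(list)       # user -> recent failed-login timestamps
    daily_bytes = defaultdict(int)     # (user, date) -> running bytes read
    seen_ioc = set()                   # (user, src_ip) pairs already scored

    def add(user, ts, reason):
        contributions[user].append((ts, WEIGHTS[reason], reason))

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user, etype = datetime.fromisoformat(ev["ts"]), ev["user"], ev["event_type"]

        # Enrichment: correlate the internal event with an external indicator,
        # scoring each (user, source IP) pair once rather than once per event.
        ip = ev.get("src_ip")
        if ip in THREAT_INTEL_IPS and (user, ip) not in seen_ioc:
            seen_ioc.add((user, ip))
            add(user, ts, "threat_intel_match")

        if etype == "login_failure":
            failures[user] = [t for t in failures[user] if ts - t <= FAILED_LOGIN_WINDOW]
            failures[user].append(ts)
            if len(failures[user]) == FAILED_LOGIN_BURST:  # fires once per burst
                add(user, ts, "failed_login_burst")
        elif etype == "login_success":
            if ts.hour not in BASELINE_HOURS.get(user, set()):
                add(user, ts, "off_hours_login")
        elif etype == "file_read":
            key = (user, ts.date())
            before = daily_bytes[key]
            daily_bytes[key] += ev["bytes"]
            hist = BASELINE_DAILY_BYTES.get(user)
            if hist:
                limit = mean(hist) + 3 * pstdev(hist)  # mean + 3 sigma of the baseline
                if before <= limit < daily_bytes[key]:  # fires when the day first exceeds it
                    add(user, ts, "data_volume_anomaly")

    # Score "as of" the latest event; older contributions decay out of the window.
    now = max(datetime.fromisoformat(e["ts"]) for e in events)
    result = {}
    for user in {e["user"] for e in events}:
        live = [(p, r) for t, p, r in contributions[user] if now - t <= RISK_WINDOW]
        score = sum(p for p, _ in live)
        result[user] = (score, respond(score), sorted({r for _, r in live}))
    return result


# Constructed sample events (UTC). Bob's sequence mimics stolen credentials used
# from a known-bad IP; Alice's off-hours login three days earlier has aged out.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T23:30:00", "user": "alice", "src_ip": "10.1.2.3", "event_type": "login_success"},
    {"ts": "2024-03-04T09:02:00", "user": "alice", "src_ip": "10.1.2.3", "event_type": "login_success"},
    {"ts": "2024-03-04T09:10:00", "user": "alice", "src_ip": "10.1.2.3", "event_type": "file_read", "bytes": 600_000},
    *[{"ts": f"2024-03-04T02:1{i}:00", "user": "bob", "src_ip": "203.0.113.45", "event_type": "login_failure"} for i in range(5, 10)],
    {"ts": "2024-03-04T02:20:00", "user": "bob", "src_ip": "203.0.113.45", "event_type": "login_success"},
    {"ts": "2024-03-04T02:30:00", "user": "bob", "src_ip": "203.0.113.45", "event_type": "file_read", "bytes": 5_000_000},
    *[{"ts": f"2024-03-03T22:0{i}:00", "user": "carol", "src_ip": "10.4.5.6", "event_type": "login_failure"} for i in range(5)],
    {"ts": "2024-03-03T22:05:00", "user": "carol", "src_ip": "10.4.5.6", "event_type": "login_success"},
]

if __name__ == "__main__":
    for user, (score, action, reasons) in sorted(score_events(SAMPLE_EVENTS).items()):
        print(f"{user:6} score={score:3} action={action:12} reasons={reasons}")
```

On the sample data Bob accumulates all four contributions (140) and is blocked, Carol's burst of failures plus an off-hours login reaches exactly the step-up threshold (50) and is prompted for MFA, and Alice scores 0 because her only anomaly is outside the decay window. In Splunk Enterprise Security the same pattern is risk-based alerting: individual risk rules write a risk_score and risk_object to the risk index, and a risk incident rule sums the scores per object over a time window before raising a notable, which is where the thresholds above would live.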