Maryland Launches Modular Zero Trust Framework

Maryland has launched a modular Zero Trust framework with an 18-month phased rollout, providing a potential blueprint for federal and DoD compliance. The approach lets agencies prioritize the riskiest pillars first—like User & Identity and Devices—and emphasizes continuous validation and evidence gathering for reporting.

Maryland's cybersecurity modernization is anchored in the NIST Cybersecurity Framework (CSF) 2.0, with a significant emphasis on the new "Govern" function. This alignment ties cybersecurity policy directly to enterprise risk management, a foundational concept for demonstrating compliance to federal and DoD partners. The state's 31-module framework is structured in a three-tiered hierarchy: 100-level governance policies, 200-level functional policies, and 300-level technical standards that align with NIST SP 800-53 Rev. 5.

For detection engineers, this tiered structure provides a clear roadmap for implementation. The "Identification & Authentication Standard," for instance, maps directly to the DoD's User pillar. That mapping lets teams build specific Splunk detection rules and dashboards that provide continuous validation of user identities, a core tenet of the "never trust, always verify" model Maryland has adopted.

To meet DoD Zero Trust objectives for the User pillar, focus on detecting anomalous access patterns. A crucial detection is "impossible travel," which can indicate compromised credentials. The following SPL query is a simple first cut: it flags any user with successful logons from more than one country within the search window, which is a proxy for travel faster than is physically possible (a stricter rule would also compare the time between the two logons against the distance):

`index=* (sourcetype=windows_security OR sourcetype=linux_auth) EventCode=4624 | iplocation src_ip | stats dc(Country) as country_count, values(Country) as countries by user | where country_count > 1`

Another key detection is brute-force attempts, which can be surfaced by counting failed authentications per user and source address:

`index=* (sourcetype=windows_security OR sourcetype=linux_auth) | search (EventCode=4625 OR (action="failure" AND user!="root")) | stats count by user, src_ip | sort -count`

These rules provide the evidence-gathering capability that Maryland's framework and DoD compliance demand. A dedicated Splunk dashboard for "DoD User & Identity Compliance" should be created to visualize these detection rules and other relevant metrics. Key panels would include "Privileged Accounts in Use," "Privileged Account Usage Over Time," and "Impossible Travel Alerts." This dashboard can be added to the Splunk Enterprise Security menu for easy access by security operations teams. The "Access over time by app" and "Access over time by action" panels from the Access Center dashboard in Splunk ES can also be incorporated to give a comprehensive view of authentication events.

Splunk User Behavior Analytics (UBA) is a powerful tool for maturing beyond basic detection rules. UBA uses machine learning to baseline normal user behavior and detect deviations that could indicate an insider threat or a compromised account. This matters for DoD compliance because it helps identify sophisticated, low-and-slow techniques that simple correlation searches may miss. Threats detected by UBA can be forwarded automatically to Splunk ES as notable events, integrating them into the existing incident response workflow.

For multi-client environments, a multi-tenant Splunk architecture is essential. The best practice is to create unique indexes for each customer (e.g., `customer_a_windows`, `customer_b_firewall`) to ensure data segregation. Role-based access controls can then be applied to these indexes so that clients can only view their own data. For managed security service providers (MSSPs), architecting separate Splunk stacks for each customer can mitigate many of the risks associated with shared resources in a multi-tenant environment.

To enhance threat detection, integrate threat intelligence feeds that focus on adversaries targeting the Defense Industrial Base (DIB). Look for feeds that provide indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) for Advanced Persistent Threats (APTs) known to target the defense sector, such as those with a China-nexus. These feeds can be integrated into Splunk ES to enrich security events and add context for investigations. This proactive approach aligns with the principles of CMMC 2.0, which is increasingly intertwined with Zero Trust strategies for protecting controlled unclassified information (CUI).
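The two User-pillar detections described above, implemented in Python over constructed authentication events so the logic can be exercised offline. This is an added example, not code from the article, from Maryland's framework, or from Splunk; the geo table, the TEST-NET addresses, the user names, the 900 km/h speed ceiling and the failure threshold are all assumptions. Unlike the `dc(Country) > 1` search in the text, `impossible_travel` also uses the time between consecutive logons, which is what separates a real impossible-travel alert from a user who simply logged in from two countries a week apart.

```python
"""Added example (not from the article or Maryland's framework): impossible-travel
and brute-force detection over constructed auth events. The GEO table stands in
for Splunk's iplocation command; all addresses are RFC 5737 TEST-NET ranges."""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed IP -> (country, lat, lon) lookup; a stand-in for `iplocation`.
GEO = {
    "203.0.113.10": ("US", 38.97, -76.50),   # Annapolis, MD (TEST-NET-3)
    "198.51.100.7": ("DE", 52.52, 13.41),    # Berlin (TEST-NET-2)
    "192.0.2.44":   ("US", 39.29, -76.61),   # Baltimore, MD (TEST-NET-1)
}

# Constructed events: (UTC timestamp, user, src_ip, success). Assumed data.
EVENTS = [
    ("2024-05-01T08:00:00Z", "jsmith", "203.0.113.10", True),
    ("2024-05-01T09:30:00Z", "jsmith", "198.51.100.7", True),   # Berlin 90 min later
    ("2024-05-01T08:05:00Z", "adoe", "203.0.113.10", True),
    ("2024-05-01T10:00:00Z", "adoe", "192.0.2.44", True),       # Annapolis -> Baltimore
] + [("2024-05-01T11:%02d:00Z" % i, "svc_backup", "198.51.100.7", False)
     for i in range(12)]                                        # 12 failures, one source

MAX_SPEED_KMH = 900.0      # assumed ceiling: faster than an airliner is "impossible"
BRUTE_FORCE_THRESHOLD = 10  # assumed: failures per (user, src_ip) worth alerting on


def haversine_km(lat1, lon1, lat2, lon2, radius_km=6371.0):
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * radius_km * asin(sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return {user: [(prev_ip, ip, km, hours, kmh), ...]} for consecutive successful
    logons whose implied ground speed exceeds max_speed_kmh."""
    by_user = defaultdict(list)
    for ts, user, ip, ok in sorted(events, key=lambda e: e[0]):
        if ok and ip in GEO:                      # only successful, geolocatable logons
            by_user[user].append((parse_ts(ts), ip))
    alerts = defaultdict(list)
    for user, logins in by_user.items():
        for (t0, ip0), (t1, ip1) in zip(logins, logins[1:]):
            _, la0, lo0 = GEO[ip0]
            _, la1, lo1 = GEO[ip1]
            km = haversine_km(la0, lo0, la1, lo1)
            hours = max((t1 - t0).total_seconds() / 3600, 1 / 3600)  # floor at 1 s
            kmh = km / hours
            if kmh > max_speed_kmh:
                alerts[user].append((ip0, ip1, round(km), round(hours, 2), round(kmh)))
    return dict(alerts)


def failed_logins(events, threshold=BRUTE_FORCE_THRESHOLD):
    """Equivalent of `stats count by user, src_ip | sort -count`, keeping only
    pairs at or above the threshold. Returns [(user, src_ip, count), ...]."""
    counts = defaultdict(int)
    for _, user, ip, ok in events:
        if not ok:
            counts[(user, ip)] += 1
    return sorted(((u, ip, n) for (u, ip), n in counts.items() if n >= threshold),
                  key=lambda r: -r[2])


if __name__ == "__main__":
    for user, hits in impossible_travel(EVENTS).items():
        for prev_ip, ip, km, hours, kmh in hits:
            print(f"IMPOSSIBLE TRAVEL {user}: {prev_ip} -> {ip}, {km} km in {hours} h ({kmh} km/h)")
    for user, ip, n in failed_logins(EVENTS):
        print(f"BRUTE FORCE {user} from {ip}: {n} failures")
```

In production the same logic lives in SPL, typically `streamstats` over `_time` and the `lat`/`lon` fields that `iplocation` emits, with the speed ceiling tuned to the organisation's travel profile; the Python version is only here to make the two rules' behaviour concrete on data you can inspect.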

Shared from Scout - Be the smartest in the room.