Ellen Nakashima reports to the Washington Post that "The National Security Agency is working with Internet service providers to deploy a new generation of tools to scan e-mail and other digital traffic with the goal of thwarting cyberattacks against defense firms by foreign adversaries, senior defense and industry officials say .. The program uses NSA-developed “signatures,” or fingerprints of malicious code, and sequences of suspicious network behavior to filter the Internet traffic flowing to major defense contractors. That allows the Internet providers to disable the threats before an attack can penetrate a contractor’s servers. The trial is testing two particular sets of signatures and behavior patterns that the NSA has detected as threats. The Internet carriers are AT&T, Verizon and CenturyLink. Together they are seeking to filter the traffic of 15 defense contractors".
See "NSA allies with Internet carriers to thwart cyber attacks against defense firms" - here.
While this is a case of "national security", security threats to enterprise customers are real and growing (see Cisco's report below). Nevertheless, security represents an opportunity for ISPs to sell a value-added service.
One aspect, offered by DPI/traffic management vendors is DDoS prevention functions, offered as an add-on to traffic management (see examples from Allot, Arbor, Procera and Sandvine), by detecting traffic anomalies and blocking the relevant packets, thus protecting networks and business or residential subscribers from being attacked.
See also "ALU Bell Labs: Network Behavior Analysis Helps to Detect Malware Infection" - here and "Recent Cyber Monday DDoS Attacks "revealed a sophisticated and motivated attacker” - here.