Predictive behavioral analysis

The last topic of this section is not new, but it is gaining traction because human behavior follows patterns that can predict future action. Today we rely on an analyst to recall, from memory or from a review of previous incident data, whether a certain behavior has occurred in the past with the same user or IP address. This does not always happen, and predictive behaviors can be missed because no one is keeping track. Predictive behavioral analysis does not apply only to people; it can also cover something such as the Cyber Monday traffic patterns observed by online retailers. The first Cyber Monday was a shock, but analysis of traffic on the same day in previous years would have indicated a continued increase. Some online retailers had enough resources to handle the increase; others did not, their online presences failed, and the outages cost them millions in revenue. Denial-of-service solutions use the same analysis: traffic is analyzed over a period of time, and if certain behaviors such as incomplete conversations are observed, the source is penalized until the condition clears. If the condition does not clear and continues, the source is penalized to the point where its communication with the target is cut off, as the behavior has indicated that the source has malicious intent.

Keeping a running score for a user or IP address is at the heart of this method and can prove invaluable in stopping malicious action before it occurs, greatly reducing the impact to the business. Financial institutions use this technique as part of fraud detection: actions are closely monitored, and known questionable actions raise red flags that focus the monitoring and allow the institution to react almost immediately. Currently, the closest we have to this in readily available commercial security tools is active response to an action that has already been perpetrated, not predictive mitigation. There are highly specialized tools used for behavioral analysis that have been modified to work at the network layer to predict malicious behavior and take action. I think we will see a shift to this predictive technology, provided it can help find the needle in the haystack of good and bad anomalous traffic.
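As an added illustration of the running score described above (example code, not from the book), the following Python replays a constructed connection log and scores each source on the incomplete conversations seen in a sliding window: the source is penalized while the count stays high, released when the window clears, and cut off once the count reaches the block threshold. The addresses, window length and thresholds are assumptions chosen for the example.

```python
"""Running per-source score over a sliding window of incomplete conversations.

Constructed flow records stand in for a connection log: (timestamp_seconds,
source_ip, "complete" or "incomplete"). Addresses and thresholds are made up.
"""
from collections import defaultdict, deque

WINDOW = 10       # seconds of history scored per source
PENALIZE_AT = 3   # incomplete conversations in window -> throttle the source
BLOCK_AT = 6      # incomplete conversations in window -> cut the source off

FLOWS = [
    (0, "10.0.0.5", "complete"),
    (1, "10.0.0.9", "incomplete"), (2, "10.0.0.9", "incomplete"),
    (3, "10.0.0.9", "incomplete"),   # third failure -> penalized
    (4, "10.0.0.7", "incomplete"), (5, "10.0.0.7", "incomplete"),
    (6, "10.0.0.7", "incomplete"),   # penalized
    (7, "10.0.0.9", "incomplete"), (8, "10.0.0.9", "incomplete"),
    (9, "10.0.0.9", "incomplete"),   # sixth failure in window -> blocked
    (12, "10.0.0.5", "complete"),
    (18, "10.0.0.7", "complete"),    # failures aged out of window -> released
    (20, "10.0.0.9", "complete"),    # still blocked: cut-off is sticky
]


class SourceScorer:
    """Keeps a running score per source and maps it to an enforcement state."""

    def __init__(self, window=WINDOW, penalize_at=PENALIZE_AT, block_at=BLOCK_AT):
        self.window, self.penalize_at, self.block_at = window, penalize_at, block_at
        self.failures = defaultdict(deque)  # src -> timestamps of incomplete flows
        self.blocked = set()                # cut-off persists until an operator releases it

    def observe(self, ts, src, state):
        """Score one flow record and return the source's current enforcement state."""
        hist = self.failures[src]
        if state == "incomplete":
            hist.append(ts)
        while hist and hist[0] <= ts - self.window:   # drop events outside the window
            hist.popleft()
        score = len(hist)
        if src in self.blocked or score >= self.block_at:
            self.blocked.add(src)
            return "blocked"
        if score >= self.penalize_at:
            return "penalized"   # condition present: penalize until it clears
        return "allowed"


def run(flows):
    """Replay a flow log and return the decision taken on each record."""
    scorer = SourceScorer()
    return [(ts, src, scorer.observe(ts, src, st)) for ts, src, st in flows]


if __name__ == "__main__":
    for ts, src, decision in run(FLOWS):
        print(f"t={ts:>2} {src:<10} {decision}")
```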
