Real-time representation of security-relevant system state

US10409980B2 · US · B2

Patent metadata

Publication number: US-10409980-B2
Application number: US-201213728746-A
Country: US
Kind code: B2
Filing date: Dec 27, 2012
Priority date: Dec 27, 2012
Publication date: Sep 10, 2019
Grant date: Sep 10, 2019

Abstract

Official abstract text for this publication.

A situational model representing a state of a monitored device is described herein. The situational model is constructed with the security-relevant information in substantially real-time as execution activities of the monitored device associated with the security-relevant information are observed. The represented state may include a current state and a past state of the monitored device. Also, the situational model may be used to validate state information associated with events occurring on the monitored device. Further, a remote security service may configure the monitored device, including configuring the situational model, and may build an additional situational model representing a state of a group of monitored devices.

First claim

Opening claim text (preview).

What is claimed is:

1. A system comprising: one or more hardware processors; a memory device coupled to the one or more hardware processors; a kernel-level security agent stored in the memory device; a database stored in the memory device, the database configured to store: security-relevant information that represents at least one state of the system, wherein different portions of the security-relevant information are written to the database during different epochs that each begin with one of: (1) a system boot; (2) a restart of the kernel-level security agent, or (3) an end of rundown on an initial installation of the kernel-level security agent; and metadata that defines a trusted time period for each portion of the security-relevant information, the trusted time period for a particular portion of the security-relevant information including an epoch during which the particular portion of the security-relevant information is trusted as accurate, wherein the kernel-level security agent comprises one or more instructions implemented at kernel-level and executed by the one or more hardware processors to cause the one or more hardware processors to perform operations comprising: during a first epoch, storing a first portion of the security-relevant information related to a first ephemeral object into the database in real-time as first execution activities associated with the first ephemeral object are observed, and indicating in the metadata that the first epoch is the trusted time period for the first portion of the security-relevant information, the first epoch beginning with one of: (1) the system boot; (2) the restart of the kernel-level security agent, or (3) the end of rundown on the initial installation of the kernel-level security agent; during a second epoch different from the first epoch, storing a second portion of the security-relevant information related to a second ephemeral object into the database in real-time as second execution activities associated with the second ephemeral object are observed, and indicating in the metadata that the second epoch is the trusted time period for the second portion of the security-relevant information, the second epoch beginning with a different one from the first epoch of: (1) the system boot; or (2) the restart of the kernel-level security agent; determining information of a chain of execution based at least in part on the first portion of the security-relevant information and based at least in part on the second portion of the security-relevant information, wherein the information of the chain of execution comprises at least one of: information of a process; or information of a file; and pruning security-relevant information from the database based at least in part on: an age and a type of the security-relevant information; or a prioritization of different categories of the security-relevant information.

2. The system of claim 1, wherein the trusted time period defined by the metadata applies to all data acquired about a collection of security-relevant information that includes the security-relevant information, and wherein being trusted as accurate indicates that the collection of security-relevant information has consistent properties of liveness and trustworthiness.

3. The system of claim 1, the operations further comprising receiving at least the first portion or the second portion.

4. The system of claim 3, the operations further comprising validating state information associated with the execution activities of the system.

5. The system of claim 3, the operations further comprising generating events based on at least the first portion or the second portion and on security-relevant information stored in the database.

6. The system of claim 1, the one or more instructions further comprising a query interface that enables at least one of the one or more instructions to access security-relevant information stored in the database, the query interface further enabling the at least one of the one or more instructions to specify a level of desired trustworthiness associated with metadata that corresponds to security-relevant information stored in the database.

7. The system of claim 1, wherein the pruning procedure first prunes the security-relevant information based on the age and the type and then, when a size of a pruned situational model exceeds a limit, prunes the security-relevant information based on the prioritization of different categories.

8. The system of claim 1, wherein the database comprises a schema that is dynamically configurable by a remote security service.

9. The system of claim 1, wherein the database is further configured to cache at least one of information received from a remote security service, information that is computationally expensive to generate or fetch, or information that is high-latency to fetch.

10. The system of claim 1, the operations further comprising determining at least some of the security-relevant information based on a configuration received from a remote security service.

11. The system of claim 1, the operations further comprising validating state information associated with the execution activities of the system.

12. The system of claim 1, the operations further comprising providing at least some of the security-relevant information to a remote security service.

13. The system of claim 1, wherein the operations to determine the information of the chain of execution include retrieving the first portion of the security-relevant information from the database when the first portion of the security-relevant information is no longer present on a host operating system of the system.

14. The system of claim 6, the operations further comprising: determining, by the at least one of the one or more instructions, a query for at least a portion of the security-relevant information, wherein the query specifies at least one of the first epoch or the second epoch as a trust period; requesting, by the at least one of the one or more instructions, security information matching the query via the query interface; and providing, by the query interface, the portion of the security-relevant information.

15. A method comprising: receiving, by a kernel-level security agent of a computing device, a notification of an event associated with execution activities of the computing device; querying, by the kernel-level security agent, a situational model for security-relevant information based at least in part on the notification, the security-relevant information representing a first state of the computing device during a first epoch, wherein the first epoch begins with one of: (1) a system boot; (2) a restart of the kernel-level security agent, or (3) an end of rundown on an initial installation of the kernel-level security agent; validating, by the kernel-level security agent, state information associated with the event based at least in part on the security-relevant information to provide a validation result, wherein the state information represents a second state of the computing device during a second epoch, and the validating includes comparing at least a part of the state information with at least a part of the security-relevant information, wherein the second epoch begins with a different one, from the first epoch, of: (1) the system boot; or (2) the restart of the kernel-level security agent; in response to the validation result being a validation error, performing, by the computing device, at least one security response action, wherein the security response action comprises: reporting the validation error to a
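As an added illustration (not code from the patent or from the assignee), the following Python sketch models the structure that claim 1 and claims 6, 7, 13 and 14 describe: security-relevant entries tagged with the epoch in which they are trusted, an epoch boundary at boot, agent restart or end of rundown, a query interface that can require a specific trust period, chain-of-execution reconstruction from stored state after an ancestor has exited, and two-stage pruning (age and type first, then category priority). Class and method names and the sample scenario are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    kind: str    # category: "process", "file", "net"
    key: object  # pid, path or endpoint (constructed values in demo())
    attrs: dict
    epoch: int   # metadata: the epoch in which this entry is trusted as accurate
    ts: float    # observation time, used for age-based pruning

class SituationalModel:
    def __init__(self):
        self.entries, self.epoch = [], 0
    def begin_epoch(self, reason):
        # Claim 1 epoch boundaries: boot, agent restart, end of rundown after first install.
        assert reason in ("boot", "agent_restart", "rundown_end")
        self.epoch += 1
        return self.epoch
    def observe(self, kind, key, attrs, ts):  # recorded as the activity is observed
        self.entries.append(Entry(kind, key, dict(attrs), self.epoch, ts))
    def query(self, kind, key, trusted_epoch=None):
        # Query interface: caller may require one epoch as the trust period (claims 6, 14).
        return [e for e in self.entries if e.kind == kind and e.key == key
                and (trusted_epoch is None or e.epoch == trusted_epoch)]
    def execution_chain(self, pid):
        # Parent links come from stored state, so an exited ancestor from an earlier epoch is still resolved (claim 13).
        chain = []
        while pid is not None and (hits := self.query("process", pid)):
            chain.append((hits[-1].epoch, pid, hits[-1].attrs["image"]))
            pid = hits[-1].attrs.get("ppid")
        return chain
    def prune(self, now, max_age_by_kind, limit, priority):
        # Claim 7: age/type pruning first; only if still over the limit, drop lowest-priority categories.
        self.entries = [e for e in self.entries
                        if now - e.ts <= max_age_by_kind.get(e.kind, float("inf"))]
        for kind in sorted(priority, key=priority.get):
            if len(self.entries) <= limit:
                break
            self.entries = [e for e in self.entries if e.kind != kind]
        return len(self.entries)

def demo():  # constructed scenario: a boot epoch followed by an agent-restart epoch
    m = SituationalModel()
    m.begin_epoch("boot")
    m.observe("process", 1, {"image": "init", "ppid": None}, 1.0)
    m.begin_epoch("agent_restart")
    m.observe("process", 310, {"image": "child", "ppid": 1}, 51.0)
    m.observe("file", "/tmp/dropped", {"hash": "constructed"}, 52.0)
    m.observe("net", "203.0.113.5:443", {"pid": 310}, 53.0)
    return m
```

Querying pid 1 with `trusted_epoch=2` returns nothing, because that entry was only trusted during the boot epoch; the chain for pid 310 still resolves its parent from the earlier epoch.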

Assignees

Crowdstrike Inc

Inventors

Classifications

  • Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities · CPC title

  • G06F21/52 (Primary): during program execution, e.g. stack integrity {; Preventing unwanted data erasure; Buffer overflow} · CPC title

  • H04L63/20 (Primary): for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • involving simulating, designing, planning or modelling of a network · CPC title

  • Detecting local intrusion or implementing counter-measures · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10409980B2 cover?
A situational model representing a state of a monitored device is described herein. The situational model is constructed with the security-relevant information in substantially real-time as execution activities of the monitored device associated with the security-relevant information are observed. The represented state may include a current state and a past state of the monitored device. Als…
Who is the assignee on this patent?
Crowdstrike Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/52. Mapped technology areas include Physics.
When was this patent published?
Publication date Sep 10, 2019 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).